Best Practices for DPM Backup to Azure in terms of security and performance

  • Question

  • Hi,

    I am looking for best practices for DPM Backup to Azure in terms of security and performance. Basically, things that should be considered and configured for security and increased performance.

    Monday, July 6, 2020 9:27 AM

All replies

  • Hi,

    Please refer to the links below, which talk about the prerequisites, the steps to configure online backup using DPM, and best practices for vault credentials.

    https://docs.microsoft.com/en-us/azure/backup/backup-azure-dpm-introduction

    If you have a huge amount of data and don't want to stream it via WAN/Internet, you can consider manual seeding. Refer to the link below:

    https://docs.microsoft.com/en-us/azure/backup/offline-backup-server-previous-versions

    Go through the links and if you have follow-up queries, feel free to drop your question.


    Monday, July 6, 2020 9:40 AM
  • Hi,

    There are no available best practices for backing up to Azure.

    What you need to consider is the following:

    • The amount of data being backed up from on-premise to Azure.
    • The bandwidth speed between on-premise and Azure.

    Security wise, the traffic is encrypted and you can also encrypt the data in the Recovery Vault within Azure. If you have a lot of data, you will need to make sure you don't push the bandwidth too hard.

    DPM 2019 will also receive a capability (in an upcoming Update Rollup) to use Azure Data Box.
    What this means is that you can copy your on-premise backups to an Azure Data Box, which is a physical storage device. Microsoft will then come and get the Azure Data Box and drive it to their Azure data center, and the data will then be copied to your Recovery Vault from there.

    This can be useful if you need to pre-seed a large amount of data, or if you have sensitive data that you don't want to back up through the WAN/Internet. Think of it as banks transferring money in their highly secured vans.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Monday, July 6, 2020 9:53 AM
  • Hi,

    We'll probably go for the online method instead of offline. I have tested DPM features with Azure already; however, I could not find anything related to security enhancements for backup to cloud.

    Also, when I tested (a few months ago) DPM with Azure, it was directly over the internet link. Is it still supported? I am not sure if Microsoft ExpressRoute is a mandatory requirement now; also, I don't have experience with it, so I will have to look into it.

    Monday, July 6, 2020 10:02 AM
  • Backup to Azure is directly over the Internet, yes, but you also have the option to configure a proxy.

    ExpressRoute is not mandatory, but it will surely speed up your backups by a lot.


    Blog: https://thesystemcenterblog.com

    Monday, July 6, 2020 10:10 AM
  • Hi,

    If you are interested in ExpressRoute, you can consider the recommendation below for the same:

    You can back up your data over Azure ExpressRoute with public peering (available for old circuits) and Microsoft peering. Backup over private peering is not supported.

    With public peering: Ensure access to the following domains/addresses:

    • http://www.msftncsi.com/ncsi.txt
    • microsoft.com
    • *.WindowsAzure.com
    • *.microsoftonline.com
    • *.windows.net

    For more information, refer to the ExpressRoute routing requirements.

    Also, with DPM 2019 UR1, there is support for an additional layer of authentication to delete online backups. You will be prompted to enter a security PIN when you perform Stop Protection with Delete Data operations.

    Monday, July 6, 2020 10:29 AM
  • Hi Leon,

    Thanks. We have approx. 15~18 TB of data, and that also will not be backed up at the same time. We'll go with a first backup set of around 3 TB, then the next one, and so on until all are completed. However, speaking about Data Box, which I believe is similar to AWS Snowball: when we copy the data of some machines to the Data Box and then Microsoft copies the data to our Recovery Services vault, I would still need to configure my machines' backups for future data changes. So how do I link the already copied data (data copied to the Data Box and then the vault) to the backups that I'll configure manually, so that only changes are copied to the vault? Then, how will my backup server be able to restore the data that was copied using the Data Box?

    Also, is there any recommendation or security best practice that we should follow to secure backups when DPM copies data to the Recovery Services vault using an internet line? Is Azure ExpressRoute recommended for Azure backups?

    Monday, July 6, 2020 11:15 AM
  • The Azure Data Box is basically "offline seeding"; the Azure Data Box devices give us the opportunity to easily and quickly move data to Azure. There are two ways of moving the data: either online or offline.

    You can use Azure Data Box to seed your large initial Microsoft Azure Recovery Services (MARS) backups offline (without using network) to a Recovery Services vault. This process saves time and network bandwidth that would otherwise be consumed moving large amounts of backup data online over a high-latency network.

    More information will come out once support for DPM has arrived; currently only Microsoft Azure Backup Server (UR1) has support for this. You can, however, read more about how it works here:
    https://docs.microsoft.com/en-us/azure/backup/offline-backup-azure-data-box

    MABS is based on DPM so they will work in the same fashion.

    As for the recommendations, you need to ensure that you have sufficient bandwidth to back up your workloads to Azure, so that you don't get any backlog.

    An ExpressRoute is not mandatory, but you need to verify which option is best suited for you.
    That is, which alternative can handle the amount of data within the time requirements that you have.


    Blog: https://thesystemcenterblog.com

    Monday, July 6, 2020 11:27 AM
  • Hi,

    Thanks. What about the best practices for high availability of the DPM server? For example, if my DPM server fails, it may take some time to build a new DPM server using the existing database, so how will the availability work?

    Monday, July 6, 2020 12:53 PM
  • For a different topic, I would highly advise creating a separate question, so we keep the forum tidy and don't mix up different topics.

    Blog: https://thesystemcenterblog.com

    Monday, July 6, 2020 1:00 PM
  • Hi Leon,

    Sure, I'll do that. However, in our infra we'll not expose DPM directly to the internet, so what do we need to configure, probably in firewalls or other devices, to make sure that DPM can communicate with the Recovery Services vault?

    Monday, July 6, 2020 1:17 PM
  • If you have a firewall or a proxy that is preventing access to Azure, you need to allow the following domain addresses in the firewall/proxy profile:

    • http://www.msftncsi.com/ncsi.txt
    • *.Microsoft.com
    • *.WindowsAzure.com
    • *.microsoftonline.com
    • *.windows.net

    If you are using ExpressRoute Microsoft peering, please select the following services/regions:

    • Azure Active Directory (12076:5060)
    • Microsoft Azure Region (according to the location of your Recovery Services vault)
    • Azure Storage (according to the location of your Recovery Services vault)


    Blog: https://thesystemcenterblog.com

    Monday, July 6, 2020 1:19 PM
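As an added check (example code, not from this thread or from Microsoft), the following PowerShell script, run on the DPM server, verifies that the firewall/proxy rules for the domains listed above actually let the server reach them. It assumes the backup agent talks outbound HTTPS (TCP 443), treats `login.microsoftonline.com` and `www.microsoft.com` as representative hosts of the wildcard domains, and uses a placeholder for the vault's storage endpoint under `*.windows.net`; substitute your own proxy address if one is configured.

```powershell
# Added example: probe each required endpoint the way the backup agent would (HTTP/HTTPS),
# optionally through the same proxy DPM is configured to use. Not part of the original thread.
function Test-BackupEndpoint {
    param([string]$HostName, [int]$Port, [string]$Note, [string]$Proxy)
    $scheme = if ($Port -eq 443) { 'https' } else { 'http' }
    $uri = "${scheme}://$HostName/"
    $reachable = $false
    $detail = ''
    try {
        $params = @{ Uri = $uri; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 10; ErrorAction = 'Stop' }
        if ($Proxy) { $params.Proxy = $Proxy; $params.ProxyUseDefaultCredentials = $true }
        $resp = Invoke-WebRequest @params
        $reachable = $true
        $detail = "HTTP $($resp.StatusCode)"
    } catch {
        # Any HTTP status (even 403/404) proves the path through the firewall/proxy works;
        # only a missing response (DNS failure, blocked TCP, proxy refusal) is a real problem.
        $resp = $_.Exception.Response
        if ($resp) { $reachable = $true; $detail = "HTTP $([int]$resp.StatusCode)" }
        else { $detail = $_.Exception.Message }
    }
    [pscustomobject]@{ Endpoint = $uri; Reachable = $reachable; Detail = $detail; Note = $Note }
}

# Endpoints from the allow-list above. Representative hostnames are assumptions, not an exhaustive list.
$endpoints = @(
    @{ HostName = 'www.msftncsi.com';           Port = 80;  Note = 'NCSI probe (http://www.msftncsi.com/ncsi.txt)' },
    @{ HostName = 'www.microsoft.com';          Port = 443; Note = '*.Microsoft.com' },
    @{ HostName = 'login.microsoftonline.com';  Port = 443; Note = '*.microsoftonline.com (Azure AD sign-in)' },
    # Placeholder: replace with the storage endpoint of your Recovery Services vault region.
    @{ HostName = '<vault-storage-account>.blob.core.windows.net'; Port = 443; Note = '*.windows.net (vault storage)' }
)

# Set this to the proxy DPM uses (e.g. 'http://proxy.corp.example:8080'), or leave $null for direct egress.
$proxy = $null

$results = foreach ($e in $endpoints) { Test-BackupEndpoint @e -Proxy $proxy }
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) { Write-Warning "Blocked endpoints: $($blocked.Endpoint -join ', ')" }
```

Run it once with `$proxy` set and once with it `$null` to confirm that direct egress is blocked while the proxied path works, which is the outcome you want when DPM is not exposed to the internet.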
  • Hi Leon,

    Does that mean we need to allow the traffic both ways? Also, can you please direct me to the official link from Microsoft that lists the ports and domains required to be allowed on the firewall?

    Wednesday, July 15, 2020 11:33 AM