Speakers: Trinadh Kotturu, Senthuran Sivananthan, & Rochak Mittal
Site Recovery At Scale
Senthuran Sivananthan
Real Solutions for Real Problems
Customer example: Finastra.
- BCP process: Define RPO/RTO. Document DR failover triggers and approvals.
- Access control: Assign clear roles and ownership. Leverage ASR built-in roles for RBAC. Different RS vault for different BU/tenants. They deployed 1 RSV per app to do this.
- Plan your DR site: Leveraged region pairs – useful for matching GRS replication of storage. Site connectivity needs to be planned. Pick the primary/secondary regions to align service availability and quota availability – change the quotas now, not later when you invoke the BCP.
- Monitor: Monitor replication health. Track configuration changes in environment – might affect recovery plans or require replication changes.
- DR drills: Periodically do test failovers.
Journey to Scale
- Automation: Do things at scale
- Azure Policy: Ensure protection
- Reporting: Holistic view and application breakdown
- Pre- & Post- Scripts: Lower RTO as much as possible and eliminate human error
Demos – ASR
Rochak for demos of recent features. Azure Policies coming soon.
Will assess if VMs are being replicated or not and display non-compliance.
Expanding the monitoring solution.
Demo – Azure Backup & Azure Policy
Trinadh creates an Azure Policy and assigns it to a subscription. He picks the Azure Backup policy definition. He selects a resource group of the vault, selects the vault, and selects the backup policy from the vault. The result is that any VM within the scope of the policy will automatically be backed up to the selected RSV with the selected policy.
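An added example, not from the session or from Microsoft's tooling: a small Python model of the scope rule in the demo above, listing VMs inside an assignment scope that are unprotected or protected with the wrong vault or backup policy. The resource IDs, the vault name (rsv-app) and the policy names are constructed sample data; in practice the inputs would come from your VM inventory and the vault's list of protected items.

```python
# Added example: models the scope rule from the demo, not Azure's policy engine.
# All resource IDs, vault names and policy names below are constructed sample data.

def in_scope(resource_id: str, scope: str) -> bool:
    """True if resource_id sits under scope. Azure resource IDs compare
    case-insensitively, and the match must be on whole path segments so
    that a scope ending in "rg-app" does not cover "rg-app2"."""
    rid = resource_id.lower().rstrip("/").split("/")
    scp = scope.lower().rstrip("/").split("/")
    return rid[:len(scp)] == scp

def audit(vms, protected, scope, vault, policy):
    """Return {vm_id: reason} for in-scope VMs that lack the expected protection.
    protected maps lower-cased VM id -> (vault name, backup policy name)."""
    findings = {}
    for vm in vms:
        if not in_scope(vm, scope):
            continue  # outside the assignment scope: nothing is expected of it
        item = protected.get(vm.lower())
        if item is None:
            findings[vm] = "not backed up"
        elif item[0].lower() != vault.lower():
            findings[vm] = f"backed up to unexpected vault {item[0]}"
        elif item[1].lower() != policy.lower():
            findings[vm] = f"unexpected backup policy {item[1]}"
    return findings

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM = "/providers/Microsoft.Compute/virtualMachines/"
VMS = [
    SUB + "/resourceGroups/rg-app" + VM + "web01",    # compliant
    SUB + "/resourceGroups/RG-APP" + VM + "web02",    # same group, different case
    SUB + "/resourceGroups/rg-app" + VM + "sql01",    # wrong backup policy
    SUB + "/resourceGroups/rg-app2" + VM + "test01",  # different resource group
]
PROTECTED = {
    VMS[0].lower(): ("rsv-app", "daily-30d"),
    VMS[2].lower(): ("rsv-app", "weekly-4w"),
}

def run_sample():
    scope = SUB + "/resourceGroups/rg-app"
    return audit(VMS, PROTECTED, scope, "rsv-app", "daily-30d")

if __name__ == "__main__":
    for vm, reason in run_sample().items():
        print(vm.rsplit("/", 1)[-1], "->", reason)
```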
Azure Backup & Security
Supports Azure Disk Encryption. KEK and BEK are backed up automatically.
AES 256 protects the backup blobs.
Compliance
- HIPAA
- ISO
- CSA
- GDPR
- PCI-DSS
- Many more
Built-in Roles
Cumulative:
- Backup Reader: See only
- Backup Operator: Enable backup & restore
- Backup Contributor: Policy management and Delete-Stop Backup
Protect the Roles
PIM can be used to guard the roles – protect against rogue admins.
- JIT access
- MFA
- Multi-user approval
Data Security
- PIN protection for critical actions, e.g. delete
- Alert: Notification on critical actions
- Recovery: Data kept for 14 days after delete. Working on blob soft delete
Backup Center Demo
Being built at the moment. Starting with VMs now but will include all backup items eventually.
All RSVs in the tenant (doh!) managed in a central place.
Aimed at the large enterprise.
They also have Log Analytics monitoring if you like that sort of thing. I’m not a fan of LA – I much prefer Azure Monitor.
Reporting using Power BI
Trinadh demos a Power BI reporting solution that unifies backup data from multiple tenants into a single report.
One thought on “Microsoft Ignite 2018: Implement Cloud Backup & Disaster Recovery At Scale in Azure”