Prepare Azure Environment for Virtual Machine Restore

Before You Begin

Before restoring disk images or VM backups to an Azure VM, ensure that the Microsoft Azure account you use meets one of the following criteria:

  • The account is an organizational account with an active subscription.
  • The account is a personal account that has been explicitly invited into an organization with an active subscription.

By following this procedure, you prepare your Microsoft Azure account for restoring image-based or VM backups as an Azure VM instance. As part of this process, the following entities are created and/or configured:

  • Resource Group: a container that holds related resources for an Azure solution
  • Storage account and Storage container: a structure to store temporary data required for VM restore
  • Azure Virtual Network: a way to present logical networking services to connected workloads
  • Network Security Group: a container for security rules that allow or deny network traffic

Prepare Your Environment

Follow the instructions below to complete the preparations:

Create a Resource Group

  1. Select the Resource groups entry from the Azure portal menu:

  1. Click on Create:

  1. Specify the Resource group name. Select the subscription and the region for the Resource group.

For faster uploads and downloads, select the closest location. You can check the location latency on http://azurespeedtest.azurewebsites.net/.

  1. Click on Review + create to finish or continue to the Tags section:

  1. Click on Go to resource group:

  1. Alternatively, you can click on the resource group from the list:

Create a Storage Account and Storage Container

You can use an existing Storage account, unless it has Data Lake Storage Gen2 capabilities enabled.

  1. Make sure you selected the relevant Resource group. If not, go to Home > Resource groups section and select it from the list:

  1. Click on Create.

  1. Locate the Storage Account entry using the search box and choose Create > Storage account:

  1. Specify a unique Storage account name, proper Region, as well as the parameters listed below for one of the recommended storage configurations (the default values can be used for all other parameters):

VM HDD container:

  • Performance: Standard or Premium
  • Redundancy: LRS, GRS, RA-GRS
  • Access tier: Hot

Boot diagnostic storage (if required):

  • Performance: Standard
  • Redundancy: LRS, GRS, ZRS, RA-GRS
  • Access tier: Hot

  1. Wait until the Storage account has been deployed and click on Go to resource:

  1. Locate the Containers section and select it:

Create a container that will be used to store temporary data required for VM restore:

Creating a Virtual Network with Correct Subnet

  1. Make sure you selected the relevant Resource group. If not, go to Home > Resource groups section and select it from the list:

  1. Click on Create.

  1. Locate the Virtual network entry using the search box and click on Create > Virtual network:

  1. Specify the virtual network name and select the same region as for the used Resource group. Then click on Next: IP addresses.

  1. Change the IP Addresses settings for the new virtual network or go with the default settings: IPv4 address space 10.0.0.0/16, default subnet 10.0.0.0/24.

If the backed-up server uses a static IP address, create a corresponding subnet in the Azure Virtual Network to be able to connect to the restored machine via the Internet. Note that Azure reserves the first three IP addresses in a subnet for internal usage.

  1. Click on Next: Security if you would like to change the default parameters:

  1. Add tags in the corresponding section, if needed.
  2. Wait until the settings have been validated.

  1. Click on Create.

Creating a Network Security Group

For security reasons, it is strongly recommended to create a Network Security Group and associate it with a Subnet. The main goal of inbound and outbound security rules is to restrict the traffic allowed into and out of a network.

To manage the restored system, it is necessary to enable inbound traffic on the appropriate port for the remote management protocol being used, such as port 3389 for Windows RDP or port 22 for Linux SSH. Additionally, to enhance security, access to the restored system may be restricted to originate from specific IP addresses or ranges of IP addresses only.

Outbound traffic can be limited to the resources specified in the following article. However, cloud storage service providers only specify service URLs and do not disclose the utilized IP addresses on their websites, so using outbound traffic filtering will require additional research.

  1. Make sure you selected the relevant Resource group. If not, go to Home > Resource groups section and select it from the list:

  1. Click on Create.

  1. Locate the Network security group entry using the search box and click on Create > Network security group:

  1. Give the security group a name and select the correct Subscription, Resource group, and Region:

  1. After it has been validated, click on Create:

  1. After the deployment is complete, click on Go to resource:

  1. Navigate to Inbound Security Rules in the Settings section, and click on +Add:

  1. In the sidebar, change the Destination port ranges to 3389 for Windows RDP or port 22 for Linux SSH. Keep all other parameters at their defaults unless you have a specific objective to accomplish. Click on Add:

  1. Navigate to Outbound Security Rules in the Settings section and click on +Add:

  1. In the sidebar, change the Destination port ranges to 443. Keep all other parameters at their defaults unless you have a specific objective to accomplish. Click on Add:
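
An inbound rule whose source is left unrestricted exposes the management port to any address, which is why the text above recommends limiting access to specific IP addresses or ranges. The check below is an added example, not part of the original guide: it scans NSG rules exported as JSON (the shape printed by `az network nsg rule list -o json`) and reports inbound Allow rules that open RDP or SSH to any source. The sample rules, rule names and addresses are constructed.

```python
import json

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}  # source values that mean "anyone"

# Constructed sample in the shape of `az network nsg rule list -o json`
# (rule names and addresses are made up for this example).
SAMPLE_RULES = json.loads("""[
  {"name": "AllowRDPAny", "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
  {"name": "AllowSSHAdmin", "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "22"},
  {"name": "AllowWide", "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "Internet", "destinationPortRange": null,
   "destinationPortRanges": ["20-25", "443"]},
  {"name": "AllowHTTPSOut", "direction": "Outbound", "access": "Allow",
   "sourceAddressPrefix": "*", "destinationPortRange": "443"}
]""")

def covers(port_spec, port):
    """True if an NSG port spec ('*', '3389' or '20-25') includes the port."""
    if port_spec == "*":
        return True
    low, _, high = port_spec.partition("-")
    return int(low) <= port <= int(high or low)

def _values(rule, single, plural):
    """Merge the single-value and list-value forms of an NSG rule field."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def exposed_management_rules(rules):
    """Return (rule name, protocol) for inbound Allow rules open to any source."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(s.lower() in OPEN_SOURCES for s in sources):
            continue  # source is already narrowed to specific addresses
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        for port, label in MGMT_PORTS.items():
            if any(covers(p, port) for p in ports):
                findings.append((rule["name"], label))
    return findings

if __name__ == "__main__":
    for name, label in exposed_management_rules(SAMPLE_RULES):
        print(f"{name}: {label} is reachable from any source address")
```
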

Associate Network Security Group With a Subnet

Once all required rules are added, associate the Network Security Group with the previously created subnet.

  1. Select the Subnets entry in the Settings group of the relevant Security group and click on Associate:

  1. Select the relevant virtual network and subnet, then click OK:

Enable Serial Console

For testing or troubleshooting purposes, it is recommended to enable Serial Console in your Linux or Windows Machine. Then you will be able to configure and troubleshoot your Azure VM in the Azure Portal command line. To learn more, follow the links below:

  • For Windows VMs: Virtual Machine Serial Console
  • For Linux VMs: Accessing serial console for Linux

For troubleshooting, refer to the following knowledge base article

Establishing Available VM Sizes

This information will be required when configuring the restore job in the backup agent. Failing to specify an available VM size will cause the restore to fail.

  1. Select Virtual machines from the main menu and click on Create:

  1. Make sure the relevant Region is selected:

  1. Scroll down to the Size section and click on the See all sizes hyperlink:

  1. Gather information on the VM sizes that will match your needs for the production machine as well as the temporary instance:
