5 2 0:Azure VM Configuration

Welcome to the latest SEP sesam documentation version 5.2.0 Artemis. For previous documentation version(s), check documentation archive.

Are you looking for an alternative for your VMware environment?

SEP supports a range of hypervisors, offering snapshot-based online backup of VMs.

Click HERE to get an overview of the available SEP modules and explore supported features like CBT, Single File Restore, and more.

Overview

Additional resources

Visit SEP sesam YouTube Channel for latest videos and webinars.

Check FAQ to find the answers to most common questions.

Problems? See the Troubleshooting Guide.

If you are using an older SEP sesam version, refer to Documentation archive.

Using SEP sesam for Azure VM backups helps reduce operational complexity and cloud costs while ensuring robust data protection. It provides a consistent backup strategy for complex environments that involve diverse platforms and solutions.

SEP sesam provides reliable backup and restore capabilities for Azure Virtual Machines (VMs), flexible storage options using local or cloud-based storage, and offers advanced threat protection through Si3 deduplication store. By utilizing Azure snapshot technology to capture application-consistent snapshots of VM disks, SEP sesam creates point-in-time backups of VMs, including the operating system, system state, and all attached disks, without requiring downtime.

Additionally, SEP sesam’s monitoring and reporting capabilities provide valuable insights into backup status and overall system performance, enabling efficient backup management and troubleshooting.

Prerequisites

Check SEP sesam OS and Database Support Matrix for the list of supported OS versions.
Azure VM license, see Licensing.
SEP sesam Server v. 5.2.0 Artemis and a SEP sesam data mover. Except for the Azure client itself, any SEP sesam Client, RDS or Server can be used as a data mover for Azure VM backups.
Note that only the COPY level is supported, providing a complete backup of the VM.

Configuring Azure VM environment for backup with SEP sesam

In Azure VM environments, Virtual Machines (VMs) are organized in a Resource Group under a Subscription. When the Azure VM environment is configured for backup with SEP sesam, the SEP sesam integration with Azure VM automatically creates a storage account and a blob container. When the backup is started, SEP sesam accesses the VMs to initiate the creation of snapshots that are temporarily stored in the Azure blob storage container. The snapshots are then backed up to the selected SEP sesam storage, either local or cloud-based. Once the backup is successfully completed, SEP sesam deletes the temporary snapshots from the blob storage to optimize storage efficiency and reduce costs.

To prepare and configure your Azure VM environment for backup with SEP sesam, you need to perform the following steps:

Create Azure application identity for SEP sesam.
Enable access to Azure resources for SEP sesam.
Register Azure subscription to use the Azure namespaces.

Create Azure application identity for SEP sesam

To enable SEP sesam to access the Azure VM resources, you need to create the Service Principal identity. This is an application identity that allows automated task execution in Azure without the need to use a user's personal credentials.

Log in to Microsoft Azure portal (https://portal.azure.com/) and start the Azure CloudShell (AZ CLI).

Create an application identity in Azure Active Directory with the following command:

az ad app create --display-name <app display name> --query appId -o tsv

Expected output: <app ID>

For example:

sepsesam [ ~ ]$ az ad app create --display-name AppRegSEPsesamAzBackup --query appId -o tsv

4m3r160-1497-73rr4n0v4-M4g3l14n

Create a new service principal identity in Azure AD for SEP sesam with the following command:

az ad sp create --id <app ID> --query id -o tsv

Expected output: <service principal ID>

For example:

sepsesam [ ~ ]$ az ad sp create --id 4m3r160-1497-73rr4n0v4-M4g3l14n --query id -o tsv

1e71db65-9d37-4a89-8326-5b62c9e3b0fa

Create a client secret, valid for a set number of years, and generate a password with the following command:

az ad app credential reset --id <app ID> --years <number> --display-name "<secret display name>"

The expected output of this command includes credentials that must be saved securely for use in SEP sesam when adding the Azure VM as a client to the SEP sesam environment.

For example:

sepsesam [ ~ ]$ az ad app credential reset --id 4m3r160-1497-73rr4n0v4-M4g3l14n --years 10 --display-name "secret-10years"

{
  "appId": "4m3r160-1497-73rr4n0v4-M4g3l14n",
  "password": "M9-n4m3~15_n30",
  "tenant": "54n7aM4r14-12oct-1492-242-20m1506a54"
}

Enable access to Azure resources for SEP sesam

To enable SEP sesam access to the Azure resources and blob containers in a storage account, you need to assign the required roles to your Azure subscription:

The Contributor role allows managing resources in the specified scope, and does not allow managing access to the resources.
The Storage Blob Data Contributor role enables SEP sesam access to the Azure blob containers in a storage account.

Use the following command to list the accounts:

az account list --output table

For example:

sepsesam [ ~ ]$ az account list --output table

Name                CloudName    SubscriptionId             TenantId                              State    IsDefault
------------------  -----------  -------------------------  ------------------------------------  -------  ---------
Azure subscription  AzureCloud   w31c0m3-70-7h3-r341-w0r1d  54n7aM4r14-12oct-1492-242-20m1506a54  Enabled  True

Assign the roles Contributor and Storage Blob Data Contributor to your Azure subscription separately with the following commands:

az role assignment create --assignee <app ID> --role "Contributor" --scope <resource scope>
az role assignment create --assignee <app ID> --role "Storage Blob Data Contributor" --scope <resource scope>

The <resource scope> defines your Azure subscription in the format /subscriptions/<subscription ID>.

Expected output: <resource scope>

Example command:

sepsesam [ ~ ]$ az role assignment create --assignee 4m3r160-1497-73rr4n0v4-M4g3l14n --role "Contributor" --scope /subscriptions/7w31c0m3-70-7h3-r341-w0r1d --query "scope" -o tsv

/subscriptions/w31c0m3-70-7h3-r341-w0r1d

Example command:

sepsesam [ ~ ]$ az role assignment create --assignee 4m3r160-1497-73rr4n0v4-M4g3l14n --role "Storage Blob Data Contributor" --scope /subscriptions/7w31c0m3-70-7h3-r341-w0r1d --query "scope" -o tsv

/subscriptions/w31c0m3-70-7h3-r341-w0r1d

Note

You can restrict role assignment to a specific resource group by setting the appropriate scope. However, ensure that all relevant resource groups are included. For example, a virtual network (VNet) might reside in a different group (e.g., wm). To avoid missing permissions, it’s essential to identify and account for all related dependencies. If multiple resource groups are involved, you must assign roles to each one individually.

In such cases, the <resource scope> would be defined as:

--scope /subscriptions/<subscription ID>/resourceGroups/<resource group name>

Register Azure subscription to use the Azure namespaces

By default, your Azure subscription is not registered to use the Azure namespaces and must be registered manually. You need to register to the following namespaces:

Microsoft.Compute
Microsoft.Network
Microsoft.Storage
Microsoft.ContainerRegistry
Microsoft.ContainerInstance

Register your subscription to use the Azure namespaces separately with the following command:

az provider register --namespace <Azure namespace> --subscription "<subscription ID>"

For example:

sepsesam [ ~ ]$ az provider register --namespace Microsoft.Compute --subscription "w31c0m3-70-7h3-r341-w0r1d"
sepsesam [ ~ ]$ az provider register --namespace Microsoft.Network --subscription "w31c0m3-70-7h3-r341-w0r1d"
sepsesam [ ~ ]$ az provider register --namespace Microsoft.Storage --subscription "w31c0m3-70-7h3-r341-w0r1d"
sepsesam [ ~ ]$ az provider register --namespace Microsoft.ContainerRegistry --subscription "w31c0m3-70-7h3-r341-w0r1d"
sepsesam [ ~ ]$ az provider register --namespace Microsoft.ContainerInstance --subscription "w31c0m3-70-7h3-r341-w0r1d"

Check the status of the registration for a namespace with the following command:

az provider show --namespace <Azure namespace> --subscription "<subscription ID>" --query "registrationState"

For example:

sepsesam [ ~ ]$ az provider show --namespace Microsoft.Compute --subscription "w31c0m3-70-7h3-r341-w0r1d" --query "registrationState"
sepsesam [ ~ ]$ az provider show --namespace Microsoft.Network --subscription "w31c0m3-70-7h3-r341-w0r1d" --query "registrationState"
sepsesam [ ~ ]$ az provider show --namespace Microsoft.Storage --subscription "w31c0m3-70-7h3-r341-w0r1d" --query "registrationState"
sepsesam [ ~ ]$ az provider show --namespace Microsoft.ContainerRegistry --subscription "w31c0m3-70-7h3-r341-w0r1d" --query "registrationState"
sepsesam [ ~ ]$ az provider show --namespace Microsoft.ContainerInstance --subscription "w31c0m3-70-7h3-r341-w0r1d" --query "registrationState"

If the subscription is successfully registered, the output for each namespace is "Registered".

What's next?

Azure VM Backup

External resources

Azure Command-Line Interface (CLI) documentation

Overview

Prerequisites

Configuring Azure VM environment for backup with SEP sesam

Create Azure application identity for SEP sesam

Enable access to Azure resources for SEP sesam

Register Azure subscription to use the Azure namespaces

What's next?

External resources

See also