Enable Automated Backups

Risk level: High (act today)
Rule ID: AppService-013

Ensure that the Backup and Restore feature is enabled and configured to create automated (scheduled) backups for your Microsoft Azure App Services applications.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Reliability

To protect your Azure App Services web applications against accidental deletion and/or corruption, you can configure application backups to create restorable copies of your app content, its configuration files, and the database connected to your application. Once the Backup and Restore feature is enabled and configured, your applications are backed up according to a precise schedule defined within the backup policy. Then you can restore your applications with their linked databases on-demand to a previous state, or create a new application based on one of the app's backups. You can also configure your application backups to be retained up to an indefinite amount of time.

Note: Application backups require the Azure App Services plan to be in the Standard tier or Premium tier.


Audit

To determine if your Azure App Services applications are configured for automated backups, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Services application that you want to examine.

04 In the navigation panel, under Settings, choose Backups and check the list of backups available for the selected application. If there are no backups taken and the following message is displayed instead: "Backup is not configured. Click here to configure backup for your app", the Backup and Restore feature is not enabled for the selected Microsoft Azure App Services web application.

05 Repeat steps no. 3 and 4 for each Azure App Services application available in the selected account subscription.

06 Repeat steps no. 3 – 5 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the names of all App Services applications (and the name of their associated resource groups) deployed in the current Azure subscription:

az webapp list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested application information:

Name               ResourceGroup
-----------------  ------------------------------
cc-aspnet-web-app  cloud-shell-storage-westeurope
cc-nodejs-web-app  cloud-shell-storage-westeurope

03 Run webapp config backup show command (Windows/macOS/Linux) using the name of the application that you want to examine as identifier parameter, to describe the backup configuration for the selected App Services application:

az webapp config backup show \
	--webapp-name cc-aspnet-web-app \
	--resource-group cloud-shell-storage-westeurope

04 The command output should return the requested configuration information:

Backup configuration not found

If the webapp config backup show command output returns the "Backup configuration not found" message, as shown in the example above, the Backup and Restore feature is not enabled and configured for the selected Microsoft Azure App Services web application.

05 Repeat steps no. 3 and 4 for each Azure App Services application deployed within the current account subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
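
The CLI audit above can be run over every application in the current subscription in one pass. The script below is an added example, not part of the original rule page; the function names are illustrative, and it treats a failed call or the "Backup configuration not found" message from step 04 as "not configured".

```shell
#!/bin/sh
# Added example: audit all App Services apps in the current subscription.

# Print "name<TAB>resourceGroup" per app (same query as step 01, TSV output).
list_apps() {
  az webapp list --output tsv \
    --query '[*].[name, resourceGroup]'
}

# has_backup_config <app-name> <resource-group>
# Returns 0 only if the CLI returns a backup configuration for the app.
has_backup_config() {
  cfg=$(az webapp config backup show \
          --webapp-name "$1" --resource-group "$2" 2>&1 </dev/null) || return 1
  case "$cfg" in
    *"Backup configuration not found"*) return 1 ;;
  esac
  return 0
}

# Print one line per app; return 1 if any app has no backup configuration,
# 2 if the app list itself could not be retrieved.
audit_backups() {
  audit_rc=0
  apps=$(list_apps) || return 2
  while IFS="$(printf '\t')" read -r name rg; do
    [ -n "$name" ] || continue
    if has_backup_config "$name" "$rg"; then
      printf 'OK       %s (%s)\n' "$name" "$rg"
    else
      printf 'MISSING  %s (%s)\n' "$name" "$rg"
      audit_rc=1
    fi
  done <<EOF
$apps
EOF
  return $audit_rc
}
```

Call audit_backups after az login; its non-zero exit status when any application is reported as MISSING lets the check gate a scheduled job or pipeline.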

Remediation / Resolution

To enable and configure automated backups for your Microsoft Azure App Services applications, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the application that you want to reconfigure (see Audit section part I to identify the right application).

04 In the navigation panel, under Settings, choose Backups and click on the Backup is not configured. Click here to configure backup for your app link to initiate the configuration process.

05 On the Backup Configuration panel, perform the following operations:

  1. In the Backup Storage section, click on Storage Settings tab and select the target container to store your application backups. You can also create a new storage account or a new container using the Storage Settings configuration panels. When you're done, click Select. The Azure Storage account and the required container must be available in the same subscription as the app that you want to back up.
  2. Under Backup Schedule, select On next to Scheduled backup, to configure the schedule for the application backup:
    • Use the Backup Every controls to schedule an application backup every N days or hours, depending on your backup policy.
    • For Start backup schedule from, use the date and time picker controls to specify the backup schedule start time.
    • Provide the optimal backup retention period in the Retention (Days) box.
    • Use the Keep at least one backup setting to specify whether or not to retain at least one application backup.
  3. In the Backup Database section, select the database(s) that you want to include in the app backups. The backup database list is based on the application's configured connection strings.
  4. Click Save to apply the configuration changes. Once configured, a confirmation message with the backup schedule start time and recurrence should be displayed. You can also initiate a manual backup at any time by clicking the Backup button. To restore your Azure App Services app (including its linked databases) on-demand to a previous state, or create a new application based on one of the app's backups, click on the Restore button and select a backup to restore. The restore source can be either an automated application backup or a zip file of a valid backup from the storage container.

06 Repeat steps no. 3 – 5 for each Azure App Services application available in the selected subscription that you want to reconfigure in order to enable the Backup and Restore feature.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account create command (Windows/macOS/Linux) to create the Microsoft Azure Storage account required to hold your Azure App Services application backups:

az storage account create \
	--name ccwebstorageaccount \
	--resource-group cloud-shell-storage-westeurope \
	--sku Standard_LRS

02 The command output should return the metadata available for the new Azure Storage account:

{
  "accessTier": "Hot",
  "azureFilesIdentityBasedAuthentication": null,
  "blobRestoreStatus": null,
  "customDomain": null,
  "enableHttpsTrafficOnly": true,
  "isHnsEnabled": null,
  "kind": "StorageV2",
  "largeFileSharesState": null,
  "lastGeoFailoverTime": null,
  "location": "westeurope",

  ...

  "name": "ccwebstorageaccount",

  ...

  "primaryLocation": "westeurope",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sku": {
    "name": "Standard_LRS",
    "tier": "Standard"
  },
  "statusOfPrimary": "available",
  "statusOfSecondary": null,
  "tags": {},
  "type": "Microsoft.Storage/storageAccounts"
}

03 Run storage container create command (Windows/macOS/Linux) using the name of the newly created Microsoft Azure Storage account as parameter to create the storage container required to store your Azure App Services application backups:

az storage container create \
	--account-name ccwebstorageaccount \
	--name cc-app-backup-container

04 The command output should return the storage container create request confirmation status:

{
  "created": true
}

05 Run storage container generate-sas command (Windows/macOS/Linux) to generate a Shared Access Signature (SAS) token for the storage container created at the previous steps. A SAS token enables you to grant limited access to the containers and the blobs within your storage account. When you create a SAS token, you specify its constraints, including which permissions it has on those Azure resources, and how long the token is valid:

az storage container generate-sas \
	--name cc-app-backup-container \
	--account-name ccwebstorageaccount \
	--permissions rwdl \
	--expiry 2020-05-01

06 The command output should return the new Shared Access Signature (SAS) token:

"se=2020-05-01&sp=rwdl&sv=2018-11-09&sr=c&sig=abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"

07 Run webapp config backup update command (Windows/macOS/Linux) to enable automated backups for the selected Azure App Services application by configuring a backup schedule for the specified app. Construct the required storage container URL using the following format: "https://<storage-account-name>.blob.core.windows.net/<storage-container-name>?<storage-container-sas-token>" (the command does not produce an output):

az webapp config backup update \
	--webapp-name cc-aspnet-web-app \
	--resource-group cloud-shell-storage-westeurope \
	--backup-name cc-web-app-daily-backup \
	--container-url "https://ccwebstorageaccount.blob.core.windows.net/cc-app-backup-container?se=2020-05-01&sp=rwdl&sv=2018-11-09&sr=c&sig=abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd" \
	--frequency 1d \
	--retention 7 \
	--retain-one true

08 Repeat step no. 7 for each Azure App Services application available within the current subscription that you want to reconfigure in order to enable the Backup and Restore feature.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.
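
The container URL passed in step 07 embeds the SAS token from step 06, so the token's se= expiry bounds how long the scheduled backups can write to the container. The helper below is an added example, not part of the original rule page: it builds the URL in the format given in step 07 and checks the expiry date; the function names are illustrative and the sample token in the comments and tests is constructed.

```shell
#!/bin/sh
# Added example. Function names are illustrative.

# container_url <storage-account> <container> <sas-token>
# Builds the --container-url value in the format given in step 07.
container_url() {
  sas=${3#\"}; sas=${sas%\"}   # drop the quotes the CLI prints around the token
  sas=${sas#\?}                # tolerate a token pasted with a leading "?"
  printf 'https://%s.blob.core.windows.net/%s?%s\n' "$1" "$2" "$sas"
}

# sas_expiry <container-url>
# Prints the date part (YYYY-MM-DD) of the se= parameter; fails if there is none.
sas_expiry() {
  query=${1#*\?}
  [ "$query" != "$1" ] || return 1     # no query string means no SAS token
  old_ifs=$IFS; IFS='&'
  set -f; set -- $query; set +f        # split the query on "&" without globbing
  IFS=$old_ifs
  for kv in "$@"; do
    case "$kv" in
      se=*) printf '%s\n' "${kv#se=}" | cut -c1-10; return 0 ;;
    esac
  done
  return 1
}

# sas_valid_on <container-url> <YYYY-MM-DD>
# Returns 0 only if the expiry date is later than the given day. An expiry that
# falls on the given day is reported as expired, the conservative reading.
sas_valid_on() {
  exp=$(sas_expiry "$1") || return 2
  [ "$(printf '%s' "$exp" | sed 's/-//g')" -gt "$(printf '%s' "$2" | sed 's/-//g')" ]
}
```

Because the URL carries a credential with rwdl permissions on the container, keep it out of shell history and logs, and run sas_valid_on against a date far enough ahead to leave time to rotate the token.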

Publication date Sep 30, 2019
