Check for Sufficient Instant Restore Retention Period

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-020

Ensure that your Microsoft Azure virtual machines (VMs) have a sufficient snapshot instant restore retention period configured for data security and internal compliance. Instant recovery snapshots are stored together with the VM disk volumes to speed up recovery point creation and restore operations. Before the Cloud Conformity engine runs this rule, the instant restore retention period must be configured in the rule settings on the Cloud Conformity account dashboard. The Azure VM instant restore retention period can range from a minimum of 1 day to a maximum of 5 days.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability

The Azure Backup Instant Restore feature retains VM snapshots along with their disk volumes for faster recovery. Having the right instant restore retention period set for your Azure virtual machines will enable your VM recovery strategy to follow best practices and meet the compliance requirements that apply in your organization. Retaining VM instant recovery snapshots for a longer period of time will allow you to handle the restoration process more efficiently in the event of a failure.


Audit

To determine if your Azure VMs have a sufficient retention period configured for instant recovery snapshots, perform the following actions:

Using Azure Console

01 Sign in to your Cloud Conformity account, access Sufficient Instant Restore Retention Period rule settings and note the retention period configured for the conformity rule.

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Virtual machine to list the virtual machines launched in the selected subscription.

06 Click on the name of the Azure virtual machine (VM) that you want to examine.

07 On the navigation panel, under Operations, select Backup to view the Azure Backup service configuration settings available for the selected virtual machine.

08 On the Backup page, under Summary, click on the name of the backup policy defined for the selected resource.

09 On the Backup policy panel, check the retention period set for the Instant Restore configuration attribute. If the retention period configured for the instant recovery snapshots taken by the selected virtual machine is not greater than or equal to the retention period identified at step no. 1, the selected Microsoft Azure virtual machine does not have a sufficient instant restore retention period configured.

10 Repeat steps no. 6 – 9 for each Azure virtual machine deployed in the selected subscription.

11 Repeat steps no. 4 – 10 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access Sufficient Instant Restore Retention Period rule settings and note the retention period configured for the conformity rule.

02 Run backup vault list command (Windows/macOS/Linux) using custom query filters to list the name of each Azure Recovery Services vault available in the current subscription. A Recovery Services vault is a storage entity that retains backup data for various Azure resources such as virtual machines and SQL databases:

az backup vault list \
    --resource-group cloud-shell-storage-westeurope \
    --query '[*].name'

03 The command output should return the requested vault name(s):

[
  "cc-main-backup-vault"
]

04 Run backup item list command (Windows/macOS/Linux) using the name of the Azure Recovery Services vault that you want to examine as identifier parameter and custom query filters to describe the name of the backup policy set for each virtual machine launched in the current subscription. A backup policy specifies the frequency and time at which the specified Azure resources are backed up and how long the backups/snapshots are retained:

az backup item list \
    --resource-group cloud-shell-storage-westeurope \
    --vault-name cc-main-backup-vault \
    --output table \
    --query '[*].properties.{"VirtualMachineName":friendlyName,"BackupPolicyName":policyName}'

05 The command output should return a table with the names of the virtual machines that use the Azure Backup service and the names of their associated backup policies:

VirtualMachineName    BackupPolicyName
------------------    ------------------
cc-project5-server    ProductionPolicy
cc-database-server    DatabasePolicy

06 Run backup policy show command (Windows/macOS/Linux) using the name of the backup policy that you want to examine as identifier parameter and custom query filters to obtain the retention period that the selected policy configures for the instant recovery snapshots of its associated Azure virtual machine:

az backup policy show \
    --resource-group cloud-shell-storage-westeurope \
    --vault-name cc-main-backup-vault \
    --name ProductionPolicy \
    --query 'properties.instantRpRetentionRangeInDays'

07 The command output should return the number of days configured for instant restore retention period, within the selected backup policy:

2

If the retention period value returned by the backup policy show command output is not greater than or equal to the retention period identified at step no. 1, the Microsoft Azure virtual machine (VM) associated with the selected backup policy does not have a sufficient retention period configured for its instant recovery snapshots.

08 Repeat steps no. 6 and 7 for each Microsoft Azure virtual machine with a backup policy configured, deployed in the current subscription.

09 Repeat steps no. 2 – 8 for each subscription available in your Microsoft Azure cloud account.
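
The CLI audit steps above can be run as one pass over a vault. The following script is an added example, not code from Trend Micro or Microsoft: the function names are hypothetical, the required retention value is assumed to be the one noted at step no. 1, and only the az sub-commands and query paths shown above are used.

```bash
#!/usr/bin/env bash
# Added example, not Trend Micro or Microsoft code. Function names are
# hypothetical; the az sub-commands and --query paths are the ones used above.

# check_retention ACTUAL REQUIRED -> prints PASS, FAIL or UNKNOWN.
# UNKNOWN covers a policy that reports no numeric instant restore value.
check_retention() {
    case "$1" in
        ''|*[!0-9]*) echo "UNKNOWN"; return 0 ;;
    esac
    if [ "$1" -ge "$2" ]; then echo "PASS"; else echo "FAIL"; fi
}

# audit_vault RESOURCE_GROUP VAULT REQUIRED_DAYS
# Prints "<policy> <days> <verdict>" once per policy that protects an item.
# Returns 1 if any policy is not PASS.
audit_vault() {
    rg=$1; vault=$2; required=$3; status=0
    policies=$(az backup item list \
        --resource-group "$rg" \
        --vault-name "$vault" \
        --query '[*].properties.policyName' \
        --output tsv | sort -u)
    while IFS= read -r policy; do
        [ -n "$policy" ] || continue
        days=$(az backup policy show \
            --resource-group "$rg" \
            --vault-name "$vault" \
            --name "$policy" \
            --query 'properties.instantRpRetentionRangeInDays' \
            --output tsv < /dev/null)
        verdict=$(check_retention "$days" "$required")
        echo "$policy $days $verdict"
        [ "$verdict" = "PASS" ] || status=1
    done <<EOF
$policies
EOF
    return "$status"
}

# Runs only when called with three arguments, e.g.:
#   ./audit.sh cloud-shell-storage-westeurope cc-main-backup-vault 5
if [ "$#" -eq 3 ]; then audit_vault "$@"; fi
```

The non-zero return value when any policy falls short lets the script gate a scheduled compliance job.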

Remediation / Resolution

To reconfigure the instant restore retention period for your Microsoft Azure virtual machine snapshots, perform the following actions:

Using Azure Console

01 Sign in to your Cloud Conformity account, access Sufficient Instant Restore Retention Period conformity rule settings and copy the retention period configured for the specified rule.

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 Choose the Azure subscription that you want to access from the Subscription filter box.

05 From the Type filter box, select Virtual machine to list only the virtual machines launched in the selected subscription.

06 Click on the name of the Azure virtual machine that you want to reconfigure.

07 On the navigation panel, under Operations, select Backup to access the Azure Backup service configuration settings available for the selected virtual machine.

08 On the Backup page, under Summary, click on the name of the Azure Recovery Services vault associated with the selected VM to access the necessary backup vault.

09 In the navigation panel, under Manage, select Backup policies to access the vault's backup policies.

10 On the Backup policies page, click on the backup policy associated with the selected virtual machine (see Audit section part I to identify the right policy).

11 On the policy configuration page, within Instant Restore section, replace the value available in the Retain instant recovery snapshot(s) for box with the value copied at step no. 1, to change the instant restore retention period configured for the Azure virtual machine associated with the selected backup policy. Click Save to apply the configuration changes.

12 Repeat steps no. 6 – 11 for each Azure virtual machine (VM) that you need to reconfigure, available in the selected subscription.

13 Repeat steps no. 4 – 12 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access Sufficient Instant Restore Retention Period conformity rule settings and copy the retention period configured for the specified rule.

02 Run backup policy show command (Windows/macOS/Linux) using the name of the backup policy that you want to update as identifier parameter (see Audit section part II to identify the right backup policy), to list the configuration properties available for the selected policy:

az backup policy show \
    --resource-group cloud-shell-storage-westeurope \
    --vault-name cc-main-backup-vault \
    --name ProductionPolicy

03 The command output should return the requested configuration properties. This information is required later when the selected policy is updated with the correct retention period:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc-main-backup-vault/backupPolicies/ProductionPolicy",
  "location": null,
  "name": "ProductionPolicy",
  "properties": {
    "backupManagementType": "AzureIaasVM",
    "instantRPDetails": {},
    "instantRpRetentionRangeInDays": 2,
    "protectedItemsCount": 1,
    "retentionPolicy": {
      "dailySchedule": {
        "retentionDuration": {
          "count": 30,
          "durationType": "Days"
        },
        "retentionTimes": [
          "2019-10-31T00:00:00+00:00"
        ]
      },
      "monthlySchedule": null,
      "retentionPolicyType": "LongTermRetentionPolicy",
      "weeklySchedule": null,
      "yearlySchedule": null
    },
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunDays": null,
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": [
        "2019-10-31T00:00:00+00:00"
      ],
      "scheduleWeeklyFrequency": 0
    },
    "timeZone": "UTC"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupPolicies"
}

04 Update the backup policy returned at the previous step by replacing the instant restore retention period for virtual machine snapshots, available as value for the "properties.instantRpRetentionRangeInDays" configuration attribute (highlighted), with the value copied at step no. 1. Once the selected policy is updated, save the JSON document to a file named instant-recovery-backup-policy.json:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc-main-backup-vault/backupPolicies/ProductionPolicy",
  "location": null,
  "name": "ProductionPolicy",
  "properties": {
    "backupManagementType": "AzureIaasVM",
    "instantRPDetails": {},
    "instantRpRetentionRangeInDays": 5,
    "protectedItemsCount": 1,
    "retentionPolicy": {
      "dailySchedule": {
        "retentionDuration": {
          "count": 30,
          "durationType": "Days"
        },
        "retentionTimes": [
          "2019-10-31T00:00:00+00:00"
        ]
      },
      "monthlySchedule": null,
      "retentionPolicyType": "LongTermRetentionPolicy",
      "weeklySchedule": null,
      "yearlySchedule": null
    },
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunDays": null,
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": [
        "2019-10-31T00:00:00+00:00"
      ],
      "scheduleWeeklyFrequency": 0
    },
    "timeZone": "UTC"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupPolicies"
}

05 Run backup policy set command (Windows/macOS/Linux) using the name of the backup policy document defined at the previous step as value for the --policy parameter (i.e. instant-recovery-backup-policy.json) to update the selected backup policy in order to set the optimal instant restore retention period for the associated Azure virtual machine (VM):

az backup policy set \
    --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc-main-backup-vault/backupPolicies/ProductionPolicy" \
    --policy instant-recovery-backup-policy.json

06 The command output should return the configuration metadata for the modified policy:

{
  "eTag": null,
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.recoveryservices/vaults/cc-main-backup-vault/backupPolicies/ProductionPolicy",
  "location": null,
  "name": "ProductionPolicy",
  "properties": {
    "backupManagementType": "AzureIaasVM",
    "instantRPDetails": {},
    "instantRpRetentionRangeInDays": 5,
    "protectedItemsCount": 1,
    "retentionPolicy": {
      "dailySchedule": {
        "retentionDuration": {
          "count": 30,
          "durationType": "Days"
        },
        "retentionTimes": [
          "2019-10-31T00:00:00+00:00"
        ]
      },
      "monthlySchedule": null,
      "retentionPolicyType": "LongTermRetentionPolicy",
      "weeklySchedule": null,
      "yearlySchedule": null
    },
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunDays": null,
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": [
        "2019-10-31T00:00:00+00:00"
      ],
      "scheduleWeeklyFrequency": 0
    },
    "timeZone": "UTC"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "tags": null,
  "type": "Microsoft.RecoveryServices/vaults/backupPolicies"
}

07 Repeat steps no. 2 – 6 for each Azure virtual machine (VM) that you need to update, available in the current subscription.

08 If required, repeat steps no. 2 – 7 for each subscription created in your Microsoft Azure cloud account.
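
The show, edit and set sequence above, scripted for a single policy. This is an added example, not code from Trend Micro or Microsoft: the function names and the temporary file location are hypothetical, and it assumes the policy JSON carries the "instantRpRetentionRangeInDays" key once with an integer value, as in the output shown above. The 1 to 5 day check reflects the range stated at the top of this page.

```bash
#!/usr/bin/env bash
# Added example, not Trend Micro or Microsoft code. Function names are
# hypothetical; the az sub-commands and the JSON key are the ones on the page.

# valid_days N -> succeeds only for the 1-5 day range the rule text gives.
valid_days() {
    case "$1" in
        [1-5]) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads policy JSON on stdin and writes it back with the retention replaced.
# Assumes the key appears once with an integer value (see lead-in).
set_retention_in_json() {
    sed -E 's/("instantRpRetentionRangeInDays":[[:space:]]*)[0-9]+/\1'"$1"'/'
}

# remediate_policy RESOURCE_GROUP VAULT POLICY DAYS
# Prints the retention value reported back by `az backup policy set`.
remediate_policy() {
    rg=$1; vault=$2; policy=$3; days=$4
    valid_days "$days" || { echo "retention must be 1-5 days: $days" >&2; return 2; }
    file="${TMPDIR:-/tmp}/instant-recovery-backup-policy.$$.json"
    az backup policy show \
        --resource-group "$rg" \
        --vault-name "$vault" \
        --name "$policy" \
        | set_retention_in_json "$days" > "$file"
    # Refuse to push a document in which the substitution did not land.
    grep -Eq "\"instantRpRetentionRangeInDays\":[[:space:]]*$days([^0-9]|\$)" "$file" \
        || { rm -f "$file"; echo "key not found in policy JSON" >&2; return 3; }
    rc=0
    az backup policy set \
        --resource-group "$rg" \
        --vault-name "$vault" \
        --name "$policy" \
        --policy "$file" \
        --query 'properties.instantRpRetentionRangeInDays' \
        --output tsv || rc=$?
    rm -f "$file"
    return "$rc"
}

# Runs only when called with four arguments (resource group, vault, policy, days).
if [ "$#" -eq 4 ]; then remediate_policy "$@"; fi
```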

Publication date Jun 24, 2020
