• Home
  • Blog
  • Technical
  • Three ways to protect your customer’s on-premises data with Azure: Part 2 – Azure Backup Server

Three ways to protect your customer’s on-premises data with Azure: Part 2 – Azure Backup Server

Back to Blog
28Nov2017

Three ways to protect your customer’s on-premises data with Azure: Part 2 – Azure Backup Server

In the previous post, we looked at Azure Backup using the MARS agent, which can only do file, folder & system state data, and must be configured on the local machine. As you may already be aware, there are no local backup copies in that solution–you would need to provide for your own separately if that were a requirement (and it usually is). Furthermore, you cannot use it to backup application data such as SQL and Exchange databases, or virtual machine data from Hyper-V or VMware.

Today we will look at Microsoft Azure Backup Server (MABS), which will solve all of these pieces. This solution is a watered down (and free) version of Microsoft’s Data Protection Manager software–which is otherwise prohibitively expensive for many SMB’s (it is sold in the System Center suite of products). I have previously described how to set this product up on this blog.

Image credit: Alex Fields, ITProMentor.com

In this solution, you will need a small appliance or server with some cheap SATA storage: about 1.5-2x whatever is the aggregate of your production servers. You can download and install the Azure Backup Server software to this appliance, and configure it to backup your on-premises workloads. You can use it to backup entire virtual machines (Hyper-V AND VMware), as well as SQL and Exchange data. So in case you were wondering, the answer is yes: you can do bare metal restores with this solution, folks.

How does it work?

The way it works is simple: MABS will use Data Protection Manager (DPM) agents on the local servers that you are backing up, and it will itself contain a MARS agent for pairing up to an Azure Recovery Vault. Similar to the MARS setup, you need to provide vault credentials to get this relationship all setup, and then you can easily choose your own retention settings and so forth.

For a detailed step-by-step, see my walk-through, and this document from Azure, which is what I follow when setting this up.

Pricing considerations

The Azure Backup Server follows the same pricing model as Azure Backup, where you pay per instance (instance=something you are backing up, like an individual server or workstation) and based on how much storage you consume. It is actually quite affordable. See Azure’s pricing details and calculator.

It is also worth noting that running Azure Backup Server will require a Windows Server License, not unlike running a “BDR” appliance, if you are familiar with those solutions (usually sold bundled with some third-party software & licensing).

You could even have two tiers of storage attached to this server, if you wanted to enable the Hyper-V role and use some faster disks for restoring & running VM’s for example. Yes: this would cost a little extra, but probably still be competitive with your BDR appliance–most likely cheaper.

Retention 

Again, as with the MARS solution we looked at before, retention is phenomenal for cloud storage (9,999 retention points at the time of this writing).  The only downside/catch here is that they limit you to two backups per day with Azure Backup Server (it is three per day with Azure Backup/MARS agent).

However, by default, the MABS server will only want to hold on to a very small amount of data on-premises: 5 days out of the box. The point of having the most recent images on-premises is in case you’d need to restore something more quickly / in a short time frame (don’t have to wait for a download from Azure before starting restore).

Therefore, the RTO is excellent in certain scenarios–hours not days, provided you have hardware to restore to. The RPO, of course, is limited by those two backups per day–so in a typical 8 hour workday, maybe 4 (business) hours.

Other considerations

This solution solves a lot of problems, and I’m honestly surprised by its low adoption rate so far. I think this is mostly owed to the fact that nobody seems to know it exists. The other factor at play, is that service providers aren’t really incentivized to sell it;  it can be argued that it would make our jobs more difficult since it is impossible to get a view or reports across all of our customers in the present iteration. But if service providers could solve this, even with their own tools and practices, it would be a huge win for them, in my opinion.

You can quickly restore entire workloads or individual files/folders on-premises from the MABS server, or, you can (if needed) refer to the cloud vault and restore your data from there. This is all seamless from the Azure Backup Server console.

Key takeaway: I would still recommend a monitoring/reporting solution be paired up with this; something that would allow you to manage multiple customers’ instances, and scale more easily. What logic could you build into your existing monitoring agents to take this to the next level for you?

Technical , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

08Sep

2016 Essentials Integration: Azure Virtual Network, part 2

In the previous post, we enabled the Windows Server Essentials integration with Azure Virtual Network, and configured a virtual network in the cloud with a Site-to-site VPN right from our Dashboard. While we wait for the connection to become active, we can deploy a virtual... read more
Limitations with MDB Standalone
02Jun

What are the limitations with Microsoft Defender for Business Standalone?

Most of my readers will already be familiar with Microsoft Defender for Business (MDB), which is included with Microsoft 365 Business Premium. And a majority of those will be deploying MDB as one part of a broader security solution which includes other services within the... read more
08Apr

Managing Hybrid Exchange environments: a Cheat Sheet

Office 365 Exchange Online is pretty simple to manage if you are a "cloud-only" organization. Especially now that many edits can be made easily via the Microsoft 365 admin center, without even going into the Exchange Online admin area, separately. But, for those of us who... read more
Can Windows 365 be a PAW?
06Jun

Can I use Windows 365 as a Privileged Access Workstation?

It has been a while since we did a question from a reader. This one has been in my inbox for a while now, but since I just recently covered Windows 365 with our peer group, my offline conversation from a few months ago came... read more
11Apr

New ransomware variant also finds & deletes backups?!

I recently came across this forum thread on Veeam's website, which scared the crap out of me. Coincidentally, Veeam published this article the same day. If these reports are accurate, then it means most organizations have some work to do to better secure themselves against... read more
27Aug

How to configure Advanced Threat Protection (ATP) part 3: safe links

This will be our last post in this series on Advanced Threat Protection (ATP). We have previously covered anti-phishing policies and safe attachments. Now we will consider safe links. Safe links are basically just taking hyperlinks which exist in Exchange email messages or other content in... read more
21Jan

How-to Complete your Office 365 Setup and Exchange E-Mail Migration

When setting up a new Office 365 tenancy or migrating from an on-premises or hosted Email system to Office 365, one last step will be to add all the necessary DNS records to your DNS zone file, and then make the appropriate changes to your... read more
24Sep

Using Security & Compliance Center to manage retention policies

Today I want to discuss retention policies, which can be administered via the Security & Compliance admin center in Microsoft 365 / Office 365. Retention policies exist to protect and/or purge (delete) certain types of information. Some organizations have very strict archive and retention policies... read more
14Mar

Office 365 Email encryption vs. Rights Management templates

This is a four-part post on Azure Rights Management for Office 365. The Azure RMS service is a powerful tool that we can use to prevent data leakage and share information securely with users inside & outside of the organization. Follow along as we explore how to: Activate Azure Rights Management... read more
19Oct

Azure Virtual Network: What is the difference between Policy-based and Route-based VPN?

You want to configure a Site-to-Site (S2S) VPN tunnel from an on-premises hardware VPN device, such as your firewall, and an Azure Virtual Network. For this, you require several objects in Azure. One of those is a "virtual network gateway"--which is basically just a software... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me