Wenenu

Azure Backup VM test step

The Azure Backup VM test step restores and deletes backed up Azure virtual machines from a recovery vault. It is always added to the step list as a pair of test steps, one for restoring the virtual machines and one for deleting them. Other test steps between the start and stop steps can be used to test the restored virtual machines.

Virtual machines restored by the test step generate Wenenu usage charges. See our pricing page for the details. A virtual machine restored from the same protected item multiple times in the same monthly billing period generates charges only once.

When the start step is executed, the selected Azure virtual machine protected items are restored in the given virtual network. The restored virtual machines are placed in the specified resource group. A staging location, which is an Azure storage account, must be specified that is used by Azure during the restore. Every restored VM is placed into the specified subnet of the target virtual network. The restore uses the last available restore point for every protected item. If there is no restore point for the protected item, the restore of that item is skipped.

Azure enforces a 15 character limit on the name of the restored virtual machines. Because of this limitation, the name of the restored virtual machine does not contain the name of the backed-up virtual machine. The name of the restored VM is wenenu-<identifier>. The name change only applies to the Azure resource name of the VM, the hostname is unchanged.

Users can select subnets in the target virtual network to instruct Wenenu to start test agent virtual machines in those subnets. The started test agents can be used as an execution point for subsequent test steps. The test agent virtual machines run Ubuntu 18.04-LTS and they are Standard_D2_v3 size with a single NIC and OS disk. They will be placed in the same resource group in which the restored VMs are placed with the name of wenenu-testagent-<identifier>.

When the stop step is executed, Wenenu first deletes the test agent virtual machines and then deletes the restored virtual machines. Wenenu also deletes all the network interfaces, managed disks and public IP addresses associated with the restored VMs.

If additional network interfaces, managed disks or IP addresses are associated with the VMs after they are restored, Wenenu will try to delete them too.

The step uses an Azure Service Principal service connector to communicate with the Azure ARM API. The service principal must have the appropriate Azure rights to restore and delete the selected virtual machines as well as to start and stop test agent VMs if necessary.

This test step is executed by special Wenenu agents, it is not required to specify a test agent for the place of execution. This way the credentials of the used service connector never leave our secure environment.

The created cloud resources generate Azure charges. Wenenu implements a robust retry mechanism to ensure the cleanup of the Azure resources, but despite all of our efforts, errors, for example, network segregation or hardware failure can prevent the cleanup of resources. As a best practice, users should check whether the Azure resources are cleaned up if a start or stop step ends with failure.

Service connector Azure permissions

The service connector used by the test step must have the following Azure built-in roles for the different cloud resources. Alternatively, users can create custom roles with the listed permissions for more fine-grained access control.

Resource	Built-in role	Custom role permissions
Recovery vault	Backup Operator	Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read
Source (backed up) VM	Virtual Machine Contributor	Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/write
Target resource group	Contributor	Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/subscriptions/resourceGroups/write Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/write Microsoft.Compute/virtualMachines/delete Microsoft.Compute/disks/delete Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/delete Microsoft.Network/publicIPAddresses/delete Microsoft.Network/networkInterfaces/write¹ Microsoft.Network/networkInterfaces/join/action¹ Microsoft.Compute/virtualMachines/runCommand/action¹
Staging location	Storage Account Contributor	Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/write
Virtual network	Network Contributor	Microsoft.Network/virtualNetworks/read Microsoft.Network/networkInterfaces/write Microsoft.Network/virtualNetworks/subnets/join/action

Resource

Built-in role

Custom role permissions

Recovery vault

Backup Operator

Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read

Source (backed up) VM

Virtual Machine Contributor

Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write

Target resource group

Contributor

Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/write
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachines/delete
Microsoft.Compute/disks/delete
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/networkInterfaces/write¹
Microsoft.Network/networkInterfaces/join/action¹
Microsoft.Compute/virtualMachines/runCommand/action¹

Staging location

Storage Account Contributor

Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write

Virtual network

Network Contributor

Microsoft.Network/virtualNetworks/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/virtualNetworks/subnets/join/action

¹ The permission is needed only if the test step starts test agent(s)

UI settings

Figure 1. Azure Backup VM step UI settings

Arbitrary name of the test step up to 64 characters

List of the available Azure Service Principal service connectors. Selecting one populates the available subscriptions.

List of the available subscriptions to which the selected service connector has access. After selecting one, the available recovery vaults and resource groups are populated.

List of the available recovery vaults in the selected subscription to which the service connector has access. Selecting one populates the target virtual networks and staging locations.

List of the available resource groups in the selected subscription to which the service connector has access. The restored VMs will be placed in the selected resource group.

List of the storage accounts in the same subscription and location as the selected recovery vault. The selected storage acocunt will be used as staing location during VM restores.

List of Azure virtual networks in the same subscription and location as the selected recovery vault. Restored VMs will be placed in the selected virtual network.

List of Azure subnets in the selected virtual network. Users can select subnets and Wenenu will start a test agent virtual machine in the selected subnets when the step is executed.

List of the Azure Virtual Machine protected items that will be restored when the step executes.

The Azure friendly name of the protected item

The virtual machine will be restored into the selected subnet of the taget virtual netowork.

JSON

Example JSON object of an Azure Backup VM start step:

{
  "displayName": "Azure Backup VM test step", 
  "type": "azbackupvm", 
  "id": "e0531619-1163-4265-ab66-91519a4a15d2", 
  "endStepId": "1005e3c6-492b-4cdd-9594-d86c6ab3bde3", 
  "serviceConnectorId": "e17af98a-2bff-4bed-8834-fdd6ff726985", 
  "resourceGroupId": "/subscriptions/c0748b16-3a1a-45fa-acbd-dc0f684fbe84/resourceGroups/wenenu-tutorial", 
  "vnetId": "/subscriptions/c0748b16-3a1a-45fa-acbd-dc0f684fbe84/resourceGroups/wenenu-tutorial/providers/Microsoft.Network/virtualNetworks/wenenu-tutorial-vnet", 
  "stagingLocationId": "/subscriptions/c0748b16-3a1a-45fa-acbd-dc0f684fbe84/resourceGroups/wenenu-frank-tests/providers/Microsoft.Storage/storageAccounts/wenenustoragefranktest", 
  "location": "northeurope", 
  "protectedItems": [ 
    {
      "protectedItemId": "/subscriptions/c0748b16-3a1a-45fa-acbd-dc0f684fbe84/resourceGroups/wenenu-tutorial/providers/Microsoft.RecoveryServices/vaults/wenenu-tutorial-north/backupFabrics/Azure/protectionContainers/IaasVMContainer;iaasvmcontainerv2;wenenu-tutorial;db1/protectedItems/VM;iaasvmcontainerv2;wenenu-tutorial;db1", 
      "sourceResourceId": "/subscriptions/c0748b16-3a1a-45fa-acbd-dc0f684fbe84/resourceGroups/wenenu-tutorial/providers/Microsoft.Compute/virtualMachines/db1", 
      "subnetId": "/subscriptions/bf61d717-736f-4c61-a0a6-362fe5e60a89/resourceGroups/wenenu-tutorial/providers/Microsoft.Network/virtualNetworks/wenenu-tutorial-vnet/subnets/db" 
    },
    {
      "protectedItemId": "/subscriptions/c0748b16-3a1a-45fa-acbd-dc0f684fbe84/resourceGroups/wenenu-tutorial/providers/Microsoft.RecoveryServices/vaults/wenenu-tutorial-north/backupFabrics/Azure/protectionContainers/IaasVMContainer;iaasvmcontainerv2;wenenu-tutorial;web1/protectedItems/VM;iaasvmcontainerv2;wenenu-tutorial;web1", 
      "sourceResourceId": "/subscriptions/c0748b16-3a1a-45fa-acbd-dc0f684fbe84/resourceGroups/wenenu-tutorial/providers/Microsoft.Compute/virtualMachines/web1", 
      "subnetId": "/subscriptions/bf61d717-736f-4c61-a0a6-362fe5e60a89/resourceGroups/wenenu-tutorial/providers/Microsoft.Network/virtualNetworks/wenenu-tutorial-vnet/subnets/web" 
    }
  ],
  "subnetIds": [ 
    "/subscriptions/c0748b16-3a1a-45fa-acbd-dc0f684fbe84/resourceGroups/wenenu-tutorial/providers/Microsoft.Network/virtualNetworks/wenenu-tutorial-vnet/subnets/db",
    "/subscriptions/c0748b16-3a1a-45fa-acbd-dc0f684fbe84/resourceGroups/wenenu-tutorial/providers/Microsoft.Network/virtualNetworks/wenenu-tutorial-vnet/subnets/web"
  ]
}

	Arbitrary name of the test step up to 64 characters
	Type of the test step, must be 'azbackupvm'
	Version 4 unique identifier of the test step, must be unique within the test scenario
	Version 4 unique identifier of step that deletes the restored VMs
	Wenenu identifier of the Azure Service Principal service connector that is used to communicate with the Azure API
	Azure identifier of the resource group in which the Azure VMs will be restored
	Azure identifier of the virtual network in which the restored VMs will join
	Azure identifier of the storage account that will be used as staging location for the VM restores
	Azure location of the recovery vault from which the VMs will be restored
	List of protected item objects that will be restored
	Azure identifier of the protected item that will be restored
	Azure identifier of the virtual machine that is backed up by the protected item
	Azure identifier of the subnet in which the restored VM will be placed
	List of the Azure subnet identifiers of the target virtual network in which Wenenu will place a test agent VM

Example JSON object of an Azure Backup VM stop step

{
  "displayName": "Stop: Azure Backup VM test step", 
  "type": "stopazbackupvm", 
  "id": "1005e3c6-492b-4cdd-9594-d86c6ab3bde3", 
  "startStepId": "e0531619-1163-4265-ab66-91519a4a15d2" 
}

	Arbitrary name of the test step up to 64 characters
	Type of the test step, must be 'stopazbackupvm'
	Version 4 unique identifier of the test step, must be unique within the test scenario
	Version 4 unique identifier of the corresponding Azure Backup VM start step

Essential cookies
Analytics cookies