This blog post primarily talks about how Azure Firewall and Azure Backup can be leveraged to provide comprehensive protection to your data. The former protects your network, while the latter backs up your data to the cloud. Azure Firewall, now generally available, is a cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. With Azure Firewall you can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. It uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network.
Backup of Azure Virtual Machines
In a typical scenario, you may have Azure Virtual Machines (VMs) running business-critical workloads behind an Azure Firewall. While this is an effective means of shielding your VMs against network threats, you would also want to protect your data in the VMs using Azure VM Backup. This further reduces the odds of being exposed to several risks. Azure Backup protects the data in your VMs by safely storing it in your Recovery Services Vault. This involves moving data from your virtual machine storage to the vault and requires a network. However, all of this communication is performed over the secure Azure backbone network, with no need for accessing your virtual networks. You don’t need to open any ports, shortlist any IPs, or grant any accesses to Azure Backup in your Azure Firewall. Hence, your backups will work under the enhanced security of Azure Firewall without having you perform any actions from your end.
It is worth noting that this capability extends to other security measures that can lock a VM down under network restrictions, for example, NSGs. Hence, backup of Azure VMs will work seamlessly irrespective of network restrictions applied at your end to help keep your data within selected networks and without having to perform any additional actions.
Backup of SQL Server running inside an Azure VM (in preview)
Backup of SQL Servers running inside an Azure VM requires the backup extension to communicate with the Azure Backup service in order to upload backup and emit monitoring information. This extension resides inside the virtual machine and requires network access. Hence, when backing up SQL Servers running inside Azure VMs, you would need to permit the Azure Backup service to access the workload. This is a simple process that makes sure the data is restricted to Azure Backup and maintains your desired level of security.
All you need to do is complete the following steps:
1. Navigate to your Azure Firewall.
2. Go to Rules and select the Application rule collection tab. Here you can create a new application rule collection, or edit existing ones in case you have created application rule collections before.
3. Create a rule with the following details in an existing or new Application Rule Collection, under the FQDN tags section.
Field | Value |
Priority | Enter an appropriate priority for the rule. |
Action | Select Allow from the dropdown. |
Name | Type a name for the rule. |
Source Addresses | Enter * in the text box if you want this rule to be applicable to VMs in all subnets within the scope of the Firewall. Else, specify the desired IP or IP ranges. |
FQDN Tags | Select AzureBackup from the dropdown |
The following is a sample rule for allowing Azure Backup to protect your SQL Servers in Azure VMs.
4. Select Add to create the aforementioned rule.
Once the rule is created, you can back up your databases inside the Azure Virtual Machine without any interruptions. All while making sure it is protected by Azure Firewall from any external threats. For more on backing up your SQL Servers in Azure virtual machines, please read the blog, “Azure Backup for SQL Server on Azure now in public preview.”
Azure Backup and Azure Firewall complement each other well to provide a complete protection to your resources and data in Azure. You do not need any special configurations or infrastructure to reap benefits of using both services together. Read about backing up Azure Virtual Machines and backing up SQL servers inside Azure Virtual Machines for more details.
Leave a Reply