Audit and enforce backup for Managed Disks using Azure Policy

One of the key responsibilities of a Backup or Compliance Admin in an organization is to ensure that all business-critical machines are backed up with the appropriate retention.

Today, Azure Backup provides various built-in policies (using Azure Policy) to help you automatically ensure that your Azure Managed Disks are configured for backup. Depending on how your backup teams and resources are organized, you can use any one of the below policies:

Use an audit-only policy to identify disks which don't have backup enabled. However, this policy doesn't automatically configure backups for these disks. It is useful when you're only looking to evaluate the overall compliance of the disks but not looking to take action immediately.

A central backup team of an organization can use this policy to configure backup to an existing central Backup vault in the same subscription and location as the Managed Disks being governed. You can choose to include Disks that contain a certain tag, in the scope of this policy.

This policy works the same as Policy 2 above, with the only difference being that you can use this policy to exclude Disks that contain a certain tag, from the scope of this policy.

Before you audit and enforce backups for AKS clusters, see the following scenarios supported:

• The built-in policy is currently supported only for Azure Managed Disks. Ensure that the Backup Vault and backup policy specified during assignment is a Disk backup policy.

• The Policies 2 and 3 can be assigned to a single location and subscription at a time. To enable backup for Disks across locations and subscriptions, multiple instances of the policy assignment need to be created, one for each combination of location and subscription.

• For the Policies 1, 2 and 3, management group scope is currently unsupported.

• For the Policies 2 and 3, the specified vault and the disks configured for backup can be under different resource groups.

The below steps describe the end-to-end process of assigning Policy 2: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region . Similar instructions are applicable for the other policies. Once assigned, any new Managed Disk created in the scope is automatically configured for backup.

To assign Policy 2, follow these steps:

1. Sign in to the Azure portal and navigate to the Policy Dashboard.

2. Select Definitions in the left menu to get a list of all built-in policies across Azure Resources.

3. Filter the list for Category=Backup and select the policy named Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region.

4. Select the name of the policy. You're then redirected to the detailed definition for this policy.

5. Select the Assign button at the top of the pane. This redirects you to the Assign Policy pane.

6. Under Basics, select the three dots next to the Scope field. It opens up a right context pane where you can select the subscription for the policy to be applied on. You can also optionally select a resource group, so that the policy is applied only for Disks in a particular resource group.

7. In the Parameters tab, choose a location from the drop-down, and select the vault, backup policy to which the Disks in the scope must be associated, and resource group where these disk snapshots are stored. You can also choose to specify a tag name and an array of tag values. A Disk that contains any of the specified values for the given tag is included in the scope of the policy assignment.

8. Ensure that Effect is set to deployIfNotExists.

9. Navigate to Review+create and select Create.

Learn more about Azure Policy