Back up an encrypted Azure virtual machine with PowerShell

This script creates a Recovery Services vault with geo-redundant storage (GRS) for an encrypted Azure virtual machine. The default protection policy is applied to the vault. The policy generates a daily backup for the virtual machine, and retains each backup for 365 days. The script also triggers the initial recovery point for the virtual machine and retains that recovery point for 30 days.

This sample requires Azure PowerShell Az 1.0 or later. Run Get-Module -ListAvailable Az to see which versions are installed. If you need to install, see Install Azure PowerShell module.

Run Connect-AzAccount -Environment AzureChinaCloud to sign in to Azure.

If you don't have an Azure subscription, create a trial account before you begin.

Sample script

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

# Edit these global variables with your unique Recovery Services Vault name, resource group name and location
$rsVaultName = "myRsVault"
$rgName = "myResourceGroup"
$location = "China North"

# Register the Recovery Services provider and create a resource group
Register-AzResourceProvider -ProviderNamespace "Microsoft.RecoveryServices"
New-AzResourceGroup -Location $location -Name $rgName

# Create a Recovery Services Vault and set its storage redundancy type
New-AzRecoveryServicesVault `
    -Name $rsVaultName `
    -ResourceGroupName $rgName `
    -Location $location 
$vault1 = Get-AzRecoveryServicesVault –Name $rsVaultName
Set-AzRecoveryServicesProperties ` 
    -Vault $vault1 `
    -BackupStorageRedundancy GeoRedundant
    
# Set Recovery Services Vault context and create protection policy
Get-AzRecoveryServicesVault -Name $rsVaultName | Set-AzRecoveryServicesVaultContext 
$schPol = Get-AzRecoveryServicesSchedulePolicyObject -WorkloadType "AzureVM"
$retPol = Get-AzRecoveryServicesRetentionPolicyObject -WorkloadType "AzureVM"
New-AzRecoveryServicesProtectionPolicy `
    -Name "NewPolicy" `
    -WorkloadType "AzureVM" ` 
    -RetentionPolicy $retPol `
    -SchedulePolicy $schPol
    
# Provide permissions to Azure Backup to access key vault and enable backup on the VM
Set-AzKeyVaultAccessPolicy `
    -VaultName "KeyVaultName" `
    -ResourceGroupName "KyeVault-RGName" ` 
    -PermissionsToKeys backup,get,list `
    -PermissionsToSecrets backup,get,list ` 
    -ServicePrincipalName 262044b1-e2ce-469f-a196-69ab7ada62d3
$pol = Get-AzRecoveryServicesProtectionPolicy -Name "NewPolicy" `
Enable-AzRecoveryServicesProtection `
    -Policy $pol `
    -Name "myVM" `
    -ResourceGroupName "VM-RGName" 
    
# Modify protection policy
$retPol = Get-AzRecoveryServicesRetentionPolicyObject -WorkloadType "AzureVM"
$retPol.DailySchedule.DurationCountInDays = 365
$pol = Get-AzRecoveryServicesProtectionPolicy -Name "NewPolicy"
Set-AzRecoveryServicesProtectionPolicy `
    -Policy $pol `
    -RetentionPolicy $RetPol
    
# Trigger a backup and monitor backup job
$namedContainer = Get-AzRecoveryServicesContainer -ContainerType "AzureVM" -Status "Registered" -FriendlyName "myVM"
$item = Get-AzRecoveryServicesBackupItem -Container $namedContainer -WorkloadType "AzureVM"
$job = Backup-AzRecoveryServicesBackupItem -Item $item
$joblist = Get-AzRecoveryServicesJob -Status "InProgress"
Wait-AzRecoveryServicesJob `
        -Job $joblist[0] `
        -Timeout 43200

Clean up deployment

Run the following command to remove the resource group, VM, and all related resources.

Remove-AzResourceGroup -Name myResourceGroup

Script explanation

This script uses the following commands to create the deployment. Each item in the table links to command specific documentation.

Command Notes
New-AzResourceGroup Creates a resource group in which all resources are stored.
New-AzRecoveryServicesVault Creates a Recovery Services vault to store backups.
Set-AzRecoveryServicesBackupProperty Sets backup storage properties on Recovery Services vault.
New-AzRecoveryServicesBackupProtectionPolicy Creates protection policy using schedule policy and retention policy in Recovery Services vault.
Set-AzKeyVaultAccessPolicy Sets permissions on the Key Vault to grant the service principal access to encryption keys.
Enable-AzRecoveryServicesBackupProtection Enables backup for an item with a specified Backup protection policy.
Set-AzRecoveryServicesBackupProtectionPolicy Modifies an existing Backup protection policy.
Backup-AzRecoveryServicesBackupItem Starts a backup for a protected Azure Backup item that isn't tied to the backup schedule.
Wait-AzRecoveryServicesBackupJob Waits for an Azure Backup job to finish.
Remove-AzResourceGroup Removes a resource group and all resources contained within.

Next steps

For more information on the Azure PowerShell module, see Azure PowerShell documentation.