如何使用 Azure API 管理中的服务备份和还原实现灾难恢复How to implement disaster recovery using service backup and restore in Azure API Management

通过 Azure API 管理来发布和管理 API,即可充分利用容错和基础结构功能,否则需手动设计、实现和管理这些功能。By publishing and managing your APIs via Azure API Management, you're taking advantage of fault tolerance and infrastructure capabilities that you'd otherwise design, implement, and manage manually. Azure 平台通过花费少量成本消除大量潜在故障。The Azure platform mitigates a large fraction of potential failures at a fraction of the cost.

若要从影响托管着 API 管理服务的区域的可用性问题中恢复,应随时准备好在另一区域中重建服务。To recover from availability problems that affect the region that hosts your API Management service, be ready to reconstitute your service in another region at any time. 根据恢复时间目标,你可能希望在一个或多个区域中保留备用服务。Depending on your recovery time objective, you might want to keep a standby service in one or more regions. 你还可以根据自己的恢复点目标,尝试将其配置和内容与活动服务保持同步。You might also try to maintain their configuration and content in sync with the active service according to your recovery point objective. 服务备份和还原功能为实现灾难恢复策略提供必要的构建基块。The service backup and restore features provides the necessary building blocks for implementing disaster recovery strategy.

备份和还原操作还可用于在操作环境(例如,开发环境和过渡环境)之间复制 API 管理服务配置。Backup and restore operations can also be used for replicating API Management service configuration between operational environments, e.g. development and staging. 请注意,运行时数据(如用户和订阅)也将被复制,这可能并不总是理想的。Beware that runtime data such as users and subscriptions will be copied as well, which might not always be desirable.

本指南介绍如何自动执行备份和还原操作,以及如何确保 Azure 资源管理器成功验证备份和还原请求。This guide shows how to automate backup and restore operations and how to ensure successful authenticating of backup and restore requests by Azure Resource Manager.

重要

还原操作不会更改目标服务的自定义主机名配置。Restore operation doesn't change custom hostname configuration of the target service. 我们建议对活动服务和备用服务使用相同的自定义主机名和 TLS 证书,以便在还原操作完成后,可以通过简单的 DNS CNAME 更改将流量重定向到备用实例。We recommend to use the same custom hostname and TLS certificate for both active and standby services, so that, after restore operation completes, the traffic can be re-directed to the standby instance by a simple DNS CNAME change.

备份操作不会捕获 Azure 门户的 Analytics 边栏选项卡上显示的报告中使用的预聚合日志数据。Backup operation does not capture pre-aggregated log data used in reports shown on the Analytics blade in the Azure portal.

警告

每个备份都会在 30 天后过期。Each backup expires after 30 days. 如果在 30 天有效期到期后尝试还原备份,还原会失败并显示 Cannot restore: backup expired 消息。If you attempt to restore a backup after the 30-day expiration period has expired, the restore will fail with a Cannot restore: backup expired message.

备注

本文进行了更新,以便使用新的 Azure PowerShell Az 模块。This article has been updated to use the new Azure PowerShell Az module. 你仍然可以使用 AzureRM 模块,至少在 2020 年 12 月之前,它将继续接收 bug 修补程序。You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. 若要详细了解新的 Az 模块和 AzureRM 兼容性,请参阅新 Azure Powershell Az 模块简介To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. 有关 Az 模块安装说明,请参阅安装 Azure PowerShellFor Az module installation instructions, see Install Azure PowerShell.

可用性Availability

重要

此功能在 API 管理的“高级”、“标准”、“基本”和“开发人员”层中可用。This feature is available in the Premium, Standard, Basic and Developer tiers of API Management.

对 Azure 资源管理器请求进行身份验证Authenticating Azure Resource Manager requests

重要

用于还原和备份的 REST API 使用 Azure 资源管理器,并且具有与用于管理 API 管理实体的 REST API 不同的身份验证机制。The REST API for backup and restore uses Azure Resource Manager and has a different authentication mechanism than the REST APIs for managing your API Management entities. 本部分中的步骤介绍如何对 Azure 资源管理器请求进行身份验证。The steps in this section describe how to authenticate Azure Resource Manager requests. 有关详细信息,请参阅对 Azure 资源管理器请求进行身份验证For more information, see Authenticating Azure Resource Manager requests.

使用 Azure 资源管理器对资源所进行的所有任务都必须使用以下步骤通过 Azure Active Directory 进行身份验证:All of the tasks that you do on resources using the Azure Resource Manager must be authenticated with Azure Active Directory using the following steps:

  • 向 Azure Active Directory 租户添加应用程序。Add an application to the Azure Active Directory tenant.
  • 为添加的应用程序设置权限。Set permissions for the application that you added.
  • 获取用于对 Azure 资源管理器的请求进行身份验证的令牌。Get the token for authenticating requests to Azure Resource Manager.

创建 Azure Active Directory 应用程序Create an Azure Active Directory application

  1. 登录到 Azure 门户Sign in to the Azure portal.

  2. 使用包含 API 管理服务实例的订阅导航到 Azure Active Directory 中的“应用注册”选项卡(Azure Active Directory > 管理/应用注册)。 Using the subscription that contains your API Management service instance, navigate to the App registrations tab in Azure Active Directory (Azure Active Directory > Manage/App registrations).

    备注

    如果 Azure Active Directory 默认目录对帐户不可见,请联系 Azure 订阅的管理员,要求他们向你的帐户授予必要的权限。If the Azure Active Directory default directory isn't visible to your account, contact the administrator of the Azure subscription to grant the required permissions to your account.

  3. 单击“新建应用程序注册” 。Click New application registration.

    此时将在右侧显示“创建”窗口。 The Create window appears on the right. 可以在其中输入 AAD 应用相关信息。That's where you enter the AAD app relevant information.

  4. 输入应用程序的名称。Enter a name for the application.

  5. 对于应用程序类型,选择“本机”。 For the application type, select Native.

  6. 输入占位符 URL,例如,为“重定向 URI” 输入 http://resources,因为它是必填字段,但以后不使用该值。Enter a placeholder URL such as http://resources for the Redirect URI, as it's a required field, but the value isn't used later. 单击此复选框以保存应用程序。Click the check box to save the application.

  7. 单击创建Click Create.

添加应用程序Add an application

  1. 创建应用程序后,单击“设置” 。Once the application is created, click Settings.

  2. 单击“所需权限” 。Click Required permissions.

  3. 单击“+添加” 。Click +Add.

  4. 按“选择 API” 。Press Select an API.

  5. 选择“Windows Azure 服务管理 API”。 Choose Windows Azure Service Management API.

  6. 按“选择” 。Press Select.

    添加权限

  7. 单击新添加的应用程序旁边的“委派的权限” ,选中“访问 Azure 服务管理(预览版)”复选框。 Click Delegated Permissions beside the newly added application, check the box for Access Azure Service Management (preview).

  8. 按“选择” 。Press Select.

  9. 单击“授予权限” 。Click Grant Permissions.

配置应用Configuring your app

在调用可生成备份并还原它的 API 之前,需获取令牌。Before calling the APIs that generate the backup and restore it, you need to get a token. 以下示例使用 Microsoft.IdentityModel.Clients.ActiveDirectory NuGet 包来检索令牌。The following example uses the Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package to retrieve the token.

using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;

namespace GetTokenResourceManagerRequests
{
    class Program
    {
        static void Main(string[] args)
        {
            var authenticationContext = new AuthenticationContext("https://login.partner.microsoftonline.cn/{tenant id}");
            var result = authenticationContext.AcquireTokenAsync("https://management.chinacloudapi.cn/", "{application id}", new Uri("{redirect uri}"), new PlatformParameters(PromptBehavior.Auto)).Result;

            if (result == null) {
                throw new InvalidOperationException("Failed to obtain the JWT token");
            }

            Console.WriteLine(result.AccessToken);

            Console.ReadLine();
        }
    }
}

根据以下说明替换 {tenant id}{application id}{redirect uri}Replace {tenant id}, {application id}, and {redirect uri} using the following instructions:

  1. {tenant id} 替换为已创建的 Azure Active Directory 应用程序的租户 ID。Replace {tenant id} with the tenant ID of the Azure Active Directory application you created. 可通过单击“应用注册” -> “终结点”访问此 ID。 You can access the ID by clicking App registrations -> Endpoints.

    终结点

  2. {application id} 替换为通过导航到“设置” 页面获得的值。Replace {application id} with the value you get by navigating to the Settings page.

  3. {redirect uri} 替换为 Azure Active Directory 应用程序“重定向 URI”选项卡上的值。 Replace the {redirect uri} with the value from the Redirect URIs tab of your Azure Active Directory application.

    指定这些值后,代码示例应返回类似于以下示例的令牌:Once the values are specified, the code example should return a token similar to the following example:

    令牌

    备注

    该令牌可能在一段时间后过期。The token may expire after a certain period. 再次执行示例代码以生成新令牌。Execute the code sample again to generate a new token.

调用备份和还原操作Calling the backup and restore operations

REST API 为 Api 管理服务 - 备份Api 管理服务 - 还原The REST APIs are Api Management Service - Backup and Api Management Service - Restore.

在调用以下部分中所述的“备份和还原”操作之前,为 REST 调用设置授权请求标头。Before calling the "backup and restore" operations described in the following sections, set the authorization request header for your REST call.

request.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + token);

备份 API 管理服务 Back up an API Management service

若要备份 API 管理服务问题,请发送以下 HTTP 请求:To back up an API Management service issue the following HTTP request:

POST https://management.azure.cn/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/backup?api-version={api-version}

其中:where:

  • subscriptionId - 订阅的 ID,该订阅包含的 API 管理服务是你尝试备份的subscriptionId - ID of the subscription that holds the API Management service you're trying to back up
  • resourceGroupName - Azure API 管理服务的资源组名称resourceGroupName - name of the resource group of your Azure API Management service
  • serviceName - 正在创建其备份的 API 管理服务的名称,在创建时指定serviceName - the name of the API Management service you're making a backup of specified at the time of its creation
  • api-version - 替换为 2018-06-01-previewapi-version - replace with 2018-06-01-preview

在请求正文中,指定目标 Azure 存储帐户名称、访问密钥、blob 容器名称和备份名称:In the body of the request, specify the target Azure storage account name, access key, blob container name, and backup name:

{
  "storageAccount": "{storage account name for the backup}",
  "accessKey": "{access key for the account}",
  "containerName": "{backup container name}",
  "backupName": "{backup blob name}"
}

Content-Type 请求标头的值设置为 application/jsonSet the value of the Content-Type request header to application/json.

备份是长时间运行的操作,可能需要数分钟才能完成。Backup is a long running operation that may take more than a minute to complete. 如果请求已成功且备份过程已开始,则会收到带有 Location 标头的 202 Accepted 响应状态代码。If the request succeeded and the backup process began, you receive a 202 Accepted response status code with a Location header. Location 标头中的 URL 发出“GET”请求以查明操作状态。Make 'GET' requests to the URL in the Location header to find out the status of the operation. 当备份正在进行时,将继续收到“202 已接受”状态代码。While the backup is in progress, you continue to receive a '202 Accepted' status code. 响应代码 200 OK 指示备份操作成功完成。A Response code of 200 OK indicates successful completion of the backup operation.

发出备份请求时请注意以下限制:Note the following constraints when making a backup request:

  • 请求正文中指定的容器 必须存在Container specified in the request body must exist.
  • 当备份正在进行时,请避免更改服务管理,例如 SKU 升级或降级、域名更改等。While backup is in progress, avoid changes in service management such as SKU upgrade or downgrade, change in domain name, and more.
  • 从创建时开始,备份还原仅保证 30 天Restore of a backup is guaranteed only for 30 days since the moment of its creation.
  • 用于创建分析报表的用法数据 不包括在备份中。Usage data used for creating analytics reports isn't included in the backup. 使用 Azure API 管理 REST API 定期检索分析报表以保证安全。Use Azure API Management REST API to periodically retrieve analytics reports for safekeeping.
  • 此外,以下项不是备份数据的一部分:自定义域 SSL 证书、客户上传的任何中间或根证书、开发人员门户内容和虚拟网络集成设置。In addition, the following items are not part of the backup data: custom domain SSL certificates and any intermediate or root certificates uploaded by customer, developer portal content, and virtual network integration settings.
  • 执行服务备份的频率将影响恢复点目标。The frequency with which you perform service backups affect your recovery point objective. 为了最大程度减少它,建议实施定期备份,以及在对 API 管理服务进行更改后执行按需备份。To minimize it, we recommend implementing regular backups and performing on-demand backups after you make changes to your API Management service.
  • 备份操作正在进行时对服务配置(例如 API、策略、开发人员门户外观)所做的更改 可能不包含在备份中,会丢失Changes made to the service configuration, (for example, APIs, policies, and developer portal appearance) while backup operation is in process might be excluded from the backup and will be lost.
  • 允许从控制平面访问 Azure 存储帐户。Allow access from control plane to Azure Storage Account. 客户应在其存储帐户上打开以下一组入站 IP 以进行备份。Customer should open the following set of Inbound IPs on their Storage Account for Backup.

    13.84.189.17/32、13.85.22.63/32、23.96.224.175/32、23.101.166.38/32、52.162.110.80/32、104.214.19.224/32、13.64.39.16/32、40.81.47.216/32、51.145.179.78/32、52.142.95.35/32、40.90.185.46/32、20.40.125.155/3213.84.189.17/32, 13.85.22.63/32, 23.96.224.175/32, 23.101.166.38/32, 52.162.110.80/32, 104.214.19.224/32, 13.64.39.16/32, 40.81.47.216/32, 51.145.179.78/32, 52.142.95.35/32, 40.90.185.46/32, 20.40.125.155/32

还原 API 管理服务 Restore an API Management service

若要从之前创建的备份还原 API 管理服务,请发出以下 HTTP 请求:To restore an API Management service from a previously created backup, make the following HTTP request:

POST https://management.azure.cnsubscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/restore?api-version={api-version}

其中:where:

  • subscriptionId - 订阅 ID,该订阅包含的 API 管理服务是需要将备份还原到其中的subscriptionId - ID of the subscription that holds the API Management service you're restoring a backup into
  • resourceGroupName - 资源组的名称,该资源组包含的 Azure API 管理服务是需要将备份还原到其中的resourceGroupName - name of the resource group that holds the Azure API Management service you're restoring a backup into
  • serviceName - 要将备份还原到其中的 API 管理服务的名称,在创建时指定serviceName - the name of the API Management service being restored into specified at its creation time
  • api-version - 替换为 2018-06-01-previewapi-version - replace with 2018-06-01-preview

在请求正文中,指定备份文件位置。In the body of the request, specify the backup file location. 也就是说,添加 Azure 存储帐户名称、访问密钥、Blob 容器名称和备份名称:That is, add the Azure storage account name, access key, blob container name, and backup name:

{
  "storageAccount": "{storage account name for the backup}",
  "accessKey": "{access key for the account}",
  "containerName": "{backup container name}",
  "backupName": "{backup blob name}"
}

Content-Type 请求标头的值设置为 application/jsonSet the value of the Content-Type request header to application/json.

还原是长时间运行的操作,可能需要长达 30 分钟或更长时间才能完成。Restore is a long running operation that may take up to 30 or more minutes to complete. 如果请求已成功且还原过程已开始,则会收到带有 Location 标头的 202 Accepted 响应状态代码。If the request succeeded and the restore process began, you receive a 202 Accepted response status code with a Location header. Location 标头中的 URL 发出“GET”请求以查明操作状态。Make 'GET' requests to the URL in the Location header to find out the status of the operation. 当还原正在进行时,将继续收到“202 已接受”状态代码。While the restore is in progress, you continue to receive '202 Accepted' status code. 响应代码 200 OK 指示还原操作成功完成。A response code of 200 OK indicates successful completion of the restore operation.

重要

要还原到的服务的 SKU 必须与正在还原的已备份服务的 SKU 匹配The SKU of the service being restored into must match the SKU of the backed-up service being restored.

还原操作正在进行时对服务配置(例如 API、策略、开发人员门户外观)所做的更改 可能会被覆盖Changes made to the service configuration (for example, APIs, policies, developer portal appearance) while restore operation is in progress could be overwritten.

备注

也可分别使用 PowerShell Backup-AzApiManagementRestore-AzApiManagement 命令,执行备份和还原操作。Backup and restore operations can also be performed with PowerShell Backup-AzApiManagement and Restore-AzApiManagement commands respectively.

后续步骤Next steps

有关备份/还原过程的不同演练,请查看以下资源。Check out the following resources for different walkthroughs of the backup/restore process.