Infrastructure Backup Service best practices

Follow these best practices when you deploy and manage Azure Stack Hub to help mitigate data loss if there's a catastrophic failure.

Review the best practices regularly to verify that your installation is still in compliance when changes are made to the operation flow. If you come across any issues while implementing these best practices, contact Azure Support for help.

Configuration best practices


Enable Infrastructure Backup after deployment of each Azure Stack Hub Cloud. Using Azure Stack Hub PowerShell, you can schedule backups from any client/server with access to the operator management API endpoint.


The Universal Naming Convention (UNC) string for the path must use a fully qualified domain name (FQDN). An IP address can be used if name resolution isn't possible. A UNC string specifies the location of resources such as shared files or devices.


Version 1901 and newer

The encryption certificate is used to encrypt backup data that gets exported to external storage. The certificate can be a self-signed certificate since the certificate is only used to transport keys. Refer to New-SelfSignedCertificate for more info on how to create a certificate.

The key must be stored in a secure location (for example, global Azure Key Vault certificate). The CER format of the certificate is used to encrypt data. The PFX format must be used during cloud recovery deployment of Azure Stack Hub to decrypt backup data.
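The CER/PFX split described above can be produced and checked as follows. This is an added example, not code from the original page; the folder, file names and DNS name are hypothetical placeholders.

```powershell
# Added example: folder, file names and DNS name are hypothetical placeholders.
$certDir = 'C:\BackupCerts'
$cerPath = Join-Path $certDir 'AzSBackup.cer'
$pfxPath = Join-Path $certDir 'AzSBackup.pfx'
New-Item -Path $certDir -ItemType Directory -Force | Out-Null

# Self-signed is acceptable here: the certificate only transports keys.
$cert = New-SelfSignedCertificate `
    -DnsName 'azsbackup.contoso.com' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048

# CER = public certificate only; this is the file used to encrypt backup data.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# PFX = certificate plus private key; required to decrypt at cloud recovery.
$pfxPassword = Read-Host -Prompt 'Password for the PFX' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Check both files before relying on them: same certificate, key only in the PFX.
$type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$cer  = New-Object -TypeName $type -ArgumentList $cerPath
$pfx  = New-Object -TypeName $type -ArgumentList $pfxPath, $pfxPassword
if ($cer.HasPrivateKey)                  { throw 'CER unexpectedly contains a private key.' }
if (-not $pfx.HasPrivateKey)             { throw 'PFX has no private key; recovery would fail.' }
if ($cer.Thumbprint -ne $pfx.Thumbprint) { throw 'CER and PFX are different certificates.' }
"Thumbprint $($cer.Thumbprint), expires $($cer.NotAfter.ToString('yyyy-MM-dd'))"

# Once the PFX and its password are in the secure location, remove the local
# private key and PFX so the stored copy is the only one able to decrypt.
# Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
# Remove-Item -Path $pfxPath
```

The two cleanup commands are left commented out so that nothing is deleted before the PFX has been stored and a test retrieval has succeeded.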


1811 and older

The encryption key is used to encrypt backup data that gets exported to external storage. The key is generated as part of enabling backup for Azure Stack Hub with PowerShell.

The key must be stored in a secure location (for example, global Azure Key Vault secret). This key must be used during redeployment of Azure Stack Hub.


Operational best practices


  • Backup jobs execute while the system is running so there's no downtime to the management experiences or user apps. Expect the backup jobs to take 20-40 minutes for a solution that's under reasonable load.
  • Automatic backups will not start during patch and update and FRU operations. Scheduled backup jobs will get skipped by default. On-demand requests for backups are blocked as well during these operations.
  • Following OEM-provided instructions, store the manual backups of network switches and the hardware lifecycle host (HLH) on the same backup share where the Infrastructure Backup Controller stores control plane backup data. Consider storing switch and HLH configurations in the region folder. If you have multiple Azure Stack Hub instances in the same region, consider using an identifier for each configuration that belongs to a scale unit.

Folder Names

  • Infrastructure creates the MASBACKUP folder automatically. This is a Microsoft-managed share. You can create shares at the same level as MASBACKUP. It's not recommended to create folders or store data inside of MASBACKUP that Azure Stack Hub doesn't create.
  • Use the FQDN and region in your folder name to differentiate backup data from different clouds. The FQDN of your Azure Stack Hub deployment and endpoints is the combination of the Region parameter and the External Domain Name parameter. For more info, see Azure Stack Hub datacenter integration - DNS.

For example, the backup share is AzSBackups hosted on fileserver01.contoso.com. In that file share there may be a folder per Azure Stack Hub deployment using the external domain name and a subfolder that uses the region name.

FQDN: contoso.com
Region: nyc
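The naming rules above (FQDN or IP address in the UNC string, external domain name and region as folders, nothing extra inside MASBACKUP) can be enforced in a small helper. This is an added example, not code from the original page; the function name Get-AzSBackupPath and the subfolder names 'HLH' and 'Switches' are hypothetical, and the IP check is limited to IPv4.

```powershell
# Added example. Get-AzSBackupPath and the 'HLH'/'Switches' names are hypothetical.
function Get-AzSBackupPath {
    param(
        [Parameter(Mandatory)][string]$FileServer,     # FQDN, or IPv4 if names can't resolve
        [Parameter(Mandatory)][string]$Share,
        [Parameter(Mandatory)][string]$ExternalDomain,
        [Parameter(Mandatory)][string]$Region,
        [string]$SubFolder                             # optional folder under the region
    )
    $ip     = $null
    $isIpv4 = $FileServer -match '^\d{1,3}(\.\d{1,3}){3}$' -and
              [System.Net.IPAddress]::TryParse($FileServer, [ref]$ip)
    $isFqdn = $FileServer -match '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    if (-not ($isIpv4 -or $isFqdn)) {
        throw "'$FileServer' is not an FQDN or IPv4 address (short names are rejected)."
    }
    # Folder names must not smuggle in separators or relative segments.
    foreach ($part in @($Share, $ExternalDomain, $Region, $SubFolder)) {
        if ($part -match '[\\/:*?"<>|]' -or $part -match '^\.+$') {
            throw "Invalid folder name '$part'."
        }
    }
    # MASBACKUP belongs to Azure Stack Hub; other data goes beside it.
    if ($SubFolder -eq 'MASBACKUP') {
        throw 'MASBACKUP is managed by Azure Stack Hub; keep other data beside it.'
    }
    $path = "\\$FileServer\$Share\$ExternalDomain\$Region"
    if ($SubFolder) { $path = "$path\$SubFolder" }
    $path
}

# Values taken from the page's example: share AzSBackups, FQDN contoso.com, region nyc.
$cloud = @{ FileServer = 'fileserver01.contoso.com'; Share = 'AzSBackups'
            ExternalDomain = 'contoso.com'; Region = 'nyc' }
Get-AzSBackupPath @cloud
'HLH', 'Switches' | ForEach-Object { Get-AzSBackupPath @cloud -SubFolder $_ }

# A short server name and a write into MASBACKUP are both refused.
try { Get-AzSBackupPath -FileServer 'fileserver01' -Share 'AzSBackups' -ExternalDomain 'contoso.com' -Region 'nyc' }
catch { "Rejected: $($_.Exception.Message)" }
try { Get-AzSBackupPath @cloud -SubFolder 'MASBackup' }
catch { "Rejected: $($_.Exception.Message)" }
```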


The MASBackup folder is where Azure Stack Hub stores its backup data. Don't use this folder to store your own data. OEMs shouldn't use this folder to store any backup data either.

OEMs are encouraged to store backup data for their components under the region folder. Each network switch, hardware lifecycle host (HLH), and so on, may be stored in its own subfolder. For example:



The following alerts are supported by the system:

| Alert | Description | Remediation |
|---|---|---|
| Backup failed because the file share is out of capacity. | File share is out of capacity and backup controller can't export backup files to the location. | Add more storage capacity and try the backup again. Delete existing backups (starting from oldest first) to free up space. |
| Backup failed due to connectivity problems. | Network between Azure Stack Hub and the file share is experiencing issues. | Address the network issue and try the backup again. |
| Backup failed due to a fault in the path. | The file share path can't be resolved. | Map the share from a different computer to ensure the share is accessible. You may need to update the path if it's no longer valid. |
| Backup failed due to authentication issue. | There might be an issue with the credentials or a network issue that impacts authentication. | Map the share from a different computer to ensure the share is accessible. You may need to update credentials if they're no longer valid. |
| Backup failed due to a general fault. | The failed request could be due to an intermittent issue. | Try to back up again. Call support. |

