Infrastructure Backup Service reference

Azure backup infrastructure

Azure Stack Hub consists of many services that make up the portal (Azure Resource Manager) and the overall infrastructure management experience. The app-like management experience of Azure Stack Hub focuses on reducing the complexity exposed to the operator of the solution.

Infrastructure Backup Service is designed to internalize the complexity of backing up and restoring data for infrastructure services, so that operators can focus on managing the solution and maintaining an SLA to users.

Exporting the backup data to an external share is required to avoid storing backups on the same system they protect. Requiring an external share gives the admin the flexibility to decide where to store the data based on existing company BC/DR policies.

Infrastructure Backup Service components

Infrastructure Backup Service includes the following components:

  • Infrastructure Backup Controller
    The Infrastructure Backup Controller is instantiated with, and resides in, every Azure Stack Hub Cloud.
  • Backup Resource Provider
    The Backup Resource Provider (Backup RP) is composed of the user interface and APIs that expose basic backup functionality for the Azure Stack Hub infrastructure.

Infrastructure Backup Controller

The Infrastructure Backup Controller is a Service Fabric service that is instantiated for an Azure Stack Hub Cloud. Backup resources are created at a regional level and capture region-specific service data from AD, CA, Azure Resource Manager, CRP, SRP, NRP, Key Vault, and RBAC.

Backup Resource Provider

The Backup Resource Provider presents a user interface in the Azure Stack Hub portal for basic configuration and for listing backup resources. Operators can do the following actions in the user interface:

  • Enable backup for the first time by providing the external storage location, credentials, and encryption key.
  • View completed backup resources and the status of resources under creation.
  • Modify the storage location where the Backup Controller places backup data.
  • Modify the credentials that the Backup Controller uses to access the external storage location.
  • Modify the encryption key that the Backup Controller uses to encrypt backups.

Backup Controller requirements

This section describes the important requirements for Infrastructure Backup Service. We recommend that you review this information carefully before you enable backup for your Azure Stack Hub instance, and then refer back to it as necessary during deployment and subsequent operation.

The requirements include:

  • Software requirements - describes supported storage locations and sizing guidance.
  • Network requirements - describes network requirements for the different storage locations.

Software requirements

Supported storage locations

Storage location | Details
SMB file share hosted on a storage device within the trusted network environment. | SMB share in the same datacenter where Azure Stack Hub is deployed, or in a different datacenter. Multiple Azure Stack Hub instances can use the same file share.
SMB file share on Azure. | Not currently supported.
Blob storage on Azure. | Not currently supported.

Supported SMB versions

SMB | Version
SMB | 3.x

SMB encryption

Infrastructure Backup Service supports transferring backup data to an external storage location with SMB encryption enabled on the server side. If the server doesn't support SMB encryption or doesn't have the feature enabled, Infrastructure Backup Service falls back to unencrypted data transfer. Backup data placed on the external storage location is always encrypted at rest and doesn't depend on SMB encryption.

Storage location sizing

We recommend that you back up at least two times a day and keep at most seven days of backups. This is the default behavior when you enable infrastructure backups on Azure Stack Hub.

Environment scale | Projected size of backup | Total amount of space required
4-16 nodes | 20 GB | 280 GB
ASDK | 10 GB | 140 GB

Network requirements

Storage location | Details
SMB file share hosted on a storage device within the trusted network environment. | Port 445 is required if the Azure Stack Hub instance resides in a firewalled environment. The Infrastructure Backup Controller initiates the connection to the SMB file server over port 445. To use the FQDN of the file server, the name must be resolvable from the PEP.

Firewall rules

Make sure to set up firewall rules that allow connectivity from the ERCS VMs to the external storage location.

Source | Target | Protocol/Port
ERCS VM 1 | Storage location | 445/SMB
ERCS VM 2 | Storage location | 445/SMB
ERCS VM 3 | Storage location | 445/SMB

Note

No inbound ports need to be opened.
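The following pre-flight check is an added example, not part of the Azure Stack Hub documentation: it verifies the three conditions above (FQDN resolution, outbound TCP 445, and a share that is reachable with the backup credential and large enough for the default retention). The server name, share name and credential are assumptions; run it from a host on the same network path the ERCS VMs use.

```powershell
# Added example (not from the Azure Stack Hub docs). Server, share and
# credential are assumptions; replace them with your own values.
$fileServer = 'backupsrv01.corp.example'   # assumed FQDN of the SMB file server
$shareName  = 'AzSBackup'                  # assumed share name
$requiredGB = 280                          # 4-16 node scale: 2 backups/day x 7 days x 20 GB

# 1. The FQDN must resolve (the page requires it to be resolvable from the PEP).
$dns = Resolve-DnsName -Name $fileServer -ErrorAction Stop
$addresses = $dns | Where-Object Type -in 'A','AAAA' | Select-Object -ExpandProperty IPAddress
"Resolved $fileServer -> $($addresses -join ', ')"

# 2. Outbound TCP 445 towards the storage location must be allowed; nothing inbound is needed.
$tcp = Test-NetConnection -ComputerName $fileServer -Port 445
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 445 to $fileServer is blocked; check the ERCS VM -> storage location firewall rule"
}

# 3. The share must be reachable with the account the Backup Controller will use,
#    and must have room for the default retention (280 GB for an integrated system).
$cred  = Get-Credential -Message "Account the Backup Controller will use for \\$fileServer\$shareName"
$drive = New-PSDrive -Name AzSBak -PSProvider FileSystem -Root "\\$fileServer\$shareName" `
                     -Credential $cred -ErrorAction Stop
$freeGB = [math]::Round($drive.Free / 1GB, 1)
Remove-PSDrive -Name AzSBak
if ($freeGB -lt $requiredGB) {
    throw "Only $freeGB GB free on \\$fileServer\$shareName; $requiredGB GB is required"
}
"Share reachable, $freeGB GB free (>= $requiredGB GB required)"
```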

Encryption requirements

Starting in 1901, the Infrastructure Backup Service uses a certificate with a public key (.CER) to encrypt backup data and a certificate with the private key (.PFX) to decrypt backup data during cloud recovery.

  • The certificate is used for transport of keys and isn't used to establish secure authenticated communication. For this reason, the certificate can be a self-signed certificate. Azure Stack Hub doesn't need to verify the root or trust chain of this certificate, so external internet access isn't required.

The self-signed certificate comes in two parts, one with the public key and one with the private key:

  • Encrypt backup data: the certificate with the public key (exported to a .CER file) is used to encrypt backup data.
  • Decrypt backup data: the certificate with the private key (exported to a .PFX file) is used to decrypt backup data.

The certificate with the public key (.CER) isn't managed by internal secret rotation. To rotate the certificate, you need to create a new self-signed certificate and update the backup settings with the new file (.CER).

  • All existing backups remain encrypted using the previous public key. New backups use the new public key.

The certificate with the private key (.PFX) used during cloud recovery is not persisted by Azure Stack Hub for security reasons. This file must be provided explicitly during cloud recovery.

Backwards compatibility mode

Starting in 1901, encryption key support is deprecated and will be removed in a future release. If you updated from 1811 with backup already enabled using an encryption key, Azure Stack Hub will continue to use the encryption key. Backwards compatibility mode will be supported for at least three releases. After that time, a certificate will be required.

  • Updating from an encryption key to a certificate is a one-way operation.
  • All existing backups remain encrypted using the encryption key. New backups use the certificate.
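The following is an added example, not code from the Azure Stack Hub documentation: it creates the self-signed certificate described above and exports the two halves (the .CER that goes into the backup settings and the .PFX that you must keep yourself for cloud recovery), then verifies that the public half carries no private key. The subject name, output folder and file names are assumptions.

```powershell
# Added example (not from the Azure Stack Hub docs). Subject, folder and file
# names are assumptions; the cmdlets are standard Windows PKI cmdlets.
$subject = 'CN=AzureStackHubBackupEncryption'      # assumed subject name
$outDir  = 'C:\backup-certs'                         # assumed output folder
$cerPath = Join-Path $outDir 'backup-encryption.cer' # public key  -> backup settings
$pfxPath = Join-Path $outDir 'backup-encryption.pfx' # private key -> keep offline for recovery
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Self-signed is sufficient: the certificate only wraps backup keys and is not
# used for authenticated communication, so no trust chain is ever validated.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(3)

# Public half (.CER): register this file in the backup settings; it encrypts new backups.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Private half (.PFX): Azure Stack Hub does not persist it, so store it outside
# the stack with your BC/DR material, together with the password.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Verify the split: the .CER must carry no private key, the .PFX must carry it,
# and both must describe the same certificate.
$cerCheck = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$pfxCheck = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)
if ($cerCheck.HasPrivateKey)      { throw '.CER unexpectedly contains a private key' }
if (-not $pfxCheck.HasPrivateKey) { throw '.PFX is missing the private key' }
if ($cerCheck.Thumbprint -ne $pfxCheck.Thumbprint) { throw 'Thumbprints differ; files do not match' }
"Thumbprint $($cerCheck.Thumbprint): register $cerPath in backup settings, keep $pfxPath offline"

# Once the .PFX is safely stored, remove the private key from the local store so
# the only copy of the decryption key is the one you control:
# Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
```

When you rotate the certificate later, rerun the same steps and update the backup settings with the new .CER; older backups stay decryptable only with the .PFX that was current when they were taken, so keep every .PFX for as long as its backups are retained.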

Infrastructure Backup limits

Consider these limits as you plan, deploy, and operate your Azure Stack Hub instances. The following table describes these limits.

Infrastructure Backup limits

Limit identifier | Limit | Comments
Backup type | Full only | Infrastructure Backup Controller only supports full backups. Incremental backups aren't supported.
Scheduled backups | Scheduled and manual | Backup Controller supports scheduled and on-demand backups.
Maximum concurrent backup jobs | 1 | Only one active backup job is supported per instance of Backup Controller.
Network switch configuration | Not in scope | Admin must back up the network switch configuration using OEM tools. Refer to the Azure Stack Hub documentation provided by each OEM vendor.
Hardware Lifecycle Host | Not in scope | Admin must back up the Hardware Lifecycle Host using OEM tools. Refer to the Azure Stack Hub documentation provided by each OEM vendor.
Maximum number of file shares | 1 | Only one file share can be used to store backup data.
Backup App Services, Function, SQL, MySQL resource provider data | Not in scope | Refer to the guidance published for deploying and managing value-add RPs created by Microsoft.
Backup third-party resource providers | Not in scope | Refer to the guidance published for deploying and managing value-add RPs created by third-party vendors.

Next steps