Auto-Enable Backup on VM Creation using Azure Policy

One of the key responsibilities of a Backup or Compliance Admin in an organization is to ensure that all business-critical machines are backed up with the appropriate retention.

Today, Azure Backup provides a built-in policy (using Azure Policy) that can be assigned to all Azure VMs in a specified location within a subscription or resource group. When this policy is assigned to a given scope, all new VMs created in that scope are automatically configured for backup to an existing vault in the same location and subscription. The user can specify the vault and the retention policy to which the backed up VMs should be associated.

Supported Scenarios

  • The built-in policy is currently supported only for Azure VMs. Users must take care to ensure that the retention policy specified during assignment is a VM retention policy.

  • The policy can be assigned to a single location and subscription at a time. To enable backup for VMs across locations and subscriptions, multiple instances of the policy assignment need to be created, one for each combination of location and subscription.

  • The specified vault and the VMs configured for backup can be under different resource groups.

  • Management Group scope is currently unsupported.

  • The built-in policy is currently not available in national clouds.

Using the built-in policy

To assign the policy to the required scope, follow these steps:

  1. Sign in to the Azure Portal and navigate to the Policy Dashboard.
  2. Select Definitions in the left menu to get a list of all built-in policies across Azure Resources.
  3. Filter the list for Category=Backup. You will see the list filtered down to a single policy named 'Configure backup on VMs of a location to an existing central Vault in the same location'.
  4. Click on the name of the policy. You will be redirected to the detailed definition for this policy.
  5. Click on the Assign button at the top of the blade. This redirects you to the Assign Policy blade.
  6. Under Basics, click on the three dots next to the Scope field. This opens up a right context blade where you can select the subscription for the policy to be applied on. You can also optionally select a resource group, so that the policy is applied only for VMs in a particular resource group.
  7. In the Parameters tab, choose a location from the drop-down, and select the vault and backup policy to which the VMs in the scope must be associated.
  8. Ensure that Effect is set to deployIfNotExists.
  9. Navigate to Review+create and click Create.

Note

Azure Policy can also be used on existing VMs, using remediation.

Note

It is recommended that this policy is not assigned to more than 200 VMs at a time. If the policy is assigned to more than 200 VMs, it can result in the backup getting triggered a few hours later than that specified by the schedule.
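The scoping rules above (one assignment per combination of location and subscription, a vault in the same location and subscription, no management group scope, at most 200 VMs per assignment) can be checked against a VM inventory before anything is assigned in the portal. The following planner is an added example, not Microsoft's code; the function names, the inventory format and all sample IDs are assumptions constructed for illustration.

```python
from collections import defaultdict

MAX_VMS = 200  # recommended ceiling per assignment, taken from the note above

def parse_id(resource_id):
    """Return (subscription, resource group, name) from an ARM resource ID."""
    p = resource_id.strip("/").split("/")
    if len(p) < 8 or p[0].lower() != "subscriptions" or p[2].lower() != "resourcegroups":
        # Management group IDs land here: that scope is unsupported.
        raise ValueError(f"not a subscription-scoped resource ID: {resource_id}")
    return p[1].lower(), p[3].lower(), p[-1]

def plan(vms, vaults):
    """vms, vaults: lists of (resource_id, location). Returns (assignments, problems)."""
    vault_at = {}
    for vault_id, loc in vaults:
        vault_at.setdefault((parse_id(vault_id)[0], loc.lower()), vault_id)
    groups = defaultdict(lambda: defaultdict(int))
    for vm_id, loc in vms:
        sub, rg, _ = parse_id(vm_id)
        groups[(sub, loc.lower())][rg] += 1
    assignments, problems = [], []
    for (sub, loc), by_rg in sorted(groups.items()):
        vault = vault_at.get((sub, loc))  # must share subscription and location
        if vault is None:
            problems.append(f"no vault in subscription {sub}, location {loc}")
            continue
        total = sum(by_rg.values())
        if total <= MAX_VMS:
            scopes = [(f"/subscriptions/{sub}", total)]
        else:  # too many for one assignment: narrow to resource group scopes
            scopes = [(f"/subscriptions/{sub}/resourceGroups/{rg}", n)
                      for rg, n in sorted(by_rg.items())]
        for scope, n in scopes:
            if n > MAX_VMS:
                problems.append(f"{scope} ({loc}) holds {n} VMs, above {MAX_VMS}")
            assignments.append({"scope": scope, "location": loc, "vault": vault, "vms": n})
    return assignments, problems

# Constructed inventory: subscription IDs, names and counts are made up.
SUB_A, SUB_B = "00000000-0000-0000-0000-00000000000a", "00000000-0000-0000-0000-00000000000b"
def _vms(sub, rg, loc, count):
    base = f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines"
    return [(f"{base}/vm{i}", loc) for i in range(count)]
def _vault(sub, name, loc):
    return (f"/subscriptions/{sub}/resourceGroups/backup/providers/Microsoft.RecoveryServices/vaults/{name}", loc)
SAMPLE_VMS = (_vms(SUB_A, "web", "westeurope", 150) + _vms(SUB_A, "db", "westeurope", 90)
              + _vms(SUB_A, "web", "eastus", 10) + _vms(SUB_B, "app", "eastus", 5))
SAMPLE_VAULTS = [_vault(SUB_A, "weu", "westeurope"), _vault(SUB_A, "eus", "eastus")]
```

Calling `plan(SAMPLE_VMS, SAMPLE_VAULTS)` yields one subscription-scope assignment for the 10 eastus VMs, two resource-group-scope assignments for the 240 westeurope VMs, and a problem entry for the second subscription, which has no vault in its location.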

Next Steps

Learn more about Azure Policy