An overview of Azure VM backup

This article describes how the Azure Backup service backs up Azure virtual machines (VMs).

Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Backups are stored in a Recovery Services vault with built-in management of recovery points. Configuration and scaling are simple, backups are optimized, and you can easily restore as needed.

As part of the backup process, a snapshot is taken, and the data is transferred to the Recovery Services vault with no impact on production workloads. The snapshot provides different levels of consistency, as described here.

Azure Backup also has specialized offerings for database workloads like SQL Server and SAP HANA that are workload-aware, offer 15 minute RPO (recovery point objective), and allow backup and restore of individual databases.

Backup process

Here's how Azure Backup completes a backup for Azure VMs:

  1. For Azure VMs that are selected for backup, Azure Backup starts a backup job according to the backup schedule you specify.

  2. During the first backup, a backup extension is installed on the VM if the VM is running.

  3. For Windows VMs that are running, Backup coordinates with Windows Volume Shadow Copy Service (VSS) to take an app-consistent snapshot of the VM.

    • By default, Backup takes full VSS backups.
    • If Backup can't take an app-consistent snapshot, then it takes a file-consistent snapshot of the underlying storage (because no application writes occur while the VM is stopped).
  4. For Linux VMs, Backup takes a file-consistent backup. For app-consistent snapshots, you need to manually customize pre/post scripts.

  5. After Backup takes the snapshot, it transfers the data to the vault.

    • The backup is optimized by backing up each VM disk in parallel.
    • For each disk that's being backed up, Azure Backup reads the blocks on the disk and identifies and transfers only the data blocks that changed (the delta) since the previous backup.
    • Snapshot data might not be immediately copied to the vault. It might take some hours at peak times. Total backup time for a VM will be less than 24 hours for daily backup policies.
  6. Changes made to a Windows VM after Azure Backup is enabled on it are:

    • Microsoft Visual C++ 2013 Redistributable(x64) - 12.0.40660 is installed in the VM
    • Startup type of Volume Shadow Copy service (VSS) changed to automatic from manual
    • IaaSVmProvider Windows service is added
  7. When the data transfer is complete, the snapshot is removed, and a recovery point is created.

[Figure: Azure VM backup architecture]

Encryption of Azure VM backups

When you back up Azure VMs with Azure Backup, VMs are encrypted at rest with Storage Service Encryption (SSE). Azure Backup can also back up Azure VMs that are encrypted by using Azure Disk Encryption.

| Encryption | Details | Support |
| --- | --- | --- |
| Azure Disk Encryption | Azure Disk Encryption encrypts both OS and data disks for Azure VMs. Azure Disk Encryption integrates with BitLocker encryption keys (BEKs), which are safeguarded in a key vault as secrets. Azure Disk Encryption also integrates with Azure Key Vault key encryption keys (KEKs). | Azure Backup supports backup of managed and unmanaged Azure VMs encrypted with BEKs only, or with BEKs together with KEKs. Both BEKs and KEKs are backed up and encrypted. Because KEKs and BEKs are backed up, users with the necessary permissions can restore keys and secrets back to the key vault if needed. These users can also recover the encrypted VM. Encrypted keys and secrets can't be read by unauthorized users or by Azure. |
| SSE | With SSE, Azure Storage provides encryption at rest by automatically encrypting data before storing it. Azure Storage also decrypts data before retrieving it. | Azure Backup uses SSE for at-rest encryption of Azure VMs. |

For managed and unmanaged Azure VMs, Backup supports both VMs encrypted with BEKs only or VMs encrypted with BEKs together with KEKs.

The backed-up BEKs (secrets) and KEKs (keys) are encrypted. They can be read and used only when they're restored back to the key vault by authorized users. Neither unauthorized users nor Azure can read or use backed-up keys or secrets.

BEKs are also backed up. So, if the BEKs are lost, authorized users can restore the BEKs to the key vault and recover the encrypted VMs. Only users with the necessary level of permissions can back up and restore encrypted VMs or keys and secrets.

Snapshot creation

Azure Backup takes snapshots according to the backup schedule.

  • Windows VMs: For Windows VMs, the Backup service coordinates with VSS to take an app-consistent snapshot of the VM disks. By default, Azure Backup takes a full VSS backup (it truncates the logs of applications such as SQL Server at the time of backup to get an application-level consistent backup). If you are using a SQL Server database on Azure VM backup, then you can modify the setting to take a VSS Copy backup (to preserve logs). For more information, see this article.

  • Linux VMs: To take app-consistent snapshots of Linux VMs, use the Linux pre-script and post-script framework to write your own custom scripts to ensure consistency.

    • Azure Backup invokes only the pre/post scripts written by you.
    • If the pre-scripts and post-scripts execute successfully, Azure Backup marks the recovery point as application-consistent. However, when you're using custom scripts, you're ultimately responsible for the application consistency.
    • Learn more about how to configure scripts.

Snapshot consistency

The following table explains the different types of snapshot consistency:

| Snapshot | Details | Recovery | Consideration |
| --- | --- | --- | --- |
| Application-consistent | App-consistent backups capture memory content and pending I/O operations. App-consistent snapshots use a VSS writer (or pre/post scripts for Linux) to ensure the consistency of the app data before a backup occurs. | When you're recovering a VM with an app-consistent snapshot, the VM boots up. There's no data corruption or loss. The apps start in a consistent state. | Windows: All VSS writers succeeded. Linux: Pre/post scripts are configured and succeeded. |
| File-system consistent | File-system consistent backups provide consistency by taking a snapshot of all files at the same time. | When you're recovering a VM with a file-system consistent snapshot, the VM boots up. There's no data corruption or loss. Apps need to implement their own "fix-up" mechanism to make sure that restored data is consistent. | Windows: Some VSS writers failed. Linux: Default (if pre/post scripts aren't configured or failed). |
| Crash-consistent | Crash-consistent snapshots typically occur if an Azure VM shuts down at the time of backup. Only the data that already exists on the disk at the time of backup is captured and backed up. | Starts with the VM boot process followed by a disk check to fix corruption errors. Any in-memory data or write operations that weren't transferred to disk before the crash are lost. Apps implement their own data verification. For example, a database app can use its transaction log for verification. If the transaction log has entries that aren't in the database, the database software rolls transactions back until the data is consistent. | VM is in shutdown (stopped/deallocated) state. |

Backup and restore considerations

| Consideration | Details |
| --- | --- |
| Disk | Backup of VM disks is parallel. For example, if a VM has four disks, the Backup service attempts to back up all four disks in parallel. Backup is incremental (only changed data). |
| Scheduling | To reduce backup traffic, back up different VMs at different times of the day and make sure the times don't overlap. Backing up VMs at the same time causes traffic jams. |
| Preparing backups | Keep in mind the time needed to prepare the backup. The preparation time includes installing or updating the backup extension and triggering a snapshot according to the backup schedule. |
| Data transfer | Consider the time needed for Azure Backup to identify the incremental changes from the previous backup. In an incremental backup, Azure Backup determines the changes by calculating the checksum of the block. If a block is changed, it's marked for transfer to the vault. The service analyzes the identified blocks to attempt to further minimize the amount of data to transfer. After evaluating all the changed blocks, Azure Backup transfers the changes to the vault. There might be a lag between taking the snapshot and copying it to vault. At peak times, it can take up to eight hours for the snapshots to be transferred to the vault. The backup time for a VM will be less than 24 hours for the daily backup. |
| Initial backup | Although the total backup time for incremental backups is less than 24 hours, that might not be the case for the first backup. The time needed for the initial backup will depend on the size of the data and when the backup is processed. |
| Restore queue | Azure Backup processes restore jobs from multiple storage accounts at the same time, and it puts restore requests in a queue. |
| Restore copy | During the restore process, data is copied from the vault to the storage account. The total restore time depends on the I/O operations per second (IOPS) and the throughput of the storage account. To reduce the copy time, select a storage account that isn't loaded with other application writes and reads. |

Backup performance

These common scenarios can affect the total backup time:

  • Adding a new disk to a protected Azure VM: If a VM is undergoing incremental backup and a new disk is added, the backup time will increase. The total backup time might last more than 24 hours because of initial replication of the new disk, along with delta replication of existing disks.
  • Fragmented disks: Backup operations are faster when disk changes are contiguous. If changes are spread out and fragmented across a disk, backup will be slower.
  • Disk churn: If protected disks that are undergoing incremental backup have a daily churn of more than 200 GB, backup can take a long time (more than eight hours) to complete.
  • Backup versions: The latest version of Backup (known as the Instant Restore version) uses a more optimized process than checksum comparison for identifying changes. But if you're using Instant Restore and have deleted a backup snapshot, the backup switches to checksum comparison. In this case, the backup operation will exceed 24 hours (or fail).
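
The checksum comparison described under "Data transfer" and the fragmented-disk and new-disk items above can be illustrated with the following added example; it is not Azure Backup's implementation. The 4 KiB block size, the use of SHA-256 as the checksum, and all function names are assumptions made for illustration.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size for illustration; the page does not state one
# SHA-256 stands in for "the checksum of the block"; the real algorithm is not documented here.


def block_checksums(disk: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """Checksum every fixed-size block of a disk image (last block may be short)."""
    return [
        hashlib.sha256(disk[off:off + block_size]).hexdigest()
        for off in range(0, len(disk), block_size)
    ]


def changed_blocks(previous: list[str], disk: bytes, block_size: int = BLOCK_SIZE) -> list[int]:
    """Indices of blocks whose checksum differs from the previous backup's manifest.

    Blocks beyond the end of the old manifest (the disk grew, or a new disk with
    an empty manifest) always count as changed, which is why a newly added disk
    behaves like an initial backup.
    """
    current = block_checksums(disk, block_size)
    return [
        i for i, digest in enumerate(current)
        if i >= len(previous) or previous[i] != digest
    ]


def coalesce(indices: list[int]) -> list[tuple[int, int]]:
    """Merge sorted block indices into (first_block, block_count) extents."""
    extents: list[tuple[int, int]] = []
    for i in indices:
        if extents and extents[-1][0] + extents[-1][1] == i:
            extents[-1] = (extents[-1][0], extents[-1][1] + 1)
        else:
            extents.append((i, 1))
    return extents


def make_disk(blocks: int, dirty: set[int] = frozenset()) -> bytes:
    """Constructed sample disk: zero-filled blocks, 0xFF in the 'dirty' ones."""
    return b"".join(
        (b"\xff" if i in dirty else b"\x00") * BLOCK_SIZE for i in range(blocks)
    )


if __name__ == "__main__":
    manifest = block_checksums(make_disk(16))  # state at the previous backup
    contiguous = changed_blocks(manifest, make_disk(16, {4, 5, 6, 7}))
    scattered = changed_blocks(manifest, make_disk(16, {1, 5, 9, 13}))
    print("contiguous:", coalesce(contiguous))  # one extent
    print("scattered: ", coalesce(scattered))   # four extents, same data volume
    print("new disk:  ", len(changed_blocks([], make_disk(16))), "blocks to send")
```

Both runs change four blocks, but the scattered case yields four separate extents to read and transfer instead of one, and the empty manifest marks every block for transfer.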

Best practices

When you're configuring VM backups, we suggest following these practices:

  • Modify the default schedule times that are set in a policy. For example, if the default time in the policy is 12:00 AM, increment the timing by several minutes so that resources are optimally used.
  • If you're restoring VMs from a single vault, we highly recommend that you use different general-purpose v2 storage accounts to ensure that the target storage account doesn't get throttled. For example, each VM must have a different storage account. For example, if 10 VMs are restored, use 10 different storage accounts.
  • For backup of VMs that are using premium storage, with Instant Restore, we recommend allocating 50% free space of the total allocated storage space, which is required only for the first backup. The 50% free space is not a requirement for backups after the first backup is complete.
  • The limit on the number of disks per storage account is relative to how heavily the disks are being accessed by applications that are running on an infrastructure as a service (IaaS) VM. As a general practice, if 5 to 10 disks or more are present on a single storage account, balance the load by moving some disks to separate storage accounts.

Backup costs

Azure VMs backed up with Azure Backup are subject to Azure Backup pricing.

Billing doesn't start until the first successful backup finishes. At this point, the billing for both storage and protected VMs begins. Billing continues as long as any backup data for the VM is stored in a vault. If you stop protection for a VM, but backup data for the VM exists in a vault, billing continues.

Billing for a specified VM stops only if the protection is stopped and all backup data is deleted. When protection stops and there are no active backup jobs, the size of the last successful VM backup becomes the protected instance size used for the monthly bill.

The protected-instance size calculation is based on the actual size of the VM. The VM's size is the sum of all the data in the VM, excluding the temporary storage. Pricing is based on the actual data that's stored on the data disks, not on the maximum supported size for each data disk that's attached to the VM.

Similarly, the backup storage bill is based on the amount of data that's stored in Azure Backup, which is the sum of the actual data in each recovery point.

For example, take an A2-Standard-sized VM that has two additional data disks with a maximum size of 32 TB each. The following table shows the actual data stored on each of these disks:

| Disk | Max size | Actual data present |
| --- | --- | --- |
| OS disk | 32 TB | 17 GB |
| Local/temporary disk | 135 GB | 5 GB (not included for backup) |
| Data disk 1 | 32 TB | 30 GB |
| Data disk 2 | 32 TB | 0 GB |

The actual size of the VM in this case is 17 GB + 30 GB + 0 GB = 47 GB. This protected-instance size (47 GB) becomes the basis for the monthly bill. As the amount of data in the VM grows, the protected-instance size used for billing changes to match.

Next steps

Now, prepare for Azure VM backup.