For Azure VMs, you can restore full VMs, restore guest files and folders, and restore a disk and attach it to an existing VM.
End User Restores
End users can restore VMs either in place or out of place. For this scenario, the VM display name option is the only value the user can change on the Restore options dialog box.
Users can also restore a VM disk to an existing VM. The disks are restored and attached to the destination VM.
If the VM display name is the same as an existing VM on the destination, the restore fails.
Considerations
-
An application security group (ASG) is retained on a restored VM only if the VM is restored to the same network. If the VM is restored to a different region or a different network, then the ASG is not retained.
-
For Azure managed disks that have virtual machines configured with Availability Zones in their Azure regions:
-
If the selected region of the destination VM supports Availability Zones, the Availability Zone information will be restored to the destination VM. The restore completes successfully.
-
If the selected region of the destination VM does not support Availability Zones, the Availability Zone information will not be restored to the destination VM. The restore completes successfully.
-
-
You can back up and restore Azure managed disks that are enabled with encryption at host. This capability applies to Azure managed disks that reside on Windows or Linux VMs.
-
Restores to different hypervisors are supported when a VM is encrypted with customer-managed encryption keys.
VMs Encrypted with Azure Key Vault
-
Full VM restores are supported per source subscription. However, restores of encrypted VMs to a different subscription are not supported due to an Azure limitation with restoring Key Vault across subscriptions.
-
Restoring to a different region under the same subscription will create a new key vault automatically, and the restore job will complete successfully. To resolve this issue, try the following:
-
Create a new Key Vault or search for an existing Key Vault that the restore process might have created under the destination region with name format [SourceKeyvaultname+regionname].
-
Assign the required permissions to the managed identity-enabled virtual machine to the new key vault in the destination region as described in Adding Permissions to Back Up Azure VMs Encrypted with Azure Key Vault.
-
Retry the restore job. The VM should restore successfully.
-
-
Keys and secrets are not accessible to subscription users by default when the Key Vault itself is restored. The restore operation will add only the application's service principal in the Key Vault access control as an authorized user. If necessary, the subscription administrator can make changes to these permissions using the Azure portal.
- Microsoft restrictions for virtual machines encrypted using Azure Key Vault also apply to encrypted Azure virtual machines in your Commcell environment for restoring your VM and Key Vault. For more information, see Azure Key Vault.
-
For VMs encrypted with customer-managed encryption keys, full VM restores complete successfully. However, for full VM restores from streaming backups, the customer-managed encryption key settings or disk encryption sets (DES) are not applied to the destination VM. You must manually apply the DES settings to the destination VM in Azure.
-
During full VM restores, a storage account must exist in the region of the restored VM (an Azure Standard or Premium general-purpose storage account). This account acts as a staging area when VM is restored as managed VM.