When you enable Azure Virtual Network (VNet) protection, in-place restores create the network infrastructure—VNets, subnets, and network security groups (NSGs)—along with the VM. This feature is supported for in-place restores of streaming and snap backups.
Network Resources That Are Backed Up
- Virtual network
  - Address space (IPv6, IPv4)
  - DDoS protection association
  - DNS servers
- Subnet
  - AddressPrefix
  - Associated network security groups
  - NAT gateway association
  - Route table association
  - Service endpoints
  - Subnet delegation
  - Network policy for private endpoints
- NSGs
  - Network security rules
  - Network security groups attached to a network interface
  - Network security groups attached to a subnet
Properties/Resources That Are Not Backed Up
- Azure Bastion service of the VNet
- Peering of the VNet
- Firewall of the VNet
- Network Manager of the VNet
- Private endpoints of the VNet
Restore
During in-place restores, the VNet, subnet, network interface NSG, subnet NSG, and network interface are created. The existing NAT gateway, route table, and DDoS protection plan are reused.
Additional Permissions Required for Restores
In addition to the permissions defined in CVBackupRole, the following permissions are required:
- Microsoft.Network/virtualNetworks/write: Creates a virtual network or updates an existing virtual network
- Microsoft.Network/networkSecurityGroups/write: Creates a network security group or updates an existing network security group
- Microsoft.Network/routeTables/join/action: Joins a route table
- Microsoft.Network/ddosProtectionPlans/join/action: Joins a DDoS Protection plan
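The following check is an added example, not part of the vendor's tooling: it reports which of the four permissions above a role definition does not effectively grant, honoring wildcards and notActions, and flags wildcard entries that grant more than this page asks for. The function names and the sample role are hypothetical, the input is assumed to have the shape printed by `az role definition list`, and evaluating notActions per permission block is an assumption.

```python
import re

# The four additional restore permissions listed on this page.
REQUIRED = [
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/routeTables/join/action",
    "Microsoft.Network/ddosProtectionPlans/join/action",
]

def _matches(pattern, action):
    # Azure action strings are case-insensitive; '*' matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def granted(role, action):
    # Effective when a permission block allows the action and the same
    # block's notActions does not subtract it (assumed evaluation per block).
    for block in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in block.get("actions", []))
        denied = any(_matches(p, action) for p in block.get("notActions", []))
        if allowed and not denied:
            return True
    return False

def missing_permissions(role):
    return [a for a in REQUIRED if not granted(role, a)]

def wildcard_grants(role):
    # Wildcard entries that cover a required action but grant more than the page lists.
    return sorted({p for b in role.get("permissions", []) for p in b.get("actions", [])
                   if "*" in p and any(_matches(p, a) for a in REQUIRED)})

# Constructed sample in the shape `az role definition list` prints; not a real export.
SAMPLE_ROLE = {
    "roleName": "restore-role-sample",
    "permissions": [{
        "actions": ["Microsoft.Network/virtualNetworks/*",
                    "microsoft.network/networkSecurityGroups/write",
                    "Microsoft.Network/routeTables/join/action"],
        "notActions": ["Microsoft.Network/virtualNetworks/write"],
    }],
}

if __name__ == "__main__":
    print("missing:", missing_permissions(SAMPLE_ROLE))
    print("wildcards:", wildcard_grants(SAMPLE_ROLE))
```

An empty result from `missing_permissions` means the role covers the restore requirements; entries returned by `wildcard_grants` are candidates for narrowing to the exact actions listed above.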
Enabling VNet Protection
Add the following entity settings to all Azure access nodes:
- bAzureBackupNetworkConfig: Enables backups of Azure network configuration
- bAzureRestoreNetworkConfig: Enables restores of network resources