File Level restore on an Azure VM with encrypted disks

At one of my customers, we were reviewing the backup strategy for Azure VMs. We chose to use the Azure Backup service to accomplish that. While brainstorming on this topic, this question came up: What about file restore on an Azure VM with encrypted disks?

After a quick search, I came across the article "Back up and restore encrypted Azure VM". But one of the limitations listed in this article is “Encrypted VMs can’t be recovered at the file/folder level. You need to recover the entire VM to restore files and folders.”

Right after that came the discussion of what to do in the case of large VM disks (>1TB) that require frequent file restores (example: File Server). In this case, it is important to spend time designing a solution that meets all the requirements.

There are a few points that you need to consider:

  • Do not enable encrypted disks on the Azure VM – This option allows you to restore at the file and folder level. However, you are not following best practices for Azure VM security, and you get a lower score in Azure Security Center.
  • Restore only the Azure VM disk instead of the full Azure VM – This option eliminates the creation of the Azure VM with all its other disks. In this case, the Azure VM had 4 data disks besides the OS disk. This allows us to reduce the time of the recovery process, but we still need to recover a large disk.
  • Restore the full Azure VM – This option is the most common one and the default one. In this case it is also the most time-consuming and the most expensive one.
  • Change the organization policy to allow file restores only from the last 12 to 24 hours (this was only applicable in this scenario) – This allows the organization to have a daily task to restore the large disk with a bigger window.

What was the final solution for this scenario?

We used a hybrid approach. We decided to restore only the Azure VM disk to an existing VM, changing the restore policy at the same time. We use an automation process that, when the backup of the File Server is done, restores the Azure VM disks to a storage account and then attaches them to an existing Azure VM.
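
The automation described above could look like the following. This is an added example, not the script used at the customer: it assumes the Az PowerShell modules, an already signed-in session, managed disks, and a resource group used only for restored disks, and every resource name is a placeholder.

```powershell
# Added example. Every value in angle brackets is a placeholder, not a value from the post.
$vaultName   = '<recovery-services-vault>'
$vaultRg     = '<vault-resource-group>'
$sourceVm    = '<file-server-vm-name>'
$stagingSa   = '<staging-storage-account>'
$stagingSaRg = '<staging-storage-account-resource-group>'
$restoreRg   = '<resource-group-for-restored-disks>'
$recoveryVm  = '<existing-recovery-vm>'
$recoveryRg  = '<recovery-vm-resource-group>'

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $vaultRg -Name $vaultName

# Locate the backup item that belongs to the file server.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM `
    -FriendlyName $sourceVm -VaultId $vault.ID
$item = Get-AzRecoveryServicesBackupItem -Container $container `
    -WorkloadType AzureVM -VaultId $vault.ID

# Pick the newest recovery point inside the 24-hour restore window.
$now = (Get-Date).ToUniversalTime()
$rp = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $vault.ID `
        -StartDate $now.AddHours(-24) -EndDate $now |
    Sort-Object RecoveryPointTime -Descending | Select-Object -First 1
if (-not $rp) { throw "No recovery point for $sourceVm in the last 24 hours." }

# Restore the disks only (no VM is created); the storage account is the staging location.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp `
    -StorageAccountName $stagingSa -StorageAccountResourceGroupName $stagingSaRg `
    -TargetResourceGroupName $restoreRg -VaultId $vault.ID
$job = Wait-AzRecoveryServicesBackupJob -Job $job -Timeout 43200 -VaultId $vault.ID
if ($job.Status -ne 'Completed') { throw "Restore job ended with status $($job.Status)." }

# Assumption: unattached data disks created in $restoreRg since the job started are the restored ones.
$disks = Get-AzDisk -ResourceGroupName $restoreRg |
    Where-Object { -not $_.ManagedBy -and -not $_.OsType -and $_.TimeCreated -ge $job.StartTime }
if (-not $disks) { throw "No restored data disks found in $restoreRg." }

# Attach each restored data disk to the existing VM on the next free LUN.
$vm = Get-AzVM -ResourceGroupName $recoveryRg -Name $recoveryVm
$usedLuns = @($vm.StorageProfile.DataDisks | ForEach-Object Lun)
$lun = 0
foreach ($disk in $disks) {
    while ($usedLuns -contains $lun) { $lun++ }
    $vm = Add-AzVMDataDisk -VM $vm -Name $disk.Name -ManagedDiskId $disk.Id `
        -CreateOption Attach -Lun $lun
    $usedLuns += $lun
}
Update-AzVM -ResourceGroupName $recoveryRg -VM $vm | Out-Null
```

The example stops once the disks are attached; unlocking the encrypted volumes inside the recovery VM and cleaning up the previous day's disks are not covered.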


Marcos Nogueira
Azure MVP
Twitter: @mdnoga
