Snapshot management for Azure VMs

It's a Snap

Azure Private Link

Other settings relate to network access, which defines how users can reach the snapshots. Public access can be enabled or disabled, and private access can be managed, as well. Access to snapshots in Azure can be made even more secure with Azure Private Link (Figure 2). By setting up private endpoints, you can restrict the import and export of managed disks, including snapshots, to a virtual network connection within the Azure backbone network, which means that data traffic is no longer routed across the public Internet.

Figure 2: You can connect snapshots with Azure Private Link for secure access.

To begin, create a disk access resource and link it to a private endpoint that uses an IP address from the virtual network's address range. Next, link a snapshot to this disk access resource to restrict access to the assigned virtual network environment and therefore boost the level of security.
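The three steps above can be scripted with the Az PowerShell module. The following sketch is an added example, not code from the original article; all names in angle brackets are placeholders, and it assumes that the virtual network, subnet, and snapshot already exist and that you are logged in to Azure.

```powershell
# Added example: restrict a snapshot to Private Link access.
# All values in angle brackets are placeholders (assumptions).
$rg       = "<resource group name>"
$location = "<Location>"
$snapName = "<snapshot name>"

# Existing virtual network and subnet that will host the private endpoint
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "<VNet name>"
$subnet = $vnet.Subnets | Where-Object Name -eq "<subnet name>"

# Step 1: create the disk access resource
$diskAccess = New-AzDiskAccess -ResourceGroupName $rg `
    -Name "<disk access name>" -Location $location

# Step 2: create a private endpoint for it; the endpoint receives an
# IP address from the subnet's address range. "disks" is the group ID
# used for disk access resources.
$connection = New-AzPrivateLinkServiceConnection -Name "<connection name>" `
    -PrivateLinkServiceId $diskAccess.Id -GroupId "disks"
New-AzPrivateEndpoint -ResourceGroupName $rg -Name "<private endpoint name>" `
    -Location $location -Subnet $subnet `
    -PrivateLinkServiceConnection $connection | Out-Null

# Step 3: link the snapshot to the disk access resource and allow
# import/export only through the private endpoint
$update = New-AzSnapshotUpdateConfig -NetworkAccessPolicy AllowPrivate `
    -DiskAccessId $diskAccess.Id
Update-AzSnapshot -ResourceGroupName $rg -SnapshotName $snapName `
    -SnapshotUpdate $update | Out-Null

# Verify that the setting took effect before relying on it
$snap = Get-AzSnapshot -ResourceGroupName $rg -SnapshotName $snapName
if ($snap.NetworkAccessPolicy -ne "AllowPrivate" -or
    $snap.DiskAccessId -ne $diskAccess.Id) {
    throw "Snapshot $snapName is not restricted to the disk access resource."
}
"{0}: NetworkAccessPolicy={1}" -f $snap.Name, $snap.NetworkAccessPolicy
```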

The use of Azure Private Link offers a number of benefits in terms of security requirements, compliance, and performance. On the one hand, it lets your organization set up a zero-trust architecture, because access to Azure services – or in this case, snapshots of Azure VMs – is exclusively over private IP addresses, which rules out public access to critical data. On the other hand, integration with Azure Virtual Network (VNet) ensures minimal latency times, with no unnecessary detours through the public Internet.

Please note that you can import or export a maximum of five volumes or snapshots simultaneously in a setup like this and that you cannot combine disk access resources with volumes that use an encryption set. Besides controlling network access, you can enable data access authentication mode in a snapshot's advanced settings, which lets you secure access by specific authentication mechanisms. Entra ID or Shared Access Signatures (SAS) are possible here.

Once a snapshot has been created, it will appear in the resource group as a Snapshot type. You can select a snapshot to view its details and carry out actions such as copying, deleting, or creating a new disk on the basis of the snapshot.

You can manage access in Access control (IAM) | Check access. The View my access button lets you see who is allowed to work with the snapshot, and the Check access button lets you use the groups and users in Entra ID to define which users have access to the snapshot.

Restoring Snapshots

When restoring a snapshot, you first need to create a new disk from the snapshot; then, you can either create a new virtual machine, use the managed disk as an operating system disk, or attach the disk to an existing virtual machine as a data drive. Copy snapshot in the top menubar lets you do exactly what it says on the label; the settings are similar to those used when you create a snapshot from a disk.

Snapshots can also be used to create completely new virtual drives. This step is necessary if you want to restore a VM from the snapshot or create a new VM. You can use the disks to create further Azure VMs or to restore an Azure VM, which makes it easy to create many more identically configured Azure VMs from a single VM. You can either use the Azure portal or PowerShell for this operation.

In general, snapshots of a VM can be edited on the Azure portal. After clicking on a snapshot, you can access the Create disk menu item in the portal to restore a VM or create a new one. In the window that opens, enter the name for the new disk; snapshot is automatically selected as the source type (Figure 3). After creation, the new disk is available for access – you can attach it to an existing VM or create a new VM. You can also replace a VM's disk with the new one to reset a VM to the snapshot state. Virtual disks can also be created in PowerShell after logging in to Azure:

# $snapshot holds the snapshot object to restore from
$diskConfig = New-AzDiskConfig -Location "<Location>" -SourceResourceId $snapshot.Id -CreateOption Copy
$newDisk = New-AzDisk -Disk $diskConfig -ResourceGroupName "<Resource group name>" -DiskName "<disk name>"

Figure 3: You have the choice of numerous options for managing snapshots on the Azure portal.

The new disk can also be used to create a new VM. Again, a PowerShell option is available:

$vmConfig = New-AzVMConfig -VMName "<VM name>" -VMSize "Standard_D2s_v3"
# Attach the disk created from the snapshot as the OS disk
$vmConfig = Set-AzVMOSDisk -VM $vmConfig -ManagedDiskId $newDisk.Id -CreateOption Attach -Windows
New-AzVM -ResourceGroupName "<resource group name>" -Location "<Location>" -VM $vmConfig

This process initiates a new VM that uses the data and configuration of the original snapshot.

When working with snapshots, it is important to consider security aspects and keep an eye on costs. To save cash, check the snapshots regularly and delete old ones that are no longer needed. If errors occur during creation, you should check the authorizations and ensure that the snapshot and resource regions match.
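A regular review of snapshots can cover both concerns at once. The following report is an added example, not code from the original article; the 30-day retention period is an assumed value, and the removal step only simulates the deletion because of -WhatIf.

```powershell
# Added example: report stale snapshots and snapshots that are still
# reachable over the public network. The retention period is an assumption.
$maxAgeDays = 30
$cutoff     = (Get-Date).ToUniversalTime().AddDays(-$maxAgeDays)

$report = Get-AzSnapshot | ForEach-Object {
    [pscustomobject]@{
        Name          = $_.Name
        ResourceGroup = $_.ResourceGroupName
        Location      = $_.Location
        SizeGB        = $_.DiskSizeGB
        Created       = $_.TimeCreated
        # Older than the retention period: candidate for deletion
        Stale         = $_.TimeCreated -lt $cutoff
        # Anything other than AllowPrivate or DenyAll can be exported
        # over a public endpoint with a valid SAS
        OpenNetwork   = $_.NetworkAccessPolicy -notin "AllowPrivate", "DenyAll"
        DiskAccessId  = $_.DiskAccessId
    }
}

# Security view: snapshots without a network restriction
$report | Where-Object OpenNetwork |
    Sort-Object ResourceGroup, Name |
    Format-Table Name, ResourceGroup, Location, Created

# Cost view: stale snapshots and the capacity they occupy
$stale = @($report | Where-Object Stale)
$total = ($stale | Measure-Object -Property SizeGB -Sum).Sum
"{0} snapshots older than {1} days, {2} GB in total" -f $stale.Count, $maxAgeDays, $total

# Simulate the cleanup; remove -WhatIf only after reviewing the list
foreach ($s in $stale) {
    Remove-AzSnapshot -ResourceGroupName $s.ResourceGroup `
        -SnapshotName $s.Name -Force -WhatIf
}
```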

Advanced Scenarios

In practice, snapshots are also a useful tool for scenarios such as disaster recovery, testing, and development environments. For example, creating a snapshot before carrying out updates or making major changes to an application can provide a fallback position. If the update fails or has unexpected side effects, you can simply and quickly revert to the snapshot and restore the VM to its original state by creating a new virtual drive from the snapshot, removing the old one from the VM configuration, and adding the new drive.

Development teams can find it useful to create several snapshots at different stages of an application's development. The snapshots can then be used to run different versions of an application in parallel in different test environments without affecting the production systems. The PowerShell command for creating a snapshot of a VM before a critical update would look like

# $snapshotConfig is the snapshot configuration for the VM's disk
$snapshotName = "PreUpdate_" + (Get-Date -Format "yyyyMMdd_HHmmss")
$snapshot = New-AzSnapshot -Snapshot $snapshotConfig -SnapshotName $snapshotName -ResourceGroupName "<resource group name>"

Another important area of application for snapshots is data migration. If you want to transfer data from one VM to another, simply create a snapshot of the disk and apply it to a new VM in a different region or subscription. The process includes creating the snapshot, transferring the snapshot data, and creating a new disk in the target environment:

$targetLocation = "<NewLocation>"
$diskCopyConfig = New-AzDiskConfig -Location $targetLocation -SourceResourceId $snapshot.Id -CreateOption Copy
$transferredDisk = New-AzDisk -Disk $diskCopyConfig -ResourceGroupName "<new resource group name>" -DiskName "<migrated disk name>"

Snapshots also make it easier to scale applications quickly by cloning existing VMs. As a concrete example, just consider the task of managing a cluster of web servers. You can use a snapshot of an error-free web server and use this snapshot as the basis for further servers to ensure a consistent and error-free state across all instances. The process can be automated, as well (Listing 1).

Listing 1

Automated Web Server Snapshot

# Snapshot of the reference web server; $snapshotConfig describes its disk
$masterSnapshot = New-AzSnapshot -Snapshot $snapshotConfig -SnapshotName "<Master webserver name>" -ResourceGroupName "<resource group name>"
for ($i = 1; $i -le 5; $i++) {
  # Create a disk from the master snapshot for each new server
  $newDiskConfig = New-AzDiskConfig -Location "<Location>" -SourceResourceId $masterSnapshot.Id -CreateOption Copy
  $newDisk = New-AzDisk -Disk $newDiskConfig -ResourceGroupName "<resource group name>" -DiskName "WebServerDisk$i"
  # Build the VM around that disk as its OS disk
  $vmConfig = New-AzVMConfig -VMName "WebServer$i" -VMSize "Standard_D2s_v3"
  $vmConfig = Set-AzVMOSDisk -VM $vmConfig -ManagedDiskId $newDisk.Id -CreateOption Attach -Windows
  New-AzVM -ResourceGroupName "<resource group name>" -Location "<Location>" -VM $vmConfig
}
