Streamlining Data Protection: Automated Backup & Retention for Azure Web Apps

As organizations increasingly move their critical workloads to the cloud, the need for robust backup and disaster recovery strategies becomes paramount. One of the common challenges faced by Azure Web App administrators is the lack of built-in functionality for automated weekly or monthly retention policies within the Azure Web App Backup options.

In this article, we will discuss a PowerShell-based workaround for creating and retaining Azure Web App backups on a weekly and monthly basis using Azure Automation, ensuring that compliance and retention policies are met.

The Challenge: Limited Built-in Retention Options for Azure Web App Backups

Azure Web App Backup offers a variety of features for backing up applications, databases, and content to a storage account. However, it does not natively offer the flexibility to schedule backups with a strict retention policy such as weekly or monthly backups that are stored for long periods. Administrators may find themselves needing a custom approach to address these retention needs.

Azure’s backup options are more geared towards daily, on-demand backups, with some limited ability to configure retention for such backups. As a result, many organizations are forced to manually manage backup retention or use external services to meet compliance requirements.

Before running the PowerShell scripts for Azure Web App backups and retention, you need to ensure that certain prerequisites are in place. These include having the necessary Azure resources:

1. Automation Account with Az PowerShell Module
2. Storage Account

The Solution: Using PowerShell Automation for Backup Scheduling

The script provided below addresses the need for automated weekly and monthly backup creation, as well as retention management. It acts as a workaround by leveraging Azure Automation and PowerShell scripts to automatically create backups on a weekly and monthly schedule and enforce retention policies.

Here’s an overview of the two main scripts that automate the backup process for Azure Web Apps:

1. Creating Weekly Backups Using PowerShell

This script first logs into your Azure account, retrieves all the Azure Web Apps in a subscription, and creates backups for each one. The backups are stored in an Azure Storage Account with a 1-day SAS token for security.

# Login to Azure account
Connect-AzAccount

# Set your subscription
$subscriptionId = "<your-subscription-id>"
Set-AzContext -SubscriptionId $subscriptionId

# Get list of all Azure Web Apps
$webApps = Get-AzWebApp

# Define storage account and container details
$location = "<Storage Account Region>"
$container = "<Container Name>"
$backupname = "<Prefix Name>"
$StorageaccRG = "<Storage Account RG>"
$Storageaccname = "<Storage Account Name>"

# Loop through each web app and create a backup
foreach ($webApp in $webApps) {
    $timezone = [System.TimeZoneInfo]::FindSystemTimeZoneById("India Standard Time")
    $istTime = [System.TimeZoneInfo]::ConvertTimeFromUtc((Get-Date).ToUniversalTime(), $timezone)
    $timestamp = $istTime.ToString("yyyy-MM-ddTHH.mm.ss")
    $webappname = $webApp.Name

    # Get storage account context
    $storageAccount = Get-AzStorageAccount -ResourceGroupName $StorageaccRG -Name $Storageaccname
    $storageContext = $storageAccount.Context

    # Generate an SAS token valid for 1 days
    $sasUrl = New-AzStorageContainerSASToken -Name $container -Permission rwdl `
    -Context $storageContext -ExpiryTime (Get-Date).AddDays(1) -FullUri

    # Create an on-demand backup
    Write-Host "Creating backup for $webappname..."
    New-AzWebAppBackup -ResourceGroupName $webApp.ResourceGroup `
        -Name $webappname -StorageAccountUrl $sasUrl -BackupName $backupname-$webappname-$timestamp
}

Write-Host "Backup process completed for all web apps."        

How This Script Helps:

• Automatic Backup Creation: It automates the process of creating backups for all Azure Web Apps in your subscription.
• Centralized Storage: All backups are stored in a central storage account, which simplifies management and access.
• Time zone Awareness: The script uses India Standard Time (IST) to ensure that backups are timestamped accurately, regardless of the Azure data center's time zone.

2. Enforcing Weekly and Monthly Retention Policies

The second part of the solution focuses on retention. This script checks all the previous backups for each web app, identifies those that are older than 90 days, and removes them to ensure compliance with a retention policy. It uses Azure Automation and PowerShell to automate this task.

# Get list of all Azure Web Apps
$webApps = Get-AzWebApp

# Loop through each web app and check backup status
foreach ($webApp in $webApps) {
    $BackupList = Get-AzWebAppBackupList -ResourceGroupName $webApp.ResourceGroup -Name $webApp.Name

    # Find the IST time zone
    $istZone = [System.TimeZoneInfo]::FindSystemTimeZoneById("India Standard Time")

    foreach ($backup in $BackupList) {
        try {
            # Parse UTC 'Created' and 'Finished' times
            $createdUtc = [DateTime]::ParseExact($backup.Created, "M/d/yyyy HH:mm:ss", $null)
            $finishedUtc = [DateTime]::ParseExact($backup.Finished, "M/d/yyyy HH:mm:ss", $null)
            
            # Convert the UTC times to IST
            $createdIst = [System.TimeZoneInfo]::ConvertTimeFromUtc($createdUtc, $istZone)
            $finishedIst = [System.TimeZoneInfo]::ConvertTimeFromUtc($finishedUtc, $istZone)

            # Get the creation date of the web app
            $createdDate = $createdIst

            # Check if the created date is more than 90 days ago
            $utcDate = (Get-Date).AddDays(-90).ToUniversalTime()
            $istDate = [System.TimeZoneInfo]::ConvertTimeFromUtc($utcDate, $istZone)

            # If the backup is older than 90 days, remove it
            if ($createdDate -lt $istDate) {
                Remove-AzWebAppBackup -ResourceGroupName $webApp.ResourceGroup -Name $webApp.Name -BackupId $backup.BackupId
            }
        } catch {
            Write-Host "Error parsing date for Backup ID: $($backup.BackupId)"
            Write-Host $_.Exception.Message
        }
    }
}

Write-Host "The retention check for all web apps has been completed."        

Benefits of Using This Approach:

1. Compliance with Retention Policies: The script allows you to maintain weekly and monthly backup retention policies, which are crucial for meeting compliance requirements in industries like healthcare, finance, and government.
2. Automation: By using Azure Automation and PowerShell, this solution eliminates manual intervention, reducing human error and ensuring that backup tasks are performed regularly.
3. Cost Efficiency: The solution is cost-effective as it uses Azure’s built-in backup mechanisms and centralizes storage, reducing the need for additional third-party backup tools.
4. Flexibility: This method offers flexibility in backup scheduling and retention policies, enabling organizations to tailor their backup approach based on specific business needs.
5. Time zone-Aware Backups: The script ensures that backups are scheduled based on the local time zone (IST), ensuring accurate time-stamping.

How This Helps Stay Compliant:

This workaround helps organizations stay compliant with backup retention policies by automating the backup creation and retention process. By retaining backups for the necessary time periods (e.g., weekly or monthly), organizations can ensure that they meet regulatory requirements and internal policies without having to manually track and manage backups.

Summary:

The lack of built-in weekly and monthly backup retention policies in Azure Web App Backup can present a challenge to organizations looking to meet compliance and data protection requirements. The solution outlined in this article provides a flexible and automated approach to creating and managing backups on a weekly and monthly basis, ensuring that retention policies are adhered to without manual intervention. By utilizing Azure Automation and PowerShell scripts, organizations can streamline their backup processes and ensure that their data is always protected.