Feature Request: Automated Backup Management for Shared VM Storage in Azure TRE #4362

Open
james-annages opened this issue Feb 11, 2025 · 11 comments · May be fixed by #4374

@james-annages

Is your feature request related to a problem? Please describe.

Currently, we have a need to back up data stored in Shared VM storage within Azure TRE workspaces. At the moment, we rely on an external Azure Function that periodically discovers new file shares and manually adds them to an Azure Recovery Services Vault for backup. This approach is not scalable and lacks built-in visibility into backup status.

Describe the solution you'd like

A shared service that can be deployed within Azure TRE to automate the deployment and configuration of Azure Recovery Vaults for workspace storage, ensuring all shared VM storage is backed up efficiently.

Key Features:

  • Automated Azure Recovery Vault Deployment

    • Deploy and configure Azure Recovery Services Vault as a shared service.
    • Automatically detect and add new file shares in selected workspaces for backup.
  • Per-Workspace Backup Configuration

    • Ability to opt-in or opt-out of backups per workspace.
    • Automatically update backup configurations when new shares are created.
  • Backup Retention & Storage Options

    • Set retention policies for backups (e.g., 30/60/90 days).
    • Choose between Snapshot-based backups (faster recovery) or full Recovery Vault backups (for disaster recovery).
  • Backup Monitoring & Status Dashboard

    • View last backup timestamp, status (success/failure), and list of available backups.
    • Integrate with Azure Monitor for backup failure alerts.

Describe alternatives you've considered

Currently, we have deployed an external Azure Function that runs on a schedule to scan for new shares and manually add them to an Azure Recovery Services Vault. This method is inefficient and lacks visibility into backup status, retention settings, and failure monitoring.

Additional Context

Implementing this feature as a shared service would provide a native, integrated solution within Azure TRE, eliminating the need for external automation and providing a centralized view of backup operations.

@marrobi
Member

marrobi commented Feb 11, 2025

@james-annages that sounds great and is something the project would greatly benefit from. Is it something you are intending to work on and could contribute a PR?

@james-annages
Author

@marrobi I am working on the external function for my org atm but would be happy to throw some time at smashing my head into that brick wall (I jest).

I will have a look at mocking up something and see what happens.

I'm thinking the best bet would be to add it into the workspace Terraform code as a check/if call? Open to other suggestions?

@marrobi
Member

marrobi commented Feb 11, 2025

I think we need to break it down into stages, happy to help do that. If there is a solid design it's much easier to implement.

One question I have is: does each workspace have its own backup vault? Not sure if there would be any benefits in that. We have some work that might be done soon allowing different workspaces to sit in different subscriptions. I'm not sure if we can back up to a vault in another subscription.

@marrobi
Member

marrobi commented Feb 11, 2025

Nope, see note on this page: https://learn.microsoft.com/en-us/azure/backup/backup-azure-move-recovery-services-vault#use-azure-portal-to-move-recovery-services-vault-to-a-different-subscription

Cross subscription backup (RS vault and protected VMs are in different subscriptions) isn't a supported scenario. Also, storage redundancy option from local redundant storage (LRS) to global redundant storage (GRS) and vice versa can't be modified during the vault move operation.

So I think this would need a vault in the workspace; in a way this simplifies things as it's a flag in the workspace. Shared services/core would have to be considered independently.

Thoughts?

@marrobi
Member

marrobi commented Feb 11, 2025

Something like - https://charbelnemnom.com/auto-protect-azure-file-shares-in-azure-backup/

Albeit we don't have much PowerShell in the project (mostly az cli).

@james-annages
Author

james-annages commented Feb 12, 2025

So looking at the project board, I've just seen the multiple subs idea.
From a deployment perspective that would simplify things (either a tick box on a workspace deploy or a workspace service). It would also mean that accessing the backups could be simpler.
On that note, an MVP I'm thinking of is:

  • Deploy of backup vault + any needed RG permissions.
  • Auto register of the objects.
  • Deploy a default policy.
  • Allow selection of types of objects to cover (SQL, VMs, File Shares, etc.)

In addition, it might be worth also having a shared service if you are only wanting to back up file shares, but I need to investigate that further.

@marrobi
Member

marrobi commented Feb 12, 2025

I think keep it in the workspace, rather than a service, then it's an explicit opt in/out, and fewer bundles to manage.

You ok to give this a go? Happy to support as needed. Thank you!

@james-annages
Author

Happy to give this a kick and see what happens. May need some poking to get other bits to work correctly for auto registration of resources vms, shares etc.

@james-annages
Author

Some progress.
I have Terraform code to deploy the backup vault, deploy the policies, and register the main storage accounts and share.
I also have the backup as a tick box for enabling.

Currently doing a test deployment (going to leave it going while I go to bed).

If it works, next steps will be to add to the DB the policy IDs for the VM backup and the vault name.
May need to pick someone's brain on the UI/API/DB side of things.

@marrobi
Member

marrobi commented Feb 17, 2025

That's great, if you have some code and want to open a draft PR, feel free, we can try to iterate from there. Happy to help on the UI/API side.

james-annages linked a pull request Feb 17, 2025 that will close this issue
@james-annages
Author

PR opened.

I was thinking, as a base, just try and get a report into a tab for backups.

What do people think?

Status: In Progress