Azure File Share for your Infrastructure Backup

While working on a small problem with the infrastructure backup on one of our connected Stacks, I wondered if this could work with an Azure File Share. We now have a dedicated file server that we need to license and manage which might be a little bit old school in 2019?

I put out a tweet and quickly got a reply from @ThomasMaurer that he had already done this. Cool! So, let’s try this out.

Note! This configuration is still not officially supported by Microsoft (January 2019).

Step 1 – Create a storage account in your public Azure subscription

In my case I used the tenant where this Azure Stack is registered under. I created a resource group called “region-infrabackup” and a storage account called “regionbck1”.

Go to File Service – Files and create a folder. In my case I called it “backup”.

Click on the folder and from the top click Connect. The information you need to connect to the share appears on the right. I copied the one with the “net use” command and pasted it in a notepad.

You can extract the file share, username and password from this information:

Fileshare \\regionbck1.file.core.windows.net\backup
Username AZURE\regionbck1
Password WGpoVG1QdnpGWUdwb3FTYXdrV1FKcnBiZkRXdEFIY25HZG5Hb3Z3SkpIRnhsa1p5bEJRcXRpaXJBUUxSR0laVQ==

Step 2 – Test the Azure File Share

You can go ahead and try to configure the infrastructure backup first, but there is another way to test if the SMB share is available and works. If it does not, it will give you some extra information that can be helpful.

Connect to your PEP and run the following command:

Don’t be afraid, it won’t run a complete Test-AzureStack, only the tests for AzsBackupShareAccessibility.

The output hopefully looks like this:

Then you are good to go and can continue configuring your infrastructure backup. If not, I will give you some tips at the end of this post.

Step 3 – Configure the infrastructure backup

This is business as usual for an Azure Stack Operator. Use the information gathered in step 1. Small side note, it is important to use a proper encryption key. You can create one via PowerShell with the command New-AzsEncryptionKeyBase64. Do not forget to change your key on a regular basis.

Run a backup and see if it works.

Step 4 – Secure the storage account (optional)

I chose to secure the storage account with an IP filter. You can do this by adding the IP-ranges to the Firewall rules of the storage account. You can find this under “Firewall and Virtual Networks”.

I also added the Public VIP range of this Azure Stack… You never know if they change it. 😉

If you want, you can encrypt the share even more with Azure Key Vault.

This is it. Enjoy your As a Service SMB share for your Azure Stack Infrastructure Backup.


Now, what if the Test-AzureStack command gives something like this:

Then, like it says, we can call Get-AzureStackLog for additional diagnostics.

During a call with Support I learned that this information can be found in the SeedRing log. I tend to use the ERCS_AzureStackLogs.ps1 script to collect logs, only choosing the SeedRing logs in the time-frame needed.

Get the file Seedring-timestamp.zip from the AzureStackLogs-timestamp folder. Then copy it to C:\tmp\ and extract it. In one of the ERCS folders you’ll find a HTML file called AzureStack_Validation_Summary_timestamp.html. Open this file and here you will find more information. It will tell you if the SMB-share is reachable and writable and could provide you with some clues if not.

Spread the word. Share this post!