Agentless, cloud-native backup for Microsoft Azure
michelkeus
Novice
Posts: 5
Liked: never
Joined: Nov 28, 2016 10:27 am
Full Name: Michel Keus
Contact:

Tags during Restore

Post by michelkeus »

Hey everyone,

Hope someone can help me out...

In our Azure tenant we have a policy enforced that requires a specific tag to be set on all resources (tag-name is Application); without it creation of an object will be denied.

Currently we need to create a subscription-wide exemption because during restore VBA creates resource groups and other objects without adhering to the tags originally set on the object that is in the backup. This requires someone with a very high privilege level to be involved (usually a Global Admin of which we only have 4 in our global company).

Is there a way to make VBA set the tags originally set on the original VM that was backupped during the restore process so we can adhere to the policy that is in-place?

Else this is a feature that I'd like to request; to either inherit the tags from the original object or manually define a set of tags that Veeam then uses in their intermediate process.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

Hi Michel,

Can you please clarify what version of VB you're using as well as what type of restore you are doing (back to the original location or a new one)? Tags should be restored, at least this is what I have just confirmed with the RnD team.

Thanks!

michelkeus
Novice
Posts: 5
Liked: never
Joined: Nov 28, 2016 10:27 am
Full Name: Michel Keus
Contact:

Re: Tags during Restore

Post by michelkeus »

Hi Vitaly,

As far as I can tell I am using the latest version:

Server version: 3.0.1.34
Worker version: 3.0.1.34
FLR service version: 4.0.0.360
Support Code: DBBC

Last time I tried a restore it was a restore back to the original location and it was based on the present snapshot.
Tags are indeed restored but only to the last/final step and not the intermediate steps. E.g. a restore of a disk goes to a seperate resource group first and that RG and disk do not have any tags and are hence denied by policy.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. » 1 person likes this post

Michel,

Ah, I see. So you want tags to be assigned when restoring to a temp RG as well. Not sure it can be changed at the moment, but I will bring this up internally.

Thanks!

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

@michelkeus , a quick question from the RnD team > can you please share a bit more info on how this policy works? Does it deny any resource without a tag or denies resources that do not have the specific tag? Any overlap with Veeam tags that we create?

michelkeus
Novice
Posts: 5
Liked: never
Joined: Nov 28, 2016 10:27 am
Full Name: Michel Keus
Contact:

Re: Tags during Restore

Post by michelkeus »

Hi Vitaly,

We have a policy in place that simply requires a specific tag ("Application"; but it's value can be anything) to be present on the Resource Group. Other policies make sure all the objects below inherit it from above.

Here is the XML from the policy:

Code: Select all

{
  "properties": {
    "displayName": "Require a tag on resource groups",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Enforces existence of a tag on resource groups.",
    "metadata": {
      "version": "1.0.0",
      "category": "Tags"
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag, such as 'environment'"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "96670d01-0a4d-4649-9c89-2d3abc0a5025"
}
The Parameter ID and Parameter Name in this case are defined as "tagName" and the Parameter Value in our case is "Application".
You can see the defined "effect" if "exists: false" is deny. So any RG without this tag will fail validation and hence cannot be created.

I hope this helps?

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

Yes, it does help, but when we are restoring to the original location we create a temp resource group (removed after the restore) without any tags, so I assume that would be a problem in your case? The workaround to this, would be to go "another location" option and select the original location manually.

michelkeus
Novice
Posts: 5
Liked: never
Joined: Nov 28, 2016 10:27 am
Full Name: Michel Keus
Contact:

Re: Tags during Restore

Post by michelkeus »

Hi Vitaly,

I will try and test that. If that workaround is doable I will make a note of it in our internal documentation.

Will you and your team know what the outcome of it is.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

Michel, yes, please keep us updated on this, as we can definitely assign tags to the restored resources in the temp RG, but that probably wouldn't help since the RG will be with no tags.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

@michelkeus, any updates on your experiments?

kbouchard
Influencer
Posts: 14
Liked: never
Joined: Jan 24, 2017 7:44 pm
Full Name: Kevin Bouchard
Contact:

Re: Tags during Restore

Post by kbouchard »

We have a similar problem. We have a policy that blocks VM creation if they don't have a tag. Is there a method to ensure that the tags are restored at the same time as the vm or this feature will be implemented in a future version?

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

Hi Kevin,

Tags are restored together with the VM. Can you please answer the questions I've asked Michel? When we restore to the original location, a temp RG is created, is it the case you're referring to or you have the same issues when restoring to another location too?

Thanks!

kbouchard
Influencer
Posts: 14
Liked: never
Joined: Jan 24, 2017 7:44 pm
Full Name: Kevin Bouchard
Contact:

Re: Tags during Restore

Post by kbouchard »

I have this issue when i try to restore in the original location.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

During restoring to the original location, a temp resource group (RG) is created to restore VMs and then move them to the original RG. Does you policy prohibit creating this temp RG too?

kbouchard
Influencer
Posts: 14
Liked: never
Joined: Jan 24, 2017 7:44 pm
Full Name: Kevin Bouchard
Contact:

Re: Tags during Restore

Post by kbouchard »

The policy block the creation of RG without tag and the temp RG don't have.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

Yes, this is my point. The temp RG is required to do restore to the original location while the original resource is still in place. Temp RG cannot have any tags, since it is created and removed on the fly without "knowing" what destination target is going to be.

Can you please share how would you resolve this case? Do you want to assign the required tags manually during the restore process or make an exclusion, let's say, for a "Veeam" tag, in your policy?

kbouchard
Influencer
Posts: 14
Liked: never
Joined: Jan 24, 2017 7:44 pm
Full Name: Kevin Bouchard
Contact:

Re: Tags during Restore

Post by kbouchard »

If it is possible to put a tag on the temporary group resource when it is created, that will solve the problem.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

Yep, should it be the same one as the original "source" or you want to do that in the VB UI in one of the steps of the restore wizard?

kbouchard
Influencer
Posts: 14
Liked: never
Joined: Jan 24, 2017 7:44 pm
Full Name: Kevin Bouchard
Contact:

Re: Tags during Restore

Post by kbouchard »

Both, will be good.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

Unfortunately, you have to make a choice what will work best and I will start discussing it with devs for the next release ;)

kbouchard
Influencer
Posts: 14
Liked: never
Joined: Jan 24, 2017 7:44 pm
Full Name: Kevin Bouchard
Contact:

Re: Tags during Restore

Post by kbouchard »

The best thing will be to copy the tags from the original and add the possibility to add the tag from the wizard when we restore.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

Ok, thanks for the feedback! We will see what we can do in our next updates.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

@kbouchard , do you have separate tags for VM, disks and resource groups? Will adding our "Veeam" tag to the policy resolve the issue? Also, can you share the policy you use for our QA team to apply it in our labs?

kbouchard
Influencer
Posts: 14
Liked: never
Joined: Jan 24, 2017 7:44 pm
Full Name: Kevin Bouchard
Contact:

Re: Tags during Restore

Post by kbouchard »

We have tags for everything. Haha!
But, the problem with the actual policy, Veeam Azure create temporary ressource group without tag.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

So if we add the Veeam tag to it, you will be able to adjust your policy and make it work, right?

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

A quick update > according to our QA team we do assign a Veeam tag to the temp resource group, so adding this to your policy should resolve the issue right away. Let me know if that helps! If it doesn't, please share your policy via a private message.

kbouchard
Influencer
Posts: 14
Liked: never
Joined: Jan 24, 2017 7:44 pm
Full Name: Kevin Bouchard
Contact:

Re: Tags during Restore

Post by kbouchard »

Thanks Vitaliy

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

@kbouchard, so have you tried adding a "Veeam" tag to the policy config you've shared with me via the PM? Our QA team believes it should resolve the problem. Thanks!

kbouchard
Influencer
Posts: 14
Liked: never
Joined: Jan 24, 2017 7:44 pm
Full Name: Kevin Bouchard
Contact:

Re: Tags during Restore

Post by kbouchard »

I talked with my colleagues, we have other policies. We need four different types of tags to respect all policies.

Vitaliy S.
Product Manager
Posts: 25814
Liked: 2399 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Tags during Restore

Post by Vitaliy S. »

By other policies, do you mean that you have other conditions over there or something else?

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests