
Enable Automated Backups

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: AppService-013

Ensure that Backup and Restore feature is enabled and configured to create custom backups for your Microsoft Azure App Service applications.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Reliability

To protect your App Service applications against accidental deletion and/or corruption, you can configure application backups to create restorable copies of your app content, its configuration files, and the database connected to your application. There are two types of backups in Azure App Service: automatic and custom backups. Although automatic backups offer simplicity and convenience, it's important to note that these backups are stored within the same Azure App Service datacenter and should not be considered a reliable disaster recovery solution. Consequently, automatic backups may not align with your specific backup requirements and retention policies. For better control and flexibility, it is recommended that your App Service applications employ custom backups. Custom backups allow you to schedule backups at specific times, retain backups for longer periods (up to an indefinite amount of time), and store them in custom, dedicated storage accounts, ensuring data protection tailored to your needs.

Note: Application backups require the Azure App Service plan to be in the Standard tier or Premium tier.


Audit

To determine if your Azure App Service applications are configured to create custom backups, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Services application that you want to examine.

04 In the navigation panel, under Settings, choose Backups and check the list of backups available for the selected application. If no backups have been taken (i.e. the backups list is empty), the following message is displayed instead: "No backup data to display". In that case, the Backup and Restore feature is not enabled for the selected Microsoft Azure App Service application.

05 Repeat steps no. 3 and 4 for each Azure App Service application available in the selected account subscription.

06 Repeat steps no. 3 – 5 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the names of all App Services applications (and the name of their associated resource groups) deployed in the current Azure subscription:

az webapp list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested application information:

Name               ResourceGroup
-----------------  ------------------------------
cc-aspnet-web-app  cloud-shell-storage-westeurope
cc-nodejs-web-app  cloud-shell-storage-westeurope

03 Run webapp config backup show command (Windows/macOS/Linux) using the name of the application that you want to examine as the identifier parameter, to describe the backup configuration for the selected App Services application:

az webapp config backup show \
  --webapp-name cc-aspnet-web-app \
  --resource-group cloud-shell-storage-westeurope

04 The command output should return the requested configuration information:

Backup configuration not found

If the webapp config backup show command output returns "Backup configuration not found" message, as shown in the example above, the Backup and Restore feature is not enabled and configured for the selected Microsoft Azure App Service application.

05 Repeat steps no. 3 and 4 for each Azure App Service application deployed within the current account subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
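The six CLI audit steps above can be scripted so that every application in every subscription is checked in one pass. The script below is an added example and is not part of the Conformity rule; it assumes the Azure CLI (az) is installed and signed in, that "az webapp config backup show" prints the "Backup configuration not found" message (on stdout or stderr) for an unconfigured app, and that a configured app's output contains the backupSchedule and storageAccountUrl fields. It also flags the edge case the rule text implies but the steps do not test for: a backup configuration that exists but has "enabled": false.

```shell
#!/usr/bin/env sh
# Added example (not Conformity's own code): audit every App Service app in
# every subscription for a custom backup configuration.
# Assumption: the Azure CLI is installed and `az login` has been run.

# classify_backup_output OUTPUT -> prints MISSING | DISABLED | CONFIGURED | ERROR
# Pure function, so the decision logic can be checked without Azure access.
classify_backup_output() {
  case "$1" in
    *"Backup configuration not found"*)            echo MISSING ;;     # rule finding
    *'"enabled": false'*)                          echo DISABLED ;;    # configured but switched off
    *'"backupSchedule"'*|*'"storageAccountUrl"'*)  echo CONFIGURED ;;  # assumed field names
    *)                                             echo ERROR ;;       # auth/network/other failure
  esac
}

# audit_webapp NAME RESOURCE_GROUP -> prints "<status> <name> <resource-group>"
audit_webapp() {
  # The "not found" message is data, not a failure: merge stderr into stdout
  # and do not let a non-zero exit code abort the loop.
  out=$(az webapp config backup show --webapp-name "$1" --resource-group "$2" 2>&1 || true)
  printf '%s %s %s\n' "$(classify_backup_output "$out")" "$1" "$2"
}

# audit_all_subscriptions -> rule steps 1-6 across every subscription
audit_all_subscriptions() {
  for sub in $(az account list --query '[].id' --output tsv); do
    az account set --subscription "$sub"
    # tsv output gives one "name<TAB>resourceGroup" line per application
    az webapp list --query '[].[name, resourceGroup]' --output tsv |
    while IFS="$(printf '\t')" read -r name rg; do
      audit_webapp "$name" "$rg"
    done
  done
}

# Only contact Azure when asked explicitly, so the helpers can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then
  audit_all_subscriptions
fi
```

Run it as "sh audit-backups.sh --run" and grep the output for MISSING and DISABLED; both states are findings under this rule, since a disabled schedule produces no restorable copies either.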

Remediation / Resolution

To enable and configure custom backups for your Microsoft Azure App Service applications, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the application that you want to configure.

04 In the navigation panel, under Settings, select Backups and choose Configure custom backups.

05 On the Configure custom backups panel, perform the following operations:

  1. For Basics, choose the appropriate subscription, select the storage account and the target container to store your application backups. The Azure Storage account and the required container must be available in the same subscription as the app that you want to back up. Under Set schedule, select Set schedule to configure the schedule for the application backup:
    • Use the Repeats every controls to schedule an application backup every N days or hours, depending on your backup policy.
    • For Start time, use the date and time picker controls to specify the backup schedule start time.
    • For Time zone, set the required time zone, depending on your backup policy.
    • Provide the optimal backup retention period in the Days box.
    • Use the Keep at least one backup at all times setting to specify whether or not to retain at least one application backup. Choose Next : Advanced > to continue the setup.
  2. For Advanced, select the database(s) that you want to include in the app backups.
  3. Choose Configure to apply the configuration changes. Once applied, a confirmation message with the backup schedule start time and recurrence should be displayed. You can also initiate a manual backup at any time by clicking the Backup Now button. To restore your Azure App Service app (including its linked databases) on demand to a previous state, or to create a new application based on one of the app's backups, click the Restore button and select a custom application backup to restore.

06 Repeat steps no. 3 – 5 for each other Azure App Service application in the selected subscription for which you want to enable and configure custom backups.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run storage account create command (Windows/macOS/Linux) to create the Microsoft Azure Storage account required to hold your Azure App Service application backups:

az storage account create \
  --name ccwebstorageaccount \
  --resource-group cloud-shell-storage-westeurope \
  --sku Standard_LRS

02 The command output should return the information available for the new Azure Storage account:

{
	"accessTier": "Hot",
	"allowBlobPublicAccess": true,
	"allowCrossTenantReplication": null,
	"allowSharedKeyAccess": null,
	"allowedCopyScope": null,
	"azureFilesIdentityBasedAuthentication": null,
	"blobRestoreStatus": null,
	"creationTime": "2023-10-31T15:24:47.566177+00:00",
	"customDomain": null,
	"defaultToOAuthAuthentication": null,
	"dnsEndpointType": null,
	"enableHttpsTrafficOnly": true,
	"enableNfsV3": null,
	"extendedLocation": null,
	"failoverInProgress": null,
	"geoReplicationStats": null,
	"identity": null,
	"immutableStorageWithVersioning": null,
	"isHnsEnabled": null,
	"isLocalUserEnabled": null,
	"isSftpEnabled": null,
	"keyPolicy": null,
	"kind": "StorageV2",
	"largeFileSharesState": null,
	"lastGeoFailoverTime": null,
	"location": "westeurope",
	"minimumTlsVersion": "TLS1_0",
	"name": "ccwebstorageaccount",
	"networkRuleSet": {
		"bypass": "AzureServices",
		"defaultAction": "Allow",
		"ipRules": [],
		"resourceAccessRules": null,
		"virtualNetworkRules": []
	},
	"primaryEndpoints": {
		"blob": "https://ccwebstorageaccount.blob.core.windows.net/",
		"dfs": "https://ccwebstorageaccount.dfs.core.windows.net/",
		"file": "https://ccwebstorageaccount.file.core.windows.net/",
		"internetEndpoints": null,
		"microsoftEndpoints": null,
		"queue": "https://ccwebstorageaccount.queue.core.windows.net/",
		"table": "https://ccwebstorageaccount.table.core.windows.net/",
		"web": "https://ccwebstorageaccount.z6.web.core.windows.net/"
	},
	"primaryLocation": "westeurope",
	"privateEndpointConnections": [],
	"provisioningState": "Succeeded",
	"publicNetworkAccess": null,
	"resourceGroup": "cloud-shell-storage-westeurope",
	"routingPreference": null,
	"sasPolicy": null,
	"secondaryEndpoints": null,
	"secondaryLocation": null,
	"sku": {
		"name": "Standard_LRS",
		"tier": "Standard"
	},
	"statusOfPrimary": "available",
	"statusOfSecondary": null,
	"storageAccountSkuConversionStatus": null,
	"tags": {},
	"type": "Microsoft.Storage/storageAccounts"
}

03 Run storage container create command (Windows/macOS/Linux) using the name of the newly created Microsoft Azure Storage account as the command parameter to create the storage container required to store your Azure App Service application backups:

az storage container create \
  --account-name ccwebstorageaccount \
  --name cc-app-backup-container

04 The command output should return the storage container create request confirmation status:

{
	"created": true
}

05 Run storage container generate-sas command (Windows/macOS/Linux) to generate a Shared Access Signature (SAS) token for the storage container created in the previous step. A SAS token enables you to grant limited access to the containers and the blobs within your storage account. When you create a SAS token, you specify its constraints, including which permissions it has on those Azure resources and how long the token is valid:

az storage container generate-sas \
  --name cc-app-backup-container \
  --account-name ccwebstorageaccount \
  --permissions rwdl \
  --expiry 2024-05-01

06 The command output should return the new Shared Access Signature (SAS) token:

"se=2024-05-01&sp=rwdl&sv=2022-11-02&sr=c&sig=abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"

07 Run webapp config backup update command (Windows/macOS/Linux) to enable custom backups for the selected Azure App Service application by configuring a backup schedule for the specified app. Construct the required storage container URL using the following format: "https://<storage-account-name>.blob.core.windows.net/<storage-container-name>?<storage-container-sas-token>" (the command does not produce an output):

az webapp config backup update \
  --webapp-name cc-aspnet-web-app \
  --resource-group cloud-shell-storage-westeurope \
  --backup-name cc-custom-daily-backup \
  --container-url 'https://ccwebstorageaccount.blob.core.windows.net/cc-app-backup-container?se=2024-05-01&sp=rwdl&sv=2022-11-02&sr=c&sig=abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd' \
  --frequency 1d \
  --retention 7 \
  --retain-one true

08 Repeat step no. 7 for each other Azure App Service application in the current subscription for which you want to enable and configure custom backups.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.
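CLI remediation steps 1 through 7 combined into one script, as an added example that is not part of the Conformity rule. It assumes the Azure CLI is installed and signed in, and that the account, container and application names passed to it are yours (the ones used here are constructed sample values). Two things go beyond the steps on the page: the container URL is built by a function that quotes the SAS token (the token contains "&", which an unquoted shell command would treat as a background operator), and the storage account is created with "--allow-blob-public-access false", "--min-tls-version TLS1_2" and "--https-only true", because the sample output of step 2 shows the defaults (allowBlobPublicAccess true, minimumTlsVersion TLS1_0) that a dedicated backup store should not keep.

```shell
#!/usr/bin/env sh
# Added example (not Conformity's own code): enable custom daily backups for
# one App Service app, creating a hardened storage account and container,
# a time-limited container SAS, and the backup schedule (rule steps 1-7).
# Assumption: the Azure CLI is installed and `az login` has been run.
set -e

# build_container_url ACCOUNT CONTAINER SAS -> URL in the format required by
# `az webapp config backup update --container-url`:
#   https://<account>.blob.core.windows.net/<container>?<sas>
build_container_url() {
  sas=$3
  sas=${sas#\"}; sas=${sas%\"}   # tolerate a JSON-quoted token pasted from --output json
  printf 'https://%s.blob.core.windows.net/%s?%s\n' "$1" "$2" "$sas"
}

# remediate_webapp APP RESOURCE_GROUP ACCOUNT CONTAINER SAS_EXPIRY
remediate_webapp() {
  app=$1; rg=$2; account=$3; container=$4; expiry=$5

  # Step 1: dedicated backup storage account. The hardening flags are this
  # example's addition to the page's command.
  az storage account create --name "$account" --resource-group "$rg" --sku Standard_LRS \
    --allow-blob-public-access false --min-tls-version TLS1_2 --https-only true --output none

  # Step 3: container that will hold the backup blobs.
  az storage container create --account-name "$account" --name "$container" --output none

  # Step 5: SAS scoped to this container only, with the page's permission set
  # (read/write/delete/list) and a fixed expiry. tsv output yields the bare token.
  sas=$(az storage container generate-sas --account-name "$account" --name "$container" \
        --permissions rwdl --expiry "$expiry" --output tsv)

  # Step 7: schedule a daily backup, keep 7 days, always keep at least one.
  url=$(build_container_url "$account" "$container" "$sas")
  az webapp config backup update --webapp-name "$app" --resource-group "$rg" \
    --backup-name "${app}-daily-backup" --container-url "$url" \
    --frequency 1d --retention 7 --retain-one true
}

# Constructed sample values; only contacts Azure when run with --run.
if [ "${1:-}" = "--run" ]; then
  remediate_webapp cc-aspnet-web-app cloud-shell-storage-westeurope \
    ccwebstorageaccount cc-app-backup-container 2024-05-01
fi
```

The SAS expiry is a maintenance item, not a one-off: once the date in "--expiry" passes, scheduled backups stop succeeding until a fresh token is generated and "az webapp config backup update" is run again with the new container URL, so record the expiry date and re-run steps 5 and 7 ahead of it.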

Publication date Sep 30, 2019