Azure NetApp Files Backup & Disaster Recovery

Securing ANF backup with RBAC and Azure Policy

Azure NetApp Files backup was launched in public preview in September of 2021 and is a great native backup solution that builds on top of ANF snapshots.

Being a built-in solution brings big advantages in performance, optimization, cost and simplicity. Security, however, needs some additional consideration: your data and your backups all live in the same Azure subscription, so we need to lock down backup access and operations following the principle of least privilege.

We’ll do so by creating multiple RBAC roles, each with its own subset of allowed actions, and by configuring an Azure Policy that prevents anyone from disabling the backups.

I’ve created three separate RBAC roles in .json format: read-only, backup operator and backup administrator. Please refer to this article on how to import the .json roles using New-AzRoleDefinition.

Click here for a .zip file containing all .json templates.


ANF backup administrator role
The administrator role includes every available ANF backup action, meaning it can configure backups (snapshot policies and backup policies), pause backups, disable backups, and create, delete and restore backups.

{
   "Name":"ANF backup administrator",
   "Description":"Administrator role for ANF backup, configure and edit snapshot and backup policies, delete backups.",
   "Actions":[
      "Microsoft.NetApp/netAppAccounts/read",
      "Microsoft.NetApp/netAppAccounts/vaults/read",
      "Microsoft.NetApp/netAppAccounts/accountBackups/read",
      "Microsoft.NetApp/netAppAccounts/accountBackups/delete",
      "Microsoft.NetApp/netAppAccounts/capacityPools/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/write",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/backups/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/backups/write",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/backups/delete",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/BackupStatus/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/RestoreStatus/read",
      "Microsoft.NetApp/netAppAccounts/backupPolicies/read",
      "Microsoft.NetApp/netAppAccounts/backupPolicies/write",
      "Microsoft.NetApp/netAppAccounts/backupPolicies/delete",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/read",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/write",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/delete",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/Volumes/action",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/ListVolumes/action",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/deployments/write",
      "Microsoft.Resources/deployments/read",
      "Microsoft.Resources/deployments/validate/action"
   ],
   "NotActions":[
      
   ],
   "DataActions":[
      
   ],
   "NotDataActions":[
      
   ],
   "AssignableScopes":[
      "/subscriptions/insert_sub_id_here"
   ]
}

Let’s break down each action entry for better understanding.

"Microsoft.NetApp/netAppAccounts/read"
Read data from the NetApp account.

"Microsoft.NetApp/netAppAccounts/vaults/read"
Needed to configure backup on volume (vault is automatically selected).

"Microsoft.NetApp/netAppAccounts/accountBackups/read"
"Microsoft.NetApp/netAppAccounts/accountBackups/delete"
View and delete backups from the Backups menu under the NetApp account blade.

"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read"
Read volume information.

"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/write"
New volume deployment (backup restore).
N.B. this also means the backup administrator and operator are able to edit (but not delete) existing volumes.

"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/read"
Read snapshots (restore from existing snapshot).

"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/backups/read"
"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/backups/write"
"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/backups/delete"
Read, create and delete backups from the Backups menu under the volume blade.

"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/BackupStatus/read"
Read backup status.

"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/RestoreStatus/read"
Read restore status.

"Microsoft.NetApp/netAppAccounts/backupPolicies/read"
"Microsoft.NetApp/netAppAccounts/backupPolicies/write"
"Microsoft.NetApp/netAppAccounts/backupPolicies/delete"
Read, create, edit and delete backup policies.

"Microsoft.NetApp/netAppAccounts/snapshotPolicies/read"
"Microsoft.NetApp/netAppAccounts/snapshotPolicies/write"
"Microsoft.NetApp/netAppAccounts/snapshotPolicies/delete"
Read, create, edit and delete snapshot policies.

"Microsoft.NetApp/netAppAccounts/snapshotPolicies/Volumes/action"
"Microsoft.NetApp/netAppAccounts/snapshotPolicies/ListVolumes/action"
List volumes assigned to a specific snapshot policy from the snapshot policy blade.

"Microsoft.Network/virtualNetworks/read"
Read the ANF delegated subnet for new volume deployment (backup restore).

"Microsoft.Resources/subscriptions/resourceGroups/read"
Needed for new volume deployment (backup restore).

"Microsoft.Resources/deployments/write"
"Microsoft.Resources/deployments/read"
"Microsoft.Resources/deployments/validate/action"
Needed to validate, submit and read the new volume deployment (backup restore).


ANF backup operator role
The operator role can perform on-demand backups and backup restores. The operator cannot enable, edit or disable snapshot/backup policies.

{
   "Name":"ANF backup operator",
   "Description":"Operator role for ANF backup, perform on-demand backups and restores.",
   "Actions":[
      "Microsoft.NetApp/netAppAccounts/read",
      "Microsoft.NetApp/netAppAccounts/accountBackups/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/write",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/backups/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/backups/write",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/BackupStatus/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/RestoreStatus/read",
      "Microsoft.NetApp/netAppAccounts/backupPolicies/read",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/read",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/Volumes/action",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/ListVolumes/action",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/deployments/validate/action",
      "Microsoft.Resources/deployments/write",
      "Microsoft.Resources/deployments/read"
   ],
   "NotActions":[
      
   ],
   "DataActions":[
      
   ],
   "NotDataActions":[
      
   ],
   "AssignableScopes":[
      "/subscriptions/insert_sub_id_here"
   ]
}


ANF backup reader role
I don’t think the read-only role needs further explanation 🙂

{
   "Name":"ANF backup reader",
   "Description":"Read-only role for ANF backup.",
   "Actions":[
      "Microsoft.NetApp/netAppAccounts/read",
      "Microsoft.NetApp/netAppAccounts/accountBackups/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/backups/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/BackupStatus/read",
      "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/RestoreStatus/read",
      "Microsoft.NetApp/netAppAccounts/backupPolicies/read",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/read",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/Volumes/action",
      "Microsoft.NetApp/netAppAccounts/snapshotPolicies/ListVolumes/action"
   ],
   "NotActions":[
      
   ],
   "DataActions":[
      
   ],
   "NotDataActions":[
      
   ],
   "AssignableScopes":[
      "/subscriptions/insert_sub_id_here"
   ]
}
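The three roles form a tiered set: the reader can only look, the operator can additionally write (on-demand backups and restores) but never delete or touch policies, and the administrator can do everything. As an added example that is not part of the original post, the following Python script encodes those expectations as checks and runs them against the action lists above (reproduced here as constructed sets). The function names (`audit_roles`, `expand`, `load_role`) and the allow-list for the two snapshot-policy list operations are my own; point `load_role` at the author's .json files to audit the real definitions.

```python
"""Least-privilege checks for the three custom ANF backup roles.

Added example, not from the original post. The action lists below are
constructed from the three role definitions shown above so the checks run
offline; `load_role` reads the same 'Actions' array from a saved .json file
if you want to audit the real definitions instead.
"""
import json
from pathlib import Path

NETAPP = "Microsoft.NetApp/netAppAccounts/"

# The two snapshotPolicies '/action' operations are list operations (see the
# breakdown above), so the read-only tier allow-lists them explicitly.
READ_ONLY_ACTIONS = {NETAPP + "snapshotPolicies/Volumes/action",
                     NETAPP + "snapshotPolicies/ListVolumes/action"}


def expand(spec: str) -> set:
    """Whitespace-separated operations -> full action strings. Tokens that
    already start with 'Microsoft.' are kept; the rest are relative to NETAPP."""
    return {t if t.startswith("Microsoft.") else NETAPP + t for t in spec.split()}


def verb(action: str) -> str:
    """Last path segment of an action: read, write, delete or action."""
    return action.rsplit("/", 1)[-1]


def load_role(path: str) -> set:
    """'Actions' array of a role definition .json as used by New-AzRoleDefinition."""
    return set(json.loads(Path(path).read_text())["Actions"])


def audit_roles(reader: set, operator: set, admin: set) -> list:
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    for name, acts in (("reader", reader), ("operator", operator), ("admin", admin)):
        findings += [f"{name}: wildcard action {a}" for a in sorted(acts) if "*" in a]
    # Tiering: each role must be a superset of the one below it.
    if not reader <= operator:
        findings.append(f"reader has actions operator lacks: {sorted(reader - operator)}")
    if not operator <= admin:
        findings.append(f"operator has actions admin lacks: {sorted(operator - admin)}")
    # Reader: reads plus the allow-listed list operations, nothing else.
    findings += [f"reader carries non-read action {a}" for a in sorted(reader)
                 if verb(a) != "read" and a not in READ_ONLY_ACTIONS]
    # Operator: may write (on-demand backup, restore) but never delete, and
    # must not be able to create, edit or delete snapshot/backup policies.
    findings += [f"operator carries delete action {a}" for a in sorted(operator)
                 if verb(a) == "delete"]
    findings += [f"operator can modify policies via {a}" for a in sorted(operator)
                 if "Policies/" in a and verb(a) in ("write", "delete")]
    return findings


# Constructed from the three role definitions above.
READER = expand("""
    read accountBackups/read capacityPools/read capacityPools/volumes/read
    capacityPools/volumes/snapshots/read capacityPools/volumes/backups/read
    capacityPools/volumes/BackupStatus/read capacityPools/volumes/RestoreStatus/read
    backupPolicies/read snapshotPolicies/read
    snapshotPolicies/Volumes/action snapshotPolicies/ListVolumes/action""")
OPERATOR = expand("""
    read accountBackups/read capacityPools/read
    capacityPools/volumes/read capacityPools/volumes/write
    capacityPools/volumes/snapshots/read
    capacityPools/volumes/backups/read capacityPools/volumes/backups/write
    capacityPools/volumes/BackupStatus/read capacityPools/volumes/RestoreStatus/read
    backupPolicies/read snapshotPolicies/read
    snapshotPolicies/Volumes/action snapshotPolicies/ListVolumes/action
    Microsoft.Network/virtualNetworks/read
    Microsoft.Resources/subscriptions/resourceGroups/read
    Microsoft.Resources/deployments/validate/action
    Microsoft.Resources/deployments/write Microsoft.Resources/deployments/read""")
ADMIN = expand("""
    read vaults/read accountBackups/read accountBackups/delete capacityPools/read
    capacityPools/volumes/read capacityPools/volumes/write
    capacityPools/volumes/snapshots/read
    capacityPools/volumes/backups/read capacityPools/volumes/backups/write
    capacityPools/volumes/backups/delete
    capacityPools/volumes/BackupStatus/read capacityPools/volumes/RestoreStatus/read
    backupPolicies/read backupPolicies/write backupPolicies/delete
    snapshotPolicies/read snapshotPolicies/write snapshotPolicies/delete
    snapshotPolicies/Volumes/action snapshotPolicies/ListVolumes/action
    Microsoft.Network/virtualNetworks/read
    Microsoft.Resources/subscriptions/resourceGroups/read
    Microsoft.Resources/deployments/write Microsoft.Resources/deployments/read
    Microsoft.Resources/deployments/validate/action""")

if __name__ == "__main__":
    for finding in audit_roles(READER, OPERATOR, ADMIN) or ["all checks passed"]:
        print(finding)
```

Run it again after any edit to the .json files: a stray `*` or a delete action creeping into the operator role shows up as a finding before the role is imported.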


ANF backup Azure Policy
Moving on to Azure Policy, the following custom policy prevents anyone from suspending the backup policy or disabling backup entirely on a volume (disabling backup results in all backups for that volume being deleted).

{
   "properties":{
      "displayName":"ANF backup deny suspending or disabling policy",
      "description":"Denies suspending or disabling the ANF backup policy for a volume",
      "mode":"all",
      "policyRule":{
         "if":{
            "anyOf":[
               {
                  "field":"Microsoft.NetApp/netAppAccounts/backupPolicies/enabled",
                  "equals":"false"
               },
               {
                  "field":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/dataProtection.backup.policyEnforced",
                  "equals":"false"
               },
               {
                  "field":"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/dataProtection.backup.backupEnabled",
                  "equals":"false"
               }
            ]
         },
         "then":{
            "effect":"deny"
         }
      }
   }
}

Let’s examine each condition in the policyRule in more detail.

"Microsoft.NetApp/netAppAccounts/backupPolicies/enabled"
"equals":"false"
Prevents setting the Policy State to Disabled when modifying the backup policy (NetApp account blade -> Backups -> Backup Policies).

"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/dataProtection.backup.policyEnforced"
"equals":"false"
Prevents setting the Policy State to Suspend from the backup Configure option (volume blade -> Backups).

"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/dataProtection.backup.backupEnabled"
"equals":"false"
Prevents setting Enabled to Off from the backup Configure option (volume blade -> Backups).
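As an added example that is not part of the original post, the following Python script dry-runs the deny rule above against constructed request bodies for each of the three conditions, plus one edge case. It models only the anyOf/field/equals subset of Azure Policy that the rule uses, and it assumes each alias splits into a resource type and a dotted property path under the resource's properties; the function names and the sample bodies are mine, and Azure's own evaluation remains authoritative.

```python
"""Offline dry-run of the ANF backup deny policy against sample request bodies.

Added example, not from the original post. It models only the subset of Azure
Policy the rule uses (anyOf / field / equals) and assumes each alias splits
into '<resource type>/<dotted property path under properties>'. Use it to
sanity-check the rule's logic; Azure's own evaluation is authoritative.
"""
from typing import Optional

# The policyRule from the post, as a Python dict.
POLICY_RULE = {
    "if": {"anyOf": [
        {"field": "Microsoft.NetApp/netAppAccounts/backupPolicies/enabled",
         "equals": "false"},
        {"field": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/"
                  "dataProtection.backup.policyEnforced", "equals": "false"},
        {"field": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/"
                  "dataProtection.backup.backupEnabled", "equals": "false"},
    ]},
    "then": {"effect": "deny"},
}


def resolve_field(alias: str, resource: dict):
    """Look up an alias on a resource (assumed alias layout, see module doc).
    Returns None when the alias belongs to a different resource type or the
    property is absent, which makes the condition a non-match."""
    rtype, _, path = alias.rpartition("/")
    if resource.get("type", "").lower() != rtype.lower():
        return None
    node = resource.get("properties", {})
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def condition_matches(cond: dict, resource: dict) -> bool:
    """'equals' is a case-insensitive string comparison, so the boolean False
    in a request body matches the string "false" written in the rule."""
    value = resolve_field(cond["field"], resource)
    return value is not None and str(value).lower() == str(cond["equals"]).lower()


def evaluate(rule: dict, resource: dict) -> str:
    """Return the rule's effect ('deny') when the 'if' block matches, else 'none'."""
    cond = rule["if"]
    if "anyOf" in cond:
        matched = any(condition_matches(c, resource) for c in cond["anyOf"])
    elif "allOf" in cond:
        matched = all(condition_matches(c, resource) for c in cond["allOf"])
    else:
        matched = condition_matches(cond, resource)
    return rule["then"]["effect"] if matched else "none"


# Constructed request bodies, trimmed to the fields the rule inspects.
def backup_policy_request(enabled: bool) -> dict:
    return {"type": "Microsoft.NetApp/netAppAccounts/backupPolicies",
            "properties": {"enabled": enabled}}


def volume_request(backup: Optional[dict]) -> dict:
    props = {} if backup is None else {"dataProtection": {"backup": backup}}
    return {"type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes",
            "properties": props}


def dry_run() -> dict:
    """Evaluate the rule against the three scenarios described above plus a
    volume that never had backup configured at all."""
    scenarios = {
        "backup policy set to Disabled": backup_policy_request(False),
        "backup policy left Enabled": backup_policy_request(True),
        "volume backup suspended": volume_request(
            {"backupEnabled": True, "policyEnforced": False}),
        "volume backup switched Off": volume_request(
            {"backupEnabled": False, "policyEnforced": True}),
        "volume backup active": volume_request(
            {"backupEnabled": True, "policyEnforced": True}),
        "volume without backup configured": volume_request(None),
    }
    return {name: evaluate(POLICY_RULE, body) for name, body in scenarios.items()}


if __name__ == "__main__":
    for name, effect in dry_run().items():
        print(f"{effect:5}  {name}")
```

The last scenario is the one to keep in mind: a volume that never had backup configured carries no dataProtection.backup fields, so none of the three conditions match and the request is allowed. The policy therefore stops backups from being turned off or suspended, which is what the post sets out to do, but it does not by itself force backup to be enabled on new volumes.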

Thanks for reading 🙂
