Back Up and Restore Nerdio Manager Configuration

This topic discusses how to back up and restore the Nerdio Manager configuration.

Nerdio Manager is an Azure application consisting of several PaaS services. When backing up Nerdio Manager, the following components should be considered:

  • Azure Key Vault: This contains service principal secrets and AD domain joiner user account passwords. The contents of the Key Vault are fairly static and do not need to be backed up on a regular basis.

  • Azure SQL Database: This contains auto-scale configuration (for example, scheduling), logs, and auto-scale history data. The relevant contents of the database change when auto-scale settings are modified. A recurring backup is recommended.

  • Azure App Service: This runs the Nerdio Manager application and does not contain actual data beyond the application binaries. The contents of the app service change when the application is upgraded to the latest version.

Tip: The recommended method for backing up Nerdio Manager is to enable App Service backups and directly retrieve contents of the Key Vault used by Nerdio Manager to a .zip file. SQL database backups are automatically included with the App service backups. Otherwise, you need to perform the procedures described below.

Prerequisites

Scripts Download:

  • Select this link to download the zip file that contains the scripts used in the steps below. Once you download the zip file, unzip it on your local computer.

Azure:

  • The app service plan must be a Standard or Premium one (for example, S3 or P2V2) because only standard and premium plans support the built-in Back Up and Restore functionality. By default, Nerdio Manager is deployed using a Basic plan (B3), which does not support backups.

  • A non-guest account with at least Contributor role permissions on the Key Vault, which can be inherited from the subscription the Key Vault is tied to.

  • A storage account used by the app-service-backup.ps1 script needs to be created.

  • If the SQL Server has been hardened (limiting network access to known VNets & IPs only), all IP addresses associated with the app service cluster must be added as permitted IPs on the SQL Server firewall (associated IP addresses are displayed under the Networking tab of the app service). Otherwise, the backup services for the app service are unable to connect to the SQL server and save the backup successfully.

    • App service backups occur in the app service cluster, and do not use any configured private endpoints or VNet integration.
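The firewall prerequisite above can be checked before the first backup runs. The following is an added example, not part of the Nerdio scripts: the function names `ConvertTo-IPv4Number` and `Test-SqlFirewallCoverage` are hypothetical, the addresses and rule names are constructed sample data, and the comments assume the Az.Sql module (not in the module list on this page) is used to read the live firewall rules.

```powershell
# Added example (not Nerdio's script): report which app service outbound IPs
# fall inside a SQL Server firewall rule. IPv4 only.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    [uint64]$n = 0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = ($n * 256) + $b          # fold the four octets into one integer
    }
    $n
}

function Test-SqlFirewallCoverage {
    param(
        [Parameter(Mandatory)][string[]]$OutboundIp,
        [Parameter(Mandatory)][object[]]$FirewallRule
    )
    foreach ($ip in ($OutboundIp | Sort-Object -Unique)) {
        $value = ConvertTo-IPv4Number $ip
        # First rule whose start/end range contains this address, if any
        $hit = $FirewallRule | Where-Object {
            (ConvertTo-IPv4Number $_.StartIpAddress) -le $value -and
            (ConvertTo-IPv4Number $_.EndIpAddress) -ge $value
        } | Select-Object -First 1
        [pscustomobject]@{
            IpAddress = $ip
            Permitted = [bool]$hit
            Rule      = if ($hit) { $hit.FirewallRuleName } else { $null }
        }
    }
}

# Constructed sample data. Against a live environment the inputs would come from:
#   (Get-AzWebApp -ResourceGroupName <rg> -Name <app>).PossibleOutboundIpAddresses -split ','
#   Get-AzSqlServerFirewallRule -ResourceGroupName <rg> -ServerName <server>   # Az.Sql
$outbound = '203.0.113.10,203.0.113.11,198.51.100.7' -split ','
$rules = @(
    [pscustomobject]@{ FirewallRuleName = 'appsvc-range'; StartIpAddress = '203.0.113.0'; EndIpAddress = '203.0.113.15' }
    [pscustomobject]@{ FirewallRuleName = 'office'; StartIpAddress = '192.0.2.50'; EndIpAddress = '192.0.2.50' }
)

$report = Test-SqlFirewallCoverage -OutboundIp $outbound -FirewallRule $rules
$report | Format-Table -AutoSize

# Any address listed here would block the backup service from reaching SQL
$missing = @($report | Where-Object { -not $_.Permitted })
if ($missing.Count) {
    Write-Warning "Not permitted on SQL firewall: $($missing.IpAddress -join ', ')"
}
```

With the sample data, 198.51.100.7 is reported as not permitted; the other two addresses match the `appsvc-range` rule.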

Local System:

  • PowerShell 6.2.4 or PowerShell 5.1 for Windows

    • The entire Azure PowerShell Module "Az", or individual modules "Az.Accounts", "Az.KeyVault", "Az.Resources", "Az.Storage", and "Az.Websites". See this MS Doc for details

  • .NET Framework 4.7.2 or later

App Service and SQL DB Backup

The following procedure backs up the App Service and SQL database.

To back up the App Service and SQL database:

  1. Locate the downloaded script app-service-backup.ps1 on your local computer.

  2. Obtain the following values:

    • Azure Subscription ID: Nerdio Manager > Settings > Azure environment > Azure subscriptions tile.

      Note: Both the app service and backup storage account should be located in the same Azure subscription.

    • App Service Resource Group Name: Nerdio Manager > Settings > Azure environment > Linked resource groups tile.

    • App Service Name: Azure portal > Resource groups > Look up the name.

    • Storage Account Resource Group: Azure portal > Resource groups > Look up the name.

      Note: This can be the same as the app service resource group.

    • Storage Account Name: Azure portal > Resource groups > Look up the name.

  3. On your local computer, run the script app-service-backup.ps1 and supply the values as requested.

    Note: When prompted for a sign in, supply an account with permissions to the app service and storage account. A user with Contributor permissions on the subscription is recommended.

  4. After script execution, backups of the app service and SQL database are performed automatically daily with a retention of 10 days.

    Note: By default, the script sets a retention period of 10 days, and the backup runs every day at the time you ran the script. This can be changed by navigating to the Backups blade under Settings in the App Service portal and selecting Configure. Ensure the SQL connection string is present before selecting Save. If the value is missing, it can be retrieved from the Key Vault provisioned by Nerdio, under the name 'ConnectionStrings--DefaultConnection'.

Key Vault Backup

The Key Vault is backed up using a PowerShell script that retrieves the secrets and certificates stored in the Key Vault and saves the contents to a local zip file named keyvault-backup.zip in the same directory the script is run in. The contents of the zip file are encrypted and can only be decrypted in Azure.

To back up the Key Vault:

  1. Locate the downloaded script key-vault-backup.ps1 on your local computer.

  2. Obtain the following values:

    • Azure Subscription ID: Nerdio Manager > Settings > Azure environment > Azure subscriptions tile.

    • Key Vault Name: Azure portal > Look up the name.

  3. On your local computer, run the script key-vault-backup.ps1 and supply the values as requested.

    Note: When prompted for a sign in, supply a non-guest account with Access policies and permissions for the Key Vault. A user with Owner role is recommended.

  4. After script execution, the backup file keyvault-backup.zip is present in the directory.

    Note: Be sure to save the backup file (keyvault-backup.zip) to be used in a future restore, if needed.

App Service Restore

Restoring the App Service can be done using the portal option within the App Service, or using the files stored in the storage account under the blob container nmw-backup.

See these articles for additional details:

Key Vault Restore

The following procedure restores the Key Vault from a backup.

To restore the Key Vault from a backup:

  1. Locate the downloaded script key-vault-restore.ps1 on your local computer.

  2. Move the key-vault-restore.ps1 script to the same directory as the keyvault-backup.zip file.

  3. Run the script key-vault-restore.ps1.

    Note: The script only restores secrets and certificates that do not exist. If they have been deleted, but not purged, you receive a conflict error from the script. When restoring to a key vault with existing values, those values are not overwritten.

Note: Old secrets can be restored manually from the portal by selecting the "Older Versions" of the secret. This is useful if a specific value has been changed and needs to be reverted, such as the password used by the AD account.