I’ll be using the REST API to make this work, so this is a list of what you will need:
- A tool to execute POST requests using a certificate to authenticate. My preference here is to use Postman for desktop: https://www.getpostman.com/apps (you could also use the Chrome extension, but there the certificates are managed by the browser, which is less intuitive).
- OpenSSL to create a self-signed certificate. A good option is the tool that comes with the installation of Git for Windows (https://git-scm.com/downloads). There is also a wiki available with some third-party binary distributions (https://wiki.openssl.org/index.php/Binaries).
- Service administrator or Co-administrator access in the subscription in which you have the web/worker roles (we need this to upload a management certificate to Azure).
- In the same subscription, a storage account and a container to save the backups (I use a classic storage account since we are making backups of classic resources. I haven’t tried with a “modern” storage account).
These are the steps you must follow:
Give co-admin access in Azure:
If you are using the Service administrator account you won’t need this, but if a different user needs to do this, go to https://portal.azure.com and open the “Subscriptions” blade. Select your subscription and within the “Access control (IAM)” pane you can add the person you want as an owner by clicking on the Add button:
After that you will be able to give Co-administrator rights to that person by clicking on the ellipsis at the right side:
Create a container in the storage account:
Go to the storage account that you will use to save the backups and click on “Container” under the “Blob Service” section. Click on “Container” to add a new one and set the access level to Private:
Create the self-signed certificate with OpenSSL:
If you are using the openssl application that comes with the installation of Git, you can just double-click the .exe file here: C:\Program Files\Git\usr\bin. That will open a console with the application loaded.
We need to create a certificate with the “.crt” extension and the associated “.key” file. Use this command at the OpenSSL prompt to do this:
req -newkey rsa:2048 -nodes -keyout 'C:\temp\mynewcert.key' -x509 -days 1 -out 'C:\temp\mynewcert.crt' -subj '/CN=clearpeople.com'
The “-nodes” option writes the private key to the “.key” file unencrypted (no passphrase), and “-days 1” makes the certificate valid for one day.
Notice that the most important thing here is the “-subj” part. The subject name must match the domain used to access the cloud service, so I’ll use “clearpeople.com” in my case.
Once you have created these files, we also need the certificate in “.cer” format. To do this, double-click on the “.crt” file and in the “Details” tab, click on the “Copy to File…” button:
A wizard will open, and you must select the first option to export the certificate, “DER encoded binary X.509 (.CER)”:
Upload the certificate to Azure:
To upload the certificate, go to https://portal.azure.com and open the “Subscriptions” blade. Select your subscription and within the “Management certificates” pane click on the “Upload” button to upload the new certificate you’ve just created. You must select the “.cer” file for this:
Use Postman to make the backup with the REST API:
Open Postman and open the Settings pane:
In the certificates section, add a new one and put as the “Host”: “management.core.windows.net”. Select the “.crt” and “.key” files and click the “Add” button (you don’t need a passphrase since we haven’t used any):
Now, in Postman, go to the “Headers” tab and add these two:
x-ms-version -> 2012-03-01
ContentLength -> 0
I’m using the “Get Package” operation to make the backup. This is the url to the documentation from Microsoft: https://docs.microsoft.com/en-us/previous-versions/azure/reference/jj154121(v=azure.100)
To use this with Postman, I’ve chosen the option in which I indicate the deployment slot: https://management.core.windows.net/<subscription-id>/services/hostedservices/<cloudservice-name>/deploymentslots/<deployment-slot>/package. At the end of the URL we must use two parameters, “containerUri” and “overwriteExisting”. The containerUri must be the URL of the storage account with the name of the container at the end, something like “https://mystorageaccount.blob.core.windows.net/mybackupscontainer”. The “overwriteExisting” parameter can be true or false, depending on whether you want to overwrite a previous backup or not.
At the end you should have a url like this example: https://management.core.windows.net/33814246-eb86-4919-a840-16d146bb1586/services/hostedservices/mycloudservice/deploymentslots/production/package?containerUri=https://mystorageaccount.blob.core.windows.net/mybackupscontainer&overwriteExisting=true
Paste the URL in Postman, select the “POST” method and click on “SEND”. If everything goes well, you should get the Status “202 Accepted”:
And in Azure you will get two files under the container, one “.cscfg” and one “.cspkg”. You can use these to redeploy the web or worker role in Azure:
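The same Get Package request can be sent from a script instead of Postman. The Python below is an added example, not code from the original post: the function names are hypothetical, and the GUID, deployment-slot and https checks on the inputs are assumptions added here so that nothing unexpected ends up in the management URL.

```python
import ssl
import urllib.request
import uuid
from urllib.parse import quote, urlencode, urlsplit

MANAGEMENT_HOST = "management.core.windows.net"
API_VERSION = "2012-03-01"  # x-ms-version value used in the article


def build_get_package_url(subscription_id, service_name, slot, container_uri, overwrite):
    """Build the Get Package URL, validating each part before it is placed in the path."""
    subscription_id = str(uuid.UUID(subscription_id))  # raises ValueError if not a GUID
    if slot not in ("staging", "production"):
        raise ValueError("deployment slot must be 'staging' or 'production'")
    target = urlsplit(container_uri)
    if target.scheme != "https" or not target.netloc or not target.path.strip("/"):
        raise ValueError("containerUri must be an https URL ending in a container name")
    path = "/{}/services/hostedservices/{}/deploymentslots/{}/package".format(
        subscription_id, quote(service_name, safe=""), slot)
    # ':' and '/' are legal in a query string and kept literal, as in the article's URL;
    # characters such as '&' or '?' inside the container URI are percent-encoded.
    query = urlencode({"containerUri": container_uri,
                       "overwriteExisting": "true" if overwrite else "false"}, safe=":/")
    return "https://{}{}?{}".format(MANAGEMENT_HOST, path, query)


def build_backup_request(url):
    """POST with an empty body and the two headers the article sets in Postman."""
    request = urllib.request.Request(url, data=b"", method="POST")
    request.add_header("x-ms-version", API_VERSION)
    request.add_header("ContentLength", "0")  # as listed in the article
    return request


def send_backup_request(request, crt_path, key_path):
    """Send with the management certificate; returns the HTTP status (202 expected)."""
    context = ssl.create_default_context()  # keeps server certificate verification on
    context.load_cert_chain(certfile=crt_path, keyfile=key_path)
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return response.status


if __name__ == "__main__":
    # Values from the article's example URL and the files created in the OpenSSL step.
    container = "https://mystorageaccount.blob.core.windows.net/mybackupscontainer"
    url = build_get_package_url("33814246-eb86-4919-a840-16d146bb1586", "mycloudservice",
                                "production", container, True)
    print(send_backup_request(build_backup_request(url),
                              r"C:\temp\mynewcert.crt", r"C:\temp\mynewcert.key"))
```

Only the “.crt” and “.key” files are needed on the client side; the “.cer” file is the copy that was uploaded to the subscription.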
I hope that you find this helpful to make a proper backup of your web and worker roles in Azure.