Azure Virtual Machines

Low VM Instant Restore Backup Retention Limit

Ensures that the instant restore backup retention limit is set to a sufficient amount.

Risk Level: Medium

Description

This plugin guarantees that all Azure Virtual Machines (VM) have the instant restore backup retention limit configured to retain backups for the desired number of days. Instant Restore offers a number of features, such as reducing the wait time for snapshots to copy to the vault before triggering restore. It reduces backup and restore times by retaining snapshots locally and also supports disk sizes up to 32 TB, and many other features. To know more, read here.

About the Service

Azure Virtual Machines:

Azure Virtual Machines (VM) are one of several forms of scalable, on-demand computing resources offered by Azure. VMs are typically used when you require more control over the computing environment than the other options provide.  To know more, read here.

Impact

Without Instant Restore, the backup will be unable to access many of the additional features that make it more efficient and effective. This is important because it assists data recovery in the event of data loss, corruption, or failure.

Configuration Parameters

VM Instant Restore Backup Retention Period: This parameter specifies the number of days that a VM instant restore backup will be retained. An issue is created when the instant restore period is lesser than the provided limit.

By default, the value is 5, therefore it will return a vulnerability alert if the retention period is lesser than 5 days.

Steps to Reproduce

Using Azure Console-

  1. Log In to your Azure Console.
  2. Navigate to the Home portal of the Azure Console and click on All services.
  3. Select Virtual machine under Compute to access all the virtual machines present in the directory. You can use this link here to navigate directly if you’re already logged in.
  4. In the list of Virtual Machines (VM) displayed, select a VM you wish to investigate.


  5. From the navigation panel on the left side of the console, go to Backup in the Operations section.
  6. Click on the backup policy under Summary to view the policy defined for the selected VM.


  7. On the Change Backup Policy page, check the Instant Restore section and verify if the retention period is not equal to or greater than the configured period. (This can be checked in your PingSafe dashboard by checking the above-mentioned configuration parameter) If it isn’t, then the policy must be modified to meet the requirements.
  8. Repeat steps 4 to 7 for all the Virtual Machines you want to investigate in the selected directory.
  9. If you have multiple directories, repeat steps 2 to 8 for each directory in your Azure Console. 

Steps for Remediation

Follow the steps given below to make the necessary changes.
Using GCP Console-

  1. Log In to your Azure Console.
  2. Navigate to the Home portal of the Azure Console and click on All services.
  3. Select Virtual machine under Compute to access all the virtual machines present in the directory. You can use this link here to navigate directly if you’re already logged in.
  4. In the list of Virtual Machines (VM) displayed, select a VM you wish to re-configure.  (In case you aren’t sure which one needs to be configured, follow the steps to reproduce listed above to determine which VM to choose.)


 

  1. From the navigation panel on the left side of the console, go to Backup in the Operations section.
  2. Click on the recovery services vault under Summary to access the vault of the selected VM.
  3. From the navigation panel on the left side of the console, go to Backup policies in the Manage section.
  4. In the list of backup policies displayed, click on the policy corresponding to the selected VM (Check the steps to reproduce listed above to determine which policy to select)
  5. On the Modify policy page, change the Instant Restore setting according to the desired value and click on the Update button to save the changes.
  6. Repeat steps 3 to 9 for all the VM scale sets you want to reconfigure in the selected directory.
  7. If you have multiple directories, repeat steps 2 to 10 for each directory in your Azure Console.