## Sections
### Azure Backup Vault
Azure Backup Vault is a special type of storage that integrates with selected services on Azure to allow execution of (scheduled) Backup Policies, which are tied to Backup Instances.
Currently supported services (as of 12.2025) are:
- On-premises
- Azure VMs
- Azure Managed Disks
- Azure Files shares
- SQL Server in Azure VMs
- SAP HANA databases in Azure VMs
- **Azure Database for PostgreSQL servers**
- Azure Blobs
- ==Azure Database for PostgreSQL Flexible server==
- Azure Kubernetes service
- Azure Database for MySQL - Flexible Server backup (preview)
- SAP ASE (Sybase) database backup on Azure VMs (preview)
### Flavours of PostgreSQL
> *I will have some Azure Cosmos DB for PostgreSQL Clusters with Citus coordinator nodes and 10 worker nodes, with the side of Azure Database for PostgreSQL Flexible Servers with burstable computes ~~and two Azure Database for PostgreSQL Servers~~. No elastic clusters, thank you.*
Azure currently offers ~3 services for PostgreSQL databases:
<sup>(I am using 'proper' service names as the 'official' Customer-facing names are ambiguous).</sup>
- 'Microsoft.DBforPostgreSQL/servers' - Azure Database for PostgreSQL Server (deprecated by 2025)
- 'Microsoft.DBforPostgreSQL/flexibleServers' - Azure Database for PostgreSQL Flexible Servers
- 'Microsoft.DBforPostgreSQL/serverGroupsv2' - Azure Cosmos DB for PostgreSQL Cluster
#### Technical distinction
![[Pasted image 20251204220424.png]]
As seen, even though PostgreSQL 'server groups' are grouped together with the other two, they are not the same: only 'flexibleServers' and 'servers' are supported by Azure Backup Vault.
The explanation is fairly simple: 'serverGroupsv2' is a special type of service that is neither 'CosmosDB' (CosmosDB supports backups) nor a traditional PostgreSQL database, but a 'Citus'-based cluster which runs PostgreSQL distributed tables underneath.
<sup>This is a topic for another article :)</sup>
Hence, 'serverGroupsv2' are both **vertically** (compute hardware) and **horizontally** (nodes) scalable, while 'flexibleServers' remain scalable only **vertically** (compute hardware).
### Backup and Restoration of Azure Database for PostgreSQL Flexible Servers
I will not describe how to perform the backup step by step, as it is a conceptually trivial routine on its own. The process involves creating an Azure Backup Vault instance with a Managed Identity (a User-assigned Managed Identity is recommended) that has access to the CMK encryption key in Secrets Vault.
The backup itself is configured through Backup Instances and Backup Policies.
Overall feature support varies by the deployment Provider, be it AzureRM, AzAPI or Azure Portal.
I would like to outline what the documentation highlights as requirements.
#### Backup
![[Pasted image 20251204221531.png]]
![[Pasted image 20251204221544.png]]
#### Restoration
![[Pasted image 20251204221713.png]]
![[Pasted image 20251204221835.png]]
![[Pasted image 20251204221927.png]]
#### The problem
Everything looks simple - the Operator creates an Azure Backup Vault, Backup Policy, Backup Instance. The design involves a Storage Account, Secrets Vault, PostgreSQL Flexible Server database and a User-assigned Managed Identity with RBAC roles.
The documentation outlines:
- ['PostgreSQL Flexible Server Long Term Retention Backup Role'](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/databases#postgresql-flexible-server-long-term-retention-backup-role) on the database for the purposes of performing backups.
- ['Reader'](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#reader) on the Resource Group.
- ['Storage Blob Data Contributor'](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-blob-data-contributor) on the Storage Account for the purpose of restoring backup files into blob containers.
Sounds clear, so why would a User-assigned Managed Identity **have all those roles and still fail** when attempting to restore the backup files from Azure Backup Vault into a Storage Account's blob container?
Why would both the manual assignment and the automatic (Azure Portal's) assignment result in a greyed-out =='Assign missing roles'== button with one hardly relevant error message of =="Restore parameters validation failed. View details"==?
This problem took me 2-3 days to track down and I found the solution just before opening a ticket with the Support.
**Let's scroll up.**
![[Pasted image 20251204221835.png]]
**Let's enhance.**
![[Pasted image 20251204222952.png]]
Quote:
> *"Ensure the target storage account for restoring backup as a file is ==accessible via a public network==. ==If the storage account uses a private endpoint, update its public network access settings== before executing a restore operation."*
<center><img src="https://media.tenor.com/r8tcf2YZ5TIAAAAM/blinking-eyes-white-guy.gif"></center>
A presumably ==Private Endpoint secured==, ==non-public Storage Account== must be made **public** to restore backup files into it.
Not only does it contradict most of the Microsoft Defender for Cloud warnings, it also does not make sense given that Azure Backup Vaults are able to back up databases in private networks (performing backups is possible, restoration is not).
**However, in case you do encounter this problem - this was the solution.**
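A pre-flight check for the restore described above, as an added example (not from the original write-up and not Microsoft tooling). It assumes dictionaries shaped like the JSON printed by `az storage account show` and `az role assignment list`; every resource name and ID is a constructed placeholder.

```python
# Roles the post lists, keyed by the scope each one must cover.
REQUIRED = {
    "PostgreSQL Flexible Server Long Term Retention Backup Role": "server",
    "Reader": "resource_group",
    "Storage Blob Data Contributor": "storage",
}

def covers(assignment_scope, target):
    """RBAC is inherited: an assignment on a parent scope covers its children."""
    a, t = assignment_scope.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def preflight(storage, assignments, principal_id, targets):
    """Return the reasons a restore-as-files into `storage` would fail."""
    findings = []
    for role, kind in REQUIRED.items():
        held = any(x["principalId"] == principal_id
                   and x["roleDefinitionName"] == role
                   and covers(x["scope"], targets[kind]) for x in assignments)
        if not held:
            findings.append(f"missing role: {role} on {kind}")
    # Roles can all be present and the restore still fails on this setting.
    # Assumption: a null/absent value means public access is enabled.
    pna = storage.get("publicNetworkAccess") or "Enabled"
    if pna != "Enabled":
        pe = len(storage.get("privateEndpointConnections") or [])
        findings.append(f"publicNetworkAccess is {pna} ({pe} private endpoint "
                        "connection(s)); restore as files needs it Enabled")
    return findings

# Constructed sample data (placeholder IDs and names, not from the post).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-example"
TARGETS = {
    "resource_group": RG,
    "server": RG + "/providers/Microsoft.DBforPostgreSQL/flexibleServers/pg-example",
    "storage": RG + "/providers/Microsoft.Storage/storageAccounts/stexample",
}
UAMI = "11111111-1111-1111-1111-111111111111"
ASSIGNMENTS = [
    {"principalId": UAMI, "scope": TARGETS["server"],
     "roleDefinitionName": "PostgreSQL Flexible Server Long Term Retention Backup Role"},
    {"principalId": UAMI, "scope": SUB, "roleDefinitionName": "Reader"},  # inherited
    {"principalId": UAMI, "scope": TARGETS["storage"],
     "roleDefinitionName": "Storage Blob Data Contributor"},
]
STORAGE = {"publicNetworkAccess": "Disabled",
           "privateEndpointConnections": [{"name": "pe-example"}]}
```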
## References
### Section 1 - Azure Backup Vault
- https://learn.microsoft.com/en-us/azure/backup/backup-vault-overview
- https://learn.microsoft.com/en-us/azure/backup/backup-overview
### Section 2 - Flavours of PostgreSQL
- https://learn.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/flexibleservers
- https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-supported-versions
### Section 3 - Backup and Restoration of Azure Database for PostgreSQL Flexible Servers
- https://github.com/hashicorp/terraform-provider-azurerm/issues/29028
- https://learn.microsoft.com/en-us/azure/backup/tutorial-restore-postgresql-flex
- https://docs.azure.cn/en-us/backup/backup-azure-database-postgresql-flex-overview
- https://learn.microsoft.com/en-us/azure/backup/restore-azure-database-postgresql
- https://learn.microsoft.com/en-us/azure/backup/restore-azure-database-postgresql-flex
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-database-postgresql-flex-restore-cli
## Metadata
Date of creation: 2025-12-04
Date of revision: <...>