{"id":1380,"date":"2022-11-28T10:50:02","date_gmt":"2022-11-28T09:50:02","guid":{"rendered":"http:\/\/www.klaushaller.net\/?p=1380"},"modified":"2022-11-28T10:50:02","modified_gmt":"2022-11-28T09:50:02","slug":"application-consistent-backups-for-vm-workloads-in-the-cloud","status":"publish","type":"post","link":"https:\/\/www.klaushaller.net\/?p=1380","title":{"rendered":"Application-Consistent Backups for VM Workloads in the Cloud"},"content":{"rendered":"\n<p>Application backups are not as simple as in the world of database lectures. Have you ever heard about the ACID properties with \u201cA\u201d representing \u201catomicity\u201d and \u201cD\u201d durability? After a database commit, everything is on disk. Nothing can get lost. Plus, all commands within the transaction are on disk &#8211; or everything is undone. When a database crashes and restarts, its data reflects precisely the effects of all committed transactions. It works as designed if an application relies on exactly one database. Sadly, applications are more complex, as Figure 1 illustrates. 
They tend to access not only one database but several in parallel, plus write data to files and file shares \u2013 and disks attached to VMs.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_1_Real-live_Backup_Scenarios_for_Applications_and_their_VMs-2.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_1_Real-live_Backup_Scenarios_for_Applications_and_their_VMs-2.png\" alt=\"\" class=\"wp-image-1385\" width=\"402\" height=\"308\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_1_Real-live_Backup_Scenarios_for_Applications_and_their_VMs-2.png 803w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_1_Real-live_Backup_Scenarios_for_Applications_and_their_VMs-2-300x230.png 300w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_1_Real-live_Backup_Scenarios_for_Applications_and_their_VMs-2-768x588.png 768w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_1_Real-live_Backup_Scenarios_for_Applications_and_their_VMs-2-624x478.png 624w\" sizes=\"auto, (max-width: 402px) 100vw, 402px\" \/><\/a><figcaption class=\"wp-element-caption\"><em>Figure 1: Real-life Backup Scenarios for Applications and their VMs<\/em><\/figcaption><\/figure>\n<\/div>\n\n\n<h1 class=\"wp-block-heading\">Understanding Application-Consistent Backups and their Benefits<\/h1>\n\n\n\n<p>While private users can save their data by manually copying all their files to a different hard disk or the cloud, this approach is too simplistic for larger applications, even if we focus only on VM disks. If it is a large disk, files with names starting with \u201cA\u201d might get copied at 5:00 am and those starting with \u201cZ\u201d at 5:05 am. 
Thus, the \u201cZ-files\u201d could have been changed between 5:00 am and 5:05 am, making the A-files and the Z-files inconsistent. Furthermore, copying open files causes issues: changes might exist only in memory and not yet be written to disk, or there could be pending I\/O transactions. Thus, a clean-up of files and their data might be necessary when restarting the application using such file copies. The clean-up can be automated or a manual task for engineers. In any case, it prolongs application outages.<\/p>\n\n\n\n<p>Application consistency overcomes this challenge. The idea is to perform backups such that applications run after restarting a VM without any clean-up actions. Thus, business-critical applications benefit from lower downtimes, i.e., they can provide better Recovery Time Objectives. Plus, the organization benefits in crisis events, aka business continuity management situations. When a company has to evacuate all workloads to a different cloud data center, the engineers can rely on the VMs to restart and applications to come up without manual intervention. The engineers can focus on fixing more complex issues, e.g., related to integrations with other components, rather than the complete IT department being stuck with cleaning up file systems.<\/p>\n\n\n\n<p>The most prominent solution for application-consistent backups is Microsoft\u2019s Windows Volume Shadow Copy Service (VSS). Microsoft products come with it, and your organization\u2019s applications (and your third-party software provider) can also implement it for Windows workloads. The exact details of VSS are, however, not so relevant from a cloud security architecture perspective. 
What matters are the features available for application-consistent backups in AWS, GCP, and Azure.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Application-Consistent Backups in the Cloud<\/h1>\n\n\n\n<p>Azure comes with a solution for application-consistent backups for <strong>Linux VMs<\/strong>, at least for those deployed with the Azure Resource Manager and not the Service Manager. It is a framework enabling application developers or operations specialists to integrate <strong>pre- and post-scripts<\/strong> into Azure\u2019s backup process. Pre-scripts can invoke, for example, APIs of the application to tell the application to finish off all \u201cwrite\u201d activities. Then, Azure performs the backup copy. Afterward, Azure invokes the post-script, and normal operations continue. For this purpose, a configuration file (Figure 2) must be on all relevant VMs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_2_-Configuration_-File_for_Application_Consistent_Backups_of_Linux_VMs_in_Azure-1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_2_-Configuration_-File_for_Application_Consistent_Backups_of_Linux_VMs_in_Azure-1-1024x904.png\" alt=\"\" class=\"wp-image-1386\" width=\"657\" height=\"580\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_2_-Configuration_-File_for_Application_Consistent_Backups_of_Linux_VMs_in_Azure-1-1024x904.png 1024w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_2_-Configuration_-File_for_Application_Consistent_Backups_of_Linux_VMs_in_Azure-1-300x265.png 300w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_2_-Configuration_-File_for_Application_Consistent_Backups_of_Linux_VMs_in_Azure-1-768x678.png 768w, 
https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_2_-Configuration_-File_for_Application_Consistent_Backups_of_Linux_VMs_in_Azure-1-624x551.png 624w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/11\/61b_Figure_2_-Configuration_-File_for_Application_Consistent_Backups_of_Linux_VMs_in_Azure-1.png 1046w\" sizes=\"auto, (max-width: 657px) 100vw, 657px\" \/><\/a><figcaption class=\"wp-element-caption\"><em>Figure 2: Configuration File for Application Consistent Backups of Linux VMs in Azure. Highlighted is the configuration of pre- and post-backup scripts. Other settings are for defining parameters and handling exceptions and failures.<\/em><\/figcaption><\/figure>\n\n\n\n<p>The pre- and post-scripts and this configuration file are critical from a <strong>security<\/strong> perspective. They run with root privileges. Thus, they must be secured so that attackers who have gained access to the VM cannot change these settings and execute malicious code as root.<\/p>\n\n\n\n<p>The situation for <strong>Windows VMs on Azure<\/strong> is much easier compared to the Linux world. By default, all VM backups use the Microsoft VSS service. So, if (and only if!) the applications on the VM implement VSS, all backups are application-consistent without the need for extra VM configurations. If not, the disk backup is not application- but only file-consistent.<\/p>\n\n\n\n<p>Finally, a quick remark on the <strong>AWS<\/strong> and the <strong>Google Cloud Platform (GCP) <\/strong>features. Both follow the same approach as Azure: pre- and post-scripts for Linux VMs, and Microsoft\u2019s VSS for Windows VMs.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Back to the Big Picture<\/h1>\n\n\n\n<p>To conclude: Application-consistent backups reduce downtimes of applications by reducing the work for engineers after crashes or VM evacuations. However, the term application consistency can be misleading. 
When looking again at Figure 1, it is clear that the <strong>consistency between the VM disks and the database backups is not guaranteed<\/strong>. Applications have to cover the challenge that the VM disk backup is from 4:07 am, one database backup is from 4:05, and the second from 4:17. So, even with application-consistent backups, there are still exciting tasks and challenges for engineers in the area of backup and recovery!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Application backups are not as simple as in the world of database lectures. Have you ever heard about the ACID properties with \u201cA\u201d representing \u201catomicity\u201d and \u201cD\u201d durability? After a database commit, everything is on disk. Nothing can get lost. Plus, all commands within the transaction are on disk &#8211; or everything is undone. When [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1381,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,24,22,25,16,23],"tags":[49,51,50,52],"class_list":["post-1380","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws","category-azure","category-cloudsecurity","category-gcp","category-information-security","category-securityarchitecture","tag-backups","tag-bcm","tag-business-continuity-management","tag-desaster-recovery"],"_links":{"self":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1380"}],"version-
history":[{"count":1,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1380\/revisions"}],"predecessor-version":[{"id":1387,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1380\/revisions\/1387"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/media\/1381"}],"wp:attachment":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}