Install the Microsoft Azure Recovery Services (MARS) agent - Azure Backup (2023)

This article explains how to install the Microsoft Azure Recovery Services (MARS) agent. MARS is also known as the Azure Backup agent.

About the MARS agent

Azure Backup uses the MARS agent to back up files, folders, and system state from on-premises machines and Azure VMs. Those backups are stored in a Recovery Services vault in Azure. You can run the agent:

• Directly on on-premises Windows machines. These machines can back up directly to a Recovery Services vault in Azure.
• On Azure VMs that run Windows side by side with the Azure VM backup extension. The agent backs up specific files and folders on the VM.
• On a Microsoft Azure Backup Server (MABS) instance or a System Center Data Protection Manager (DPM) server. In this scenario, machines and workloads back up to MABS or Data Protection Manager. Then MABS or Data Protection Manager uses the MARS agent to back up to a vault in Azure.

The data that's available for backup depends on where the agent is installed.

Before you start

• Learn how Azure Backup uses the MARS agent to back up Windows machines.
• Learn about the backup architecture that runs the MARS agent on a secondary MABS or Data Protection Manager server.
• Review what's supported and what you can back up by the MARS agent.
• Make sure that you have an Azure account if you need to back up a server or client to Azure. If you don't have an account, you can create a free one in just a few minutes.
• Verify internet access on the machines that you want to back up.
• Ensure the user installing and configuring the MARS agent has local administrator privileges on the server to be protected.
• Ensure your server is running on TLS 1.2.
• To prevent errors during vault registration, ensure that the latest MARS agent version is used. If not, we recommend you to download it from here or from the Azure portal as mentioned in this section.

Create a Recovery Services vault

A Recovery Services vault is a management entity that stores recovery points that are created over time, and it provides an interface to perform backup-related operations. These operations include taking on-demand backups, performing restores, and creating backup policies.

To create a Recovery Services vault:

1. Sign in to the Azure portal.

2. Search for Backup center, and then go to the Backup center dashboard.

   

3. On the Overview pane, select Vault.

   

4. Select Recovery Services vault > Continue.

   (Video) Azure Backup 02, Azure Backup MARS Agent

   

5. On the Recovery Services vault pane, enter the following values:

   • Subscription: Select the subscription to use. If you're a member of only one subscription, you'll see that name. If you're not sure which subscription to use, use the default subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription.

   • Resource group: Use an existing resource group or create a new one. To view a list of available resource groups in your subscription, select Use existing, and then select a resource in the dropdown list. To create a new resource group, select Create new, and then enter the name. For more information about resource groups, see Azure Resource Manager overview.

   • Vault name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least 2 but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.

   • Region: Select the geographic region for the vault. For you to create a vault to help protect any data source, the vault must be in the same region as the data source.

     Important

     If you're not sure of the location of your data source, close the window. Go to the list of your resources in the portal. If you have data sources in multiple regions, create a Recovery Services vault for each region. Create the vault in the first location before you create a vault in another location. There's no need to specify storage accounts to store the backup data. The Recovery Services vault and Azure Backup handle that automatically.

   

6. After providing the values, select Review + create.

7. To finish creating the Recovery Services vault, select Create.

   It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper right. After the vault is created, it appears in the list of Recovery Services vaults. If the vault doesn't appear, select Refresh.

   

Modify storage replication

By default, vaults use geo-redundant storage (GRS).

• If the vault is your primary backup mechanism, we recommend that you use GRS.
• You can use locally redundant storage (LRS) to reduce Azure storage costs.

To modify the storage replication type:

1. In the new vault, select Properties under the Settings section.

   (Video) Azure Backup On Premise Server Backing up with the MARS Agent

2. On the Properties page, under Backup Configuration, select Update.

3. Select the storage replication type, and select Save.

   

Verify internet access

The MARS agent requires access to Azure Active Directory, Azure Storage, and Azure Backup service endpoints. To obtain the public IP ranges, see the JSON file. Allow access to the IPs corresponding to Azure Backup (AzureBackup), Azure Storage (Storage), and Azure Active Directory (AzureActiveDirectory). Also, depending on your Windows version, network connectivity checks of the operating system will need access to www.msftconnecttest.com, or www.msftncsi.com.

If your machine has limited internet access, ensure that firewall, proxy, and network settings allow access to the following FQDNs and public IP addresses.

URL and IP access

FQDNs

• *.microsoft.com
• *.windowsazure.com
• *.microsoftonline.com
• *.windows.net
• *.blob.core.windows.net
• *.queue.core.windows.net
• *.blob.storage.azure.net

If you are a US Government customer, ensure that you have access to the following URLs:

• www.msftncsi.com
• *.microsoft.com
• *.windowsazure.us
• *.microsoftonline.us
• *.windows.net
• *.usgovcloudapi.net
• *.blob.core.windows.net
• *.queue.core.windows.net
• *.blob.storage.azure.net

Access to all of the URLs and IP addresses listed above uses the HTTPS protocol on port 443.

When backing up files and folders from Azure VMs using the MARS Agent, you also need to configure the Azure virtual network to allow access. If you use Network Security Groups (NSG), use the AzureBackup service tag to allow outbound access to Azure Backup. In addition to the Azure Backup tag, you also need to allow connectivity for authentication and data transfer by creating similar NSG rules for Azure AD (AzureActiveDirectory) and Azure Storage (Storage).

To create a rule for the Azure Backup tag, follow these steps:

1. In All Services, go to Network security groups and select the network security group.
2. Select Outbound security rules under Settings.
3. Select Add.
4. Provide all required details for creating a new rule as described in security rule settings.
   Ensure the options are set as below:
   • Destination is set to Service Tag.
   • Destination service tag is set to AzureBackup.
5. Select Add to save the newly created outbound security rule.

You can similarly create NSG outbound security rules for Azure Storage and Azure AD. To learn more about service tags, see Virtual network service tags.

Azure ExpressRoute support

You can back up your data through Azure ExpressRoute by using public peering (available for old circuits). We don’t support Microsoft peering Backup over private peering.

To use public peering, ensure that the following domains and addresses have HTTPS access on port 443 to:

• *.microsoft.com
• *.windowsazure.com
• *.microsoftonline.com
• *.windows.net
• *.blob.core.windows.net
• *.queue.core.windows.net
• *.blob.storage.azure.net

To use Microsoft peering, select the following services, regions, and relevant community values:

• Azure Active Directory (12076:5060)
• Azure region, according to the location of your Recovery Services vault
• Azure Storage, according to the location of your Recovery Services vault

Learn more about ExpressRoute routing requirements.

Private Endpoint support

You can now use Private Endpoints to back up your data securely from servers to your Recovery Services vault. As Azure AD can’t be accessed via private endpoints, you need to allow IPs and FQDNs required for Azure AD for outbound access separately.

When you use the MARS agent to back up your on-premises resources, ensure that your on-premises network (containing your resources to be backed up) is peered with the Azure VNet that contains a private endpoint for the vault. You can then continue to install the MARS agent and configure backup. However, you must ensure all communication for backup happens through the peered network only.

If you remove private endpoints for the vault after a MARS agent has been registered to it, you'll need to re-register the container with the vault. You don't need to stop protection for them. For more information, see Private endpoints for Azure Backup.

Throttling support

Download the MARS agent

Download the MARS agent so that you can install it on the machines that you want to back up.

If you've already installed the agent on any machines, ensure you're running the latest agent version. Find the latest version in the portal, or download from here.

1. In the vault, under Getting Started, select Backup.

   

2. Under Where is your workload running?, select On-premises. Select this option even if you want to install the MARS agent on an Azure VM.

3. Under What do you want to back up?, select Files and folders. You can also select System State. Many other options are available, but these options are supported only if you're running a secondary backup server. Select Prepare Infrastructure.

   

4. For Prepare infrastructure, under Install Recovery Services agent, download the MARS agent.

   

5. In the download menu, select Save. By default, the MARSagentinstaller.exe file is saved to your Downloads folder.

   (Video) How To Backup File/Folder in Azure I MARS Agent I Microsoft Azure Backup

6. Select Already download or using the latest Recovery Services Agent, and then download the vault credentials.

   

7. Select Save. The file is downloaded to your Downloads folder. You can't open the vault credentials file.

Install and register the agent

1. Run the MARSagentinstaller.exe file on the machines that you want to back up.

2. In the MARS Agent Setup Wizard, select Installation Settings. There, choose where to install the agent, and choose a location for the cache. Then select Next.

   • Azure Backup uses the cache to store data snapshots before sending them to Azure.
   • The cache location should have free space equal to at least 5 percent of the size of the data you'll back up.

   

3. For Proxy Configuration, specify how the agent that runs on the Windows machine will connect to the internet. Then select Next.

   • If you use a custom proxy, specify any necessary proxy settings and credentials.
   • Remember that the agent needs access to specific URLs.

   

4. For Installation, review the prerequisites, and select Install.

5. After the agent is installed, select Proceed to Registration.

6. In Register Server Wizard > Vault Identification, browse to and select the credentials file that you downloaded. Then select Next.

   

7. On the Encryption Setting page, specify a passphrase that will be used to encrypt and decrypt backups for the machine. Learn more about the allowed passphrase characters.

   • Save the passphrase in a secure location. You need it to restore a backup.
   • If you lose or forget the passphrase, Microsoft can't help you recover the backup data.

   

8. Select Finish. The agent is now installed, and your machine is registered to the vault. You're ready to configure and schedule your backup.

   If you are running into issues during vault registration, see the troubleshooting guide.

   Note

   We strongly recommend you save your passphrase in an alternate secure location, such as the Azure key vault. Microsoft can't recover the data without the passphrase. Learn how to store a secret in a key vault.

   (Video) Backup On-Prem Workloads to Azure using Azure Backup Server and MABS Agent (DEMO)

Next steps

Learn how to Back up Windows machines by using the Azure Backup MARS agent