Backup Server Installation Guide
What is the Backup Server?
Windows Azure Table Storage does not support backup & restore, so such an operation must be handled by a third-party component.
The backup server is exposes additional endpoints for backing up and restoring table storage data. You need to use one of your existing Web or Worker roles to host the backup server.
Choosing to host in a Worker Role or a Web Role
The backup service can be hosted in either a Windows Azure Worker Role or Web Role. Deciding which role to choose will depend on your Azure configuration. For example, if you have a web role that users interact with and a worker role that processes background
tasks, then the best choice would be the worker role as a backup operation will not interfere with system performance for users.
However you may only be running a web role in which case this is where your backup service will need to be hosted.
Choosing a Protocol
The backup service supports both the Https & Tcp protocols. For the least amount of trouble communicating through a firewall the Https protocol is the best option, however you must use the Tcp protocol with Worker Roles due to a limitation with Windows
For any backup or restore operation to be performed, the account credentials of your storage accounts must be sent to the backup server – credentials are not stored on the server itself.
All communication with the server uses transport security via SSL, meaning your account credentials are protected. However it is important to note that anyone with your storage account credentials will be able to perform backup operations.
This method of security is very similar to the way Azure Table Storage works.
The following steps assume you have an existing Windows Azure project and you are using Microsoft Visual Studio.
SSL Certificate Creation
If you do not already have an SSL certificate configured for your Web or Worker role you will need to create one. The backup service does not require a trusted certificate, so you can create a self-signed certificate.
To create a self-signed certificate:
- Open a command-line window and navigate to the Windows SDK directory, typically located here: C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin
- Run the makecert tool, passing the following parameters:
- makecert -sr LocalMachine -ss My -a sha1 -n CN=yourdomain.cloudapp.net -sky exchange -pe
- Note: Ensure you change yourdomain.cloudapp.net to the domain name of your hosted service.
- Click Start > Run..., type mmc and press enter.
- Click File > Add/Remove Snap-in..., click on Certificates and click
Add > and select My user account. Click OK.
- Click Certificates – Current User > Personal > Certificates.
- Right-click on your newly created certificate and select All Tasks >
- Click Next >. Click Yes, export the private key. Click Next > &
Next > again.
- Type & confirm & password and click Next >.
- Specify a path to export to and click Next > & Finish.
Upload SSL Certificate to Windows Azure
- Log into the Windows Azure web portal and navigate to your Hosted Service.
- In the Certificates section click Manage.
- In Upload Certificate, click Browse and select your exported certificate file (.pfx). Type your password and click
Worker Role Configuration
- In Visual Studio, in your Windows Azure project, right-click on your role and select
- Click on the Endpoints tab and click Add Endpoint.
- Enter the following settings:
- Name: BackupService
- Type: Input
- Protocol: Tcp
- Port: Any valid port number, the default of 10000 is OK.
- Click on the Certificates tab and click Add Certificate.
- Enter the following settings:
- Name: TableStorageBackup
- Store Location: LocalMachine
- Store Name: My
- Thumbprint: Click ... and select your newly created certificate
- Add the following libraries to your Worker Role project by right-clicking on the
References folder in Visual Studio:
- AntsCode.TableStorageBackupLib.dll (included in this project)
- ICSharpCode.SharpZipLib.dll (included in this project)
- Microsoft.WindowsAzure.StorageClient.dll (included in the Windows Azure SDK)
- System.ServiceModel.dll (included in the .NET framework)
- In the entry point for your Worker Role (typically WorkerRole.cs), add the following code:
public class WorkerRole : RoleEntryPoint
/// ServiceHost object for backup endpoint.
private ServiceHost backupServiceHost;
public override void Run()
// Start the backup service
RoleInstanceEndpoint externalEndPoint = RoleEnvironment.CurrentRoleInstance.InstanceEndpoints["BackupService"];
this.backupServiceHost = BackupService.GetServiceHost(
"YOUR AUTHENTICATION KEY HERE",
"YOUR DOMAIN HERE");
System.Diagnostics.Trace.TraceInformation("Backup Service started on endpoint: " + externalEndPoint.IPEndpoint.ToString());
catch (Exception e)
System.Diagnostics.Trace.TraceError("Could not start Backup Service: " + e.Message);
*Replace YOUR AUTHENTICATION KEY HERE
with a secret key that the backup client must provide to access the service.
*Replace YOUR DOMAIN HERE
with the domain of your hosted service. This must match the subject name of your SSL certificate.