Recently, I’ve been in the need of taking backups of my web roles and worker roles to deploy them in a different subscription (since I haven’t got the source code). I couldn’t find more than one way to take these backups so, I found interesting to show you how to do this.

I’ll be using the REST API to make this work so, this is a list of what you will need:

  • A tool to execute POST requests using a certificate to authenticate. My preference here is to use Postman for desktop: (you could also use Chrome extension but, the way you handle the certificates is managed by the browser and it is less intuitive).
  • OpenSSL to create a self-signed certificate. A good option is to use the tool that it comes along with the installation of Git for Windows ( There is also a wiki available with some third-party binary distributions (
  • Service administrator or Co-administrator access in the subscription in which you have the web/worker roles (we need this to upload a management certificate to Azure).
  • In the same subscription, a storage account and a container to save the backups (I use a classic storage account since we are making backups of classic resources. I haven’t tried with a “modern” storage account).

These are the steps you must follow:

Give co-admin access in Azure:

In case you are using the Service administrator account you won’t need this but, if you need a different user to do this, go to and open the “Subscriptions” blade. Select your subscription and within the “Access control (IAM)” pane you can add the person you want as an owner by clicking on the Add button:

admin access Azure

After that you will be able to give Co-administrator rights to that person by clicking on the ellipsis at the right side:

admin access Azure2

Create a container in the storage account:

Go to the storage account that you will use to save the backups and click on “Container” under the “Blob Service” section. Click on “Container” to add a new one and set the access level to Private:

admin access Azure3

Create the self-signed certificate with OpenSSL:

If you are using the openssl application that comes with the installation of Git, you can just double-click the .exe file here: C:\Program Files\Git\usr\bin. That will open a console with the application loaded.

We need to create a certificate with “.crt” extension and the “.key” file associated. Use this command to do this: req -newkey rsa:2048 -nodes -keyout 'C:\temp\mynewcert.key' -x509 -days 1 -out 'C:\temp\mynewcert.crt' -subj '/'

Notice that the most important thing here is the “-subj” part. The subject name must match the domain used to access the cloud service so, I’ll use “” in my case.

Once you have created these files, we also need the certificate in “.cer” format. To do this, double-click on the “.crt” file and in the “Details” tab, click on the “Copy to File…” button:

admin access Azure4
A wizard will be opened, and you must select the first option to export the certificate (DER encoded binary X.509 (.CER):

admin access Azure

Upload the certificate to Azure:

To upload the certificate, go to and open the “Subscriptions” blade. Select your subscription and within the “Management certificates” pane click on the “Upload” button to upload the new certificate you’ve just created. You must select the “.cer” file for this:

admin access Azure6

Use Postman to make the backup with the REST API:

Open Postman and open the Settings pane:

admin access Azure7

In the certificates section, add a new one and put as the “Host”: “”. Select the “.crt” and “.key” files and click the “Add” button (you don’t need a passphrase since we haven’t used any):

admin access Azure8

Now, in postman, go to the “Headers” tab and put these two:

x-ms-version -> 2012-03-01
ContentLength -> 0

admin access Azure9

I’m using the “Get Package” operation to make the backup. This is the url to the documentation from Microsoft:

To use this with postman, I’ve chosen the option in which I indicate the deployment slot:<subscription-id>/services/hostedservices/<cloudservice-name>/deploymentslots/<deployment-slot>/package. At the end of the url we must use two parameters, “containerUri” and “overwriteExisting”. The containerUri must be the url of the storage account with the name of the container at the end. Something like “”. The “overwriteExisting” can be true or false depending if you want to overwrite a previous backup or not.

At the end you should have a url like this example:

Paste the URL in Postman, select the “POST” method and click on “SEND”. If everything goes well, you should get the Status “202 Accepted”:

admin access Azure10

And in Azure you will get two files under the container, one “.cscfg” and one “.cspkg”. You can use these to redeploy the web or worker role in Azure:

admin access Azure11

I hope that you find this helpful to make a proper backup of your web and worker roles in Azure.

Author bio

Ivan Chesa
Ivan Chesa
Junior Developer
I’m part of the SharePoint development team. Besides working on client and internal projects, I enjoy learning more about other technologies like Azure. In my spare time I love playing video games with friends and I also like to watch TV shows.


comments powered by Disqus

Related Articles

Sign up to our ClearThought newsletter

Get inspired and learn something new by subscribing to our FREE newsletter. It’s full of ClearPeople's thought-leadership whitepapers, blogs, events, and much more. We promise to not use your email for spam.

Closing this message and/or accessing our website tells us you are happy to receive all cookies on the ClearPeople website.
However, if you would like to, you can change your cookies settings at any time.