Azure Backup & Vaults
Losing data is every admin's nightmare. Azure Backup protects VMs, databases, and files with automated backup policies, instant restore snapshots, and geo-redundant vaults. Learn the difference between Recovery Services vaults and Backup vaults, and how to configure both.
What is Azure Backup?
Azure Backup is like a safety deposit box for your data, except the box is in Microsoft's secure vault, and it takes snapshots automatically on a schedule.
On-prem, you had backup software, tape drives, and offsite storage to worry about. Azure Backup replaces all of that with a cloud-native service. You tell it what to back up, how often, and how long to keep it. Azure handles the rest: snapshots, storage, encryption, and retention.
Everything goes into a vault: a secure container that stores your backup data, often replicated to another Azure region for disaster protection.
Recovery Services Vault vs Backup Vault
| Feature | Recovery Services Vault | Backup Vault |
|---|---|---|
| Supported workloads | Azure VMs, SQL in VMs, Azure Files, SAP HANA, Azure File Share | Azure Managed Disks, Azure Blobs, Azure Database for PostgreSQL |
| Site Recovery support | Yes (DR replication) | No |
| Maturity | Original vault type, widely used | Newer vault type for modern workloads |
| Soft delete | 14 additional days by default | 14 additional days by default |
| Cross-region restore | Supported (GRS vaults) | Varies by workload |
| When to use | VM backup, SQL backup, file share backup | Disk backup, blob backup, PostgreSQL backup |
Exam tip: Know which vault for which workload
The exam tests whether you know which vault type supports which workload. Quick rule: if it's a VM, SQL, or file share, use a Recovery Services vault. If it's a managed disk, blob, or PostgreSQL, use a Backup vault. Azure Site Recovery (disaster recovery) only works with Recovery Services vaults.
Storage replication options
When creating a vault, you choose how backup data is replicated:
| Replication | How It Works | Use Case |
|---|---|---|
| LRS (Locally Redundant) | 3 copies in the same datacentre | Lowest cost, protects against hardware failure |
| GRS (Geo-Redundant) | LRS + 3 copies in the paired region | Protects against entire region failure |
| ZRS (Zone-Redundant) | 3 copies across availability zones in the same region | Protects against zone failure, data stays in region |
Important: You must set replication BEFORE configuring any backup items. Changing replication after backups are configured is not supported.
Backup policies
A backup policy defines the schedule, retention, and snapshot behaviour:
Policy components:
- Schedule: How often to back up (daily, weekly, or hourly for enhanced policies)
- Instant restore snapshots: VM snapshots retained locally for fast restores (1-5 days)
- Daily retention: How many daily backups to keep
- Weekly retention: How many weekly backups to keep
- Monthly retention: How many monthly backups to keep
- Yearly retention: How many yearly backups to keep
Real-world: TechCorp's backup strategy
TechCorp Solutions creates two backup policies in their Recovery Services vault:
Production policy:
- Daily backup at 02:00
- Instant restore snapshots: 5 days (fast VM restore)
- Daily retention: 30 days
- Weekly retention: 12 weeks
- Monthly retention: 12 months
- Yearly retention: 3 years
- Vault replication: GRS (backup data in paired region)
Dev/Test policy:
- Daily backup at 04:00
- Instant restore snapshots: 2 days
- Daily retention: 7 days
- No weekly/monthly/yearly retention
- Vault replication: LRS (cheapest option for non-critical data)
Alex saves 60% on backup costs for dev/test while keeping production fully protected.
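To see what the two TechCorp policies actually keep, the following added example (not part of the original page, and not Azure's own retention algorithm) models which recovery points survive on a given day. It assumes the weekly point is the Sunday backup, the monthly point is the backup taken on day 1, and the yearly point is the 1 January backup; instant restore snapshots are not modelled, and the dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Policy:
    name: str
    daily_days: int
    weekly_weeks: int = 0
    monthly_months: int = 0
    yearly_years: int = 0

# Retention values taken from the TechCorp example above.
PRODUCTION = Policy("Production", 30, 12, 12, 3)
DEV_TEST = Policy("Dev/Test", 7)

def tiers_for(point, today, policy):
    """Return the retention tiers that still hold this recovery point."""
    age = (today - point).days
    months = (today.year - point.year) * 12 + today.month - point.month
    years = today.year - point.year
    tiers = set()
    if 0 <= age < policy.daily_days:
        tiers.add("daily")
    # Assumption: the weekly point is the Sunday backup.
    if point.weekday() == 6 and 0 <= age < policy.weekly_weeks * 7:
        tiers.add("weekly")
    # Assumption: the monthly point is the backup taken on day 1.
    if point.day == 1 and 0 <= months < policy.monthly_months:
        tiers.add("monthly")
    # Assumption: the yearly point is the 1 January backup.
    if (point.month, point.day) == (1, 1) and 0 <= years < policy.yearly_years:
        tiers.add("yearly")
    return tiers

def retained(policy, first_backup, today):
    """Map each surviving recovery point to the tiers that keep it."""
    kept = {}
    day = first_backup
    while day <= today:
        tiers = tiers_for(day, today, policy)
        if tiers:
            kept[day] = tiers
        day += timedelta(days=1)
    return kept

if __name__ == "__main__":
    today = date(2025, 6, 15)  # constructed evaluation date
    for policy in (PRODUCTION, DEV_TEST):
        kept = retained(policy, date(2022, 1, 1), today)
        print(f"{policy.name}: {len(kept)} recovery points, oldest {min(kept)}")
```

Under these assumptions the production policy holds far fewer points than its three-year reach suggests, because most days fall out of the daily tier and only the weekly, monthly and yearly points remain.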
Backup and restore operations
Backup types
| Backup Type | How It Works |
|---|---|
| Scheduled backup | Runs automatically per policy (most common) |
| On-demand backup | Manual backup triggered outside the schedule |
Restore options for VMs
| Restore Option | What It Does |
|---|---|
| Create new VM | Restores backup as a brand-new VM |
| Replace existing | Replaces the existing VM's disks with the backup |
| Restore disk | Restores only the managed disks (you attach them to a VM manually) |
| File-level recovery | Mount the backup as a drive and recover individual files |
| Cross-region restore | Restore from GRS-replicated data in the paired region |
Exam tip: Soft delete protects backup data
Soft delete is enabled by default on Recovery Services vaults and Backup vaults. When you stop backup and delete backup data, the data is retained for an additional 14 days. During this period, it can be recovered at no extra cost. This protects against accidental or malicious deletion of backup data.
The exam may describe a scenario where someone deletes backup data and ask if it can be recovered; the answer is yes, within 14 days.
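The 14-day window is also something to monitor. The following added example (not from the original page) walks a list of deletion and undelete events and reports which soft-deleted items can still be recovered and how long is left. The event records and their field names are constructed for illustration and are not an Azure log schema.

```python
from datetime import datetime, timedelta

SOFT_DELETE_DAYS = 14  # additional retention period stated on this page

# Constructed events; field names are hypothetical, not an Azure log schema.
EVENTS = [
    {"time": "2025-06-01T09:12:00+00:00", "vault": "rsv-prod",
     "item": "vm-sql01", "op": "delete_backup_data", "caller": "admin@example.com"},
    {"time": "2025-05-20T22:40:00+00:00", "vault": "rsv-prod",
     "item": "vm-app02", "op": "delete_backup_data", "caller": "svc-deploy@example.com"},
    {"time": "2025-06-03T08:00:00+00:00", "vault": "rsv-dev",
     "item": "vm-dev07", "op": "delete_backup_data", "caller": "dev@example.com"},
    {"time": "2025-06-04T10:30:00+00:00", "vault": "rsv-dev",
     "item": "vm-dev07", "op": "undelete", "caller": "admin@example.com"},
]

def pending_deletions(events, now):
    """Return soft-deleted items, soonest deadline first."""
    state = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        key = (ev["vault"], ev["item"])
        if ev["op"] == "delete_backup_data":
            state[key] = ev
        elif ev["op"] == "undelete":
            state.pop(key, None)  # recovered, so no longer at risk
    report = []
    for (vault, item), ev in state.items():
        deleted = datetime.fromisoformat(ev["time"])
        deadline = deleted + timedelta(days=SOFT_DELETE_DAYS)
        report.append({
            "vault": vault,
            "item": item,
            "caller": ev["caller"],
            "deadline": deadline,
            "recoverable": now < deadline,
            "days_left": max((deadline - now).days, 0),
        })
    return sorted(report, key=lambda r: r["deadline"])

if __name__ == "__main__":
    now = datetime.fromisoformat("2025-06-11T09:12:00+00:00")  # constructed
    for row in pending_deletions(EVENTS, now):
        status = "recoverable" if row["recoverable"] else "EXPIRED"
        print(f'{row["vault"]}/{row["item"]} deleted by {row["caller"]}: '
              f'{status}, {row["days_left"]} day(s) left')
```

With the constructed clock, the item deleted 10 days ago is still recoverable with 4 days left, the one deleted more than 14 days ago has expired, and the undeleted item drops out of the report.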
Backup reports and alerts
Backup reports use a Log Analytics workspace to provide cross-vault analytics:
- Backup jobs status (success, failure, in progress)
- Backup storage consumption trends
- Protected items count
- Policy compliance
Backup alerts:
- Built-in alerts for job failures (enabled by default)
- Custom alert rules using Log Analytics data
- Azure Monitor integration for consistent alerting across all resources
Knowledge check
CloudFirst Labs needs to back up their Azure Managed Disks. Which vault type should they use?
An admin at Meridian Financial accidentally deletes the backup data for a critical production VM. The deletion happened 10 days ago. Can the backup data be recovered?
Alex needs to restore a single configuration file from a VM backup without restoring the entire VM. Which restore option should he use?