9.5 Recovery Services Vault, Backup Vault, and Backup Policies
Key Takeaways
- Recovery Services vaults protect workloads such as Azure VMs and support Azure Backup and Azure Site Recovery scenarios.
- Backup vaults are used with newer Azure Data Protection workloads and should not be confused with Recovery Services vaults.
- Backup policy decisions include frequency, retention, instant restore, application consistency, vault redundancy, immutability, and soft delete.
- Restore choices depend on workload type, recovery point type, target location, and whether file-level, disk-level, VM-level, or alternate-location recovery is required.
- AZ-104 scenarios often test the difference between backup, snapshots, replication, and archive-style log retention.
Vault choices
Azure has more than one vault concept. A Recovery Services vault is the familiar vault used for Azure VM backup, Azure Backup for several classic workloads, and Azure Site Recovery. A Backup vault is used by Azure Backup's newer data protection platform for workloads such as Azure Disk Backup and certain database or blob protection scenarios depending on service support. For AZ-104, read the workload in the question before choosing the vault.
Portal path for VM backup: Azure portal > Recovery Services vaults > Create, then Backup or Backup Center. Backup Center is a unified management surface that helps discover, configure, monitor, and report backup across vaults and workloads.
| Requirement | Likely service or vault | Reason |
|---|---|---|
| Back up an Azure VM and restore the whole VM | Recovery Services vault | Standard Azure VM backup workflow. |
| Replicate a VM to another region for disaster recovery | Recovery Services vault with Site Recovery | ASR replication and failover, not backup. |
| Operational backup for managed disks using data protection features | Backup vault | Newer backup platform scenario. |
| Keep raw diagnostic logs for compliance | Storage account diagnostic export | Log archive is not a workload backup. |
| Quickly revert a blob version | Blob versioning or soft delete | May be better than vault backup for simple object rollback. |
Do not treat a snapshot as a complete backup strategy. Snapshots can be useful, but Azure Backup adds policy, retention, vault storage, job monitoring, soft delete, RBAC separation, and restore workflows. Also do not confuse backup with Site Recovery. Backup restores from recovery points. Site Recovery replicates workloads for failover to a recovery location.
Backup policy design
A backup policy defines schedule and retention. For Azure VM backup, policies can include backup frequency, time, time zone, daily retention, weekly retention, monthly retention, yearly retention, and instant restore retention. The right answer depends on the recovery point objective, or RPO, and retention requirement. If the business says it can lose at most 24 hours of data, a daily backup may satisfy the RPO. If it can lose at most one hour, ordinary daily VM backup is not enough.
Application consistency matters. A crash-consistent recovery point captures disk state without application coordination. File-system consistent and application-consistent points provide stronger recovery for many workloads when agents and VSS or equivalent mechanisms work. If SQL Server or domain controllers are involved, read the workload requirements carefully and use supported backup patterns.
Vault storage redundancy matters for resilience and cost. Locally redundant storage keeps copies within a region. Geo-redundant storage replicates vault data to a paired region and supports stronger regional resilience. Zone-redundant storage may be available for some vault scenarios. The choice often must be made early and should match recovery requirements. If the requirement says recover if the primary region is unavailable, a locally redundant vault alone is not enough.
Security controls include soft delete, multi-user authorization for critical operations where available, immutability, private endpoints for vault access in supported scenarios, and RBAC separation. Soft delete helps recover backup data after accidental or malicious deletion. Immutability helps protect recovery points from modification or deletion for the configured retention behavior. For exam questions about ransomware resilience, these controls are strong signals.
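To make the policy and vault decisions above concrete, here is an added example (not from the page and not Azure's own tooling) that checks a simplified policy and vault model against an RPO, a retention period, a region-outage requirement and a ransomware-resilience requirement. The field names, the immutability states and the sample values are constructed for illustration; they are not the JSON that `az backup policy show` or `az backup vault show` returns.

```python
"""Check a VM backup policy and vault settings against stated recovery requirements.

Added example. The dataclasses are a constructed, simplified model of the settings the
text discusses (schedule, retention tiers, redundancy, soft delete, immutability, MUA),
not the Azure CLI's actual output schema.
"""
from dataclasses import dataclass


@dataclass
class BackupPolicy:
    name: str
    frequency: str               # "Hourly" (enhanced policy), "Daily" or "Weekly"
    interval_hours: int          # only meaningful when frequency == "Hourly"
    daily_retention_days: int
    weekly_retention_weeks: int
    monthly_retention_months: int
    yearly_retention_years: int
    instant_restore_days: int    # snapshot tier kept alongside the vault copy


@dataclass
class VaultSettings:
    name: str
    redundancy: str              # "LocallyRedundant", "ZoneRedundant" or "GeoRedundant"
    cross_region_restore: bool   # only meaningful on a geo-redundant vault
    soft_delete: bool
    immutability: str            # constructed states: "Disabled", "Unlocked", "Locked"
    multi_user_authorization: bool


@dataclass
class Requirements:
    rpo_hours: int               # maximum tolerable data loss
    retention_years: int         # how far back a recovery point must exist
    survive_region_outage: bool
    ransomware_resilient: bool


def policy_rpo_hours(p: BackupPolicy) -> int:
    """Worst-case gap between two recovery points produced by the schedule."""
    if p.frequency == "Hourly":
        return p.interval_hours
    if p.frequency == "Daily":
        return 24
    if p.frequency == "Weekly":
        return 24 * 7
    raise ValueError(f"unknown frequency {p.frequency!r}")


def longest_retention_days(p: BackupPolicy) -> int:
    """Oldest point any retention tier keeps (approximate month and year lengths)."""
    return max(p.daily_retention_days, p.weekly_retention_weeks * 7,
               p.monthly_retention_months * 30, p.yearly_retention_years * 365)


def evaluate(p: BackupPolicy, v: VaultSettings, r: Requirements) -> list[str]:
    """Return one finding per requirement the policy/vault pair does not satisfy."""
    findings = []
    rpo = policy_rpo_hours(p)
    if rpo > r.rpo_hours:
        findings.append(f"RPO: schedule yields a point every {rpo}h, requirement is {r.rpo_hours}h")
    needed = r.retention_years * 365
    kept = longest_retention_days(p)
    if kept < needed:
        findings.append(f"Retention: longest tier keeps {kept}d, requirement is {needed}d")
    if r.survive_region_outage:
        if v.redundancy != "GeoRedundant":
            findings.append(f"Redundancy: {v.redundancy} vault cannot restore when the primary region is down")
        elif not v.cross_region_restore:
            findings.append("Redundancy: geo-redundant, but cross-region restore is not enabled")
    if r.ransomware_resilient:
        if not v.soft_delete:
            findings.append("Security: soft delete is disabled, deleted backup data cannot be recovered")
        if v.immutability == "Disabled":
            findings.append("Security: immutability is disabled, recovery points can be removed early")
        elif v.immutability == "Unlocked":
            findings.append("Security: immutability is unlocked, so an operator can still turn it off")
        if not v.multi_user_authorization:
            findings.append("Security: multi-user authorization is not enforced for critical operations")
    return findings


# Constructed sample inputs: a default-style daily policy on a locally redundant vault,
# and a hardened pair, both judged against the same strict requirement set.
DEFAULT_POLICY = BackupPolicy("DefaultPolicy", "Daily", 0, 30, 0, 0, 0, 2)
LAX_VAULT = VaultSettings("rsv-prod-eastus", "LocallyRedundant", False, True, "Disabled", False)
HARDENED_POLICY = BackupPolicy("EnhancedEvery4h", "Hourly", 4, 30, 12, 12, 7, 5)
HARDENED_VAULT = VaultSettings("rsv-prod-eastus", "GeoRedundant", True, True, "Locked", True)
STRICT = Requirements(rpo_hours=4, retention_years=7, survive_region_outage=True, ransomware_resilient=True)

if __name__ == "__main__":
    for label, pol, vault in (("default", DEFAULT_POLICY, LAX_VAULT), ("hardened", HARDENED_POLICY, HARDENED_VAULT)):
        print(label, evaluate(pol, vault, STRICT) or ["no findings"])
```

The check deliberately treats "Unlocked" immutability as a finding: a control an operator can switch off does not protect against a compromised operator account, which is the case the ransomware-resilience wording is about.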
Azure VM backup workflow
A typical VM backup implementation follows this order:
- Create or select a Recovery Services vault in the target region.
- Configure vault storage redundancy before protecting items when required.
- Create or select a backup policy with schedule and retention.
- Enable backup for VMs at vault, VM, or Backup Center scope.
- Run an initial backup or wait for the schedule.
- Monitor backup jobs and alerts.
- Test restore to prove recovery, not just backup completion.
CLI example:
```bash
az backup vault create \
  --resource-group rg-recovery \
  --name rsv-prod-eastus \
  --location eastus

az backup protection enable-for-vm \
  --resource-group rg-recovery \
  --vault-name rsv-prod-eastus \
  --vm vm-app01 \
  --policy-name DefaultPolicy
```
To inspect jobs:
```bash
az backup job list \
  --resource-group rg-recovery \
  --vault-name rsv-prod-eastus \
  --output table
```
Restore options
Restore is where exam scenarios become practical. For an Azure VM, you may restore the entire VM, restore disks, replace existing disks, or recover individual files from a recovery point. File recovery is useful when a user deleted a file and the VM itself is healthy. Disk restore is useful when you want to build a VM manually or inspect data. Full VM restore is useful for a failed or deleted VM.
| Restore need | Likely option | Watch for |
|---|---|---|
| User deleted one file | File recovery | Requires mounting or downloading a recovery script and selecting files. |
| VM OS disk corrupted | Restore disk or replace OS disk | Preserve data disks if needed. |
| VM deleted accidentally | Restore VM | Choose target resource group, network, and name carefully. |
| Test restore without overwriting production | Alternate location restore | Avoid replacing existing resources. |
| Region outage recovery | ASR failover or cross-region restore if configured | Ordinary local backup may not meet outage requirement. |
Monitoring backup
Backup Center, vault jobs, Azure Monitor alerts, and backup reports help administrators monitor protection. Backup reports use Log Analytics when reporting is configured. Alerts can notify on failed backup jobs or unhealthy protection states. In AZ-104, if a scenario asks for centralized backup visibility across subscriptions, Backup Center and reports are more relevant than opening every VM one by one.
Example KQL concept for backup job review; table and column names vary by reporting configuration:
```kql
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category has "AzureBackup"
| where JobStatus_s in ("Failed", "Warning")
| project TimeGenerated, Resource, JobOperation_s, JobStatus_s, ErrorDetails_s
| order by TimeGenerated desc
```
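The query above only surfaces jobs that ran and reported a problem. A protected VM that produced no backup job at all in the window is invisible to it, and that silent gap is the case an administrator most wants flagged. As an added example (not from the page or from Azure's reporting tooling), the following Python reproduces the query's filter over constructed job records and adds the "no successful backup in the window" check. The record field names follow the KQL projection above; the timestamps, VM names and error text are invented.

```python
"""Triage constructed backup job records: failed/warning jobs plus silent gaps.

Added example. SAMPLE_JOBS is constructed to look like rows a backup report might hold;
it is not real Azure data.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
WINDOW = timedelta(hours=24)

SAMPLE_JOBS = [
    {"TimeGenerated": NOW - timedelta(hours=2),  "Resource": "vm-app01", "JobOperation_s": "Backup",
     "JobStatus_s": "Completed", "ErrorDetails_s": ""},
    {"TimeGenerated": NOW - timedelta(hours=3),  "Resource": "vm-app02", "JobOperation_s": "Backup",
     "JobStatus_s": "Failed", "ErrorDetails_s": "constructed: VM agent not responding"},
    {"TimeGenerated": NOW - timedelta(hours=5),  "Resource": "vm-app01", "JobOperation_s": "Restore",
     "JobStatus_s": "Warning", "ErrorDetails_s": "constructed: restored with warnings"},
    {"TimeGenerated": NOW - timedelta(hours=30), "Resource": "vm-db01", "JobOperation_s": "Backup",
     "JobStatus_s": "Completed", "ErrorDetails_s": ""},
    {"TimeGenerated": NOW - timedelta(hours=40), "Resource": "vm-app02", "JobOperation_s": "Backup",
     "JobStatus_s": "Failed", "ErrorDetails_s": "constructed: snapshot timeout"},
]

# Constructed inventory of VMs the vault is supposed to protect.
PROTECTED_VMS = {"vm-app01", "vm-app02", "vm-db01", "vm-web01"}


def failed_or_warning(jobs, now=NOW, window=WINDOW):
    """Same logic as the KQL: last 24h, Failed or Warning, newest first."""
    rows = [j for j in jobs
            if j["TimeGenerated"] > now - window and j["JobStatus_s"] in ("Failed", "Warning")]
    return sorted(rows, key=lambda j: j["TimeGenerated"], reverse=True)


def vms_without_recent_success(jobs, protected=PROTECTED_VMS, now=NOW, window=WINDOW):
    """Protected VMs with no completed Backup job inside the window (silent failures)."""
    succeeded = {j["Resource"] for j in jobs
                 if j["TimeGenerated"] > now - window
                 and j["JobOperation_s"] == "Backup"
                 and j["JobStatus_s"] == "Completed"}
    return sorted(protected - succeeded)


if __name__ == "__main__":
    for j in failed_or_warning(SAMPLE_JOBS):
        print(j["TimeGenerated"].isoformat(), j["Resource"], j["JobOperation_s"],
              j["JobStatus_s"], j["ErrorDetails_s"])
    print("no successful backup in window:", vms_without_recent_success(SAMPLE_JOBS))
```

In the sample data, vm-db01 last completed a backup 30 hours ago and vm-web01 has no job at all; neither appears in the failed/warning list, but both appear in the gap check, which is why a protection-coverage view is worth running alongside the job-failure query.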
Troubleshooting backup failures
If an Azure VM backup fails, check the backup job error first. Then check VM agent health, extension state, network access to Azure services, disk configuration, unsupported disk or workload constraints, and whether the VM was stopped or deallocated at a bad time. For application-consistent failures, inspect VSS writers on Windows or pre/post script behavior where applicable.
If backup cannot be enabled, check region and vault compatibility, permissions, resource locks, policy restrictions, and whether the VM is already protected by another vault. If restore fails, check target resource naming conflicts, quota, network selection, managed identity or Key Vault access for encrypted disks, and whether the recovery point type supports the selected restore.
Exam traps
If the requirement is "restore a VM to a point in time after deletion," choose Azure Backup, not Azure Monitor. If the requirement is "continue service in another region with minimal downtime," choose Site Recovery, not a nightly backup alone. If the requirement is "retain logs for seven years," choose diagnostic export or archive design, not VM backup. If the requirement is "protect against accidental deletion of backup data," look for soft delete, immutability, and vault security settings.
Which vault is commonly used to back up Azure VMs and also supports Azure Site Recovery scenarios?
A user deleted one file from an otherwise healthy Azure VM. Which restore option is usually most appropriate?
A company needs to protect backup recovery points from accidental or malicious deletion. Which vault features are most relevant?