Azure Backup
AZUREBACKUPRESILIENCY
Part of [[202404071304 Resiliency Overview]]
We back up because we want to restore. Service backups, such as SQL, work differently.
- Backup Center provides a single pane of glass focused on the protected workload
- At the simplest level Azure also provides backup services via recovery vaults & backup
- These can be used by backup applications and many Azure components (including VMs via extension) in addition to hybrid
- Data can then be recovered when needed / [[202408131927 Azure restore from backup|Restore from backups]]
- Delta-based storage with many recovery points
- Retention settings enable day, week, month and year retention goals
    - Default: snapshots kept for 2 days
    - Default: VM for 30 days
- Integration layer
    - Storage: snapshots for VMs, files etc.
    - Stream: for databases
- Availability and security
    - [[202404061249 Azure RBAC|Azure RBAC]] and encryption
    - Vaults can have local, zone-redundant or geo-redundant configuration
    - Soft-delete feature (deleted data stored for 14 days)
- Can be used for:
    - On-prem (agent based)
    - Azure (built-in)
- Microsoft Azure Recovery Services (MARS) agent for backing up files or specific disks etc.
- [[202408011914 Azure Backup Access Tiers|Azure Backup Access Tiers]]
- Recovery Services vault must be in the same region as the resources you want to back up
- Scheduled backups still run even if the VM is shut down
- Up to 100 VMs can be attached to a single backup policy
Protecting backups
- Maybe use [[202401121503 Entra Privileged Identity Management|PIM]] for JIT access for Backup admins, but assume they will have access.
- Create a resource guard
    - In a different subscription, maybe a different AAD
    - For any critical operation they have to use [[202401121503 Entra Privileged Identity Management|PIM]] to go up to resource guard level, so someone has to approve.
- Also have immutable vaults (backups can't be deleted before expiry time)
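
Added example (not part of the original notes, and not Microsoft code): a small audit that applies the checks from these notes (vault in the same region as its resources, up to 100 VMs per policy, soft delete, immutability, resource guard in a different subscription) to an inventory export. The record layout, function names and all values are hypothetical and constructed for illustration.

```python
# Added example. The record layout is a hypothetical inventory export,
# not an Azure API schema; all values are constructed sample data.
MAX_VMS_PER_POLICY = 100  # per-policy VM limit from the notes above

def audit_vault(vault):
    """Return findings for one vault record, in check order."""
    findings = []
    vm_count = {}
    for item in vault["protected_items"]:
        # The vault must be in the same region as what it protects.
        if item["region"] != vault["region"]:
            findings.append(f"region-mismatch:{item['name']}")
        if item["type"] == "vm":
            vm_count[item["policy"]] = vm_count.get(item["policy"], 0) + 1
    for policy, count in sorted(vm_count.items()):
        if count > MAX_VMS_PER_POLICY:
            findings.append(f"policy-over-limit:{policy}")
    if not vault.get("soft_delete"):
        findings.append("soft-delete-off")
    if not vault.get("immutable"):
        findings.append("not-immutable")
    guard = vault.get("resource_guard")
    if guard is None:
        findings.append("no-resource-guard")
    elif guard["subscription"] == vault["subscription"]:
        # The notes place the guard in a different subscription.
        findings.append("guard-in-same-subscription")
    return findings

def vm(name, region, policy="daily"):
    """Build one constructed VM record."""
    return {"name": name, "type": "vm", "region": region, "policy": policy}

WEAK_VAULT = {
    "name": "vault-a", "region": "uksouth", "subscription": "sub-workload",
    "soft_delete": False, "immutable": False,
    "resource_guard": {"name": "guard-a", "subscription": "sub-workload"},
    "protected_items": [vm(f"vm{i}", "uksouth") for i in range(101)]
                       + [vm("vm-far", "westeurope", "weekly")],
}
HARDENED_VAULT = {
    "name": "vault-b", "region": "uksouth", "subscription": "sub-workload",
    "soft_delete": True, "immutable": True,
    "resource_guard": {"name": "guard-b", "subscription": "sub-security"},
    "protected_items": [vm("vm0", "uksouth")],
}

if __name__ == "__main__":
    for v in (WEAK_VAULT, HARDENED_VAULT):
        print(v["name"], audit_vault(v) or "ok")
```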