Protect your virtual machines by using Azure Backup

Introduction to Azure Backups

What is Azure backup?

It is a cloud-based backup service that provides a simple, secure, and cost-effective way to back up your data and recover it from the Microsoft Azure cloud.

Although it is cloud-native, Azure Backup can also be used on-premises. As already mentioned, it is simple to configure and use, and offers consistent copies with security features and management controls via the Azure portal.

Azure Backup takes point-in-time backups of your data from different sources: Azure VMs, SQL machines in Azure, SAP HANA databases in Azure, files, folders, system state, SQL databases from on-premises, VMware VMs, Hyper-V VMs, and much more.

While Azure VMs and the workloads hosted in those VMs are backed up using a backup extension, on-premises workloads can be protected using the Microsoft Azure Recovery Services (MARS) agent, Azure Backup Server (MABS), or through integration with System Center Data Protection Manager (DPM).

So, Azure Backup backs up your data, but are Azure servers backed up? The answer to that question is yes, they can be. Servers that are hosted in Azure as IaaS can be protected using Azure Backup. It is simple to enable this backup directly from the Azure portal with minimal configuration overhead. The service can be enabled for both Windows and Linux VMs in Azure.

Azure Backups are stored in Azure storage, which is automatically created by the backup service. As Azure storage is billed on a pay-as-you-go basis, this serves as a very inexpensive backup solution for your data estate in the cloud. Azure storage is resilient by design, and there will be a minimum of three copies of your data available in Azure storage when using locally-redundant storage (LRS) replication. Additional resiliency for the storage is available through geo-redundant storage (GRS) and zone-redundant storage (ZRS).

Azure Backup Features and Scenarios

Both Backup and Site Recovery aim to make the system more resilient to faults and failures. However, while the primary goal of Backup is to maintain copies of stateful data that allow you to go back in time, Site Recovery replicates the data in almost real time and allows for a failover.

In that sense, if there are issues like network or power outages, you can use availability zones. For a region-wide disaster (such as natural disasters), Site Recovery is used. Backups are used in cases of accidental data loss, data corruption, or ransomware attacks.

Additionally, the choice of a recovery approach depends on the criticality of the application, RPO and RTO requirements, and the cost implications.

Azure Backup has several benefits over traditional backup solutions, such as disk and tape, which don’t offer the highest level of integration with cloud-based solutions.

Zero-infrastructure backup: Azure Backup eliminates the need to deploy and manage any backup infrastructure or storage. This means there’s no overhead in maintaining backup infrastructure.

Long-term retention: Azure Backup meets an organization's compliance and audit requirements by retaining backups for several years. The retention period can easily be set as per organizational needs; beyond it, the recovery points are deleted automatically by the built-in lifecycle management capability.

Security: Azure Backup provides security to your backup environment – for data in transit and at rest.

  • Azure role-based access control: RBAC allows you to segregate roles as per organizational needs.
  • Encryption of backups: Backup data is automatically encrypted using Microsoft-managed keys. You can also encrypt your backed-up data using customer-managed keys stored in the Azure Key Vault. 
  • No internet connectivity required: When using Azure VMs, all the data transfer happens only on the Azure backbone network without any need to access your virtual network. Zero access to IPs or FQDNs is required.
  • Soft delete: With soft delete, the backup data is retained for 14 days after the deletion of the backup item. This protects against accidental deletion or malicious deletion scenarios, allowing the recovery of those backups with zero data loss.

Azure Backup also offers the ability to back up virtual machines encrypted with Azure Disk Encryption (ADE).

High availability: Azure Backup offers three types of replication – LRS, GRS, and RA-GRS – to keep your backup data highly available and resilient.

Centralized monitoring and management: Azure Backup provides built-in monitoring and alerting capabilities in a Recovery Services vault. These capabilities are available without any additional management infrastructure.

Backup Azure VM using Azure Backup

Azure VMs are backed up by taking snapshots of the underlying disks at user-defined intervals and transferring those snapshots to the Recovery Services Vault as per the customer-defined policy.

This brings us to the Recovery Services vault, the storage entity that Azure Backup uses to manage and store backup data. Because it is a storage-management entity that houses the data, you do not need to worry about deploying or managing storage accounts. It provides a simple experience for managing and monitoring backup and restore operations: you just specify the vault you want to back up the VM to, and the backup data is transferred to the Azure Backup storage accounts in the background. The data is typically copies of data, or configuration information, for virtual machines (VMs), workloads, servers, or workstations.

Now, let’s talk about snapshots. A snapshot is a point-in-time backup of all disks on the virtual machine. For Azure VMs, Azure Backup uses a different extension for each supported operating system: VMSnapshot for Windows and VMSnapshotLinux for Linux.

In the Recovery Services vault, we can define backup policies that set the backup frequency and the data retention period. Backups for VMs can be taken daily or weekly and can be retained for multiple years based on the organization's needs.
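The vault, redundancy, soft delete and policy settings described so far can also be applied from the Azure CLI instead of the portal. The script below is an added example, not part of the original article; the resource group, vault and VM names and the region are hypothetical placeholders, and it only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: protect one Azure VM with a Recovery Services vault.
set -eu

RG="${RG:-rg-backup-demo}"          # hypothetical resource group
VAULT="${VAULT:-rsv-demo}"          # hypothetical Recovery Services vault
VM="${VM:-vm-app01}"                # hypothetical VM, same region as the vault
LOCATION="${LOCATION:-westeurope}"  # assumed region

# With DRY_RUN=1 (the default) each command is printed instead of executed.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

protect_vm() {
  # 1. The vault is the storage-management entity; no storage account is created by hand.
  run az backup vault create --resource-group "$RG" --name "$VAULT" --location "$LOCATION"

  # 2. Choose the replication type before the first item is protected;
  #    it cannot be changed once the vault holds backup items.
  run az backup vault backup-properties set --resource-group "$RG" --name "$VAULT" \
    --backup-storage-redundancy GeoRedundant

  # 3. Assert soft delete explicitly so deleted backup data stays recoverable.
  run az backup vault backup-properties set --resource-group "$RG" --name "$VAULT" \
    --soft-delete-feature-state Enable

  # 4. Attach the VM to the vault's built-in DefaultPolicy.
  run az backup protection enable-for-vm --resource-group "$RG" --vault-name "$VAULT" \
    --vm "$VM" --policy-name DefaultPolicy

  # 5. Read the vault settings back so configuration drift shows up in the job log.
  run az backup vault backup-properties show --resource-group "$RG" --name "$VAULT"
}

protect_vm
```

Setting the redundancy and soft delete state in two separate calls keeps each change individually visible in the Azure activity log.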

There are two access tiers of the backed up data –

  • Snapshot Tier – It is also called the Instant Restore. Snapshots are stored locally for a maximum period of 5 days. For operational recoveries, use the snapshot tier as it is much faster.
  • Vault Tier – Snapshots are transferred to the vault for added security and longer retention.

Here’s how Azure Backup completes a backup for Azure VMs:

For Azure VMs that are selected for backup, Azure Backup starts a backup job according to the backup frequency you specify in the backup policy. During the first backup, a backup extension is installed on the VM, if the VM is running.

  • For Windows VMs, the VMSnapshot extension is installed.
  • For Linux VMs, the VMSnapshotLinux extension is installed.

The snapshot that is taken is stored locally as well as transferred to the vault. Azure Backup reads the blocks on the disk, identifies the data blocks that have changed since the previous backup (the delta), and transfers only that data.

The backups are optimized by backing up each VM disk in parallel.

We discussed the extensions for Windows and Linux above. The extension for Windows (VMSnapshot) works with the Volume Shadow Copy Service (VSS) to take a copy of the data on the disk as well as in memory, whereas with the extension for Linux (VMSnapshotLinux), the snapshot is only a copy of the disk.

Depending on the snapshot and what it includes, we can achieve different levels of consistency:

Application consistent
The snapshot captures the virtual machine as a whole. As explained above, it uses VSS writers to capture the content of the machine memory and any pending I/O operations. For Linux OS, we need to write custom pre or post scripts per application to capture the application state.

File system consistent
If VSS fails or the pre and post scripts fail, Azure Backup still creates a file-system-consistent snapshot, and no corruption occurs during recovery. However, the installed apps are required to do their own cleanup to become consistent.

Crash consistent
This level of consistency typically occurs if the VM is shut down during backup. No I/O operations or memory contents are captured during this type of backup. This method doesn’t guarantee data consistency for the OS or app.

As we had discussed earlier, we can either instantly restore from the snapshot tier or from the vault tier. There are different restore options. Let us discuss them one at a time now.

  • Create a new virtual machine from a restore point – You can quickly create and get a basic VM up and running from a restore point. There is a caveat, though: the new VM must be created in the same region as the source VM.

  • Restore a virtual machine disk, which can be used to create a new virtual machine – We can restore a virtual machine disk, which can then be used to create a new VM. Azure Backup provides a template that can be used to customize and create the new VM. There are other ways as well: you can attach the disk to an existing VM, or create a new VM. This option is useful when you want to add a configuration setting that was not there when the backup was taken.

  • Replace a disk on the existing Virtual Machine – We can also restore a disk and use it to replace an existing disk on a VM. How it works is that Azure VM takes the snapshot of the existing VM and stores it in the staging location. The condition is that the VM must exist, else this option does not work.

  • Restoring Azure Virtual Machine in the secondary region – This option is used to restore the Azure VM in a secondary region, which is paired with the primary Azure region. This is only available for the first two options and not for the third option.

From a security perspective, Azure Backup supports the backup and restoration of virtual machines encrypted using Azure Disk Encryption, which works with Azure Key Vault to manage the secrets and keys associated with the encrypted VM.

We can add a further layer of security on top of this by using Key Vault encryption keys (KEKs) to encrypt the secret before it is written to the vault.

Certain limitations apply when you restore encrypted virtual machines:

  • Azure Backup supports only standalone key encryption. Any key that’s part of a certificate isn’t supported currently.
  • File or folder level restores are not supported with encrypted VMs. To restore to that level of granularity, the whole virtual machine has to be restored. You can then manually copy the file or folders.
  • The Replace existing VM option does not work for encrypted virtual machines.
