Azure Backup

Azure Backup is a centralized, policy-driven backup service. You define what to protect and a retention policy; it captures recovery points into a vault and restores from them — with no backup infrastructure to deploy, scale, or patch. It protects Azure VMs, file shares, SQL and SAP HANA running in VMs, and on-premises servers.

Backup is not redundancy and not a snapshot. Redundancy protects against hardware loss; a snapshot is a point-in-time copy in the same subscription; backup is an independent, retained, policy-governed copy designed to survive deletion, corruption, and ransomware. Conflating them is how data is lost while everyone believed it was safe.

Vaults

Recovery points land in a Recovery Services vault (for VMs, files, and workloads in VMs) or a Backup vault (for newer workloads like Azure Disks, Blobs, and PostgreSQL). The vault is the management, retention, and access boundary, and its redundancy setting — LRS, ZRS, or GRS — determines whether backups survive a regional disaster.

What It Protects

The estate Azure Backup covers spans Azure VMs, Azure Files shares, SQL Server and SAP HANA inside VMs, Azure Blobs and Disks, and on-premises Windows servers and files through the MARS agent or a backup server. One service and one policy model covers cloud and on-premises, which is much of its value.

Policies and Retention

A backup policy sets the schedule and the retention — daily for weeks, weekly for months, monthly or yearly for compliance. Soft delete is now enabled by default on every vault and cannot be turned off in most regions: deleted backups stay recoverable for 14 days (extendable to 180), so a malicious or accidental deletion is reversible. Immutable vaults go further, blocking any operation that could remove or shorten a recovery point before its retention expires — both aimed squarely at ransomware and malicious insiders.

Restore

Recovery options range from full VM restore to file-level recovery and cross-region restore from a GRS vault. The restore that has never been tested is the one that fails during the incident, so a recovery point is only as good as a rehearsed restore — backups are validated by restoring, not by existing.

Azure Backup vs Snapshots vs Azure Site Recovery

Azure Backup — Retained, policy-governed recovery points that survive deletion and corruption. The tool for backup and long-term retention.

Snapshots — Fast point-in-time copies in the same subscription. Good for quick clones and short-term rollback, not a retention or DR strategy.

Azure Site Recovery — Continuous replication for disaster recovery with low RPO and orchestrated failover. The tool for keeping a workload running, not for retaining history.

Common Mistakes
  • Confusing redundancy or snapshots with backup — none of them protects against accidental deletion, corruption, or ransomware the way a retained backup does.
  • Putting backups in an LRS vault for data that must survive a regional disaster, when GRS is the point.
  • Leaving immutable vaults off for high-value backups — soft delete is on by default, but immutability is opt-in and is what blocks an attacker from shortening retention.
  • Setting a backup schedule and never testing a restore — the untested restore fails during the incident.
  • Backing up the VM but forgetting the application-consistent option for databases, getting crash-consistent recovery points that need repair.
  • Assuming Azure Backup handles disaster-recovery failover — that is Azure Site Recovery; Backup restores data, it does not keep a workload running.

Best Practices
  • Treat backup as independent of redundancy and snapshots — keep retained, policy-governed recovery points for anything you cannot lose.
  • Use a GRS vault for data that must survive a regional disaster.
  • Enable immutable vaults for high-value backups (soft delete is already on by default) to defend against ransomware and malicious deletion.
  • Rehearse restores on a schedule; a recovery point is only proven by a successful restore.
  • Use application-consistent backups for databases so recovery points need no repair.
  • Use Azure Site Recovery for low-RPO failover and Azure Backup for retention — they solve different problems.

Comparable services: AWS Backup, GCP Backup and DR Service
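
The Common Mistakes and Best Practices lists above, turned into an audit over a vault inventory. This is an added example, not code from the original page or from Microsoft tooling. The inventory records, their field names, and the 90-day restore-rehearsal threshold are assumptions; fill them from your own vault and backup-item inventory.

```python
from datetime import date

# Constructed inventory; the field names are hypothetical, not an Azure API schema.
VAULTS = [
    {"name": "vault-prod", "redundancy": "LRS", "immutable": False,
     "needs_regional_survival": True, "high_value": True,
     "items": [
         {"name": "sql-vm-01", "database": True, "consistency": "crash",
          "last_restore_test": None},
         {"name": "web-vm-01", "database": False, "consistency": "crash",
          "last_restore_test": date(2024, 5, 20)},
     ]},
    {"name": "vault-dr", "redundancy": "GRS", "immutable": True,
     "needs_regional_survival": True, "high_value": True,
     "items": [
         {"name": "hana-vm-01", "database": True, "consistency": "application",
          "last_restore_test": date(2024, 1, 5)},
     ]},
]

MAX_RESTORE_AGE_DAYS = 90  # assumed rehearsal interval; set to your own policy


def audit(vaults, today):
    """Return (vault, item_or_None, issue) findings in inventory order."""
    findings = []
    for v in vaults:
        # Only GRS survives the loss of a region; LRS and ZRS do not.
        if v["needs_regional_survival"] and v["redundancy"] != "GRS":
            findings.append((v["name"], None, "not-GRS"))
        # Soft delete is on by default; immutability is the opt-in control.
        if v["high_value"] and not v["immutable"]:
            findings.append((v["name"], None, "immutability-off"))
        for item in v["items"]:
            if item["database"] and item["consistency"] != "application":
                findings.append((v["name"], item["name"], "crash-consistent-db"))
            tested = item["last_restore_test"]
            if tested is None:
                findings.append((v["name"], item["name"], "restore-never-tested"))
            elif (today - tested).days > MAX_RESTORE_AGE_DAYS:
                findings.append((v["name"], item["name"], "restore-test-stale"))
    return findings


if __name__ == "__main__":
    for vault, item, issue in audit(VAULTS, date(2024, 6, 1)):
        print(f"{vault:12} {item or '-':12} {issue}")
```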

Knowledge Check

How does a backup differ from redundancy or a snapshot?

  • It is an independent, retained, policy-governed copy built to survive deletion, corruption, and ransomware
  • It is simply a faster snapshot stored alongside the source data in the very same storage account and subscription
  • It replaces the need for any redundancy setting on the storage account
  • It is a continuous live replica kept warm in a paired region for instant failover of the workload

What do soft delete and immutable vaults protect against?

  • Ransomware and malicious deletion — backups stay recoverable and unalterable until retention expires
  • Regional disasters, by replicating every recovery point to the geographically paired Azure region automatically on each backup
  • Slow restores, by caching recent recovery points on local SSD for faster reads
  • Backup policy misconfiguration, by validating every schedule before it runs

A team needs low-RPO failover to keep a workload running through a regional outage. Which service fits?

  • Azure Site Recovery — continuous replication with orchestrated failover
  • Azure Backup — scheduled point-in-time recovery points retained on a policy in a Recovery Services vault
  • Periodic disk snapshots kept in the same subscription
  • GRS redundancy on the storage account alone, with no compute
