AZ-104 | Chapter 35 of 168 | Objective 5.2

Azure Backup and Recovery Services Vault

This chapter covers Azure Backup and the Recovery Services Vault (RSV), the foundational components for protecting workloads in Azure. On the AZ-104 exam, this topic falls under Domain 5 (Monitoring) but is often tested in the context of backup and disaster recovery. Approximately 15-20% of exam questions touch on backup, restore, and vault configuration. You will learn the architecture, configuration steps, backup policies, restore options, and common pitfalls. Mastery of RSV is critical, as it is the only vault type for Azure Backup and is frequently confused with the Backup Center and other vault types.

Updated May 31, 2026

Backup Vault as a Bank Safety Deposit Box

Imagine a bank safety deposit box system. The vault (Recovery Services Vault) is the secure room that houses many numbered boxes (backup data). Each box (protected item) is assigned a unique key (encryption key) and is accessible only via a specific slot (backup policy). The bank manager (Azure Backup service) follows a schedule: every night at 10 PM, a bank teller (backup agent) collects a sealed envelope (backup data) from each customer's office (VM/server) and places it into their designated box. The teller records the date and time on a log (recovery point). If a customer's office burns down (disaster), they can request the envelope from a specific date (restore to a point in time). The bank keeps the envelope for a set period (retention policy) — 30 days for daily envelopes, 12 months for monthly envelopes — after which it is shredded (deleted). The vault itself is replicated to another branch (geo-redundant storage) for safety. Customers can only access their own box (role-based access control). If a customer wants to retrieve a file from an envelope without taking the whole envelope (file-level restore), they can open it in a special viewing room (staging VM). The system ensures that no one can tamper with the envelopes (immutable backups) and that the bank manager can recover the entire vault to a different branch (cross-region restore) if the entire city is affected.

How It Actually Works

Azure Backup is Microsoft's native backup-as-a-service (BaaS) solution for protecting Azure VMs, on-premises servers, Azure Files, SQL Server, SAP HANA, and more. The Recovery Services Vault (RSV) is the management and storage container that holds backup data, backup policies, and configuration. It is distinct from the Backup Vault (used for Azure Backup for Azure Disks and Azure Database for PostgreSQL) and the Site Recovery Vault (used for Azure Site Recovery). The RSV is a regional resource, meaning it resides in a specific Azure region and stores backup data in that region unless configured for cross-region restore.

How It Works Internally

When you enable backup for a workload, Azure Backup performs the following steps:

1. Extension Installation: For Azure VMs, the Azure Backup extension (VMSnapshot for Windows, VMSnapshotLinux for Linux) is installed. For on-premises, the Microsoft Azure Recovery Services (MARS) agent is installed.

2. Initial Backup: The first backup is a full copy of the data. For Azure VMs, this uses VSS (Volume Shadow Copy Service) on Windows or file-system consistent snapshots on Linux to ensure application consistency. The snapshot is stored in the VM's attached managed disks temporarily, then transferred to the RSV. For on-premises, the MARS agent sends data over the internet or ExpressRoute.

3. Incremental Backups: Subsequent backups are incremental: only changes since the last backup are transferred. Azure Backup uses block-level tracking (for VMs) or change journal (for SQL) to identify changed blocks. This reduces bandwidth and storage costs.

4. Data Transfer: Data is compressed and encrypted before transfer. For Azure VMs, the backup data is sent directly from the snapshot to the RSV using HTTPS. For on-premises, the MARS agent compresses and encrypts data using a passphrase you provide.

5. Storage: The RSV uses Azure Blob Storage in the background. Backup data is stored in blob containers with names like iaasvmcontainer;.... The data is stored in the vault's default storage redundancy: Locally Redundant Storage (LRS), Geo-Redundant Storage (GRS), or Zone-Redundant Storage (ZRS). You choose this at vault creation; it cannot be changed later.

6. Retention: Backup policies define how long recovery points are kept. Policies include daily, weekly, monthly, and yearly retention points. The vault automatically deletes expired recovery points based on the policy.

Key Components, Values, Defaults, and Timers

Vault Types: Recovery Services Vault vs. Backup Vault. RSV is for Azure VMs, SQL, SAP HANA, Azure Files, on-premises workloads. Backup Vault is for Azure Disks, Azure Database for PostgreSQL, and Blob backup.

Storage Replication: Default is GRS. Options: LRS, GRS, ZRS (for certain regions). Cannot be changed after vault creation.

Soft Delete: Enabled by default for RSVs. Retains deleted backup data for 14 days (default). Can be disabled.

Backup Policy: Can be Standard (default) or Enhanced. Standard policies allow up to 100 backup schedules per policy. Enhanced policies support hourly backups (minimum 4-hour frequency) and up to 1000 VMs per policy.

Maximum Retention: Daily: 9999 days, Weekly: 5163 weeks, Monthly: 1188 months, Yearly: 999 years.

Initial Backup Time: Can be scheduled (e.g., 10:00 PM) or immediate.

Consistency Types: Crash-consistent, File-system consistent, Application-consistent. Application-consistent is the default for Windows VMs with VSS.

Backup Limits: Up to 250 protected items per RSV (soft limit, can be increased).

MARS Agent: Maximum file size for backup: 54,000 GB (54 TB).

Configuration and Verification Commands

To create a Recovery Services Vault using Azure CLI:

az backup vault create --resource-group MyRG --name MyRSVault --location eastus

To enable backup for an Azure VM:

az backup protection enable-for-vm --resource-group MyRG --vault-name MyRSVault --vm MyVM --policy-name DefaultPolicy

To list recovery points:

az backup recoverypoint list --resource-group MyRG --vault-name MyRSVault --container-name MyVM --item-name MyVM

To restore a VM:

az backup restore restore-disks --resource-group MyRG --vault-name MyRSVault --container-name MyVM --item-name MyVM --rp-name <recovery-point-id> --storage-account MyStorageAccount

To check backup job status:

az backup job list --resource-group MyRG --vault-name MyRSVault --status InProgress

For PowerShell:

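$vault = New-AzRecoveryServicesVault -ResourceGroupName MyRG -Name MyRSVault -Location eastus
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name DefaultPolicy -VaultId $vault.ID
# -Name and -ResourceGroupName identify the VM to protect; the vault is passed with -VaultId
Enable-AzRecoveryServicesBackupProtection -ResourceGroupName MyRG -Name MyVM -Policy $policy -VaultId $vault.ID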
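
An added example (not from the original chapter or from Microsoft): a POSIX shell check that applies this chapter's rules for soft delete, storage redundancy and Cross-Region Restore to a vault inventory. The tab-separated record format, the dr_required column and the vault names are assumptions constructed for the example; populate the records from your own az queries.

```shell
#!/bin/sh
# Added example: audit Recovery Services Vault settings against this chapter's rules.
# Input on stdin, one tab-separated record per vault (format constructed for this example):
#   name  redundancy(LRS|GRS|ZRS)  crr(on|off)  soft_delete(enabled|disabled)  retention_days  dr_required(yes|no)

audit_vaults() {
    # Prints "SEVERITY<TAB>vault<TAB>finding" for each issue; returns 1 if any FAIL was raised.
    awk -F '\t' '
    function report(sev, msg) {
        printf "%s\t%s\t%s\n", sev, $1, msg
        if (sev == "FAIL") bad = 1
    }
    BEGIN { bad = 0 }
    NF != 6 { report("FAIL", "malformed record, expected 6 fields"); next }
    {
        red = $2; crr = $3; sd = $4; days = $5; dr = $6

        # Soft delete must stay on, with retention inside the configurable 14-180 day range.
        if (sd != "enabled")
            report("FAIL", "soft delete is disabled")
        else if (days !~ /^[0-9]+$/ || days + 0 < 14 || days + 0 > 180)
            report("FAIL", "soft delete retention " days " is outside 14-180 days")

        # Cross-Region Restore only exists on GRS vaults, so this combination is inconsistent.
        if (crr == "on" && red != "GRS")
            report("FAIL", "Cross-Region Restore recorded on a " red " vault")

        # Restoring in another region needs GRS plus Cross-Region Restore explicitly enabled.
        if (dr == "yes" && red != "GRS")
            report("FAIL", "DR required but redundancy is " red)
        else if (dr == "yes" && crr != "on")
            report("WARN", "GRS vault without Cross-Region Restore enabled")
    }
    END { exit (bad ? 1 : 0) }
    '
}

sample_vaults() {
    # Constructed sample inventory; vault names are hypothetical.
    printf 'prod-rsv\tGRS\ton\tenabled\t180\tyes\n'
    printf 'dev-rsv\tLRS\toff\tenabled\t14\tno\n'
    printf 'legacy-rsv\tLRS\toff\tdisabled\t0\tyes\n'
    printf 'branch-rsv\tGRS\toff\tenabled\t14\tyes\n'
    printf 'odd-rsv\tZRS\ton\tenabled\t200\tno\n'
}

# Run the audit over the sample inventory; a non-zero status means at least one FAIL.
sample_vaults | audit_vaults || echo "audit: at least one vault has a FAIL finding" >&2
```

Because the redundancy and Cross-Region Restore choices are described here as fixed at vault creation, a FAIL on those checks means planning a new vault rather than editing the existing one.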

Interaction with Related Technologies

Azure Policy: Can enforce backup compliance by requiring VMs to have backup enabled.

Azure Monitor: Backup health metrics and alerts can be sent to Log Analytics.

Azure Site Recovery: Often used together for disaster recovery; RSV is separate from Site Recovery vault.

Azure Disk Encryption: Backup works with encrypted disks; the vault does not store keys.

Private Endpoints: Can be used to secure backup data transfer without public internet.

Azure Backup Center: A unified management blade that aggregates backups across multiple vaults.

Common Exam Scenarios

Cross-Region Restore: Available only if the vault uses GRS and the feature is enabled at vault creation. Allows restoring a backup to a paired region.

Restore to a Specific Point: You can choose from daily, weekly, monthly, yearly recovery points.

File-Level Restore: For Azure VMs, you can mount a recovery point as a drive (Windows) or NFS share (Linux) to copy individual files.

Backup of Azure Files: Requires a storage account with file shares; backup policy is applied to the file share.

Backup of SQL Server in Azure VM: Requires a backup policy with specific scheduling for log backups (every 15 minutes to 1 hour).

Backup of SAP HANA: Similar to SQL, but requires a different extension and pre-registration steps.

Important Defaults and Timers

Soft Delete Retention: 14 days (default), configurable from 14 to 180 days.

Backup Frequency: Minimum 4 hours for Enhanced policy, 1 day for Standard policy.

Retention for Daily: Default 30 days.

Snapshot Retention: For Azure VMs, the snapshot is retained temporarily (usually 1-2 days) until transferred to vault.

Data Transfer: For on-premises, the initial backup can take hours; use seeding (Azure Import/Export) for large data.

Troubleshooting Commands

To view backup errors:

az backup job show --resource-group MyRG --vault-name MyRSVault --name <job-id>

To re-register extension:

az vm extension set --resource-group MyRG --vm-name MyVM --name VMSnapshot --publisher Microsoft.Azure.RecoveryServices --settings '{}'

Walk-Through

1. Create Recovery Services Vault

Navigate to the Azure portal, search for 'Recovery Services Vault', and click 'Create'. Provide a resource group, vault name, and region. Choose storage replication type: LRS (low-cost, data stays in region), GRS (default, replicates to paired region), or ZRS (zone-redundant). You cannot change this later. Optionally enable Cross-Region Restore (only with GRS). Click 'Review + Create' then 'Create'. The vault is created with default backup policies (DailyPolicy, WeeklyPolicy, etc.) and a default security configuration (soft delete enabled, 14 days retention).

2. Configure Backup Policy

In the vault, go to 'Backup policies' and create a new policy or modify the default. For Azure VM backup, define a schedule: frequency (daily, weekly, hourly) and time. For retention, set how long to keep daily (e.g., 30 days), weekly (e.g., 12 weeks), monthly (e.g., 12 months), yearly (e.g., 3 years). For SQL/SAP, also configure log backup frequency (every 15-60 minutes). The policy is assigned to one or more protected items. Note: Each policy can have up to 100 backup schedules (Standard) or 1000 VMs (Enhanced).

3. Enable Backup for Azure VM

In the vault, go to 'Backup' and select 'Azure Virtual Machine'. Choose a backup policy. Select the VM(s) to protect. Click 'Enable Backup'. This triggers installation of the backup extension (VMSnapshot) on the VM (if not already present). The first backup will run according to the schedule (or immediately if you choose). The VM must be running for the extension to install. Backup is now enabled; you can view the protected item in the vault.

4. Monitor Backup Jobs

Go to 'Backup jobs' in the vault to see status of all backup operations. Jobs can be InProgress, Completed, or Failed. For failures, click the job to see error details. Common failures include: VM not running, extension not responding, insufficient permissions, or storage account not accessible. You can also set up alerts via Azure Monitor to notify on failures. Use CLI: `az backup job list` to query jobs programmatically.

5. Restore a VM from Recovery Point

In the vault, go to 'Backup items' and select the VM. Click 'Restore VM'. Choose a recovery point (date/time). Select restore type: 'Create new VM' (will create a new VM with the same configuration), 'Replace existing VM' (overwrites the original VM), or 'Restore disks' (restore to a storage account). For 'Create new VM', specify VM name, resource group, virtual network, and storage account for the restore. Click 'Restore'. The restore job creates a new VM from the snapshot. For file-level restore, select 'File Recovery' and download a script to mount the recovery point.

6. Test Cross-Region Restore

If you enabled Cross-Region Restore at vault creation, you can restore to the paired region. Go to 'Backup items', select the VM, and choose 'Cross Region Restore'. Select a recovery point and target region (paired region). Provide a storage account in that region. Click 'Restore'. This is useful for disaster recovery if the primary region goes down. Note: Cross-Region Restore is only available for GRS vaults and must be enabled at creation. The secondary region is determined by Azure; you cannot choose any region.

What This Looks Like on the Job

Scenario 1: Enterprise VM Backup with Compliance Requirements

A financial services company must retain VM backups for 7 years for regulatory compliance. They create a Recovery Services Vault with GRS storage and enable soft delete with 180-day retention. They configure a backup policy with daily backups (retained 30 days), weekly (52 weeks), monthly (60 months), and yearly (7 years). They use Azure Policy to enforce that all production VMs are backed up to this vault. They monitor backup health via Azure Monitor and set up alerts for failures. A common issue is that VMs with ephemeral disks cannot be backed up; they must use managed disks. Another issue is that large VMs (e.g., 32 TB disks) require careful planning to avoid backup timeouts. They use the Enhanced policy to allow hourly backups for critical databases. They also enable Cross-Region Restore for disaster recovery. Misconfiguration: if they had chosen LRS, they could not restore if the region went down, leading to data loss.

Scenario 2: On-Premises Server Backup to Azure

A retail chain has 50 on-premises Windows servers that need offsite backup. They deploy the MARS agent on each server and register them with a Recovery Services Vault. They configure a backup policy with daily backups and retention of 90 days. They use a passphrase for encryption (must be saved securely). Initial backup is large (500 GB per server), so they use Azure Import/Export to seed the data: they export the initial backup to a disk and ship it to Azure. Subsequent backups are incremental. They monitor via the MARS console and Azure portal. Common problems: network throttling (use ExpressRoute), agent crashes (update to latest version), and passphrase loss (cannot restore). They also enable soft delete to protect against accidental deletion.

Scenario 3: SQL Server in Azure VM Backup

A SaaS company runs SQL Server on Azure VMs. They enable Azure Backup for SQL Server in Azure VM. They create a policy with full backup every Sunday, differential every weekday, and transaction log backup every 15 minutes. Retention: full backups for 30 days, differential for 14 days, logs for 7 days. They use the Enhanced policy for faster restores. They test file-level restore to retrieve specific .bak files. They also configure long-term retention for monthly and yearly backups. A common mistake is not pre-registering the SQL VM with the vault (requires running a registration script). Another issue is that the backup extension may fail if SQL Server is not running or if the VSS writer is corrupted. They monitor backup jobs via Azure Monitor and set up alerts for log backup failures.

How AZ-104 Actually Tests This

What AZ-104 Tests on This Topic

AZ-104 objective 5.2 (Monitor and backup Azure resources) specifically tests your ability to implement backup and restore solutions. Key sub-objectives include:

Create and configure a Recovery Services Vault

Configure backup policies for Azure VMs, Azure Files, SQL Server, and on-premises workloads

Perform restore operations (VM restore, file-level restore, cross-region restore)

Configure soft delete and security features

Monitor backup jobs and alerts

Common Wrong Answers and Why Candidates Choose Them

1. Choosing Backup Vault instead of Recovery Services Vault: Many candidates confuse the two. Backup Vault is for Azure Disks, PostgreSQL, and Blob backup. Recovery Services Vault is for VMs, SQL, SAP HANA, Azure Files, and on-premises. The exam often presents a scenario with VM backup and lists both vault types; the correct answer is always Recovery Services Vault.

2. Selecting LRS for a production VM backup: Candidates think LRS is cheaper and sufficient. However, for production VMs, GRS is recommended for disaster recovery. The exam tests that you understand Cross-Region Restore requires GRS. If the scenario mentions disaster recovery or compliance, GRS is the correct choice.

3. Disabling soft delete for a critical workload: Soft delete is enabled by default and provides 14 days of protection against accidental deletion. Some candidates disable it to simplify management, but the exam expects you to keep it enabled for critical data.

4. Choosing a restore option that overwrites the original VM without backup: When you choose 'Replace existing VM', the original VM is overwritten. Candidates may think this is safe, but the exam tests that you should first create a new VM or restore disks to avoid data loss.

Specific Numbers and Terms That Appear on the Exam

Soft delete retention: 14 days (default), configurable 14-180 days.

Maximum daily retention: 9999 days.

Backup frequency: Minimum 4 hours for Enhanced policy.

Storage replication options: LRS, GRS, ZRS (ZRS only in certain regions).

Cross-Region Restore: Only available with GRS and enabled at vault creation.

MARS agent: For on-premises Windows machines.

Backup extension: VMSnapshot (Windows), VMSnapshotLinux (Linux).

Consistency types: Crash-consistent, file-system consistent, application-consistent.

Edge Cases and Exceptions

Azure VM with unmanaged disks: Can be backed up, but disks must be in the same storage account.

Azure VM with premium SSD: Backups work, but there is a limit on the number of concurrent snapshots (200 per storage account).

Azure VM with Azure Disk Encryption: Backup works; the vault does not store encryption keys.

Backup of Azure Files: Requires the storage account to have file shares; the backup policy is applied to the file share, not the storage account.

Backup of Linux VMs: Application-consistent backups require pre-scripts and post-scripts.

Restore to a different region: Only possible with Cross-Region Restore (GRS).

How to Eliminate Wrong Answers

If the question asks about backing up an Azure VM, eliminate any answer that mentions 'Backup Vault' or 'Site Recovery Vault'.

If the question mentions disaster recovery or cross-region, ensure the vault uses GRS and Cross-Region Restore is enabled.

If the question is about restoring a single file, look for 'File Recovery' option (not full VM restore).

If the question involves on-premises backup, the answer must include the MARS agent or DPM/MABS.

For SQL backup, look for log backup frequency (15-60 minutes) and the requirement to pre-register the VM.

Key Takeaways

Recovery Services Vault (RSV) is the primary vault for Azure Backup of VMs, SQL, SAP HANA, Azure Files, and on-premises servers.

Storage replication type (LRS, GRS, ZRS) is chosen at vault creation and cannot be changed later.

Soft delete is enabled by default with a 14-day retention period; can be extended up to 180 days.

Cross-Region Restore requires GRS and must be enabled at vault creation.

Backup policies can be Standard (up to 100 schedules) or Enhanced (up to 1000 VMs, hourly backups).

Azure VM backup uses VMSnapshot extension; on-premises uses MARS agent.

File-level restore for Azure VMs is done by mounting a recovery point as a drive.

Backup of SQL Server in Azure VM requires log backup frequency of 15-60 minutes.

Maximum daily retention is 9999 days; yearly retention can be up to 999 years.

Azure Backup Center provides a unified view of backups across multiple vaults.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Recovery Services Vault (RSV)

Used for Azure VMs, SQL, SAP HANA, Azure Files, on-premises workloads

Supports MARS agent, DPM, MABS

Default storage replication is GRS

Soft delete enabled by default (14 days)

Cross-Region Restore available with GRS

Backup Vault

Used for Azure Disks, Azure Database for PostgreSQL, Blob backup

Does not support MARS agent

Default storage replication is LRS

Soft delete not available (for disks)

No Cross-Region Restore

Watch Out for These

Mistake

Recovery Services Vault and Backup Vault are the same thing.

Correct

They are different. Recovery Services Vault is used for Azure VMs, SQL, SAP HANA, Azure Files, and on-premises workloads. Backup Vault is used for Azure Disks, Azure Database for PostgreSQL, and Blob backup. The exam distinguishes them.

Mistake

You can change the storage replication type after creating the vault.

Correct

Storage replication (LRS, GRS, ZRS) is selected at vault creation and cannot be changed later. You must create a new vault if you need a different type.

Mistake

Soft delete permanently deletes backup data after 14 days.

Correct

Soft delete retains deleted backup data for 14 days (default) during which you can undelete it. After the retention period, the data is permanently deleted. You can configure the retention between 14 and 180 days.

Mistake

Cross-Region Restore is available for any vault with GRS.

Correct

Cross-Region Restore must be explicitly enabled at vault creation. It is not automatically available even if the vault uses GRS. You cannot enable it after creation.

Mistake

Azure Backup for Azure VMs requires the VM to be running all the time.

Correct

The VM must be running for the initial backup and for scheduled backups to trigger; if the VM is stopped, the backup will fail. You can use the 'Backup on a schedule' feature, but the VM must be powered on at the scheduled time.


Frequently Asked Questions

What is the difference between Recovery Services Vault and Backup Vault?

Recovery Services Vault (RSV) is used for backing up Azure VMs, SQL Server, SAP HANA, Azure Files, and on-premises workloads via MARS agent or DPM. Backup Vault is a newer vault type for Azure Disks, Azure Database for PostgreSQL, and Blob backup. RSV supports GRS and Cross-Region Restore; Backup Vault does not. On the exam, if the scenario involves VM backup, the answer is always Recovery Services Vault.

Can I change the storage replication type after creating a Recovery Services Vault?

No, you cannot change the storage replication type (LRS, GRS, ZRS) after vault creation. You must delete the vault and create a new one with the desired replication type. This is a common exam trap: they may ask you to modify replication, but the correct answer is to create a new vault.

What is soft delete in Azure Backup and how long does it last?

Soft delete protects backup data from accidental deletion. When you delete a backup item or stop protection with delete data, the data is retained in a soft-deleted state for 14 days by default (configurable from 14 to 180 days). During this period, you can undelete the data. After the retention period, data is permanently deleted. Soft delete is enabled by default for Recovery Services Vaults.

How do I perform a file-level restore for an Azure VM?

In the Recovery Services Vault, go to 'Backup items', select the VM, and click 'File Recovery'. Choose a recovery point. A script will be generated that, when run on a Windows or Linux machine, mounts the recovery point as a drive (Windows) or NFS share (Linux). You can then copy individual files. This is faster than restoring the entire VM.

What is Cross-Region Restore and when is it available?

Cross-Region Restore allows you to restore a backup to the paired Azure region (e.g., East US to West US). It is only available if the vault uses Geo-Redundant Storage (GRS) and the feature was enabled at vault creation. It cannot be enabled later. This is critical for disaster recovery scenarios.

Can I back up an Azure VM that uses ephemeral disks?

No, Azure Backup does not support VMs with ephemeral disks. The VM must have managed disks (standard or premium) to be backed up. Ephemeral disks are not persisted, so backup would be meaningless. This is a common exam fact.

What is the difference between Standard and Enhanced backup policies?

Standard policy supports up to 100 backup schedules per policy and minimum backup frequency of 1 day. Enhanced policy supports up to 1000 VMs per policy, hourly backups (minimum 4-hour frequency), and faster restores. Enhanced policy is recommended for large-scale deployments and critical workloads.
