This chapter covers Azure Backup Vault design, a critical component of Business Continuity and Disaster Recovery (BCDR) strategy on Azure. For the AZ-305 exam, approximately 10-15% of questions in the 'Design for Business Continuity' domain (Objective 3.1) involve backup vaults, including their configuration, security, and integration with other Azure services. You will learn the architecture, key settings, and best practices for designing a backup solution that meets recovery time objectives (RTO) and recovery point objectives (RPO) while adhering to compliance and security requirements.
Imagine a bank safety deposit box system. The bank (Azure Backup Vault) provides secure, fireproof, and access-controlled storage for your valuables (backup data). You don't just throw items in; you first place them in a secure container (encryption at rest using platform-managed or customer-managed keys). Each deposit box has a unique identifier (the backup item's identity). The bank has strict access policies: only authorized personnel (RBAC roles like Backup Contributor) can open the vault. When you deposit an item, the bank logs the transaction (immutable storage) and provides a receipt (recovery point). The vault is separate from your daily checking account (Recovery Services Vault) because it's designed for long-term, secure retention rather than frequent operational recoveries. The bank may also offer cross-branch replication (geo-redundant storage) so that if one branch burns down, your items are safe elsewhere. Similarly, Azure Backup Vault supports soft delete (like a 14-day grace period before permanent deletion) and allows you to define retention rules (like keeping items for 7 years for compliance). The bank's security measures (RBAC, private endpoints, encryption) mirror Azure Backup Vault's capabilities, ensuring that only you and your authorized agents can access the backups; even Azure administrators cannot read your data without your key.
What is Azure Backup Vault?
Azure Backup Vault is a storage entity in Azure that houses backup data for certain Azure workloads. It is distinct from the Recovery Services Vault (RSV), which is used for Azure Virtual Machines, SQL Server in Azure VMs, SAP HANA, and Azure Files. The Backup Vault is designed specifically for newer Azure backup workloads, including:
Azure Blob (operational and vaulted backups)
Azure Database for PostgreSQL (single server)
Azure Disks (disk snapshots and vaulted backups)
Azure Kubernetes Service (AKS) via the Backup Extension
It provides a centralized management and compliance boundary for backups, supporting features like soft delete, immutability, encryption at rest with platform-managed keys (PMK) or customer-managed keys (CMK), and role-based access control (RBAC).
Why Backup Vault Exists
Microsoft introduced Backup Vault to address the limitations of Recovery Services Vault for newer workload types. RSV was originally built for classic VM and file backup scenarios, relying on the Azure Backup Agent and the MARS agent. Backup Vault is a more modern architecture that:
Uses Azure Resource Manager (ARM) for management
Supports cross-region restore for blob and disk backups
Integrates natively with Azure Policy and Azure Lighthouse
Provides immutable storage at the vault level (up to 10 years)
Allows granular retention rules using backup policies
How It Works Internally
When you configure a backup for a supported workload (e.g., Azure Blob), the Backup Vault triggers an initial full backup. For blob operational backups, this is a snapshot of the storage account at a point in time. For vaulted backups, data is copied to the vault's storage, which is a separate Azure Blob Storage account managed by Azure Backup. The process involves:
Backup Extension Deployment: For workloads like AKS, the Backup Extension is installed on the cluster to coordinate with the vault.
Data Transfer: Data is transferred from the source to the vault's storage via Azure's internal network, often using the Azure Backup Service's managed identity.
Encryption: All data at rest is encrypted using AES-256. If CMK is enabled, the vault uses Azure Key Vault to wrap the data encryption key (DEK) with a customer-provided key encryption key (KEK).
Recovery Point Creation: A recovery point is a consistent snapshot of the data at a specific time. For vaulted backups, each recovery point is a full copy (not incremental) stored in the vault.
Retention Management: Based on the backup policy, recovery points are retained for specified durations (daily, weekly, monthly, yearly). Expired points are deleted after the retention period, subject to soft delete and immutability settings.
Key Components, Values, Defaults, and Timers
Soft Delete: Enabled by default. Deleted recovery points are retained for 14 days (default) before permanent deletion. Can be disabled, but not recommended.
Immutability: Can be enabled at vault creation or later. Locks the vault to prevent deletion of recovery points before their expiry. Maximum retention: 10 years.
Cross-Region Restore (CRR): For vaulted backups of blobs and disks, you can enable CRR to replicate data to a paired Azure region. This incurs additional storage cost.
Backup Policy: Defines schedule and retention. For blob vaulted backups, default schedule is daily with retention of 30 days. You can customize retention for daily, weekly, monthly, and yearly points.
Storage Redundancy: By default, vault uses Locally Redundant Storage (LRS). You can choose Geo-Redundant Storage (GRS) or Zone-Redundant Storage (ZRS) at vault creation. Changing redundancy later requires re-creating the vault.
Encryption: PMK is default. CMK can be specified using an Azure Key Vault key. The vault must have access to Key Vault.
Private Endpoints: Supported for secure connectivity without public internet. Requires DNS configuration.
Configuration and Verification Commands
Using Azure CLI:
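# Backup Vaults are managed through the dataprotection CLI extension;
# the `az backup vault` commands manage Recovery Services vaults instead.
# Create a Backup Vault
az dataprotection backup-vault create --vault-name MyBackupVault --resource-group MyRG --location westus --type SystemAssigned --storage-settings datastore-type="VaultStore" type="LocallyRedundant"
# Enable soft delete (default is enabled)
az dataprotection backup-vault update --vault-name MyBackupVault --resource-group MyRG --soft-delete-state On
# Enable immutability (once enabled, cannot be disabled)
az dataprotection backup-vault update --vault-name MyBackupVault --resource-group MyRG --immutability-state Locked
# Create a backup policy for blob vaulted backup. Schedule and retention live in the policy JSON:
# start from the default template, then edit policy.json to set the schedule
# (for example R/2023-01-01T00:00:00+00:00/P1D) and 30-day retention.
az dataprotection backup-policy get-default-policy-template --datasource-type AzureBlob > policy.json
az dataprotection backup-policy create --backup-policy-name MyBlobPolicy --policy policy.json --vault-name MyBackupVault --resource-group MyRG
# List recovery points (MyBackupInstance is a placeholder for the backup instance created for MyStorageAccount)
az dataprotection recovery-point list --backup-instance-name MyBackupInstance --vault-name MyBackupVault --resource-group MyRG
Using PowerShell: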
New-AzDataProtectionBackupVault -SubscriptionId $subId -ResourceGroupName MyRG -VaultName MyBackupVault -Location westus -StorageSetting @{type="LocallyRedundant"; datastoreType="VaultStore"}
Update-AzDataProtectionBackupVault -SubscriptionId $subId -ResourceGroupName MyRG -VaultName MyBackupVault -SoftDeleteState "On"
How It Interacts with Related Technologies
Azure Policy: You can enforce backup policies across subscriptions using Azure Policy. For example, require that all storage accounts have backup configured.
Azure Monitor: Backup health, job status, and storage metrics are sent to Azure Monitor. Alerts can be configured for failures.
Azure Key Vault: Required for CMK. The vault must have a system-assigned managed identity with Get, UnwrapKey, and WrapKey permissions on the key in Key Vault.
Azure Private Link: Allows Backup Vault to be accessed via private endpoints, ensuring traffic never traverses the public internet.
Azure Lighthouse: Managed service providers can manage backup vaults across multiple tenants.
Design Considerations
RPO and RTO: For blob operational backups, RPO is 1 hour (snapshot frequency), RTO is minutes (restore from snapshot). For vaulted backups, RPO is 1 day (daily backup), RTO is hours (copy from vault).
Cost: Vaulted backup storage is more expensive than operational snapshots. Use operational backups for short-term recovery and vaulted for long-term retention.
Compliance: Enable immutability and CRR for regulatory requirements.
Security: Use private endpoints and CMK for sensitive data. Disable public network access if not needed.
Exam Traps
Confusing Backup Vault with Recovery Services Vault: The exam tests scenarios where Backup Vault is required (e.g., Azure Database for PostgreSQL) vs. RSV (e.g., Azure VMs).
Soft Delete vs. Immutability: Soft delete only delays deletion; immutability prevents deletion until retention expires. Both can be used together.
CRR Availability: CRR is only available for vaulted backups, not operational backups.
Storage Redundancy Change: Cannot be changed after vault creation; must plan ahead.
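The difference between soft delete and immutability is easiest to see on a timeline. The following is an added example, not code from the original page or from Azure: a simplified model of the rules stated above (14-day soft delete window, no deletion of an immutable recovery point before its retention expiry), with class and function names invented for illustration and constructed dates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SOFT_DELETE_WINDOW = timedelta(days=14)  # default stated on the page


@dataclass
class RecoveryPoint:
    expires: datetime                      # retention expiry from the backup policy
    deleted_at: Optional[datetime] = None  # set when a delete request is accepted


class VaultModel:
    """Simplified model of the page's rules; not Azure Backup's implementation."""

    def __init__(self, soft_delete=True, immutable=False):
        self.soft_delete = soft_delete
        self.immutable = immutable

    def delete(self, rp, now):
        """Handle a delete request and return the outcome as a string."""
        if self.immutable and now < rp.expires:
            return "blocked"          # immutability: no deletion before expiry
        rp.deleted_at = now
        return "soft-deleted" if self.soft_delete else "purged"

    def state(self, rp, now):
        """State of the recovery point as seen at time `now`."""
        if rp.deleted_at is None:
            return "available"
        if self.soft_delete and now < rp.deleted_at + SOFT_DELETE_WINDOW:
            return "soft-deleted"     # still recoverable
        return "purged"

    def undelete(self, rp, now):
        """Recover a soft-deleted point; fails once the window has passed."""
        if self.state(rp, now) != "soft-deleted":
            return False
        rp.deleted_at = None
        return True


def timeline(soft_delete, immutable):
    """Delete on day 10 of a 30-day retention, then look again on days 20 and 30."""
    t0 = datetime(2024, 1, 1)  # constructed date
    rp = RecoveryPoint(expires=t0 + timedelta(days=30))
    vault = VaultModel(soft_delete, immutable)
    outcome = vault.delete(rp, t0 + timedelta(days=10))
    return (outcome,
            vault.state(rp, t0 + timedelta(days=20)),
            vault.state(rp, t0 + timedelta(days=30)))


if __name__ == "__main__":
    for sd, imm in [(False, False), (True, False), (True, True)]:
        print(f"soft_delete={sd} immutable={imm} ->", timeline(sd, imm))
```

With soft delete alone the point is still lost once the window closes; only the immutable vault still has it at day 30.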
Create the Backup Vault
In the Azure portal, navigate to Backup Center > Vaults > + Backup Vault. Provide a name, subscription, resource group, region, and storage redundancy (LRS, GRS, ZRS). Choose the vault type: Backup Vault (not Recovery Services Vault). The region should be the same as the workloads being backed up to minimize latency. After creation, configure properties like soft delete (default on) and immutability (off by default). Immutability, once enabled, cannot be reversed and locks the vault for a specified duration (up to 10 years). This step sets the foundation for all subsequent backup operations.
Configure Backup Policies
A backup policy defines the schedule and retention rules. For each workload type (blob, disk, PostgreSQL, AKS), create a policy with appropriate frequency (e.g., daily for vaulted) and retention (e.g., 30 days daily, 12 monthly, 7 yearly). Policies are attached to backup instances. For blob vaulted, the schedule can be set to run at a specific time (e.g., 2:00 AM UTC). Retention rules are cumulative: a recovery point can be kept for multiple durations (e.g., daily and weekly). The policy must be in the same region as the vault.
Assign RBAC Roles
Grant permissions to users or service principals to manage backups. The built-in roles are: Backup Contributor (full backup management), Backup Operator (can backup but not delete or change policies), Backup Reader (read-only). For CMK, the vault's managed identity needs Key Vault Crypto Service Encryption User role on the key. Also, the source resources (e.g., storage account) must have the Backup Contributor role assigned to the vault's managed identity to allow data transfer. This step ensures least privilege and secure operations.
Configure Security Settings
Enable soft delete (default) to protect against accidental deletion. Optionally enable immutability for compliance – once enabled, it prevents deletion of recovery points before their expiry. For encryption, choose between PMK and CMK. If CMK, select the key vault and key. Also configure network access: either public (with firewall rules) or private endpoints. Private endpoints require a DNS configuration to resolve the vault's private IP. Security settings should align with organizational policies and regulatory requirements.
Create Backup Instances
For each workload (e.g., an Azure Storage account for blob backup), create a backup instance. Select the source resource, the backup policy, and optionally configure CRR for vaulted backups. The vault's managed identity must have appropriate permissions on the source (e.g., Storage Account Backup Contributor role). The initial backup will run according to the policy schedule. For blob operational backups, a snapshot is taken immediately; for vaulted, the first backup runs at the scheduled time. Monitor the backup job status in Backup Center.
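Once the steps above are done, the resulting vault settings can be checked against the design rules on this page (soft delete on with at least 14 days, immutability locked where compliance requires it, CRR only with geo-redundant storage, CMK backed by a managed identity). This is an added example, not from the original page or from Microsoft; the sample JSON is constructed, and its property paths and the finding names are assumptions to confirm against the JSON your own tooling exports.

```python
import json

# Constructed sample, shaped like a Backup Vault resource exported as JSON.
# The property paths are assumptions for illustration; confirm them against
# the JSON your own tooling returns before relying on this check.
SAMPLE_VAULT = json.loads("""
{
  "name": "MyBackupVault",
  "identity": {"type": "SystemAssigned"},
  "properties": {
    "storageSettings": [{"datastoreType": "VaultStore", "type": "LocallyRedundant"}],
    "securitySettings": {
      "softDeleteSettings": {"state": "On", "retentionDurationInDays": 14},
      "immutabilitySettings": {"state": "Disabled"}
    },
    "featureSettings": {"crossRegionRestoreSettings": {"state": "Enabled"}}
  }
}
""")


def _get(doc, path, default=None):
    """Walk a dotted path through nested dicts, returning default if absent."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return default
        doc = doc[key]
    return doc


def audit_vault(vault, require_immutability=False, require_cmk=False):
    """Return (finding_id, message) pairs for settings that break the design rules."""
    findings = []
    props = vault.get("properties", {})

    soft_delete = _get(props, "securitySettings.softDeleteSettings.state", "Off")
    days = _get(props, "securitySettings.softDeleteSettings.retentionDurationInDays", 0)
    if soft_delete == "Off":
        findings.append(("soft-delete-off", "soft delete is disabled"))
    elif days < 14:
        findings.append(("soft-delete-short", f"soft delete retention is {days} days"))

    immutability = _get(props, "securitySettings.immutabilitySettings.state", "Disabled")
    if require_immutability and immutability != "Locked":
        findings.append(("immutability-not-locked", f"immutability state is {immutability}"))

    # CRR depends on geo-redundant storage, which is fixed at vault creation.
    redundancy = {s.get("type", "unknown") for s in props.get("storageSettings", [])}
    crr = _get(props, "featureSettings.crossRegionRestoreSettings.state", "Disabled")
    if crr == "Enabled" and "GeoRedundant" not in redundancy:
        findings.append(("crr-without-grs", f"CRR enabled but redundancy is {sorted(redundancy)}"))

    if require_cmk:
        # CMK needs a vault identity that can be granted access to the key.
        if "SystemAssigned" not in (_get(vault, "identity.type") or ""):
            findings.append(("cmk-no-identity", "no system-assigned managed identity"))
        if not _get(props, "securitySettings.encryptionSettings.keyVaultProperties.keyUri"):
            findings.append(("cmk-missing-key", "no customer-managed key configured"))
    return findings


if __name__ == "__main__":
    for finding_id, message in audit_vault(SAMPLE_VAULT, True, True):
        print(f"{finding_id}: {message}")
```

The CRR finding matters most at design time, because fixing it means recreating the vault with different redundancy.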
Enterprise Scenario 1: Financial Services Compliance
A multinational bank must retain transaction logs stored in Azure Blob Storage for 7 years to meet regulatory requirements. They use Azure Backup Vault with vaulted backups set to daily with a 7-year yearly retention. Immutability is enabled to prevent tampering, and CRR replicates backups to a paired region for disaster recovery. The vault uses CMK stored in a managed HSM (Hardware Security Module) to satisfy key sovereignty. Private endpoints are configured to ensure backup traffic never leaves the corporate network. The bank monitors backup health via Azure Monitor and sets alerts for any failures. A common issue is that the vault's managed identity lacks permissions on the key vault, causing backup failures. They resolved this by assigning the 'Key Vault Crypto Service Encryption User' role at the key scope.
Enterprise Scenario 2: E-commerce Platform with AKS
An e-commerce company runs containerized applications on AKS. They use Azure Backup Vault to back up persistent volumes and application state via the Backup Extension. They configure a daily backup policy with 30-day retention. The backup extension is deployed on the AKS cluster with a managed identity that has permissions to read the cluster and write to the vault. They also enable operational backups for the AKS cluster's etcd data. A challenge they faced was that the backup extension's pod could not pull images from a private container registry; they had to grant ACR pull permissions. They also use Azure Backup's restore capabilities to quickly spin up a new cluster in a different region for disaster recovery testing.
Scenario 3: Healthcare with Azure Database for PostgreSQL
A healthcare provider uses Azure Database for PostgreSQL (Single Server) for patient data. They use Azure Backup Vault for long-term retention of database backups. They configure a weekly full backup with monthly retention for 1 year. To meet HIPAA compliance, they enable soft delete and immutability. They also use CRR to replicate backups to a secondary region. A common misconfiguration is that the vault's storage redundancy is set to LRS, but they needed GRS for cross-region failover. They had to recreate the vault with GRS. They also learned that the vault's backup policy cannot be changed after creation for PostgreSQL; they had to create a new policy and attach it.
What AZ-305 Tests on Backup Vault Design
The AZ-305 exam objective 3.1 (Design for Business Continuity) includes designing backup solutions. Specifically, you must know:
When to use Backup Vault vs. Recovery Services Vault.
How to configure backup policies for different workloads (blob, disk, PostgreSQL, AKS).
Security features: soft delete (14-day default), immutability (up to 10 years), encryption (PMK/CMK).
Cross-region restore (CRR) only for vaulted backups.
Storage redundancy options (LRS, GRS, ZRS) and that they are set at vault creation and cannot be changed.
RBAC roles: Backup Contributor, Operator, Reader.
Common Wrong Answers on Exam Questions
Using Recovery Services Vault for Azure Database for PostgreSQL backups: Candidates often assume RSV is the default vault for all backups. The exam tests that PostgreSQL (Single Server) uses Backup Vault. Wrong answer: 'Create a Recovery Services Vault.' Correct: 'Create a Backup Vault.'
Enabling CRR for operational blob backups: Operational backups are snapshots within the same region; CRR is only for vaulted backups. Candidates might select CRR for operational because they think it's a global feature.
Changing storage redundancy after vault creation: Many believe you can update redundancy settings. The exam tests that you cannot; you must create a new vault.
Soft delete vs. immutability: Candidates may think soft delete prevents deletion entirely. Soft delete only delays deletion by 14 days; immutability prevents deletion until retention expires.
Specific Numbers and Terms
Soft delete retention: 14 days (default).
Immutability maximum duration: 10 years.
Backup vault supports: Azure Blob (operational and vaulted), Azure Disks (snapshot and vaulted), Azure Database for PostgreSQL (Single Server), AKS.
CRR is available for: vaulted backups of blobs and disks.
Storage redundancy options: LRS, GRS, ZRS (set at creation).
Edge Cases and Exceptions
If you enable immutability, you cannot disable it. Plan carefully.
For AKS backups, the Backup Extension must be installed on the cluster.
Backup vault does not support Azure Files; use RSV for that.
For PostgreSQL, only single server is supported; flexible server is not.
Backup vault can be deleted only after removing all backup instances and disabling soft delete (if enabled).
How to Eliminate Wrong Answers
If the question mentions 'long-term retention' or 'compliance' and the workload is blob or disk, look for Backup Vault with immutability.
If the question says 'operational backup' for blob, it means snapshot-only; do not select CRR.
If the question asks about 'replication to paired region', only vaulted backups support CRR.
Always check the workload type: VM? -> RSV. Blob? -> Backup Vault. PostgreSQL? -> Backup Vault.
Backup Vault is used for Azure Blob, Azure Disks, PostgreSQL (Single Server), and AKS backups.
Soft delete is enabled by default with a 14-day retention period.
Immutability can be enabled at vault creation (up to 10 years) and cannot be disabled.
Cross-Region Restore is only available for vaulted backups (not operational).
Storage redundancy (LRS, GRS, ZRS) is set at vault creation and cannot be changed.
RBAC roles: Backup Contributor, Backup Operator, Backup Reader.
Backup Vault supports private endpoints for secure connectivity.
For CMK, the vault's managed identity needs Key Vault Crypto Service Encryption User permissions.
These come up on the exam all the time. Here's how to tell them apart.
Backup Vault
Supports Azure Blob (operational and vaulted), Azure Disks, PostgreSQL (Single Server), AKS
Uses modern ARM-based management
Supports immutability (up to 10 years)
Supports Cross-Region Restore for vaulted backups
Encryption at rest with PMK or CMK
Recovery Services Vault
Supports Azure VMs, SQL Server in Azure VMs, SAP HANA, Azure Files
Uses classic management with MARS agent
Does not support immutability at vault level
Supports Cross-Region Restore for VMs and SQL/SAP HANA
Encryption at rest with PMK or CMK (but different implementation)
Mistake
Backup Vault and Recovery Services Vault are interchangeable for all workloads.
Correct
Backup Vault supports Azure Blob, Azure Disks, PostgreSQL (Single Server), and AKS. Recovery Services Vault supports Azure VMs, SQL Server in Azure VMs, SAP HANA, and Azure Files. Using the wrong vault type results in unsupported configurations.
Mistake
Soft delete and immutability are the same thing.
Correct
Soft delete retains deleted recovery points for 14 days (default) before permanent deletion, allowing recovery. Immutability prevents deletion of recovery points before their retention expiry, even by administrators. They are complementary but serve different purposes.
Mistake
Cross-region restore is available for all backup types in Backup Vault.
Correct
CRR is only available for vaulted backups (blob and disk). Operational backups (snapshots) are stored locally and cannot be restored to another region. For CRR, you must enable it at vault creation and use GRS storage.
Mistake
You can change storage redundancy after creating a Backup Vault.
Correct
Storage redundancy (LRS, GRS, ZRS) is set at vault creation and cannot be changed later. To use a different redundancy, you must create a new vault and migrate backups.
Mistake
Backup Vault supports Azure Files backups.
Correct
Azure Files backups are supported only by Recovery Services Vault, not Backup Vault. Backup Vault is for blob, disk, PostgreSQL, and AKS workloads.
Azure Backup Vault supports Azure Blob (operational and vaulted backups), Azure Disks (snapshot and vaulted), Azure Database for PostgreSQL (Single Server), and Azure Kubernetes Service (AKS) via the Backup Extension. It does not support Azure VMs, Azure Files, SQL Server, or SAP HANA – those use Recovery Services Vault. For the exam, remember that Backup Vault is for newer workload types; RSV is for classic workloads.
No. Cross-Region Restore (CRR) is only available for vaulted backups in Backup Vault. Operational blob backups are snapshots stored in the same region as the source storage account. To use CRR, you must configure vaulted backups with GRS storage. On the exam, if a question asks for CRR, ensure the backup type is vaulted, not operational.
Soft delete retains deleted recovery points for 14 days (default) before permanent deletion, allowing recovery during that window. Immutability prevents deletion of recovery points before their scheduled retention expiry, even if someone attempts to delete them. Both can be used together. Immutability is often required for compliance (e.g., SEC 17a-4). On the exam, know that soft delete is reversible (can be disabled), while immutability cannot be disabled once enabled.
You cannot change the storage redundancy (LRS, GRS, ZRS) after the vault is created. You must create a new vault with the desired redundancy and migrate your backup policies and instances. This is a common exam trap: always plan redundancy at creation time. For exam questions, if a scenario requires GRS but the vault is LRS, the correct answer is to create a new vault.
Yes, you can use CMK for encryption at rest. You must provide an Azure Key Vault key and grant the vault's system-assigned managed identity the 'Key Vault Crypto Service Encryption User' role on that key. The vault will use that key to encrypt all backup data. If you use CMK, you are responsible for key rotation and access management. The exam may test that CMK is supported and requires Key Vault permissions.
To delete a Backup Vault, you must first delete all backup instances (which removes recovery points) and disable soft delete (if enabled). If immutability is enabled, you must wait until all recovery points expire (or delete them if allowed by policy). Once no resources remain, you can delete the vault. This process ensures no accidental data loss. On the exam, know that soft delete must be disabled before deletion.
The built-in roles are: Backup Contributor (full management), Backup Operator (can perform backups but not delete or change policies), and Backup Reader (read-only access). For CMK, additional permissions on Key Vault are needed. For the exam, remember that Backup Contributor is the most permissive role for backup management.