This chapter covers Azure Backup, a core service for protecting data in the cloud. As part of Domain 2 (Azure Architecture Services), Objective 2.1 (Identify Azure services for backup and disaster recovery), Azure Backup is a frequently tested topic on the AZ-900 exam. This objective area carries approximately 15-20% of the exam weight, so understanding backup mechanisms, Recovery Services vaults, and backup policies is essential. We'll explore what Azure Backup is, how it works, its components, step-by-step configuration, real-world scenarios, and exam-focused tips to help you ace the questions.
Jump to a section
Imagine you're a business owner with a physical safe in your office containing all your critical documents—customer contracts, financial records, employee files. One night, a fire destroys your office. The safe is ruined, and all documents are lost. That's a disaster. Now, consider this: instead of just one safe, you hire a professional vault service like Fort Knox. They take a copy of every document, store it in a fireproof, bombproof underground vault hundreds of miles away, and test the retrieval process monthly. If your office safe is ever compromised, you simply call Fort Knox, and they deliver exact copies within hours. Azure Backup is that Fort Knox for your digital data. It automatically copies your data (from Azure VMs, SQL databases, file shares) to a separate, geo-redundant storage vault. You define a backup policy (how often, how long to keep copies), and Azure handles the copying, encryption, and periodic recovery testing. The mechanism: Azure Backup uses the Recovery Services vault as the secure storage container. For Azure VMs, it leverages snapshots and the Azure Backup extension to take application-consistent backups without shutting down the VM. Data is transferred over HTTPS and encrypted at rest using Azure Storage Service Encryption. You can restore entire VMs, individual files, or even perform cross-region restores. The key difference from a simple copy: backups are incremental after the first full backup, saving storage and time. The vault also provides monitoring, alerting, and compliance reporting. So, like Fort Knox, Azure Backup gives you peace of mind that your data is recoverable even if your primary location is destroyed.
What is Azure Backup and What Business Problem Does It Solve?
Azure Backup is a cloud-based backup service that protects your data from accidental deletion, corruption, ransomware, or disaster. It eliminates the need for on-premises backup infrastructure like tape drives, backup servers, or offsite storage. The core problem it solves: data loss. According to industry studies, 60% of companies that lose their data go out of business within six months. Azure Backup provides a simple, secure, and cost-effective way to ensure business continuity.
How Does Azure Backup Work? Step-by-Step Mechanism
Recovery Services Vault: This is the central storage container for all backups. You create one per region. It stores backup data, policies, and monitoring information.
Backup Policy: Defines when backups occur (frequency) and how long they are retained (retention). For example, a policy might take a daily backup at 2 AM and keep it for 30 days, plus weekly backups kept for 12 weeks.
Backup Extension: For Azure VMs, Azure Backup installs an extension that coordinates with the VM's Volume Shadow Copy Service (VSS) on Windows or file system consistency on Linux to take application-consistent snapshots.
Initial Backup: The first backup is a full copy of the data. It transfers all data from the source to the vault. This can take time depending on data size and network bandwidth.
Incremental Backups: After the initial full backup, only changes (deltas) are transferred. This reduces storage and time significantly. Azure Backup uses block-level incremental backups, meaning it only sends changed blocks, not entire files.
Data Transfer and Encryption: Data is transferred over HTTPS and encrypted at rest using Azure Storage Service Encryption (SSE) with Microsoft-managed keys or customer-managed keys (CMK).
Restore: You can restore data to the original location or an alternate location. Restore options include: restore full VM, restore files/folders from VM backup, restore disks, or restore to a specific point in time.
Key Components, Tiers, and Pricing
Recovery Services Vault: The core container. Each vault can have multiple backup policies and protected items.
Backup Policy: Consists of schedule (frequency: daily/weekly) and retention (how long to keep daily, weekly, monthly, yearly backups).
Protected Items: The resources being backed up (Azure VMs, SQL Server in Azure VMs, SAP HANA, Azure Files, on-premises Windows servers via MARS agent, etc.).
Backup Storage: Data is stored in the vault. You can choose between Locally Redundant Storage (LRS), Geo-Redundant Storage (GRS), or Zone-Redundant Storage (ZRS). GRS is recommended for disaster recovery across regions.
Pricing: You pay for the protected instances (number of VMs, databases) and the storage consumed. There is no upfront cost. For Azure VMs, pricing is per protected instance per month plus storage. For example, backing up a standard 1 TB VM costs roughly $10-20/month depending on region.
Comparison to On-Premises Backup
Traditional on-premises backup requires:
Backup server software (e.g., System Center Data Protection Manager)
Tape drives or disk arrays
Offsite storage for disaster recovery
Manual rotation of tapes
Physical security
Azure Backup eliminates all of that. You pay only for what you use, scale automatically, and never worry about hardware failures or capacity planning. However, for very large datasets (e.g., 100+ TB), initial backup over the internet can be slow; Azure offers offline seeding using Azure Data Box.
Azure Portal and CLI Touchpoints
In the Azure portal, you find Azure Backup under 'Backup and Site Recovery' or by searching 'Recovery Services vaults'. Common CLI commands:
# Create a Recovery Services vault
az backup vault create --resource-group myRG --name myVault --location eastus
# Enable backup for a VM
az backup protection enable-for-vm --resource-group myRG --vault-name myVault --vm myVM --policy-name DefaultPolicy
# Trigger an on-demand backup
az backup item backup --resource-group myRG --vault-name myVault --container-name myVM --item-name myVM --retain-until 01-01-2026
# Restore a VM
az backup restore restore-disks --resource-group myRG --vault-name myVault --container-name myVM --item-name myVM --rp-name "2025-04-01 02:00:00" --storage-account myStoragePowerShell cmdlets are similar: New-AzRecoveryServicesVault, Enable-AzRecoveryServicesBackupProtection, Restore-AzRecoveryServicesBackupItem.
Concrete Business Scenarios
SMB with 5 VMs: A small business runs its line-of-business apps on Azure VMs. They configure daily backups with 30-day retention. If a VM is accidentally deleted, they can restore it within hours, avoiding days of downtime.
Enterprise with SQL Server: A company hosts a critical SQL Server database on an Azure VM. They use Azure Backup for SQL Server, which provides log backup every 15 minutes, allowing point-in-time recovery down to the second. This meets their RPO of 15 minutes.
Healthcare with Compliance: A hospital must retain patient records for 7 years. They configure yearly backups with 7-year retention. Azure Backup's long-term retention meets compliance without managing tapes.
Create a Recovery Services Vault
In the Azure portal, search for 'Recovery Services vaults' and click 'Create'. Choose a subscription, resource group, and vault name. Select a region (should be the same as your resources for lowest latency). Choose storage redundancy: LRS (low cost, single region), GRS (recommended for disaster recovery, replicates to paired region), or ZRS (zone-redundant). For exam: GRS is the default and most common. Click 'Review + Create' then 'Create'. Behind the scenes, Azure provisions a secure storage container with built-in replication. The vault name must be globally unique within your subscription. This vault will hold all backup data and policies.
Define a Backup Policy
In the vault, go to 'Backup policies' and click 'Add'. Choose workload type (e.g., Azure VM). You'll see a default policy (Daily at 2:00 AM, retain for 30 days). You can modify schedule: choose frequency (daily or weekly), time (up to 3 per day), and timezone. For retention, you can set daily retention (1-180 days), weekly (1-104 weeks), monthly (1-60 months), and yearly (1-20 years). The policy defines the Recovery Point Objective (RPO) — how much data loss is acceptable. For exam: know that you can have multiple policies per vault but each protected item uses one policy. The policy is applied at the time of enabling backup.
Enable Backup on a Resource
In the vault, go to 'Backup' under 'Getting Started'. Select 'Azure Virtual Machine' as workload, choose the VM(s) to protect, and select the backup policy. Click 'Enable Backup'. Azure then installs the backup extension on the VM (if not already present) and triggers the initial full backup. This initial backup may take hours depending on size. You can monitor progress in 'Backup jobs'. For SQL or SAP HANA, you need to register the database first. For on-premises servers, you download and install the MARS agent. Important: The VM must be running for the backup extension to work. If the VM is stopped, backups fail.
Monitor Backup Jobs and Alerts
Go to 'Backup jobs' in the vault to see all backup operations (initial, incremental, restore). Each job shows status, start time, duration, and data transferred. You can set up alerts in 'Alerts' to notify you via email when backups fail or succeed. Azure also provides a Backup Health dashboard showing overall protection status. For exam: know that backup failures can occur due to VM shutdown, network issues, or insufficient permissions. You can configure alerts for critical failures. Also, Azure Backup integrates with Azure Monitor for advanced logging.
Perform a Restore
To restore, go to 'Backup items' in the vault, select the protected item (e.g., VM), and click 'Restore VM'. Choose a restore point (from the list of recovery points). Options: 'Create new VM' (restores to a new VM with same configuration), 'Restore disks' (creates managed disks that you can attach to existing VM), or 'Replace existing' (overwrites the original VM — risky). You can also restore files/folders from a VM backup by mounting the restore point as a drive. For SQL, you can restore to a point in time. The restore process uses the backup data in the vault and creates resources in your subscription. Monitor progress in 'Backup jobs'. After restore, verify the data is correct.
Scenario 1: E-commerce Company Protecting Production VMs
An online retailer runs its web servers and database on Azure VMs. They configure Azure Backup with a policy of daily backups at 1 AM and weekly backups kept for 4 weeks. One day, a developer accidentally deletes a critical configuration file on a web server. They use Azure Backup's file-level restore to recover the file from the most recent backup in under 15 minutes, avoiding hours of manual reconfiguration. The team also sets up alerts so the IT manager receives an email if any backup fails. Cost: approximately $50/month for 3 VMs. If they had no backup, the cost of downtime could exceed $10,000 per hour.
Scenario 2: Financial Services with Long-Term Compliance
A bank must retain transaction records for 7 years to meet regulatory requirements. They use Azure Backup for SQL Server running on Azure VMs. They configure log backups every 15 minutes (RPO of 15 minutes) and full backups daily with 7-year yearly retention. This allows point-in-time recovery to any second within the retention period. The bank's compliance team can generate reports showing backup frequency and retention. They also enable soft delete on the vault to protect against accidental or malicious deletion of backups. The cost: higher due to log backup frequency and long retention, but still cheaper than tape storage.
Scenario 3: Healthcare Provider with Cross-Region Disaster Recovery
A hospital uses Azure Backup with GRS storage to protect patient data. They have a primary datacenter in East US and replicate backups to West US (paired region). If a regional outage occurs, they can restore VMs and databases in West US using the replicated data. They test disaster recovery quarterly by performing a restore to a test environment. Common mistake: forgetting to enable GRS at vault creation (cannot be changed later). They also use Azure Site Recovery (ASR) for replication of entire workloads, but Azure Backup provides the long-term backup for compliance. Cost: GRS storage is about 2x the cost of LRS, but provides essential geo-redundancy.
What Goes Wrong When Set Up Incorrectly?
Incorrect policy: Setting too short retention (e.g., 1 day) may lose data needed for compliance.
VM not running: Backups fail if VM is stopped; missed backups create gaps in protection.
Insufficient permissions: The backup extension needs appropriate IAM roles; if missing, backup fails silently.
No alerts: A backup failure goes unnoticed, leading to data loss.
Wrong storage redundancy: Choosing LRS when GRS is needed for DR means data cannot be restored in a different region.
Exactly What AZ-900 Tests on This Objective (2.1)
The AZ-900 exam objective 2.1 states: 'Identify Azure services for backup and disaster recovery.' Questions focus on:
Purpose of Azure Backup vs. Azure Site Recovery (ASR).
Components: Recovery Services vault, backup policy, protected items.
Storage redundancy options: LRS, GRS, ZRS.
Supported workloads: Azure VMs, SQL, SAP HANA, Azure Files, on-premises (via MARS).
Backup types: full, incremental, log (for SQL).
RPO and RTO concepts.
Common Wrong Answers and Why Candidates Choose Them
'Azure Backup replicates data in real-time to another region.' Wrong because Azure Backup is not real-time; it's scheduled (e.g., daily). Real-time replication is Azure Site Recovery. Candidates confuse backup (point-in-time copies) with replication (continuous sync).
'Backup data is stored in the same storage account as the source VM.' Wrong. Backup data goes to a Recovery Services vault, a separate secure container. Candidates think it's just another blob container.
'You can use Azure Backup to migrate VMs to another region.' Wrong. Azure Backup is for restore, not migration. For migration, use Azure Migrate or ASR.
'Backup policies can be changed after enabling backup without affecting existing recovery points.' Partially true: you can change policy, but retention changes affect new backups only; existing points retain their original retention. Candidates think changes apply retroactively.
Specific Terms and Values That Appear Verbatim
Recovery Services vault: The only container name for backups.
GRS (Geo-Redundant Storage): The default and most recommended redundancy.
Initial backup is a full backup: Subsequent backups are incremental.
Maximum retention: 99 years for yearly retention (but practical limit is 20 years in portal).
Soft delete: Enabled by default, retains backups for 14 days after deletion.
Edge Cases and Tricky Distinctions
Azure Backup vs. Azure Site Recovery: Backup is for long-term retention and point-in-time recovery; ASR is for short-term replication and failover during disasters. Both are used together for complete DR.
Backup of Azure Files: Azure Backup can protect Azure file shares; this is different from file share snapshots.
On-premises backup: Azure Backup can protect on-premises Windows servers using the MARS agent, but it requires internet connectivity.
Cross-region restore: Only possible if the vault uses GRS and you enable cross-region restore setting.
Memory Trick or Decision Tree
Decision tree for backup questions: - Need to restore a file from 3 weeks ago? → Azure Backup. - Need to failover to another region in minutes? → Azure Site Recovery. - Need both? → Use both.
Mnemonic for backup types: 'F I L' (Full, Incremental, Log) – Full first, then Incremental for VMs, plus Log for SQL databases.
Azure Backup stores data in a Recovery Services vault, not in the source resource's storage.
Initial backup is a full backup; subsequent backups are incremental (block-level).
Storage redundancy options: LRS (single region), GRS (geo-redundant, default), ZRS (zone-redundant).
Backup policies define schedule (daily/weekly) and retention (daily, weekly, monthly, yearly up to 99 years).
Supported workloads: Azure VMs, SQL/SAP HANA in Azure VMs, Azure Files, and on-premises Windows servers (MARS agent).
Soft delete is enabled by default, retaining deleted backup data for 14 days.
Azure Backup is for point-in-time recovery; Azure Site Recovery is for continuous replication and failover.
Cross-region restore is only possible with GRS and enabling the cross-region restore setting.
These come up on the exam all the time. Here's how to tell them apart.
Azure Backup
Purpose: Long-term data retention and point-in-time recovery
Recovery Point Objective (RPO): Typically hours (daily backups) or minutes (SQL log backups)
Recovery Time Objective (RTO): Hours to days (restore time depends on data size)
Data replication: Periodic (scheduled backups) to Recovery Services vault
Use case: Protect against accidental deletion, corruption, ransomware, compliance
Azure Site Recovery (ASR)
Purpose: Disaster recovery and business continuity with failover
RPO: Seconds to minutes (continuous replication)
RTO: Minutes (automated failover to secondary region)
Data replication: Continuous replication to paired region (Azure-to-Azure)
Use case: Protect against regional outages, planned failover for maintenance
Mistake
Azure Backup automatically replicates data to another region.
Correct
Only if you choose GRS storage at vault creation. LRS keeps data only in the primary region. Replication is not automatic; you must select it.
Mistake
Azure Backup can back up any Azure service.
Correct
It supports specific workloads: Azure VMs, SQL/SAP HANA in VMs, Azure Files, and on-premises Windows servers (via MARS). It does not natively back up Azure App Service, Azure Functions, or Azure SQL Database (use built-in backups for those).
Mistake
Backups are real-time and continuous.
Correct
Backups are scheduled (daily/weekly) or triggered on-demand. Only SQL log backups can be as frequent as every 15 minutes, but not continuous real-time.
Mistake
You can restore a VM to a different region even with LRS storage.
Correct
Cross-region restore requires GRS and the cross-region restore setting enabled. LRS does not allow restoration to another region.
Mistake
Deleting a Recovery Services vault immediately deletes all backup data.
Correct
Soft delete is enabled by default: after deletion, backup data is retained for 14 days. You can recover the vault and data within that period.
A Recovery Services vault is a storage container in Azure that holds backup data, backup policies, and monitoring information. It is the central entity for managing Azure Backup. You create one per region, and it stores all backups for protected items like VMs, SQL databases, and Azure Files. The vault also provides access to restore operations and backup job monitoring. For the exam, remember that the vault is the target for backup data, not the source.
Azure Backup is for long-term data protection and point-in-time recovery, with scheduled backups (e.g., daily) and retention up to years. Azure Site Recovery (ASR) is for disaster recovery, providing continuous replication to another region with automatic failover. Backup is used to recover from accidental deletion or corruption, while ASR is used to recover from a full regional outage. On the exam, if the scenario mentions 'disaster recovery' or 'failover', think ASR; if it mentions 'backup' or 'retention', think Azure Backup.
Yes, you can back up on-premises Windows servers to Azure Backup using the Microsoft Azure Recovery Services (MARS) agent. The agent is installed on the server, registers it with a Recovery Services vault, and then you can configure backup schedules and retention. The data is encrypted and transferred over HTTPS. For Linux on-premises, you can use Azure Backup Server (MABS) which supports Linux file servers. This is a common exam scenario: Azure Backup is not limited to Azure resources.
Soft delete is a security feature enabled by default on Recovery Services vaults. When you delete a backup item (or the vault itself), the backup data is not immediately purged. Instead, it is retained in a soft-deleted state for 14 days. During this period, you can recover the data by undeleting the backup item. After 14 days, the data is permanently deleted. This protects against accidental or malicious deletion. On the exam, know that soft delete is on by default and the retention period is 14 days.
To restore a single file, go to the Recovery Services vault, select the VM backup item, and choose 'File Recovery'. Azure will mount the selected recovery point as a drive on a temporary VM (or directly on the original VM if it's running). You can then browse the mounted drive and copy the file. After you're done, unmount the drive. This is a cost-effective way to recover individual files without restoring the entire VM. The exam may ask about file-level restore for VMs.
When you enable backup for an Azure VM, a default backup policy is applied: daily backup at 2:00 AM (local time of the vault region), with retention of 30 days. You can customize the policy. The default policy also includes weekly retention (12 weeks) and monthly retention (12 months) if you edit it. For the exam, know that the default schedule is daily and default retention is 30 days.
No, you cannot change the storage redundancy (LRS, GRS, ZRS) after the vault is created. You must choose the redundancy at creation time. If you need a different redundancy, you must create a new vault and reconfigure backups. This is a common exam trap: candidates think they can switch from LRS to GRS later. So, plan ahead: for disaster recovery, choose GRS from the start.
You've just covered Azure Backup Service — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?