A company wants to back up their Azure VMs (running Windows and Linux) to a Recovery Services vault. The backup data must be encrypted at rest using customer-managed keys. They also need to retain monthly backups for 5 years for compliance. Which configuration should they use?
Azure Backup supports customer-managed keys for encrypting backup data. Configure the Recovery Services vault with a customer-managed key from Key Vault and create a backup policy that includes daily and monthly retention points.
Why this answer
Option A is correct because Azure Backup supports encryption at rest using customer-managed keys (CMK) via Azure Disk Encryption or Azure Disk Encryption Set (DES) with a key vault. For long-term retention, the backup policy can be configured to retain monthly recovery points for up to 5 years, meeting compliance requirements. The Recovery Services vault stores encrypted backup data, and CMK ensures the customer controls the encryption keys.
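As an added example (not part of the original question or its answer key), the configuration described above expressed in Azure PowerShell. It assumes the Az modules, an existing Recovery Services vault and Key Vault; the resource names, key name and policy name are placeholders.

```powershell
# Added example, not from the question bank. rg-backup, rsv-prod,
# kv-backup-keys and backup-cmk are placeholder names.
$rg      = "rg-backup"
$vaultNm = "rsv-prod"
$kvName  = "kv-backup-keys"
$keyName = "backup-cmk"
$subId   = (Get-AzContext).Subscription.Id

# 1. The vault needs a managed identity so it can wrap/unwrap the key in Key Vault.
Update-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultNm -IdentityType SystemAssigned
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultNm

# 2. Keep the key recoverable: a purged key makes every recovery point unreadable,
#    so enable purge protection (soft delete is on by default) and grant the
#    vault identity only the key permissions it needs.
Update-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -EnablePurgeProtection
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $vault.Identity.PrincipalId `
    -PermissionsToKeys get,list,wrapKey,unwrapKey
$key = Get-AzKeyVaultKey -VaultName $kvName -Name $keyName

# 3. Point the vault at the customer-managed key (do this before protecting
#    items; CMK is a vault-level setting, not a per-disk ADE setting).
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID `
    -EncryptionKeyId $key.Id -KeyVaultSubscriptionId $subId

# 4. Backup policy: daily recovery points kept 30 days, monthly points kept
#    60 months, i.e. the 5-year compliance requirement.
$schPol = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM
$retPol = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM
$retPol.IsDailyScheduleEnabled = $true
$retPol.DailySchedule.DurationCountInDays = 30
$retPol.IsMonthlyScheduleEnabled = $true
$retPol.MonthlySchedule.DurationCountInMonths = 60
New-AzRecoveryServicesBackupProtectionPolicy -Name "vm-daily-monthly-5y" -WorkloadType AzureVM `
    -SchedulePolicy $schPol -RetentionPolicy $retPol -VaultId $vault.ID

# 5. Verify the vault encryption settings and the 60-month monthly retention.
Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
(Get-AzRecoveryServicesBackupProtectionPolicy -Name "vm-daily-monthly-5y" -VaultId $vault.ID
).RetentionPolicy.MonthlySchedule.DurationCountInMonths
```

Windows and Linux VMs are then associated with the same policy via Enable-AzRecoveryServicesBackupProtection; the vault-level key applies to both.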
Exam trap
The trap here is that candidates often confuse Azure Backup with Azure Site Recovery, or assume that platform-managed encryption (SSE) satisfies a customer-managed key requirement; only CMK via a key vault meets the compliance need for customer-controlled encryption keys.
How to eliminate wrong answers
Option B is wrong because it suggests using Azure Backup with Azure Site Recovery, which is for disaster recovery, not backup retention; Site Recovery does not support monthly retention for 5 years. Option C is wrong because it proposes using Azure Backup with Azure Storage Service Encryption (SSE) using platform-managed keys, which does not meet the customer-managed key requirement. Option D is wrong because it recommends using Azure Backup with Azure Disk Encryption (ADE) but without specifying a key vault for CMK, which is required for customer-managed keys; ADE alone uses Azure-managed keys unless a key vault is explicitly configured.