Azure

Azure Backup Complete Guide: RSV / Backup Vault, Policies, Immutable Backup & Cost Optimization

2026-05-24
NicheeLab Editorial Team

Azure Backup is a Microsoft managed service that centralizes backup for a wide range of workloads, including Azure VMs, Azure Files, Azure SQL DB / Managed Instance, SAP HANA, and Azure Blob. With ransomware defenses such as Immutable Backup and Multi-User Authorization, it enables secure operations and is a must-have in production. This article walks through vault selection, Backup Policy design, how each workload behaves, security features, and cost optimization.

Recovery Services Vault vs Backup Vault

ItemRecovery Services Vault (RSV)Backup Vault
IntroducedLong-standing2021 GA
Supported workloadsAzure VM, Files, SQL on VM, SAP HANA, on-premises, ASR (integrated DR)Azure Disk, Blob, PostgreSQL Flexible, AKS
Storage RedundancyGRS by defaultZRS as standard
Use caseTraditional workloads + DRNext-generation workloads

They are separate resources with separate management surfaces, and you pick one based on the workload. The Backup Center dashboard can display both vault types together.

Backup Policy Design

A Backup Policy is the combination of a backup schedule and a retention period.

Common patterns

  • Daily + 30-day retention: the standard for production VMs
  • GFS (Grandfather-Father-Son): Daily + Weekly (Sunday) + Monthly (1st day) + Yearly (Jan 1st), each with its own retention (7 days daily, 4 weeks weekly, 12 months monthly, 7 years yearly)
  • Every 6 hours + 7-day retention: for a 6-hour RPO

Two-tier architecture

  • Instant Restore Tier: Recovery points held as short-term snapshots, restorable instantly
  • Vault-standard Tier: Transferred to the vault for low-cost long-term retention

Policy tiers by business criticality

  • Tier 1 mission-critical: GFS + Cross-region Restore + Immutable + MUA
  • Tier 2 important: GFS
  • Tier 3 general: Daily + 30 days

How Azure VM Backup Works

Azure VM Backup runs through a VM extension (VMSnapshot).

Consistency Levels

LevelDescriptionUse case
Application ConsistentDB transaction consistency via VSS (Windows) / pre/post scripts (Linux)Highest quality; recommended for production
File System ConsistentOS file system consistencyMid-tier
Crash ConsistentEquivalent to a sudden power lossLowest level

Restore options

  • Full VM Restore: Creates a new resource group
  • Disk-only Restore: Attaches the disk to an existing VM
  • File Restore: Pulls individual files via iSCSI
  • Cross-region Restore: Restores to a different region (for regional outages)

Azure Backup for Blob

Went GA in 2022. Backs up Blob Storage at the container level.

TypeHow it worksRetentionCost
Operational BackupSoft Delete + Versioning + Change Feed enable point-in-time restoreUp to 360 daysLow
Vaulted BackupTransfers the entire container to a Backup VaultUp to 10 yearsHigh (long-term retention)

A typical configuration: Operational Backup 30 days (for instant restore) plus Vaulted Backup Weekly 4 weeks and Monthly 12 months. On storage accounts with massive blob counts, check the monthly cost in the Cost Estimator and tune retention carefully — unplanned Vaulted Backup can cause multi-million-yen monthly bills.

Ransomware Defense

Immutable Backup

  • Recovery points are stored immutably and cannot be deleted or modified
  • Time-based or indefinite lock
  • Even if attackers break in, they cannot destroy backups
  • Vault Soft Delete + Immutable provides two layers of defense

Multi-User Authorization (MUA)

  • Vault-level changes (shortening retention, deleting backups, deleting the vault) require a second approver
  • Blocks insider abuse and compromised account misuse
  • Implemented via a Resource Guard resource

For mission-critical production backups, both features are effectively mandatory and sit at the core of Microsoft's recommended Zero Trust Backup architecture.

Azure Files Backup

  • Supports both Azure Files Standard and Premium
  • Based on Share Snapshots, contained within the storage account (no vault transfer; low cost)
  • Retention up to 10 years
  • File / folder level restore is possible
  • Cross-region restore is achieved by combining with ASR

Azure SQL Backup

Azure SQL Database / Managed Instance comes with automated backup (PITR + LTR) as a standard feature, managed independently and not integrated with Azure Backup.

  • SQL on VM is covered by Azure Backup (RSV + SQL Agent VM Extension)
  • Azure SQL DB / MI uses automated backup (PITR 1-35 days + LTR up to 10 years), managed separately
  • See Azure SQL DB vCore Detailed Design for details

Cost Optimization

Major cost drivers

  • Protected Instance fees (per VM, per month)
  • Vault Storage fees (priced by LRS / GRS / ZRS / GZRS)
  • Instant Restore snapshot fees

Cost-reduction tactics

  1. Minimize retention to match real business requirements (kill excessive retention)
  2. Choose Vault Storage redundancy carefully (LRS < ZRS < GRS < GZRS)
  3. Shorten the Instant Restore Tier snapshot window (default 2 days)
  4. Enable Cross-region Restore only when needed
  5. Use Vaulted Backup (cheaper tier) for long-term retention
  6. Skip backups or use minimum frequency for non-production
  7. Reserved Capacity for Backup Storage (1- or 3-year commitment)

Backup Center Dashboard

  • Centralized visibility into backup health across the entire organization
  • Unified view across multiple vaults and multiple subscriptions
  • Lists failed backups, jobs, restore points, and compliance status
  • Integrates with Azure Monitor Alerts to notify the SOC
  • Automatically generates monthly backup reports

Operational Best Practices

  1. Production: GFS Policy + Immutable + MUA
  2. Tier policies by business criticality
  3. Use Cross-region Restore to handle regional outages
  4. Run periodic restore tests (at least twice a year)
  5. Run monthly reports and cost reviews in Backup Center
  6. Three layers of defense: Soft Delete + Immutable + MUA
  7. Forward backup events to Microsoft Sentinel
  8. Use Azure Policy to enforce backup coverage
  9. Optimize cost with Reserved Capacity
  10. Run disaster recovery drills (Cross-region Restore drills)

Related Certifications

Frequently Asked Questions

What is Azure Backup?

Azure Backup is a Microsoft managed service that centralizes backup for a wide range of workloads: Azure VMs, Azure Files, Azure SQL DB / Managed Instance, SAP HANA, Azure Blob, Azure Database for PostgreSQL, on-premises Windows / Linux, System Center DPM, and more. Everything is consolidated into a Recovery Services Vault or Backup Vault, and Backup Policies define backup frequency and retention in one place. The Backup Center dashboard surfaces backup health across the entire organization. Ransomware defenses include Soft Delete, Immutable Backup, and Multi-User Authorization (MUA). It is a must-have in production, sitting at the core of compliance audits and BCP / DR strategies.

What is the difference between Recovery Services Vault and Backup Vault?

Recovery Services Vault (RSV): the original vault, supporting both Azure Backup and Azure Site Recovery (ASR), covering a broad range of workloads (Azure VMs, Azure Files, SQL on VM, SAP HANA on VM, on-premises), defaulting to Geo-redundant Storage. Backup Vault: the next-generation vault that went GA in 2021, designed for newer workloads (Azure Disk, Azure Blob, Azure Database for PostgreSQL Flexible Server, Azure Kubernetes Service (AKS)) with Zone-redundant Storage as standard. They are separate resources with separate management surfaces, and you pick one based on the workload. New workloads keep landing on Backup Vault as GA expands; traditional workloads stay on RSV. The Backup Center dashboard can display both vault types together so you can manage backups across the entire organization from one pane.

How do you design Backup Policies?

A Backup Policy is a combination of a backup schedule and a retention period. Common patterns: 1) Daily Backup + 30-day retention (the standard for production VMs), 2) Daily + Weekly (Sunday) + Monthly (1st of month) + Yearly (Jan 1st), each with its own retention (7 days daily, 4 weeks weekly, 12 months monthly, 7 years yearly) for long-term retention (the GFS — Grandfather-Father-Son — rotation), 3) every 6 hours + 7-day retention (for a 6-hour RPO). The architecture is a two-tier setup: Instant Restore Tier (recovery points held as short-term snapshots for instant restore) plus Vault-standard Tier (transferred to the vault for low-cost long-term retention). Policies are defined at the vault level and can be applied across multiple vaults. In production, the standard is to tier policies by business criticality: Tier 1 mission-critical, Tier 2 important, Tier 3 general.

How does Azure VM Backup work?

Azure VM Backup runs through a VM extension (VMSnapshot). Application Consistent Backup uses VSS (Volume Shadow Copy Service) on Windows VMs and pre/post scripts on Linux VMs to guarantee DB / application transaction consistency. File System Consistent sits above Crash Consistent but below Application Consistent in quality. Crash Consistent is the lowest level, equivalent to a sudden power loss. The standard backup flow: 1) the VM extension takes a snapshot (Instant Restore Tier, fast because it stays in the same region as the disk), 2) the snapshot is transferred to the vault (compressed, encrypted, deduplicated), 3) it is stored as a recovery point. Restore options include Full VM Restore (creates a new resource group), Disk-only Restore (attaches the disk to an existing VM), and File Restore (mounts the recovery point via iSCSI to grab individual files). Cross-region Restore is also supported, enabling DR for regional outages.

How do you use Azure Backup for Blob?

Azure Backup for Blob went GA in 2022 and backs up Blob Storage at the container level. There are two flavors. Operational Backup: combines Soft Delete + Versioning + Change Feed to enable point-in-time container restore (up to 360 days), requires no vault, stays low-cost, and is managed inside the storage account. Vaulted Backup: transfers and stores the entire container in a Backup Vault, using vault storage for long-term retention (up to 10 years), supports Immutable Backup, and is a key ransomware defense. A typical configuration is Operational Backup 30 days (for instant restore) plus Vaulted Backup Weekly 4 weeks and Monthly 12 months (for long-term retention). On storage accounts with massive blob counts you must check monthly cost in the Cost Estimator and tune retention carefully — unplanned Vaulted Backup can balloon into multi-million-yen monthly bills.

What are Immutable Backup and Multi-User Authorization?

These are critical ransomware defenses. Immutable Backup: stores recovery points immutably so they can be neither deleted nor modified, with a time-based or indefinite lock — even an attacker who breaches the environment cannot destroy the backups. Combined with the vault's Soft Delete, this gives you two layers of defense. Multi-User Authorization (MUA): requires a second approver for sensitive vault-level changes (shortening retention, deleting backups, deleting the vault), blocking insider abuse and compromised account misuse. It is implemented through an Azure Resource Manager Resource Guard. Typical scenario: an attacker using a compromised account tries to delete backups — MUA blocks the request, and Immutable forces them to wait until the time lock expires. Both features are effectively mandatory for mission-critical production backups and form the core of Microsoft's recommended Zero Trust Backup architecture.

What is the cost optimization strategy?

The major cost drivers are: Protected Instance fees (per VM per month), Vault Storage fees (priced by LRS / GRS / ZRS / GZRS), and Instant Restore snapshot fees. Cost-reduction tactics: 1) minimize retention to match real business requirements (kill excessive retention), 2) choose vault storage redundancy carefully (LRS < ZRS < GRS < GZRS — use LRS for anything non-mission-critical), 3) shorten the Instant Restore Tier snapshot window (default is 2 days, tune to 1-3 days based on production needs), 4) enable Cross-region Restore only when needed (it incurs additional storage cost), 5) use Vaulted Backup (cheaper tier) for long-term retention, 6) skip backups or use minimum frequency for non-production, 7) buy Reserved Capacity for Backup Storage (1- or 3-year commitment) for a discount. In production, review cost trends monthly in Backup Center and keep tuning retention — this is what actually keeps the bill in check.

Which certifications cover Azure Backup?

AZ-104 (Administrator) is the headline certification for this topic, testing Azure Backup deeply in Domain 5 (Monitoring and maintenance, 10-15%). AZ-305 (Solutions Architect Expert) covers BCP / DR architecture design, DP-300 (DBA) covers SQL backup strategy, SC-100 (Cybersecurity Architect Expert) covers ransomware defense and Immutable Backup, and AZ-800 / AZ-801 (Windows Server Hybrid) covers hybrid backup. Backup is also a critical requirement for compliance frameworks (SOC2 Type II, ISO 27001), so the knowledge is needed across many organizational roles.

Related Articles & Technical Deep Dives

Azure SQL Database vs Managed Instance vs SQL on VM 完全比較|SQL Server プラットフォーム選定ガイド【2026 年版】

Azure 上の SQL Server プラットフォーム 3 選択肢 SQL Database・Managed Instance・SQL on VM を完全比較。互換性・機能差・サービスティア (GP/BC/Hyperscale)・vCore vs DTU・HADR・コスト・セキュリティを表形式で整理。関連認定試験 (DP-300 / AZ-305 / SC-100) を日本語で網羅。

Azure Policy 完全ガイド|Effect・Built-in/Custom・Initiative・Remediation・コンプライアンス【2026 年版】

Azure Policy の完全ガイド。Effect 7 種類 (Deny/Audit/Modify/DeployIfNotExists/Append/AuditIfNotExists/Disabled) の使い分け、Built-in vs Custom Policy、Initiative (Policy Set)、Assignment Scope、Remediation、Microsoft Cloud Security Benchmark コンプライアンス活用、関連認定試験 (AZ-104 / SC-100 / AZ-305) を日本語で網羅。

Azure Architect キャリアロードマップ|AZ-900 → AZ-305 → SC-100 シニアアーキテクトへの道【2026 年版】

Azure Solutions Architect になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-305 の王道ルート、AZ-400 / SC-100 / AZ-700 との二刀流 / 三刀流戦略、マルチクラウド対応 (AWS / GCP)、未経験から 7-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。

Azure Key Vault 完全ガイド|Secret/Key/Certificate 管理・Managed Identity 統合・セキュリティベストプラクティス【2026 年版】

Azure Key Vault の完全ガイド。Standard vs Premium vs Managed HSM ティア選定、Secret / Key / Certificate の使い分け、RBAC ベースアクセス制御、Managed Identity 統合 (シークレットレスアプリ)、Soft Delete / Purge Protection、Private Endpoint、Microsoft Defender for Key Vault、関連認定試験 (AZ-204 / SC-300 / SC-100) を日本語で網羅。

The technical information in this article is based on the Azure Backup Documentation. This article is not an official Microsoft Corporation product and has no partnership or sponsorship relationship with Microsoft. Microsoft and Azure are trademarks of the Microsoft group of companies. Information is based on official public materials as of May 24, 2026. Always check the official pages for the latest information.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.