Azure Backup is a Microsoft managed service that centralizes backup for a wide range of workloads, including Azure VMs, Azure Files, Azure SQL DB / Managed Instance, SAP HANA, and Azure Blob. With ransomware defenses such as Immutable Backup and Multi-User Authorization, it enables secure operations and is a must-have in production. This article walks through vault selection, Backup Policy design, how each workload behaves, security features, and cost optimization.
| Item | Recovery Services Vault (RSV) | Backup Vault |
|---|---|---|
| Introduced | Long-standing | 2021 GA |
| Supported workloads | Azure VM, Files, SQL on VM, SAP HANA, on-premises, ASR (integrated DR) | Azure Disk, Blob, PostgreSQL Flexible, AKS |
| Storage Redundancy | GRS by default | ZRS as standard |
| Use case | Traditional workloads + DR | Next-generation workloads |
They are separate resources with separate management surfaces, and you pick one based on the workload. The Backup Center dashboard can display both vault types together.
A Backup Policy is the combination of a backup schedule and a retention period.
Azure VM Backup runs through a VM extension (VMSnapshot).
| Level | Description | Use case |
|---|---|---|
| Application Consistent | DB transaction consistency via VSS (Windows) / pre/post scripts (Linux) | Highest quality; recommended for production |
| File System Consistent | OS file system consistency | Mid-tier |
| Crash Consistent | Equivalent to a sudden power loss | Lowest level |
Went GA in 2022. Backs up Blob Storage at the container level.
| Type | How it works | Retention | Cost |
|---|---|---|---|
| Operational Backup | Soft Delete + Versioning + Change Feed enable point-in-time restore | Up to 360 days | Low |
| Vaulted Backup | Transfers the entire container to a Backup Vault | Up to 10 years | High (long-term retention) |
A typical configuration: Operational Backup 30 days (for instant restore) plus Vaulted Backup Weekly 4 weeks and Monthly 12 months. On storage accounts with massive blob counts, check the monthly cost in the Cost Estimator and tune retention carefully — unplanned Vaulted Backup can cause multi-million-yen monthly bills.
For mission-critical production backups, both features are effectively mandatory and sit at the core of Microsoft's recommended Zero Trust Backup architecture.
Azure SQL Database / Managed Instance comes with automated backup (PITR + LTR) as a standard feature, managed independently and not integrated with Azure Backup.
What is Azure Backup?
Azure Backup is a Microsoft managed service that centralizes backup for a wide range of workloads: Azure VMs, Azure Files, Azure SQL DB / Managed Instance, SAP HANA, Azure Blob, Azure Database for PostgreSQL, on-premises Windows / Linux, System Center DPM, and more. Everything is consolidated into a Recovery Services Vault or Backup Vault, and Backup Policies define backup frequency and retention in one place. The Backup Center dashboard surfaces backup health across the entire organization. Ransomware defenses include Soft Delete, Immutable Backup, and Multi-User Authorization (MUA). It is a must-have in production, sitting at the core of compliance audits and BCP / DR strategies.
What is the difference between Recovery Services Vault and Backup Vault?
Recovery Services Vault (RSV): the original vault, supporting both Azure Backup and Azure Site Recovery (ASR), covering a broad range of workloads (Azure VMs, Azure Files, SQL on VM, SAP HANA on VM, on-premises), defaulting to Geo-redundant Storage. Backup Vault: the next-generation vault that went GA in 2021, designed for newer workloads (Azure Disk, Azure Blob, Azure Database for PostgreSQL Flexible Server, Azure Kubernetes Service (AKS)) with Zone-redundant Storage as standard. They are separate resources with separate management surfaces, and you pick one based on the workload. New workloads keep landing on Backup Vault as GA expands; traditional workloads stay on RSV. The Backup Center dashboard can display both vault types together so you can manage backups across the entire organization from one pane.
How do you design Backup Policies?
A Backup Policy is a combination of a backup schedule and a retention period. Common patterns: 1) Daily Backup + 30-day retention (the standard for production VMs), 2) Daily + Weekly (Sunday) + Monthly (1st of month) + Yearly (Jan 1st), each with its own retention (7 days daily, 4 weeks weekly, 12 months monthly, 7 years yearly) for long-term retention (the GFS — Grandfather-Father-Son — rotation), 3) every 6 hours + 7-day retention (for a 6-hour RPO). The architecture is a two-tier setup: Instant Restore Tier (recovery points held as short-term snapshots for instant restore) plus Vault-standard Tier (transferred to the vault for low-cost long-term retention). Policies are defined at the vault level and can be applied across multiple vaults. In production, the standard is to tier policies by business criticality: Tier 1 mission-critical, Tier 2 important, Tier 3 general.
How does Azure VM Backup work?
Azure VM Backup runs through a VM extension (VMSnapshot). Application Consistent Backup uses VSS (Volume Shadow Copy Service) on Windows VMs and pre/post scripts on Linux VMs to guarantee DB / application transaction consistency. File System Consistent sits above Crash Consistent but below Application Consistent in quality. Crash Consistent is the lowest level, equivalent to a sudden power loss. The standard backup flow: 1) the VM extension takes a snapshot (Instant Restore Tier, fast because it stays in the same region as the disk), 2) the snapshot is transferred to the vault (compressed, encrypted, deduplicated), 3) it is stored as a recovery point. Restore options include Full VM Restore (creates a new resource group), Disk-only Restore (attaches the disk to an existing VM), and File Restore (mounts the recovery point via iSCSI to grab individual files). Cross-region Restore is also supported, enabling DR for regional outages.
How do you use Azure Backup for Blob?
Azure Backup for Blob went GA in 2022 and backs up Blob Storage at the container level. There are two flavors. Operational Backup: combines Soft Delete + Versioning + Change Feed to enable point-in-time container restore (up to 360 days), requires no vault, stays low-cost, and is managed inside the storage account. Vaulted Backup: transfers and stores the entire container in a Backup Vault, using vault storage for long-term retention (up to 10 years), supports Immutable Backup, and is a key ransomware defense. A typical configuration is Operational Backup 30 days (for instant restore) plus Vaulted Backup Weekly 4 weeks and Monthly 12 months (for long-term retention). On storage accounts with massive blob counts you must check monthly cost in the Cost Estimator and tune retention carefully — unplanned Vaulted Backup can balloon into multi-million-yen monthly bills.
What are Immutable Backup and Multi-User Authorization?
These are critical ransomware defenses. Immutable Backup: stores recovery points immutably so they can be neither deleted nor modified, with a time-based or indefinite lock — even an attacker who breaches the environment cannot destroy the backups. Combined with the vault's Soft Delete, this gives you two layers of defense. Multi-User Authorization (MUA): requires a second approver for sensitive vault-level changes (shortening retention, deleting backups, deleting the vault), blocking insider abuse and compromised account misuse. It is implemented through an Azure Resource Manager Resource Guard. Typical scenario: an attacker using a compromised account tries to delete backups — MUA blocks the request, and Immutable forces them to wait until the time lock expires. Both features are effectively mandatory for mission-critical production backups and form the core of Microsoft's recommended Zero Trust Backup architecture.
What is the cost optimization strategy?
The major cost drivers are: Protected Instance fees (per VM per month), Vault Storage fees (priced by LRS / GRS / ZRS / GZRS), and Instant Restore snapshot fees. Cost-reduction tactics: 1) minimize retention to match real business requirements (kill excessive retention), 2) choose vault storage redundancy carefully (LRS < ZRS < GRS < GZRS — use LRS for anything non-mission-critical), 3) shorten the Instant Restore Tier snapshot window (default is 2 days, tune to 1-3 days based on production needs), 4) enable Cross-region Restore only when needed (it incurs additional storage cost), 5) use Vaulted Backup (cheaper tier) for long-term retention, 6) skip backups or use minimum frequency for non-production, 7) buy Reserved Capacity for Backup Storage (1- or 3-year commitment) for a discount. In production, review cost trends monthly in Backup Center and keep tuning retention — this is what actually keeps the bill in check.
Which certifications cover Azure Backup?
AZ-104 (Administrator) is the headline certification for this topic, testing Azure Backup deeply in Domain 5 (Monitoring and maintenance, 10-15%). AZ-305 (Solutions Architect Expert) covers BCP / DR architecture design, DP-300 (DBA) covers SQL backup strategy, SC-100 (Cybersecurity Architect Expert) covers ransomware defense and Immutable Backup, and AZ-800 / AZ-801 (Windows Server Hybrid) covers hybrid backup. Backup is also a critical requirement for compliance frameworks (SOC2 Type II, ISO 27001), so the knowledge is needed across many organizational roles.
Related Articles & Technical Deep Dives
Azure SQL Database vs Managed Instance vs SQL on VM 完全比較|SQL Server プラットフォーム選定ガイド【2026 年版】
Azure 上の SQL Server プラットフォーム 3 選択肢 SQL Database・Managed Instance・SQL on VM を完全比較。互換性・機能差・サービスティア (GP/BC/Hyperscale)・vCore vs DTU・HADR・コスト・セキュリティを表形式で整理。関連認定試験 (DP-300 / AZ-305 / SC-100) を日本語で網羅。
Azure Policy 完全ガイド|Effect・Built-in/Custom・Initiative・Remediation・コンプライアンス【2026 年版】
Azure Policy の完全ガイド。Effect 7 種類 (Deny/Audit/Modify/DeployIfNotExists/Append/AuditIfNotExists/Disabled) の使い分け、Built-in vs Custom Policy、Initiative (Policy Set)、Assignment Scope、Remediation、Microsoft Cloud Security Benchmark コンプライアンス活用、関連認定試験 (AZ-104 / SC-100 / AZ-305) を日本語で網羅。
Azure Architect キャリアロードマップ|AZ-900 → AZ-305 → SC-100 シニアアーキテクトへの道【2026 年版】
Azure Solutions Architect になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-305 の王道ルート、AZ-400 / SC-100 / AZ-700 との二刀流 / 三刀流戦略、マルチクラウド対応 (AWS / GCP)、未経験から 7-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。
Azure Key Vault 完全ガイド|Secret/Key/Certificate 管理・Managed Identity 統合・セキュリティベストプラクティス【2026 年版】
Azure Key Vault の完全ガイド。Standard vs Premium vs Managed HSM ティア選定、Secret / Key / Certificate の使い分け、RBAC ベースアクセス制御、Managed Identity 統合 (シークレットレスアプリ)、Soft Delete / Purge Protection、Private Endpoint、Microsoft Defender for Key Vault、関連認定試験 (AZ-204 / SC-300 / SC-100) を日本語で網羅。
The technical information in this article is based on the Azure Backup Documentation. This article is not an official Microsoft Corporation product and has no partnership or sponsorship relationship with Microsoft. Microsoft and Azure are trademarks of the Microsoft group of companies. Information is based on official public materials as of May 24, 2026. Always check the official pages for the latest information.
Practice with certification-focused question sets
View Azure exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...