Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article describes how to back up Azure virtual machines (VMs) in a Recovery Services vault by using Azure Backup.
In this article, you learn how to:
- Prepare Azure VMs.
- Create a vault.
- Discover VMs and configure a backup policy.
- Enable backup for Azure VMs.
- Run the initial backup.
Note
This article describes how to set up a vault and select VMs to back up. It's useful if you want to back up multiple VMs. Alternatively, you can back up a single Azure VM directly from the VM settings.
Before you start
- Review the Azure VM backup architecture.
- Learn about Azure VM backup and the backup extension.
- Review the support matrix before you configure backup.
In some circumstances, you might also need to install the VM agent on the VM. Azure Backup backs up Azure VMs by installing an extension to the Azure VM agent that runs on the machine. If your VM was created from an Azure Marketplace image, the agent is installed and running. If you create a custom VM or you migrate an on-premises machine, you might need to install the agent manually.
Note
The functionality described in the following sections can also be accessed via Backup center. Backup center is a single unified management experience in Azure. It enables enterprises to govern, monitor, operate, and analyze backups at scale. With this solution, you can perform most of the key backup management operations without being limited to the scope of an individual vault.
Create a Recovery Services vault
A Recovery Services vault is a management entity that stores recovery points that are created over time, and it provides an interface to perform backup-related operations. These operations include taking on-demand backups, performing restores, and creating backup policies.
To create a Recovery Services vault:
Sign in to the Azure portal.
Search for Backup center, and then go to the Backup center dashboard.
On the Overview pane, select Vault.
Select Recovery Services vault > Continue.
On the Recovery Services vault pane, enter the following values:
Subscription: Select the subscription to use. If you're a member of only one subscription, you'll see that name. If you're not sure which subscription to use, use the default subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription.
Resource group: Use an existing resource group or create a new one. To view a list of available resource groups in your subscription, select Use existing, and then select a resource in the dropdown list. To create a new resource group, select Create new, and then enter the name. For more information about resource groups, see Azure Resource Manager overview.
Vault name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least 2 but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.
Region: Select the geographic region for the vault. For you to create a vault to help protect any data source, the vault must be in the same region as the data source.
Important
If you're not sure of the location of your data source, close the window. Go to the list of your resources in the portal. If you have data sources in multiple regions, create a Recovery Services vault for each region. Create the vault in the first location before you create a vault in another location. There's no need to specify storage accounts to store the backup data. The Recovery Services vault and Azure Backup handle that automatically.
After providing the values, select Review + create.
To finish creating the Recovery Services vault, select Create.
It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper right. After the vault is created, it appears in the list of Recovery Services vaults. If the vault doesn't appear, select Refresh.
Note
Azure Backup now supports immutable vaults that help you ensure that recovery points once created can't be deleted before their expiry as per the backup policy. You can make the immutability irreversible for maximum protection to your backup data from various threats, including ransomware attacks and malicious actors. Learn more.
Modify storage replication
By default, vaults use geo-redundant storage (GRS):
- If the vault is your primary backup mechanism, we recommend that you use GRS.
- Locally redundant storage is a less-expensive option.
- Zone-redundant storage replicates your data in availability zones for data residency and resiliency in the same region.
To modify the storage replication type, follow these steps:
In the new vault, under Settings, select Properties.
On the Properties pane, under Backup Configuration, select Update.
Select the storage replication type, and then select Save.
You can't modify the storage replication type after the vault is set up and contains backup items. If you want to modify the type, you need to re-create the vault.
Apply a backup policy
To apply a backup policy to your Azure VMs, follow these steps:
Go to Backup center. On the Overview tab, select + Backup.
For Datasource type, select Azure Virtual machines, and select the vault that you created. Then select Continue.
Assign a backup policy.
The default policy backs up the VM once a day. The daily backups are retained for 30 days. Instant recovery snapshots are retained for two days.
If you don't want to use the default policy, select Create New, and create a custom policy as described in the next procedure.
Under Virtual Machines, select Add.
On the Select virtual machines pane, select the VMs that you want to back up by using the policy. Then select OK.
Only the selected VMs are validated.
Only VMs in the same region as the vault are eligible to select.
Only a single vault is used for backup for the VMs.
Note
- All the VMs in the same region and subscription as that of the vault are available to configure backup. When you configure backup, you can browse to the VM name and its resource group, even though you don't have the required permission on those VMs. If your VM is in a soft-deleted state, it doesn't appear in this list. If you need to reprotect the VM, wait for the soft-deleted period to expire. You can also restore the VM from the soft-deleted list. For more information, see Soft delete for VMs by using the Azure portal.
- To change the Recovery Services vault of a VM, stop the backup and then assign a new vault to the VM.
In Backup, select Enable backup. This action deploys the policy to the vault and the VMs and installs the backup extension on the VM agent that runs on the Azure VM.
After you enable backup:
- Azure Backup installs the backup extension irrespective of the VM's running state.
- An initial backup runs in accordance with your backup schedule.
- When backups run:
- A VM that's running has the greatest chance for capturing an application-consistent recovery point.
- Even if the VM is turned off, it's backed up. Such a VM is called an offline VM. In this case, the recovery point is crash consistent.
- Explicit outbound connectivity isn't required to allow backup of Azure VMs.
Create a custom policy
To create a new backup policy, fill in the following policy settings and then select OK:
Policy name: Specify a meaningful name.
Backup schedule: Specify the timing for backups. You can take daily or weekly backups for Azure VMs.
Instant restore: Specify how long you want to retain snapshots locally for Instant Restore:
- When you restore, backed up VM disks are copied from storage across the network to the recovery storage location. With Instant Restore, you can use locally stored snapshots taken during a backup job. You don't have to wait for transfer of backup data to the vault.
- You can retain snapshots for Instant Restore for one to five days. The default setting is two days.
Retention range: Specify how long you want to keep your daily or weekly backup points.
Retention of monthly backup point and Retention of yearly backup point: Specify whether you want to keep a monthly or yearly backup of your daily or weekly backups.
To store the restore point collection, Azure Backup creates a separate resource group. This resource group is different than the resource group of the VM. Learn more about resource groups for VMs.
Azure Backup doesn't support automatic clock adjustment for daylight-saving time changes for Azure VM backups. As time changes occur, modify backup policies manually as required.
If you want hourly backups, configure the Enhanced backup policy. For more information, see Back up an Azure VM by using the Enhanced policy.
Trigger the initial backup
The initial backup runs based on the schedule, but you can also run it immediately:
Go to Backup center and select the Backup Instances menu item.
For Datasource type, select Azure Virtual machines. Then search for the VM that you configured for backup.
Right-click the relevant row or select More (…), and then select Backup Now.
On Backup Now, use the calendar control to select the last day that the recovery point should be retained. Then select OK.
Monitor the portal notifications.
To monitor the job progress, go to Backup center > Backup Jobs and filter the list for jobs that are in progress. Depending on the size of your VM, creating the initial backup might take a while.
Verify the backup job status
The backup job details for each VM backup consist of two phases: Snapshot is followed by Transfer data to vault.
Snapshot: Ensures that the availability of a recovery point is stored along with the disks for Instant Restore and is available for a maximum of five days depending on the snapshot retention configured by the user.
Transfer data to vault: Creates a recovery point in the vault for long-term retention. Transfer data to vault starts only after Snapshot is finished.
Two subtasks run at the back end. One is for the front-end backup job that you can check on the Backup pane under Job Details.
Transfer data to vault can take multiple days to finish depending on the size of the disks, the churn per disk, and other factors.
Job status can vary depending on the following scenarios:
| Snapshot | Transfer data to vault | Job status |
|---|---|---|
| Completed | In progress | In progress |
| Completed | Skipped | Completed |
| Completed | Completed | Completed |
| Completed | Failed | Completed with warning |
| Failed | Failed | Failed |
Now with this capability, for the same VM, two backups can run in parallel. In either phase (Snapshot or Transfer data to vault), only one subtask can run. In scenarios where a backup job in progress might result in a failure of the next day's backup, this decoupling functionality avoids it. Subsequent days' backups can have the snapshot finished, while Transfer data to vault is skipped if an earlier day's backup job is in progress.
The incremental recovery point created in the vault captures all the churn from the most recent recovery point that was created in the vault. There's no cost impact for users.
Optional steps
Install the VM agent
Azure Backup backs up Azure VMs by installing an extension to the Azure VM agent that runs on the machine. If your VM was created from an Azure Marketplace image, the agent is installed and running. If you create a custom VM or you migrate an on-premises machine, you might need to install the agent manually, as summarized in the following table.
| VM | Details |
|---|---|
| Windows | 1. Download and install the agent MSI file. 2. Install with admin permissions on the machine. 3. Verify the installation. In C:\WindowsAzure\Packages on the VM, right-click WaAppAgent.exe > Properties. On the Details tab, Product Version should be 2.6.1198.718 or later. If you update the agent, make sure that no backup operations are running and reinstall the agent. |
| Linux | Install by using an RPM or a DEB package from your distribution's package repository. This method is preferred for installing and upgrading the Azure Linux agent. All the endorsed distribution providers integrate the Azure Linux agent package into their images and repositories. The agent is available on GitHub, but we don't recommend installing from there. If you update the agent, make sure that no backup operations are running and update the binaries. |
Related content
- Troubleshoot any issues with Azure VM agents or Azure VM backup.
- Restore Azure VMs.