Soft delete for Azure Backup

Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security features to help protect backup data even after deletion.

One such feature is soft delete. With soft delete, even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14-day retention of backup data in the "soft delete" state doesn't incur any cost to the customer.

Soft delete protection is available for these services:

This flow chart shows the different steps and states of a backup item when soft delete is enabled:


Enabling and disabling soft delete

Soft delete is enabled by default on newly created vaults to protect backup data from accidental or malicious deletes. Disabling this feature isn't recommended. The only circumstance where you should consider disabling soft delete is if you're planning on moving your protected items to a new vault and can't wait the 14 days required before deleting and reprotecting (such as in a test environment). Only the vault owner can disable this feature. If you disable this feature, all future deletions of protected items will result in immediate removal, without the ability to restore. Backup data that is already in the soft-deleted state when the feature is disabled remains soft deleted for the full 14 days. If you wish to permanently delete such items immediately, you need to undelete them and then delete them again.

It's important to remember that once soft delete is disabled, the feature is disabled for all types of workloads, including SQL Server and SAP HANA workloads. For example, once the SQL Server/SAP HANA preview is enabled for a subscription, it isn't possible to disable soft delete only for SQL Server or SAP HANA databases while keeping it enabled for virtual machines in the same vault. You can create separate vaults for granular control.
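Because soft delete is a vault-level setting that a vault owner can switch off, it's worth auditing it across a subscription. The following script is an added example (not code from the page or from the Az module's own documentation); it assumes Az.Accounts and Az.RecoveryServices 2.2.0 or later are installed, that Connect-AzAccount has been run, and that Get-AzRecoveryServicesVaultProperty is available in that module version to read the SoftDeleteFeatureState shown in the page's output.

```powershell
# Audit every Recovery Services vault in the current subscription and report
# the ones whose soft delete feature is not enabled. With -Remediate, the
# script re-enables soft delete on those vaults (it never disables anything).
param(
    [switch]$Remediate   # opt in to fixing non-compliant vaults
)

$findings = foreach ($vault in Get-AzRecoveryServicesVault) {
    # Same property bag the page's Set-AzRecoveryServicesVaultProperty call prints
    $props = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
    $state = $props.SoftDeleteFeatureState

    if ($state -ne 'Enabled') {
        if ($Remediate) {
            Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID `
                -SoftDeleteFeatureState Enable | Out-Null
        }
        [pscustomobject]@{
            Vault          = $vault.Name
            ResourceGroup  = $vault.ResourceGroupName
            SoftDelete     = $state
            Remediated     = [bool]$Remediate
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'All Recovery Services vaults in this subscription have soft delete enabled.'
}
```

Run it without -Remediate first to get a report; rerun with -Remediate only for vaults you own, since the page notes that only the vault owner can change the setting.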

Disabling soft delete using Azure portal

To disable soft delete, follow these steps:

  1. In the Azure portal, go to your vault, and then go to Settings -> Properties.
  2. In the Properties pane, select Security Settings -> Update.
  3. In the Security Settings pane, under Soft Delete, select Disable.


Disabling soft delete using Azure PowerShell

The minimum Az.RecoveryServices version required to manage soft delete from Azure PowerShell is 2.2.0. Use Install-Module -Name Az.RecoveryServices -Force to get the latest version.

To disable soft delete, use the Set-AzRecoveryServicesVaultProperty cmdlet.

Set-AzRecoveryServicesVaultProperty -VaultId $myVaultID -SoftDeleteFeatureState Disable

StorageModelType       :
StorageType            :
StorageTypeState       :
EnhancedSecurityState  : Enabled
SoftDeleteFeatureState : Disabled

Disabling soft delete using REST API

To disable the soft delete functionality using REST API, refer to the steps mentioned here.

Permanently deleting soft deleted backup items

Backup data that was already in the soft-deleted state before the feature was disabled remains soft deleted. If you wish to permanently delete these items immediately, undelete them and then delete them again.

Using Azure portal

Follow these steps:

  1. Follow the steps to disable soft delete.

  2. In the Azure portal, go to your vault, go to Backup Items, and choose the soft deleted item.

  3. Select the option Undelete.

  4. A window will appear. Select Undelete.

  5. Choose Delete backup data to permanently delete the backup data.

  6. Type the name of the backup item to confirm that you want to delete the recovery points.

  7. To delete the backup data for the item, select Delete. A notification message lets you know that the backup data has been deleted.

Using Azure PowerShell

If items were deleted before soft delete was disabled, they will be in a soft-deleted state. To delete them immediately, the deletion operation needs to be reversed and then performed again.

Identify the items that are in the soft-deleted state.

Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $myVaultID | Where-Object {$_.DeleteState -eq "ToBeDeleted"}

Name                                     ContainerType        ContainerUniqueName                      WorkloadType         ProtectionStatus     HealthStatus         DeleteState
----                                     -------------        -------------------                      ------------         ----------------     ------------         -----------
VM;iaasvmcontainerv2;selfhostrg;AppVM1    AzureVM             iaasvmcontainerv2;selfhostrg;AppVM1       AzureVM              Healthy              Passed               ToBeDeleted

$myBkpItem = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $myVaultID -Name AppVM1

Then reverse the deletion operation that was performed while soft delete was enabled.

Undo-AzRecoveryServicesBackupItemDeletion -Item $myBkpItem -VaultId $myVaultID -Force

WorkloadName     Operation            Status               StartTime                 EndTime                   JobID
------------     ---------            ------               ---------                 -------                   -----
AppVM1           Undelete             Completed            12/5/2019 12:47:28 PM     12/5/2019 12:47:40 PM     65311982-3755-46b5-8e53-c82ea4f0d2a2

Since soft delete is now disabled, the deletion operation will result in immediate removal of the backup data.

Disable-AzRecoveryServicesBackupProtection -Item $myBkpItem -RemoveRecoveryPoints -VaultId $myVaultID -Force

WorkloadName     Operation            Status               StartTime                 EndTime                   JobID
------------     ---------            ------               ---------                 -------                   -----
AppVM1           DeleteBackupData     Completed            12/5/2019 12:44:15 PM     12/5/2019 12:44:50 PM     0488c3c2-accc-4a91-a1e0-fba09a67d2fb
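The page's query above covers only Azure VM items, yet the same vault can hold soft-deleted SQL Server and SAP HANA items that would also be lost. The following added example (not code from the page) generalises the inventory step to all three workload types the page mentions and leaves the undelete as a commented-out follow-up so nothing changes until the list has been reviewed; it assumes Az.RecoveryServices 2.2.0 or later, that Connect-AzAccount has been run, and that $myVaultID holds the vault's resource ID.

```powershell
# Inventory every soft-deleted backup item in one vault across the workload
# types discussed on the page (Azure VM, SQL Server in Azure VM, SAP HANA).
$queries = @(
    @{ BackupManagementType = 'AzureVM';       WorkloadType = 'AzureVM' }
    @{ BackupManagementType = 'AzureWorkload'; WorkloadType = 'MSSQL' }
    @{ BackupManagementType = 'AzureWorkload'; WorkloadType = 'SAPHanaDatabase' }
)

# Keep the raw item objects: Undo-AzRecoveryServicesBackupItemDeletion needs them,
# not a projected view. DeleteState "ToBeDeleted" is the soft-deleted marker the
# page's own output shows.
$softDeleted = foreach ($q in $queries) {
    Get-AzRecoveryServicesBackupItem -BackupManagementType $q.BackupManagementType `
        -WorkloadType $q.WorkloadType -VaultId $myVaultID -ErrorAction SilentlyContinue |
        Where-Object { $_.DeleteState -eq 'ToBeDeleted' }
}

if (-not $softDeleted) {
    "No soft-deleted items in vault $myVaultID"
    return
}

"$(@($softDeleted).Count) soft-deleted item(s) still recoverable within the 14-day window:"
$softDeleted | Format-Table Name, WorkloadType, ContainerUniqueName, ProtectionStatus, DeleteState -AutoSize

# Review the list first. To bring every item back (restorable again, protection
# stopped with data retained), uncomment the next line:
# $softDeleted | ForEach-Object { Undo-AzRecoveryServicesBackupItemDeletion -Item $_ -VaultId $myVaultID -Force }
```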


Using REST API

If items were deleted before soft delete was disabled, they will be in a soft-deleted state. To delete them immediately, the deletion operation needs to be reversed and then performed again.

  1. First, undo the delete operations with the steps mentioned here.
  2. Then disable the soft delete functionality using REST API, following the steps mentioned here.
  3. Then delete the backups using REST API as mentioned here.

Frequently asked questions

Do I need to enable the soft-delete feature on every vault?

No. It's built in and enabled by default for all Recovery Services vaults.

Can I configure the number of days for which my data will be retained in the soft-deleted state after the delete operation is complete?

No. It's fixed to 14 days of additional retention after the delete operation.

Do I need to pay the cost for this additional 14-day retention?

No. This 14-day additional retention comes free of cost as part of the soft-delete functionality.

Can I perform a restore operation when my data is in the soft-deleted state?

No. You need to undelete the soft-deleted resource in order to restore. The undelete operation brings the resource back into the "Stop protection with retain data" state, from which you can restore to any point in time. The garbage collector remains paused in this state.

Will my snapshots follow the same lifecycle as my recovery points in the vault?

How can I trigger the scheduled backups again for a soft-deleted resource?

Undelete followed by a resume operation will protect the resource again. The resume operation associates a backup policy to trigger the scheduled backups with the selected retention period. Also, the garbage collector runs as soon as the resume operation completes. If you wish to perform a restore from a recovery point that is past its expiration date, do it before triggering the resume operation.

Can I delete my vault if there are soft-deleted items in the vault?

The Recovery Services vault can't be deleted while it contains backup items in the soft-deleted state. The soft-deleted items are permanently deleted 14 days after the delete operation. If you can't wait for 14 days, disable soft delete, undelete the soft-deleted items, and delete them again to permanently delete them. After ensuring there are no protected items and no soft-deleted items, the vault can be deleted.

Can I delete the data earlier than the 14-day soft-delete period after deletion?

No. You can't force delete the soft-deleted items. They're automatically deleted after 14 days. This security feature is enabled to safeguard the backed-up data from accidental or malicious deletes. You should wait for 14 days before performing any other action on the item. Soft-deleted items won't be charged. If you need to reprotect items marked for soft delete within the 14 days in a new vault, contact Microsoft support.

Can soft delete operations be performed in PowerShell or CLI?

Soft delete operations can be performed using PowerShell. Currently, CLI is not supported.

Next steps