Create and configure a Recovery Services vault
Create a Recovery Services vault
A Recovery Services vault is a management entity that stores recovery points created over time and provides an interface to perform backup-related operations. These include taking on-demand backups, performing restores, and creating backup policies.
To create a Recovery Services vault, follow these steps.
Sign in to your subscription in the Azure portal.
Search for Backup center in the Azure portal, and navigate to the Backup Center dashboard.
Select +Vault from the Overview tab.
Select Recovery Services vault and click Continue.
The Recovery Services vault dialog box opens. Provide values for the Name, Subscription, Resource group, and Location.
Name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least 2 but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.
Subscription: Choose the subscription to use. If you're a member of only one subscription, you'll see that name. If you're not sure which subscription to use, use the default (suggested) subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription.
Resource group: Use an existing resource group or create a new one. To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list. To create a new resource group, select Create new and enter the name. For more information about resource groups, see Azure Resource Manager overview.
Location: Select the geographic region for the vault. To create a vault to protect any data source, the vault must be in the same region as the data source.
If you're not sure of the location of your data source, close the dialog box. Go to the list of your resources in the portal. If you have data sources in multiple regions, create a Recovery Services vault for each region. Create the vault in the first location before you create the vault for another location. There's no need to specify storage accounts to store the backup data. The Recovery Services vault and Azure Backup handle that automatically.
After providing the values, select Review + create.
When you're ready to create the Recovery Services vault, select Create.
It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper-right corner of the portal. After your vault is created, it's visible in the list of Recovery Services vaults. If you don't see your vault, select Refresh.
We highly recommend you review the default settings for Storage Replication type and Security settings before configuring backups in the vault. For more information, see the Set Storage redundancy section.
Set storage redundancy
Azure Backup automatically handles storage for the vault. You need to specify how that storage is replicated.
Changing Storage Replication type (Locally redundant/ Geo-redundant) for a Recovery Services vault has to be done before configuring backups in the vault. Once you configure backup, the option to modify is disabled.
From the Recovery Services vaults pane, select the new vault. Under the Settings section, select Properties.
In Properties, under Backup Configuration, select Update.
Select the storage replication type, and select Save.
- We recommend that if you're using Azure as a primary backup storage endpoint, continue to use the default Geo-redundant setting.
- If you don't use Azure as a primary backup storage endpoint, then choose Locally redundant, which reduces the Azure storage costs.
- Learn more about geo and local redundancy.
- If you need data availability without downtime in a region, guaranteeing data residency, then choose zone-redundant storage.
The Storage Replication settings for the vault aren't relevant for Azure file share backup, because the current solution is snapshot based and no data is transferred to the vault. Snapshots are stored in the same storage account as the backed-up file share.
Set Cross Region Restore
The restore option Cross Region Restore (CRR) allows you to restore data in a secondary, Azure paired region.
It supports the following datasources:
- Azure VMs
- SQL databases hosted on Azure VMs
- SAP HANA databases hosted on Azure VMs
Using Cross Region Restore allows you to:
- Conduct drills when there's an audit or compliance requirement
- Restore the data if there's a disaster in the primary region
When restoring a VM, you can restore the VM or its disk. If you're restoring from SQL/SAP HANA databases hosted on Azure VMs, then you can restore databases or their files.
To choose this feature, select Enable Cross Region Restore from the Backup Configuration pane.
Since this process is at the storage level, there are pricing implications.
Before you begin:
- Review the support matrix for a list of supported managed types and regions.
- The Cross Region Restore (CRR) feature for Azure VMs, SQL and SAP HANA databases is now generally available in all Azure public and sovereign regions. For information on region availability, see the support matrix.
- CRR is a vault level opt-in feature for any GRS vault (turned off by default).
- After opting-in, it might take up to 48 hours for the backup items to be available in secondary regions.
- Currently, CRR for Azure VMs is supported for Azure Resource Manager Azure VMs and encrypted Azure VMs. Classic Azure VMs won't be supported. When additional management types support CRR, then they'll be automatically enrolled.
- Cross Region Restore currently can't be reverted to GRS or LRS once protection is initiated for the first time.
- Currently, secondary region RPO is up to 12 hours from the primary region, even though read-access geo-redundant storage (RA-GRS) replication is 15 minutes.
Configure Cross Region Restore
A vault created with GRS redundancy includes the option to configure the Cross Region Restore feature. Every GRS vault will have a banner, which will link to the documentation. To configure CRR for the vault, go to the Backup Configuration pane, which contains the option to enable this feature.
If you have access to restricted paired regions but still can't view the Cross Region Restore settings in the Backup Configuration blade, re-register the Recovery Services resource provider.
To re-register the provider, go to your subscription in the Azure portal, navigate to Resource provider on the left navigation bar, then select Microsoft.RecoveryServices and select Re-register.
From the portal, go to your Recovery Services vault > Properties (under Settings).
Under Backup Configuration, select Update.
Select Enable Cross Region Restore in this vault to enable the functionality.
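The vault creation, storage redundancy and Cross Region Restore steps above as one script, added here as an Azure PowerShell example (not code from the original page). It assumes the Az.RecoveryServices module, an existing resource group, and placeholder names; the guard that refuses to change redundancy only inspects Azure VM backup items, so extend it for other workload types in use.

```powershell
# Added example (not from the original page). Names below are placeholders.
$rg        = "rg-backup-demo"       # assumed existing resource group
$vaultName = "rsv-demo-westeurope"  # 2-50 chars, letter first, letters/digits/hyphens only
$location  = "westeurope"           # must be the region of the data sources to protect

# Enforce the portal's vault-name rules locally before calling Azure.
if ($vaultName -notmatch '^[A-Za-z][A-Za-z0-9-]{1,49}$') {
    throw "Vault name '$vaultName' breaks the 2-50 character / letter-first / [A-Za-z0-9-] rules."
}

# Create the vault only if it does not exist yet (idempotent re-runs).
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName -Location $location
}

# Storage replication type is locked as soon as anything is protected in the vault,
# so refuse to proceed if backup items already exist (Azure VM workload checked here).
$items = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $vault.ID
if ($items) {
    throw "Vault '$vaultName' already protects $(@($items).Count) item(s); redundancy can no longer be changed."
}

# Keep the default Geo-redundant (GRS) setting when Azure is the primary backup store.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant

# Cross Region Restore is a GRS-only, vault-level opt-in that cannot be reverted once
# protection starts; enable it now, before the first backup is configured.
Set-AzRecoveryServicesBackupProperty -Vault $vault -EnableCrossRegionRestore

# Verify the effective settings before applying any backup policy.
Get-AzRecoveryServicesBackupProperty -Vault $vault |
    Select-Object BackupStorageRedundancy, CrossRegionRestore
```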
See these articles for more information about backup and restore with CRR:
- Cross Region Restore for Azure VMs
- Cross Region Restore for SQL databases
- Cross Region Restore for SAP HANA databases
Set encryption settings
By default, the data in the Recovery Services vault is encrypted using platform-managed keys. No explicit actions are required from your end to enable this encryption, and it applies to all workloads being backed up to your Recovery Services vault. You may choose to bring your own key to encrypt the backup data in this vault. This is referred to as customer-managed keys. If you wish to encrypt backup data using your own key, the encryption key must be specified before any item is protected to this vault. Once you enable encryption with your key, it can't be reversed.
Configuring a vault to encrypt using customer-managed keys
To configure your vault to encrypt with customer-managed keys, these steps must be followed in this order:
Enable managed identity for your Recovery Services vault
Assign permissions to the vault to access the encryption key in the Azure Key Vault
Enable soft-delete and purge protection on the Azure Key Vault
Assign the encryption key to the Recovery Services vault
Instructions for each of these steps can be found in this article.
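The four customer-managed-key steps above, scripted in the required order, as an added Azure PowerShell example (not code from the original page). It assumes an existing key vault and key in the same subscription as the Recovery Services vault, that the key vault uses access policies rather than RBAC, and placeholder names; it must run before any item is protected, since the change is irreversible.

```powershell
# Added example (not from the original page). Names below are placeholders.
$rg        = "rg-backup-demo"
$vaultName = "rsv-demo-westeurope"
$kvName    = "kv-backup-demo"       # assumed existing Azure Key Vault
$keyName   = "rsv-cmk"              # assumed existing RSA key in that key vault

# Step 1: enable a system-assigned managed identity on the Recovery Services vault.
$vault       = Update-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName -IdentityType SystemAssigned
$principalId = $vault.Identity.PrincipalId

# Step 2: grant that identity only what encryption needs: get/list plus wrap/unwrap.
# No create, delete or purge rights, so a compromised vault identity cannot destroy the key.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $principalId -PermissionsToKeys get,list,wrapKey,unwrapKey

# Step 3: purge protection keeps the key recoverable; soft delete is already on for
# new key vaults. Without both, losing the key would make every backup unreadable.
Update-AzKeyVault -ResourceGroupName $rg -VaultName $kvName -EnablePurgeProtection
$kv = Get-AzKeyVault -ResourceGroupName $rg -VaultName $kvName
if (-not $kv.EnableSoftDelete -or -not $kv.EnablePurgeProtection) {
    throw "Key vault '$kvName' needs soft delete and purge protection before the key is assigned."
}

# Step 4: assign the key to the vault. Irreversible, and rejected once items are protected.
$key = Get-AzKeyVaultKey -VaultName $kvName -Name $keyName
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -EncryptionKeyId $key.Id -UseSystemAssignedIdentity $true

# Show the resulting vault properties (encryption settings included) for the change record.
Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
```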
Modifying default settings
We highly recommend you review the default settings for Storage Replication type and Security settings before configuring backups in the vault.
Storage Replication type by default is set to Geo-redundant (GRS). Once you configure the backup, the option to modify is disabled.
Soft delete by default is Enabled on newly created vaults to protect backup data from accidental or malicious deletes. Follow these steps to review and modify the settings.
How to change from GRS to LRS after configuring backup
Before deciding to move from GRS to locally redundant storage (LRS), review the trade-offs between lower cost and higher data durability that fit your scenario. If you must move from GRS to LRS, then you have two choices. They depend on your business requirements to retain the backup data:
Don’t need to preserve previous backed-up data
To protect workloads in a new LRS vault, the current protection and data will need to be deleted in the GRS vault and backups configured again.
The following operation is destructive and can't be undone. All backup data and backup items associated with the protected server will be permanently deleted. Proceed with caution.
Stop and delete current protection on the GRS vault:
Disable soft delete in the GRS vault properties. Follow these steps to disable soft delete.
Stop protection and delete backups from the existing GRS vault. In the Vault dashboard menu, select Backup Items. Items listed here that need to be moved to the LRS vault must be removed along with their backup data. See how to delete protected items in the cloud and delete protected items on premises.
If you're planning to move AFS (Azure file shares), SQL servers or SAP HANA servers, then you'll also need to unregister them. In the vault dashboard menu, select Backup Infrastructure. See how to unregister the SQL server, unregister a storage account associated with Azure file shares, and unregister an SAP HANA instance.
Once they're removed from the GRS vault, continue to configure the backups for your workload in the new LRS vault.
Must preserve previous backed-up data
If you need to keep the current protected data in the GRS vault and continue the protection in a new LRS vault, there are limited options for some of the workloads:
For MARS, you can stop protection with retain data and register the agent in the new LRS vault.
- Azure Backup service will continue to retain all the existing recovery points of the GRS vault.
- You'll need to pay to keep the recovery points in the GRS vault.
- You'll be able to restore the backed-up data only for unexpired recovery points in the GRS vault.
- A new initial replica of the data will need to be created on the LRS vault.
For an Azure VM, you can stop protection with retain data for the VM in the GRS vault, move the VM to another resource group, and then protect the VM in the LRS vault. See guidance and limitations for moving a VM to another resource group.
A VM can be protected in only one vault at a time. However, the VM in the new resource group can be protected on the LRS vault as it's considered a different VM.
- Azure Backup service will retain the recovery points that have been backed up on the GRS vault.
- You'll need to pay to keep the recovery points in the GRS vault (see Azure Backup pricing for details).
- You'll be able to restore the VM, if needed, from the GRS vault.
- The first backup on the LRS vault of the VM in the new resource group will be an initial replica.
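The "must preserve previous backed-up data" path above for a single Azure VM, as an added Azure PowerShell example (not code from the original page). It assumes both vaults already exist, that the VM uses managed disks whose disks and NICs can be moved with it, that the LRS vault has a policy named DefaultPolicy, and placeholder names.

```powershell
# Added example (not from the original page). Names below are placeholders.
$grsVault = Get-AzRecoveryServicesVault -ResourceGroupName "rg-backup-demo" -Name "rsv-demo-grs"
$lrsVault = Get-AzRecoveryServicesVault -ResourceGroupName "rg-backup-demo" -Name "rsv-demo-lrs"
$vmName   = "vm-app01"
$srcRg    = "rg-app-old"
$dstRg    = "rg-app-new"   # a different resource group makes Azure Backup treat it as a new VM

# Sanity check: confirm the target vault really is LRS before touching the GRS protection.
$lrsProps = Get-AzRecoveryServicesBackupProperty -Vault $lrsVault
if ($lrsProps.BackupStorageRedundancy -ne "LocallyRedundant") {
    throw "Target vault '$($lrsVault.Name)' is not Locally redundant; aborting."
}

# Step 1: stop protection in the GRS vault but keep the data. Omitting
# -RemoveRecoveryPoints is what makes this the "retain data" variant.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -FriendlyName $vmName -VaultId $grsVault.ID
$item      = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $grsVault.ID
Disable-AzRecoveryServicesBackupProtection -Item $item -VaultId $grsVault.ID -Force

# Step 2: move the VM together with its disks and NICs to the new resource group.
# Dependent resources must travel in the same move request; the VNet can stay behind.
$vm  = Get-AzVM -ResourceGroupName $srcRg -Name $vmName
$ids = @($vm.Id, $vm.StorageProfile.OsDisk.ManagedDisk.Id) +
       @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id }) +
       @($vm.NetworkProfile.NetworkInterfaces | ForEach-Object { $_.Id })
Move-AzResource -DestinationResourceGroupName $dstRg -ResourceId $ids -Force

# Step 3: protect the moved VM in the LRS vault; its first backup is a full initial replica.
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy" -VaultId $lrsVault.ID
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vmName -ResourceGroupName $dstRg -VaultId $lrsVault.ID

# The GRS recovery points remain restorable (and billed) until they expire; list them.
Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $grsVault.ID |
    Select-Object RecoveryPointTime, RecoveryPointType
```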