Back up Azure VMs in a Recovery Services vault

This article describes how to back up Azure VMs in a Recovery Services vault, using the Azure Backup service.

In this article, you learn how to:

  • Prepare Azure VMs.
  • Create a vault.
  • Discover VMs and configure a backup policy.
  • Enable backup for Azure VMs.
  • Run the initial backup.

Note

This article describes how to set up a vault and select VMs to back up. It's useful if you want to back up multiple VMs. Alternatively, you can back up a single Azure VM directly from the VM settings.

Before you start

In addition, there are a couple of things that you might need to do in some circumstances:

  • Install the VM agent on the VM: Azure Backup backs up Azure VMs by installing an extension to the Azure VM agent running on the machine. If your VM was created from an Azure Marketplace image, the agent is installed and running. If you create a custom VM, or you migrate an on-premises machine, you might need to install the agent manually.

Note

The functionality described in the following sections can also be accessed via Backup Center. Backup Center is a single unified management experience in Azure. It enables enterprises to govern, monitor, operate, and analyze backups at scale. With this solution, you can perform most of the key backup management operations without being limited to the scope of an individual vault.

Create a Recovery Services vault

A Recovery Services vault is a management entity that stores recovery points created over time and provides an interface to perform backup related operations. These include taking on-demand backups, performing restores, and creating backup policies.

To create a Recovery Services vault, follow these steps.

  1. Sign in to your subscription in the Azure portal.

  2. On the left menu, select All services.

    Select All services

  3. In the All services dialog box, enter Recovery Services. The list of resources filters according to your input. In the list of resources, select Recovery Services vaults.

    Enter and choose Recovery Services vaults

    The list of Recovery Services vaults in the subscription appears.

  4. On the Recovery Services vaults dashboard, select Add.

    Add a Recovery Services vault

    The Recovery Services vault dialog box opens. Provide values for the Name, Subscription, Resource group, and Location.

    Configure the Recovery Services vault

    • Name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least 2 but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.

    • Subscription: Choose the subscription to use. If you're a member of only one subscription, you'll see that name. If you're not sure which subscription to use, use the default (suggested) subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription.

    • Resource group: Use an existing resource group or create a new one. To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list. To create a new resource group, select Create new and enter the name. For more information about resource groups, see Azure Resource Manager overview.

    • Location: Select the geographic region for the vault. To create a vault to protect any data source, the vault must be in the same region as the data source.

      Important

      If you're not sure of the location of your data source, close the dialog box. Go to the list of your resources in the portal. If you have data sources in multiple regions, create a Recovery Services vault for each region. Create the vault in the first location before you create the vault for another location. There's no need to specify storage accounts to store the backup data. The Recovery Services vault and Azure Backup handle that automatically.

  5. After providing the values, select Review + create.

    Screenshot that shows the Review + create button in the create a Recovery Services vault process.

  6. When you're ready to create the Recovery Services vault, select Create.

    Create the Recovery Services vault

    It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper-right corner of the portal. After your vault is created, it's visible in the list of Recovery Services vaults. If you don't see your vault, select Refresh.

    Refresh the list of backup vaults

Important

We highly recommend you review the default settings for Storage Replication type and Security settings before configuring backups in the vault. For more information, see the Set Storage redundancy section.

Modify storage replication

By default, vaults use geo-redundant storage (GRS).

Modify the storage replication type as follows:

  1. In the new vault, select Properties in the Settings section.

  2. In Properties, under Backup Configuration, select Update.

  3. Select the storage replication type, and select Save.

    Set the storage configuration for new vault

Note

You can't modify the storage replication type after the vault is set up and contains backup items. If you want to do this you need to recreate the vault.

Apply a backup policy

Configure a backup policy for the vault.

  1. In the vault, select +Backup in the Overview section.

    Backup button

  2. In Backup Goal > Where is your workload running? select Azure. In What do you want to back up? select Virtual machine > OK. This registers the VM extension in the vault.

    Backup and Backup Goal panes

  3. In Backup policy, select the policy that you want to associate with the vault.

    • The default policy backs up the VM once a day. The daily backups are retained for 30 days. Instant recovery snapshots are retained for two days.

      Default backup policy

    • If you don't want to use the default policy, select Create New, and create a custom policy as described in the next procedure.

  4. Under Virtual Machines, select Add.

    Add virtual machines

  5. The Select virtual machines pane will open. Select the VMs you want to back up using the policy. Then select OK.

    • The selected VMs are validated.

    • You can only select VMs in the same region as the vault.

    • VMs can only be backed up in a single vault.

      "Select virtual machines" pane

    Note

    All the VMs in the same region and subscription as that of the vault are available to configure backup. When configuring backup, you can browse to the virtual machine name and its resource group, even though you don’t have the required permission on those VMs. If your VM is in soft deleted state, then it won't be visible in this list. If you need to re-protect the VM, then you need to wait for the soft delete period to expire or undelete the VM from the soft deleted list. For more information, see the soft delete for VMs article.

  6. In Backup, select Enable backup. This deploys the policy to the vault and to the VMs, and installs the backup extension on the VM agent running on the Azure VM.

After enabling backup:

  • The Backup service installs the backup extension whether or not the VM is running.
  • An initial backup will run in accordance with your backup schedule.
  • When backups run, note that:
    • A VM that's running has the greatest chance for capturing an application-consistent recovery point.
    • However, even if the VM is turned off, it's backed up. Such a VM is known as an offline VM. In this case, the recovery point will be crash-consistent.
  • Explicit outbound connectivity isn't required to allow backup of Azure VMs.

Create a custom policy

If you selected to create a new backup policy, fill in the policy settings.

  1. In Policy name, specify a meaningful name.

  2. In Backup schedule, specify when backups should be taken. You can take daily or weekly backups for Azure VMs.

  3. In Instant Restore, specify how long you want to retain snapshots locally for instant restore.

    • When you restore, backed up VM disks are copied from storage, across the network to the recovery storage location. With instant restore, you can leverage locally stored snapshots taken during a backup job, without waiting for backup data to be transferred to the vault.
    • You can retain snapshots for instant restore for between one to five days. Two days is the default setting.
  4. In Retention range, specify how long you want to keep your daily or weekly backup points.

  5. In Retention of monthly backup point and Retention of yearly backup point, specify whether you want to keep a monthly or yearly backup of your daily or weekly backups.

  6. Select OK to save the policy.

    New backup policy

Note

Azure Backup doesn't support automatic clock adjustment for daylight-saving changes for Azure VM backups. As time changes occur, modify backup policies manually as required.

Trigger the initial backup

The initial backup will run in accordance with the schedule, but you can run it immediately as follows:

  1. In the vault menu, select Backup items.
  2. In Backup Items, select Azure Virtual Machine.
  3. In the Backup Items list, select the ellipses (...).
  4. Select Backup now.
  5. In Backup Now, use the calendar control to select the last day that the recovery point should be retained. Then select OK.
  6. Monitor the portal notifications. You can monitor the job progress in the vault dashboard > Backup Jobs > In progress. Depending on the size of your VM, creating the initial backup may take a while.

Verify Backup job status

The Backup job details for each VM backup consist of two phases, the Snapshot phase followed by the Transfer data to vault phase.
The snapshot phase guarantees the availability of a recovery point stored along with the disks for Instant Restores and are available for a maximum of five days depending on the snapshot retention configured by the user. Transfer data to vault creates a recovery point in the vault for long-term retention. Transfer data to vault only starts after the snapshot phase is completed.

Backup Job Status

There are two Sub Tasks running at the backend, one for front-end backup job that can be checked from the Backup Job details pane as given below:

Backup Job Status sub-tasks

The Transfer data to vault phase can take multiple days to complete depending on the size of the disks, churn per disk and several other factors.

Job status can vary depending on the following scenarios:

Snapshot Transfer data to vault Job Status
Completed In progress In progress
Completed Skipped Completed
Completed Completed Completed
Completed Failed Completed with warning
Failed Failed Failed

Now with this capability, for the same VM, two backups can run in parallel, but in either phase (snapshot, transfer data to vault) only one sub task can be running. So in scenarios where a backup job in progress resulted in the next day’s backup to fail, it will be avoided with this decoupling functionality. Subsequent days' backups can have the snapshot completed, while Transfer data to vault is skipped if an earlier day’s backup job is in progress state. The incremental recovery point created in the vault will capture all the churn from the most recent recovery point created in the vault. There's no cost impact on the user.

Optional steps

Install the VM agent

Azure Backup backs up Azure VMs by installing an extension to the Azure VM agent running on the machine. If your VM was created from an Azure Marketplace image, the agent is installed and running. If you create a custom VM, or you migrate an on-premises machine, you might need to install the agent manually, as summarized in the table.

VM Details
Windows 1. Download and install the agent MSI file.

2. Install with admin permissions on the machine.

3. Verify the installation. In C:\WindowsAzure\Packages on the VM, right-click WaAppAgent.exe > Properties. On the Details tab, Product Version should be 2.6.1198.718 or higher.

If you're updating the agent, make sure that no backup operations are running, and reinstall the agent.
Linux Install by using an RPM or a DEB package from your distribution's package repository. This is the preferred method for installing and upgrading the Azure Linux agent. All the endorsed distribution providers integrate the Azure Linux agent package into their images and repositories. The agent is available on GitHub, but we don't recommend installing from there.

If you're updating the agent, make sure no backup operations are running, and update the binaries.

Next steps