Back up Azure virtual machines to Recovery Services vaults
This tutorial takes you through the steps for creating a recovery services vault and backing up an Azure virtual machine (VM). Recovery services vaults protect:
- Azure Resource Manager-deployed VMs
- Classic VMs
- Standard storage VMs
- Premium storage VMs
- VMs running on Managed Disks
- VMs encrypted using Azure Disk Encryption, with BEK and KEK
- Application consistent backup of Windows VMs using VSS and Linux VMs using custom pre-snapshot and post-snapshot scripts
For more information on protecting Premium storage VMs, see the article, Back up and Restore Premium Storage VMs. For more information on support for managed disk VMs, see Back up and restore VMs on managed disks. For more information on pre and post-script framework for Linux VM backup see Application consistent Linux VM backup using pre-script and post-script
This tutorial assumes you already have a VM in your Azure subscription and that you have taken measures to allow the backup service to access the VM.
The Azure Backup service has two types of vaults - the Backup vault and the Recovery Services vault. The Backup vault came first. Then the Recovery Services vault came along to support the expanded Resource Manager deployments. Microsoft recommends using Resource Manager deployments unless you specifically require a Classic deployment.
|Resource Manager||Azure||Recovery Services|
Backup vaults cannot protect Resource Manager-deployed solutions. However, you can use a Recovery Services vault to protect classically-deployed servers and VMs.
Depending on the number of virtual machines you want to protect, you can begin from different starting points. If you want to back up multiple virtual machines in one operation, go to the Recovery Services vault and initiate the backup job from the vault dashboard. If you want to back up a single virtual machine, you can initiate the backup job from VM management blade.
Configure the backup job from the VM management blade
Use the following steps to configure the backup job from the virtual machine management blade in the Azure portal. These steps do not apply to the virtual machines in the classic portal.
- Sign in to the Azure portal.
On the Hub menu, click More Services and in the Filter dialog, type Virtual machines. As you type, the list of resources filters. When you see Virtual machines, select it.
The list of virtual machines (VM) in the subscription, appears.
From the list, select a VM to back up.
When you select the VM, the list of virtual machines shifts to the left, and the virtual machine management blade and the virtual machine dashboard, open.
On the VM management blade, in the Settings section, click Backup.
The Enable backup blade opens.
For the Recovery Services vault, click Select existing and choose the vault from the drop-down list.
If there are no Recovery Services vaults, or you want to use a new vault, click Create new and provide the name for the new vault. A new vault is created in the same Resource Group and same location as the virtual machine. If you want to create a Recovery Services vault with different values, see the section on how to create a recovery services vault.
To view the details of the Backup policy, click Backup policy.
The Backup policy blade opens and provides the details of the selected policy. If other policies exist, use the drop-down menu to choose a different backup policy. If you want to create a policy, select Create New from the drop-down menu. For instructions on defining a backup policy, see Defining a backup policy. To save the changes to the backup policy and return to the Enable backup blade, click OK.
On the Enable backup blade, click Enable Backup to deploy the policy. Deploying the policy associates it with the vault and the virtual machines.
You can track the configuration progress through the notifications that appear in the portal. The following example shows that Deployment started.
Once the configuration progress has completed, on the VM management blade, click Backup to open the Backup Item blade and view the details.
Until the initial backup has completed, Last backup status shows as Warning(Initial backup pending). To see when the next scheduled backup job occurs, under Backup policy click the name of the policy. The Backup Policy blade opens and shows the time of the scheduled backup.
To run a Backup job and create the initial recovery point, on the Backup vault blade click Backup now.
The Backup Now blade opens.
On the Backup Now blade, click the calendar icon, use the calendar control to select the last day this recovery point is retained, and click Backup.
Deployment notifications let you know the backup job has been triggered, and that you can monitor the progress of the job on the Backup jobs page.
Configure the backup job from the Recovery Services vault
To configure the backup job, you complete the following steps.
- Create a Recovery Services vault for a virtual machine.
- Use the Azure portal to select a Scenario, set a Backup policy, and identify items to protect.
- Run the initial backup.
Create a recovery services vault for a VM
A Recovery Services vault is an entity that stores all the backups and recovery points that have been created over time. The Recovery Services vault also contains the backup policy applied to the protected VMs.
Backing up VMs is a local process. You cannot back up VMs from one location to a Recovery Services vault in another location. So, for every Azure location that has VMs to be backed up, at least one Recovery Services vault must exist in that location.
To create a Recovery Services vault:
- If you haven't already done so, sign in to the Azure portal using your Azure subscription.
On the Hub menu, click More services and in the Filter dialog type Recovery Services. As you type, the list of resources filters. When you see Recovery Services vaults in the list, click it.
If there are Recovery Services vaults in the subscription, the vaults are listed.
On the Recovery Services vaults menu, click Add.
The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource group, and Location.
For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure subscription. Type a name that contains between 2 and 50 characters. It must start with a letter, and can contain only letters, numbers, and hyphens.
In the Subscription section, use the drop-down menu to choose the Azure subscription. If you use only one subscription, that subscription appears and you can skip to the next step. If you are not sure which subscription to use, use the default (or suggested) subscription. There are multiple choices only if your organizational account is associated with multiple Azure subscriptions.
In the Resource group section:
- select Create new if you want to create a Resource group. Or
- select Use existing and click the drop-down menu to see the available list of Resource groups.
For complete information on Resource groups, see the Azure Resource Manager overview.
Click Location to select the geographic region for the vault. This choice determines the geographic region where your backup data is sent.
If you are unsure of the location in which your VM exists, close out of the vault creation dialog, and go to the list of Virtual Machines in the portal. If you have virtual machines in multiple regions, create a Recovery Services vault in each region. Create the vault in the first location before going to the next location. There is no need to specify the storage accounts used to store the backup data--the Recovery Services vault and the Azure Backup service automatically handle the storage.
At the bottom of the Recovery Services vault blade, click Create.
It can take several minutes for the Recovery Services vault to be created. Monitor the status notifications in the upper right-hand area of the portal. Once your vault is created, it appears in the list of Recovery Services vaults. If after several minutes you don't see your vault, click Refresh.
Once you see your vault in the list of Recovery Services vaults, you are ready to set the storage redundancy.
Now that you've created your vault, learn how to set the storage replication.
Set Storage Replication
The storage replication option allows you to choose between geo-redundant storage and locally redundant storage. By default, your vault has geo-redundant storage. If the Recovery Services vault is your primary backup, leave the storage replication option set to geo-redundant storage. Choose locally redundant storage if you want a cheaper option that isn't as durable. Read more about geo-redundant and locally redundant storage options in the Azure Storage replication overview.
To edit the storage replication setting:
From the Recovery Services vaults blade, select the new vault.
When you select the vault, the Settings blade (which has the vault's name at the top) and the vault details blade open.
In the new vault's Settings blade, use the vertical slide to scroll down to the Manage section, and click Backup Infrastructure. The Backup Infrastructure blade opens.
In the Backup Infrastructure blade, click Backup Configuration to open the Backup Configuration blade.
Choose the appropriate storage replication option for your vault.
By default, your vault has geo-redundant storage. If you use Azure as a primary backup storage endpoint, continue to use Geo-redundant. If you don't use Azure as a primary backup storage endpoint, then choose Locally redundant, which reduces the Azure storage costs. Read more about geo-redundant and locally redundant storage options in this Storage redundancy overview.
Select a backup goal, set policy and define items to protect
Before registering a VM with a vault, run the discovery process to ensure that any new virtual machines that have been added to the subscription are identified. The process queries Azure for the list of virtual machines in the subscription, along with additional information like the cloud service name and the region. In the Azure portal, scenario refers to what you are going to put into the recovery services vault. Policy is the schedule for how often and when recovery points are taken. Policy also includes the retention range for the recovery points.
If you already have a recovery services vault open, proceed to step 2. Otherwise, on the Hub menu, click More services and in the list of resources, type Recovery Services and click Recovery Services vaults.
The list of recovery services vaults appears.
From the list of recovery services vaults, select a vault to open its dashboard.
On the vault dashboard menu, click Backup to open the Backup blade.
The Backup and Backup Goal blades open.
On the Backup Goal blade, from the Where is your workload running drop-down menu, choose Azure. From the What do you want to backup drop-down, choose Virtual machine, then click OK.
These actions register the VM extension with the vault. The Backup Goal blade closes and the Backup policy blade opens.
On the Backup policy blade, select the backup policy you want to apply to the vault.
The details of the default policy are listed under the drop-down menu. If you want to create a policy, select Create New from the drop-down menu. For instructions on defining a backup policy, see Defining a backup policy. Click OK to associate the backup policy with the vault.
The Backup policy blade closes and the Select virtual machines blade opens.
In the Select virtual machines blade, choose the virtual machines to associate with the specified policy and click OK.
The selected virtual machine is validated. If you do not see the virtual machines that you expected to see, check that they exist in the same Azure location as the Recovery Services vault. The location of the Recovery Services vault is shown on the vault dashboard.
Now that you have defined all settings for the vault, in the Backup blade, click Enable Backup to deploy the policy to the vault and the VMs. Deploying the backup policy does not create the initial recovery point for the virtual machine.
After successfully enabling the backup, your backup policy will execute on schedule. However, proceed to initiate the first backup job.
Once a backup policy has been deployed on the virtual machine, that does not mean the data has been backed up. By default, the first scheduled backup (as defined in the backup policy) is the initial backup. Until the initial backup occurs, the Last Backup Status on the Backup Jobs blade shows as Warning(initial backup pending).
Unless your initial backup is due to begin soon, it is recommended that you run Back up Now.
To run the initial backup job:
On the vault dashboard, click the number under Backup Items, or click the Backup Items tile.
The Backup Items blade opens.
On the Backup Items blade, select the item.
The Backup Items list opens.
On the Backup Items list, click the ellipses ... to open the Context menu.
The Context menu appears.
On the Context menu, click Backup now.
The Backup Now blade opens.
On the Backup Now blade, click the calendar icon, use the calendar control to select the last day this recovery point is retained, and click Backup.
Deployment notifications let you know the backup job has been triggered, and that you can monitor the progress of the job on the Backup jobs page. Depending on the size of your VM, creating the initial backup may take a while.
To view or track the status of the initial backup, on the vault dashboard, on the Backup Jobs tile click In progress.
The Backup Jobs blade opens.
In the Backup jobs blade, you can see the status of all jobs. Check if the backup job for your VM is still in progress, or if it has finished. When a backup job is finished, the status is Completed.
As a part of the backup operation, the Azure Backup service issues a command to the backup extension in each VM to flush all writes and take a consistent snapshot.
Defining a backup policy
A backup policy defines a matrix of when the data snapshots are taken, and how long those snapshots are retained. When defining a policy for backing up a VM, you can trigger a backup job once a day. When you create a new policy, it is applied to the vault. The backup policy interface looks like this:
To create a policy:
- Enter a name for the Policy name.
Snapshots of your data can be taken at Daily or Weekly intervals. Use the Backup Frequency drop-down menu to choose whether data snapshots are taken Daily or Weekly.
If you choose a Daily interval, use the highlighted control to select the time of the day for the snapshot. To change the hour, de-select the hour, and select the new hour.
If you choose a Weekly interval, use the highlighted controls to select the day(s) of the week, and the time of day to take the snapshot. In the day menu, select one or multiple days. In the hour menu, select one hour. To change the hour, de-select the selected hour, and select the new hour.
By default, all Retention Range options are selected. Uncheck any retention range limit you do not want to use. Then, specify the interval(s) to use.
Monthly and Yearly retention ranges allow you to specify the snapshots based on a weekly or daily increment.
When protecting a VM, a backup job runs once a day. The time when the backup runs is the same for each retention range.
After setting all options for the policy, at the top of the blade click Save.
The new policy is immediately applied to the vault.
Install the VM Agent on the virtual machine
This information is provided in case it is needed. The Azure VM Agent must be installed on the Azure virtual machine for the Backup extension to work. However, if your VM was created from the Azure gallery, then the VM Agent is already present on the virtual machine. VMs that are migrated from on-premises datacenters would not have the VM Agent installed. In such a case, the VM Agent needs to be installed. If you have problems backing up the Azure VM, check that the Azure VM Agent is correctly installed on the virtual machine (see the following table). If you create a custom VM, ensure the Install the VM Agent check box is selected before the virtual machine is provisioned.
The following table provides additional information about the VM Agent for Windows and Linux VMs.
|Installing the VM Agent|
|Updating the VM Agent||Updating the VM Agent is as simple as reinstalling the VM Agent binaries.
Ensure that no backup operation is running while the VM agent is being updated.
|Follow the instructions on updating the Linux VM Agent.
Ensure that no backup operation is running while the VM Agent is being updated.
|Validating the VM Agent installation||N/A|
Once the VM Agent is installed on the virtual machine, the Azure Backup service installs the backup extension to the VM Agent. The Azure Backup service seamlessly upgrades and patches the backup extension without additional user intervention.
The Backup service installs the backup extension, even if the VM is not running. A running VM provides the greatest chance of getting an application-consistent recovery point. However, the Azure Backup service continues to back up the VM even if it is turned off, and the extension could not be installed. This type of backup is known as Offline VM, and the recovery point is crash consistent.
If you have issues accomplishing some of the tasks in this article, consult the Troubleshooting guidance.
The cost of backing up Azure VMs is based on the number of protected instances. For a definition of a protected instance, see What is a protected instance. For an example of calculating the cost of backing up a virtual machine, see How are protected instances calculated. See the Azure Backup Pricing page for information about Backup Pricing.
If you have questions, or if there is any feature that you would like to see included, send us feedback.