Back up Azure virtual machines to Recovery Services vaults

This tutorial takes you through the steps for creating a recovery services vault and backing up an Azure virtual machine (VM). Recovery services vaults protect:

  • Azure Resource Manager-deployed VMs
  • Classic VMs
  • Standard storage VMs
  • Premium storage VMs
  • VMs running on Managed Disks
  • VMs encrypted using Azure Disk Encryption
  • Application consistent backup of Windows VMs using VSS and Linux VMs using custom pre-snapshot and post-snapshot scripts

For more information on protecting Premium storage VMs, see the article, Back up and Restore Premium Storage VMs. For more information on support for managed disk VMs, see Back up and restore VMs on managed disks. For more information on pre and post-script framework for Linux VM backup see Application consistent Linux VM backup using pre-script and post-script.

To find out more about what can you backup and what you can't, refer here

Note

This tutorial assumes you already have a VM in your Azure subscription and that you have taken measures to allow the backup service to access the VM.

The Azure Backup service has two types of vaults - the Backup vault and the Recovery Services vault. The Backup vault came first. Then the Recovery Services vault came along to support the expanded Resource Manager deployments. Microsoft recommends using Resource Manager deployments unless you specifically require a Classic deployment.

Deployment Portal Vault
Classic Classic Backup
Resource Manager Azure Recovery Services
Note

Backup vaults cannot protect Resource Manager-deployed solutions. However, you can use a Recovery Services vault to protect classically-deployed servers and VMs.

Depending on the number of virtual machines you want to protect, you can begin from different starting points. If you want to back up multiple virtual machines in one operation, go to the Recovery Services vault and initiate the backup job from the vault dashboard. If you want to back up a single virtual machine, you can initiate the backup job from VM management blade.

Configure the backup job from the VM management blade

Use the following steps to configure the backup job from the virtual machine management blade in the Azure portal. These steps do not apply to the virtual machines in the classic portal.

  1. Sign in to the Azure portal.
  2. On the Hub menu, click More Services and in the Filter dialog, type Virtual machines. As you type, the list of resources filters. When you see Virtual machines, select it.

    On Hub menu, click More Services to open text dialog, and type Virtual machines

    The list of virtual machines (VM) in the subscription, appears.

    The list of VMs in the subscription appears.

  3. From the list, select a VM to back up.

    The list of VMs in the subscription appears.

    When you select the VM, the list of virtual machines shifts to the left, and the virtual machine management blade and the virtual machine dashboard, open.
    VM Management blade

  4. On the VM management blade, in the Settings section, click Backup.

    Backup option in VM management blade

    The Enable backup blade opens.

    Backup option in VM management blade

  5. For the Recovery Services vault, click Select existing and choose the vault from the drop-down list.

    Enable Backup Wizard

    If there are no Recovery Services vaults, or you want to use a new vault, click Create new and provide the name for the new vault. A new vault is created in the same Resource Group and same location as the virtual machine. If you want to create a Recovery Services vault with different values, see the section on how to create a recovery services vault.

  6. To view the details of the Backup policy, click Backup policy.

    The Backup policy blade opens and provides the details of the selected policy. If other policies exist, use the drop-down menu to choose a different backup policy. If you want to create a policy, select Create New from the drop-down menu. For instructions on defining a backup policy, see Defining a backup policy. To save the changes to the backup policy and return to the Enable backup blade, click OK.

    Select backup policy

  7. On the Enable backup blade, click Enable Backup to deploy the policy. Deploying the policy associates it with the vault and the virtual machines.

    Enable Backup button

  8. You can track the configuration progress through the notifications that appear in the portal. The following example shows that Deployment started.

    Enable Backup notification

  9. Once the configuration progress has completed, on the VM management blade, click Backup to open the Backup Item blade and view the details.

    VM Backup Item View

    Until the initial backup has completed, Last backup status shows as Warning(Initial backup pending). To see when the next scheduled backup job occurs, under Backup policy click the name of the policy. The Backup Policy blade opens and shows the time of the scheduled backup.

  10. To run a Backup job and create the initial recovery point, on the Backup vault blade click Backup now.

    click Backup now to run the initial backup

    The Backup Now blade opens.

    shows the Backup Now blade

  11. On the Backup Now blade, click the calendar icon, use the calendar control to select the last day this recovery point is retained, and click Backup.

    set the last day the Backup Now recovery point is retained

    Deployment notifications let you know the backup job has been triggered, and that you can monitor the progress of the job on the Backup jobs page.

Configure the backup job from the Recovery Services vault

To configure the backup job, you complete the following steps.

  1. Create a Recovery Services vault for a virtual machine.
  2. Use the Azure portal to select a Scenario, set a Backup policy, and identify items to protect.
  3. Run the initial backup.

Create a recovery services vault for a VM

A Recovery Services vault is an entity that stores all the backups and recovery points that have been created over time. The Recovery Services vault also contains the backup policy applied to the protected VMs.

Note

Backing up VMs is a local process. You cannot back up VMs from one location to a Recovery Services vault in another location. So, for every Azure location that has VMs to be backed up, at least one Recovery Services vault must exist in that location.

To create a Recovery Services vault:

  1. If you haven't already done so, sign in to the Azure portal using your Azure subscription.
  2. On the Hub menu, click More services and in the Filter dialog type Recovery Services. As you type, the list of resources filters. When you see Recovery Services vaults in the list, click it.

    Create Recovery Services Vault step 1

    If there are Recovery Services vaults in the subscription, the vaults are listed.

    Create Recovery Services Vault step 2

  3. On the Recovery Services vaults menu, click Add.

    Create Recovery Services Vault step 2

    The Recovery Services vault blade opens, prompting you to provide a Name, Subscription, Resource group, and Location.

    Create Recovery Services Vault step 3

  4. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure subscription. Type a name that contains between 2 and 50 characters. It must start with a letter, and can contain only letters, numbers, and hyphens.

  5. In the Subscription section, use the drop-down menu to choose the Azure subscription. If you use only one subscription, that subscription appears and you can skip to the next step. If you are not sure which subscription to use, use the default (or suggested) subscription. There are multiple choices only if your organizational account is associated with multiple Azure subscriptions.

  6. In the Resource group section:

    • select Create new if you want to create a Resource group. Or
    • select Use existing and click the drop-down menu to see the available list of Resource groups.

    For complete information on Resource groups, see the Azure Resource Manager overview.

  7. Click Location to select the geographic region for the vault. This choice determines the geographic region where your backup data is sent.

    Important

    If you are unsure of the location in which your VM exists, close out of the vault creation dialog, and go to the list of Virtual Machines in the portal. If you have virtual machines in multiple regions, create a Recovery Services vault in each region. Create the vault in the first location before going to the next location. There is no need to specify the storage accounts used to store the backup data--the Recovery Services vault and the Azure Backup service automatically handle the storage.

  8. At the bottom of the Recovery Services vault blade, click Create.

    It can take several minutes for the Recovery Services vault to be created. Monitor the status notifications in the upper right-hand area of the portal. Once your vault is created, it appears in the list of Recovery Services vaults. If after several minutes you don't see your vault, click Refresh.

    Click Refresh button

    Once you see your vault in the list of Recovery Services vaults, you are ready to set the storage redundancy.

Now that you've created your vault, learn how to set the storage replication.

Set Storage Replication

The storage replication option allows you to choose between geo-redundant storage and locally redundant storage. By default, your vault has geo-redundant storage. If the Recovery Services vault is your primary backup, leave the storage replication option set to geo-redundant storage. Choose locally redundant storage if you want a cheaper option that isn't as durable. Read more about geo-redundant and locally redundant storage options in the Azure Storage replication overview.

To edit the storage replication setting:

  1. From the Recovery Services vaults blade, select the new vault.

    Select the new vault from the list of Recovery Services vault

    When you select the vault, the Settings blade (which has the vault's name at the top) and the vault details blade open.

    View the storage configuration for new vault

  2. In the new vault's Settings blade, use the vertical slide to scroll down to the Manage section, and click Backup Infrastructure. The Backup Infrastructure blade opens.

  3. In the Backup Infrastructure blade, click Backup Configuration to open the Backup Configuration blade.

    Set the storage configuration for new vault

  4. Choose the appropriate storage replication option for your vault.

    storage configuration choices

    By default, your vault has geo-redundant storage. If you use Azure as a primary backup storage endpoint, continue to use Geo-redundant. If you don't use Azure as a primary backup storage endpoint, then choose Locally redundant, which reduces the Azure storage costs. Read more about geo-redundant and locally redundant storage options in this Storage redundancy overview.

Select a backup goal, set policy and define items to protect

Before registering a VM with a vault, run the discovery process to ensure that any new virtual machines that have been added to the subscription are identified. The process queries Azure for the list of virtual machines in the subscription, along with additional information like the cloud service name and the region. In the Azure portal, scenario refers to what you are going to put into the recovery services vault. Policy is the schedule for how often and when recovery points are taken. Policy also includes the retention range for the recovery points.

  1. If you already have a recovery services vault open, proceed to step 2. Otherwise, on the Hub menu, click More services and in the list of resources, type Recovery Services and click Recovery Services vaults.

    Create Recovery Services Vault step 1

    The list of recovery services vaults appears.

    View of the Recovery Services vaults list

    From the list of recovery services vaults, select a vault to open its dashboard.

    Open vault blade

  2. On the vault dashboard menu, click Backup to open the Backup blade.

    Open Backup blade

    The Backup and Backup Goal blades open.

    Open Scenario blade

  3. On the Backup Goal blade, from the Where is your workload running drop-down menu, choose Azure. From the What do you want to backup drop-down, choose Virtual machine, then click OK.

    These actions register the VM extension with the vault. The Backup Goal blade closes and the Backup policy blade opens.

    Open Scenario blade

  4. On the Backup policy blade, select the backup policy you want to apply to the vault.

    Select backup policy

    The details of the default policy are listed under the drop-down menu. If you want to create a policy, select Create New from the drop-down menu. For instructions on defining a backup policy, see Defining a backup policy. Click OK to associate the backup policy with the vault.

    The Backup policy blade closes and the Select virtual machines blade opens.

  5. In the Select virtual machines blade, choose the virtual machines to associate with the specified policy and click OK.

    Select workload

    The selected virtual machine is validated. If you do not see the virtual machines that you expected to see, check that they exist in the same Azure location as the Recovery Services vault. The location of the Recovery Services vault is shown on the vault dashboard.

  6. Now that you have defined all settings for the vault, in the Backup blade, click Enable Backup to deploy the policy to the vault and the VMs. Deploying the backup policy does not create the initial recovery point for the virtual machine.

    Enable Backup

After successfully enabling the backup, your backup policy will execute on schedule. However, proceed to initiate the first backup job.

Initial backup

Once a backup policy has been deployed on the virtual machine, that does not mean the data has been backed up. By default, the first scheduled backup (as defined in the backup policy) is the initial backup. Until the initial backup occurs, the Last Backup Status on the Backup Jobs blade shows as Warning(initial backup pending).

Backup pending

Unless your initial backup is due to begin soon, it is recommended that you run Back up Now.

To run the initial backup job:

  1. On the vault dashboard, click the number under Backup Items, or click the Backup Items tile.
    Settings icon

    The Backup Items blade opens.

    Back up items

  2. On the Backup Items blade, select the item.

    Settings icon

    The Backup Items list opens.

    Backup job triggered

  3. On the Backup Items list, click the ellipses ... to open the Context menu.

    Context menu

    The Context menu appears.

    Context menu

  4. On the Context menu, click Backup now.

    Context menu

    The Backup Now blade opens.

    shows the Backup Now blade

  5. On the Backup Now blade, click the calendar icon, use the calendar control to select the last day this recovery point is retained, and click Backup.

    set the last day the Backup Now recovery point is retained

    Deployment notifications let you know the backup job has been triggered, and that you can monitor the progress of the job on the Backup jobs page. Depending on the size of your VM, creating the initial backup may take a while.

  6. To view or track the status of the initial backup, on the vault dashboard, on the Backup Jobs tile click In progress.

    Backup Jobs tile

    The Backup Jobs blade opens.

    Backup Jobs tile

    In the Backup jobs blade, you can see the status of all jobs. Check if the backup job for your VM is still in progress, or if it has finished. When a backup job is finished, the status is Completed.

    Note

    As a part of the backup operation, the Azure Backup service issues a command to the backup extension in each VM to flush all writes and take a consistent snapshot.

Defining a backup policy

A backup policy defines a matrix of when the data snapshots are taken, and how long those snapshots are retained. When defining a policy for backing up a VM, you can trigger a backup job once a day. When you create a new policy, it is applied to the vault. The backup policy interface looks like this:

Backup policy

To create a policy:

  1. Enter a name for the Policy name.
  2. Snapshots of your data can be taken at Daily or Weekly intervals. Use the Backup Frequency drop-down menu to choose whether data snapshots are taken Daily or Weekly.

    • If you choose a Daily interval, use the highlighted control to select the time of the day for the snapshot. To change the hour, de-select the hour, and select the new hour.

      Daily backup policy

    • If you choose a Weekly interval, use the highlighted controls to select the day(s) of the week, and the time of day to take the snapshot. In the day menu, select one or multiple days. In the hour menu, select one hour. To change the hour, de-select the selected hour, and select the new hour.

      Weekly backup policy

  3. By default, all Retention Range options are selected. Uncheck any retention range limit you do not want to use. Then, specify the interval(s) to use.

    Monthly and Yearly retention ranges allow you to specify the snapshots based on a weekly or daily increment.

    Note

    When protecting a VM, a backup job runs once a day. The time when the backup runs is the same for each retention range.

  4. After setting all options for the policy, at the top of the blade click Save.

    The new policy is immediately applied to the vault.

Install the VM Agent on the virtual machine

This information is provided in case it is needed. The Azure VM Agent must be installed on the Azure virtual machine for the Backup extension to work. However, if your VM was created from the Azure gallery, then the VM Agent is already present on the virtual machine. VMs that are migrated from on-premises datacenters would not have the VM Agent installed. In such a case, the VM Agent needs to be installed. If you have problems backing up the Azure VM, check that the Azure VM Agent is correctly installed on the virtual machine (see the following table). If you create a custom VM, ensure the Install the VM Agent check box is selected before the virtual machine is provisioned.

Learn about the VM Agent and how to install it.

The following table provides additional information about the VM Agent for Windows and Linux VMs.

Operation Windows Linux
Installing the VM Agent
  • Download and install the agent MSI. You need Administrator privileges to complete the installation.
  • Update the VM property to indicate that the agent is installed.
  • Install the latest Linux agent from GitHub. You need Administrator privileges to complete the installation.
  • Update the VM property to indicate that the agent is installed.
  • Updating the VM Agent Updating the VM Agent is as simple as reinstalling the VM Agent binaries.
    Ensure that no backup operation is running while the VM agent is being updated.
    Follow the instructions on updating the Linux VM Agent.
    Ensure that no backup operation is running while the VM Agent is being updated.
    Validating the VM Agent installation
  • Navigate to the C:\WindowsAzure\Packages folder in the Azure VM.
  • You should find the WaAppAgent.exe file present.
  • Right-click the file, go to Properties, and then select the Details tab. The Product Version field should be 2.6.1198.718 or higher.
  • N/A

    Backup extension

    Once the VM Agent is installed on the virtual machine, the Azure Backup service installs the backup extension to the VM Agent. The Azure Backup service seamlessly upgrades and patches the backup extension without additional user intervention.

    The Backup service installs the backup extension, even if the VM is not running. A running VM provides the greatest chance of getting an application-consistent recovery point. However, the Azure Backup service continues to back up the VM even if it is turned off, and the extension could not be installed. This type of backup is known as Offline VM, and the recovery point is crash consistent.

    Troubleshooting information

    If you have issues accomplishing some of the tasks in this article, consult the Troubleshooting guidance.

    Pricing

    The cost of backing up Azure VMs is based on the number of protected instances. For a definition of a protected instance, see What is a protected instance. For an example of calculating the cost of backing up a virtual machine, see How are protected instances calculated. See the Azure Backup Pricing page for information about Backup Pricing.

    Questions?

    If you have questions, or if there is any feature that you would like to see included, send us feedback.