Support matrix for Azure VM backup

You can use the Azure Backup service to back up on-premises machines and workloads, and Azure virtual machines (VMs). This article summarizes support settings and limitations when you back up Azure VMs with Azure Backup.

Supported scenarios

Here's how you can back up and restore Azure VMs with the Azure Backup service.

| Scenario | Backup | Agent | Restore |
| --- | --- | --- | --- |
| Direct backup of Azure VMs | Back up the entire VM. | No additional agent is needed on the Azure VM. Azure Backup installs and uses an extension to the Azure VM agent that is running on the VM. | Restore as follows:<br><br>- Create a basic VM. This is useful if the VM has no special configuration such as multiple IP addresses.<br><br>- Restore the VM disk. Restore the disk. Then attach it to an existing VM, or create a new VM from the disk by using PowerShell.<br><br>- Replace VM disk. If a VM exists and it uses managed disks (unencrypted), you can restore a disk and use it to replace an existing disk on the VM.<br><br>- Restore specific files/folders. You can restore files/folders from a VM instead of from the entire VM. |
| Direct backup of Azure VMs (Windows only) | Back up specific files/folders/volume. | Install the Azure Recovery Services agent.<br><br>You can run the MARS agent alongside the backup extension for the Azure VM agent to back up the VM at file/folder level. | Restore specific folders/files. |
| Back up Azure VM to backup server | Back up files/folders/volumes; system state/bare metal files; app data to System Center DPM or to Microsoft Azure Backup Server (MABS).<br><br>DPM/MABS then backs up to the backup vault. | Install the DPM/MABS protection agent on the VM. The MARS agent is installed on DPM/MABS. | Restore files/folders/volumes; system state/bare metal files; app data. |

Learn more about backup using a backup server and about support requirements.

Note

Azure Backup now supports selective disk backup and restore using the Azure Virtual Machine backup solution.

Today, Azure Backup supports backing up all the disks (operating system and data) in a VM together using the Virtual Machine backup solution. With exclude-disk functionality, you get an option to back up one or a few of the many data disks in a VM. This provides an efficient and cost-effective solution for your backup and restore needs. Each recovery point contains data of the disks included in the backup operation, which further allows you to have a subset of disks restored from the given recovery point during the restore operation. This applies to restores from both the snapshot and the vault.

**To sign up for the preview, write to us at AskAzureBackupTeam@microsoft.com**

Supported backup actions

| Action | Support |
| --- | --- |
| Back up a VM that's shut down/offline | Supported.<br><br>Snapshot is crash-consistent only, not app-consistent. |
| Back up disks after migrating to managed disks | Supported.<br><br>Backup will continue to work. No action is required. |
| Back up managed disks after enabling resource group lock | Not supported.<br><br>Azure Backup can't delete the older restore points, and backups will start to fail when the maximum limit of restore points is reached. |
| Modify backup policy for a VM | Supported.<br><br>The VM will be backed up by using the schedule and retention settings in the new policy. If retention settings are extended, existing recovery points are marked and kept. If they're reduced, existing recovery points will be pruned in the next cleanup job and eventually deleted. |
| Cancel a backup job | Supported during snapshot process.<br><br>Not supported when the snapshot is being transferred to the vault. |
| Back up the VM to a different region or subscription | Not supported.<br><br>To successfully back up, virtual machines must be in the same subscription as the vault for backup. |
| Backups per day (via the Azure VM extension) | One scheduled backup per day.<br><br>The Azure Backup service supports up to nine on-demand backups per day, but Microsoft recommends no more than four daily on-demand backups to ensure best performance. |
| Backups per day (via the MARS agent) | Three scheduled backups per day. |
| Backups per day (via DPM/MABS) | Two scheduled backups per day. |
| Monthly/yearly backup | Not supported when backing up with Azure VM extension. Only daily and weekly is supported.<br><br>You can set up the policy to retain daily/weekly backups for monthly/yearly retention period. |
| Automatic clock adjustment | Not supported.<br><br>Azure Backup doesn't automatically adjust for daylight saving time changes when backing up a VM.<br><br>Modify the policy manually as needed. |
| Security features for hybrid backup | Disabling security features isn't supported. |
| Back up the VM whose machine time is changed | Not supported.<br><br>If the machine time is changed to a future date-time after enabling backup for that VM, successful backup is not guaranteed, even if the time change is reverted. |

Operating system support (Windows)

The following table summarizes the supported operating systems when backing up Windows Azure VMs.

| Scenario | OS support |
| --- | --- |
| Back up with Azure VM agent extension | - Windows 10 Client (64 bit only)<br>- Windows Server 2019 (Datacenter/Datacenter Core/Standard)<br>- Windows Server 2016 (Datacenter/Datacenter Core/Standard)<br>- Windows Server 2012 R2 (Datacenter/Standard)<br>- Windows Server 2012 (Datacenter/Standard)<br>- Windows Server 2008 R2 (RTM and SP1 Standard)<br>- Windows Server 2008 (64 bit only) |
| Back up with MARS agent | Supported operating systems. |
| Back up with DPM/MABS | Supported operating systems for backup with MABS and DPM. |

Azure Backup doesn't support 32-bit operating systems.

Support for Linux backup

Here's what's supported if you want to back up Linux machines.

| Action | Support |
| --- | --- |
| Back up Linux Azure VMs with the Linux Azure VM agent | File consistent backup.<br><br>App-consistent backup using custom scripts.<br><br>During restore, you can create a new VM, restore a disk and use it to create a VM, or restore a disk and use it to replace a disk on an existing VM. You can also restore individual files and folders. |
| Back up Linux Azure VMs with MARS agent | Not supported.<br><br>The MARS agent can only be installed on Windows machines. |
| Back up Linux Azure VMs with DPM/MABS | Not supported. |

Operating system support (Linux)

For Azure VM Linux backups, Azure Backup supports the list of Linux distributions endorsed by Azure. Note the following:

  • Azure Backup doesn't support Core OS Linux.
  • Azure Backup doesn't support 32-bit operating systems.
  • Other bring-your-own Linux distributions might work as long as the Azure VM agent for Linux is available on the VM, and as long as Python is supported.
  • Azure Backup doesn't support a proxy-configured Linux VM if it does not have Python version 2.7 installed.

Backup frequency and retention

| Setting | Limits |
| --- | --- |
| Maximum recovery points per protected instance (machine/workload) | 9999. |
| Maximum expiry time for a recovery point | No limit. |
| Maximum backup frequency to vault (Azure VM extension) | Once a day. |
| Maximum backup frequency to vault (MARS agent) | Three backups per day. |
| Maximum backup frequency to DPM/MABS | Every 15 minutes for SQL Server.<br><br>Once an hour for other workloads. |
| Recovery point retention | Daily, weekly, monthly, and yearly. |
| Maximum retention period | Depends on backup frequency. |
| Recovery points on DPM/MABS disk | 64 for file servers, and 448 for app servers.<br><br>Tape recovery points are unlimited for on-premises DPM. |

Supported restore methods

| Restore option | Details |
| --- | --- |
| Create a new VM | Quickly creates and gets a basic VM up and running from a restore point.<br><br>You can specify a name for the VM, select the resource group and virtual network (VNet) in which it will be placed, and specify a storage account for the restored VM. The new VM must be created in the same region as the source VM. |
| Restore disk | Restores a VM disk, which can then be used to create a new VM.<br><br>Azure Backup provides a template to help you customize and create a VM.<br><br>The restore job generates a template that you can download and use to specify custom VM settings, and create a VM.<br><br>The disks are copied to the Resource Group you specify.<br><br>Alternatively, you can attach the disk to an existing VM, or create a new VM using PowerShell.<br><br>This option is useful if you want to customize the VM, add configuration settings that weren't there at the time of backup, or add settings that must be configured using the template or PowerShell. |
| Replace existing | You can restore a disk, and use it to replace a disk on the existing VM.<br><br>The current VM must exist. If it's been deleted, this option can't be used.<br><br>Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point.<br><br>The snapshot is copied to the vault, and retained in accordance with the retention policy.<br><br>After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they are not needed.<br><br>Replace existing is supported for unencrypted managed VMs. It's not supported for unmanaged disks, generalized VMs, or for VMs created using custom images.<br><br>If the restore point has more or fewer disks than the current VM, then the number of disks in the restore point will only reflect the VM configuration.<br><br>Replace existing isn't supported for VMs with linked resources (like user-assigned managed-identity or Key Vault) because the backup client-app doesn't have permissions on these resources while performing the restore. |
| Cross Region (secondary region) | Cross Region restore can be used to restore Azure VMs in the secondary region, which is an Azure paired region.<br><br>You can restore all the Azure VMs for the selected recovery point if the backup is done in the secondary region.<br><br>This feature is available for the options below:<br>- Create a VM<br>- Restore Disks<br><br>We don't currently support the Replace existing disks option.<br><br>Permissions<br>The restore operation in the secondary region can be performed by Backup Admins and App admins. |

Support for file-level restore

| Restore | Supported |
| --- | --- |
| Restoring files across operating systems | You can restore files on any machine that has the same (or compatible) OS as the backed-up VM. See the Compatible OS table. |
| Restoring files from encrypted VMs | Not supported. |
| Restoring files from network-restricted storage accounts | Not supported. |
| Restoring files on VMs using Windows Storage Spaces | Restore not supported on same VM.<br><br>Instead, restore the files on a compatible VM. |
| Restore files on Linux VM using LVM/raid arrays | Restore not supported on same VM.<br><br>Restore on a compatible VM. |
| Restore files with special network settings | Restore not supported on same VM.<br><br>Restore on a compatible VM. |

Support for VM management

The following table summarizes support for backup during VM management tasks, such as adding or replacing VM disks.

| Restore | Supported |
| --- | --- |
| Restore across subscription/region/zone. | Not supported. |
| Restore to an existing VM | Use replace disk option. |
| Restore disk with storage account enabled for Azure Storage Service Encryption (SSE) | Not supported.<br><br>Restore to an account that doesn't have SSE enabled. |
| Restore to mixed storage accounts | Not supported.<br><br>Based on the storage account type, all restored disks will be either premium or standard, and not mixed. |
| Restore VM directly to an availability set | For managed disks, you can restore the disk and use the availability set option in the template.<br><br>Not supported for unmanaged disks. For unmanaged disks, restore the disk, and then create a VM in the availability set. |
| Restore backup of unmanaged VMs after upgrading to managed VM | Supported.<br><br>You can restore disks, and then create a managed VM. |
| Restore VM to restore point before the VM was migrated to managed disks | Supported.<br><br>You restore to unmanaged disks (default), convert the restored disks to managed disk, and create a VM with the managed disks. |
| Restore a VM that's been deleted. | Supported.<br><br>You can restore the VM from a recovery point. |
| Restore a domain controller (DC) VM that is part of a multi-DC configuration through portal | Supported if you restore the disk and create a VM by using PowerShell. |
| Restore VM in different virtual network | Supported.<br><br>The virtual network must be in the same subscription and region. |

VM compute support

| Compute | Support |
| --- | --- |
| VM size | Any Azure VM size with at least 2 CPU cores and 1-GB RAM. |
| Back up VMs in availability sets | Supported.<br><br>You can't restore a VM in an availability set by using the option to quickly create a VM. Instead, when you restore the VM, restore the disk and use it to deploy a VM, or restore a disk and use it to replace an existing disk. |
| Back up VMs that are deployed with Hybrid Use Benefit (HUB) | Supported. |
| Back up VMs that are deployed in a scale set | Not supported. |
| Back up VMs that are deployed from the Azure Marketplace<br><br>(Published by Microsoft, third party) | Supported.<br><br>The VM must be running a supported operating system.<br><br>When recovering files on the VM, you can restore only to a compatible OS (not an earlier or later OS). We do not restore Azure Marketplace VMs backed up as VMs, as these need purchase information; they are restored only as disks. |
| Back up VMs that are deployed from a custom image (third-party) | Supported.<br><br>The VM must be running a supported operating system.<br><br>When recovering files on the VM, you can restore only to a compatible OS (not an earlier or later OS). |
| Back up VMs that are migrated to Azure | Supported.<br><br>To back up the VM, the VM agent must be installed on the migrated machine. |
| Back up Multi-VM consistency | Azure Backup does not provide data and application consistency across multiple VMs. |
| Backup with Diagnostic Settings | Unsupported.<br><br>If the restore of the Azure VM with diagnostic settings is triggered using Create New option, then the restore fails. |
| Restore of Zone-pinned VMs | Supported (for VMs that are backed up after Jan 2019 and where availability zones are available).<br><br>We currently support restoring to the same zone that is pinned in VMs. However, if the zone is unavailable, restore fails. |
| Gen2 VMs | Supported.<br><br>Azure Backup supports backup and restore of Gen2 VMs. When these VMs are restored from a recovery point, they are restored as Gen2 VMs. |
| Backup of Azure VMs with locks | Unsupported for unmanaged VMs.<br><br>Supported for managed VMs. |

VM storage support

| Component | Support |
| --- | --- |
| Azure VM data disks | Support for backup of Azure VMs with up to 32 disks is in public preview in all regions except National Clouds (Azure Government, Azure China and Azure Germany).<br><br>Support for backup of Azure VMs with unmanaged disks or classic VMs is up to 16 disks only. |
| Data disk size | Individual disk size can be up to 32 TB and a maximum of 256 TB combined for all disks in a VM. |
| Storage type | Standard HDD, Standard SSD, Premium SSD. |
| Managed disks | Supported. |
| Encrypted disks | Supported.<br><br>Azure VMs enabled with Azure Disk Encryption can be backed up (with or without the Azure AD app).<br><br>Encrypted VMs can't be recovered at the file/folder level. You must recover the entire VM.<br><br>You can enable encryption on VMs that are already protected by Azure Backup. |
| Disks with Write Accelerator enabled | Not supported.<br><br>Azure Backup automatically excludes the disks with Write Accelerator (WA) enabled during backup. Since they are not backed up, you will not be able to restore these disks from recovery points of the VM.<br><br>Important note: Virtual machines with WA disks need internet connectivity for a successful backup (even though those disks are excluded from the backup). |
| Back up & Restore deduplicated VMs/disks | Azure Backup does not support deduplication. For more information, see this article.<br><br>- Azure Backup does not deduplicate across VMs in the Recovery Services vault.<br><br>- If there are VMs in deduplication state during restore, the files can't be restored as the vault does not understand the format. However, you will be able to successfully perform the full VM restore. |
| Add disk to protected VM | Supported. |
| Resize disk on protected VM | Supported. |
| Shared storage | Backing up VMs using Cluster Shared Volume (CSV) or Scale-Out File Server is not supported. CSV writers are likely to fail during backup. On restore, disks containing CSV volumes might not come up. |
| Shared disks | Not supported. |

VM network support

| Component | Support |
| --- | --- |
| Number of network interfaces (NICs) | Up to maximum number of NICs supported for a specific Azure VM size.<br><br>NICs are created when the VM is created during the restore process.<br><br>The number of NICs on the restored VM mirrors the number of NICs on the VM when you enabled protection. Removing NICs after you enable protection doesn't affect the count. |
| External/internal load balancer | Supported.<br><br>Learn more about restoring VMs with special network settings. |
| Multiple reserved IP addresses | Supported.<br><br>Learn more about restoring VMs with special network settings. |
| VMs with multiple network adapters | Supported.<br><br>Learn more about restoring VMs with special network settings. |
| VMs with public IP addresses | Supported.<br><br>Associate an existing public IP address with the NIC, or create an address and associate it with the NIC after restore is done. |
| Network security group (NSG) on NIC/subnet. | Supported. |
| Static IP address | Not supported.<br><br>A new VM that's created from a restore point is assigned a dynamic IP address.<br><br>For classic VMs, you can't back up a VM with a reserved IP address and no defined endpoint. |
| Dynamic IP address | Supported.<br><br>If the NIC on the source VM uses dynamic IP addressing, by default the NIC on the restored VM will use it too. |
| Azure Traffic Manager | Supported.<br><br>If the backed-up VM is in Traffic Manager, manually add the restored VM to the same Traffic Manager instance. |
| Azure DNS | Supported. |
| Custom DNS | Supported. |
| Outbound connectivity via HTTP proxy | Supported.<br><br>An authenticated proxy isn't supported. |
| Virtual network service endpoints | Supported.<br><br>Firewall and virtual network storage account settings should allow access from all networks. |

VM security and encryption support

Azure Backup supports encryption for in-transit and at-rest data:

Network traffic to Azure:

  • Backup traffic from servers to the Recovery Services vault is encrypted by using Advanced Encryption Standard 256.

  • Backup data is sent over a secure HTTPS link.

  • The backup data is stored in the Recovery Services vault in encrypted form.

  • Only you have the passphrase to unlock this data. Microsoft can't decrypt the backup data at any point.

    Warning

    After you set up the vault, only you have access to the encryption key. Microsoft never maintains a copy and doesn't have access to the key. If the key is misplaced, Microsoft can't recover the backup data.

Data security:

  • When backing up Azure VMs, you need to set up encryption within the virtual machine.
  • Azure Backup supports Azure Disk Encryption, which uses BitLocker on Windows virtual machines and dm-crypt on Linux virtual machines.
  • On the back end, Azure Backup uses Azure Storage Service encryption, which protects data at rest.

| Machine | In transit | At rest |
| --- | --- | --- |
| On-premises Windows machines without DPM/MABS | Yes | Yes |
| Azure VMs | Yes | Yes |
| On-premises/Azure VMs with DPM | Yes | Yes |
| On-premises/Azure VMs with MABS | Yes | Yes |

VM compression support

Backup supports the compression of backup traffic, as summarized in the following table. Note the following:

  • For Azure VMs, the VM extension reads the data directly from the Azure storage account over the storage network. It is not necessary to compress this traffic.
  • If you're using DPM or MABS, you can save bandwidth by compressing the data before it's backed up to DPM/MABS.

| Machine | Compress to MABS/DPM (TCP) | Compress to vault (HTTPS) |
| --- | --- | --- |
| On-premises Windows machines without DPM/MABS | NA | Yes |
| Azure VMs | NA | NA |
| On-premises/Azure VMs with DPM | Yes | Yes |
| On-premises/Azure VMs with MABS | Yes | Yes |
