Azure Backup

Part of 202404071304 Resiliency Overview

We back up because we want to restore. Service-level backups, such as SQL, work differently.

  • Backup Center provides a single pane of glass focused on the protected workload
  • At the simplest level Azure also provides backup services via recovery vaults & backup
  • These can be used by backup applications and many Azure components (including VMs via extension) in addition to hybrid
  • Data can then be recovered when needed / Restore from backups
  • Delta-based storage with many recovery points
  • Retention settings enable day, week, month and year retention goals
    • Default: snapshots kept for 2 days
    • Default: VM for 30 days
  • Integration layer
    • Storage: snapshots for VMs, files, etc.
    • Stream: for databases
  • Availability and security
    • Azure RBAC and encryption
    • Vaults can have local, zone-redundant or geo-redundant configuration
    • Soft-delete feature (deleted data stored for 14 days)
  • Can be used for:
    • On-premises (agent-based)
    • Azure (built-in)
  • Microsoft Azure Recovery Services (MARS) agent for backing up files, specific disks, etc.
  • Azure Backup Access Tiers
  • Recovery Services vault must be in the same region as the resources you want to back up
  • Scheduled backups still run even if the VM is shut down
  • Up to 100 VMs can be attached to a single backup policy

Protecting backups

  1. Consider PIM for JIT access for backup admins, but assume they will have access.
  2. Create a resource guard
    1. In a different subscription, maybe a different AAD tenant
  3. For any critical operation they have to use PIM to elevate to the resource guard level, so someone has to approve.
  4. Also have immutable vaults (can't be deleted before expiry time)
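
One way to check an inventory of vaults against the four steps above, as an added example that is not part of the original notes. The record schema (`resource_guard_id`, `backup_admins`, `guard_standing_access`, `immutable`, `soft_delete`), the names and the subscription IDs are assumptions made for illustration; only the ARM resource ID layout is Azure's own.

```python
import re

# ARM resource IDs begin with /subscriptions/<subscription-id>/...
_SUB = re.compile(r"^/subscriptions/([^/]+)/", re.IGNORECASE)

def subscription_of(resource_id):
    m = _SUB.match(resource_id)
    if not m:
        raise ValueError(f"not an ARM resource ID: {resource_id!r}")
    return m.group(1).lower()

def audit_vault(v):
    """Check one vault record (hypothetical schema) against steps 1-4."""
    findings = []
    guard = v.get("resource_guard_id")
    if not guard:
        findings.append("no resource guard protects critical operations")
    else:
        if subscription_of(guard) == subscription_of(v["id"]):
            findings.append("resource guard is in the vault's own subscription")
        # Backup admins should reach the guard only through approved PIM elevation,
        # so any admin with a standing role on the guard defeats the approval step.
        admins = set(v.get("backup_admins", []))
        for who in sorted(admins & set(v.get("guard_standing_access", []))):
            findings.append(f"{who} has standing access to the resource guard")
    if not v.get("immutable"):
        findings.append("vault is not immutable")
    if not v.get("soft_delete"):
        findings.append("soft delete is disabled")
    return findings

# Constructed sample inventory; IDs, names and field names are made up.
SUB_A = "/subscriptions/00000000-0000-0000-0000-00000000000a"
SUB_B = "/subscriptions/00000000-0000-0000-0000-00000000000b"
VAULT = "/resourceGroups/rg-backup/providers/Microsoft.RecoveryServices/vaults/"
GUARD = "/resourceGroups/rg-guard/providers/Microsoft.DataProtection/resourceGuards/"
INVENTORY = [
    {"id": SUB_A + VAULT + "vault-good", "resource_guard_id": SUB_B + GUARD + "guard1",
     "backup_admins": ["alice"], "guard_standing_access": ["secops"],
     "immutable": True, "soft_delete": True},
    {"id": SUB_A + VAULT + "vault-weak", "resource_guard_id": SUB_A + GUARD + "guard2",
     "backup_admins": ["alice", "bob"], "guard_standing_access": ["bob"],
     "immutable": False, "soft_delete": True},
]

if __name__ == "__main__":
    for vault in INVENTORY:
        for finding in audit_vault(vault) or ["ok"]:
            print(f"{vault['id'].rsplit('/', 1)[-1]}: {finding}")
```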

references:

Backup intro
