Technical Lab: Create and configure a backup policy
Questionsβ
Question 1 β Multiple Choiceβ
An operations team needs to ensure that virtual machines in three different Azure regions are protected by backups with distinct policies: one with 30-day retention, another with 90 days, and a third with 1 year. The Recovery Services Vault was created in the East US region.
Which statement correctly describes the relationship between vaults and regions in this scenario?
A) A single vault can protect VMs from any region, as backup is a global Azure service.
B) A separate vault must be created in each region where the VMs are hosted, as the vault must be co-located with the protected resources.
C) The vault can protect VMs from other regions, but backup data always travels to the vault's region, which may increase costs and latency.
D) A single vault can contain distinct policies applied to VMs from different regions, as long as the VMs are in the same subscription.
Question 2 β Technical Scenarioβ
An administrator configured a VM backup in Azure Backup with the following policy:
Frequency: Daily
Time: 02:00 UTC
Daily point retention: 7 days
Weekly point retention: 4 weeks (Sunday)
Monthly point retention: Not configured
Annual point retention: Not configured
After 35 days, the administrator verifies that recovery points older than 7 days are still available. He concludes that the policy is defective.
What is the correct explanation for this behavior?
A) Azure Backup ignores daily retention when there's overlap with weekly points, keeping the oldest point as reference.
B) Sunday points that qualify as weekly points are retained for 4 weeks, even though the 7-day daily retention period has expired, because retention rules accumulate.
C) There's a 30-day grace period in Azure Backup before any recovery point is deleted, regardless of the configured policy.
D) The policy was overridden by a default vault policy that enforces a minimum 30-day retention.
Question 3 β True or Falseβ
When deleting a Recovery Services Vault in Azure, the operation completes successfully even if there are protected backup items and retained data within the vault.
Question 4 β Technical Scenarioβ
A company needs to protect a SQL Server database hosted on an Azure VM. The administrator navigates to the Recovery Services Vault and tries to add the backup, but SQL Server doesn't appear in the list of available workloads for selection.
Vault: vault-producao-eastus
Backup type: Azure Virtual Machine -> (SQL Server not listed)
What is the most likely cause and correct action?
A) SQL Server backup on VM is not supported by Azure Backup; the correct solution is to use Azure SQL Managed Instance.
B) The correct workload type for SQL Server on VM is SQL in Azure VM, and the AzureBackupWindowsWorkload extension needs to be installed and registered on the VM before SQL appears as a protectable item.
C) The vault needs to be recreated with Application Aware type enabled during creation, as this option cannot be changed after provisioning.
D) SQL Server is only visible in the vault after manually running an initial snapshot via Azure CLI with the --workload-type MSSQL parameter.
Question 5 β Multiple Choiceβ
An administrator needs to ensure that backup data from critical VMs cannot be deleted by any operator, even in case of compromised credentials, for a minimum period of 90 days after the recovery point creation.
Which Azure Backup feature directly meets this requirement?
A) Enable Soft Delete on the vault with 90-day retention, as it protects data against accidental deletion for an additional 14 days after the request.
B) Apply an Azure Policy that denies the Microsoft.RecoveryServices/vaults/delete operation for all operators.
C) Configure Immutability on the vault with the Locked option, preventing any entity from modifying or deleting recovery points before the configured period ends.
D) Create a ReadOnly resource lock on the vault, which prevents deletions while active.
Answer Key and Explanationsβ
Answer Key β Question 1β
Answer: B
Explanation:
- A Recovery Services Vault is a regional resource: it can only protect resources located in the same region where the vault was created. This is a fundamental architectural limitation, not a subscription or policy restriction.
- Alternative A is false because Azure Backup is not a global service; the vault is explicitly tied to a region.
- Alternative C describes incorrect behavior: it's not possible to use a vault from one region to protect VMs from another region, regardless of cost considerations.
- Alternative D correctly mixes subscription scope with regional scope, but the premise is wrong: the vault doesn't cross regions. For the described scenario, the correct solution is to create a vault in each region.
Answer Key β Question 2β
Answer: B
Explanation:
- Azure Backup applies retention rules additively: a recovery point is kept as long as any retention rule still covers it. A point created on a Sunday can simultaneously qualify as both a daily point and a weekly point.
- In this case, the Sunday point is retained for 4 weeks by the weekly rule, even though the 7-day daily rule has already expired for that date.
- Alternative A reverses the logic: Azure Backup doesn't ignore daily retention; it keeps the point for the longest period among all applicable rules.
- Alternatives C and D describe non-existent behaviors in the product. There's no global 30-day grace period, and vault default policies don't override custom policies already applied.
Answer Key β Question 3β
Answer: False
Explanation:
- Azure Backup enforces explicit protection that prevents deletion of a vault containing protected items or retained data. The deletion operation fails with an error until all backup items are disassociated and retention data is removed or expired.
- This restriction exists precisely to avoid accidental loss of recovery data. The administrator must stop protection for each item, delete associated backup data, and only then delete the vault.
- This behavior is relevant in environment decommissioning scenarios and is a common failure point in automations that try to destroy resources in incorrect order.
Answer Key β Question 4β
Answer: B
Explanation:
- Azure Backup distinguishes between backing up the VM as a whole (disk snapshot) and backing up the SQL Server workload within the VM. For the second scenario, the correct type is SQL in Azure VM, and the
AzureBackupWindowsWorkloadextension needs to be installed on the VM and databases need to be discovered by the vault before appearing as protectable items. - The correct process includes: selecting the vault, using the Discover DBs option pointing to the VM, which installs the extension and automatically registers SQL instances.
- Alternative A is wrong: SQL Server backup on VM is widely supported and is a primary use case for Azure Backup.
- Alternatives C and D describe fictitious behaviors: there's no Application Aware vault type configured at creation, and there's no
--workload-type MSSQLCLI parameter for initial snapshot.
Answer Key β Question 5β
Answer: C
Explanation:
- The Immutability feature with Locked mode prevents any entity, including global administrators, from deleting or modifying recovery points during the configured period. Once locked, Locked mode cannot be reverted, making it suitable for compliance requirements and protection against ransomware attacks with credential compromise.
- Alternative A describes Soft Delete, which protects against accidental deletion by offering a 14-day recovery window after deletion request. It doesn't prevent deletion by privileged operators and doesn't guarantee the 90 days required in the statement.
- Alternative B applies a restriction to the vault as a resource, but doesn't protect internal recovery points against deletion by operators with vault permissions.
- Alternative D uses a ReadOnly lock that prevents deletion of the vault itself, but doesn't protect backup management operations within the vault, such as recovery point deletion via backup service API.