Theoretical Foundation: Create an Azure Backup Vault
1. Initial Intuitionβ
In the previous content, you learned about the Recovery Services Vault, a vault capable of protecting VMs, databases, and on-premises machines, in addition to supporting disaster recovery via Azure Site Recovery.
The Azure Backup Vault is a newer vault, created for a specific category of modern Azure workloads. Think of the distinction this way: the Recovery Services Vault is a general-purpose vault, built years ago and protecting a broad spectrum of resources. The Backup Vault is a specialized vault, designed from scratch to integrate more recent Azure native services with a more modern API architecture.
The analogy: if the Recovery Services Vault is a traditional bank vault that stores everything (jewelry, documents, money), the Backup Vault is a specialized digital vault, built specifically for cloud-native digital assets, with more modern access and management protocols.
In practice, the Backup Vault serves to protect resources such as:
- Azure Disks (managed disks independent of VMs)
- Azure Blobs (operational protection of storage accounts)
- Azure Database for PostgreSQL
- Azure Kubernetes Service (AKS)
- Azure Database for MySQL Flexible Server
2. Contextβ
Microsoft introduced the Backup Vault as part of a backup platform modernization. The Recovery Services Vault was built on older APIs and has architectural limitations for supporting new Azure services with the same elegance.
The Backup Vault exists because Microsoft needed a resource that:
- Supported the new generation backup API (Datasource API) used by more recent services
- Offered Backup Center as a central management point in a more native way
- Integrated with Azure Policy more flexibly for new workloads
- Allowed independent evolution without breaking Recovery Services Vault compatibility
The critical point for AZ-104: you must know which vault to use for each workload. Using the wrong type simply doesn't work; new services don't appear as options in the Recovery Services Vault.
3. Concept Constructionβ
3.1 Backup Vault Componentsβ
Backup Vault: the regional container that stores backup data and configuration metadata for supported workloads.
Backup Policy: set of rules that defines backup frequency, retention, and storage tier. In the Backup Vault, policies are specific per datasource type.
Datasource: any Azure resource that can be protected by the vault. Each datasource type has its own policy rules and behavior.
Backup Instance: the association between a specific datasource and a policy. When you enable backup of a specific Azure Disk with a policy, this creates a Backup Instance.
3.2 Storage Redundancyβ
Like the Recovery Services Vault, the Backup Vault offers redundancy options. However, there are important differences:
| Type | Acronym | Availability in Backup Vault |
|---|---|---|
| Locally Redundant Storage | LRS | Available |
| Geo-Redundant Storage | GRS | Available |
| Zone-Redundant Storage | ZRS | Available (in supported regions) |
The configuration immutability rule repeats: redundancy can only be changed before the first backup is executed.
3.3 Managed Identityβ
This is an exclusively relevant concept in the Backup Vault that deserves special attention.
The Backup Vault uses Managed Identity to access Azure resources during backup and restore operations. This means that, unlike traditional credentials, the vault authenticates in Azure AD automatically without you needing to manage passwords or certificates.
Two types of Managed Identity:
- System-assigned: created automatically when enabled in the vault; linked to the vault's lifecycle. If the vault is deleted, the identity is deleted
- User-assigned: created independently and can be associated with multiple resources
For backup to work, you must grant the vault's identity the correct RBAC permissions on the resources that will be protected. For example, to backup an Azure Disk, the vault needs the Disk Backup Reader role on the source disk and Disk Snapshot Contributor on the Resource Group destination for snapshots.
3.4 Backup Tiersβ
The Backup Vault supports two storage tiers for certain datasources:
Operational Tier (Snapshot Tier): backup data is stored in the same region, as snapshots or operational data. Faster restoration, shorter retention, lower cost per access.
Vault Tier: data is transferred to vault storage, with longer retention and additional protection against accidental deletion.
Not all datasources support both tiers. For example, Azure Blobs backup operates exclusively in the Operational Tier (data remains in the storage account itself). Azure Disks backup can only use the Vault Tier from a certain point.
4. Structural Viewβ
5. Practical Operationβ
Backup Vault Lifecycleβ
The flow has a step that doesn't exist in the Recovery Services Vault and is frequently forgotten: RBAC configuration for the Managed Identity. Without this step, backup fails with permission errors.
Required permissions per datasourceβ
| Datasource | Role on source resource | Role on destination |
|---|---|---|
| Azure Disk | Disk Backup Reader on disk | Disk Snapshot Contributor on snapshots RG |
| Azure Blob | Storage Account Backup Contributor on account | N/A (operational, no external destination) |
| PostgreSQL Flexible | Backup Reader on server | N/A |
| AKS | Reader on AKS cluster | Contributor on snapshots RG |
6. Implementation Methodsβ
6.1 Azure Portalβ
When to use: one-time creation, learning environments, initial configuration.
Steps:
- Search "Backup vaults" in Azure portal
- Click "Create"
- Fill in:
- Subscription: correct subscription
- Resource Group: existing or new
- Backup vault name: 2 to 50 characters, alphanumeric and hyphens
- Region: same region as resources to protect
- Backup storage redundancy: LRS, ZRS or GRS
- Click "Review + Create" then "Create"
After creation, access the vault:
- In Identity, enable System-assigned Managed Identity
- Navigate to the resource to protect and assign necessary RBAC roles to the vault's identity
- Create a Backup Policy compatible with the desired datasource
- Configure the Backup Instance (protect the specific resource)
6.2 Azure CLIβ
When to use: automation, repeatable scripts, pipelines.
# Create Resource Group
az group create \
--name rg-backupvault-prod \
--location brazilsouth
# Create Backup Vault
az dataprotection backup-vault create \
--resource-group rg-backupvault-prod \
--vault-name bvault-prod-brazilsouth \
--location brazilsouth \
--storage-settings datastore-type="VaultStore" type="LocallyRedundant"
# Enable Managed Identity (system-assigned)
az dataprotection backup-vault update \
--resource-group rg-backupvault-prod \
--vault-name bvault-prod-brazilsouth \
--type SystemAssigned
Note that the command is
az dataprotection, notaz backup. The Backup Vault uses the Microsoft.DataProtection API namespace, while the Recovery Services Vault uses Microsoft.RecoveryServices. This reflects the architectural difference between the two.
# Create policy for Azure Disk
az dataprotection backup-policy create \
--resource-group rg-backupvault-prod \
--vault-name bvault-prod-brazilsouth \
--name policy-disk-daily \
--policy @disk-policy.json
6.3 Azure PowerShellβ
When to use: corporate Windows environments, automation integrated with existing PowerShell scripts.
# Create Backup Vault
$storagesetting = New-AzDataProtectionBackupVaultStorageSettingObject `
-Type LocallyRedundant `
-DataStoreType VaultStore
New-AzDataProtectionBackupVault `
-ResourceGroupName "rg-backupvault-prod" `
-VaultName "bvault-prod-brazilsouth" `
-Location "brazilsouth" `
-StorageSetting $storagesetting
# Enable Managed Identity
$vault = Get-AzDataProtectionBackupVault `
-ResourceGroupName "rg-backupvault-prod" `
-VaultName "bvault-prod-brazilsouth"
Update-AzDataProtectionBackupVault `
-ResourceGroupName "rg-backupvault-prod" `
-VaultName "bvault-prod-brazilsouth" `
-IdentityType SystemAssigned
The corresponding PowerShell module is
Az.DataProtection, notAz.RecoveryServices. Make sure you have the module installed:Install-Module Az.DataProtection.
6.4 ARM Templateβ
When to use: Infrastructure as Code, versioned and repeatable deployments.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.DataProtection/backupVaults",
"apiVersion": "2023-01-01",
"name": "bvault-prod-brazilsouth",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"storageSettings": [
{
"datastoreType": "VaultStore",
"type": "LocallyRedundant"
}
]
}
}
]
}
6.5 Terraformβ
When to use: multi-cloud environments, teams that have already adopted Terraform as standard IaC.
resource "azurerm_resource_group" "backup" {
name = "rg-backupvault-prod"
location = "Brazil South"
}
resource "azurerm_data_protection_backup_vault" "main" {
name = "bvault-prod-brazilsouth"
resource_group_name = azurerm_resource_group.backup.name
location = azurerm_resource_group.backup.location
datastore_type = "VaultStore"
redundancy = "LocallyRedundant"
identity {
type = "SystemAssigned"
}
}
7. Control and Securityβ
RBAC in Backup Vaultβ
The Backup Vault uses the same specific backup roles as the Recovery Services Vault for administrative access to the vault itself. For protected resources, it uses specific roles per datasource via Managed Identity.
| Role (on vault) | Capability |
|---|---|
| Backup Contributor | Create/manage backups, policies and instances |
| Backup Operator | Trigger backups, restore. Cannot configure |
| Backup Reader | Read-only |
Soft Delete in Backup Vaultβ
The Backup Vault also supports Soft Delete. When enabled:
- Backup data is retained for a configurable period after deletion
- Deletion can be undone during the retention period
- The vault with items in soft delete cannot be deleted
Immutabilityβ
Identical to Recovery Services Vault in concept:
| State | Behavior |
|---|---|
| Disabled | No protection |
| Enabled (unlocked) | Immutable, but reversible |
| Enabled (locked) | Immutable and irreversible |
8. Decision Makingβ
Backup Vault vs Recovery Services Vaultβ
This is the most important decision related to the topic:
| Workload to protect | Correct vault | Reason |
|---|---|---|
| Azure Virtual Machines | Recovery Services Vault | Not supported in Backup Vault |
| SQL Server on VMs | Recovery Services Vault | Not supported in Backup Vault |
| Azure Files | Recovery Services Vault | Not supported in Backup Vault |
| On-premises (MARS/MABS) | Recovery Services Vault | Not supported in Backup Vault |
| Azure Managed Disks | Backup Vault | Only supported in Backup Vault |
| Azure Blob Storage | Backup Vault | Only supported in Backup Vault |
| PostgreSQL Flexible Server | Backup Vault | Only supported in Backup Vault |
| AKS | Backup Vault | Only supported in Backup Vault |
| MySQL Flexible Server | Backup Vault | Only supported in Backup Vault |
Storage redundancyβ
| Situation | Best choice | Reason |
|---|---|---|
| Critical production disks | GRS | Protection against regional disaster |
| Operational blobs with short retention | LRS | Operational backup; lower cost |
| Dev/test environment | LRS | Minimum cost |
| Zonal availability requirement | ZRS | Protects against zone failure |
9. Best Practicesβ
Standardized naming: use convention like bvault-[environment]-[region], such as bvault-prod-brazilsouth, to clearly differentiate from Recovery Services Vaults.
Enable Managed Identity immediately: don't create the vault without enabling managed identity next. Without it, no Backup Instance can be created.
Document and automate RBAC assignments: Managed Identity permissions on resources are the most common failure point. Automate via ARM/Terraform/Bicep to ensure consistency.
Separate vaults by environment and workload type: don't mix Disks and Blobs in the same vault if they belong to distinct environments (prod vs dev), as this complicates RBAC and policies.
Test restore regularly: Disks backup, for example, creates incremental snapshots. An untested restore can reveal problems at the wrong time.
Use tags: apply Environment, Owner, CostCenter and Application for cost visibility and governance.
10. Common Errorsβ
Error: trying to protect a VM with Backup Vault Why it happens: confusion between the two vault types. How to avoid: memorize the workloads table. VMs always go to Recovery Services Vault.
Error: forgetting to assign RBAC to Managed Identity Why it happens: Recovery Services Vault doesn't require this step, so those migrating from one to the other forget. How to avoid: include the RBAC step in the Backup Vault creation checklist or template. Automate via IaC.
Error: using wrong CLI/PowerShell namespace
Why it happens: trying to use az backup or Az.RecoveryServices to manage Backup Vault.
How to avoid: remember that Backup Vault uses az dataprotection and Az.DataProtection.
Error: changing redundancy after first backup Why it happens: same trap as Recovery Services Vault; the operator doesn't configure before starting protection. How to avoid: configure storage redundancy before creating any Backup Instance.
Error: not configuring snapshots Resource Group before protecting Disks Why it happens: when protecting an Azure Disk, it's necessary to inform a Resource Group where snapshots will be stored. Many operators don't provision this RG in advance. How to avoid: create the snapshots Resource Group as part of the environment provisioning process, before configuring backups.
11. Operation and Maintenanceβ
Monitoringβ
In the Backup Center (centralized hub that aggregates both Recovery Services Vaults and Backup Vaults), monitor:
- Backup jobs: failures indicate permission, connectivity, or configuration issues
- Backup instances: instances with "Protection Error" status require immediate attention
- Datasource health: alerts integrated with Azure Monitor
Important limitsβ
| Limit | Value |
|---|---|
| Backup Vaults per subscription | No documented limit (organize by RG) |
| Backup Instances per vault | 2000 instances |
| Policies per vault | 100 policies |
| Maximum retention (Disk backup) | 30 days in Vault Tier |
| Maximum retention (Blob backup) | 360 days operational |
| Maximum retention (PostgreSQL) | 10 years in Vault Tier |
Cost managementβ
Costs composed of:
- Protected instance: based on datasource type and size
- Storage: volume of snapshots or data in vault (LRS, ZRS, GRS)
- Restore transactions: read and write operations during restoration
12. Integration and Automationβ
Backup Centerβ
The Backup Center is the unified dashboard that aggregates Recovery Services Vaults and Backup Vaults in a single view. It's the central point for:
- Monitoring backup jobs from both vault types
- Creating backup policies and instances
- Executing restores
- Configuring alerts and reports
Azure Policy for Backup Vaultβ
Available built-in policies:
- Configure backup for Azure Disks: ensures that managed disks are automatically protected when created
- Configure backup for Azure Blobs: applies operational protection to storage accounts
Automation via REST APIβ
The Backup Vault uses the Microsoft.DataProtection namespace in REST calls:
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataProtection/backupVaults/{vaultName}?api-version=2023-01-01
With body:
{
"location": "brazilsouth",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"storageSettings": [
{
"datastoreType": "VaultStore",
"type": "LocallyRedundant"
}
]
}
}
13. Final Summaryβ
What it is: regional container of Azure's next-generation backup, based on the Microsoft.DataProtection API, designed to protect modern native workloads like Managed Disks, Blobs, PostgreSQL Flexible, and AKS.
Essential points:
- The Backup Vault is distinct from Recovery Services Vault and supports different workloads
- Uses the Microsoft.DataProtection namespace (CLI:
az dataprotection, PowerShell:Az.DataProtection) - Requires Managed Identity enabled and RBAC configured on resources to protect
- Storage redundancy can only be changed before the first backup
- The Backup Center unifies the view of both vault types
- Soft Delete and Immutability are available with the same behavior as Recovery Services Vault
Critical differences between Backup Vault and Recovery Services Vault:
| Aspect | Backup Vault | Recovery Services Vault |
|---|---|---|
| API Namespace | Microsoft.DataProtection | Microsoft.RecoveryServices |
| CLI | az dataprotection | az backup |
| PowerShell | Az.DataProtection | Az.RecoveryServices |
| Mandatory Managed Identity | Yes, to access resources | No (uses VM extension) |
| Supported workloads | Disks, Blobs, PostgreSQL, AKS, MySQL | VMs, SQL, Files, On-premises, SAP |
| ASR (Site Recovery) | Not supported | Supported |
| Maturity | More recent | More mature and comprehensive |
What needs to be remembered for AZ-104:
- Identify the workload correctly and choose the corresponding vault
- Backup Vault requires RBAC on Managed Identity as mandatory post-creation step
- The CLI and PowerShell namespace is different from Recovery Services Vault
- The destination Resource Group for snapshots must exist before protecting Azure Disks
- Configure storage redundancy before any Backup Instance