Design for Azure Backup

In this article, we explore the robust architecture of the Azure Backup service. We discuss its design considerations, supported workloads, and strategies for storing backup data, as well as best practices for configuring Recovery Services Vaults.

Azure Backup is a versatile solution that supports both Azure and non-Azure workloads. As illustrated in the diagram below, multiple backup sources on the left feed data into a centralized backup storage system on the right.

Data Collection and Backup Processes

Azure Backup employs several methods for data collection and backup:

• Backup Agents: Installed on on-premises or non-Azure systems, these agents collect and send data directly to Azure Backup.
• Built-In Backup: Native backup features are available for services such as Azure Virtual Machines, Azure File Shares, Microsoft SQL Server, SAP, and more.

This unified backup solution encompasses essential features like a restore point manager, high availability, integrated storage management, and data tiering. With everything centralized, there is no need for additional storage provisioning or external restore point managers.

Backup Storage Architecture

Azure Backup categorizes backup data into dedicated vaults for optimized management:

• Backup Vault: Used for storing backup data for services like Azure Database for PostgreSQL, Blob storage, and disks.
• Recovery Services Vault: Protects Azure Virtual Machines, SQL databases, SAP systems, backup servers, backup agents, and Data Protection Manager (DPM). For on-premises workloads, components such as backup agents and DPM extend backup capabilities beyond Azure.

Below are important design considerations and best practices when planning your Recovery Services Vault:

Vault Organization

• Maintain separate vaults for different environments (e.g., production, development, testing).
• Configure production workloads with geo-redundant storage (GRS) to ensure high availability, while development systems may use locally redundant storage (LRS).
• Organize vaults by subscription, environment, or application based on your organizational needs.

Policy Enforcement

Use Azure Policy to enforce consistent configurations and compliance rules across all vaults. This ensures every vault adheres to standard policies and best practices.

Region Availability

Deploy Azure Backup components in the same region as the Recovery Services Vault. For example, if you have a Virtual Machine in the East US region, ensure the corresponding vault is also located in East US.

Access Control

Access to the Recovery Services Vault is managed using Azure Role-Based Access Control (RBAC). This ensures that only authorized users can manage backup resources, enhancing overall security.

Data Redundancy

By default, a newly created Recovery Services Vault is configured with geo-redundant storage (GRS). Consider the following points regarding redundancy settings:

• The Azure portal does not allow changes to the redundancy option during the initial vault creation.
• Before onboarding any resources, you can modify the redundancy setting (e.g., from LRS to zone-redundant storage (ZRS)).
• Once a resource such as a Virtual Machine is backed up in the vault, the redundancy option becomes locked.
• To switch from GRS to LRS after onboarding, you must delete the existing vault, create a new one with the desired redundancy, and then onboard the resource again.

Getting Started with Service Backup Configurations

Next, we will detail the backup configuration process for various services, starting with Azure Blob Storage. This guide will walk you through leveraging Azure Backup effectively while adhering to industry best practices.

For additional information and detailed documentation, consider visiting:

• Azure Backup Documentation
• Azure Recovery Services Vault Overview

By following these design principles and best practices, you can build a robust and scalable backup solution that meets the needs of your organization.