Microsoft.RecoveryServices vaults
Bicep resource definition
The vaults resource type can be deployed to:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.RecoveryServices/vaults resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.RecoveryServices/vaults@2023-01-01' = {
name: 'string'
location: 'string'
tags: {
tagName1: 'tagValue1'
tagName2: 'tagValue2'
}
sku: {
capacity: 'string'
family: 'string'
name: 'string'
size: 'string'
tier: 'string'
}
etag: 'string'
identity: {
type: 'string'
userAssignedIdentities: {}
}
properties: {
encryption: {
infrastructureEncryption: 'string'
kekIdentity: {
userAssignedIdentity: 'string'
useSystemAssignedIdentity: bool
}
keyVaultProperties: {
keyUri: 'string'
}
}
monitoringSettings: {
azureMonitorAlertSettings: {
alertsForAllJobFailures: 'string'
}
classicAlertSettings: {
alertsForCriticalOperations: 'string'
}
}
moveDetails: {}
publicNetworkAccess: 'string'
redundancySettings: {}
securitySettings: {
immutabilitySettings: {
state: 'string'
}
}
upgradeDetails: {}
}
}
Property values
vaults
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) Character limit: 2-50 Valid characters: Alphanumerics and hyphens. Start with letter. |
| location | Resource location. | string (required) |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| sku | Identifies the unique system identifier for each Azure resource. | Sku |
| etag | Optional ETag. | string |
| identity | Identity for the resource. | IdentityData |
| properties | Properties of the vault. | VaultProperties |
IdentityData
| Name | Description | Value |
|---|---|---|
| type | The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identities. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The list of user-assigned identities associated with the resource. The user-assigned identity dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | object |
VaultProperties
| Name | Description | Value |
|---|---|---|
| encryption | Customer Managed Key details of the resource. | VaultPropertiesEncryption |
| monitoringSettings | Monitoring Settings of the vault | MonitoringSettings |
| moveDetails | The details of the latest move operation performed on the Azure Resource | VaultPropertiesMoveDetails |
| publicNetworkAccess | property to enable or disable resource provider inbound network traffic from public clients | 'Disabled' 'Enabled' |
| redundancySettings | The redundancy Settings of a Vault | VaultPropertiesRedundancySettings |
| securitySettings | Security Settings of the vault | SecuritySettings |
| upgradeDetails | Details for upgrading vault. | UpgradeDetails |
VaultPropertiesEncryption
| Name | Description | Value |
|---|---|---|
| infrastructureEncryption | Enabling/Disabling the Double Encryption state | 'Disabled' 'Enabled' |
| kekIdentity | The details of the identity used for CMK | CmkKekIdentity |
| keyVaultProperties | The properties of the Key Vault which hosts CMK | CmkKeyVaultProperties |
CmkKekIdentity
| Name | Description | Value |
|---|---|---|
| userAssignedIdentity | The user assigned identity to be used to grant permissions in case the type of identity used is UserAssigned | string |
| useSystemAssignedIdentity | Indicate that system assigned identity should be used. Mutually exclusive with 'userAssignedIdentity' field | bool |
CmkKeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyUri | The key uri of the Customer Managed Key | string |
MonitoringSettings
| Name | Description | Value |
|---|---|---|
| azureMonitorAlertSettings | Settings for Azure Monitor based alerts | AzureMonitorAlertSettings |
| classicAlertSettings | Settings for classic alerts | ClassicAlertSettings |
AzureMonitorAlertSettings
| Name | Description | Value |
|---|---|---|
| alertsForAllJobFailures | 'Disabled' 'Enabled' |
ClassicAlertSettings
| Name | Description | Value |
|---|---|---|
| alertsForCriticalOperations | 'Disabled' 'Enabled' |
VaultPropertiesMoveDetails
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
VaultPropertiesRedundancySettings
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
SecuritySettings
| Name | Description | Value |
|---|---|---|
| immutabilitySettings | Immutability Settings of a vault | ImmutabilitySettings |
ImmutabilitySettings
| Name | Description | Value |
|---|---|---|
| state | 'Disabled' 'Locked' 'Unlocked' |
UpgradeDetails
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
Sku
| Name | Description | Value |
|---|---|---|
| capacity | The sku capacity | string |
| family | The sku family | string |
| name | Name of SKU is RS0 (Recovery Services 0th version) and the tier is standard tier. They do not have affect on backend storage redundancy or any other vault settings. To manage storage redundancy, use the backupstorageconfig | 'RS0' 'Standard' (required) |
| size | The sku size | string |
| tier | The Sku tier. | string |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
IBM Cloud Pak for Data on Azure |
This template deploys an Openshift cluster on Azure with all the required resources, infrastructure and then deploys IBM Cloud Pak for Data along with the add-ons that user chooses. |
| Openshift Container Platform 4.3 |
Openshift Container Platform 4.3 |
| Backup existing File Share using Recovery Services (Daily) |
This template configures protection for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values. |
| Backup existing File Share using Recovery Services (hourly) |
This template configures protection with hourly frequency for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values. |
| Backup Resource Manager VMs using Recovery Services vault |
This template will use existing recovery services vault and existing backup policy, and configures backup of multiple Resource Manager VMs that belong to same resource group |
| Create Recovery Services Vault and Enable Diagnostics |
This template creates a Recovery Services Vault and enables diagnostics for Azure Backup. This also deploys storage account and oms workspace. |
| Create Recovery Services Vault with backup policies |
This template creates a Recovery Services Vault with backup policies and configure optional features such system identity, backup storage type, cross region restore and diagnostics logs and a delete lock. |
| Deploy a Windows VM and enable backup using Azure Backup |
This template allows you to deploy a Windows VM and Recovery Services Vault configured with the DefaultPolicy for Protection. |
| Create Daily Backup Policy for RS Vault to protect IaaSVMs |
This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs. |
| Create Recovery Services Vault with default options |
Simple template that creates a Recovery Services Vault. |
| Create a Recovery Services vault with advanced options |
This template creates a Recovery Services vault that will be used further for Backup and Site Recovery. |
| Azure Backup for Workload in Azure Virtual Machines |
This template creates a Recovery Services Vault and a Workload specific Backup Policy. Registers VM with Backup service and Configures Protection |
| Create Weekly Backup Policy for RS Vault to protect IaaSVMs |
This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs. |
ARM template resource definition
The vaults resource type can be deployed to:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.RecoveryServices/vaults resource, add the following JSON to your template.
{
"type": "Microsoft.RecoveryServices/vaults",
"apiVersion": "2023-01-01",
"name": "string",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"sku": {
"capacity": "string",
"family": "string",
"name": "string",
"size": "string",
"tier": "string"
},
"etag": "string",
"identity": {
"type": "string",
"userAssignedIdentities": {}
},
"properties": {
"encryption": {
"infrastructureEncryption": "string",
"kekIdentity": {
"userAssignedIdentity": "string",
"useSystemAssignedIdentity": "bool"
},
"keyVaultProperties": {
"keyUri": "string"
}
},
"monitoringSettings": {
"azureMonitorAlertSettings": {
"alertsForAllJobFailures": "string"
},
"classicAlertSettings": {
"alertsForCriticalOperations": "string"
}
},
"moveDetails": {},
"publicNetworkAccess": "string",
"redundancySettings": {},
"securitySettings": {
"immutabilitySettings": {
"state": "string"
}
},
"upgradeDetails": {}
}
}
Property values
vaults
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.RecoveryServices/vaults' |
| apiVersion | The resource api version | '2023-01-01' |
| name | The resource name | string (required) Character limit: 2-50 Valid characters: Alphanumerics and hyphens. Start with letter. |
| location | Resource location. | string (required) |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| sku | Identifies the unique system identifier for each Azure resource. | Sku |
| etag | Optional ETag. | string |
| identity | Identity for the resource. | IdentityData |
| properties | Properties of the vault. | VaultProperties |
IdentityData
| Name | Description | Value |
|---|---|---|
| type | The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identities. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The list of user-assigned identities associated with the resource. The user-assigned identity dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | object |
VaultProperties
| Name | Description | Value |
|---|---|---|
| encryption | Customer Managed Key details of the resource. | VaultPropertiesEncryption |
| monitoringSettings | Monitoring Settings of the vault | MonitoringSettings |
| moveDetails | The details of the latest move operation performed on the Azure Resource | VaultPropertiesMoveDetails |
| publicNetworkAccess | property to enable or disable resource provider inbound network traffic from public clients | 'Disabled' 'Enabled' |
| redundancySettings | The redundancy Settings of a Vault | VaultPropertiesRedundancySettings |
| securitySettings | Security Settings of the vault | SecuritySettings |
| upgradeDetails | Details for upgrading vault. | UpgradeDetails |
VaultPropertiesEncryption
| Name | Description | Value |
|---|---|---|
| infrastructureEncryption | Enabling/Disabling the Double Encryption state | 'Disabled' 'Enabled' |
| kekIdentity | The details of the identity used for CMK | CmkKekIdentity |
| keyVaultProperties | The properties of the Key Vault which hosts CMK | CmkKeyVaultProperties |
CmkKekIdentity
| Name | Description | Value |
|---|---|---|
| userAssignedIdentity | The user assigned identity to be used to grant permissions in case the type of identity used is UserAssigned | string |
| useSystemAssignedIdentity | Indicate that system assigned identity should be used. Mutually exclusive with 'userAssignedIdentity' field | bool |
CmkKeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyUri | The key uri of the Customer Managed Key | string |
MonitoringSettings
| Name | Description | Value |
|---|---|---|
| azureMonitorAlertSettings | Settings for Azure Monitor based alerts | AzureMonitorAlertSettings |
| classicAlertSettings | Settings for classic alerts | ClassicAlertSettings |
AzureMonitorAlertSettings
| Name | Description | Value |
|---|---|---|
| alertsForAllJobFailures | 'Disabled' 'Enabled' |
ClassicAlertSettings
| Name | Description | Value |
|---|---|---|
| alertsForCriticalOperations | 'Disabled' 'Enabled' |
VaultPropertiesMoveDetails
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
VaultPropertiesRedundancySettings
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
SecuritySettings
| Name | Description | Value |
|---|---|---|
| immutabilitySettings | Immutability Settings of a vault | ImmutabilitySettings |
ImmutabilitySettings
| Name | Description | Value |
|---|---|---|
| state | 'Disabled' 'Locked' 'Unlocked' |
UpgradeDetails
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
Sku
| Name | Description | Value |
|---|---|---|
| capacity | The sku capacity | string |
| family | The sku family | string |
| name | Name of SKU is RS0 (Recovery Services 0th version) and the tier is standard tier. They do not have affect on backend storage redundancy or any other vault settings. To manage storage redundancy, use the backupstorageconfig | 'RS0' 'Standard' (required) |
| size | The sku size | string |
| tier | The Sku tier. | string |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| IBM Cloud Pak for Data on Azure |
This template deploys an Openshift cluster on Azure with all the required resources, infrastructure and then deploys IBM Cloud Pak for Data along with the add-ons that user chooses. |
| Openshift Container Platform 4.3 |
Openshift Container Platform 4.3 |
| Backup existing File Share using Recovery Services (Daily) |
This template configures protection for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values. |
| Backup existing File Share using Recovery Services (hourly) |
This template configures protection with hourly frequency for an existing File Share present in an existing Storage Account. It creates a new or uses an existing Recovery Services Vault and Backup Policy based on the set parameter values. |
| Backup Resource Manager VMs using Recovery Services vault |
This template will use existing recovery services vault and existing backup policy, and configures backup of multiple Resource Manager VMs that belong to same resource group |
| Create Recovery Services Vault and Enable Diagnostics |
This template creates a Recovery Services Vault and enables diagnostics for Azure Backup. This also deploys storage account and oms workspace. |
| Create Recovery Services Vault with backup policies |
This template creates a Recovery Services Vault with backup policies and configure optional features such system identity, backup storage type, cross region restore and diagnostics logs and a delete lock. |
| Deploy a Windows VM and enable backup using Azure Backup |
This template allows you to deploy a Windows VM and Recovery Services Vault configured with the DefaultPolicy for Protection. |
| Create Daily Backup Policy for RS Vault to protect IaaSVMs |
This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs. |
| Create Recovery Services Vault with default options |
Simple template that creates a Recovery Services Vault. |
| Create a Recovery Services vault with advanced options |
This template creates a Recovery Services vault that will be used further for Backup and Site Recovery. |
| Azure Backup for Workload in Azure Virtual Machines |
This template creates a Recovery Services Vault and a Workload specific Backup Policy. Registers VM with Backup service and Configures Protection |
| Create Weekly Backup Policy for RS Vault to protect IaaSVMs |
This template creates Recovery service vault and a Daily Backup Policy that can be used to protect classic and ARM based IaaS VMs. |
Terraform (AzAPI provider) resource definition
The vaults resource type can be deployed to:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.RecoveryServices/vaults resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.RecoveryServices/vaults@2023-01-01"
name = "string"
location = "string"
parent_id = "string"
tags = {
tagName1 = "tagValue1"
tagName2 = "tagValue2"
}
identity {
type = "string"
identity_ids = []
}
body = jsonencode({
properties = {
encryption = {
infrastructureEncryption = "string"
kekIdentity = {
userAssignedIdentity = "string"
useSystemAssignedIdentity = bool
}
keyVaultProperties = {
keyUri = "string"
}
}
monitoringSettings = {
azureMonitorAlertSettings = {
alertsForAllJobFailures = "string"
}
classicAlertSettings = {
alertsForCriticalOperations = "string"
}
}
moveDetails = {}
publicNetworkAccess = "string"
redundancySettings = {}
securitySettings = {
immutabilitySettings = {
state = "string"
}
}
upgradeDetails = {}
}
sku = {
capacity = "string"
family = "string"
name = "string"
size = "string"
tier = "string"
}
etag = "string"
})
}
Property values
vaults
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.RecoveryServices/vaults@2023-01-01" |
| name | The resource name | string (required) Character limit: 2-50 Valid characters: Alphanumerics and hyphens. Start with letter. |
| location | Resource location. | string (required) |
| parent_id | To deploy to a resource group, use the ID of that resource group. | string (required) |
| tags | Resource tags. | Dictionary of tag names and values. |
| sku | Identifies the unique system identifier for each Azure resource. | Sku |
| etag | Optional ETag. | string |
| identity | Identity for the resource. | IdentityData |
| properties | Properties of the vault. | VaultProperties |
IdentityData
| Name | Description | Value |
|---|---|---|
| type | The type of managed identity used. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' will remove any identities. | "SystemAssigned" "SystemAssigned, UserAssigned" "UserAssigned" (required) |
| identity_ids | The list of user-assigned identities associated with the resource. The user-assigned identity dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | Array of user identity IDs. |
VaultProperties
| Name | Description | Value |
|---|---|---|
| encryption | Customer Managed Key details of the resource. | VaultPropertiesEncryption |
| monitoringSettings | Monitoring Settings of the vault | MonitoringSettings |
| moveDetails | The details of the latest move operation performed on the Azure Resource | VaultPropertiesMoveDetails |
| publicNetworkAccess | property to enable or disable resource provider inbound network traffic from public clients | "Disabled" "Enabled" |
| redundancySettings | The redundancy Settings of a Vault | VaultPropertiesRedundancySettings |
| securitySettings | Security Settings of the vault | SecuritySettings |
| upgradeDetails | Details for upgrading vault. | UpgradeDetails |
VaultPropertiesEncryption
| Name | Description | Value |
|---|---|---|
| infrastructureEncryption | Enabling/Disabling the Double Encryption state | "Disabled" "Enabled" |
| kekIdentity | The details of the identity used for CMK | CmkKekIdentity |
| keyVaultProperties | The properties of the Key Vault which hosts CMK | CmkKeyVaultProperties |
CmkKekIdentity
| Name | Description | Value |
|---|---|---|
| userAssignedIdentity | The user assigned identity to be used to grant permissions in case the type of identity used is UserAssigned | string |
| useSystemAssignedIdentity | Indicate that system assigned identity should be used. Mutually exclusive with 'userAssignedIdentity' field | bool |
CmkKeyVaultProperties
| Name | Description | Value |
|---|---|---|
| keyUri | The key uri of the Customer Managed Key | string |
MonitoringSettings
| Name | Description | Value |
|---|---|---|
| azureMonitorAlertSettings | Settings for Azure Monitor based alerts | AzureMonitorAlertSettings |
| classicAlertSettings | Settings for classic alerts | ClassicAlertSettings |
AzureMonitorAlertSettings
| Name | Description | Value |
|---|---|---|
| alertsForAllJobFailures | "Disabled" "Enabled" |
ClassicAlertSettings
| Name | Description | Value |
|---|---|---|
| alertsForCriticalOperations | "Disabled" "Enabled" |
VaultPropertiesMoveDetails
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
VaultPropertiesRedundancySettings
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
SecuritySettings
| Name | Description | Value |
|---|---|---|
| immutabilitySettings | Immutability Settings of a vault | ImmutabilitySettings |
ImmutabilitySettings
| Name | Description | Value |
|---|---|---|
| state | "Disabled" "Locked" "Unlocked" |
UpgradeDetails
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
Sku
| Name | Description | Value |
|---|---|---|
| capacity | The sku capacity | string |
| family | The sku family | string |
| name | Name of SKU is RS0 (Recovery Services 0th version) and the tier is standard tier. They do not have affect on backend storage redundancy or any other vault settings. To manage storage redundancy, use the backupstorageconfig | "RS0" "Standard" (required) |
| size | The sku size | string |
| tier | The Sku tier. | string |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for