Manage Azure Backup Immutable vault operations
This article describes how to manage Azure Backup Immutable vault operations for Recovery Services vault and Backup vault.
Immutable vault can help you protect your backup data by blocking any operations that could lead to loss of recovery points. Further, you can lock the Immutable vault setting to make it irreversible to prevent any malicious actors from disabling immutability and deleting backups.
Enable Immutable vault
You can enable immutability for a vault through its properties.
Choose a vault
To enable Immutable vault for a Recovery Services vault, follow these steps:
Go to the Recovery Services vault for which you want to enable immutability.
On the vault, go to Properties > Immutable vault, and then select Settings.
On Immutable vault, select the Enable vault immutability checkbox to enable immutability for the vault.
At this point, immutability of the vault is reversible, and it can be disabled, if needed.
Once you enable immutability, the option to lock the immutability for the vault appears.
Once you enable this lock, it makes immutability setting for the vault irreversible. While this helps secure the backup data in the vault, we recommend you make a well-informed decision when opting to lock. You can also test and validate how the current settings of the vault, backup policies, and so on, meet your requirements and can lock the immutability setting later.
Select Apply to save the changes.
Perform operations on Immutable vault
As per the Restricted operations, certain operations are restricted on Immutable vault. However, other operations on the vault or the items it contains remain unaffected.
Perform restricted operations
Restricted operations are disallowed on the vault. Consider the following example when trying to modify a policy to reduce its retention in a vault with immutability enabled. This example shows operation on the Recovery Services vaults; however, similar experiences apply for other operations and operations on the Backup vaults.
Consider a policy with a daily backup point retention of 35 days and weekly backup point retention of two weeks, as shown in the following screenshot.
Now, let's try to reduce the retention of daily backup points to 30 days, reducing by 5 days, and save the policy.
You'll see that the operation fails with the information that the vault has immutability enabled, and therefore, any changes that could reduce retention of recovery points are disallowed.
Now, let's try to increase the retention of daily backup points to 40 days, increasing by 5 days, and save the policy.
This time, the operation successfully passes as no recovery points can be deleted as part of this update.
However, increasing the retention of backup items that are in suspended state isn't supported.
Let's try to stop backup on a VM and choose Retain as per policy for backup data retention.
Now, let's go to Modify Policy and try to increase the retention of daily backup points to 45 days, increasing the value by 5 days, and save the policy.
When you try to update the policy, the operation fails with an error and you can't modify the policy as the backup is in suspended state.
Disable immutability
You can disable immutability only for vaults that have immutability enabled, but not locked.
Choose a vault
To disable immutability for a Recovery Services vault, follow these steps:
Go to the Recovery Services vault for which you want to disable immutability.
In the vault, go to Properties > Immutable vault, and then select Settings.
On the Immutable vault blade, clear the Enable vault Immutability checkbox.
Select Apply to save the changes.
