Best practice for allowing recovery of a deleted Storage Account

Question

We are undertaking a cleanup of our storage accounts where we will be deleting potentially dozens of them.

From my understanding, the soft delete function, snapshots and protecting blobs using Azure Backup vault are not relevant here because we are deleting the storage account itself.

My question is basically - if we wanted to recover the data within a storage account that we had deleted - what would be the best way to protect it beforehand?

Thanks

Answer 1

I disagree with your point;

Azure Backup vault are not relevant

That's precisely the solution here that allows you to keep a backup of your data whilst deleting the storage account.

After backing up the Files from the storage account to a backup vault it will create a backup policy and a delete lock on the storage account.

You'll need to stop the backup policy, choosing to retain the data, and then go to the storage account and remove the AzureBackupProtectionLock before then being able to delete the storage account itself. (Note this applied to "Files" only in the storage account, not "Blobs".)

I'd suggest creating a new storage account and becoming happy with this process (and that of restoring to a new account) if you're not familiar with it to avoid losing any data.

---

Where you have a very defined objective of wanting to delete data, but setting out guardrails for the teams using the storage accounts a safer method could be Lifecycle management policies. You would defined a number of days to either move files to a cheaper, less accessible tier or deletion. https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal

Answer 2

Thank you for your reply.

I have tested creating a backup policy for Azure Blobs in my Backup Vault for a test SA but the outcome isn't what I expected.

There was no option to stop the policy, only Delete. And in order to delete the policy I have to delete the Backup Instance which is using it (i.e. my storage account backup). There is no option on the Backup Instance to retain data, only Delete.

If I skip the step of stopping the policy and/or Backup Instance and go straight to deletion of lock and SA, then I find that the recovery points on the Backup vault are no longer present therefore I cannot restore the SA contents.

Answer 3

Hi @mij2020

I’m from the Azure Backup Team.

Operational backup for blobs is a local backup solution. So the backup data isn't transferred to the Backup vault, but is stored in the source storage account itself.

It will use blob point-in-time restore to store data locally and allow restores when needed.

 

While configuring the backup for blobs you can select if you wish to add a lock on the storage account, this will prevent storage account deletion.

 

If you remove the lock and delete the storage account, I confirm that you will permanently delete its contents, backup included.

 

Therefore, if you want to keep the backup data, you need to keep the lock or, configure an immutable policy applied to the account, or to any residing containers or blobs, this way the account will not be deleted.

For more information: Overview of immutable storage for blob data - Azure Storage | Microsoft Docs

 

If the requirement is to delete the storage accounts, keep in mind, that you will loose the backups.

 

I also confirm that you won’t be able to stop the backup, you have only the option to delete.

 

Hope that this could clarify.

Thank you!

---

If the response helped, do "Accept Answer" and up-vote it