Recommended configuration options for Azure Backup for Azure VM

Artem Shaturskyi 145 Reputation points
2025-01-29T12:05:02.7933333+00:00

Hello!
What are the recommended configuration options for Azure Backup/Business Continuity Center to ensure maximum protection for the virtual machine backup routine? What should be enabled on each resource in the VM backup infrastructure to guarantee best backup availability and security?


Accepted answer
  Marcin Policht 35,595 Reputation points MVP
    2025-01-29T12:10:38.6+00:00

    There are several configuration options to consider:

    1. Vault settings
    • Enable Soft Delete: Protects deleted backups for 14 days to prevent accidental or malicious deletion.
    • Enable Multi-User Authorization (MUA): Requires additional approval for critical backup operations to prevent insider threats.
    • Enable Immutable Vault: Ensures that backups cannot be modified or deleted before their retention period expires.
    • Use Geo-Redundant Storage (GRS): Stores backup data across multiple Azure regions for disaster recovery. If cost is a concern, consider ZRS (Zone-Redundant Storage) for regional redundancy.
    • Enable Backup Security Features:
      • MFA and Role-Based Access Control (RBAC) to restrict backup operations.
      • Azure Defender for Backup to detect and mitigate threats.
    2. VM backup policy
    • Use Daily and Hourly Snapshots for Critical VMs:
      • Daily backups for non-critical workloads (7-30 days retention).
      • Hourly snapshots for mission-critical workloads (short-term retention for rapid recovery).
    • Enable Instant Restore: Allows restoring files and folders from snapshots without restoring the full VM.
    • Use Application-Consistent Backups: Ensures transactional consistency for VMs running SQL Server, Exchange, or Active Directory.
    • Configure Long-Term Retention:
      • Weekly (4 weeks), Monthly (12 months), Yearly (5-10 years).
      • Store critical backups in an archive tier to reduce costs.
    3. Storage and network
    • Enable Private Endpoints for Backup Vault: Ensures backup traffic remains within Azure Virtual Network (VNet), avoiding exposure to public internet.
    • Use Encrypted Disks and Backup Data Encryption:
      • Use Azure Disk Encryption (ADE) or Customer-Managed Keys (CMK) for VM disks.
      • Enable encryption for backup data in transit and at rest.
    • Geo-Distribute Backup Vaults:
      • Deploy multiple Recovery Services Vaults across regions for geo-failover.
      • Store mission-critical workloads in separate vaults.
    4. Additional ransomware and security considerations
    • Enable Cross-Region Restore (CRR): Allows backup restoration in a secondary region in case of regional outages.
    • Use Managed Identity for Backup Operations: Reduces exposure to credentials and secrets.
    • Enable Multi-Factor Authentication (MFA) for Backup Operations:
      • Require MFA for backup modification or deletion requests.
      • Restrict backup access using Conditional Access policies.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
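
The vault, storage and network items from the accepted answer can be turned into an automated check. The script below is an added example, not code from the answer or from Microsoft; it audits a vault record in the shape of the Microsoft.RecoveryServices/vaults resource properties (the field names are an assumption to verify against `az backup vault show` in your own tenant) and reports which checklist items are not met.

```python
# Added example (not from the original answer): audit a Recovery Services vault
# record against the vault, storage and network settings listed above. The field
# names follow the Microsoft.RecoveryServices/vaults resource as an assumption.
def audit_vault(vault: dict) -> list:
    """Return findings for settings that fall short of the checklist; [] means clean."""
    p = vault.get("properties", {})
    sec = p.get("securitySettings", {})
    findings = []
    # Soft delete: keeps deleted backups recoverable for 14 days
    soft = sec.get("softDeleteSettings", {})
    if soft.get("softDeleteState") not in ("Enabled", "AlwaysOn"):
        findings.append("soft delete is not enabled")
    elif soft.get("softDeleteRetentionPeriodInDays", 0) < 14:
        findings.append("soft delete retention is shorter than 14 days")
    # MUA: critical operations need a second approver
    if sec.get("multiUserAuthorization") != "Enabled":
        findings.append("multi-user authorization (MUA) is not enabled")
    # Immutable vault: recovery points cannot be deleted before expiry
    if sec.get("immutabilitySettings", {}).get("state") not in ("Unlocked", "Locked"):
        findings.append("immutable vault is not enabled")
    # Redundancy: GRS or ZRS, and GRS only helps if cross-region restore is on
    red = p.get("redundancySettings", {})
    tier = red.get("standardTierStorageRedundancy")
    if tier not in ("GeoRedundant", "ZoneRedundant"):
        findings.append("backup storage is not geo- or zone-redundant")
    if tier == "GeoRedundant" and red.get("crossRegionRestore") != "Enabled":
        findings.append("GRS vault without cross-region restore")
    # Network: backup traffic should stay on private endpoints
    if p.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public network access is enabled; use private endpoints")
    return findings

# Constructed sample records (not real vaults): one weak, one hardened.
WEAK_VAULT = {"properties": {
    "securitySettings": {"softDeleteSettings": {"softDeleteState": "Disabled"},
                         "multiUserAuthorization": "Disabled",
                         "immutabilitySettings": {"state": "Disabled"}},
    "redundancySettings": {"standardTierStorageRedundancy": "LocallyRedundant"},
    "publicNetworkAccess": "Enabled"}}
HARDENED_VAULT = {"properties": {
    "securitySettings": {"softDeleteSettings": {"softDeleteState": "AlwaysOn",
                                                "softDeleteRetentionPeriodInDays": 14},
                         "multiUserAuthorization": "Enabled",
                         "immutabilitySettings": {"state": "Locked"}},
    "redundancySettings": {"standardTierStorageRedundancy": "GeoRedundant",
                           "crossRegionRestore": "Enabled"},
    "publicNetworkAccess": "Disabled"}}

if __name__ == "__main__":
    for name, v in (("weak", WEAK_VAULT), ("hardened", HARDENED_VAULT)):
        print(name, audit_vault(v) or ["all checks passed"])
```

Feed it the JSON of each vault you manage to get a per-vault list of the answer's items that still need attention.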
