There are several configuration options to consider:

- Vault settings
  - Enable Soft Delete: Protects deleted backups for 14 days to prevent accidental or malicious deletion.
  - Enable Multi-User Authorization (MUA): Requires additional approval for critical backup operations to prevent insider threats.
  - Enable Immutable Vault: Ensures that backups cannot be modified or deleted before their retention period expires.
  - Use Geo-Redundant Storage (GRS): Stores backup data across multiple Azure regions for disaster recovery. If cost is a concern, consider ZRS (Zone-Redundant Storage) for regional redundancy.
  - Enable Backup Security Features:
    - MFA and Role-Based Access Control (RBAC) to restrict backup operations.
    - Azure Defender for Backup to detect and mitigate threats.
- VM backup policy
  - Use Daily and Hourly Snapshots for Critical VMs:
    - Daily backups for non-critical workloads (7-30 days retention).
    - Hourly snapshots for mission-critical workloads (short-term retention for rapid recovery).
  - Enable Instant Restore: Allows restoring files and folders from snapshots without restoring the full VM.
  - Use Application-Consistent Backups: Ensures transactional consistency for VMs running SQL Server, Exchange, or Active Directory.
  - Configure Long-Term Retention:
    - Weekly (4 weeks), Monthly (12 months), Yearly (5-10 years).
    - Store critical backups in an archive tier to reduce costs.
- Storage and network
  - Enable Private Endpoints for Backup Vault: Ensures backup traffic remains within Azure Virtual Network (VNet), avoiding exposure to public internet.
  - Use Encrypted Disks and Backup Data Encryption:
    - Use Azure Disk Encryption (ADE) or Customer-Managed Keys (CMK) for VM disks.
    - Enable encryption for backup data in transit and at rest.
  - Geo-Distribute Backup Vaults:
    - Deploy multiple Recovery Services Vaults across regions for geo-failover.
    - Store mission-critical workloads in separate vaults.
- Additional ransomware and security considerations
  - Enable Cross-Region Restore (CRR): Allows backup restoration in a secondary region in case of regional outages.
  - Use Managed Identity for Backup Operations: Reduces exposure to credentials and secrets.
  - Enable Multi-Factor Authentication (MFA) for Backup Operations:
    - Require MFA for backup modification or deletion requests.
    - Restrict backup access using Conditional Access policies.
hth
Marcin
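
The checklist in the answer above, expressed as an automated check over a vault description. This is an added example, not part of the original answer and not Azure's API: the field names are hypothetical (not Azure property names), the sample vaults are constructed, and the weekly and monthly retention figures are treated as minimums by assumption.

```python
# Added example: audit a vault/policy description against the answer's checklist.
# Field names are hypothetical, not Azure API property names; sample data is constructed.

def in_range(lo, hi=None):
    """Predicate: a real integer >= lo (and <= hi when hi is given)."""
    return lambda v: (isinstance(v, int) and not isinstance(v, bool)
                      and v >= lo and (hi is None or v <= hi))

def is_on(v):
    """Predicate: the setting is explicitly enabled (missing counts as off)."""
    return v is True

# (setting, predicate, finding reported when the predicate fails)
RULES = [
    ("soft_delete", is_on, "soft delete is not enabled"),
    ("multi_user_authorization", is_on, "MUA is not enabled"),
    ("immutable_vault", is_on, "immutable vault is not enabled"),
    ("redundancy", lambda v: v in ("GRS", "ZRS"), "storage is neither GRS nor ZRS"),
    ("private_endpoint", is_on, "no private endpoint on the vault"),
    ("daily_retention_days", in_range(7, 30), "daily retention outside 7-30 days"),
    ("weekly_retention_weeks", in_range(4), "weekly retention under 4 weeks"),
    ("monthly_retention_months", in_range(12), "monthly retention under 12 months"),
    ("yearly_retention_years", in_range(5, 10), "yearly retention outside 5-10 years"),
]

def audit(settings):
    """Return the list of findings; an empty list means the checklist is met."""
    findings = [msg for key, ok, msg in RULES if not ok(settings.get(key))]
    # Cross-Region Restore depends on geo-redundant storage, so the GRS-or-ZRS
    # choice in the checklist interacts with the CRR item.
    if settings.get("cross_region_restore") is True and settings.get("redundancy") != "GRS":
        findings.append("cross-region restore requested without GRS")
    return findings

# Constructed sample: a vault left close to defaults.
WEAK = {"soft_delete": False, "immutable_vault": False, "redundancy": "LRS",
        "private_endpoint": False, "cross_region_restore": True,
        "daily_retention_days": 3, "weekly_retention_weeks": 4,
        "monthly_retention_months": 12, "yearly_retention_years": 5}

# Constructed sample: the same vault with the checklist applied.
HARDENED = {"soft_delete": True, "multi_user_authorization": True,
            "immutable_vault": True, "redundancy": "GRS", "private_endpoint": True,
            "cross_region_restore": True, "daily_retention_days": 30,
            "weekly_retention_weeks": 4, "monthly_retention_months": 12,
            "yearly_retention_years": 7}

if __name__ == "__main__":
    for name, vault in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(vault) or "OK")
```
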