Azure infrastructure backup and restore from the resource group level

Question

I am implementing cost optimization where I am working. We have a challenge where some of the infrastructure which exists is 'unknown' we monitor it for useage and implement lifecycling where possiblr to optimize costs. The storage accounts are the easiest likely suspects to monitor for this...

Once the optimization gets to a point and we still find th infrastructure unused we want to implement a snapshot of the environment at the resource group level befoe shutting down the resource group.

I have not yet tested the process.

I'm looking into Veeam as a potential to help with this challenge as the company already uses it on prem and we would just extend whatever the licensing agreement is assuming it does the trick.

I'd love some feedback.

The solution does not have to be Veeam.

Answer 1

Azure Backup does not support taking a single “snapshot of everything in a resource group” as one operation. Backup and recovery must be planned per workload and resource type, then governed centrally.

A practical approach for cost-optimization plus safety before deleting a resource group is:

1. Classify and inventory data
   • Use Microsoft Purview to inventory and classify data so that only business‑critical data is protected with longer retention and higher‑cost options, and non‑critical data has minimal or no backup.
   • Combine this with your existing usage monitoring to decide which resources truly need protection before deletion.
2. Use Azure Backup where it is natively supported
   • For Azure VMs (managed or unmanaged disks):
     • Protect them with Azure Backup to a Recovery Services vault. Azure Backup provides application‑consistent backups for Windows workloads via VSS and file‑consistent backups for Linux VMs, and can be used as the DR solution for managed and unmanaged disks.
     • This gives point‑in‑time restore of the VM or disks even after the VM or resource group is deleted, as long as the vault and backups are retained.
   • For managed disks that need independent backup from the VM:
     • Use Azure Disk Backup via a Backup vault. It creates incremental snapshots stored in your subscription, with policy‑driven frequency and retention. This is useful when only the disk content matters and not the full VM.
   • For Azure Files and blobs:
     • Enable Azure Backup for Azure Files.
     • Configure blob versioning, soft delete, and point‑in‑time restore for Azure Blob Storage to provide native protection without separate backup infrastructure.
3. Implement backup for resources not covered by Azure Backup
   • For services not natively supported by Azure Backup (for example, Key Vault secrets, container images, Cosmos DB, and custom app configuration), use their native protection features or custom automation:
     • Azure Key Vault: use native backup for secrets, keys, and certificates.
     • Azure Container Registry: enable geo‑replication and/or automated image export to secondary storage.
     • Azure Cosmos DB: enable continuous backup with point‑in‑time restore or periodic backup.
   • This ensures that deleting a resource group does not permanently remove critical configuration or data.
4. Centralize governance and monitoring
   • Use Backup Center as a single pane of glass to monitor backup jobs, inventory, and health across subscriptions and vaults.
   • Use Azure Policy for backup to audit and enforce that critical resources (for example, all VMs in certain subscriptions or RGs) are protected before they can be deleted or decommissioned.
   • Enable diagnostic settings on vaults and use Backup reports (via Azure Monitor Logs and workbooks) to audit backups/restores and identify cost‑optimization opportunities.
5. Optimize backup cost while protecting “unknown” infrastructure
   • Use Azure Backup cost‑optimization levers:
     • Tune backup schedules and retention by workload criticality (shorter retention for low‑value or “unknown” workloads, longer for critical ones).
     • Use selective disk backup to protect only disks that contain important data when VM‑level backup is used alongside other workload‑level backups.
     • Consider Azure Backup Storage reserved capacity for predictable backup storage usage.
   • For blob data, use lifecycle management policies and access tiers to move rarely accessed data to cooler tiers or expire it at end of life.
6. Operational pattern before deleting a resource group
   • For each resource group identified as unused:
     1. Run an inventory of resources and classify them (VMs, disks, storage accounts, databases, Key Vaults, registries, Cosmos DB, etc.).
     2. Ensure each critical resource type has at least one backup or export path configured as above.
     3. Trigger on‑demand backups/snapshots where needed (for example, VM backup, disk backup, storage snapshots, Key Vault backup, Cosmos DB backup mode verification).
     4. Verify backup health and retention in Backup Center and/or service‑specific blades.
     5. Only then proceed to shut down and delete the resource group, keeping the Recovery Services/Backup vaults and exported artifacts for the chosen retention period.
7. Third‑party tools such as Veeam
   • Third‑party tools can complement this, but the core Azure‑native pattern remains: use Azure Backup and service‑native backup features for supported workloads, plus Azure Policy and Backup Center for governance. Any third‑party solution should align with this model and not replace native protections where they are stronger (for example, Cosmos DB point‑in‑time restore, blob versioning/soft delete).

This approach gives a repeatable, policy‑driven way to protect resources before deleting a resource group, rather than a single RG‑level snapshot, while still supporting cost optimization.

---

References:

• Backup and disaster recovery for Azure unmanaged disks
• Overview of Azure Disk Backup
• Backup and Recovery
• Architecture strategies for optimizing data costs
• Backup cloud and on-premises workloads to cloud
• Security Control: Backup and recovery