Tutorial: Enable Vault Tier backups for AKS and restore across regions by using Azure Backup (preview)

This tutorial describes how to create backups for an AKS cluster available in the Secondary Region (Azure Paired region) and perform a disaster recovery by using Cross Region Restore.

Azure Backup allows you to store AKS cluster backups in both Operational Tier as snapshot and Vault Tier as blobs (preview). This feature enables you to move snapshot-based AKS backups stored in Operational Tier to a Vault-standard Tier. You can use the backup policy, to define whether to store backups just in Operational Tier as snapshots or also protect them in Vault Tier along with Operational. Vaulted backups are stored offsite, which protects them from tenant compromise, malicious attacks, and ransomware threats. You can also retain the backup data for long term and can do Cross Region Restore by configuring the Backup vault with storage redundancy set as global and Cross Region Restore property as enabled. Learn more.


For backups to be available in Secondary region (Azure Paired Region), create a Backup vault with Storage Redundancy enabled as Globally Redundant and Cross Region Restore enable.

Screenshot shows how to enable the Backup Storage Redundance parameter.

Screenshot shows how to enable the Cross Region Restore parameter.

Configure Vault Tier backup (preview)

To use AKS backup for regional disaster recovery, store the backups in Vault Tier. You can enable this capability by creating a backup policy with retention policy set for Vault-standard datastore.

To set the retention policy in a backup policy, follow these steps:

  1. Select the backup policy.

  2. On the Schedule + retention tab, define the frequency of backups and how long they need to be retained in Operational and Vault Tier (also called datastore).

    Backup Frequency: Select the backup frequency (hourly or daily), and then choose the retention duration for the backups.

    Screenshot that shows selection of backup frequency.

    Retention Setting: A new backup policy has two retention rules.

    Screenshot that shows selection of retention period.

    You can also create additional retention rules to store backups for a longer duration that are taken daily or weekly.

    • Default: This rule defines the default retention duration for all the operational tier backups taken. You can only edit this rule and can’t delete it.

    • First successful backup taken every day: In addition to the default rule, every first successful backup of the day can be retained in the Operational datastore and Vault-standard store. You can edit and delete this rule (if you want to retain backups in Operational datastore).

      Screenshot that shows the retention configuration for Vault Tier and Operational Tier.

With the new backup policy, you can configure protection for the AKS cluster and store in both Operational Tier (as snapshot) and Vault Tier (as blobs). Once the configuration is complete, the backups stored in the vault are available in the Secondary Region (an Azure paired region) for restore that can be used when during regional outage.

Restore in secondary region (preview)

In case of primary region outage, you can use the recovery points stored in Vault Tier in secondary region to bring back the AKS cluster.

Follow these steps:

  1. Go to Backup center and select Restore.

    Screenshot shows how to start the restore process.

  2. On the next page, click Select backup instance, and then select the instance that you want to restore.

    In case of disaster recovery, select Secondary Region. This allows you to choose recovery points available in the Azure Paired Region.

    Screenshot shows selection of backup instance for restore.

    Screenshot shows choosing instances for restore.

    Screenshot shows the selection of the secondary region.

  3. Click Select restore point to select the restore point you want to restore.

    If the restore point is available in both Vault and Operation datastore, select the one you want to restore from.

    Screenshot shows how to view the restore points.

    Screenshot shows selection of a restore point.

  4. In the Restore parameters section, click Select Kubernetes Service and select the AKS cluster to which you want to restore the backup to.

    Screenshot shows how to initiate parameter selection.

    Screenshot shows selection of AKS instance.

    Screenshot shows the Restore page with the selection of Kubernetes parameter.

  5. If you have opted for restore from Vault-standard datastore, then provide a snapshot resource group and storage account as the staging location.

    Screenshot shows the parameters to add for restore from Vault-standard storage.

    Screenshot shows the storage parameter to add for restore from Vault-standard storage.

  6. Select Validate to run validation on the cluster selections for restore.

    Screenshot shows the validation of restore parameters.

  7. Once the validation is successful, select Restore to trigger the restore operation.

    Screenshot shows how to start the restore operation.

  8. You can track this restore operation by the Backup Job named as CrossRegionRestore.

Next steps