This article answers common questions about the Azure Backup service.
Recovery Services vault
Is there any limit on the number of vaults that can be created in each Azure subscription?
Yes. You can create up to 500 Recovery Services vaults, per supported region of Azure Backup, per subscription. If you need additional vaults, create an additional subscription.
Are there limits on the number of servers/machines that can be registered against each vault?
You can register up to 1000 Azure Virtual machines per vault. If you're using the Microsoft Azure Backup Agent, you can register up to 50 MARS agents per vault. And you can register 50 MABS servers/DPM servers to a vault.
How many datasources/items can be protected in a vault?
Protection of up to 2000 datasources/items across all workloads (such as IaaS VM, SQL, AFS) is the recommended limit per vault. For example, if you have already protected 500 VMs and 400 Azure Files shares in the vault, we would recommend protecting up to 1100 SQL databases in it.
How many policies can I create per vault?
You can only have up to 200 policies per vault. However, adding new backup policies or editing current policies through Azure Resource Manager (ARM) templates or Azure Automation clients such as PowerShell, CLI is limited to 50 over a span of 24 hours.
If my organization has one vault, how can I isolate data from different servers in the vault when restoring data?
Server data that you want to recover together should use the same passphrase when you set up backup. If you want to isolate recovery to a specific server or servers, use a passphrase for that server or servers only. For example, human resources servers could use one encryption passphrase, accounting servers another, and storage servers a third.
Can I move my vault between subscriptions?
Yes. To move a Recovery Services vault, refer this article
Can I move backup data to another vault?
No. Backup data stored in a vault can't be moved to a different vault.
Can I change the storage redundancy setting after a backup?
The storage replication type by default is set to geo-redundant storage (GRS). Once you configure the backup, the option to modify is in disabled state and can't be changed.
If you've already configured the backup and must move from GRS to LRS, then see How to change from GRS to LRS after configuring backup.
Can I do an Item Level Restore (ILR) for VMs backed up to a Recovery Services vault?
- ILR is supported for Azure VMs backed up by Azure VM backup. For more information, see article
- ILR isn't supported for online recovery points of on-premises VMs backed up by Azure Backup Server (MABS) or System Center DPM.
How can I move data from the Recovery Services vault to on-premises?
To move backup data out of Recovery Services Vault, you need to restore the necessary data. If your vault contains backup of on-premises data, use the corresponding agent (MARS, MABS, or DPM) to restore to on-premises.
We don't support exporting data directly from the Recovery Services vault to on-premises storage for backup of cloud workload (Azure VMs, SQL, and SAP HANA in Azure VMs). However, you can restore these to the corresponding cloud resources in Azure Storage Accounts, and then move the data to on-premises. You can also export this data to on-premises via Data Box or Import/Export.
What is the difference between a geo-redundant storage (GRS) vault with and without the Cross-Region Restore (CRR) capability enabled?
If a GRS vault without CRR capability enabled, the data in the secondary region can't be accessed until Azure declares a disaster in the primary region. In such a scenario, the restore happens from the secondary region. When CRR is enabled, even if the primary region is up and running, you can trigger a restore in the secondary region.
Can I move a subscription that contains a vault to a different Microsoft Entra ID?
Yes. To move a subscription (that contains a vault) to a different Microsoft Entra ID, see Transfer subscription to a different directory.
Important
Ensure that you perform the following actions after moving the subscription:
- Role-based access control permissions and custom roles aren't transferrable. You must recreate the permissions and roles in the new Microsoft Entra ID.
- You must recreate the Managed Identity (MI) of the vault by disabling and enabling it again. Also, you must evaluate and recreate the MI permissions.
- If the vault uses features which leverage MI, such as Private Endpoints and Customer Managed Keys, you must reconfigure the features.
Can I move a subscription that contains a Recovery Services Vault to a different tenant?
Yes. Ensure that you do the following:
Important
Ensure that you perform the following actions after moving the subscription:
- If the vault uses CMK (customer managed keys), you must update the vault. This enables the vault to recreate and reconfigure the vault managed identity and CMK (which will reside in the new tenant), otherwise the backups/restore operation will fail.
- You must reconfigure the RBAC permissions in the subscription as the existing permissions can’t be moved.
What are the various vaults supported for backup and restore?
Recovery Services vault and Backup vault are both supported in Azure Backup, and target the backup and restore of different datasources. You need to create the appropriate vault based on the datasource type that you want to protect.
The following table lists the various datasources that each vault supports:
Recovery Services vault | Backup vault |
---|---|
Supported datasources: - Azure Virtual Machine - SQL in Azure VM - Azure Files - SAP HANA in Azure VM - Azure Backup Server - Azure Backup agent - DPM |
Supported datasources: - Azure Disks - Azure Blobs - Azure Database for PostgreSQL server - Kubernetes services (preview) |
Can I copy restore points created by the Azure Backup service portal from one region to another?
No. Currently, Azure Backup supports only copying restore points from one vault to another. You can move snapshots to a different region using the VM restore point APIs, but this isn't supported for Vault-tier recovery points.
Azure Backup agent
Where can I find common questions about the Azure Backup agent for Azure VM backup?
General backup
Are there limits on backup scheduling?
Yes.
- You can back up Windows Server or Windows machines up to three times a day by MARS backup. You can set the scheduling policy to daily or weekly schedules.
- You can back up DPM up to twice a day. You can set the scheduling policy to daily, weekly, monthly, and yearly.
- You can back up Azure VMs once a day by Standard backup policy.
What operating systems are supported for backup?
Azure Backup supports these operating systems for backing up files and folders, and apps protected by Azure Backup Server and DPM.
OS | SKU | Details |
---|---|---|
Workstation | ||
Windows 11 64 bit | Enterprise, Pro, Home, IoT | Machines should be running the latest services packs and updates. |
Windows 10 64 bit | Enterprise, Pro, Home, IoT | Machines should be running the latest services packs and updates. |
Server | ||
Windows Server 2022 64 bit | Standard, Datacenter, Essentials, IoT | With the latest service packs/updates. |
Windows Server 2019 64 bit | Standard, Datacenter, Essentials, IoT | With the latest service packs/updates. |
Windows Server 2016 64 bit | Standard, Datacenter, Essentials | With the latest service packs/updates. |
Windows Storage Server 2016 64 bit | Standard, Workgroup | With the latest service packs/updates. |
Windows Storage Server 2012 R2 64 bit | Standard, Workgroup, Essential | With the latest service packs/updates. |
Windows Server 2012 R2 64 bit | Standard, Datacenter, Foundation | With the latest service packs/updates. |
Windows Server 2012 64 bit | Datacenter, Foundation, Standard | With the latest service packs/updates. |
Windows Storage Server 2012 64 bit | Standard, Workgroup | With the latest service packs/updates. |
Azure Backup doesn't support 32-bit operating systems.
For Azure VM Linux backups, Azure Backup supports the list of distributions endorsed by Azure, except Core OS Linux and 32-bit operating system. Other bring-your-own Linux distributions might work as long as the VM agent is available on the VM, and support for Python exists.
Learn more about the latest workloads supported by DPM and MABS Server.
Are there size limits for data backup?
Sizes limits are as follows:
OS/machine | Size limit of data source |
---|---|
Windows 8 or later | 54,400 GB |
Windows 7 | 1700 GB |
Windows Server 2012 or later | 54,400 GB |
Windows Server 2008, Windows Server 2008 R2 | 1700 GB |
Azure VM | See the support matrix for Azure VM backup |
How is the data source size determined?
The following table explains how each data source size is determined.
Data source | Details |
---|---|
Volume | The amount of data being backed up from single volume VM being backed up. |
SQL Server database | Size of single database size being backed up. |
SharePoint | Sum of the content and configuration databases within a SharePoint farm being backed up. |
Exchange | Sum of all Exchange databases in an Exchange server being backed up. |
BMR/System state | Each individual copy of BMR or system state of the machine being backed up. |
Is there a limit on the amount of data backed up using a Recovery Services vault?
There's no limit on the total amount of data you can back up using a Recovery Services vault. The individual data sources (other than Azure VMs), can be a maximum of 54,400 GB in size. For more information about limits, see the vault limits section in the support matrix.
Why is the size of the data transferred to the Recovery Services vault smaller than the data selected for backup?
Data backed up from Azure Backup Agent, DPM, and Azure Backup Server is compressed and encrypted before being transferred. With compression and encryption is applied, the data in the vault is 30-40% smaller.
Can I view the expiration time for the recovery points?
No, you can't view the expiration time for the scheduled backups. However, you can view the expiration time for the on-demand backups through backup jobs.
Can I delete individual files from a recovery point in the vault?
No, Azure Backup doesn't support deleting or purging individual items from stored backups.
If I cancel a backup job after it starts, is the transferred backup data deleted?
No. All data that was transferred into the vault before the backup job was canceled remains in the vault.
- Azure Backup uses a checkpoint mechanism to occasionally add checkpoints to the backup data during the backup.
- Because there are checkpoints in the backup data, the next backup process can validate the integrity of the files.
- The next backup job will be incremental to the data previously backed up. Incremental backups only transfer new or changed data, which equates to better utilization of bandwidth.
If you cancel a backup job for an Azure VM, any transferred data is ignored. The next backup job transfers incremental data from the last successful backup job.
Can the backup items in a vault be deleted if its Resource Group has a delete lock?
No, backup items in a vault can't be deleted if the corresponding Resource Group has a delete lock.
Retention and recovery
Are the retention policies for DPM and Windows machines without DPM the same?
Yes, they both have daily, weekly, monthly, and yearly retention policies.
Can I customize retention policies?
Yes, you've customize policies. For example, you can configure weekly and daily retention requirements, but not yearly and monthly.
Can I use different times for backup scheduling and retention policies?
No. Retention policies can only be applied on backup points. For example, this image shows a retention policy for backups taken at 12am and 6pm.
If a backup is kept for a long time, does it take more time to recover an older data point?
No. The time to recover the oldest or the newest point is the same. Each recovery point behaves like a full point.
If each recovery point is like a full point, does it impact the total billable backup storage?
Typical long-term retention point products store backup data as full points.
- The full points are storage inefficient but are easier and faster to restore.
- Incremental copies are storage efficient but require you to restore a chain of data, which impacts your recovery time
Azure Backup storage architecture gives you the best of both worlds by optimally storing data for fast restores and incurring low storage costs. This ensures that your ingress and egress bandwidth is used efficiently. The amount of data storage, and the time needed to recover the data, is kept to a minimum. Learn more about incremental backups.
Is there a limit on the number of recovery points that can be created?
You can create up to 9999 recovery points per protected instance. A protected instance is a computer, server (physical or virtual), or workload that backs up to Azure.
- Learn more about backup and retention.
How many times can I recover data that's backed up to Azure?
There's no limit on the number of recoveries from Azure Backup.
When restoring data, do I pay for the egress traffic from Azure?
No. Recovery is free and you aren't charged for the egress traffic.
What happens when I change my backup policy?
When a new policy is applied, schedule and retention of the new policy is followed.
- If retention is extended, existing recovery points are marked to keep them according to new policy.
- If retention is reduced, they're marked for pruning in the next cleanup job and subsequently deleted.
How long is data retained when stopping backups, but selecting the option to retain backup data?
When backups are stopped and the data is retained, existing policy rules for data pruning will cease and data will be retained indefinitely until initiated by the administrator for deletion.
Encryption
Is the data sent to Azure encrypted?
Yes. Data is encrypted on the on-premises machine using AES256. The data is sent over a secure HTTPS link. The data transmitted in cloud is protected by HTTPS link only between storage and recovery service. iSCSI protocol secures the data transmitted between recovery service and user machine. Secure tunneling is used to protect the iSCSI channel.
Is the backup data on Azure encrypted as well?
Yes. The data in Azure is encrypted-at-rest.
- For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure.
- For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE).
Microsoft doesn't decrypt the backup data at any point.
What is the minimum length of the encryption key used to encrypt backup data?
The encryption key used by the Microsoft Azure Recovery Services (MARS) Agent is derived from a passphrase that should be at least 16 characters long. For Azure VMs, there's no limit to the length of keys used by Azure KeyVault.
What happens if I misplace the encryption key? Can I recover the data? Can Microsoft recover the data?
The key used to encrypt the backup data is present only on your site. Microsoft doesn't maintain a copy in Azure and doesn't have any access to the key. If you misplace the key, Microsoft can't recover the backup data.
Next steps
Read the other FAQs:
- Common questions about Azure VM backups.
- Common questions about the Azure Backup agent