This article answers common questions about backing up Azure VMs with the Azure Backup service.
Backup
Which VM images can be enabled for backup when I create them?
When you create a VM, you can enable backup for VMs running supported operating systems.
Why is the initial backup taking a lot of time to complete?
Initial backup is always a full backup and its duration will depend on the size of the data and when the backup is processed.
To improve backup performance, see backup best practices, Backup considerations, and Backup Performance.
Although the total backup time for incremental backups is less than 24 hours, that might not be the case for the first backup.
Is the backup cost included in the VM cost?
No. Backup costs are separate from a VM's costs. Learn more about Azure Backup pricing.
Which permissions are required to enable backup for a VM?
If you're a VM contributor, you can enable backup on the VM. If you're using a custom role, you need the following permissions to enable backup on the VM:
- Microsoft.RecoveryServices/Vaults/write
- Microsoft.RecoveryServices/Vaults/read
- Microsoft.RecoveryServices/locations/*
- Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read
- Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
- Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write
- Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write
- Microsoft.RecoveryServices/Vaults/backupPolicies/read
- Microsoft.RecoveryServices/Vaults/backupPolicies/write
If your Recovery Services vault and VM have different resource groups, make sure you have write permissions in the resource group for the Recovery Services vault.
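The following added example (not Microsoft's code) audits a custom role definition against the nine actions listed above, so a role that is too narrow is caught before a backup configuration fails. It assumes the role is exported as JSON with `Actions` and `NotActions` keys; `audit_role`, `covers`, `overlaps` and `SAMPLE_ROLE` are hypothetical names, and the sample role is constructed.

```python
import re

# The nine actions the FAQ lists for enabling backup with a custom role.
REQUIRED_ACTIONS = [
    "Microsoft.RecoveryServices/Vaults/write",
    "Microsoft.RecoveryServices/Vaults/read",
    "Microsoft.RecoveryServices/locations/*",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
    "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
    "Microsoft.RecoveryServices/Vaults/backupPolicies/write",
]


def _glob(pattern):
    """Compile an action pattern: '*' matches any run of characters."""
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def covers(pattern, action):
    """True if `pattern` grants everything `action` names.

    `action` may itself contain '*'. Matching it as a literal string is a
    conservative containment test: each '*' in `action` must be absorbed
    by a '*' in `pattern`, so the pattern is at least as broad.
    """
    return _glob(pattern).fullmatch(action) is not None


def overlaps(a, b):
    """True if one pattern contains the other (used for NotActions)."""
    return covers(a, b) or covers(b, a)


def audit_role(role, required=REQUIRED_ACTIONS):
    """Report required actions the role does not grant or subtracts again."""
    actions = role.get("Actions", [])
    not_actions = role.get("NotActions", [])
    missing, blocked = [], []
    for need in required:
        if not any(covers(granted, need) for granted in actions):
            missing.append(need)
        elif any(overlaps(excluded, need) for excluded in not_actions):
            # Granted by Actions, then removed (fully or partly) by NotActions.
            blocked.append(need)
    return {"missing": missing, "blocked": blocked,
            "ok": not missing and not blocked}


# Constructed sample: a custom role that looks complete at a glance.
SAMPLE_ROLE = {
    "Name": "Backup Enabler (constructed sample)",
    "Actions": [
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
    ],
    "NotActions": [
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
    ],
}

if __name__ == "__main__":
    report = audit_role(SAMPLE_ROLE)
    for kind in ("missing", "blocked"):
        for action in report[kind]:
            print(f"{kind}: {action}")
    print("role is sufficient" if report["ok"] else "role is NOT sufficient")
```

The check covers only the role's own actions; the write permission on the vault's resource group mentioned above depends on where the role is assigned and must be verified separately.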
Does an on-demand backup job use the same retention schedule as scheduled backups?
No. Specify the retention range for an on-demand backup job. By default, it's retained for 30 days when triggered from the portal.
I recently enabled Azure Disk Encryption on some VMs. Will my backups continue to work?
Provide permissions for Azure Backup to access the Key Vault. Specify the permissions in PowerShell as described in the Enable backup section in the Azure Backup PowerShell documentation.
I migrated VM disks to managed disks. Will my backups continue to work?
Yes, backups work seamlessly. There's no need to reconfigure anything.
Why can't I see my VM in the Configure Backup wizard?
The wizard only lists VMs in the same region as the vault, and that aren't already being backed up.
My VM is shut down. Will an on-demand or a scheduled backup work?
Yes. Backups run when a machine is shut down. The recovery point is marked as crash consistent.
Can I cancel an in-progress backup job?
Yes. You can cancel the backup job in a Taking snapshot state. You can't cancel a job if data transfer from the snapshot is in progress.
I enabled a lock on the resource group created by Azure Backup Service (for example, `AzureBackupRG_<geo>_<number>`). Will my backups continue to work?
If you lock the resource group created by the Azure Backup Service, backups will start to fail. Remove the lock, and clear the restore point collection from that resource group to make the future backups successful. Follow these steps to remove the restore point collection.
I have a lock at the resource group level that contains all the resources related to my virtual machine. Will my backup work?
Azure Backup creates a separate resource group in the format `AzureBackupRG_<geo>_<number>` to store ResourcePointCollections objects. Since this resource group is service owned, locking it will cause backups to fail. Locks can be only applied to customer-created resource groups.
Does Azure Backup support standard SSD-managed disks?
Yes, Azure Backup supports standard SSD managed disks.
Can we back up a VM with a Write Accelerator (WA)-enabled disk?
Snapshots can be taken on only data disks that are WA enabled and not OS disks. So, only data disks that are WA enabled can be protected.
I have a VM with Write Accelerator (WA) disks and SAP HANA installed. How do I back up?
Azure Backup can back up the WA-enabled data disk. However, the backup won't provide database consistency.
Azure Backup provides a streaming backup solution for SAP HANA databases with an RPO of 15 minutes. It's Backint certified by SAP to provide a native backup support leveraging SAP HANA’s native APIs. Learn more about backing up SAP HANA databases in Azure VMs.
What is the maximum delay I can expect in backup start time from the scheduled backup time I have set in my VM backup policy?
The scheduled backup will be triggered within 2 hours of the scheduled backup time. For example, if 100 VMs have their backup start time scheduled at 2:00 AM, then by 4:00 AM at the latest all 100 VMs will have their backup job in progress. If scheduled backups have been paused because of an outage and resumed or retried, then the backup can start outside of this scheduled two-hour window.
What is the minimum allowed retention range for a daily backup point?
Azure Virtual Machine backup policy supports a minimum retention range from seven days up to 9999 days. Any modification to an existing VM backup policy with less than seven days will require an update to meet the minimum retention range of seven days.
What happens if I change the case of the name of my VM or my VM resource group?
If you change the case (to upper or lower) of your VM or VM resource group, the case of the backup item name won't change; this is expected Azure Backup behavior. The case change won't appear in the backup item, but is updated at the backend.
Can I back up or restore selective disks attached to a VM?
Azure Backup now supports selective disk backup and restore using the Azure Virtual Machine backup solution. For more information, see Selective disk backup and restore for Azure VMs.
Are managed identities preserved if a tenant change occurs during backup?
If tenant changes occur, you're required to disable and re-enable managed identities to make backups work again.
Does Azure Backup support backing up NFS files mounted from storage?
Azure Backup doesn't support backing up NFS files that are mounted from storage, or from any other NFS server, to Linux or Windows machines. It only backs up disks which are locally attached to the VM.
What are the VM configurations stored in the virtual machine backup?
All the VM configurations required to perform the restore operations are stored in the VM backup. That includes the encryption copies of the VM encrypted keys, which are accessible to you on restore. The encryption copies can only be decrypted using the key vault. Temporary disks and memory state aren't captured in the snapshot.
Can we back up tags from Azure VM? If so, how many tags?
Azure Backup can back up and restore tags, except NICs and IPs. Azure Backup honors the subscription limitations of Azure Resource Group and restores up to 50 tags.
For detailed information, see Subscription limits.
Can I take on-demand (ad-hoc) backup without scheduling backup for an Azure VM?
No, you can’t trigger on-demand backups by disabling scheduled backup.
How does Azure Backup process work for cluster nodes?
Every Azure VM in a cluster is considered as an individual Azure VM. So, all backup operations are applicable as per individual Azure VMs.
Does Azure Backup interfere with application performance?
Creating a VM snapshot takes a few minutes, and there will be minimal interference with application performance at this stage. However, data transfer to a vault takes a couple of hours, so we recommend scheduling backups during off-business hours. Learn more about best practices for backup and restore.
Will a new disk added to VM be backed up automatically?
Yes, a new disk added to a VM will be backed up automatically during the next backup.
Can I restore the files and folders from an encrypted VM backup?
Restoring files and folders from an encrypted VM backup is currently not supported; you must recover the entire VM to restore files and folders. See the steps to restore an encrypted Azure virtual machine. However, you can recover files from backups taken before the VM was encrypted.
Can I stop a VM and scale it up during the Transfer data to vault phase?
Yes, you can do this when Transfer data to vault phase is in progress.
Does Azure Backup take backup of keys for ADE encrypted VMs and restore it along with the restored disk?
Azure Backup backs up encryption keys and secrets of the backup data. Generally, the keys are not restored in the Key vault, but Azure Backup allows restoring the keys during the loss of keys.
Can I remove all restore points and retain the latest one?
No, you can't retain one single restore point. When you delete the previous restore points, the chain gets deleted. Therefore, you can't selectively retain or delete a recovery point.
How long can I retain backup points of Azure VMs using the backup policy?
The maximum retentions of the backup points are:
- Retention of daily backup points: 9999 days
- Retention of weekly backup points: 5163 weeks
- Retention of monthly backup points: 1188 months
- Retention of yearly backup points: 99 years
Restore
How do I decide whether to restore disks only or a full VM?
Think of a VM restore as a quick create option for an Azure VM. This option changes disk names, containers used by the disks, public IP addresses, and network interface names. The change maintains unique resources when a VM is created. The VM isn't added to an availability set.
You can use the restore disk option if you want to:
- Customize the VM that gets created. For example, change the size.
- Add configuration settings that weren't there at the time of backup.
- Control the naming convention for resources that are created.
- Add the VM to an availability set.
- Add any other setting that must be configured using PowerShell or a template.
Can I restore backups of unmanaged VM disks after I upgrade to managed disks?
Yes, you can use backups taken before disks were migrated from unmanaged to managed.
How do I restore a VM to a restore point before the VM was migrated to managed disks?
The restore process remains the same. If the recovery point is of a point-in-time when VM had unmanaged disks, you can restore disks as unmanaged. If the VM had managed disks, then you can restore disks as managed disks. Then you can create a VM from those disks.
Learn more about doing this in PowerShell.
If the restore fails to create the VM, what happens to the disks included in the restore?
In the event of a managed VM restore, even if the VM creation fails, the disks will still be restored.
Can I restore a VM that's been deleted?
Yes. Even if you delete the VM, you can go to the corresponding backup item in the vault and restore from a recovery point.
How do I restore a VM to the same availability sets?
For Managed Disk Azure VMs, restoring to the availability sets is enabled by providing an option in the template while restoring as managed disks. This template has the input parameter called Availability sets.
How do we get faster restore performance?
Instant Restore capability helps with faster backups and instant restores from the snapshots.
What happens when we change the key vault settings for the encrypted VM?
After you change the key vault settings for the encrypted VM, backups will continue to work with the new set of details. However, after the restore from a recovery point before the change, you'll have to restore the secrets in a key vault before you can create the VM from it. For more information, see this article.
Operations like secret/key roll-over don't require this step and the same key vault can be used after restore.
Can I access the VM once restored due to a VM having a broken relationship with the domain controller?
Yes, you can access the VM once restored due to a VM having a broken relationship with the domain controller. For more information, see this article.
Can I cancel an in-progress restore job?
Yes, you can cancel the restore job till the data transfer phase. Once it enters VM creation phase, you can't cancel the restore job.
Why is my restore operation taking a long time to complete?
The total restore time depends on the input/output operations per second (IOPS) speed and the throughput of the storage account. The total restore time can be affected if the target storage account is loaded with other application read and write operations. To improve the speed of restore operation, select a storage account that isn't loaded with other application data. Learn about the best practices for Azure VM backup and restore.
How do we handle "Create New Virtual Machine"-restore type conflicts with governance policies?
Azure Backup uses "attach" disks from recovery points and doesn't look at your image references or galleries. So in the policy you can check "storageProfile.osDisk.createOption as Attach", and the script condition will be:
if (storageProfile.osDisk.createOption == "Attach") then { exclude <Policy> }
How do I restore a VM into powered down state?
To restore a VM in powered down state, you can create a VM or restore disks, but you can't replace an existing VM. Learn more about the available restore options.
Can I restore Azure VM that is in the powered-off state?
Azure VM must be in the powered-off state while you restore. Otherwise, the restore operation would fail in the pre-check stage, with the error code UserErrorVmNotShutDown.
Also, before you swap VM disks, you must power off the VM.
Is there a limit to trigger restore in a day?
Yes, the default maximum limit to trigger restore is 20 attempts per VM in 24 hours, and the 24-hour window resets at UTC 00:00.
How does the restored disk SKU depend on the target storage account (SA) provided?
In the case of an unmanaged VM, the VM disk type is Premium SSD or HDD and depends on the SA in which VHDs exist. If you provide normal SA during restore, the VM disk would be HDD, and if you provide Premium SA, all disks would be Premium SSDs.
Note
- Azure Backup currently doesn't support taking different SAs as inputs for different disks.
- Restore to original disks SA is only available for snapshot tier, and it increases restore performance because data is copied much faster to the same SA than to a different SA. It's not intended to support disk type, but can be used to retain it.
Can I delete JSON template and VHD files after the restore process is complete?
Yes, you can delete these files once the restoration process is complete. By default, Azure Backup retains these files for future use.
How do I run restore operation for Cross Region Restore (CRR) of ADE encrypted VMs?
The encrypted keys are not expected to be present in the target region as part of Cross Region Restore (CRR). Therefore, you need to restore the encrypted keys and secrets using the restored file. When the restore is complete, you can create an Azure encrypted VM using the restored disks.
Are there any recommended naming conventions of an Azure VM in Azure Backup?
Microsoft Windows allows a VM name that has a maximum of 15 characters. Also, you can't specify a DNS host name that differs from the NETBIOS host name. However, you can create host headers for a website hosted on an Azure VM with the name as per recommendation.
Learn more about the VM naming convention limitations for Azure VMs.
Can I restore an Azure Virtual Machine in a different subscription?
Yes, Cross Subscription Restore now allows you to restore Azure VMs from a recovery point in one subscription to another under tenant as per Azure role-based access control (Azure RBAC) rules. Cross Subscription Restore is unsupported from snapshots and secondary region restores.
Does Cross Subscription Restore support all Azure VM?
No, it's unsupported for Encrypted Azure VMs.
Can I use Azure VM snapshots to restore in another subscription?
No, Cross Subscription Restore is unsupported from snapshot restore.
Can I perform Cross Subscription Restore for Azure VMs running in secondary regions?
No, Cross Subscription Restore does not support restore from secondary regions.
Can I use Enhanced policy for Cross Subscription Restore?
Yes, it's supported for Cross Subscription Restore.
Can I restore an Azure zone pinned Virtual Machine in a different zone?
Yes, Cross Zonal Restore now allows you to restore Azure zone pinned VMs to a different available zone using a recovery point in a vault with Zonal-redundant storage (ZRS) enabled as per Azure role-based access control (Azure RBAC) rules. It's also supported from vaults with Cross Region Restore (CRR).
Can I restore an Azure non-zone pinned Virtual Machine in a different zone?
Yes, Cross Zonal Restore now allows you to restore Azure non-zone pinned VMs to any available zones using a recovery point in a vault with Zonal-redundant storage (ZRS) enabled as per Azure role-based access control (Azure RBAC) rules.
Does Cross Zonal Restore support all Azure VM?
No, it's unsupported for Encrypted Azure VMs.
Can I use Azure VM snapshots to restore in another zone?
No, Cross Zonal Restore is unsupported from snapshot restore.
Can I restore Azure zone pinned VMs to secondary regions?
Yes, Azure Backup supports restore of Azure zone pinned VMs to secondary regions.
Can I use Enhanced policy for Cross Zonal Restore?
Yes, it's supported for Cross Zonal Restore.
How do I clear the iSCSI session and its processes after running the Python script for Linux ILR?
After you unmount disks from the Azure portal, run the Python script with the `clean` parameter (`python scriptName.py clean`) to clear the session and remove the mount paths of the recovery point from the machine.
Manage VM backups
What happens if I modify a backup policy?
The VM is backed up using the schedule and retention settings in the modified policy.
- If retention is extended, existing recovery points are marked and kept in accordance with the new policy.
- If retention is reduced, recovery points are marked for pruning in the next cleanup job, and subsequently deleted.
However, recovery points are specific to retention range frequency. For example, adding or modifying a yearly retention policy does not affect the retention of preexisting monthly recovery points.
How do I move a VM backed up by Azure Backup to a different resource group?
Temporarily stop the backup and retain backup data.
To move virtual machines configured with Azure Backup, do the following steps:
- Find the location of your virtual machine.
- Find a resource group with the following naming pattern: `AzureBackupRG_<location of your VM>_1`. For example, `AzureBackupRG_westus2_1`.
- In the Azure portal, check Show hidden types.
- Find the resource with type Microsoft.Compute/restorePointCollections that has the naming pattern `AzureBackup_<name of your VM that you're trying to move>_###########`.
- Delete this resource. This operation deletes only the instant recovery points, not the backed-up data in the vault.
- After the delete operation is complete, you can move your virtual machine.
Move the VM to the target resource group.
Resume the backup.
You can restore the VM from available restore points that were created before the move operation.
What happens after I move a VM to a different resource group?
Once a VM is moved to a different resource group, it's a new VM as far as Azure Backup is concerned.
After moving the VM to a new resource group, you can reprotect the VM either in the same vault or a different vault. Since this is a new VM for Azure Backup, you'll be billed for it separately.
The old VM's restore points will be available for restore if needed. If you don't need this backup data, you can stop protecting your old VM with delete data.
Is there a limit on number of VMs that can be associated with the same backup policy?
Yes, there's a limit of 100 VMs that can be associated with the same backup policy from the portal. For more than 100 VMs, we recommend creating multiple backup policies with the same schedule or different schedules.
There is a daily limit of 1000 for overall configure/modify protections in a vault.
How can I view the retention settings for my backups?
Currently, you can view retention settings at a backup item (VM) level based on the backup policy that's assigned to the VM.
One way to view the retention settings for your backups is to navigate to the backup item dashboard for your VM in the Azure portal. Selecting the link to its backup policy helps you view the retention duration of all the daily, weekly, monthly and yearly retention points associated with the VM.
You can also use Backup Explorer to view the retention settings for all your VMs within a single pane of glass. Go to the Backup Explorer from any Recovery Services vault, go to the Backup Items tab and select the Advanced View to see detailed retention information for each VM.
When the snapshot is moved from a storage account to a vault, how is encryption in transit managed?
Azure VM Backup uses HTTPS communication for encryption in transit. The data transfer uses Azure fabric (and not public endpoints), which doesn't need Internet access for VM backup.
How can I disable the File Recovery option?
This API provisions a script for invoking an iSCSI connection for file recovery from Azure Backup.
- You can disable this option using custom role-definitions by excluding API action.
- You can also use the private endpoints to restrict access to the iSCSI server from within the private network.
- You can also disable this option across an organization using the deny assignment feature.
I have changed the retention policy, what is the time needed for the policy to be effective?
The policy takes effect immediately after the modifications of the parameters, such as retention, schedule, and so on. This is applicable for all new backups taken from the modified policy. However, the pruning of the recovery points (if applicable) according to the new policy takes 24 hours.
How do I extend or reduce the retention of a specific recovery point?
This feature is currently not supported. You can post any feature ask in the Azure Backup community portal.
How to modify retention period for Stopped backups?
Retention of stopped backups cannot be modified since they do not have any policy attached to them. However, you can resume protection and assign a policy.
How long are the stopped backups retained?
Stopped backups are retained until manually deleted.
I’m unable to select a virtual network, subnet, or storage account in the secondary region when performing a Cross Region Restore.
You need to check the subscription permissions in the secondary region. Write to us at AskAzureBackupTeam@microsoft.com for subscription enrollment.
How can I check the traffic between Azure Backup service and Azure VM?
Because Azure resources handle this traffic, it can't be determined by an external user.
What is the minimum RPO and RTO for VM backups in Azure Backup?
RPO: The minimum RPO is 1 day or 24 hours when you're using Standard policy. If you use Enhanced policy, the minimum RPO is 4 hours.
Why does the error VMMarketplaceInvalidInput message appear?
This error appears when you try to start a VM after creating an Azure VM from a non-Marketplace image or swap the OS disk of a VM with a non-Marketplace image, and then the VM deployment fails. To resolve this issue, remove the plan information from the VM.
How do I manage key rotations? How to ensure which key is used during backup and if it’s present to be used with the restored VM?
Azure Backup backs up the secrets and KEK data of the key version during backup, and restores the same. However, booting ADE VMs with older version keys is also possible.
When Vault is configured with CRR, what happens to the secondary data if the primary region fails?
Backup data fully replicated to the secondary region before the failure of the primary region will remain intact. This remains the case even after the primary region has recovered from the failure. In other words, the virtual machine can be recovered in the secondary region with the data it had before the failure as per the replication schedule. Note that the RPO for the secondary region is 36 hours; that is, data takes approximately 36 hours to be fully replicated from the primary to the secondary region.
When I update the backup policy, why is the expiry time not getting updated immediately?
The Expiry Time of recovery points is updated when the Garbage Collector (GC) runs, which is every 24 hours. Once you update the backup policy, it can take up to 24 hours to show the updates in the Expiry Time, if there are no delays in GC jobs.