title | description | services | author | manager | keywords | ms.service | ms.topic | ms.date | ms.author | ms.custom |
---|---|---|---|---|---|---|---|---|---|---|
What is Azure Backup? | Use Azure Backup to back up and restore data and workloads from Windows Servers, Windows workstations, System Center DPM servers, and Azure virtual machines. | backup | rayne-wiselman | carmonm | backup and restore; recovery services; backup solutions | backup | overview | 8/2/2018 | raynew | mvc |
Azure Backup is the Azure-based service you can use to back up (or protect) and restore your data in the Microsoft cloud. Azure Backup replaces your existing on-premises or off-site backup solution with a cloud-based solution that is reliable, secure, and cost-competitive. Azure Backup offers multiple components that you download and deploy on the appropriate computer, server, or in the cloud. The component, or agent, that you deploy depends on what you want to protect. All Azure Backup components (no matter whether you're protecting data on-premises or in the cloud) can be used to back up data to a Recovery Services vault in Azure. See the Azure Backup components table (later in this article) for information about which component to use to protect specific data, applications, or workloads.
Watch a video overview of Azure Backup
Traditional backup solutions have evolved to treat the cloud as an endpoint, or static storage destination, similar to disks or tape. While this approach is simple, it is limited and doesn't take full advantage of an underlying cloud platform, which translates to an expensive, inefficient solution. Other solutions are expensive because you end up paying for the wrong type of storage, or storage that you don't need. Other solutions are often inefficient because they don't offer you the type or amount of storage you need, or administrative tasks require too much time. In contrast, Azure Backup delivers these key benefits:
Automatic storage management - Hybrid environments often require heterogeneous storage - some on-premises and some in the cloud. With Azure Backup, there is no cost for using on-premises storage devices. Azure Backup automatically allocates and manages backup storage, and it uses a pay-as-you-use model. Pay-as-you-use means that you only pay for the storage that you consume. For more information, see the Azure pricing article.
Unlimited scaling - Azure Backup uses the underlying power and unlimited scale of the Azure cloud to deliver high-availability - with no maintenance or monitoring overhead. You can set up alerts to provide information about events, but you don't need to worry about high-availability for your data in the cloud.
Multiple storage options - An aspect of high-availability is storage replication. Azure Backup offers two types of replication: locally redundant storage and geo-redundant storage. Choose the backup storage option based on need:
- Locally redundant storage (LRS) replicates your data three times (it creates three copies of your data) in a storage scale unit in a datacenter. All copies of the data exist within the same region. LRS is a low-cost option for protecting your data from local hardware failures.
- Geo-redundant storage (GRS) is the default and recommended replication option. GRS replicates your data to a secondary region (hundreds of miles away from the primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of durability for your data, even if there is a regional outage.
Unlimited data transfer - Azure Backup does not limit the amount of inbound or outbound data you transfer. Azure Backup also does not charge for the data that is transferred. However, if you use the Azure Import/Export service to import large amounts of data, there is a cost associated with inbound data. For more information about this cost, see Offline-backup workflow in Azure Backup. Outbound data refers to data transferred from a Recovery Services vault during a restore operation.
Data encryption - Data encryption allows for secure transmission and storage of your data in the public cloud. You store the encryption passphrase locally, and it is never transmitted or stored in Azure. If it is necessary to restore any of the data, only you have the encryption passphrase, or key.
Application-consistent backup - An application-consistent backup means a recovery point has all required data to restore the backup copy. Azure Backup provides application-consistent backups, which ensure additional fixes are not required to restore the data. Restoring application-consistent data reduces the restoration time, allowing you to quickly return to a running state.
Long-term retention - You can use Recovery Services vaults for short-term and long-term data retention. Azure doesn't limit the length of time data can remain in a Recovery Services vault. You can keep data in a vault for as long as you like. Azure Backup has a limit of 9999 recovery points per protected instance. See the Backup and retention section in this article for an explanation of how this limit may impact your backup needs.
Use the following table for information about what you can protect with each Azure Backup component.
Component | Benefits | Limits | What is protected? | Where are backups stored? |
---|---|---|---|---|
Azure Backup (MARS) agent | Recovery Services vault | |||
System Center DPM | Cannot back up Oracle workload. | |||
Azure Backup Server | ||||
Azure IaaS VM Backup | Recovery Services vault |
Component | Can be deployed in Azure? | Can be deployed on-premises? | Target storage supported |
---|---|---|---|
Azure Backup (MARS) agent | Yes. The Azure Backup agent can be deployed on any Windows Server VM that runs in Azure. | Yes. The Backup agent can be deployed on any Windows Server VM or physical machine. | Recovery Services vault |
System Center DPM | Yes. Learn more about how to protect workloads in Azure by using System Center DPM. | Yes. Learn more about how to protect workloads and VMs in your datacenter. | Locally attached disk, Recovery Services vault, tape (on-premises only) |
Azure Backup Server | Yes. Learn more about how to protect workloads in Azure by using Azure Backup Server. | Yes. Learn more about how to protect workloads in Azure by using Azure Backup Server. | Locally attached disk, Recovery Services vault |
Azure IaaS VM Backup | Yes. Part of Azure fabric. Specialized for backup of Azure infrastructure as a service (IaaS) virtual machines. | No. Use System Center DPM to back up virtual machines in your datacenter. | Recovery Services vault |
The following table provides a matrix of the data and workloads that can be protected using Azure Backup. The Azure Backup solution column has links to the deployment documentation for that solution.
Data or Workload | Source environment | Azure Backup solution |
---|---|---|
Files and folders | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent) |
Files and folders | Windows computer | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent) |
Hyper-V virtual machine (Windows) | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent) |
Hyper-V virtual machine (Linux) | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent) |
VMware virtual machine | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent) |
Microsoft SQL Server | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent) |
Microsoft SharePoint | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent) |
Microsoft Exchange | Windows Server | System Center DPM (+ the Azure Backup agent), Azure Backup Server (includes the Azure Backup agent) |
Azure IaaS VMs (Windows) | running in Azure | Azure Backup (VM extension) |
Azure IaaS VMs (Linux) | running in Azure | Azure Backup (VM extension) |
The following table shows the Azure Backup components that have support for Linux.
Component | Linux (Azure endorsed) Support |
---|---|
Azure Backup (MARS) agent | No (Only Windows based agent) |
System Center DPM | File-consistent backup not available for Azure VM |
Azure Backup Server | File-consistent backup not available for Azure VM |
Azure IaaS VM Backup | Application-consistent backup using pre-script and post-script framework; granular file recovery; restore all VM disks; VM restore |
Azure Backup protects Premium Storage VMs. Azure Premium Storage is solid-state drive (SSD)-based storage designed to support I/O-intensive workloads. Premium Storage is attractive for virtual machine (VM) workloads. For more information about Premium Storage, see the article, Premium Storage: High-Performance Storage for Azure Virtual Machine Workloads.
While backing up Premium Storage VMs, the Backup service creates a temporary staging location, named "AzureBackup-", in the Premium Storage account. The size of the staging location is equal to the size of the recovery point snapshot. Be sure the Premium Storage account has adequate free space to accommodate the temporary staging location. For more information, see the article, premium storage limitations. Once the backup job finishes, the staging location is deleted. The price of storage used for the staging location is consistent with all Premium storage pricing.
Note
Do not modify or edit the staging location.
You can restore Premium Storage VMs to either Premium Storage or to Standard Storage. Restoring a Premium Storage VM recovery point back to Premium Storage is the typical process. However, it can be cost effective to restore a Premium Storage VM recovery point to Standard Storage if you need a subset of files from the VM.
Azure Backup protects managed disk VMs. Managed disks free you from managing storage accounts of virtual machines and greatly simplify VM provisioning.
Backing up VMs on managed disks is no different than backing up Resource Manager VMs. In the Azure portal, you can configure the backup job directly from the Virtual Machine view or from the Recovery Services vault view. You can back up VMs on managed disks through RestorePoint collections built on top of managed disks. Azure Backup also supports backing up managed disk VMs encrypted using Azure Disk Encryption (ADE).
Azure Backup allows you to restore a complete VM with managed disks, or restore managed disks to a storage account. Azure manages the managed disks during the restore process. You (the customer) manage the storage account created as part of the restore process. When restoring managed encrypted VMs, the VM's keys and secrets should exist in the key vault prior to starting the restore operation.
The following sections provide tables that summarize the availability or support of various features in each Azure Backup component. See the information following each table for additional support or details.
The Recovery Services vault is the preferred storage target across all components. System Center DPM and Azure Backup Server also provide the option to have a local disk copy. However, only System Center DPM provides the option to write data to a tape storage device.
Backups are compressed to reduce the required storage space. The only component that does not use compression is the VM extension. The VM extension copies all backup data from your storage account to the Recovery Services vault in the same region. No compression is used when transferring the data. Transferring the data without compression slightly inflates the storage used. However, storing the data without compression allows for faster restoration, should you need that recovery point.
You can take advantage of deduplication when you deploy System Center DPM or Azure Backup Server on a Hyper-V virtual machine. Windows Server performs data deduplication (at the host level) on virtual hard disks (VHDs) that are attached to the virtual machine as backup storage.
Note
Deduplication is not available in Azure for any Backup component. When System Center DPM and Backup Server are deployed in Azure, the storage disks attached to the VM cannot be deduplicated.
Every Azure Backup component supports incremental backup regardless of the target storage (disk, tape, Recovery Services vault). Incremental backup ensures that backups are storage and time efficient, by transferring only those changes made since the last backup.
Storage consumption, recovery time objective (RTO), and network consumption vary for each type of backup method. To keep the backup total cost of ownership (TCO) down, you need to understand how to choose the best backup solution. The following image compares Full Backup, Differential Backup, and Incremental Backup. In the image, data source A is composed of 10 storage blocks A1-A10, which are backed up monthly. Blocks A2, A3, A4, and A9 change in the first month, and block A5 changes in the next month.
With Full Backup, each backup copy contains the entire data source. Full backup consumes a large amount of network bandwidth and storage, each time a backup copy is transferred.
Differential backup stores only the blocks that changed since the initial full backup, which results in a smaller amount of network and storage consumption. Differential backups don't retain redundant copies of unchanged data. However, because the data blocks that remain unchanged between subsequent backups are transferred and stored, differential backups are inefficient. In the second month, changed blocks A2, A3, A4, and A9 are backed up. In the third month, these same blocks are backed up again, along with changed block A5. The changed blocks continue to be backed up until the next full backup happens.
Incremental Backup achieves high storage and network efficiency by storing only the blocks of data that changed since the previous backup. With incremental backup, there is no need to take regular full backups. In the example, after taking the full backup in the first month, blocks A2, A3, A4, and A9 are marked as changed, and transferred to the second month. In the third month, only changed block A5 is marked and transferred. Moving less data saves storage and network resources, which decreases TCO.
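The three strategies above, modelled on the article's data source A, as an added example (not Microsoft's code and not a description of how the Backup service is implemented): it counts the blocks transferred at each monthly backup and checks that each strategy's restore chain reproduces the source. The version counters and the restore-chain rule are generic assumptions made for the illustration.

```python
# Data source A from the article: ten storage blocks A1-A10.
BLOCKS = [f"A{i}" for i in range(1, 11)]

# Constructed from the article's scenario: blocks changed before the
# month-2 backup and before the month-3 backup (month 1 is the initial full).
CHANGES = [{"A2", "A3", "A4", "A9"}, {"A5"}]


def source_states(blocks, changes):
    """State of the source at each backup, as block -> version counter."""
    state = {b: 0 for b in blocks}
    states = [dict(state)]
    for changed in changes:
        for b in changed:
            state[b] += 1
        states.append(dict(state))
    return states


def plan(strategy, blocks, changes):
    """Blocks transferred at each backup; index 0 is the initial full backup."""
    copies, since_full = [set(blocks)], set()
    for changed in changes:
        since_full |= changed
        if strategy == "full":
            copies.append(set(blocks))        # everything, every time
        elif strategy == "differential":
            copies.append(set(since_full))    # all changes since the full
        elif strategy == "incremental":
            copies.append(set(changed))       # changes since previous backup
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return copies


def restore_chain(strategy, target):
    """Backup copies that must be read to restore the state at `target`."""
    if strategy == "full":
        return [target]
    if strategy == "differential":
        return [0] if target == 0 else [0, target]
    return list(range(target + 1))            # full plus every increment


def restore(strategy, blocks, changes, target):
    """Rebuild the source state at `target` by replaying the restore chain."""
    states = source_states(blocks, changes)
    copies = plan(strategy, blocks, changes)
    restored = {}
    for i in restore_chain(strategy, target):
        restored.update({b: states[i][b] for b in copies[i]})
    return restored


def summary(blocks=BLOCKS, changes=CHANGES):
    """Blocks transferred per backup for each strategy."""
    return {s: [len(c) for c in plan(s, blocks, changes)]
            for s in ("full", "differential", "incremental")}


if __name__ == "__main__":
    for strategy, sizes in summary().items():
        chain = restore_chain(strategy, len(CHANGES))
        print(f"{strategy:13} blocks per backup={sizes} "
              f"total={sum(sizes)} copies read for month-3 restore={chain}")
```
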
Feature | Azure Backup agent | System Center DPM | Azure Backup Server | Azure IaaS VM Backup |
---|---|---|---|---|
Network security (to Azure) | ![]() | ![]() | ![]() | ![]() |
Data security (in Azure) | ![]() | ![]() | ![]() | ![]() |
All backup traffic from your servers to the Recovery Services vault is encrypted using Advanced Encryption Standard 256. The backup data is sent over a secure HTTPS link. The backup data is also stored in the Recovery Services vault in encrypted form. Only you, the Azure customer, have the passphrase to unlock this data. Microsoft cannot decrypt the backup data at any point.
Warning
Once you establish the Recovery Services vault, only you have access to the encryption key. Microsoft never maintains a copy of your encryption key, and does not have access to the key. If the key is misplaced, Microsoft cannot recover the backup data.
Backing up Azure VMs requires setting up encryption within the virtual machine. Azure Backup supports Azure Disk Encryption, which uses BitLocker on Windows virtual machines and dm-crypt on Linux virtual machines. On the back end, Azure Backup uses Azure Storage Service encryption, which protects data at rest.
The VM extension (on the IaaS VM) reads the data directly from the Azure storage account over the storage network, so it is not necessary to compress this traffic.
If you use a System Center DPM server or Azure Backup Server as a secondary backup server, compress the data going from the primary server to the backup server. Compressing data before backing it up to DPM or Azure Backup Server saves bandwidth.
The Azure Backup agent offers network throttling, which allows you to control how network bandwidth is used during data transfer. Throttling can be helpful if you need to back up data during work hours but do not want the backup process to interfere with other internet traffic. Throttling for data transfer applies to backup and restore activities.
Azure Backup has a limit of 9999 recovery points, also known as backup copies or snapshots, per protected instance. A protected instance is a computer, server (physical or virtual), or workload configured to back up data to Azure. For more information, see the section, What is a protected instance. An instance is protected once a backup copy of data has been saved. The backup copy of data is the protection. If the source data was lost or became corrupt, the backup copy could restore the source data. The following table shows the maximum backup frequency for each component. Your backup policy configuration determines how quickly you consume the recovery points. For example, if you create a recovery point each day, then you can retain recovery points for 27 years before you run out. If you take a monthly recovery point, you can retain recovery points for 833 years before you run out. The Backup service does not set an expiration time limit on a recovery point.
Feature | Azure Backup agent | System Center DPM | Azure Backup Server | Azure IaaS VM Backup |
---|---|---|---|---|
Backup frequency (to Recovery Services vault) | Three backups per day | Two backups per day | Two backups per day | One backup per day |
Backup frequency (to disk) | Not applicable | Not applicable | ||
Retention options | Daily, weekly, monthly, yearly | Daily, weekly, monthly, yearly | Daily, weekly, monthly, yearly | Daily, weekly, monthly, yearly |
Maximum recovery points per protected instance | 9999 | 9999 | 9999 | 9999 |
Maximum retention period | Depends on backup frequency | Depends on backup frequency | Depends on backup frequency | Depends on backup frequency |
Recovery points on local disk | Not applicable | Not applicable | ||
Recovery points on tape | Not applicable | Unlimited | Not applicable | Not applicable |
A protected instance is a generic reference to a Windows computer, a server (physical or virtual), or SQL database that has been configured to back up to Azure. An instance is protected once you configure a backup policy for the computer, server, or database, and create a backup copy of the data. Subsequent copies of the backup data for that protected instance (which are called recovery points), increase the amount of storage consumed. You can create up to 9999 recovery points for a protected instance. If you delete a recovery point from storage, it does not count against the 9999 recovery point total. Some common examples of protected instances are virtual machines, application servers, databases, and personal computers running the Windows operating system. For example:
- A virtual machine running the Hyper-V or Azure IaaS hypervisor fabric. The guest operating systems for the virtual machine can be Windows Server or Linux.
- An application server: The application server can be a physical or virtual machine running Windows Server and workloads with data that needs to be backed up. Common workloads are Microsoft SQL Server, Microsoft Exchange server, Microsoft SharePoint server, and the File Server role on Windows Server. To back up these workloads you need System Center Data Protection Manager (DPM) or Azure Backup Server.
- A personal computer, workstation, or laptop running the Windows operating system.
A Recovery Services vault is an online storage entity in Azure used to hold data such as backup copies, recovery points, and backup policies. You can use Recovery Services vaults to hold backup data for Azure services and on-premises servers and workstations. Recovery Services vaults make it easy to organize your backup data, while minimizing management overhead. Within each Azure subscription, you can create up to 500 Recovery Services vaults per Azure region. When considering where to store your data, not all regions are the same. See Geo-redundant storage for information about region pairings and additional storage considerations.
Backup vaults, which were based on Azure Service Manager, were the first version of the vault. Recovery Services vaults, which add the Azure Resource Manager model features, are the second version of the vault. See the Recovery Services vault overview article for a full description of the feature differences. You can no longer create Backup vaults, and all existing Backup vaults have been upgraded to Recovery Services vaults. You can use the Azure portal to manage the vaults that were upgraded to Recovery Services vaults.
Azure Backup and Azure Site Recovery are related in that both services back up data and can restore that data. However, these services serve different purposes in providing business continuity and disaster recovery in your business. Use Azure Backup to protect and restore data at a more granular level. For example, if a presentation on a laptop became corrupted, you would use Azure Backup to restore the presentation. If you wanted to replicate the configuration and data on a VM across another datacenter, use Azure Site Recovery.
Azure Backup protects data on-premises and in the cloud. Azure Site Recovery coordinates virtual-machine and physical-server replication, failover, and failback. Both services are important because your disaster recovery solution needs to keep your data safe and recoverable (Backup) and keep your workloads available (Site Recovery) when outages occur.
The following concepts can help you make important decisions around backup and disaster recovery.
Concept | Details | Backup | Disaster recovery (DR) |
---|---|---|---|
Recovery point objective (RPO) | The amount of acceptable data loss if a recovery needs to be done. | Backup solutions have wide variability in their acceptable RPO. Virtual machine backups usually have an RPO of one day, while database backups have RPOs as low as 15 minutes. | Disaster recovery solutions have low RPOs. The DR copy can be behind by a few seconds or a few minutes. |
Recovery time objective (RTO) | The amount of time that it takes to complete a recovery or restore. | Because of the larger RPO, the amount of data that a backup solution needs to process is typically much higher, which leads to longer RTOs. For example, it can take days to restore data from tapes, depending on the time it takes to transport the tape from an off-site location. | Disaster recovery solutions have smaller RTOs because they are more in sync with the source. Fewer changes need to be processed. |
Retention | How long data needs to be stored | For scenarios that require operational recovery (data corruption, inadvertent file deletion, OS failure), backup data is typically retained for 30 days or less. From a compliance standpoint, data might need to be stored for months or even years. Backup data is ideally suited for archiving in such cases. | Disaster recovery needs only operational recovery data, which typically takes a few hours or up to a day. Because of the fine-grained data capture used in DR solutions, using DR data for long-term retention is not recommended. |
Use one of the following tutorials for detailed, step-by-step, instructions for protecting data on Windows Server, or protecting a virtual machine (VM) in Azure:
For details about protecting other workloads, try one of these articles: