Edit

Share via


Manage Azure Backup Immutable vault operations

This article describes how to manage Azure Backup Immutable vault operations for Recovery Services vault and Backup vault.

Immutable vault can help you protect your backup data by blocking any operations that could lead to loss of recovery points. Further, you can lock the Immutable vault setting to enable WORM storage immutability and make it irreversible to prevent any malicious actors from disabling immutability and deleting backups.

Note

Immutable WORM storage is currently in GA for Recovery Services Vaults in the following regions: Australia Central 2, Switzerland West, South Africa West, Korea Central, Germany North, Korea South, Spain Central, Israel Central, India South, India West, Mexico Central, Norway West, Poland Central, Japan East.

Enable Immutable vault

You can enable immutability for a vault through its properties.

Choose a vault

To enable Immutable vault for a Recovery Services vault, follow these steps:

  1. Go to the Recovery Services vault for which you want to enable immutability.

  2. On the vault, go to Properties > Immutable vault, and then select Settings.

    Screenshot showing how to open the Immutable vault settings.

  3. On Immutable vault, select the Enable vault immutability checkbox to enable immutability for the vault.

    At this point, immutability of the vault is reversible, and it can be disabled, if needed.

  4. Once you enable immutability, the option to lock the immutability for the vault appears.

    Once you enable this lock, it makes immutability setting for the vault irreversible and uses WORM storage for backups. While this helps secure the backup data in the vault, we recommend you make a well-informed decision when opting to lock. You can also test and validate how the current settings of the vault, backup policies, and so on, meet your requirements and can lock the immutability setting later.

  5. Select Apply to save the changes.

    Screenshot showing how to enable the Immutable vault settings.

Perform operations on Immutable vault

As per the Restricted operations, certain operations are restricted on Immutable vault. However, other operations on the vault or the items it contains remain unaffected.

Perform restricted operations

Restricted operations are disallowed on the vault. Consider the following example when trying to modify a policy to reduce its retention in a vault with immutability enabled. This example shows operation on the Recovery Services vaults; however, similar experiences apply for other operations and operations on the Backup vaults.

Consider a policy with a daily backup point retention of 35 days and weekly backup point retention of two weeks, as shown in the following screenshot.

Screenshot showing how to view a backup policy for modification.

Now, let's try to reduce the retention of daily backup points to 30 days, reducing by 5 days, and save the policy.

You'll see that the operation fails with the information that the vault has immutability enabled, and therefore, any changes that could reduce retention of recovery points are disallowed.

Screenshot showing how to modify backup policy to reduce backup retention.

Now, let's try to increase the retention of daily backup points to 40 days, increasing by 5 days, and save the policy.

This time, the operation successfully passes as no recovery points can be deleted as part of this update.

Screenshot showing how to modify backup policy to increase backup retention.

However, increasing the retention of backup items that are in suspended state isn't supported.

Let's try to stop backup on a VM and choose Retain as per policy for backup data retention.

Note

When you stop backups and retain as per policy, the last hardened (vaulted) restore point and the latest restore point are retained forever to ensure recovery against any unforeseen ransomware scenarios. You must manually delete this RP after the backup policy expires to stop incurring PI charges.

Screenshot shows an attempt to increase retention of backup items in suspended state.

Now, let's go to Modify Policy and try to increase the retention of daily backup points to 45 days, increasing the value by 5 days, and save the policy.

Screenshot shows an error has occurred when you try to increase retention of backup items that are in suspended state.

When you try to update the policy, the operation fails with an error and you can't modify the policy as the backup is in suspended state.

Disable immutability

You can disable immutability only for vaults that have immutability enabled, but not locked.

Choose a vault

To disable immutability for a Recovery Services vault, follow these steps:

  1. Go to the Recovery Services vault for which you want to disable immutability.

  2. In the vault, go to Properties > Immutable vault, and then select Settings.

    Screenshot showing how to open the Immutable vault settings to disable.

  3. On the Immutable vault blade, clear the Enable vault Immutability checkbox.

  4. Select Apply to save the changes.

    Screenshot showing how to disable the Immutable vault settings.

Next step

Learn about Immutable vault for Azure Backup.