Edit

Share via


Quickstart: Back up a virtual machine in Azure

This quickstart describes how to enable backup on an existing Azure VM by using the Azure portal. If you need to create a VM, you can create a VM with the Azure portal.

Azure backups can be created through the Azure portal. This method provides a browser-based user interface to create and configure Azure backups and all related resources. You can protect your data by taking backups at regular intervals. Azure Backup creates recovery points that can be stored in geo-redundant recovery vaults. This article details how to back up a virtual machine (VM) with the Azure portal.

Sign in to Azure

Sign in to the Azure portal.

Create a Recovery Services vault

A Recovery Services vault is a management entity that stores recovery points that are created over time. It provides an interface to perform backup-related operations. These operations include taking on-demand backups, performing restores, and creating backup policies.

To create a Recovery Services vault:

  1. Sign in to the Azure portal.

  2. Search for Business Continuity Center, and then go to the Business Continuity Center dashboard.

    Screenshot that shows where to search for and select Business Continuity Center.

  3. On the Vault pane, select + Vault.

    Screenshot that shows how to start creating a Recovery Services vault.

  4. Select Recovery Services vault > Continue.

    Screenshot that shows where to select Recovery Services as the vault type.

  5. On the Recovery Services vault pane, enter the following values:

    • Subscription: Select the subscription to use. If you're a member of only one subscription, you see that name. If you're not sure which subscription to use, use the default subscription. Multiple choices appear only if your work or school account is associated with more than one Azure subscription.

    • Resource group: Use an existing resource group or create a new one. To view a list of available resource groups in your subscription, select Use existing. Then select a resource in the dropdown list. To create a new resource group, select Create new, and then enter the name. For more information about resource groups, see Azure Resource Manager overview.

    • Vault name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least 2 but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.

    • Region: Select the geographic region for the vault. For you to create a vault to help protect any data source, the vault must be in the same region as the data source.

      Important

      If you're not sure of the location of your data source, close the window. Go to the list of your resources in the portal. If you have data sources in multiple regions, create a Recovery Services vault for each region. Create the vault in the first location before you create a vault in another location. You don't need to specify storage accounts to store the backup data. The Recovery Services vault and Azure Backup handle that step automatically.

      Screenshot that shows fields for configuring a Recovery Services vault.

  6. After you provide the values, select Review + create.

  7. To finish creating the Recovery Services vault, select Create.

    It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper right. After the vault is created, it appears in the list of Recovery Services vaults. If the vault doesn't appear, select Refresh.

    Screenshot that shows the button for refreshing the list of backup vaults.

Azure Backup now supports immutable vaults that help you ensure that after recovery points are created, they can't be deleted before their expiry according to the backup policy. You can make the immutability irreversible for maximum protection to protect your backup data from various threats, including ransomware attacks and malicious actors. Learn more about Azure Backup immutable vaults.

Apply a backup policy

To apply a backup policy to your Azure VMs, follow these steps:

  1. Go to Business Continuity Center and select + Configure protection.

    Screenshot shows how to start configuring system backup.

  2. On the Configure protection pane, select Resource managed by as Azure, Datasource type as Azure Virtual machines, Solution as Azure Backup, and then select Continue.

    Screenshot shows how to set the system backup.

  3. On the Start: Configure Backup pane, select Azure Virtual machines as the Datasource type and select the vault you have created. Then select Continue.

    Screenshot showing Backup and Backup Goal panes.

  4. On the Configure backup pane, select the Policy sub type as Enhanced, Standard.

    • Enhanced Backup policy: This policy allows multiple daily backups, enabling hourly backups. To enable Azure Backup on Azure VMs in Azure Extended Zones, you can only use the Enhanced policy.
    • Standard Backup policy: This policy allows VM backup once a day. The daily backups are retained for 30 days. Instant recovery snapshots are retained for two days.

    Screenshot showing the default backup policy.

    If you don't want to use the default policy, select Create New, and create a custom policy as described in the next procedure.

Select a VM to back up

Create a scheduled daily backup to a Recovery Services vault.

  1. Under Virtual Machines, select Add.

    Screenshot showing to add virtual machines.

  2. The Select virtual machines blade will open. Select the VMs you want to back up using the policy. Then select OK.

    • The selected VMs are validated.

    • You can only select VMs in the same region as the vault.

    • VMs can only be backed up in a single vault.

      Screenshot showing the Select virtual machines blade.

    Note

    All the VMs in the same region and subscription as that of the vault are available to configure backup. When configuring backup, you can browse to the virtual machine name and its resource group, even though you don’t have the required permission on those VMs. If your VM is in soft deleted state, then it won't be visible in this list. If you need to re-protect the VM, then you need to wait for the soft delete period to expire or undelete the VM from the soft deleted list. For more information, see the soft delete for VMs article.

Enable backup on a VM

A Recovery Services vault is a logical container that stores the backup data for each protected resource, such as Azure VMs. When the backup job for a protected resource runs, it creates a recovery point inside the Recovery Services vault. You can then use one of these recovery points to restore data to a given point in time.

To enable VM backup, in Backup, select Enable backup. This deploys the policy to the vault and to the VMs, and installs the backup extension on the VM agent running on the Azure VM.

After enabling backup:

  • The Backup service installs the backup extension whether or not the VM is running.
  • An initial backup will run in accordance with your backup schedule.
  • When backups run, note that:
    • A VM that's running has the greatest chance for capturing an application-consistent recovery point.
    • However, even if the VM is turned off, it's backed up. Such a VM is known as an offline VM. In this case, the recovery point will be crash-consistent.
  • Explicit outbound connectivity isn't required to allow backup of Azure VMs.

Create a custom policy

If you selected to create a new backup policy, fill in the policy settings.

  1. In Policy name, specify a meaningful name.

  2. In Backup schedule, specify when backups should be taken. You can take daily or weekly backups for Azure VMs.

  3. In Instant Restore, specify how long you want to retain snapshots locally for instant restore.

    • When you restore, backed up VM disks are copied from storage, across the network to the recovery storage location. With instant restore, you can leverage locally stored snapshots taken during a backup job, without waiting for backup data to be transferred to the vault.
    • You can retain snapshots for instant restore for between one to five days. The default value is two days.
  4. In Retention range, specify how long you want to keep your daily or weekly backup points.

  5. In Retention of monthly backup point and Retention of yearly backup point, specify whether you want to keep a monthly or yearly backup of your daily or weekly backups.

  6. Select OK to save the policy.

    Note

    To store the restore point collection (RPC), the Backup service creates a separate resource group (RG). This RG is different than RG of the VM. Learn more.

    Screenshot showing the new backup policy.

Note

Azure Backup doesn't support automatic clock adjustment for daylight-saving changes for Azure VM backups. As time changes occur, modify backup policies manually as required.

Start a backup job

The initial backup will run in accordance with the schedule, but you can run it immediately as follows:

  1. Go to Business Continuity Center and then select Protection Inventory > Protected items.
  2. On the Protected items pane, filter Datasource type by Virtual machines, and then select the more icon > Details corresponding to the VM instance you want to back up.
  3. On the selected VM instance pane, right-click the relevant row or select the more icon (…), and then select Backup Now.
  4. On the Backup now pane, use the calendar control to select the last day that the recovery point should be retained. Then select OK.

Monitor the backup job

The Backup job details for each VM backup consist of two phases, the Snapshot phase followed by the Transfer data to vault phase.

The snapshot phase guarantees the availability of a recovery point stored along with the disks for Instant Restores and are available for a maximum of five days depending on the snapshot retention configured by the user. Transfer data to vault creates a recovery point in the vault for long-term retention. Transfer data to vault only starts after the snapshot phase is completed.

Screenshot showing the backup job status.

There are two Sub Tasks running at the backend, one for front-end backup job that can be checked from the Backup Job details blade as given below:

Screenshot showing backup job status sub-tasks.

The Transfer data to vault phase can take multiple days to complete depending on the size of the disks, churn per disk and several other factors.

Job status can vary depending on the following scenarios:

Snapshot Transfer data to vault Job Status
Completed In progress In progress
Completed Skipped Completed
Completed Completed Completed
Completed Failed Completed with warning
Failed Failed Failed

Now with this capability, for the same VM, two backups can run in parallel, but in either phase (snapshot, transfer data to vault) only one sub task can be running. So in scenarios where a backup job in progress resulted in the next day’s backup to fail, it will be avoided with this decoupling functionality. Subsequent days' backups can have the snapshot completed, while Transfer data to vault is skipped if an earlier day’s backup job is in progress state. The incremental recovery point created in the vault will capture all the churn from the most recent recovery point created in the vault. There's no cost impact on the user.

Optional steps

Install the VM agent

Azure Backup backs up Azure VMs by installing an extension to the Azure VM agent running on the machine. If your VM was created from an Azure Marketplace image, the agent is installed and running. If you create a custom VM, or you migrate an on-premises machine, you might need to install the agent manually, as summarized in the table.

VM Details
Windows 1. Download and install the agent MSI file.

2. Install with admin permissions on the machine.

3. Verify the installation. In C:\WindowsAzure\Packages on the VM, right-click WaAppAgent.exe > Properties. On the Details tab, Product Version should be 2.6.1198.718 or higher.

If you're updating the agent, make sure that no backup operations are running, and reinstall the agent.
Linux Install by using an RPM or a DEB package from your distribution's package repository. This is the preferred method for installing and upgrading the Azure Linux agent. All the endorsed distribution providers integrate the Azure Linux agent package into their images and repositories. The agent is available on GitHub, but we don't recommend installing from there.

If you're updating the agent, make sure no backup operations are running, and update the binaries.

    Clean up deployment

    When no longer needed, you can disable protection on the VM, remove the restore points and Recovery Services vault, then delete the resource group and associated VM resources

    Learn how to stop protection and delete VM backups.

    Next steps

    In this quickstart, you created a Recovery Services vault, enabled protection on a VM, and created the initial recovery point. To learn more about Azure Backup and Recovery Services, continue to the tutorials.