How to Design Backup in Azure
An Azure Backup design guide: vaults, policies, retention, immutability and the 3-2-1 rule applied to cloud and hybrid workloads.
Backup in Azure: design first
Turning on Azure Backup is simple; designing it well is what guarantees recovery when it matters. A backup without a clear policy, without immutability and without restore testing is a false sense of security. This guide structures the essential design decisions for Azure and hybrid workloads.
As a Microsoft Solutions Partner, RHC designs and operates Azure backup strategies focused on proven recoverability.
Azure Backup components
The service organizes around a few concepts:
- Recovery Services vault and Backup vault: the vaults that store recovery points.
- Backup policies: define frequency and retention.
- Supported workloads: Azure VMs, SQL and SAP HANA in VMs, Azure Files, blobs and, via MARS/MABS, on-premises servers.
- Vault redundancy: LRS, ZRS or GRS, defining where copies live.
What to protect and how often
Not every workload has the same value. Classify and set policies:
| Workload | Typical frequency | Typical retention |
|---|---|---|
| Critical VMs | daily (or more) | weeks to months |
| Databases | frequent, with logs | per RPO |
| Files (Azure Files) | daily | weeks to years |
| On-premises servers | daily via agent | per policy |
Frequency should derive from each workload's RPO: how much data you can lose defines the interval between backups.
Retention and the 3-2-1 rule
A good design follows the 3-2-1 logic: three copies of data, on two media types, with one copy off the primary site. In Azure this translates to:
- The production data (copy one).
- Backups in the vault (copy two).
- Geo redundancy of the vault or a copy in another region (copy three, off-site).
Retention should balance cost and need: frequent short-term points for operational recovery, and sparse long-term points for compliance.
Immutability and ransomware protection
Backup is a preferred attack target, because without it the victim has no way out. Protect it:
- Vault immutability to prevent deletion or alteration of recovery points within the defined window.
- Soft delete to retain deleted backups for a period, reversing malicious deletions.
- Additional authentication (MFA) for critical operations like stopping backup or reducing retention.
- Privilege separation between who administers the workload and who administers the backup.
These layers turn backup into a real line of defense against ransomware.
Hybrid backup
Many companies still have on-premises workloads. Azure Backup covers them:
- MARS agent for Windows server files and folders.
- MABS (Microsoft Azure Backup Server) for VMs, applications and system states, with copy to Azure.
- Integration with System Center DPM where it already exists.
This consolidates cloud and on-premises backup into a single strategy.
Monitoring and restore testing
A backup never restored is a hypothesis, not a guarantee. Establish:
- Monitoring of jobs with failure alerts via Azure Monitor and Backup Center.
- Reports on policy compliance and usage.
- Periodic restore tests in an isolated environment.
- Documentation of restore procedures.
Azure Backup design checklist
- Workloads classified by criticality and RPO.
- Frequency and retention policies defined per class.
- Vault redundancy chosen (LRS/ZRS/GRS) by risk.
- 3-2-1 rule satisfied with an off-site copy.
- Immutability, soft delete and MFA enabled.
- Hybrid backup covering on-premises workloads where present.
- Monitoring with failure alerts active.
- Restore tests scheduled and documented.
RHC structures this design, enables the ransomware protections and operates backup with tests that prove recoverability.
Frequently asked questions
Read next
Ready to do more with Microsoft?
Talk to an expert and discover how to optimize licensing, security and productivity.