Microsoft Solutions Partner|Modern Work · Azure · Security · Business Apps
hello@rhcsolutions.com·+1 (212) 555-0142
Continuity

How to Design Backup in Azure

An Azure Backup design guide: vaults, policies, retention, immutability and the 3-2-1 rule applied to cloud and hybrid workloads.

·10 min
Azure Backup
Environment protected
Last backup 12 min ago
15min
RPO
1h
RTO
Servers · 12:04OK
Microsoft 365 · 12:00OK

Backup in Azure: design first

Turning on Azure Backup is simple; designing it well is what guarantees recovery when it matters. A backup without a clear policy, without immutability and without restore testing is a false sense of security. This guide structures the essential design decisions for Azure and hybrid workloads.

As a Microsoft Solutions Partner, RHC designs and operates Azure backup strategies focused on proven recoverability.

Azure Backup components

The service organizes around a few concepts:

  • Recovery Services vault and Backup vault: the vaults that store recovery points.
  • Backup policies: define frequency and retention.
  • Supported workloads: Azure VMs, SQL and SAP HANA in VMs, Azure Files, blobs and, via MARS/MABS, on-premises servers.
  • Vault redundancy: LRS, ZRS or GRS, defining where copies live.

What to protect and how often

Not every workload has the same value. Classify and set policies:

Workload Typical frequency Typical retention
Critical VMs daily (or more) weeks to months
Databases frequent, with logs per RPO
Files (Azure Files) daily weeks to years
On-premises servers daily via agent per policy

Frequency should derive from each workload's RPO: how much data you can lose defines the interval between backups.

Retention and the 3-2-1 rule

A good design follows the 3-2-1 logic: three copies of data, on two media types, with one copy off the primary site. In Azure this translates to:

  1. The production data (copy one).
  2. Backups in the vault (copy two).
  3. Geo redundancy of the vault or a copy in another region (copy three, off-site).

Retention should balance cost and need: frequent short-term points for operational recovery, and sparse long-term points for compliance.

Immutability and ransomware protection

Backup is a preferred attack target, because without it the victim has no way out. Protect it:

  • Vault immutability to prevent deletion or alteration of recovery points within the defined window.
  • Soft delete to retain deleted backups for a period, reversing malicious deletions.
  • Additional authentication (MFA) for critical operations like stopping backup or reducing retention.
  • Privilege separation between who administers the workload and who administers the backup.

These layers turn backup into a real line of defense against ransomware.

Hybrid backup

Many companies still have on-premises workloads. Azure Backup covers them:

  • MARS agent for Windows server files and folders.
  • MABS (Microsoft Azure Backup Server) for VMs, applications and system states, with copy to Azure.
  • Integration with System Center DPM where it already exists.

This consolidates cloud and on-premises backup into a single strategy.

Monitoring and restore testing

A backup never restored is a hypothesis, not a guarantee. Establish:

  1. Monitoring of jobs with failure alerts via Azure Monitor and Backup Center.
  2. Reports on policy compliance and usage.
  3. Periodic restore tests in an isolated environment.
  4. Documentation of restore procedures.

Azure Backup design checklist

  • Workloads classified by criticality and RPO.
  • Frequency and retention policies defined per class.
  • Vault redundancy chosen (LRS/ZRS/GRS) by risk.
  • 3-2-1 rule satisfied with an off-site copy.
  • Immutability, soft delete and MFA enabled.
  • Hybrid backup covering on-premises workloads where present.
  • Monitoring with failure alerts active.
  • Restore tests scheduled and documented.

RHC structures this design, enables the ransomware protections and operates backup with tests that prove recoverability.

#Backup#Azure Backup#Immutability#Continuity

Frequently asked questions

It depends on risk. LRS keeps copies in one datacenter, ZRS spreads across zones and GRS replicates to another region. Critical workloads that must survive a regional failure benefit from GRS.

Ready to do more with Microsoft?

Talk to an expert and discover how to optimize licensing, security and productivity.