Recovery Services Vault vs. Azure Backup Vault
A Recovery Services VaultAn Azure backup vault type (Microsoft.RecoveryServices/vaults) that supports Azure VMs, SQL in Azure VMs, SAP HANA in Azure VMs, Azure Files, and on-premises workloads. Also used for Azure Site Recovery. supports Azure VMs, SQL in Azure VMs, SAP HANA, Azure Files, on-premises workloads, and Azure Site Recovery. An Azure Backup VaultA newer vault type (Microsoft.DataProtection/backupVaults) designed for cloud-native workloads: Azure Disks, Azure Blobs, Azure Database for PostgreSQL, and Kubernetes services. is a newer vault type for cloud-native workloads: Azure Disks, Azure Blobs, PostgreSQL, and Kubernetes.
| Feature | Recovery Services Vault | Azure Backup Vault |
|---|---|---|
| Resource type | Microsoft.RecoveryServices/vaults | Microsoft.DataProtection/backupVaults |
| Supported workloads | Azure VMs, SQL in Azure VMs, SAP HANA, Azure Files, on-premises | Azure Disks, Azure Blobs, PostgreSQL, Kubernetes (preview) |
| Azure Site Recovery | Yes | No |
| Vault limit per subscription | Up to 500 per region | Up to 500 per region |
The storage replication type (LRS, GRS, RA-GRS) must be set before the first backup is stored — it cannot be changed after backups begin.
Backup Policies
A backup policyDefines the schedule (when backups run) and the retention (how long each backup is kept). Supports GFS retention — different retention periods for daily, weekly, monthly, and yearly recovery points.
Azure Backup supports the GFS (Grandfather-Father-Son) retention scheme:
- Daily recovery points — short-term operational recovery
- Weekly recovery points — medium-term
- Monthly recovery points — longer-term
- Yearly recovery points — long-term archiving
For Azure VMs, the Enhanced backup policy supports hourly backups (minimum 4-hour RPO). The DefaultPolicy uses a daily backup schedule with 30-day retention.
Key policy limits:
- Azure VMs: once per day (Standard policy); up to every 4 hours (Enhanced policy)
- MABS/DPM: up to twice per day
- MARS agent: up to three times per day
Restore Options for Azure VMs
- Create new VM — deploys a brand-new VM from the recovery point
- Restore disk — restores a managed disk to attach to a VM
- File recovery — mounts the recovery point as a network drive to recover individual files
- Replace existing — replaces the existing VM's disks with the backup
- Cross Region Restore (CRR) — restore to the secondary paired region; requires GRS on the vault
Azure Site Recovery (ASR)
Azure Site RecoveryProvides business continuity by replicating Azure VMs (or on-premises workloads) to a secondary region. Enables failover when the primary region is unavailable, and failback when it recovers. provides business continuity by replicating Azure VMs (or on-premises workloads) to a secondary region, enabling failover when the primary is unavailable.
Key ASR concepts:
| Term | Definition |
|---|---|
| RPO | Maximum acceptable data loss measured in time |
| RTO | Maximum acceptable downtime — how fast you must restore service |
| Replication policy | Defines RPO threshold, recovery point retention, and app-consistent snapshot frequency |
| Recovery plan | A sequenced runbook of VMs and scripts to orchestrate failover |
| Test failover | Non-disruptive DR drill using an isolated network — does NOT impact production replication |
| Failover | Moves production workload to the secondary region; replication to primary pauses |
| Failback | After primary region recovers, reprotect and fail workloads back to the primary |
Recovery point types for failover:
- Latest processed — lowest RTO (uses last ASR-processed point, skips unprocessed data)
- Latest — lowest RPO (processes all data before failover)
- Latest app-consistent — application-level consistency
Vault Type — VM Backup Common Mistake
Exam Trap
"Use a Backup vault to back up Azure VMs." → Azure VMs are backed up using a Recovery Services vault, not a Backup vault. Backup vaults support Azure Disks, Blobs, and PostgreSQL — NOT Azure VMs.
Storage Replication Type — Timing Constraint
Exam Trap
"You can change the vault's storage replication type at any time." → The storage replication type (LRS/GRS/RA-GRS) can only be modified before any backup data is stored in the vault. Once backups begin, the type is locked.
Test Failover vs. Failover
Must Memorize
- Test failover: Creates temporary VMs in an isolated network — does NOT interrupt ongoing replication or affect production
- Failover: Moves production workload to secondary; replication pauses
- Reprotect: Must be done BEFORE failback — reverses the replication direction from secondary back to primary
ASR Replication is Continuous, Not Scheduled
Exam Trap
"A replication policy in ASR defines how often backups are taken." → ASR replication is continuous, not scheduled. The replication policy defines the RPO threshold (the alert point), recovery point retention window, and app-consistent snapshot frequency — not a backup schedule.
Failback Requires Reprotect First
Exam Trap
"Failover and failback in ASR are the same operation in reverse." → After a failover you must explicitly reprotect the VMs in the secondary region before failback. Reprotection reverses the replication direction so the secondary region replicates back to the primary.
Vault and VM Region Requirement
Must Memorize
The Recovery Services vault and the VMs it protects must be in the same region, but they can be in different resource groups and even different subscriptions (with limitations).
DefaultPolicy — Not Hourly
Exam Trap
"The DefaultPolicy provides hourly backups." → The DefaultPolicy uses a daily backup schedule with 30-day retention. Hourly backups require the Enhanced policy.
Create a Recovery Services Vault and Enable VM Backup
- In the Azure portal, search for Recovery Services vaults and select + Create.
- On the Basics tab, select your Subscription, Resource group, and enter a Vault name. Select the Region (must match the VM's region).
- Select Review + create, then Create.
- Open the vault. Under Getting started, select Backup.
- Set Where is your workload running? to Azure and What do you want to back up? to Virtual machine. Select Backup.
- On the Backup policy blade, select an existing policy or create a new one.
- Under Virtual Machines, select Add and select the VMs to protect. Select Enable Backup.
Configure a Backup Policy with GFS Retention
- In the Recovery Services vault, under Manage, select Backup policies.
- Select + Add, choose Azure Virtual Machine, and select the Enhanced subtype for hourly options.
- Set the Backup schedule (Daily or Hourly).
- Under Retention range, configure:
- Daily retention (e.g., 30 days)
- Weekly retention (e.g., 12 weeks, on Sunday)
- Monthly retention (e.g., 12 months, on last Sunday)
- Yearly retention (e.g., 5 years, in January)
- Select Create.
Configure Azure Site Recovery (Azure-to-Azure)
- Open the Recovery Services vault. Under Getting started, select Site Recovery.
- Under Azure virtual machines, select Enable replication.
- On the Source tab, select the Source region and the VMs to replicate.
- On the Target tab, confirm the Target region, resource group, virtual network, and storage accounts.
- Under Replication settings, review or create a Replication policy (RPO threshold, retention period, app-consistent snapshot frequency).
- Select Enable replication. Initial replication (seeding) begins in the background.
Run a Test Failover
- In the Recovery Services vault, under Protected items, select Replicated items.
- Select the replicated VM, then select Test failover from the top menu.
- Choose a Recovery point (e.g., Latest processed for low RTO).
- Select the Azure virtual network to use for the test (choose an isolated test network).
- Select OK. Monitor progress under Jobs > Site Recovery jobs.
- After validation, select Cleanup test failover to remove the test VMs and mark the drill complete.
AZ-104 Exam Focus
Exam Trap
"Use a Backup vault to back up Azure VMs." → Azure VMs require a Recovery Services vault. Backup vaults support Azure Disks, Blobs, and PostgreSQL — not VMs.
Exam Trap
"You can change the vault's storage replication type at any time." → The storage replication type can only be modified before any backup data is stored. Once backups begin, the type is locked.
Exam Trap
"Test failover in Site Recovery interrupts ongoing replication." → Test failover is a non-disruptive drill. It creates test VMs in an isolated VNet and does NOT affect production replication or traffic.
Exam Trap
"A replication policy in ASR defines how often backups are taken." → ASR replication is continuous. The replication policy defines the RPO threshold, recovery point retention, and app-consistent snapshot frequency — not a backup schedule.
Exam Trap
"Failover and failback in ASR are the same operation in reverse." → After failover you must explicitly reprotect the VMs in the secondary region before failback. Reprotect reverses the replication direction.
Exam Trap
"The DefaultPolicy provides hourly backups." → DefaultPolicy uses a daily schedule with 30-day retention. Hourly backups require the Enhanced policy.
Question — click to flip
Q: Which vault type is used to back up Azure VMs?
Question — click to flip
Q: When can the storage replication type of a Recovery Services vault be changed?
Question — click to flip
Q: What must be done BEFORE you can fail back to the primary region after an ASR failover?
Question — click to flip
Q: Does test failover in Azure Site Recovery interrupt production replication?
Question — click to flip
Q: What retention scheme does Azure Backup support that allows different retention for daily, weekly, monthly, and yearly backups?
Question — click to flip
Q: What is the difference between RPO and RTO?