-
Notifications
You must be signed in to change notification settings - Fork 21.4k
/
backup-azure-backup-faq.yml
318 lines (249 loc) · 20.6 KB
/
backup-azure-backup-faq.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
### YamlMime:FAQ
metadata:
title: Answers to common questions
description: 'Answers to common questions about'
ms.topic: faq
ms.service: azure-backup
ms.date: 08/09/2024
author: AbhishekMallick-MS
ms.author: v-abhmallick
ms.custom: engagement-fy24
title: Azure Backup - Frequently asked questions
summary: This article answers common questions about the Azure Backup service.
sections:
- name: Recovery Services vault
questions:
- question: |
Is there any limit on the number of vaults that can be created in each Azure subscription?
answer: |
Yes. You can create up to 500 Recovery Services vaults, per supported region of Azure Backup, per subscription. If you need additional vaults, create an additional subscription.
- question: |
Are there limits on the number of servers/machines that can be registered against each vault?
answer: |
You can register up to 1000 Azure Virtual machines per vault. If you're using the Microsoft Azure Backup Agent, you can register up to 50 MARS agents per vault. And you can register 50 MABS servers/DPM servers to a vault.
- question: |
How many datasources/items can be protected in a vault?
answer: |
Protection of up to 2000 datasources/items across all workloads (such as IaaS VM, SQL, AFS) is the recommended limit per vault.
For example, if you have already protected 500 VMs and 400 Azure Files shares in the vault, we would recommend protecting up to 1100 SQL databases in it.
- question: |
How many policies can I create per vault?
answer: |
You can only have up to 200 policies per vault. However, adding new backup policies or editing current policies through Azure Resource Manager (ARM) templates or Azure Automation clients such as PowerShell, CLI is limited to 50 over a span of 24 hours.
- question: |
If my organization has one vault, how can I isolate data from different servers in the vault when restoring data?
answer: |
Server data that you want to recover together should use the same passphrase when you set up backup. If you want to isolate recovery to a specific server or servers, use a passphrase for that server or servers only. For example, human resources servers could use one encryption passphrase, accounting servers another, and storage servers a third.
- question: |
Can I move my vault between subscriptions?
answer: |
Yes. To move a Recovery Services vault, refer this [article](backup-azure-move-recovery-services-vault.md)
- question: |
Can I move backup data to another vault?
answer: |
No. Backup data stored in a vault can't be moved to a different vault.
- question: |
Can I change the storage redundancy setting after a backup?
answer: |
The storage replication type by default is set to geo-redundant storage (GRS). Once you configure the backup, the option to modify is in disabled state and can't be changed.
![Storage replication type](./media/backup-azure-backup-faq/storage-replication-type.png)
If you've already configured the backup and must move from GRS to LRS, then see [How to change from GRS to LRS after configuring backup](backup-create-rs-vault.md#modify-default-settings).
- question: |
Can I do an Item Level Restore (ILR) for VMs backed up to a Recovery Services vault?
answer: |
- ILR is supported for Azure VMs backed up by Azure VM backup. For more information, see [article](backup-azure-restore-files-from-vm.md)
- ILR isn't supported for online recovery points of on-premises VMs backed up by Azure Backup Server (MABS) or System Center DPM.
- question: |
How can I move data from the Recovery Services vault to on-premises?
answer: |
To move backup data out of Recovery Services Vault, you need to restore the necessary data. If your vault contains backup of on-premises data, use the corresponding agent ([MARS](backup-azure-about-mars.md), [MABS](backup-azure-microsoft-azure-backup.md), or [DPM](backup-azure-dpm-introduction.md#why-back-up-dpm-to-azure)) to restore to on-premises. <br><br> We don't support exporting data directly from the Recovery Services vault to on-premises storage for backup of cloud workload ([Azure VMs](backup-azure-arm-restore-vms.md#restore-options), [SQL](restore-sql-database-azure-vm.md#restore-as-files), and [SAP HANA](sap-hana-db-restore.md#restore-as-files) in Azure VMs). However, you can restore these to the corresponding cloud resources in Azure Storage Accounts, and then move the data to on-premises. You can also export this data to on-premises via [Data Box](../databox/data-box-overview.md) or [Import/Export](../import-export/storage-import-export-service.md).
- question: |
What is the difference between a geo-redundant storage (GRS) vault with and without the Cross-Region Restore (CRR) capability enabled?
answer: |
If a [GRS](azure-backup-glossary.md#grs) vault without [CRR](azure-backup-glossary.md#cross-region-restore-crr) capability enabled, the data in the secondary region can't be accessed until Azure declares a disaster in the primary region. In such a scenario, the restore happens from the secondary region. When CRR is enabled, even if the primary region is up and running, you can trigger a restore in the secondary region.
- question: |
Can I move a subscription that contains a vault to a different Microsoft Entra ID?
answer: |
Yes. To move a subscription (that contains a vault) to a different Microsoft Entra ID, see [Transfer subscription to a different directory](../role-based-access-control/transfer-subscription.md).
>[!IMPORTANT]
>Ensure that you perform the following actions after moving the subscription:<ul><li>Role-based access control permissions and custom roles aren't transferrable. You must recreate the permissions and roles in the new Microsoft Entra ID.</li><li>You must recreate the Managed Identity (MI) of the vault by disabling and enabling it again. Also, you must evaluate and recreate the MI permissions.</li><li>If the vault uses features which leverage MI, such as [Private Endpoints](private-endpoints.md#before-you-start) and [Customer Managed Keys](encryption-at-rest-with-cmk.md#considerations), you must reconfigure the features.</li></ul>
- question: |
Can I move a subscription that contains a Recovery Services Vault to a different tenant?
answer: |
Yes. Ensure that you do the following:
>[!IMPORTANT]
>Ensure that you perform the following actions after moving the subscription:<ul><li>If the vault uses CMK (customer managed keys), you must update the vault. This enables the vault to recreate and reconfigure the vault managed identity and CMK (which will reside in the new tenant), otherwise the backups/restore operation will fail.</li><li>You must reconfigure the RBAC permissions in the subscription as the existing permissions can’t be moved.</li></ul>
- question: |
What are the various vaults supported for backup and restore?
answer: |
[Recovery Services vault](backup-azure-recovery-services-vault-overview.md) and [Backup vault](backup-vault-overview.md) are both supported in Azure Backup, and target the backup and restore of different datasources. You need to create the appropriate vault based on the datasource type that you want to protect.
The following table lists the various datasources that each vault supports:
| Recovery Services vault | Backup vault |
| --- | --- |
| Supported datasources: <br><br> - Azure Virtual Machine <br> - SQL in Azure VM <br> - Azure Files <br> - SAP HANA in Azure VM <br> - Azure Backup Server <br> - Azure Backup agent <br> - DPM | Supported datasources: <br><br> - Azure Disks <br> - Azure Blobs <br> - Azure Database for PostgreSQL server <br> - Kubernetes services (preview) |
- question: |
Can I copy restore points created by the Azure Backup service portal from one region to another?
answer: |
No. Currently, Azure Backup supports only copying restore points from one vault to another. You can [move snapshots to a different region using the VM restore point APIs](/azure/virtual-machines/manage-restore-points#copy-a-vm-restore-point-between-regions), but this isn't supported for Vault-tier recovery points.
- name: Azure Backup agent
questions:
- question: |
Where can I find common questions about the Azure Backup agent for Azure VM backup?
answer: |
- For the agent running on Azure VMs, read this [FAQ](backup-azure-vm-backup-faq.yml).
- For the agent used to back up Azure file folders, read this [FAQ](backup-azure-file-folder-backup-faq.yml).
- name: General backup
questions:
- question: |
Are there limits on backup scheduling?
answer: |
Yes.
- You can back up Windows Server or Windows machines up to three times a day by MARS backup. You can set the scheduling policy to daily or weekly schedules.
- You can back up DPM up to twice a day. You can set the scheduling policy to daily, weekly, monthly, and yearly.
- You can back up Azure VMs once a day by Standard backup policy.
- question: |
What operating systems are supported for backup?
answer: |
Azure Backup supports these operating systems for backing up files and folders, and apps protected by Azure Backup Server and DPM.
**OS** | **SKU** | **Details**
--- | --- | ---
Workstation | |
Windows 11 64 bit | Enterprise, Pro, Home, IoT | Machines should be running the latest services packs and updates.
Windows 10 64 bit | Enterprise, Pro, Home, IoT | Machines should be running the latest services packs and updates.
Server | |
Windows Server 2022 64 bit | Standard, Datacenter, Essentials, IoT | With the latest service packs/updates.
Windows Server 2019 64 bit | Standard, Datacenter, Essentials, IoT | With the latest service packs/updates.
Windows Server 2016 64 bit | Standard, Datacenter, Essentials | With the latest service packs/updates.
Windows Storage Server 2016 64 bit | Standard, Workgroup | With the latest service packs/updates.
Windows Storage Server 2012 R2 64 bit | Standard, Workgroup, Essential | With the latest service packs/updates.
Windows Server 2012 R2 64 bit | Standard, Datacenter, Foundation | With the latest service packs/updates.
Windows Server 2012 64 bit | Datacenter, Foundation, Standard | With the latest service packs/updates.
Windows Storage Server 2012 64 bit | Standard, Workgroup | With the latest service packs/updates.
Azure Backup doesn't support 32-bit operating systems.
For Azure VM Linux backups, Azure Backup supports [the list of distributions endorsed by Azure](/azure/virtual-machines/linux/endorsed-distros), except Core OS Linux and 32-bit operating system. Other bring-your-own Linux distributions might work as long as the VM agent is available on the VM, and support for Python exists.
Learn more about the latest workloads supported by [DPM](/system-center/dpm/dpm-protection-matrix?view=sc-dpm-2022) and [MABS Server](backup-mabs-protection-matrix.md).
- question: |
Are there size limits for data backup?
answer: |
Sizes limits are as follows:
OS/machine | Size limit of data source
--- | ---
Windows 8 or later | 54,400 GB
Windows 7 |1700 GB
Windows Server 2012 or later | 54,400 GB
Windows Server 2008, Windows Server 2008 R2 | 1700 GB
Azure VM | See the [support matrix for Azure VM backup](./backup-support-matrix-iaas.md#vm-storage-support)
- question: |
How is the data source size determined?
answer: |
The following table explains how each data source size is determined.
**Data source** | **Details**
--- | ---
Volume |The amount of data being backed up from single volume VM being backed up.
SQL Server database |Size of single database size being backed up.
SharePoint | Sum of the content and configuration databases within a SharePoint farm being backed up.
Exchange |Sum of all Exchange databases in an Exchange server being backed up.
BMR/System state |Each individual copy of BMR or system state of the machine being backed up.
- question: |
Is there a limit on the amount of data backed up using a Recovery Services vault?
answer: |
There's no limit on the total amount of data you can back up using a Recovery Services vault. The individual data sources (other than Azure VMs), can be a maximum of 54,400 GB in size. For more information about limits, see the [vault limits section in the support matrix](./backup-support-matrix.md#vault-support).
- question: |
Why is the size of the data transferred to the Recovery Services vault smaller than the data selected for backup?
answer: |
Data backed up from Azure Backup Agent, DPM, and Azure Backup Server is compressed and encrypted before being transferred. With compression and encryption is applied, the data in the vault is 30-40% smaller.
- question: |
Can I view the expiration time for the recovery points?
answer: |
No, you can't view the expiration time for the scheduled backups. However, you can view the expiration time for the on-demand backups through backup jobs.
- question: |
Can I delete individual files from a recovery point in the vault?
answer: |
No, Azure Backup doesn't support deleting or purging individual items from stored backups.
- question: |
If I cancel a backup job after it starts, is the transferred backup data deleted?
answer: |
No. All data that was transferred into the vault before the backup job was canceled remains in the vault.
- Azure Backup uses a checkpoint mechanism to occasionally add checkpoints to the backup data during the backup.
- Because there are checkpoints in the backup data, the next backup process can validate the integrity of the files.
- The next backup job will be incremental to the data previously backed up. Incremental backups only transfer new or changed data, which equates to better utilization of bandwidth.
If you cancel a backup job for an Azure VM, any transferred data is ignored. The next backup job transfers incremental data from the last successful backup job.
- question: |
Can the backup items in a vault be deleted if its Resource Group has a delete lock?
answer: |
No, backup items in a vault can't be deleted if the corresponding Resource Group has a delete lock.
- name: Retention and recovery
questions:
- question: |
Are the retention policies for DPM and Windows machines without DPM the same?
answer: |
Yes, they both have daily, weekly, monthly, and yearly retention policies.
- question: |
Can I customize retention policies?
answer: |
Yes, you've customize policies. For example, you can configure weekly and daily retention requirements, but not yearly and monthly.
- question: |
Can I use different times for backup scheduling and retention policies?
answer: |
No. Retention policies can only be applied on backup points. For example, this image shows a retention policy for backups taken at 12am and 6pm.
![Schedule Backup and Retention](./media/backup-azure-backup-faq/Schedule.png)
- question: |
If a backup is kept for a long time, does it take more time to recover an older data point?
answer: |
No. The time to recover the oldest or the newest point is the same. Each recovery point behaves like a full point.
- question: |
If each recovery point is like a full point, does it impact the total billable backup storage?
answer: |
Typical long-term retention point products store backup data as full points.
- The full points are storage *inefficient* but are easier and faster to restore.
- Incremental copies are storage *efficient* but require you to restore a chain of data, which impacts your recovery time
Azure Backup storage architecture gives you the best of both worlds by optimally storing data for fast restores and incurring low storage costs. This ensures that your ingress and egress bandwidth is used efficiently. The amount of data storage, and the time needed to recover the data, is kept to a minimum. Learn more about [incremental backups](backup-architecture.md#backup-types).
- question: |
Is there a limit on the number of recovery points that can be created?
answer: |
You can create up to 9999 recovery points per protected instance. A protected instance is a computer, server (physical or virtual), or workload that backs up to Azure.
- Learn more about [backup and retention](./backup-support-matrix.md).
- question: |
How many times can I recover data that's backed up to Azure?
answer: |
There's no limit on the number of recoveries from Azure Backup.
- question: |
When restoring data, do I pay for the egress traffic from Azure?
answer: |
No. Recovery is free and you aren't charged for the egress traffic.
- question: |
What happens when I change my backup policy?
answer: |
When a new policy is applied, schedule and retention of the new policy is followed.
- If retention is extended, existing recovery points are marked to keep them according to new policy.
- If retention is reduced, they're marked for pruning in the next cleanup job and subsequently deleted.
- question: |
How long is data retained when stopping backups, but selecting the option to retain backup data?
answer: |
When backups are stopped and the data is retained, existing policy rules for data pruning will cease and data will be retained indefinitely until initiated by the administrator for deletion.
- name: Encryption
questions:
- question: |
Is the data sent to Azure encrypted?
answer: |
Yes. Data is encrypted on the on-premises machine using AES256. The data is sent over a secure HTTPS link. The data transmitted in cloud is protected by HTTPS link only between storage and recovery service. iSCSI protocol secures the data transmitted between recovery service and user machine. Secure tunneling is used to protect the iSCSI channel.
- question: |
Is the backup data on Azure encrypted as well?
answer: |
Yes. The data in Azure is encrypted-at-rest.
- For on-premises backup, encryption-at-rest is provided using the passphrase you provide when backing up to Azure.
- For Azure VMs, data is encrypted-at-rest using Storage Service Encryption (SSE).
Microsoft doesn't decrypt the backup data at any point.
- question: |
What is the minimum length of the encryption key used to encrypt backup data?
answer: |
The encryption key used by the Microsoft Azure Recovery Services (MARS) Agent is derived from a passphrase that should be at least 16 characters long. For Azure VMs, there's no limit to the length of keys used by Azure KeyVault.
- question: |
What happens if I misplace the encryption key? Can I recover the data? Can Microsoft recover the data?
answer: |
The key used to encrypt the backup data is present only on your site. Microsoft doesn't maintain a copy in Azure and doesn't have any access to the key. If you misplace the key, Microsoft can't recover the backup data.
additionalContent: |
## Next steps
Read the other FAQs:
- [Common questions](backup-azure-vm-backup-faq.yml) about Azure VM backups.
- [Common questions](backup-azure-file-folder-backup-faq.yml) about the Azure Backup agent