Azure Backup & Site Recovery
Protect Azure workloads from data loss and regional failures with Azure Backup for point-in-time recovery and Azure Site Recovery for disaster recovery.
“Welcome back. Today we cover Azure Backup and Azure Site Recovery — two services that protect your workloads from different types of failure. Backup protects against accidental deletion, corruption, and ransomware by creating recoverable copies. Site Recovery protects against regional outages by replicating your VMs to a secondary Azure region and enabling failover in minutes. Together they form your BCDR strategy — Business Continuity and Disaster Recovery.”
“Backup and disaster recovery solve different problems. Backup is for data protection — if a file is deleted, a VM is corrupted, or ransomware encrypts your data, you restore from a backup point. Recovery Time Objective — how long to restore — is typically hours. Disaster recovery is for availability — if an entire Azure region goes down, you fail over to a secondary region. Site Recovery continuously replicates your VMs, so the Recovery Point Objective is seconds to minutes of data loss, and the Recovery Time Objective is minutes to initiate failover. Define your RTO and RPO requirements for each workload to design the right protection.”
“The Recovery Services Vault is the container for both Azure Backup and Azure Site Recovery. It stores backup data and manages replication state. By default, vault storage is geo-redundant — your backups are automatically replicated to the paired Azure region, so even a regional failure doesn't lose your backups. Enable soft delete to protect against ransomware scenarios where attackers try to delete backups before encrypting data — soft-deleted backups are retained for 14 days before permanent deletion. Use RBAC to ensure only authorized users can modify backup policies or delete recovery points.”
“Azure Backup covers most Azure workload types. VM backup captures the entire VM including all attached disks, with application-consistent snapshots for SQL Server and other applications that need to flush transactions before the snapshot. Azure Files backup with instant restore lets you restore individual files in seconds from a snapshot without copying the entire share. For SQL databases in Azure VMs, use the SQL workload extension — it coordinates with SQL Server for transaction-consistent backups with 15-minute log backup frequency. AKS backup protects Kubernetes namespaces and persistent volumes.”
“Backup policies define how often backups run and how long each is retained. Modern enhanced policies support hourly backups for critical workloads — RPO of 1-4 hours. Backups live in two tiers: the operational tier stores recent snapshots for fast instant restores without copying data; the vault tier stores older backups cost-efficiently for long-term retention. Cross-region restore lets you restore a VM backup to the paired region during an outage — critical when your primary region is unavailable. Backup Center provides a single dashboard to manage and monitor all backups across multiple subscriptions and regions.”
“Azure Site Recovery replicates your workloads continuously to a secondary Azure region. For Azure VMs, ASR takes an initial replication snapshot then continuously sends changed blocks — the RPO is typically 30 seconds to 5 minutes depending on data change rate. Test failover is the most important ASR feature: it spins up your VMs in the secondary region in an isolated test network, letting you validate that your application actually works after failover without impacting production at all. Run test failovers quarterly — too many teams discover their DR doesn't work only when they need it for real.”
“Recovery plans orchestrate the failover of multi-tier applications in the correct order. You define groups — databases fail over first, then application servers, then web tier. Between groups, add Azure Automation runbooks to perform tasks: update DNS records, register failed-over VMs with load balancers, notify the team. The portal shows estimated RTO before failover, helping you set realistic expectations. After the primary region recovers, failback replicates your VMs back using the same ASR mechanism, and you fail back to primary in a planned, controlled way.”
“Every production Azure workload should have both a backup strategy and a tested DR plan. The key word is tested — untested DR is theater. Schedule test failovers and backup restores on a calendar, treat failures as findings, and iterate. Next episode we cover Azure Private Link and Service Endpoints — keeping your Azure traffic off the public internet.”
1. Create Recovery Services Vault in Azure Portal
2. Enable Azure Backup for a VM
3. Configure backup policy: daily backup, 30-day retention
4. Trigger an on-demand backup
5. Restore a VM from a backup point
6. Enable Azure Site Recovery on a VM — replicate to secondary region
7. Run a test failover — verify VM comes up in secondary region
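
Lab steps 1 to 4 as Azure CLI commands, as an added example that is not part of the original lesson. The resource group, vault, VM and region names are placeholders, and using the vault's built-in `DefaultPolicy` for the lab's daily, 30-day policy is an assumption to confirm from the `policy show` output.

```shell
#!/bin/sh
# Added example: lab steps 1-4 as Azure CLI calls. Names below are placeholders.
RG="${RG:-rg-bcdr-lab}"
VAULT="${VAULT:-rsv-bcdr-lab}"
VM="${VM:-vm-lab-01}"
LOCATION="${LOCATION:-eastus}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print each command; 0 = print and execute

# Print a command; execute it only when DRY_RUN=0 and stop on the first failure.
run() {
  printf '%s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then
    "$@" || { echo "failed: $1 $2 $3 $4" >&2; exit 1; }
  fi
}

# Date 30 days from now as dd-mm-yyyy, the form --retain-until takes.
retain_until() {
  date -u -d '+30 days' '+%d-%m-%Y' 2>/dev/null || date -u -v+30d '+%d-%m-%Y'
}

lab_backup_steps() {
  # Step 1: create the Recovery Services vault.
  run az backup vault create --resource-group "$RG" --name "$VAULT" \
    --location "$LOCATION"
  # Set geo-redundant storage and soft delete explicitly. Storage redundancy
  # has to be chosen before the first item is protected.
  run az backup vault backup-properties set --resource-group "$RG" \
    --name "$VAULT" --backup-storage-redundancy GeoRedundant \
    --soft-delete-feature-state Enable
  # Step 3: inspect the built-in policy (assumed daily; confirm its retention).
  run az backup policy show --resource-group "$RG" --vault-name "$VAULT" \
    --name DefaultPolicy
  # Step 2: enable backup for the VM under that policy.
  run az backup protection enable-for-vm --resource-group "$RG" \
    --vault-name "$VAULT" --vm "$VM" --policy-name DefaultPolicy
  # Step 4: on-demand backup, retained for 30 days.
  run az backup protection backup-now --resource-group "$RG" \
    --vault-name "$VAULT" --container-name "$VM" --item-name "$VM" \
    --backup-management-type AzureIaasVM --retain-until "$(retain_until)"
}

lab_backup_steps
```

With the default `DRY_RUN=1` the script only prints the five commands for review; run it with `DRY_RUN=0` after `az login` to execute them.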