Challenge 15: Backup & Recovery
60–75 minutes | Estimated cost: ~$0.30 | Exam Weight: 10–15%
Scenario
Disaster struck at Contoso: a developer accidentally deleted production data. Management is demanding answers: "Why wasn't there a backup?" Your job is to implement Azure Backup and Azure Site Recovery so this never happens again.
Exam skills covered
- Create a Recovery Services vault
- Create an Azure Backup vault
- Create and configure backup policy
- Perform backup and restore operations
- Configure Azure Site Recovery for VMs
- Perform failover to a secondary region
- Configure and interpret reports and alerts for backups
Sysadmin ↔ Azure reference
| On-Prem / Traditional | Azure Equivalent |
|---|---|
| Veeam / SCDPM | Azure Backup |
| Tape backup rotation (GFS) | Backup policies (daily/weekly/monthly/yearly) |
| DR site (hot / cold / warm) | Azure Site Recovery |
| Backup reports | Backup center |
Setup
```bash
# Variables
RG="rg-az104-challenge15"
LOCATION="eastus"
DR_LOCATION="westus2"

# Create resource group
az group create --name $RG --location $LOCATION
```
Tasks
Task 1: create a Recovery Services Vault
```bash
az backup vault create \
  --resource-group $RG \
  --name rsv-contoso \
  --location $LOCATION
```
Recovery Services vaults are used for VM backup and Azure Site Recovery. The vault must be in the same region as the VMs you want to back up.
Task 2: create a Backup Policy
Create a custom backup policy: daily backups at 2:00 AM, 30-day retention.
Hint
The easiest way is via the Azure Portal:
- Go to your Recovery Services vault
- Backup policies → Add
- Policy type: Azure Virtual Machine
- Schedule: Daily at 2:00 AM
- Retention: 30 days
Or via CLI (using a policy JSON):
```bash
az backup policy set \
  --resource-group $RG \
  --vault-name rsv-contoso \
  --policy '{
    "name": "policy-daily-30",
    "properties": {
      "backupManagementType": "AzureIaasVM",
      "schedulePolicy": {
        "schedulePolicyType": "SimpleSchedulePolicy",
        "scheduleRunFrequency": "Daily",
        "scheduleRunTimes": ["2024-01-01T02:00:00Z"]
      },
      "retentionPolicy": {
        "retentionPolicyType": "LongTermRetentionPolicy",
        "dailySchedule": {
          "retentionTimes": ["2024-01-01T02:00:00Z"],
          "retentionDuration": {"count": 30, "durationType": "Days"}
        }
      }
    }
  }'
```
Task 3: enable Backup for a VM
Deploy a VM and enable backup:
```bash
# Create a VM
az vm create \
  --resource-group $RG \
  --name vm-backup-test \
  --image Ubuntu2204 \
  --size Standard_B1s \
  --admin-username azureuser \
  --generate-ssh-keys

# Enable backup
az backup protection enable-for-vm \
  --resource-group $RG \
  --vault-name rsv-contoso \
  --vm vm-backup-test \
  --policy-name DefaultPolicy
```
Task 4: trigger an On-Demand Backup
```bash
az backup protection backup-now \
  --resource-group $RG \
  --vault-name rsv-contoso \
  --container-name "IaasVMContainer;iaasvmcontainerv2;$RG;vm-backup-test" \
  --item-name "VM;iaasvmcontainerv2;$RG;vm-backup-test" \
  --retain-until "31-12-2027"
```
The first backup can take 30–60 minutes depending on the VM size. You can check progress in the vault's Backup Jobs blade.
Task 5: restore a VM from Backup
Once the backup completes, restore it to a new VM:
- Go to Recovery Services vault → Backup items → Azure Virtual Machine
- Select the VM → Restore VM
- Choose Create new → Give it a new name like vm-backup-restored
- Select the restore point and target VNet/subnet
CLI Hint
```bash
# List recovery points
az backup recoverypoint list \
  --resource-group $RG \
  --vault-name rsv-contoso \
  --container-name "IaasVMContainer;iaasvmcontainerv2;$RG;vm-backup-test" \
  --item-name "VM;iaasvmcontainerv2;$RG;vm-backup-test"

# Restore (Portal is easier for this task)
```
Task 6: create an Azure Backup Vault
Azure Backup vaults are used for newer workloads like blob backup and Azure Database for PostgreSQL.
```bash
az dataprotection backup-vault create \
  --resource-group $RG \
  --vault-name bv-contoso \
  --location $LOCATION \
  --storage-setting "[{type:LocallyRedundant,datastore-type:VaultStore}]"
```
Task 7: configure Blob Backup (Operational tier)
- Create a storage account
- Configure operational backup for blobs (point-in-time restore)
Hint
Via the Azure Portal:
- Go to your Backup vault → + Backup
- Datasource type: Azure Blobs (Azure Storage)
- Select the storage account
- Configure the backup policy (default: 30-day operational retention)
This enables point-in-time restore for blobs. No backup copies are created; it uses change tracking on the storage account.
Task 8: configure Azure Site Recovery
Enable replication for a VM to a secondary region:
- Go to Recovery Services vault → Site Recovery → Replicated items
- Click + Replicate → Azure virtual machines
- Source region: eastus
- Target region: westus2
- Select your VM
- Review replication settings and enable
Site Recovery replicates VM disks asynchronously to the target region. Initial replication can take 30–60 minutes depending on disk size.
Task 9: run a test failover
After initial replication completes:
- Go to the replicated item
- Click Test Failover
- Select the recovery point and target VNet
- Verify the test VM in the target region
- Clean up test failover when done
Always clean up test failover resources: they continue to incur charges until removed.
Task 10: configure Backup reports
- Go to Backup center → Backup reports
- Configure the Log Analytics workspace as the data source
- Explore: backup item health, backup job trends, storage consumption
Task 11: set up Backup alerts
Configure alerts for failed backup jobs:
- Go to Recovery Services vault → Alerts
- Create an alert rule for Backup failure
- Attach an action group for email notification
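A triage check to pair with the alert rule, added here as an example (not part of the original challenge): it reads rows from `az backup job list` and reports items with failed backup jobs or whose last successful backup is older than a cutoff (now minus your RPO). The `--query` field names in the comment are an assumption about the CLI's JSON output, and the sample rows are constructed.

```shell
#!/usr/bin/env bash
# Added example: triage backup jobs for a vault (failed jobs and stale items).
# Input rows are tab-separated: item, operation, status, start time (UTC).
# Assumed way to produce them (field names are an assumption, not from the page):
#   az backup job list --resource-group "$RG" --vault-name rsv-contoso \
#     --query "[].[properties.entityFriendlyName, properties.operation, properties.status, properties.startTime]" \
#     --output tsv

# Constructed sample data; vm-web-01 and vm-db-01 are made-up item names.
sample_jobs() {
  printf '%s\t%s\t%s\t%s\n' \
    vm-backup-test Backup  Completed  2024-01-03T02:00:11+00:00 \
    vm-backup-test Backup  Failed     2024-01-04T02:00:09+00:00 \
    vm-backup-test Backup  Failed     2024-01-05T02:00:12+00:00 \
    vm-web-01      Backup  Completed  2024-01-05T02:00:08+00:00 \
    vm-web-01      Restore Failed     2024-01-05T09:30:00+00:00 \
    vm-db-01       Backup  InProgress 2024-01-05T02:00:05+00:00
}

# backup_gaps CUTOFF_UTC < rows
# CUTOFF_UTC is "now minus RPO" as an ISO 8601 UTC string; timestamps are compared
# as strings, which is valid only while every value is UTC in the same format.
backup_gaps() {
  awk -F '\t' -v cutoff="$1" '
    $2 != "Backup" { next }                     # ignore restore/configure jobs
    { seen[$1] = 1 }
    $3 == "Failed" { failed[$1]++ }
    ($3 == "Completed" || $3 == "CompletedWithWarnings") && $4 > last_ok[$1] {
      last_ok[$1] = $4                          # newest successful backup
    }
    END {
      for (item in seen) {
        if (failed[item] > 0) printf "FAILED\t%s\t%d\n", item, failed[item]
        if (last_ok[item] == "") printf "NEVER\t%s\t-\n", item
        else if (last_ok[item] < cutoff) printf "STALE\t%s\t%s\n", item, last_ok[item]
      }
    }' | LC_ALL=C sort
}

# Demo on the constructed rows with a cutoff of 2024-01-05T00:00:00 (UTC).
sample_jobs | backup_gaps "2024-01-05T00:00:00"
```

An item can be reported as both FAILED and STALE; NEVER means no successful backup job appears in the rows at all.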
Break & fix
Break it
- Delete a vault with protected items: Try to delete the Recovery Services vault while it still has backup items. Observe the error: "Vault cannot be deleted as there are existing resources within the vault."
- Region mismatch: Try to back up a VM in westus2 using the vault in eastus. What happens?
Fix it
- To delete a vault: first stop backup protection, delete backup data, then delete the vault
- Move or recreate the vault in the same region as the VM
Knowledge check
- Recovery Services vault vs Azure Backup vault?
  - Recovery Services vault: VMs, SQL in Azure VM, Azure Files, Azure Site Recovery
  - Azure Backup vault: Blobs, Azure Disks, Azure Database for PostgreSQL
- RPO vs RTO?
  - RPO (Recovery Point Objective) = Maximum acceptable data loss (time between last backup and disaster)
  - RTO (Recovery Time Objective) = Maximum acceptable downtime (time to restore service)
- What are the backup types?
  - Full: complete copy of all data
  - Incremental: only changes since last backup (Azure default for VMs)
  - Differential: changes since last full backup
- Site Recovery: failover vs test failover?
  - Test failover: validates replication without affecting production; creates test resources
  - Failover: actual disaster recovery; shifts production to secondary region
Cleanup
```bash
# IMPORTANT: must stop protection before deleting vault
# 1. stop backup and delete backup data for each protected item
# 2. disable Site Recovery replication
# 3. then delete the resource group
az group delete --name $RG --yes --no-wait
```
If vault deletion fails, follow this order:
- Stop backup protection with "Delete backup data" for all items
- Remove Site Recovery replicated items
- Delete the vault
- Delete the resource group
Success criteria
- ⬜ Recovery Services vault created
- ⬜ Custom backup policy configured (daily, 30-day retention)
- ⬜ VM backup enabled and on-demand backup triggered
- ⬜ VM restored from backup to a new VM
- ⬜ Azure Backup vault created for blob backup
- ⬜ Blob operational backup configured
- ⬜ Azure Site Recovery enabled (VM replication to secondary region)
- ⬜ Test failover executed and cleaned up
- ⬜ Backup reports configured in Backup center
- ⬜ Backup failure alerts configured
- ⬜ Break & Fix scenarios completed
- ⬜ Resources cleaned up (in correct order!)