Create a vault as follows: Sign in to the Azure portal using your Azure subscription. In search, type Recovery Services and click Recovery Services vaults. For Name, enter a friendly name to identify the vault. The name needs to be unique for the Azure subscription. It can contain 2 to 50 characters.
These security issues can be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security features to help protect backup data even after deletion. One such feature is soft delete. With soft delete, even if a malicious actor deletes the backup of a VM or backup data is accidentally deleted, the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss.
Note: Soft delete only protects deleted backup data. If a VM is deleted without a backup, the soft-delete feature will not preserve the data. All resources should be protected with Azure Backup to ensure full resilience.
In the Azure portal, go to your Recovery Services vault, right-click on the backup item and choose Stop backup. In the following window, you will be given a choice to delete or retain the backup data.
If you choose Delete backup data and then Stop backup, the VM backup will not be permanently deleted. Rather, the backup data will be retained for 14 days in the soft deleted state. If Delete backup data is chosen, a delete email alert is sent to the configured email ID informing the user that 14 days remain of extended retention for backup data. Also, an email alert is sent on the 12th day informing that there are two more days left to resurrect the deleted data. The deletion is deferred until the 15th day, when permanent deletion will occur and a final email alert is sent informing about the permanent deletion of the data.
Note: If any soft-deleted backup items are present in the vault, the vault cannot be deleted at that time. Please try vault deletion after the backup items are permanently deleted, and there is no item in soft deleted state left in the vault.
In order to restore the soft-deleted VM, it must first be undeleted. To undelete, choose the soft-deleted VM, and then click on the option Undelete. A window will appear warning that if undelete is chosen, all restore points for the VM will be undeleted and available for performing a restore operation.
Note: Garbage collector will run and clean expired recovery points only after the user performs the Resume backup operation.
The Resume backup operation brings back the backup item in the active state, associated with a backup policy selected by the user defining the backup and retention schedules. This flow chart shows the different steps and states of a backup item: For more information, see the Frequently Asked Questions section below.
Disabling soft delete
Soft delete is enabled by default on newly created vaults. If the soft delete security feature is disabled, backup data will not be protected from accidental or malicious deletes. Without the soft delete feature, all deletions of protected items will result in immediate removal, without the ability to restore.
Since backup data in the "soft delete" state doesn't incur any cost to the customer, disabling this feature is not recommended. The only circumstance where you should consider disabling soft delete is if you are planning on moving your protected items to a new vault and cannot wait the 14 days required before deleting and reprotecting, such as in a test environment.
Prerequisites for disabling soft delete
Enabling or disabling soft delete for vaults without protected items can only be done in the Azure portal. This applies to newly created vaults that do not contain protected items, and to existing vaults whose protected items have been deleted and expired beyond the fixed retention period. If the soft delete feature is disabled for the vault, you can re-enable it, but you cannot reverse that choice and disable it again if the vault contains protected items.
You cannot disable soft delete for vaults that contain protected items or items in soft-deleted state. If you need to do so, then follow these steps: Stop protection of deleted data for all protected items. Wait for the 14 days of safety retention to expire. Disable soft delete. To disable soft delete, ensure that the prerequisites are met, and then follow these steps: In the security settings pane, under Soft Delete, select Disable.
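The lifecycle and guard rules described above (14-day retention, undelete, Resume backup, and the blocks on vault deletion and on disabling soft delete) can be modelled as a small state machine. This is an added example, not Azure code or an Azure API; the class, method and state names are illustrative assumptions, and treating every item that has not been permanently deleted as blocking the disable operation is this example's reading of the prerequisites.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)  # soft-delete retention period stated above

class BackupItem:
    """Constructed model of one backup item; state names are illustrative."""
    def __init__(self, name):
        self.name, self.state, self.deleted_at = name, "active", None

    def stop_and_delete(self, now):
        # "Stop backup" with "Delete backup data": soft-deleted, not removed.
        self.state, self.deleted_at = "soft_deleted", now

    def refresh(self, now):
        # Permanent deletion happens once the retention window has elapsed.
        if self.state == "soft_deleted" and now >= self.deleted_at + RETENTION:
            self.state = "purged"
        return self.state

    def undelete(self, now):
        if self.refresh(now) != "soft_deleted":
            raise ValueError(f"{self.name}: cannot undelete ({self.state})")
        # Restore points are usable again, but the item is not yet active.
        self.state, self.deleted_at = "stopped_retained", None

    def resume(self):
        if self.state != "stopped_retained":
            raise ValueError(f"{self.name}: undelete before resuming")
        # Resume backup re-attaches a policy and returns the item to active.
        self.state = "active"

class Vault:
    def __init__(self, items):
        self.items = items

    def states(self, now):
        return {item.refresh(now) for item in self.items}

    def soft_delete_blocks_vault_deletion(self, now):
        return "soft_deleted" in self.states(now)

    def can_disable_soft_delete(self, now):
        # Assumption: anything not permanently deleted blocks disabling.
        return self.states(now) <= {"purged"}

if __name__ == "__main__":
    t0 = datetime(2020, 1, 1)  # constructed deletion time
    vm = BackupItem("vm1"); vm.stop_and_delete(t0)
    print(vm.refresh(t0 + timedelta(days=13)), vm.refresh(t0 + RETENTION))
```
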
Other security features
Storage side encryption
Azure Storage automatically encrypts your data when persisting it to the cloud. Encryption protects your data and helps you meet your organizational security and compliance commitments. Azure Storage encryption is similar to BitLocker encryption on Windows. Azure Backup automatically encrypts data before storing it. Azure Storage decrypts data before retrieving it.
This data remains on the Azure backbone network. For more information, please see Azure Storage encryption for data at rest. For instructions, please see Back up and restore encrypted virtual machines with Azure Backup.
Protection of Azure Backup recovery points
Storage accounts used by Recovery Services vaults are isolated and cannot be accessed by users for any malicious purposes. The access is only allowed through Azure Backup management operations, such as restore.