In the context of the Azure Administrator Associate exam (AZ-104), protecting data is a core component of the 'Monitor and maintain Azure resources' domain. Azure utilizes two distinct logical containers to manage and store backup data: the **Recovery Services vault** and the **Backup vault**. While both serve the purpose of securing data, they support different sets of workloads.
The **Recovery Services vault** is the established standard. It supports Azure Virtual Machines, SQL Server and SAP HANA running on Azure VMs, Azure File Shares, and on-premises workloads (via the MARS agent or Azure Backup Server). Crucially, this vault is also the exclusive entity used for Azure Site Recovery (ASR) to manage disaster recovery replication. It offers critical security features like Soft Delete, immutability, and Cross-Region Restore.
The **Backup vault** is a newer entity designed specifically for newer, cloud-native workloads. You are required to use a Backup vault for protecting Azure Blobs, Azure Managed Disks, Azure Database for PostgreSQL, and Azure Kubernetes Service (AKS).
As an administrator, you do not choose between them based on preference; the resource type dictates the vault. If you are backing up a whole VM, you utilize a Recovery Services vault. If you are backing up a specific Managed Disk or Blob container, you utilize a Backup vault. Both provide a centralized interface to define backup policies (frequency and retention), configure storage redundancy (LRS, GRS, or ZRS), and monitor job success via Azure Monitor to ensure business continuity and compliance.
Guide to Recovery Services Vaults and Backup Vaults for AZ-104
Why is this Important?
Data protection is a cornerstone of the Azure Administrator role. Understanding the distinction between Recovery Services vaults and Backup vaults is critical for ensuring Business Continuity and Disaster Recovery (BCDR). In the AZ-104 exam, Microsoft tests your ability to select the correct storage mechanism based on the specific workload you are trying to protect (e.g., a Virtual Machine vs. a Blob Container) and how to configure redundancy to meet compliance requirements.
What are they?
Both are storage entities in Azure that house data. That data is typically copies of data, or configuration information, for virtual machines (VMs), workloads, servers, or workstations.
1. Recovery Services vault: This is the 'classic' vault type. It is based on the Azure Service Manager (ASM) and Azure Resource Manager (ARM) models. It is primarily used for:
   - Azure Virtual Machines
   - SQL Server in Azure VMs
   - SAP HANA in Azure VMs
   - Azure Files (Azure file shares)
   - On-premises servers (via MARS agent or DPM)
   - Azure Site Recovery (ASR) replication data
2. Backup vault: This is the newer vault type, native to Azure Resource Manager. It is lightweight and used for newer, specific workloads such as:
   - Azure Blobs
   - Azure Disks
   - Azure Database for PostgreSQL
   - Kubernetes Services (AKS)
How it works
When you configure a backup, the vault manages the storage redundancy and access security.
Storage Redundancy: You define redundancy at the Vault level, not the individual backup item level. Options include:
- Locally-redundant storage (LRS): Replicates data three times in a single data center.
- Geo-redundant storage (GRS): Replicates to a secondary region (default setting).
- Zone-redundant storage (ZRS): Replicates across availability zones.
Soft Delete: Both vaults support Soft Delete. If a backup is deleted, it is retained for a specific period (default is 14 days) allowing you to 'undelete' it if the deletion was accidental or malicious.
Cross Region Restore (CRR): If using GRS, you can enable CRR to allow restoring data in the secondary region even if the primary region is up and running (useful for drills/testing).
Exam Tips: Answering Questions on Recovery Services vault and Backup vault
The AZ-104 exam frequently asks scenario-based questions where you must choose the correct resource. Follow this logic matrix:
1. Identify the Workload:
   - If the question mentions Virtual Machines, Azure Files, or On-premises data, the answer is always a Recovery Services vault.
   - If the question mentions Azure Blobs, Managed Disks (individual disk backup, not full VM), or PostgreSQL, the answer is a Backup vault.
2. Check the Redundancy Requirement:
   - If the scenario requires the ability to restore to a different region during a regional outage, you must select Geo-Redundant Storage (GRS).
   - Note: You can only change the storage redundancy type (e.g., from GRS to LRS) before you protect any items in the vault. Once a backup item exists, the redundancy setting is locked.
3. Look for 'Site Recovery':
   - Azure Site Recovery (ASR) only works with Recovery Services vaults.
4. Security Keywords:
   - If the question asks about protecting against 'accidental deletion' or 'ransomware' where an admin deletes the backup, look for Soft Delete or Immutable storage.
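
The redundancy lock and Soft Delete points above, applied to a Recovery Services vault with Azure PowerShell. This script is an added example, not part of the original guide; it assumes the Az.RecoveryServices module and a signed-in session (`Connect-AzAccount`), and the resource group, vault name and location are placeholders.

```powershell
# Added example: placeholder names, replace with your own values.
$ResourceGroup = 'rg-backup-example'   # hypothetical resource group
$VaultName     = 'rsv-example'         # hypothetical vault name
$Location      = 'westeurope'          # hypothetical region

# Reuse the vault if it exists, otherwise create it.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroup -Name $VaultName `
             -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzRecoveryServicesVault -ResourceGroupName $ResourceGroup `
                 -Name $VaultName -Location $Location
}

# Redundancy can only be changed while the vault protects nothing, so look
# for existing backup items first. This covers three common workload types,
# not every type a Recovery Services vault can hold.
$checks = @(
    @{ Mgmt = 'AzureVM';       Workload = 'AzureVM'    },
    @{ Mgmt = 'AzureStorage';  Workload = 'AzureFiles' },
    @{ Mgmt = 'AzureWorkload'; Workload = 'MSSQL'      }
)
$items = foreach ($c in $checks) {
    Get-AzRecoveryServicesBackupItem -BackupManagementType $c.Mgmt `
        -WorkloadType $c.Workload -VaultId $vault.ID
}

# Set GRS with Cross Region Restore only when nothing is protected yet.
$current = Get-AzRecoveryServicesBackupProperty -Vault $vault
if ($items) {
    Write-Warning ("Vault already protects {0} item(s); redundancy stays '{1}'." -f `
        @($items).Count, $current.BackupStorageRedundancy)
}
else {
    Set-AzRecoveryServicesBackupProperty -Vault $vault `
        -BackupStorageRedundancy GeoRedundant -EnableCrossRegionRestore
}

# Enable Soft Delete so deleted backups are retained and can be undeleted.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable | Out-Null

# Report the resulting settings for review.
$redundancy = Get-AzRecoveryServicesBackupProperty -Vault $vault
$security   = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
[pscustomobject]@{
    Vault              = $vault.Name
    Redundancy         = $redundancy.BackupStorageRedundancy
    CrossRegionRestore = $redundancy.CrossRegionRestore
    SoftDelete         = $security.SoftDeleteFeatureState
}
```

Run it before configuring the first backup policy on a new vault; on a vault that already holds backup items it only reports the current redundancy and turns Soft Delete on.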