November 29, 2022

Protecting Data in a Cloud World: What You Need to Know About Azure Backup

Joel Neff
Azure Solution Specialist
Welcome to part 1 of our 3-part blog series, exploring data protection options and considerations for when you’re operating in a native or hybrid Azure environment. This first blog in the series will explore the native capability of Azure Backup. The second will look at business continuity and disaster recovery using Azure Site Recovery. Finally, for the third instalment, we will dive into Data#3’s Backup as a Service (BaaS) offering, leveraging the power of Azure Lighthouse to provide a uniquely stress-free solution.

Imagine that all of a sudden your business data was just gone. The consequences can be dire: the customer service team can’t access customer records, the warehouse can’t fulfil orders, the emails needed in a lawsuit have vanished. What if the data lost was a critical compliance requirement or contractual obligation? How long could a modern business, without data, survive? How much will it cost to recover?

Some businesses, of course, don’t have to imagine because they have already lived this scenario. In fact, 30% of businesses have lost data in the last year alone [1] and a whopping 89% of organisations [2] have a protection gap between the business needs and what their backup solution can deliver. Australian businesses are being relentlessly targeted for ransomware attacks and hacks. Whether due to ransomware, human error, or natural disaster, their ability to survive rested largely on their preparation, in the form of a considered, tested and regularly reviewed backup plan.

Cloud-based backups offer many advantages for busy IT teams. Microsoft Azure, for example, maintains about 100 industry and compliance standards across the globe and manages about 2,500 regulatory changes per week. However, there is a common misconception that just by running your infrastructure in the cloud it is automatically protected. Microsoft Azure, like other cloud service providers, operates a ‘shared responsibility’ model, where the division of responsibilities varies depending on where the workload is hosted. In an on-premises data centre, you own the whole stack. As you move to the cloud, some responsibilities transfer to Microsoft. The following diagram highlights the areas of responsibility depending upon the type of deployment in your stack.

[Figure: Azure Shared Responsibility Model]

Like most things in technology, the way data is backed up must evolve to stay relevant. It used to be relatively simple – everything was loaded onto a tape that was taken off-premises on a regular schedule. Times have changed. Where once, almost everything stayed on-premises – including users – cloud is an inevitable part of IT delivery today, which means that old-style backups are no longer the answer, and increasingly, organisations are turning to cloud-based backups such as Microsoft Azure Backup.

So, what is Azure Backup?

Azure Backup is Microsoft’s answer to cloud backup. Like most services on Azure, it is a scalable storage solution that can dynamically meet your needs, with management through a centralised console in the Azure Portal.

Azure Backup ensures your data is stored securely by leveraging the built-in security capabilities of the Azure platform, including Role Based Access Control (RBAC) and encryption. The recently introduced ‘soft-delete’ feature also protects against any accidental or malicious attempts to delete your backup data. Tiered storage options further enable you to optimise your backup costs by using Archive storage for your longer-term retention.

Let’s explore some useful practices and considerations for Azure Backup

What is my organisation’s most critical data?
The Australian Cyber Security Centre (ACSC) recommends in its maturity level one entry point that ‘backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements’, but what counts as important will vary. As part of backup planning and reviews, it is worth taking time to understand and prioritise the most business-critical data.

What can I back up with Azure Backup?
Azure may be a cloud service, but you can use it to back up on-premises files and folders using the Microsoft Azure Recovery Services (MARS) agent, or VMs and other on-premises workloads with Azure Backup Server (MABS). You can also back up Azure VMs, managed disks and file shares, SQL Server and SAP HANA databases: all the essentials.

How fast do I need to recover my data?
Understanding the impact of temporary data loss should be a key driver of your backup plan. For some businesses, a few hours may not be catastrophic, while for others, more than a few minutes is the stuff of nightmares. When you have identified what your organisation can tolerate, your backup choices should be built around this central truth using the concepts of Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

How do I forecast costs?
The first place to start with Azure Backup is to develop an estimate for your backup costs. The best place to do this initially is the Azure Pricing Calculator. If you’ve got more complex requirements, the Azure Backup team at Microsoft has developed a more detailed spreadsheet which will help you understand how your backup footprint could grow, and illustrate the impact of different backup policies and other options.

Choosing the right storage options
It pays to do your homework or get help from a trusted partner. Azure allows unlimited inbound and outbound data transfer, unlike some services. It also includes automatic storage management, so you can choose what to store in the cloud, and what to store on-premises without any extra charge. You only pay for what you consume, so it’s important to put good policies in place to manage cloud backup costs effectively.

The first step in configuring Azure Backup requires the creation of a Recovery Services vault. When you create a new vault, the default option is set to Geo-Redundant Storage (GRS). This is generally fine, but for your non-critical workloads, such as Dev or Test, you may not need that level of protection and might want to choose the cheaper Locally-Redundant Storage (LRS), which is almost half the cost of GRS.
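The soft-delete and storage redundancy guidance above can be turned into a routine review of your vault inventory. The following is an added example, not code from Microsoft or Data#3: the inventory records, their field names and the environment labels are constructed for illustration and are not an Azure API schema.

```python
# Added example: review a vault inventory against the practices described above.
# SAMPLE_VAULTS and its field names are constructed; they are not an Azure schema.
SAMPLE_VAULTS = [
    {"name": "rsv-prod-01", "environment": "prod", "redundancy": "GRS", "soft_delete": True},
    {"name": "rsv-prod-02", "environment": "prod", "redundancy": "LRS", "soft_delete": True},
    {"name": "rsv-dev-01", "environment": "dev", "redundancy": "GRS", "soft_delete": False},
    {"name": "rsv-test-01", "environment": "test", "redundancy": "LRS", "soft_delete": True},
    {"name": "rsv-untagged", "redundancy": "lrs", "soft_delete": True},
]

NON_CRITICAL = {"dev", "test"}  # assumption: environment labels used in this inventory
SEVERITY_ORDER = {"high": 0, "medium": 1, "cost": 2}


def review_vault(vault):
    """Return a list of (severity, message) findings for one vault record."""
    findings = []
    env = str(vault.get("environment", "")).lower()
    redundancy = str(vault.get("redundancy", "")).upper()
    # A missing environment label is treated as critical so gaps fail safe.
    critical = env not in NON_CRITICAL

    # Soft delete guards backup data against accidental or malicious deletion.
    if vault.get("soft_delete") is not True:
        findings.append(("high", "soft delete is not enabled"))
    if redundancy not in {"GRS", "LRS"}:
        findings.append(("medium", f"redundancy {redundancy!r} is outside this check (GRS/LRS)"))
    elif critical and redundancy == "LRS":
        findings.append(("medium", "critical or unlabelled workload on LRS"))
    elif not critical and redundancy == "GRS":
        findings.append(("cost", "non-critical workload on GRS; LRS is cheaper"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def audit(vaults):
    """Map vault name -> findings, omitting vaults with nothing to report."""
    report = {}
    for vault in vaults:
        findings = review_vault(vault)
        if findings:
            report[vault.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_VAULTS).items():
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
```
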

Optimise with Selective Disk Backup
When backing up virtual machines, which is probably the most common scenario, you have the option to use Selective Disk Backup. This allows you to choose which disks you back up within your VM, reducing your backup storage footprint.

Don’t back up what you don’t need
Once you have all of your backups configured, you can start centrally managing them via the Backup Centre. This provides a single unified management experience in Azure to govern, monitor, operate, and analyse backups at scale.

When the diagnostic setting in the Recovery Services vault has been configured with a Log Analytics workspace, you will have the ability to run backup reports for optimisation. Within the ‘Optimise’ tab, you can get an understanding of all your inactive or deleted data sources that you have retained backups for and remove any you no longer need.

Review your retention policies
Within the ‘Optimise’ tab, in the ‘Policy Optimisation’ section, the ‘Retention Optimisation’ tab identifies backup instances with a long retention duration. Additionally, the ‘Backup Schedule Optimisation’ tab identifies all databases configured for a daily full backup. You may find that a different strategy, such as a weekly or monthly full backup with daily differential backup with logs, combined with SQL Backup Compression, significantly reduces your storage requirements.

Use the Archive tier for Long Term Retention (LTR)
Azure Backup is built on top of Azure blob storage, with the storage options aligning similarly to the hot, cool and archive tiers available in blob storage. When it comes to understanding what tier is appropriate for your data, you will need to map this back to your RPO and RTO. The Archive tier is very low cost for long term storage; however, it has high access costs to extract the data stored there. You would move data less frequently into the Archive tier than the Standard tier, which therefore increases the RPO. In a similar vein, the RTO is also higher for the Archive tier compared to the Standard tier.

Also worth noting is that while a backup may be configured in the Standard tier as a full backup with incrementals, it will be consolidated into a single full backup when moved into the Archive tier. This provides a single self-contained recovery point, which will remove additional points of failure in a recovery scenario. However, this will make any cost saving calculations difficult to estimate, because it will vary considerably depending on the size of the data set.

Need advice on backing up to the cloud?

If you would like to know more about business continuity and disaster recovery and how to protect your vital business data in the cloud, please follow my blog series or connect with one of our Azure experts.

If you’re new to Azure, backup and disaster recovery are a great scenario to dip your toes in the water. We have a range of engagement options where we can work with you to understand your requirements, develop a proof of concept or pilot for Azure Backup through to production deployment and/or a managed service. If your organisation meets the qualifying criteria, you may be able to access Microsoft funding to accelerate this (subject to Microsoft approvals). Enquire today.

  1. Microsoft overview of Azure Backup, 2019
  2. Veeam Data Protection Trends Report 2022