This article describes how Backup or Compliance Admins can ensure that all business-critical machines have appropriate backup and retention policies.
Azure Backup offers a variety of built-in policies through Azure Policy to help you automatically configure backup for your Azure Virtual Machines (VMs). Based on the structure of your backup teams and the organization of your resources, you can choose the most suitable policy from the following options to ensure effective and consistent backup management.
Azure Policy types for Azure VM backup
The following table lists the policy types that let you manage backups of Azure VM instances automatically:
Policy type | Description |
---|---|
Policy 1 | Configures backup on VMs without a given tag to an existing Recovery Services vault in the same location. |
Policy 2 | Configures backup on VMs with a given tag to an existing Recovery Services vault in the same location. |
Policy 3 | Configures backup on VMs without a given tag to a new Recovery Services vault with a default policy. |
Policy 4 | Configures backup on VMs with a given tag to a new Recovery Services vault with a default policy. |
Policy 1: Configure backup on VMs without a given tag to an existing recovery services vault in the same location
This policy enables a central backup team to configure backup for Azure Virtual Machines using an existing central Recovery Services vault located in the same subscription and region as the governed VMs. You can exclude specific VMs from the policy scope with a designated tag.
Policy 2: Configure backup on VMs with a given tag to an existing recovery services vault in the same location
This policy functions the same as Policy 1, with one key difference: it includes virtual machines in the policy scope if they have a specific tag.
Policy 3: Configure backup on VMs without a given tag to a new recovery services vault with a default policy
This policy targets applications organized in dedicated resource groups and backs them up using the same Recovery Services vault. It automatically manages this configuration and allows you to exclude virtual machines from the policy scope that have a specific tag.
Policy 4: Configure backup on VMs with a given tag to a new recovery services vault with a default policy
This policy functions the same as Policy 3, with one key difference: it includes virtual machines in the policy scope if they have a specific tag.
Azure Backup also provides an audit-only policy, Azure Backup should be enabled for Virtual Machines. This policy identifies virtual machines without backup enabled but doesn't apply any backup configuration, which lets you assess compliance without enforcing changes.
Supported and unsupported scenarios for Azure VM backup with Azure Policy
The following table lists the supported and unsupported scenarios for the available policy types:
Policy type | Supported | Unsupported |
---|---|---|
Built-in policy | Currently supported only for Azure VMs. Ensure that the retention policy specified during assignment is a VM retention policy. Learn about the VM SKUs supported by this policy. | |
Policies 1 and 2 | Can be assigned to a single location and subscription at a time. To enable backup for VMs across locations and subscriptions, you need to create multiple instances of the policy assignment, one for each combination of location and subscription. The specified vault and the VMs configured for backup can be under different resource groups. | Management group scope is currently unsupported. |
Policies 3 and 4 | Can be assigned to a single subscription at a time (or a resource group within a subscription). | |
Note
The functionality described in the following sections can also be accessed via Backup center. Backup center is a single unified management experience in Azure. It enables enterprises to govern, monitor, operate, and analyze backups at scale. With this solution, you can perform most of the key backup management operations without being limited to the scope of an individual vault.
Assign built-in Azure Policy for Azure VM backup
This section outlines the end-to-end steps to assign Policy 1. The same instructions apply to the other policies. After assignment, the policy automatically configures backup for any new VM created within the defined scope.
To assign Policy 1 for Azure VM backup, follow these steps:
1. In the Azure portal, go to Policy > Authoring > Definitions to view the list of all built-in policies across Azure resources.
2. On the Policy Definitions pane, filter the list for Category=Backup and select the policy named Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location.
3. On the selected policy pane, review the policy details, and then select Assign.
4. On the Assign Policy pane, on the Basics tab, select the more icon next to Scope.
5. On the right context pane, select the subscription to which the policy applies. You can also select a resource group, so that the policy applies only to VMs in that resource group.
6. On the Parameters tab, select the Location, Vault, and Backup Policy with which the VMs in the scope must be associated. You can also specify a tag name and an array of tag values; a VM that carries any of the specified values for the given tag is excluded from the scope of the policy assignment.
7. Ensure that Effect is set to deployIfNotExists.
8. On the Review+create tab, select Create.
Note
- Azure Policy can also be applied to existing VMs by using remediation.
- Avoid assigning this policy to more than 200 VMs at once, as it might delay backup triggers by several hours beyond the scheduled time.
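The same assignment can be scripted instead of clicked through the portal. The following script is an added example and is not part of the Azure Backup documentation or the Azure CLI: it looks up the built-in Policy 1 definition by its display name, builds the parameter document, assigns it with a system-assigned managed identity (which deployIfNotExists needs in order to deploy the backup configuration), creates a remediation task for VMs that already exist, and then lists VMs still reported non-compliant. It assumes the definition's parameters are named vaultLocation, backupPolicyId, exclusionTagName, exclusionTagValue and effect, and that the roles the definition deploys with are Backup Contributor and Virtual Machine Contributor; verify both against `az policy definition show` before relying on them. The environment variable names are also assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure Backup docs or the Azure CLI project):
# assign Policy 1 with the Azure CLI, grant its managed identity the roles
# deployIfNotExists needs, remediate existing VMs, and list VMs that are
# still reported non-compliant.
# Assumed (verify with `az policy definition show`): parameter names
# vaultLocation, backupPolicyId, exclusionTagName, exclusionTagValue, effect;
# deployment roles Backup Contributor and Virtual Machine Contributor.
set -eu

# Convert "a,b,c" into the JSON string array ["a","b","c"].
tag_values_json() {
  local csv="$1" out="" v
  local IFS=','
  for v in $csv; do
    out="${out:+$out,}\"$v\""
  done
  printf '[%s]' "$out"
}

# Build the --params document for the assignment. The effect defaults to
# deployIfNotExists because any other value configures no backup.
build_params() {
  local location="$1" policy_id="$2" tag_name="$3" tag_values="$4"
  local effect="${5:-deployIfNotExists}"
  printf '{"vaultLocation":{"value":"%s"},"backupPolicyId":{"value":"%s"},"exclusionTagName":{"value":"%s"},"exclusionTagValue":{"value":%s},"effect":{"value":"%s"}}' \
    "$location" "$policy_id" "$tag_name" "$(tag_values_json "$tag_values")" "$effect"
}

# Look up the built-in definition by display name; its name is the policy GUID.
policy1_definition_name() {
  az policy definition list \
    --query "[?displayName=='Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location'].name | [0]" \
    -o tsv
}

assign_policy1() {
  : "${SUBSCRIPTION_ID:?}" "${LOCATION:?}" "${VAULT_RG:?}" "${VAULT_NAME:?}" "${BACKUP_POLICY:?}"
  local scope="/subscriptions/$SUBSCRIPTION_ID" assignment="vm-backup-policy-1"
  local tag_name="${EXCLUSION_TAG_NAME:-backup-exclude}" tag_values="${EXCLUSION_TAG_VALUES:-true}"
  local def policy_id count principal role

  def=$(policy1_definition_name)
  [ -n "$def" ] || { echo "built-in Policy 1 definition not found" >&2; return 1; }

  # The backup policy must belong to a vault in the same region as the VMs.
  policy_id=$(az backup policy show -g "$VAULT_RG" -v "$VAULT_NAME" -n "$BACKUP_POLICY" --query id -o tsv)

  # More than 200 VMs in one assignment can delay the first backups by hours.
  count=$(az vm list --query "length([?location=='$LOCATION'])" -o tsv)
  [ "$count" -le 200 ] || echo "warning: $count VMs in $LOCATION; expect delayed backup triggers" >&2

  # deployIfNotExists needs a managed identity to deploy the protected item
  # (older CLI versions spell the flag --assign-identity).
  az policy assignment create --name "$assignment" --scope "$scope" --policy "$def" \
    --location "$LOCATION" --mi-system-assigned \
    --params "$(build_params "$LOCATION" "$policy_id" "$tag_name" "$tag_values")"

  principal=$(az policy assignment show --name "$assignment" --scope "$scope" \
    --query identity.principalId -o tsv)
  for role in "Backup Contributor" "Virtual Machine Contributor"; do
    az role assignment create --assignee-object-id "$principal" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope"
  done

  # New VMs are handled on creation; existing VMs need a remediation task.
  az policy remediation create --name "${assignment}-remediation" \
    --policy-assignment "$assignment" --resource-discovery-mode ReEvaluateCompliance

  # Evaluation is asynchronous; rerun this until the list is empty.
  az policy state list --policy-assignment "$assignment" \
    --filter "complianceState eq 'NonCompliant'" --query "[].resourceId" -o tsv
}

# Only talk to Azure when explicitly asked, so the helpers can be tested offline.
if [ "${RUN_ASSIGNMENT:-0}" = "1" ]; then
  assign_policy1
fi
```

Run it as `RUN_ASSIGNMENT=1 SUBSCRIPTION_ID=... LOCATION=... VAULT_RG=... VAULT_NAME=... BACKUP_POLICY=... ./assign-policy1.sh` after `az login`. The role assignments are the step most often missed when scripting deployIfNotExists policies: without them the assignment reports non-compliance but the remediation deployments fail. The final `az policy state list` query is the same call you would use to read the audit-only policy's results.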