Microsoft Azure offers a variety of backup and disaster recovery solutions. Let Tim iron out some common confusions about these entities and services: Azure Recovery Services vault, Azure Site Recovery, Azure Backup, and Azure Backup vault. In addition, you will learn important concepts for working with the Azure Recovery Services vault: Azure region dependency, content portability, and deletion workflow.
Latest posts by Timothy Warner (see all)

Azure Recovery Services vault

Azure Recovery Services is Microsoft Azure's primary business continuity and disaster recovery (BCDR) solution. The service has two principal features: Azure Backup and Azure Site Recovery. The corresponding Azure Recovery Services vault is the storage entity that holds the data for these two services.

Azure Site Recovery

Azure Site Recovery (ASR) is a replication/disaster recovery engine that enables you to replicate entire workloads between your on-premises and Azure environments.

Recovery Services vaults support both Hyper-V and VMware virtualization environments. You can use them to protect physical servers on-premises in addition to your virtual machines.

Azure Backup

Azure Backup enables you to back up and restore Windows Server and Linux servers:

  • In Azure
  • On premises
  • In other clouds

In addition, Microsoft recently introduced new workloads for Azure Backup that are stored in the Azure Backup vault. The Backup vault is a much leaner product than the Recovery Services vault and has a more specialized set of supported workloads. Specifically, the Backup vault protects only selected Azure resources:

  • Azure VM disks
  • Azure Blob Storage in general-purpose storage accounts
  • Azure Database for PostgreSQL servers
Backup vaults protect a small set of Azure workloads

As you can see in the following screenshot, the Recovery Services and Backup vaults are separate Azure resources with nonoverlapping workloads. In all likelihood, your company will make use of both.

Two different vaults, two different sets of workloads

The real confusion here is one that's stereotypically Microsoft: product naming. When you use the Windows Server Backup feature in Windows Server to back up your servers to Azure, you're backing up to a Recovery Services vault, not a Backup vault. Yes, it's super confusing.

This means the term "Azure Backup" actually has nothing to do with the Azure Backup vault. I have to confess that Microsoft's propensity to change up product names again and again and again bothers me a great deal.

Let's have a closer look at the Recovery Services features.

Recovery Services vaults and Azure region dependency

Azure VMs can be associated with only one Recovery Services vault. Moreover, the VM and the Recovery Services vault must be in the same Azure region; that's a hard requirement.

Azure VMs belong to only one Recovery Services vault in their own region

The confusion comes in when you're looking to protect servers from other clouds or in your on-premises datacenters. Note that there is no regional or geographical requirement to associate these off-Azure machines with the vault.

Of course, you want to think about network latency. You're not going to get lightning-fast replication when the VM you're protecting is in the United States, and the Recovery Services vault is in Australia.

Recovery Services vault contents portability

From time to time, you may be required to move an Azure resource:

  • Between resource groups
  • Between subscriptions
  • Between Azure AD tenants

You can indeed move Recovery Services vaults between resource groups and subscriptions. However, you should definitely consult the documentation to learn more about the prerequisites and limitations.

Likewise, read the docs before attempting to move a subscription containing a Recovery Services vault to another Azure AD tenant. One sometimes overlooked consequence of this action is that you'll have to redo all your Azure RBAC role assignments because you'll be in a different directory.

The confusing "gotcha" here is that backup data in a Recovery Services vault cannot be moved to a different vault.

Recovery Services vault deletion workflow

Historically, deleting a Recovery Services vault has been a pain in the you-know-what. Why? Because you first have to empty the vault before removing the vault itself. Some of the Recovery Services artifacts and settings include:

  • Soft delete status
  • Backup data
  • Linked storage accounts
  • Linked private endpoints

You see the following error if you attempt to delete a nonempty Recovery Services vault:

Vault deletion error when the Recovery Services vault contains resources

Recovery Services vaults have the soft delete feature enabled by default, so you must first disable the feature, then delete your backup snapshots, and only then remove the vault.

As you can see in the following screenshot, soft delete can be found in the Recovery Services vault's Properties under Security Settings.

Manage Recovery Services vault soft delete settings

The good news is that the Microsoft software engineers heard customer complaints about the Recovery Services vault's cumbersome delete experience and have addressed it.

Take a look at the following screenshot. Now, when you want to delete the vault, choose one of two options:

  • Delete manually: Here, you need to remove all dependencies yourself before completing the vault deletion.
  • Delete using PowerShell script: Here, you run an autogenerated PowerShell script that swings a "heavy hammer" to force delete empty or nonempty vaults.
Attempting to delete a Recovery Services vault

Here's an extract of the autogenerated PowerShell script so you can get a feel for its scope of work:

# $VaultName and $ResourceGroup must already be set (this is an extract of the full script)
$VaultToDelete = Get-AzRecoveryServicesVault -Name $VaultName -ResourceGroupName $ResourceGroup
Set-AzRecoveryServicesAsrVaultContext -Vault $VaultToDelete
Set-AzRecoveryServicesVaultProperty -VaultId $VaultToDelete.ID -SoftDeleteFeatureState Disable # disable soft delete
Write-Host "Soft delete disabled for the vault" $VaultName
$containerSoftDelete = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $VaultToDelete.ID | Where-Object {$_.DeleteState -eq "ToBeDeleted"} # fetch backup items in soft delete state

foreach ($softitem in $containerSoftDelete) {
	Undo-AzRecoveryServicesBackupItemDeletion -Item $softitem -VaultId $VaultToDelete.ID -Force # undelete items in soft delete state
}

# Invoke the API to disable security features (Enhanced Security) so MARS/MAB/DPM servers can be removed.
Set-AzRecoveryServicesVaultProperty -VaultId $VaultToDelete.ID -DisableHybridBackupSecurityFeature $true

This is a very powerful script that automates disabling soft delete, undeleting backup items that are in a soft-deleted state, and ultimately force-deleting everything. Good stuff, indeed!
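Because the script above switches off soft delete and then removes backup data, it helps to know which vaults already have soft delete off or hold items pending deletion. The following read-only inventory is an added example, not part of the article or of Microsoft's autogenerated script; it assumes the Az.RecoveryServices module and a signed-in Connect-AzAccount session, and the function name Get-VaultSoftDeleteReport is hypothetical.

```powershell
# Added example: read-only report, makes no changes to any vault.
# Assumes Az.RecoveryServices is installed and Connect-AzAccount has been run.
function Get-VaultSoftDeleteReport {
    [CmdletBinding()]
    param(
        # Optional filter; omit to cover every vault in the current subscription.
        [string]$ResourceGroupName
    )

    $vaults = if ($ResourceGroupName) {
        Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzRecoveryServicesVault
    }

    foreach ($vault in $vaults) {
        # Vault-level security settings, including the soft delete state.
        $props = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID

        # Azure VM backup items, using the same query as the deletion script.
        $items = @(Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM `
                -WorkloadType AzureVM -VaultId $vault.ID)
        $pending = @($items | Where-Object { $_.DeleteState -eq 'ToBeDeleted' })

        # Assumption: 'Enabled' and 'AlwaysON' are the protected states.
        # Any other value is flagged so an unexpected state is never hidden.
        $softDeleteOk = $props.SoftDeleteFeatureState -in 'Enabled', 'AlwaysON'

        [pscustomobject]@{
            Vault           = $vault.Name
            ResourceGroup   = $vault.ResourceGroupName
            Region          = $vault.Location
            SoftDelete      = $props.SoftDeleteFeatureState
            VmBackupItems   = $items.Count
            PendingDeletion = $pending.Count
            NeedsReview     = (-not $softDeleteOk) -or ($pending.Count -gt 0)
        }
    }
}

# Vaults that need attention are listed first.
Get-VaultSoftDeleteReport |
    Sort-Object NeedsReview -Descending |
    Format-Table -AutoSize
```

Only Azure VM backup items are counted here, matching the query in the extract; other workload types would need their own Get-AzRecoveryServicesBackupItem calls.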


As I began working on this concluding paragraph, I thought of one more possible point of confusion regarding Azure Backup services: "What is this 'Backup center' I see in the Azure portal?"

The Backup center is simply a GUI overlay that gives you easier access to both the Recovery Services and Backup vaults. These portal blades could be useful for businesses that use both vault types in their work.

The Backup center in the Azure portal

I hope now that you've worked through this tutorial, you have a clearer understanding of the Azure Recovery Services vault and some of its potentially confusing "gotchas."


© 4sysops 2006 - 2023