Azure Backup provides native VM and workload protection using snapshot-based backups stored in a Recovery Services Vault. It covers core backup and restore needs, including policy-based retention and cross-region recovery. However, enterprises with strict RPO/RTO targets, ransomware concerns, compliance requirements, or hybrid/multi-cloud environments may need more advanced immutability, centralized governance, and large-scale recovery capabilities. The key is not just enabling Azure Backup, but designing a data protection strategy aligned with business and security requirements.

Backing up cloud data should be a priority for any modern business. But if you rely on the Microsoft Azure cloud, as do 95% of the Fortune 500, backup needs to be at the top of your to-do list. There are several reasons for this: 

  • Azure is probably where you are hosting some of your most critical and sensitive data 

  • Your Microsoft 365 productivity application data is on Azure, as are some (or all) of your Microsoft stack systems in the cloud

  • If you lose your Azure data, your operations are going to take a hit that won’t be easy to get over 

  • Azure’s shared security responsibility model makes backup your responsibility

Being thorough and secure in backing up Azure, especially virtual machines (VMs) on Azure, can be a challenging proposition. This Azure VM backup guide offers best practices and suggestions on how to leverage third-party backup solutions to achieve the best outcomes. It discusses how to back up Azure VMs, along with how to back up Azure in general.

How Azure VM Backup Works with Rubrik

Whether you use native Azure Backup or a third-party solution like Rubrik, the underlying protection process for Azure VMs follows a similar pattern. Understanding it helps you make better decisions about policy, consistency, and recovery options.

VM Agent and Snapshot Extension

The Azure VM Agent must be installed on each virtual machine. When a backup job triggers, a snapshot extension coordinates a disk snapshot without requiring the VM to shut down. Rubrik uses the same Azure-native snapshot mechanism, which means there is no performance impact on the VM during backup and no agent beyond the standard Azure VM Agent is required.

Snapshot Consistency Types

The quality of a restore point depends on its consistency type:

  • Application-consistent snapshots use the Volume Shadow Copy Service on Windows to flush in-memory data to disk before the snapshot. This is the right choice for databases and transactional workloads, and what Rubrik targets by default for supported workloads.

  • File-system consistent snapshots flush and pause file-system writes before the snapshot. They are used for Linux VMs.

  • Crash-consistent snapshots capture disk state without flushing memory, suitable for workloads that can tolerate a restart-style recovery.

Incremental Backups and Storage Efficiency

After the initial full backup, subsequent jobs are incremental, transferring only changed disk blocks. Where native Azure Backup requires 30 days in hot storage before data can move to a cheaper tier, Rubrik moves backup data to cold storage from the first restore point. For organizations protecting large volumes of Azure VMs, this difference in storage tiering produces meaningful cost savings at scale.

Native Azure Backup: What It Does and Where It Falls Short

Native Azure Backup is a reasonable starting point. You create a Recovery Services Vault, define a backup policy specifying schedule and retention, enable backup on a VM, and Azure handles the rest. For small teams managing a handful of VMs in a single subscription, this is often sufficient.

At enterprise scale, the limitations become significant:

  • Policies are configured per vault, per subscription. Applying consistent backup standards across dozens of subscriptions requires significant manual effort or complex Azure Policy scripting.

  • There is no unified view across subscriptions, clouds, or on-premises infrastructure. Teams managing hybrid environments must log into each vault separately to verify coverage.

  • Hot storage is required for the first 30 days, which is approximately twice the cost of cold storage. This adds up fast when protecting hundreds of VMs.

  • Threat detection and ransomware recovery capabilities are limited. Native Azure Backup offers soft delete and vault immutability, but does not scan backup data for threat indicators before restore.

  • Restore options are slower. There is no equivalent to instant mounting of a backup snapshot as a live, running VM.

These are the gaps that a purpose-built solution like Rubrik Security Cloud is designed to close.
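The coverage check that the list above says has to be done vault by vault can be run over a merged export instead. The following is an added example, not code from Rubrik or Microsoft: the record layout, the VM names and the 24-hour RPO are constructed assumptions, and it also flags database VMs whose newest restore point is only crash-consistent.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not real Azure output: a VM inventory and the restore
# points found for it after merging exports from every subscription and vault.
VMS = [
    {"sub": "sub-a", "vm": "sql-prod-01", "workload": "database"},
    {"sub": "sub-a", "vm": "web-01", "workload": "stateless"},
    {"sub": "sub-b", "vm": "erp-db-02", "workload": "database"},
    {"sub": "sub-b", "vm": "build-07", "workload": "stateless"},
]
RESTORE_POINTS = [
    {"sub": "sub-a", "vm": "sql-prod-01", "time": "2024-04-30T02:00:00+00:00", "consistency": "application"},
    {"sub": "sub-a", "vm": "sql-prod-01", "time": "2024-05-01T02:00:00+00:00", "consistency": "application"},
    {"sub": "sub-a", "vm": "web-01", "time": "2024-04-28T02:00:00+00:00", "consistency": "crash"},
    {"sub": "sub-b", "vm": "erp-db-02", "time": "2024-05-01T03:00:00+00:00", "consistency": "crash"},
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the result is reproducible
RPO = timedelta(hours=24)  # assumed recovery point objective for every VM


def audit(vms, restore_points, now, rpo):
    """Return {(subscription, vm): [findings]} for every VM with at least one finding."""
    # Keep only the newest restore point per VM.
    latest = {}
    for rp in restore_points:
        key = (rp["sub"], rp["vm"])
        when = datetime.fromisoformat(rp["time"])
        if key not in latest or when > latest[key][0]:
            latest[key] = (when, rp["consistency"])

    report = {}
    for vm in vms:
        key = (vm["sub"], vm["vm"])
        findings = []
        if key not in latest:
            findings.append("unprotected")  # no restore point in any vault
        else:
            when, consistency = latest[key]
            if now - when > rpo:
                findings.append("rpo-breach")  # newest point is older than the RPO
            if vm["workload"] == "database" and consistency == "crash":
                findings.append("crash-consistent-database")
        if findings:
            report[key] = findings
    return report


if __name__ == "__main__":
    for (sub, vm), findings in sorted(audit(VMS, RESTORE_POINTS, NOW, RPO).items()):
        print(f"{sub}/{vm}: {', '.join(findings)}")
```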

How to Back Up Azure VMs with Rubrik Security Cloud

Rubrik Security Cloud connects directly to your Azure environment, auto-discovers your VMs, and lets you apply protection through SLA Domains rather than per-vault policies. The result is centralized, policy-driven backup that scales across subscriptions and clouds without the operational overhead of the native approach.

Step 1: Connect Your Azure Subscription

Rubrik connects to Azure through a registered application in Azure Active Directory using a service principal. This is a one-time setup per subscription.

  1. In the Rubrik Security Cloud console, navigate to Infrastructure, then Cloud Accounts.

  2. Select Azure and follow the guided setup to register a Rubrik application in your Azure AD tenant.

  3. Grant the required permissions: Contributor on the subscriptions you want to protect, and Key Vault access if using customer-managed keys.

  4. Complete the connection. Rubrik immediately begins discovering all Azure VMs in the connected subscriptions.

Step 2: Review Auto-Discovered VMs

Once connected, navigate to Workloads, then Azure VMs, to see a complete inventory of every VM across your connected subscriptions. Unprotected VMs are clearly flagged. This automatic discovery eliminates the manual process of enrolling VMs into individual vaults, which is one of the most time-consuming parts of managing native Azure Backup at scale.

Step 3: Define an SLA Domain

Rubrik uses SLA Domains in place of per-vault backup policies. An SLA Domain is a declarative policy: you specify the goal (for example, hourly snapshots retained for 30 days, with monthly copies archived for seven years and replicated to a secondary region), and Rubrik handles execution across every workload assigned to that domain. One SLA Domain can cover Azure VMs, on-premises servers, SQL databases, and SaaS applications simultaneously.

  1. In Rubrik Security Cloud, navigate to SLA Domains and select Create SLA Domain.

  2. Set the base backup frequency (hourly, daily, or weekly) and local retention period.

  3. Configure replication to a secondary site or cloud region for disaster recovery.

  4. Set archival rules to tier older restore points to cold storage automatically.

  5. Save the SLA Domain.

Step 4: Assign Protection to Azure VMs

  1. In the Azure VMs inventory, select the VMs, resource groups, or entire subscriptions you want to protect.

  2. Assign your SLA Domain. Protection begins immediately according to the SLA Domain schedule.

  3. Rubrik begins tiering backup data to cold storage from the first restore point, rather than holding it in hot storage for 30 days as native Azure Backup requires.

Step 5: Monitor Compliance Across All Subscriptions

Rubrik's compliance dashboard shows which VMs are meeting their SLA Domain requirements and which are falling behind, across all connected subscriptions and cloud platforms in a single view. You can generate compliance reports for auditors without logging into individual Azure vaults or running separate queries per subscription. Alerts fire automatically when a VM falls out of compliance or a backup job fails.

How to Restore Azure VMs from Backup

Recovery speed is where Rubrik's advantage over native Azure Backup is most visible. Native Azure Backup offers three restore paths: full VM restore, disk-level restore, and file-level recovery. These work well but involve navigating to individual vaults, selecting restore points, and waiting for the data to be fully transferred before the VM becomes available.

Rubrik adds several capabilities that reduce RTO significantly.

Live Mount for Near-Instant Recovery

Rubrik's Live Mount mounts a backup snapshot directly as a running Azure VM without waiting for a full data transfer. The workload is available within minutes while Rubrik migrates the underlying data in the background. This is the difference between a recovery measured in hours and one measured in minutes, which matters when production systems are down during an incident.

Full VM Restore

For a full restore, navigate to the Azure VM in Rubrik Security Cloud, select a restore point from the snapshot timeline, and choose to restore to the original location, a new VM, a different Azure region, or a different subscription. The ability to restore across subscription boundaries is a capability native Azure Backup does not provide without significant manual effort.

File-Level Recovery

Browse the file system of any restore point directly in the Rubrik console and download individual files or folders without attaching disks or running scripts. Native Azure Backup offers a similar capability but requires downloading and running a mount script on a target VM.

Ransomware-Safe Restore

Before restoring, Rubrik can scan backup snapshots for known threat indicators, identifying the last clean restore point so you do not reintroduce malware into your environment. Native Azure Backup has no equivalent capability: you choose a restore point by date, with no visibility into whether that point is clean.

Backup Policy and Retention: Native Azure Backup vs. Rubrik

How you define backup policies determines your Recovery Point Objective and your storage costs. The two approaches are fundamentally different in how they scale.

Native Azure Backup uses per-vault policies configured individually for each subscription and workload. The Standard policy supports daily backups. The Enhanced policy supports hourly backups and enables tiering to the vault-archive tier for long-term retention. Retention durations can be set independently for daily, weekly, monthly, and yearly restore points. At enterprise scale, applying consistent policies across dozens of subscriptions requires Azure Policy automation and ongoing maintenance to ensure new VMs are enrolled correctly.

Rubrik's SLA Domain model collapses this complexity. One SLA Domain definition covers any number of workloads across any number of subscriptions and cloud platforms. When a new VM is provisioned and assigned to an SLA Domain, protection begins automatically with no additional configuration required. Policy changes apply immediately to every workload in the domain. This is the declarative model the original Azure VM backup process lacks, and it is what makes Rubrik operationally practical at enterprise scale.

 

Azure Backups Best Practices 

Azure VM backups are the subject of a growing, evolving set of best practices. Some of these focus on security, which makes sense given how inviting a target backed-up data can be for attackers. Use of a third-party backup tool is also recommended.

Security

In the old days, backing up data meant putting it on tape and stashing those tapes in a salt mine. Unless someone brought in a tractor trailer, your data was pretty well air gapped against malicious actors. 

The cloud is different, to put it mildly. The cloud is sprawling in comparison to conventional storage environments. Your organization might have multiple accounts spanning different geographies and cloud platforms. As a result, your data is exposed through a wide attack surface that requires more resources and expertise to defend. (And, due to the shared security model, those resources and expertise must be from your side, not the cloud provider’s.)

Backed-up data in the cloud is also at risk of breach and exfiltration unless you protect it well. It’s a best practice to apply the same level of security rigor to backups on Azure as you bring to your other critical IT systems.

What does this look like? At a high level, security for Azure backups is part of the overall cloud data protection picture. One factor to pay attention to in securing cloud backups is credential management. Stolen or accidentally revealed credentials are a leading entry point for ransomware attacks. Enabling MFA also helps, as it reduces the possibility that malicious actors can log in from unknown devices. Role-Based Access Control (RBAC) helps, too, by simplifying the process of assigning and revoking access privileges by basing access on organizational roles.

Additionally, data encryption is strongly recommended for all tiers of storage on Azure. The best practice is to leverage the built-in Azure Key Vault tool to safeguard your cryptographic keys and other secrets you might use as countermeasures to a data breach.

Monitoring, Alerts, and Reporting

Effective backup and restore requires constant awareness of the state of backup jobs. It also requires awareness of potential problems (such as missed workflow steps, outages, or cyberattacks). It is a best practice, therefore, to engage in continuous, thorough monitoring of all affected systems. Monitoring must then follow through with alerts and reports as needed to ensure rapid, appropriate action if the monitoring process picks up a problem.

There are multiple ways to monitor your systems for backup and recovery, and you’re not limited to just one. It may make sense to set up Azure Monitor to stay on top of system usage and backup jobs. Azure Monitor is a multi-faceted solution that collects, analyzes, and responds to monitoring data from cloud and on-premises environments. It collects and aggregates data relevant to backup and recovery. With Azure Monitor, you can be instantly aware of potential issues affecting the state of your backed-up VMs and data.

By reviewing reports and analyzing the monitoring data stream, it is possible to validate user behavior—while also potentially spotting anomalous activity that could suggest a threat or attack in progress. A ransomware attack, for example, might be preceded by users logging in from unusual places or at off-hours. If a monitoring solution catches these suspicious signals quickly enough, it can avert the attack or limit its blast radius.
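The two signals named above, sign-ins from unusual places and at off-hours, can be checked against a per-user baseline. The following is an added example, not part of the original article or of any Azure or Rubrik tooling: the log format, the user names and the business-hours window are constructed assumptions.

```python
from datetime import datetime

# Constructed sign-in records "timestamp user country" (UTC); not a real Azure log schema.
HISTORY = """\
2024-04-22T08:14:00 alice DE
2024-04-23T08:40:00 alice DE
2024-04-24T17:55:00 alice FR
2024-04-22T09:02:00 bob DE
2024-04-23T09:10:00 bob DE
"""
RECENT = """\
2024-04-29T08:31:00 alice DE
2024-04-29T02:47:00 bob DE
2024-04-30T03:12:00 alice BR
2024-04-30T10:05:00 svc-backup DE
"""
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 UTC counts as normal


def parse(text):
    """Turn 'timestamp user country' lines into (datetime, user, country) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, country = line.split()
        events.append((datetime.fromisoformat(stamp), user, country))
    return events


def known_countries(history):
    """Map each user to the set of countries seen during the baseline period."""
    seen = {}
    for _, user, country in history:
        seen.setdefault(user, set()).add(country)
    return seen


def detect(recent, history):
    """Return [(timestamp, user, [reasons])] for sign-ins that deviate from the baseline."""
    seen = known_countries(history)
    alerts = []
    for when, user, country in sorted(recent):
        reasons = []
        if user not in seen:
            reasons.append("no-baseline")   # account never seen before
        elif country not in seen[user]:
            reasons.append("new-country")   # unusual place for this user
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if reasons:
            alerts.append((when.isoformat(), user, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(RECENT), parse(HISTORY)):
        print(alert)
```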

Native vs. Third-Party Backup

Azure has its own backup functions, but a third-party backup solution may be preferable. While Azure’s built-in backup offers some advantages (breadth of workload coverage, relative ease of use, and the simplicity of a single vendor relationship), it comes with some inherent limitations. 

Native backup tools, such as Azure’s, can make it difficult to get a baseline backup. It can be operationally complex to set policies across multiple accounts. These tools tend to lack centralized visibility for multi-cloud architectures, and may lead to inconsistent policy definitions and enforcement. At a higher level, native backup tools may be less than economical, with poor storage tiering and inefficient deduplication, among other sub-optimal cost factors.

A third-party backup solution fills in many of these gaps. Such solutions generally enable lower total cost of ownership (TCO), partly as the result of simplified administration of multiple Azure accounts and regions, as well as unified management and pervasive visibility of backups across multiple cloud and on-premises VMs. A third-party solution reduces TCO by storing backup data in cold storage on day 1, which is cheaper. In contrast, Azure Backup requires you to store data in hot storage for 30 days, which is twice as expensive as cold storage.

A third-party backup solution, such as Rubrik Security Cloud, also includes security features like data threat analytics and immutable backups that serve as a countermeasure against ransomware. Rubrik’s Azure backup solution offers distinct advantages for the Azure environment, e.g., purpose-built backup functionality for Azure SQL, Azure VMs, Azure NetApp Files, and more.

What to Look for in an Azure Backup Vendor

The right Azure backup vendor will be one that offers specific features for Azure VMs and related Microsoft workloads, but also enables you to work across multiple clouds and on-premises infrastructure through a “single pane of glass” management interface. It should enhance backup security through immutability, Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), ransomware detection, and air-gapped backups, along with fast restore and fast RTOs and RPOs. Having a “cold storage” option is also essential for keeping total cost of ownership (TCO) as low as possible. 

Management Simplicity via Policy-Driven Automation

A suitable Azure backup solution should keep backup management simple through automation. The solution should be able to automate processes like tiering Azure VMs and Managed Disks, for example. Automated discovery of Azure VMs is also a plus, especially if the solution can deliver policy-driven automation. An example might be automated tagging of resources in a resource group.

Additionally, the ability to create service level agreements (SLAs) using declarative statements is a big plus for an Azure backup vendor. As exemplified by Rubrik’s SLA Domain construct, the declarative statement stands in contrast to the conventional “imperative” mode of adhering to SLAs. Unlike an imperative approach, which outlines a series of steps that admins must follow to meet a backup SLA, a process that inevitably becomes cumbersome and inefficient, a declarative statement sets a goal, such as an RTO. It’s a “set it and forget it” way to do backups that meet SLAs. Compliance becomes much simpler as a result. 

Fast Recovery for Near-zero RTOs and RPOs

When there is a data loss event of any kind on Azure, rapid recovery is an absolute imperative. The best Azure backup vendor will be one that can selectively restore the most-needed Azure VMs and other data at scale. This way, critical data is prioritized for the fastest restoration—which speeds up a return to normal operations.

Specifically, this means achieving the shortest possible Recovery Time Objective (RTO), which is the time that elapses between the start of an event and the recovery of affected Azure VMs and related files. In addition, the solution needs to enable the narrowest possible Recovery Point Objective (RPO). The RPO is the point at which data becomes lost in an outage, such as the most recent transaction in a series. An effective Azure backup solution will deliver near-zero RTOs and RPOs.

Application Mobility for Cost-Effective Long-Term Retention, Application Recovery, or Test/Dev

If your goal is long-term retention and application recovery, it pays to work with an Azure backup vendor that offers application mobility. You might want, for example, to move a VM from Azure to Amazon Web Services (AWS), or move an app from dev to test to production. This process may involve quickly replicating data between the clouds. The vendor should support that process. Simple, unified management across clouds is essential for success.

Data Threat Analytics

Are attackers going after your backed-up Azure VMs? The right Azure backup vendor will help you figure that out, before it’s too late, by providing data threat analytics capabilities. Data security requires nonstop vigilance. For example, your backup solution should continuously scan backed-up data for threat signatures. It would be good if it could also engage in threat hunting, which means looking for specific threats and not waiting for them to manifest as attacks. If the solution discovers a threat, it should send alerts to people who are tasked with threat mitigation.

Native Protection of Virtual Workloads and SaaS Applications Running on Azure

A third-party Azure backup solution should ideally cover Software-as-a-Service (SaaS) applications such as Microsoft 365. This means SaaS data protection at scale, including safeguarding SaaS data with logically air-gapped, access-controlled backups and rapid restoration. Centralized backup/restore management functionality, complete with an intuitive dashboard, helps realize this capability.

FAQ