Advanced

Azure Backup & Recovery

When all preventive guardrails fail, backup and recovery capabilities are your last line of defense. Azure provides multiple backup mechanisms, soft delete features, and recovery options that can restore accidentally deleted resources.

Azure Backup for VMs, SQL, and Storage

Azure Backup provides centralized backup management through Recovery Services vaults. For AI agent safety, the key is ensuring backups are configured before an agent can cause damage:

Setting up Azure Backup for VMs
# Create a Recovery Services vault
az backup vault create \
  --resource-group rg-backup \
  --name rsv-production-backups \
  --location eastus

# Enable soft delete on the vault (prevents backup data deletion)
az backup vault backup-properties set \
  --resource-group rg-backup \
  --name rsv-production-backups \
  --soft-delete-feature-state Enable

# Create a backup policy with daily backups and 30-day retention
az backup policy create \
  --resource-group rg-backup \
  --vault-name rsv-production-backups \
  --name policy-daily-30days \
  --backup-management-type AzureIaasVM \
  --policy '{
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": ["2026-03-20T02:00:00Z"]
    },
    "retentionPolicy": {
      "retentionPolicyType": "LongTermRetentionPolicy",
      "dailySchedule": {
        "retentionTimes": ["2026-03-20T02:00:00Z"],
        "retentionDuration": { "count": 30, "durationType": "Days" }
      }
    }
  }'

# Enable backup for a production VM
# (the resource ID is quoted so the shell passes it as a single argument)
az backup protection enable-for-vm \
  --resource-group rg-backup \
  --vault-name rsv-production-backups \
  --vm "$(az vm show --resource-group rg-production --name vm-app-server --query id -o tsv)" \
  --policy-name policy-daily-30days

Soft Delete for Recovery Services Vaults

Soft delete ensures that even if an AI agent somehow manages to delete backup data, it remains recoverable for 14 additional days:

Critical: Without soft delete enabled, an AI agent that gains sufficient permissions could delete both the resource and its backups, leaving you with no recovery option. Always enable soft delete on all Recovery Services vaults, and consider enabling Multi-User Authorization (MUA) to require multiple approvals for disabling soft delete.

Managing soft delete and enhanced security
# Check soft delete status
az backup vault backup-properties show \
  --resource-group rg-backup \
  --name rsv-production-backups \
  --query "softDeleteFeatureState"

# Set soft delete to AlwaysOn (irreversible: soft delete can no longer be disabled on this vault)
az backup vault backup-properties set \
  --resource-group rg-backup \
  --name rsv-production-backups \
  --soft-delete-feature-state AlwaysOn

# List soft-deleted items that can be recovered
# (a bare `true` in JMESPath is read as a field name, so filter on the flag itself)
az backup item list \
  --resource-group rg-backup \
  --vault-name rsv-production-backups \
  --query "[?properties.isScheduledForDeferredDelete]"

# Undelete (recover) a soft-deleted backup item
az backup protection undelete \
  --resource-group rg-backup \
  --vault-name rsv-production-backups \
  --container-name "IaasVMContainer;rg-production;vm-app-server" \
  --item-name "VM;rg-production;vm-app-server" \
  --backup-management-type AzureIaasVM

Azure Site Recovery for Disaster Recovery

Azure Site Recovery (ASR) replicates VMs to a secondary region. If an AI agent destroys resources in the primary region, you can fail over to the replica:

Setting up Azure Site Recovery (Terraform)
resource "azurerm_site_recovery_fabric" "primary" {
  name                = "primary-fabric"
  resource_group_name = azurerm_resource_group.recovery.name
  recovery_vault_name = azurerm_recovery_services_vault.vault.name
  location            = "eastus"
}

resource "azurerm_site_recovery_fabric" "secondary" {
  name                = "secondary-fabric"
  resource_group_name = azurerm_resource_group.recovery.name
  recovery_vault_name = azurerm_recovery_services_vault.vault.name
  location            = "westus2"
}

resource "azurerm_site_recovery_replication_policy" "policy" {
  name                                                 = "replication-policy"
  resource_group_name                                  = azurerm_resource_group.recovery.name
  recovery_vault_name                                  = azurerm_recovery_services_vault.vault.name
  recovery_point_retention_in_minutes                  = 1440  # 24 hours
  application_consistent_snapshot_frequency_in_minutes = 240   # 4 hours
}

Blob Soft Delete and Versioning

Azure Blob Storage offers two complementary protection mechanisms:

| Feature | Protection | Recovery Method | Cost Impact |
|---|---|---|---|
| Blob soft delete | Deleted blobs retained for configurable days | Undelete the blob within retention period | Low — only deleted data storage costs |
| Container soft delete | Deleted containers retained for configurable days | Restore the container within retention period | Low — only deleted container storage |
| Blob versioning | Previous versions preserved on overwrite/delete | Promote a previous version to current | Medium — all versions consume storage |
| Immutable storage | WORM (Write Once, Read Many) compliance | Data cannot be deleted during retention period | None — policy-based, no extra storage |

Enabling blob soft delete and versioning
# Enable blob soft delete with 30-day retention
az storage account blob-service-properties update \
  --resource-group rg-production \
  --account-name stproddata \
  --enable-delete-retention true \
  --delete-retention-days 30

# Enable container soft delete with 14-day retention
az storage account blob-service-properties update \
  --resource-group rg-production \
  --account-name stproddata \
  --enable-container-delete-retention true \
  --container-delete-retention-days 14

# Enable blob versioning
az storage account blob-service-properties update \
  --resource-group rg-production \
  --account-name stproddata \
  --enable-versioning true

# Recover a soft-deleted blob
az storage blob undelete \
  --account-name stproddata \
  --container-name production-data \
  --name "important-file.json"

# List deleted containers for recovery
# (a bare `true` in JMESPath is read as a field name, so filter on the flag itself)
az storage container list \
  --account-name stproddata \
  --include-deleted \
  --query "[?deleted]"

SQL Database Point-in-Time Restore

Azure SQL Database automatically maintains backups and supports point-in-time restore (PITR) for up to 35 days:

Restoring a deleted SQL database
# List deleted databases that can be restored
az sql db list-deleted \
  --resource-group rg-production \
  --server sql-prod-server

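# Restore a deleted database to a point in time
# (--name is the deleted source database, --dest-name the new database to create)
az sql db restore \
  --resource-group rg-production \
  --server sql-prod-server \
  --name sqldb-prod-main \
  --dest-name sqldb-restored \
  --deleted-time "2026-03-20T14:30:00Z" \
  --time "2026-03-20T14:25:00Z"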

# Restore a database that still exists to an earlier point in time
az sql db restore \
  --resource-group rg-production \
  --server sql-prod-server \
  --name sqldb-prod-main-restored \
  --dest-name sqldb-prod-main-backup \
  --time "2026-03-20T10:00:00Z"

# Configure long-term retention (LTR) for weekly, monthly, yearly backups
az sql db ltr-policy set \
  --resource-group rg-production \
  --server sql-prod-server \
  --name sqldb-prod-main \
  --weekly-retention "P4W" \
  --monthly-retention "P12M" \
  --yearly-retention "P5Y" \
  --week-of-year 1

Recovery Procedures After Accidental Deletion

  1. Immediate: Disable the Agent

    Revoke the agent's credentials immediately using the kill switch procedures from the best practices lesson. This prevents further damage while you assess the situation.

  2. Assess: Determine What Was Deleted

    Query the Activity Log to identify all resources deleted by the agent. Use the KQL queries from the monitoring lesson to get a complete picture of the damage.

  3. Recover: Restore from Backups

    Use the appropriate recovery mechanism for each resource type: Azure Backup for VMs, PITR for SQL databases, undelete for soft-deleted blobs, and ASR failover for complete environment recovery.

  4. Verify: Confirm Restoration

    After recovery, verify that all restored resources are functioning correctly. Check data integrity, network connectivity, and application health before declaring recovery complete.

  5. Prevent: Strengthen Guardrails

    Conduct a post-incident review. Identify which guardrails failed or were missing, and implement additional protections to prevent recurrence.
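
Steps 2 and 3 above can be scripted as a triage pass over exported Activity Log records. The following is an added example, not part of the original lesson: it maps each delete the agent completed to the recovery mechanism described on this page and sorts by the date the recovery window closes. The agent ID, subscription ID and sample records are constructed, and the window lengths are assumptions taken from the settings used on this page.

```python
from datetime import datetime, timedelta, timezone

# Delete operation -> (recovery mechanism named on this page, recovery window in days).
# Windows mirror this page's settings (assumption: adjust to your own configuration).
RECOVERY = {
    "microsoft.compute/virtualmachines/delete": ("Azure Backup VM restore", 30),
    "microsoft.sql/servers/databases/delete": ("SQL restore of deleted database", 7),
    "microsoft.storage/storageaccounts/blobservices/containers/delete":
        ("container soft delete restore", 14),
    "microsoft.recoveryservices/vaults/backupfabrics/protectioncontainers/protecteditems/delete":
        ("az backup protection undelete", 14),
}

def build_recovery_plan(events, agent_id, now):
    """Return (resource_id, entry) pairs for resources the agent deleted, most urgent first."""
    plan = {}
    for ev in events:
        op = ev.get("operationName", {}).get("value", "").lower()
        if ev.get("caller") != agent_id or not op.endswith("/delete"):
            continue
        if ev.get("status", {}).get("value") != "Succeeded":
            continue  # Started/Failed records do not prove the resource is gone
        deleted_at = datetime.fromisoformat(ev["eventTimestamp"].replace("Z", "+00:00"))
        mechanism, days = RECOVERY.get(op, ("none mapped on this page", None))
        deadline = deleted_at + timedelta(days=days) if days else None
        plan[ev["resourceId"].lower()] = {
            "mechanism": mechanism, "deleted_at": deleted_at, "deadline": deadline,
            "expired": deadline is not None and now > deadline,
        }
    # Resources with no mapped mechanism (no deadline) sort last.
    return sorted(plan.items(), key=lambda kv: (kv[1]["deadline"] is None, kv[1]["deadline"] or now))

# Constructed sample records in the shape `az monitor activity-log list -o json` returns.
AGENT = "11111111-1111-1111-1111-111111111111"  # hypothetical agent principal ID
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-production/providers/"
def _ev(caller, op, status, ts, rid):
    return {"caller": caller, "operationName": {"value": op}, "status": {"value": status},
            "eventTimestamp": ts, "resourceId": SUB + rid}
SAMPLE = [
    _ev(AGENT, "Microsoft.Compute/virtualMachines/delete", "Started", "2026-03-20T14:29:50Z", "Microsoft.Compute/virtualMachines/vm-app-server"),
    _ev(AGENT, "Microsoft.Compute/virtualMachines/delete", "Succeeded", "2026-03-20T14:30:00Z", "Microsoft.Compute/virtualMachines/vm-app-server"),
    _ev(AGENT, "Microsoft.Sql/servers/databases/delete", "Succeeded", "2026-03-20T14:31:00Z", "Microsoft.Sql/servers/sql-prod-server/databases/sqldb-prod-main"),
    _ev("ops@example.com", "Microsoft.Storage/storageAccounts/blobServices/containers/delete", "Succeeded", "2026-03-20T09:00:00Z", "Microsoft.Storage/storageAccounts/stproddata/blobServices/default/containers/logs"),
    _ev(AGENT, "Microsoft.Storage/storageAccounts/blobServices/containers/delete", "Succeeded", "2026-03-01T09:00:00Z", "Microsoft.Storage/storageAccounts/stproddata/blobServices/default/containers/production-data"),
    _ev(AGENT, "Microsoft.Network/networkInterfaces/delete", "Succeeded", "2026-03-20T14:32:00Z", "Microsoft.Network/networkInterfaces/vm-app-server-nic"),
]
if __name__ == "__main__":
    for rid, e in build_recovery_plan(SAMPLE, AGENT, datetime(2026, 3, 21, tzinfo=timezone.utc)):
        print(e["deadline"], "EXPIRED" if e["expired"] else "ok", e["mechanism"], rid, sep=" | ")
```

Deletes of individual blobs are data-plane operations and do not appear in the Activity Log, so they need the storage account's resource logs rather than this triage pass.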

Cost Optimization for Backup Strategies

| Strategy | Monthly Cost (approx.) | Recovery Speed | Recommendation |
|---|---|---|---|
| Blob soft delete (30 days) | ~$0.01/GB deleted data | Instant | Always enable — minimal cost, high value |
| SQL PITR (7 days default) | Included in SQL pricing | Minutes to hours | Always enabled — no extra cost |
| Azure Backup (daily, 30 days) | ~$5-20/VM/month | 30-60 minutes | Enable for all production VMs |
| Azure Site Recovery | ~$25/VM/month | Minutes (failover) | Enable for business-critical workloads |
| Geo-redundant backup | 2x local backup cost | Hours (cross-region) | Enable for compliance-required workloads |

Cost-Effective Approach: At minimum, enable blob soft delete, SQL PITR, and Azure Backup for production VMs. These three measures cost very little but cover the most common accidental deletion scenarios. Add Azure Site Recovery and geo-redundant backups for workloads that require sub-hour recovery objectives.