How Azure Backup Soft Delete protects from Accidental deletes, Malicious and Ransomware threats
Published Nov 24 2022 09:57 PM 7,514 Views

Azure Backup’s Soft Delete provides protection of backup data against accidental, malicious, or human-operated ransomware attacks deleting. It is enabled by default on newly created vaults.  With Soft Delete enabled, the deleted backup data is retained for 14 additional days to recover with no data loss. The additional 14 days of retention for backup data in the "soft delete" state don't incur any cost to you. If you need to ensure that your Soft Delete should not be disabled, then you can further strengthen your backup security posture by turning Always-on setting making it irreversible.  

 

How does it work

enhanced-soft-delete-for-azure-backup-flow-diagram-inline

 

  • Let’s say you have a Recovery Services vault with several active backup items.  
  • You can choose one of the backup item, right-click and choose Stop backup.

StopBackup.png

  • In the following window, you'll be given a choice to Delete Backup Data or Retain Backup Data

DeleteBackup.png

  • When you choose Delete Backup Data, this action will stop all scheduled backup jobs and deletes all the recovery points. Since Soft Delete is enabled by default it goes into ‘Soft Delete with Retain State’ state and will be retained for 14 days. The retention range set in the policy does not apply to the backup data in Soft Deleted state.
  • During those 14 days, in the Recovery Services vault, the soft deleted VM will appear with a red "soft-delete" icon next to it.

SoftDeleteDisabledIndicator.png

  • A delete email alert is sent to the configured email ID informing that 14 days remain of extended retention for backup data. Follow-up email alert is sent on 12th day informing that there are two more days left to resurrect the deleted data. A final email alert is sent informing about the permanent deletion of the data.
  • To restore the soft-deleted VM within 14 days, it must first be undeleted. To undelete, choose the soft-deleted VM, and then select the option Undelete.

Undelete.png

  • A window will appear warning that if undelete is chosen, all restore points for the VM will be undeleted and available for performing a restore operation. The VM will be retained in a "stop protection with retain data" state with backups paused and backup data retained forever with no backup policy effective.

Undelete2.png

  • After the undelete process is completed, the status will return to "Stop backup with retain data" and then you can choose Resume backup. The Resume backup operation brings back the backup item in the active state, associated with a backup policy selected by the user defining the backup and retention schedules.

ResumeBackup.png

 

Soft Delete states

The following shows the various states of Soft Delete: 

SoftDeleteStates.png

  • Disabled: Deleted items aren't retained in the soft deleted state and are permanently deleted. 
  • Enabled: This is the default state for newly created vaults. Deleted items are retained for the specified soft delete retention period and are permanently deleted after the expiry of the soft delete retention duration. Disabling soft delete immediate purges deleted data.
  • Enabled and Always-On: Deleted items are retained for the specified soft delete retention period and are permanently deleted after the expiry of the soft delete retention duration. Once you opt for this state, soft delete can't be disabled.

 

Disabling Soft Delete is not recommended

Disabling this feature is not recommended. The only circumstance where you should consider disabling soft delete is if you're planning on moving your protected items to a new vault, and can't wait the 14 days required before deleting and reprotecting (such as in a test environment). To disable soft delete on a vault, you must have the Backup Contributor role for that vault (you should have permissions to perform Microsoft.RecoveryServices/Vaults/backupconfig/write on the vault). If you disable this feature, all future deletions of protected items will result in immediate removal, without the ability to restore. Backup data that exists in soft deleted state before disabling this feature, will remain in soft deleted state for the period of 14 days. If you wish to permanently delete these immediately, then you need to undelete and delete them again to get permanently deleted.

 

Soft delete retention period

There is no retention cost for soft delete for the default duration of 14 days. If you chose to increase the retention > 14 days, then it will incur regular backup charges. The retention range value is between 14 days to 180 days. Once configured, the soft delete retention period applies to all soft deleted instances of cloud and hybrid workloads in the vault.

For example, you've deleted backups for one of the instances in the vault that has soft delete retention of 60 days. If you want to recover the soft deleted data after 52 days of deletion, the pricing is:

  • Standard rates (similar rates apply when the instance is in stop protection with retain data state) are applicable for the first 46 days (60 days of soft delete retention configured minus 14 days of default soft delete retention).
  • No charges for the last 6 days of soft delete retention.

 

Enabling Always-on soft delete

Soft delete is enabled by default for all new vaults you create. To make enabled settings irreversible, select Enable Always-on Soft Delete.  Always-on soft delete can be enabled only if soft delete is enabled for both cloud and hybrid workloads. When you enable Always-on the following confirmation is prompted as a reminder that this setting is irreversible:

AlwaysOnConfirm.png

 

Soft Delete with MUA

If you do not wish to enable Always-on but needed alternative ways to restrict disabling it, then enable Multi-user authorization (MUA) for Azure Backup. This adds an additional layer of protection to critical operations on your vaults.

 

Additional Resources:

Co-Authors
Version history
Last update:
‎Nov 24 2022 09:56 PM
Updated by: