faq-backup-sql-server.yml

### YamlMime:FAQ
metadata:
  title: FAQ - Backing up SQL Server databases on Azure Virtual Machines (VMs)
  description: Find answers to common questions about backing up SQL Server databases on an Azure Virtual Machine (VM) with Azure Backup.
  ms.reviewer: vijayts
  ms.topic: faq
  ms.service: azure-backup
  ms.date: 02/13/2026
  author: AbhishekMallick-MS
  ms.author: v-mallicka

    
title: FAQ about SQL Server databases that are running on an Azure VM backup
summary: |
  This article answers common questions about backing up SQL Server databases that run on Azure virtual machines (VMs) and use the [Azure Backup](backup-overview.md) service. To understand the SQL database backup and restore support scenarios, see the [support matrix](sql-support-matrix.md).
  

sections:
  - name: Backup
    questions:
      - question: |
          Can I use Azure Backup for IaaS VM and SQL Server on the same machine?
        answer: |
          Yes, both VM and SQL backups can coexist on the same VM. To avoid interfering with database backups using other backup tools, IaaS VM backups trigger copy-only full backups.

      - question: |
          Does the solution retry or auto-heal the backups?
        answer: |
          Under some circumstances, the Azure Backup service triggers remedial backups. Auto-heal can happen for any of the following six conditions:
          
          - If log or differential backup fails due to LSN Validation Error, next log or differential backup is instead converted to a full backup.
          - If no full backup has happened before a log or differential backup, that log or differential backup is instead converted to a full backup.
          - If the latest full backup's point-in-time is older than 15 days, the next log or differential backup is instead converted to a full backup.
          - All the backup jobs that get canceled due to an extension upgrade are retriggered after the upgrade is completed and the extension is started.
          - If you choose to overwrite the database during Restore, the next log/differential backup fails and a full backup is triggered instead.
          - In cases where a full backup is required to reset the log chains due to change in database recovery model, a full gets triggered automatically on the next schedule.
          
      - question: |
          Can I cancel an auto-heal backup job?
        answer: |
          No, you can’t cancel an auto-heal job. However, you can opt out of it by following these steps:
          
          1. On the SQL Server instance, in the *C:\Program Files\Azure Workload Backup\bin* folder, create or edit the **ExtensionSettingsOverrides.json** file.
          1. In the **ExtensionSettingsOverrides.json** file, set `{"EnableAutoHealer": false}`.
          1. Save the changes and close the file.
          1. On the **SQL Server instance**, open **Task Manager**, stop `AzureWLBackupPluginSvs` and `AzureWLBackupInquirySvc` services, and then restart the `AzureWLBackupCoordinatorSvc` service.
          
             `AzureWLBackupPluginSvs` and `AzureWLBackupInquirySvc` services auto-start when new tasks arrive. Avoid restarting `AzureWLBackupCoordinatorSvc` during active backups; otherwise, it aborts them and might trigger full remedial backups.

      - question: |
          Can I control how many concurrent backups run on the SQL server?
        answer: |
          Yes. You can throttle the rate at which the backup policy runs to minimize the impact on a SQL Server instance. To change the setting:
          
          1. On the SQL Server instance, in the *C:\Program Files\Azure Workload Backup\bin* folder, create the *ExtensionSettingsOverrides.json* file.
          1. In the **ExtensionSettingsOverrides.json** file, change the `DefaultBackupTasksThreshold` setting to a lower value (for example, 5). <br>
            `{"DefaultBackupTasksThreshold": 5}`
          <br>
          The default value of DefaultBackupTasksThreshold is **20**.
          
          1. Save your changes and close the file.
          1. On the **SQL Server instance**, open **Task Manager**, stop `AzureWLBackupPluginSvs` and `AzureWLBackupInquirySvc` services, and then restart the `AzureWLBackupCoordinatorSvc` service.
          
             `AzureWLBackupPluginSvs` and `AzureWLBackupInquirySvc` services auto-start when new tasks arrive. Avoid restarting `AzureWLBackupCoordinatorSvc` during active backups; otherwise, it aborts them and might trigger full remedial backups. For more generic control over CPU, I/O, and memory usage by backup applications, use **SQL Server Resource Governor**.

          
          > [!NOTE]
          > In the UX you can still go ahead and schedule as many backups at any given time. However they'll be processed in a sliding window of say, 5, according to the above example.
          
      - question: |
          Do successful backup jobs create alerts?
        answer: |
          No. Successful backup jobs don't generate alerts. Alerts are sent only for backup jobs that fail. Detailed behavior for portal alerts is documented [here](backup-azure-monitoring-built-in-monitor.md). However, if you're interested in having alerts even for successful jobs, you can use [Monitoring using Azure Monitor](backup-azure-monitoring-use-azuremonitor.md).
          
      - question: |
          Are future databases automatically added for backup?
        answer: |
          Yes, you can achieve this capability with [autoprotection](backup-sql-server-database-azure-vms.md#enable-auto-protection).  
          
      - question: |
          If I delete a database from an autoprotected instance, what will happen to the backups?
        answer: |
          If a database is dropped from an autoprotected instance, the database backups are still attempted. This implies that the deleted database begins to show up as unhealthy under **Backup Items** and is still protected.
          
          The correct way to stop protecting this database is to do **Stop Backup** with **delete data** on this database.  
          
      - question: |
          Can I protect databases on virtual machines that have Azure Disk Encryption (ADE) enabled?
        answer: |
          Yes, you can protect databases on virtual machines that have Azure Disk Encryption (ADE) enabled.

      - question: |
          Can I protect databases that have TDE (Transparent Data Encryption) turned on and will the database stay encrypted through the entire backup process?
        answer: |
          Yes, Azure Backup supports backup of SQL Server databases or server with TDE enabled. Backup supports [TDE](/sql/relational-databases/security/encryption/transparent-data-encryption) with keys managed by Azure, or with customer-managed keys (BYOK).  Backup doesn't perform any SQL encryption as part of the backup process so the database will stay encrypted when backed up.
          
      - question: |
          Does Azure Backup perform a checksum operation on the data stream?
        answer: |
          We do perform a checksum operation on the data stream. However, this isn't to be confused with [SQL checksum](/sql/relational-databases/backup-restore/enable-or-disable-backup-checksums-during-backup-or-restore-sql-server).
          Azure workload backup computes the checksum on the data stream and stores it explicitly during the backup operation. This checksum stream is then taken as a reference and cross-verified with the checksum of the data stream during the restore operation to make sure that the data is consistent.

      - question: |
          Can I use Azure Site Recovery for SQL machine as well as Azure SQL database backup on the same machine?
        answer: |
          Yes. Azure Site Recovery will trigger a *copy-only full backup* while taking the *application consistent snapshot* on the VM not to truncate the logs. [Learn more](../site-recovery/site-recovery-sql.md#combining-bcdr-technologies-with-site-recovery).   
      - question: |
          What happens if I rename the SQL Server VM at the OS level? Will backups and restores still work?
        answer: |
          Renaming the VM at the OS level is supported. Azure Backup for SQL Server relies on the Azure Resource URI and SQL Server instance registration, not the OS hostname. Backups will continue to work as long as the Azure Backup Plugin can connect to the SQL Server instance. 
  - name: Manage
    questions:
      - question: |
          Can I see scheduled backup jobs in the Backup Jobs menu?
        answer: |
          The **Backup Job** menu shows all scheduled and on-demand operations, except the scheduled log backups since they can be very frequent. For scheduled log jobs, use [Monitoring using Azure Monitor](backup-azure-monitoring-use-azuremonitor.md).

      - question: |
          If I do stop backup operation of an autoprotected database what will be its behavior?
        answer: |
          If you do **stop backup with retain data**, no future backups will take place and the existing recovery points will remain intact. The database will still be considered as protected and be shown under the **Backup items**.
          
          If you do **stop backup with delete data**, no future backups will take place and the existing recovery points will also be deleted. The database will be considered un-protected and be shown under the instance on the **Configure Backup** blade. However, unlike other up-protected databases that can be selected manually or that can get autoprotected, this database appears greyed out and can’t be selected. The only way to re-protect this database is to disable auto-protection on the instance. You can now select this database and configure protection on it or re-enable auto-protection on the instance again.

      - question: |
          If I've changed the name of the database after it has been protected, what will be the behavior?
        answer: |
          A renamed database is treated as a new database. So the service will treat this situation as if the database weren't found and with fail the backups.
          
          You can select the database, which is now renamed and configure protection on it. If the auto-protection is enabled on the instance, the renamed database will be automatically detected and protected.

      - question: |
          Why can’t I see an added database for an autoprotected instance?
        answer: |
          A database that you [add to an autoprotected instance](backup-sql-server-database-azure-vms.md#enable-auto-protection) might not immediately appear under protected items. This is because the discovery typically runs every 8 hours, and the actual protection of the system can take additional time as it depends on the size of the VM. However, you can discover new databases immediately if you manually run a discovery by selecting **Rediscover DBs**, as shown in the following image:
          
            :::image type="content" source="./media/backup-azure-sql-database/view-newly-added-database.png" alt-text="Screenshot of manually discover a newly added database."

  - name: Restore
    questions:
      - question: |
          Can I download only a subset of files during restore as files?
        answer: |
          Yes, you can download files partially as documented [here](restore-sql-database-azure-vm.md#partial-restore-as-files).
      - question: |
          Can I download files to an unregistered during restore as files during restore as files?
        answer: |
          Yes, you need a file path in a registered VM to download files. That path can be a network share too. Configure a network share from the unregistered VM to the registered VM and then choose the registered VM as target and the network share as the target file path. Once files are downloaded, you could simply unmount the network share from the registered VM and the files are now available in the unregistered VM.

      - question: |
          Connecting the Azure environment to on-premises network using ExpressRoute and  configured forced tunneling directs all the traffic to the on-premises network. How can I configure the settings so that Azure SQL Server workload backup traffic won't pass through the on-premises network and directly connects to Recovery Services vault?
        answer: |
          During the backup operation, the *backup job* connects to three Service Endpoints - `AzureBackup`, `AzureStorage`, and `Microsoft Entra ID`. In this scenario, we recommend you to configure the Service Endpoint to `AzureStorage`, which helps to send the traffic from the Virtual Network to the Storage directly. For Azure Backup and Microsoft Entra ID, you can configure UDR over service tags so that the traffic travels to backbone network instead of on-premises.

      - question: |
          Why do I need write permission on the source SQL Server to restore to another SQL Server?
        answer: |
          You need write access to the source VM during a PowerShell-based SQL ALR restore to confirm that the data owner is initiating the restore. This check prevents unauthorized access through the Recovery Services Vault. If the source VM no longer exists, the vault skips validation and lets you restore to any VM without needing write access to the original source.


additionalContent: |

  ## Next steps

  - [Back up a SQL Server database running on an Azure VM](backup-azure-sql-database.md).
  - [Restore backed up SQL Server databases](restore-sql-database-azure-vm.md).
  - [Manage and monitor backed up SQL Server databases using Azure portal](manage-monitor-sql-database-backup.md).