backup-create-recovery-services-vault.md

title	Create and Configure Recovery Services Vaults
description	Learn how to create and configure Recovery Services vaults and how to restore in a secondary region by using Cross Region Restore.
ms.topic	how-to
ms.date	12/10/2025
ms.custom	references_regions, engagement-fy23
author	AbhishekMallick-MS
ms.author	v-mallicka

Create and configure a Recovery Services vault

This article describes how to create and configure an Azure Backup Recovery Services vault that stores backups and recovery points. You can use Cross Region Restore to restore in a secondary region. To create a Recovery Services vault by using a REST API, see Create Azure Recovery Services vault by using a REST API for Azure Backup.

[!INCLUDE How to create a Recovery Services vault]

Set storage redundancy

Azure Backup automatically handles storage for the vault. You need to specify how that storage is replicated.

Note

Be sure to change the storage replication type for a Recovery Services vault before you configure a backup in the vault. After you configure a backup, the option to modify is disabled.

If you still need to configure the backup, complete the following steps to review and modify the settings. If you already configured the backup and must change the storage replication type, review these workarounds.

1. In the Recovery Services vaults pane, select the new vault. In the Settings section, select Properties.

2. In Properties, under Backup Configuration, select Update.

3. For Storage replication type, select Geo-redundant, Locally-redundant, or Zone-redundant. Then select Save.

   :::image type="content" source="./media/backup-create-rs-vault/recovery-services-vault-backup-configuration.png" alt-text="Screenshot shows how to set the storage configuration for a new vault." lightbox="./media/backup-create-rs-vault/recovery-services-vault-backup-configuration.png":::

   Here are our recommendations for choosing a storage replication type:

   • If you use Azure as a primary backup storage endpoint, continue to use the default geo-redundant storage (GRS).
   • If you don't use Azure as a primary backup storage endpoint, choose locally redundant storage (LRS) to reduce storage costs.
   • If you need data availability without downtime in a region, guaranteeing data residency, choose zone-redundant storage (ZRS).

The storage replication settings for the vault aren't relevant for Azure file share snapshot backup because the snapshots are stored in the same storage account as the backed-up file share. The storage replication settings for the vault apply only for the Azure file share vaulted backup.

Set Cross Region Restore

With the Cross Region Restore option, you can restore data in a secondary, Azure paired region. You can use Cross Region Restore to conduct drills when there's an audit or compliance requirement. You can also use it to restore the data if there's a disaster in the primary region.

Before you begin, consider the following information:

• Cross Region Restore is supported only for a Recovery Services vault that uses the GRS replication type.
• Virtual machines (VMs) created through Azure Resource Manager and encrypted Azure VMs are supported. VMs created through the classic deployment model aren't supported. You can restore the VM or its disk.
• SQL Server or SAP HANA databases hosted on Azure VMs are supported. You can restore databases or their files.
• The Recovery Services agent is supported for vaults without a private endpoint (preview).
• A list of supported managed types and regions is available in the Support matrix for Azure Backup.
• Cross Region Restore incurs extra charges for use. After you enable Cross Region Restore, it might take up to 48 hours for the backup items to be available in secondary regions. Learn more about pricing.
• Cross Region Restore currently can't be reverted to GRS or LRS after the protection starts for the first time.
• Secondary region recovery point objective (RPO) can vary by workload type and policy. For Azure VM backups, the secondary region RPO can be up to 36 hours in the worst case. With the Standard policy, the primary region RPO is up to 24 hours, and replication to the secondary region can take up to 12 hours. With the Enhanced policy, more frequent local recovery point creation can improve the best-case achievable secondary region RPO, but the worst-case can still be up to 36 hours. For workload-specific guidance, see the relevant restore documentation.
• Permissions are required to use Cross Region Restore. For more information, see Use Azure role-based access control (RBAC) to manage Azure Backup recovery points.

A vault created with GRS redundancy includes the option to configure Cross Region Restore. Every GRS vault has a banner that links to the documentation.

Cross Region Restore is also supported for machines running on Ultra Disks. Learn more about Ultra Disk backup supportability.

To configure Cross Region Restore for the vault:

1. From the Azure portal, go to your Recovery Services vault, and then under Settings, select Properties.

2. Under Backup Configuration, select Update.

3. Under Cross Region Restore, select Enable.

   

Note

If you have access to restricted paired regions and still can't view Cross Region Restore settings on the Backup Configuration pane, re-register the Recovery Services resource provider. To re-register the provider, go to your subscription in the Azure portal, go to Resource provider on the left pane, and then select Microsoft.RecoveryServices > Re-register.

For more information about backup and restore with Cross Region Restore, see these articles:

• Cross Region Restore for Azure VMs
• Cross Region Restore for SQL Server databases
• Cross Region Restore for SAP HANA databases
• Cross Region Restore for MARS (preview)

Set Cross Subscription Restore

Cross Subscription Restore allows you to restore data to a different subscription within the same tenant as the source subscription (as per the Azure RBAC capabilities) from restore points.

Cross Subscription Restore is currently supported for Azure VMs, SQL Server in Azure VMs, SAP ASE and SAP HANA in Azure VMs, and Azure Files.

To configure Cross Subscription Restore for the vault, follow these steps:

1. In the Azure portal, go to your Recovery Services vault.

2. On the Recovery Services vault pane, select Settings > Properties.

3. On the Properties pane, under Cross Subscription Restore, select Update.

   :::image type="content" source="./media/backup-create-rs-vault/configure-cross-region-restore.png" alt-text="Screenshot that shows how to enable Cross Subscription Restore for a vault." lightbox="./media/backup-create-rs-vault/configure-cross-region-restore.png" :::

4. On the Cross Subscription Restore pane, select Enable Cross Subscription Restore > Update.

Set encryption settings

By default, the data in the Recovery Services vault is encrypted through platform-managed keys. You don't need to take any explicit actions to enable this encryption. It applies to all workloads that are backed up to your Recovery Services vault.

You can choose to bring your own key (a customer-managed key) to encrypt the backup data in this vault. If you want to encrypt backup data by using your own key, you must specify the encryption key before any item is added to this vault. After you enable encryption with your key, it can't be reversed.

To configure your vault to encrypt with customer-managed keys:

1. Enable managed identity for your Recovery Services vault.
2. Assign permissions to the vault to access the encryption key in Azure Key Vault.
3. Enable soft delete and purge protection in Key Vault.
4. Assign the encryption key to the Recovery Services vault.

For instructions for each of these steps, see Configure a vault to encrypt by using customer-managed keys.

Modify default settings

We recommend that you review the default settings for storage replication type and security before you configure backups in the vault.

By default, Soft delete is set to Enabled on newly created vaults to help protect backup data from accidental or malicious deletions. To review and modify the settings, follow the steps in Secure by default with soft delete for Azure Backup.

Before you decide to move from GRS to LRS, review the trade-offs between lower cost and higher data durability that fit your scenario. If you must move from GRS to LRS after you configure backup, you have the following two choices. Your choice depends on your business requirements to retain the backup data.

Don't need to preserve previous backed-up data

To help protect workloads in a new LRS vault, you need to delete the current protection and data in the GRS vault and reconfigure backups.

Warning

The following operation is destructive and can't be undone. All backup data and backup items associated with the protected server will be permanently deleted. Proceed with caution.

To stop and delete current protection on the GRS vault:

1. Follow these steps to disable soft delete in the GRS vault's properties.

2. Stop protection and delete backups from the existing GRS vault. On the vault dashboard menu, select Backup Items. If you need to move items that are listed here to the LRS vault, you must remove them and their backup data. For more information, see Delete protected items in the cloud and Delete protected items on-premises.

3. If you're planning to move Azure file shares, SQL Server instances, or SAP HANA servers, you also need to unregister them. On the vault dashboard menu, select Backup Infrastructure. For steps beyond that, see Unregister a storage account associated with Azure file shares, Unregister a SQL Server instance, or Unregister an SAP HANA instance.

4. After you remove Azure file shares, SQL Server instances, or SAP HANA servers from the GRS vault, continue to configure the backups for your workload in the new LRS vault.

Must preserve previous backed-up data

If you need to keep the current protected data in the GRS vault and continue the protection in a new LRS vault, some of the workloads have limited options:

• For Recovery Services, you can stop protection with retained data and register the agent in the new LRS vault. Consider that:

  • You can retain all the existing recovery points of the GRS vault with Azure Backup.
  • You need to pay to keep the recovery points in the GRS vault.
  • You can restore the backed-up data only for unexpired recovery points in the GRS vault.
  • You need to create an initial replica of the data on the LRS vault.

• For an Azure VM, you can stop protection with retained data for the VM in the GRS vault, move the VM to another resource group, and then help protect the VM in the LRS vault. For information about moving a VM to another resource group, see the guidance and limitations.

  You can add a VM to only one vault at a time. You can add the VM in the new resource group to the LRS vault because it's considered a different VM. Consider that:

  • You can retain the recovery points that were backed up on the GRS vault with Azure Backup.
  • You need to pay to keep the recovery points in the GRS vault. For more information, see Azure Backup pricing.
  • You can restore the VM, if needed, from the GRS vault.
  • Your first backup on the LRS vault of the VM in the new resource is an initial replica.

Related content

• Learn more about Recovery Services vaults
• Delete Recovery Services vaults
• Update the soft delete state for a Recovery Services vault by using a REST API