While preparing for the AZ-104: Microsoft Azure Administrator exam, many candidates struggle with managing VM backups across Recovery Services vaults. In large enterprises, this decision often comes down to balancing centralized backup governance against operational segregation. Let’s drill into a simulated migration scenario.
The Scenario
Tailspin Automotive is a large manufacturing company that has migrated several legacy line-of-business applications to Azure virtual machines (VMs). Currently, VMs named VM1 and VM2—running critical production workloads—are protected by a Recovery Services vault named “ProdBackupVault.” Tailspin is now onboarding two additional VMs, VM3 and VM4, which reside in the same subscription but different development resource groups.
Key Requirements
Protect both VM3 and VM4 with Azure Backup, using the existing backup infrastructure while maintaining consistency in policy enforcement and operational management.
The Options
- A) Create a new Recovery Services vault specifically for VM3 and VM4
- B) Create a new storage account to store backup data for VM3 and VM4
- C) Install and configure the Azure Backup extension on VM3 and VM4
- D) Create a new backup policy targeting VM3 and VM4
Correct Answer
C) Install and configure the Azure Backup extension on VM3 and VM4.
The Architect’s Analysis
Correct Answer
Option C
Step-by-Step Winning Logic
In Azure, Recovery Services vaults centrally store backup data and manage backup policies. If VM1 and VM2 are protected by an existing vault, you do not need to create a new vault or storage account to protect VM3 and VM4 in the same subscription and region. You simply need to install and enable the Azure Backup extension on VM3 and VM4, registering them with the existing vault and applying an appropriate backup policy.
This approach aligns with these Well-Architected Framework pillars:
- Reliability: Centralizing backups into one vault ensures consistent recovery objectives (RPO/RTO) and monitoring.
- Operational Excellence: Simplifies operational overhead by managing backups via one vault and policy set.
- Cost Optimization: Avoids the cost duplication of multiple Recovery Services vaults or storage accounts.
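The onboarding step from the winning logic above, sketched with Azure CLI as an added example (not code from the original page). The vault resource group, the VM resource group arguments and the `DefaultPolicy` policy name are assumptions; the function also checks the same-region condition before enabling protection.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): register VMs with an existing
# Recovery Services vault. ProdBackupVault, VM3 and VM4 come from the scenario;
# the resource group names and DefaultPolicy are assumptions.

VAULT_NAME="ProdBackupVault"
VAULT_RG="${VAULT_RG:-prod-backup-rg}"        # assumed vault resource group
POLICY_NAME="${POLICY_NAME:-DefaultPolicy}"   # assumed policy in the vault

# onboard_vm <vm-resource-group> <vm-name>
# Returns 0 on success, 1 if a lookup fails, 2 on a region mismatch.
onboard_vm() {
  local vm_rg vm_name vault_loc vm_loc vm_id
  vm_rg=$1
  vm_name=$2

  vault_loc=$(az backup vault show --resource-group "$VAULT_RG" \
    --name "$VAULT_NAME" --query location --output tsv) || return 1
  vm_loc=$(az vm show --resource-group "$vm_rg" --name "$vm_name" \
    --query location --output tsv) || return 1

  # A vault protects only VMs in its own region; fail before calling Backup.
  if [ "$vm_loc" != "$vault_loc" ]; then
    echo "$vm_name: region $vm_loc does not match vault region $vault_loc" >&2
    return 2
  fi

  # The VM lives in a different resource group than the vault, so pass its
  # full resource ID instead of its name.
  vm_id=$(az vm show --resource-group "$vm_rg" --name "$vm_name" \
    --query id --output tsv) || return 1

  # Enabling protection registers the VM with the vault under the policy.
  az backup protection enable-for-vm \
    --resource-group "$VAULT_RG" \
    --vault-name "$VAULT_NAME" \
    --vm "$vm_id" \
    --policy-name "$POLICY_NAME"
}

# Example calls (resource group names are assumptions):
#   onboard_vm dev-rg-1 VM3
#   onboard_vm dev-rg-2 VM4
```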
The Traps (Distractor Analysis)
- Why not A? Creating a new vault adds complexity and cost and is only justified when workload or data sovereignty requires strict separation.
- Why not B? A storage account alone does not enable or manage Azure Backup protection for VMs; backup data is abstracted within the vault.
- Why not D? While a new policy is needed if current policies don’t fit, backup policies cannot independently protect VMs without the vault and Backup extension being configured first.
The Architect Blueprint
Mermaid Diagram illustrating the backup onboarding flow within the existing Recovery Services vault:
Diagram Note: VM3 and VM4 are integrated by installing the Azure Backup extension, thus registering with the existing Recovery Services vault which centrally applies backup policies and manages data.
The Decision Matrix
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) New Recovery Services vault | Medium | Higher (additional vault fee) | Logical separation if required for compliance | Unnecessary overhead if workloads are similar |
| B) New Storage Account | Low | Variable (storage costs) | None for backup management | Does not support VM backup protection alone |
| C) Install Backup Extension (Correct) | Low | Low (leverages existing vault) | Centralized management, cost-effective | Requires VM agent installed and connectivity |
| D) New Backup Policy | Medium | Same as existing vault cost | Tailors retention/RPO for new VMs | Cannot protect VMs without vault registration |
Real-World Practitioner Insight
Exam Rule
“For the exam, always pick installing the Azure Backup extension when onboarding VMs to an existing Recovery Services vault.”
Real World
“In practice, enterprises benefit from consolidating backup administration under one vault per subscription or business unit, applying multiple policies as needed. This reduces costs and simplifies governance via Azure Policy enforcement on the vault and policies.”