Immutable Backup Strategy for Azure Virtual Machines
Immutable Backup Strategy for Azure Virtual Machines
Comprehensive guidance for implementing immutable and WORM (Write Once, Read Many) backup vaults for Epic workloads on Azure, including compliance and operational considerations.
๐ฏ Overview
Immutable vaults in Azure provide advanced protection for backup data by blocking operations that could result in data loss. This is essential for regulated Epic environments, where backup integrity, retention, and auditability are paramount.
Strategic Benefits
- Protection Against Deletion & Tampering: Immutability prevents the deletion or reduction of backup retention.
- Regulatory Compliance: Satisfies healthcare and financial controls (HIPAA, SOX, Epic).
- Operational Assurance: Ensures all recovery points remain available for the required retention period.
๐ Immutability Classification
Backup Protection Domains
| Domain | Scope | Purpose | Governance Level |
|---|---|---|---|
| Immutable Backup | All critical VMs and workloads | Prevents deletion or reduction of retention | Mandatory |
| WORM Storage | Vaults in supported regions | Write Once, Read Many data protection | Required where available |
| Recovery Services Vault | Epic VMs, SQL, SAP HANA, DPM, Azure Backup Server, Azure Backup Agent | Centralized backup with immutability features | Epic environments only |
๐ก๏ธ Immutable Vault Implementation (Required for All Critical Epic VMs)
Prerequisites
- Azure subscription with Owner/Contributor role.
- Recovery Services Vault provisioned in a supported region.
- Workloads: Azure VMs, SQL in Azure VM, SAP HANA in Azure VM, Azure Backup Server, Azure Backup Agent, DPM.
Implementation Steps
-
Enable Immutability in Recovery Services Vault
- In Azure Portal, navigate to Recovery Services Vault.
- Go to Properties โ Immutability Settings.
- Enable Immutability (and lock if required).
-
Review WORM Storage Availability
- WORM-enabled (Write Once, Read Many) storage is GA in select regions (see below).
- If not available, vaults will automatically transition to WORM-enabled storage once available. No user action or data movement is required.
-
Associate Protected Items with Immutable Vault
- Assign VM, SQL, SAP HANA, Azure Backup Server, Azure Backup Agent, or DPM backups to the immutable vault during or after provisioning.
-
Lock Immutable Vault (Recommended)
- Locking makes immutability settings irreversible.
Supported Regions for WORM Storage
- Australia Central 2
- Switzerland West
- South Africa West
- Korea Central
- Germany North
- Korea South
- Spain Central
- Israel Central
- India South
- India West
- Mexico Central
- Norway West
- Poland Central
- Japan East
Note: In other regions, backups with Immutability enabled and locked will automatically transition to WORM-enabled storage when available. No user action is required.
Supported Workloads for Immutable Vault with WORM
- Azure Virtual machines
- SQL in Azure VM
- SAP HANA in Azure VM
- Azure Backup Server
- Azure Backup Agent
- DPM
๐ซ Restricted Operations in Immutable Vaults
Immutable vaults prevent the following operations that could lead to data loss:
| Operation Type | Description |
|---|---|
| Stop protection with delete data | Cannot delete recovery points before expiry. You may stop protection, but recovery points are retained until expiry. |
| Modify backup policy to reduce retention | Any reduction of retention period is blocked. You may only increase retention or modify the backup schedule. <br>Note: Increase in retention cannot be applied if any item has its backups suspended (stop backup). |
| Change backup policy to reduce retention | Cannot associate a backup item with a policy that has lower retention than the existing one. Only higher/equal retention is allowed. |
๐ฅ Backup Workflows for EoA Servers
Initial Backup
- All EoA servers are backed up at build time to a standard (non-immutable) Recovery Services Vault.
- After the hyper-care period post-cutover, server backups are moved to the immutable vault.
Server Rebuild Workflow (with Immutable Vault)
Due to the restriction that a VM protected by an immutable vault cannot be deleted via Terraform, follow these steps for a server rebuild:
- Stop the backup of the server.
- Delete the server from the Azure Portal.
- Re-run the code from the workspace used for deployment (this rebuilds the VM and attaches it to the immutable vault).
Server Decommission Workflow (after move to Immutable Vault)
- Stop the backup of the server.
- Delete the server from the Azure Portal.
- Delete the backup data from the Recovery Services Vault (data is retained until retention period expiry).
- After retention expires, data is retained for 14 more days for soft delete.
- Validate that the server no longer appears as a backed-up item in the vault.
๐ง Implementation Guidelines
Terraform Example for Immutable Vault
resource "azurerm_recovery_services_vault" "immutable" {
name = "epic-immutable-vault"
location = "West US 3"
resource_group_name = "rg-epic-app-prod-westus3"
sku = "Standard"
immutability {
state = "Locked"
}
}
Azure CLI: Enable Immutability
az backup vault update \
--name epic-immutable-vault \
--resource-group rg-epic-app-prod-westus3 \
--immutability-state Locked
๐ Monitoring & Compliance
Audit & Status Checks
Azure CLI:
# List all vaults with immutability enabled
az backup vault list \
--query "[?properties.immutabilityState=='Locked']"
# List protected items in an immutable vault
az backup item list \
--vault-name epic-immutable-vault \
--resource-group rg-epic-app-prod-westus3
Audit Examples
- Ensure all PHI/critical Epic VMs use an immutable vault.
- Validate backup retention cannot be reduced.
๐ Related Documentation
- Architecture Overview: Platform design and architectural principles
- Operations Procedures: Day-to-day operations and maintenance
- Security Guidelines: Security controls and compliance requirements
- Operations Runbooks: Standard operating procedures
๐จ Troubleshooting Guide
Common Immutable Backup Issues
Problem: Unable to delete VM protected by immutable vault
Diagnosis: Retention lock prevents VM deletion via Terraform.
Resolution:
- Stop backup in Recovery Services Vault.
- Delete VM from portal.
- Re-run Terraform/IaC deployment.
Problem: Backup retention policy cannot be reduced
Diagnosis: Immutable vault blocks changes that lower retention.
Resolution:
- Only increase or maintain retention periods.
- For new requirements, create new backup policies with higher or equal retention.
Problem: Region not supporting WORM
Diagnosis: Vaults will auto-upgrade when WORM is GA in the region.
Resolution:
- Monitor Azure updates for region support.
- Leave vault in immutable state; transition to WORM is automatic.
๐ Support & Contacts
Immutable Backup Governance
| Domain | Contact | Responsibility |
|---|---|---|
| Backup | [email protected] | Vault configuration & policy |
| Immutability | [email protected] | Immutability/WORM vault management |
| Compliance | [email protected] | HIPAA/SOX backup validation |
| Technical Ops | [email protected] | Backup troubleshooting |
Emergency Contacts
- Immutable Vault Failure: [email protected]
- Backup/Restore Issue: [email protected]
- Compliance Audit: [email protected]
๐ก๏ธ Backup Integrity Excellence: Immutable, WORM-enabled backups protect Epic healthcare data from loss, tampering, and non-compliance on Azure.