Restoring Azure VMs and Files

For Azure, you can restore full VMs, restore guest files and folders, and restore a disk and attach it to an existing VM.

End User Restores

End users can restore VMs either in place or out of place. The VM display name setting is the only value that end users can change in the Restore options dialog box.

End users can restore a VM disk to an existing VM.

If the VM display name is the same as an existing VM on the destination, the restore fails.

Considerations

• An application security group (ASG) is retained on a restored VM only if the VM is restored to the same network. If the VM is restored to a different region or a different network, then the ASG is not retained.

• For Azure managed disks with Availability Zones (AZs), whether the AZ information is restored depends on whether the region you restore the VMs to supports AZs:

  • If the region supports AZs, the AZ information is restored.

  • If the region doesn't support AZs, the AZ information is not restored.

• You can back up and restore Azure managed disks that are enabled with encryption at host. This capability applies to Azure managed disks that reside on Windows or Linux VMs.

• Restores to different hypervisors are supported when a VM is encrypted with customer-managed encryption keys.

VMs Encrypted with Azure Key Vault

• Restores of encrypted VMs to a different subscription are not supported due to an Azure limitation.

• Restoring to a different region under the same subscription automatically creates a new key vault, and the restore job completes successfully. To resolve this issue, try the following:

  • Find the key vault. Its name has the format [SourceKeyvaultname+regionname].

  • Assign the required permissions to the managed identity-enabled virtual machine to the new key vault in the destination region as described in Role and Permission Requirements for VMs Encrypted with Azure Key Vault.

  • Retry the restore job.

• By default, keys and secrets are not accessible to subscription users when the Key Vault is restored. The restore operation only adds the application's service principal in the Key Vault access control as an authorized user. If necessary, the subscription administrator can modify the permissions in the Azure portal.

• Microsoft has restrictions for VMs that are encrypted using Azure Key Vault. For more information, see Azure Key Vault.

• For VMs encrypted with customer-managed encryption keys, full VM restores complete successfully. However, for full VM restores from streaming backups, the customer-managed encryption key settings or disk encryption sets (DES) are not applied to the destination VM. You must manually apply the DES settings to the destination VM in Azure.

• During full VM restores, a storage account must exist in the region of the restored VM (an Azure Standard or Premium general-purpose storage account). This account acts as a staging area when VM is restored as managed VM.