Azure Virtual Network (VNet) Protection

When you enable Azure Virtual Network (VNet) protection, in-place restores create the network infrastructure—VNets, subnets, and network security groups (NSGs)—along with the VM. This feature is supported for in-place restores of streaming and snap backups.

Network Resources That Are Backed Up

  • Virtual network

    • Address space (IPv6, IPv4)

    • DDoS protection association

    • DNS servers

  • Subnet

    • AddressPrefix

    • Associated network security groups

    • NAT gateway association

    • Route table association

    • Service endpoints

    • Subnet delegation

    • Network policy for private endpoints

  • NSGs

    • Network security rules

    • Network security groups attached to a network interface

    • Network security groups attached to a subnet

Properties/Resources That Are Not Backed Up

  • Azure Bastion service of the VNet
  • Peering of the VNet
  • Firewall of the VNet
  • Network Manager of the VNet
  • Private endpoints of the VNet


During in-place restores, the VNet, subnet, network interface NSG, subnet NSG, and network interface are created. The existing NAT gateway, route table, and DDoS protection plan are reused rather than created.

Additional Permissions Required for Restores

In addition to the permissions defined in CVBackupRole, the following permissions are required:

  • Microsoft.Network/virtualNetworks/write: Creates a virtual network or updates an existing virtual network

  • Microsoft.Network/networkSecurityGroups/write: Creates a network security group or updates an existing network security group

  • Microsoft.Network/routeTables/join/action: Joins a route table

  • Microsoft.Network/ddosProtectionPlans/join/action: Joins a DDoS Protection plan
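
One way to check that a role covers these four actions before a restore is attempted, as an added example that is not part of the original documentation. It assumes the role definition has been exported as JSON in the shape that `az role definition list` prints (a `permissions` list with `actions` and `notActions`); the sample role and all function names are constructed for illustration.

```python
import re

# The four additional actions listed above for VNet-protection restores.
REQUIRED_ACTIONS = [
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/routeTables/join/action",
    "Microsoft.Network/ddosProtectionPlans/join/action",
]

# Constructed sample, shaped like one element of `az role definition list` output.
SAMPLE_ROLE = {
    "roleName": "CVBackupRole",
    "permissions": [{
        "actions": [
            "Microsoft.Network/virtualNetworks/*",
            "Microsoft.Network/networkSecurityGroups/read",
            "Microsoft.Network/routeTables/join/action",
            "Microsoft.Network/ddosProtectionPlans/*",
        ],
        "notActions": ["Microsoft.Network/ddosProtectionPlans/join/action"],
    }],
}

def _matches(pattern, action):
    """Azure RBAC action strings are case-insensitive; '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def grants(role, action):
    """Patterns that effectively grant `action` (Actions minus NotActions, per block)."""
    hits = []
    for block in role.get("permissions", []):
        if any(_matches(p, action) for p in block.get("notActions", [])):
            continue  # NotActions in this block removes the action
        hits += [p for p in block.get("actions", []) if _matches(p, action)]
    return hits

def missing_actions(role, required=REQUIRED_ACTIONS):
    """Required actions the role does not effectively grant."""
    return [a for a in required if not grants(role, a)]

def wildcard_grants(role, required=REQUIRED_ACTIONS):
    """Required actions granted only through a wildcard pattern (broader than needed)."""
    return {a: g for a in required
            if (g := grants(role, a)) and all("*" in p for p in g)}

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_ROLE))
    print("granted via wildcard:", wildcard_grants(SAMPLE_ROLE))
```

Actions reported by `wildcard_grants` work for restores but give the role more network write access than the four listed actions require, which is worth narrowing when the role is reviewed.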

Enabling VNet Protection

Add the following entity settings to all Azure access nodes: