Azure Files data protection overview

Azure Files gives you many tools to protect your data, including soft delete, share snapshots, Azure Backup, and Azure File Sync. This article describes how to protect your data in Azure Files, and the concepts and processes involved with backup and recovery of Azure file shares.

Watch this video to learn how Azure Files advanced data protection helps enterprises stay protected against ransomware and accidental data loss while delivering greater business continuity.

Why you should protect your data

For Azure Files, data protection refers to protecting the storage account, file shares, and data within them from being deleted or modified, and for restoring data after it's been deleted or modified.

There are several reasons why you should protect your file share data.

  • Recovery from accidental data loss: Recover data that's accidentally deleted or corrupted.
  • Upgrade scenarios: Restore to a known good state after a failed upgrade attempt.
  • Ransomware protection: Recover data without paying ransom to cybercriminals.
  • Long-term retention: Comply with data retention requirements.
  • Business continuity: Prepare your infrastructure to be highly available for critical workloads.

Back up and restore Azure file shares

You can configure Azure Backup to back up your file shares using the Azure portal, Azure PowerShell, Azure CLI, or REST API. You can also use Azure File Sync to back up on-premises file server data on an Azure file share.

To learn how to back up and restore Azure file shares using the Azure portal, see the following articles:

Data redundancy

Azure Files offers multiple redundancy options, including geo-redundancy, to help protect your data from service outages due to hardware problems or natural disasters. To find out which option is best for your use case, see Azure Files data redundancy.

Important

Azure Files only supports geo-redundancy (GRS or GZRS) for standard SMB file shares. Premium file shares and NFS file shares must use locally redundant storage (LRS) or zone redundant storage (ZRS).

Disaster recovery and failover

In the case of a disaster or unplanned outage, restoring access to file share data is critical to keeping the business operational. Depending on the criticality of the data hosted in your file shares, you might need a disaster recovery strategy that includes failing your Azure file shares over to a secondary region.

Azure Files offers customer-managed unplanned failover for standard storage accounts if the data center in the primary region becomes unavailable. Customer-managed planned failover can also be utilized in multiple scenarios, including planned disaster recovery testing, a proactive approach to large scale disasters, or to recover from non-storage related outages.

Important

Customer-managed planned failover is currently in PREVIEW and limited to the following regions:

  • France Central
  • France South
  • India Central
  • India West
  • East Asia
  • Southeast Asia

To opt in to the preview, see Set up preview features in Azure subscription and specify AllowSoftFailover as the feature name. The provider name for this preview feature is Microsoft.Storage.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Important

After a planned failover, a storage account's Last Sync Time (LST) value might appear stale or be reported as NULL when Azure Files data is present.

System snapshots are periodically created in a storage account's secondary region to maintain consistent recovery points used during failover and failback. Initiating customer-managed planned failover causes the original primary region to become the new secondary. In some cases, there are no system snapshots available on the new secondary after the planned failover completes, causing the account's overall LST value to appear stale or be displayed as Null.

Because user activities such as creating, modifying, or deleting objects can trigger snapshot creation, any account on which these activities occur after planned failover will not require additional attention. However, accounts having no snapshots or user activity may continue to display a Null LST value until system snapshot creation is triggered.

If necessary, perform one of the following activities for each share within a storage account to trigger snapshot creation. Upon completion, your account should display a valid LST value within 30 minutes' time.

  • Mount the share, then open any file for reading.
  • Upload a test or sample file to the share.

See Disaster recovery and failover for Azure Files.

Prevent accidental deletion of storage accounts and file shares

Data loss doesn't always occur because of a disaster. More often, it's the result of human error. Azure gives you tools to prevent accidental deletion of storage accounts and file shares.

Storage account locks

Storage account locks enable admins to lock the storage account to prevent users from accidentally deleting the storage account. There are two types of storage account locks:

  • CannotDelete lock prevents users from deleting a storage account, but permits modifying its configuration.
  • ReadOnly lock prevents users from deleting a storage account or modifying its configuration.

For more information, see Apply an Azure Resource Manager lock to a storage account.

Soft delete

Soft delete works on a file share level to protect Azure file shares against accidental deletion. If a share with soft delete enabled is deleted, it moves to a soft deleted state internally and can be retrieved until the retention period expires. Azure file shares are still billed on the used capacity when they're soft deleted.

For more information, see Enable soft delete on Azure file shares and Prevent accidental deletion of Azure file shares.

Share snapshots

File share snapshots are point-in-time copies of your Azure file share that you can take manually or automatically via Azure Backup. You can then restore individual files from these snapshots. You can take up to 200 snapshots per file share.

Snapshots are incremental in nature, capturing only the changes since the last snapshot. That means they're space and cost efficient. You're billed on the differential storage utilization of each snapshot, making it practical to have multiple recovery points to cater low RPO requirements.

For more information, see Overview of share snapshots for Azure Files.

Use Azure File Sync for hybrid cloud backups

Using Azure File Sync with Azure Backup is an easy solution for hybrid cloud backups from on-premises to cloud. Azure File Sync keeps the files in sync and centralized.

Architecture diagram for using Azure File Sync along with Azure Backup to back up multiple file servers.

This method simplifies disaster recovery and gives you multiple options. You can recover single files or directories, or perform a rapid restore of your entire file share. Just bring up a new server on the primary and point it to the centralized Azure file share where it can access the data. Over time, files will be locally cached or tiered to the cloud based on Azure File Sync settings.

See also