Snapshot management for Azure VMs
It's a Snap
Snapshot Management in the Portal
Of course, you can also create snapshots of Azure VMs in the web portal GUI. In contrast to hypervisors such as Hyper-V, vSphere, or Proxmox, though, Azure does not snapshot the VM itself but the VM's disks, which are listed on the Azure portal among the objects in the VM's own resource group (Figure 1). You can also find disks by searching for the disk resource type.
Clicking on a disk lets you manage it and create snapshots. The Create snapshot button opens up a new window where you can define the settings for the snapshot. Besides the Name, Subscription, and Resource group, you can choose to create an incremental or full snapshot. Incremental is the default; an incremental snapshot only contains the changes since the last snapshot.
The first incremental snapshot is a complete copy of the disk, and subsequent snapshots only save the delta since the complete backup. During the restore, the complete disk is reconstructed from these snapshots. Incremental snapshots use standard disk storage, whereas full snapshots can also use premium solid-state drives (SSDs). Additionally, incremental snapshots offer higher reliability through zone-redundant storage, if available; otherwise, locally redundant storage is used. Only the storage space you actually use is billed.
Restrictions
Incremental snapshots cannot be moved between subscriptions but can be copied to other resource groups. You can create up to seven incremental snapshots per disk every five minutes, up to a total of 500 snapshots. However, changes between snapshots cannot be restored if the disk is larger than 4 TB.
Additional limits apply for Premium SSD v2 disks and Ultra Disks. Snapshots with a logical sector size of 512 bytes are saved as a virtual hard disk (VHD) and can be used for any disk type, whereas those with 4,096 bytes can only be used for Ultra Disks and Premium SSD v2 disks. You can create up to five disks simultaneously from a snapshot, with up to three in the queue while a background copy is running, which means you can define new workflows, including scripted workflows, and create new VMs on the basis of the snapshots.
You can only use incremental snapshots after the background copy has been completed. Snapshots are not possible if the CompletionPercent property is not at 100 percent. As the size of the disks increases, errors can occur when creating background copies. It is therefore advisable not to allow changes to the disks while the copy is in progress.
Encrypting Snapshots
Snapshots can be encrypted when created. You can choose whether you want to manage the key yourself or let Azure do the job. By default, disk snapshots are encrypted on the server side with 256-bit AES, which meets the requirements of the US Federal Information Processing Standard (FIPS) 140-2 publication. Encryption is automatically applied to data at rest on managed Azure volumes and does not affect the performance of the volumes.
If you let Azure manage the keys, Azure takes care of creating, storing, and managing them for you. If you manage the keys yourself, you can store them in the Azure Key Vault. Encryption on the host additionally provides end-to-end encryption for temporary disks and for the caches of the operating system and regular data disks. Double encryption at rest is also possible if you want to add an additional layer of protection.
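The CompletionPercent rule from the Restrictions section and the key choices described above can be checked together in a scripted workflow before disks are created from snapshots. The following is an added example, not code from the article; it assumes the snapshot list has been exported as JSON (for instance with az snapshot list --output json), and the field names, sample records, and the audit function are assumptions made for illustration.

```python
import json

# Constructed sample; the field names assume the JSON shape of `az snapshot list`.
SAMPLE = json.loads("""
[
  {"name": "data01-snap-001", "incremental": true, "completionPercent": 100.0,
   "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
  {"name": "data01-snap-002", "incremental": true, "completionPercent": 62.5,
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "data01-snap-003", "incremental": true, "completionPercent": 100.0,
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "os-snap-full", "incremental": false,
   "encryption": {"type": "EncryptionAtRestWithPlatformAndCustomerKeys"}}
]
""")

# Encryption types that involve a self-managed key.
CUSTOMER_KEY_TYPES = {
    "EncryptionAtRestWithCustomerKey",
    "EncryptionAtRestWithPlatformAndCustomerKeys",  # double encryption at rest
}

def is_ready(snap):
    """True unless a background copy is reported below 100 percent.
    Assumption: a missing completionPercent means no background copy is reported."""
    pct = snap.get("completionPercent")
    return pct is None or float(pct) >= 100.0

def audit(snapshots, require_customer_key=True):
    """Return (usable snapshot names, {name: [issues]}) for a snapshot list."""
    usable, findings = [], {}
    for snap in snapshots:
        issues = []
        if not is_ready(snap):
            issues.append(f"background copy at {snap['completionPercent']}%, not usable yet")
        enc = snap.get("encryption", {}).get("type", "unknown")
        if require_customer_key and enc not in CUSTOMER_KEY_TYPES:
            issues.append(f"encryption type {enc}: no self-managed key")
        if issues:
            findings[snap["name"]] = issues
        else:
            usable.append(snap["name"])
    return usable, findings

if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    print("usable:", ok)
    for name, issues in bad.items():
        print(name, "->", "; ".join(issues))
```

Setting require_customer_key to False reduces the check to the background-copy gate alone.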
