Protecting On-Prem VMware VMs using Azure Backup - MABS Server

Anandha Chandrasekaran 40 Reputation points
2026-06-08T10:15:13.1+00:00

Hi,

As part of our Business Continuity and Disaster Recovery (BCDR) strategy, we have decided to replicate our on-premises VMware virtual machines to Azure using Azure Site Recovery (ASR).

Since ASR retention is limited to a maximum of 15 days and does not provide long-term backup capabilities, we are evaluating additional backup options to protect against scenarios such as ransomware attacks and accidental data deletion.

We are considering using Azure Backup with Microsoft Azure Backup Server (MABS) and would appreciate clarification on the following points:

  1. VMware VM Backup and Recovery
    • Can Azure Backup (via MABS) be used to back up on-premises VMware VMs directly to Azure?
    • If a recovery is required, can the backed-up VMware VMs be restored and brought online directly as Azure virtual machines?
    • Or does the recovery process require a VMware environment (such as VMware Cloud or Azure VMware Solution) in Azure to restore and run the VMs?
  2. SQL Server Workloads
    • Most of the workloads running on these VMs are SQL Server databases.
    • Would it be a better approach to use Azure-native SQL Server backup solutions (for example, SQL backups to Azure Blob Storage or Azure Backup for SQL Server) instead of relying solely on VM-level backups?
    • What would be the recommended approach for ransomware protection, long-term retention, and recovery in Azure for SQL Server workloads?

We would appreciate any guidance on the recommended architecture and best practices for combining ASR and backup solutions in this scenario.

Azure Backup

An Azure backup service that provides built-in management at scale.


2 answers

  1. Suchitra Suregaunkar 14,595 Reputation points Microsoft External Staff Moderator
    2026-06-10T20:12:37.7366667+00:00

    Hello Anandha Chandrasekaran

    Thank you for reaching out with your BCDR architecture questions. I'll address each of your points with clarity so you can make the right decisions for your environment.

    1. VMware VM Backup and Recovery with MABS: Yes, Azure Backup Server (MABS) supports backing up on-premises VMware VMs directly to Azure. Here's what you need to know:

    How it works:

    • MABS performs agentless backups of VMware VMs running on ESXi hosts or vCenter Server (versions 6.5, 6.7, 7.0, and 8.0)
    • Backups are first stored on local MABS disk storage, then transferred to an Azure Recovery Services vault for long-term retention
    • This gives you both short-term (local disk) and long-term (Azure cloud) backup storage

    Restore options - Important limitation: MABS can restore VMware VMs only back to VMware environments, NOT directly as Azure IaaS VMs.

    The supported restore scenarios are:

    1. Original Location Recovery (OLR): Restore the VM to its original location on the same VMware infrastructure
    2. Alternate Location Recovery (ALR): Restore to a different ESXi host, resource pool, folder, or datastore within your VMware environment.
    3. Individual File-Level Recovery (ILR): Restore individual files/folders from Windows Server VMs without restoring the entire VM.

    Critical point: To restore and run the backed-up VMware VMs, you must have a VMware environment available: either on-premises VMware infrastructure, Azure VMware Solution (AVS), or VMware Cloud on Azure.

    MABS does not support converting VMware VM backups directly into Azure IaaS virtual machines during restore.

    2. SQL Server Workloads — Recommended Approach

    You're absolutely right to consider application-aware protection for your SQL Server workloads. Here's the recommended strategy:

    Layered protection approach:

    Option 1: VM-level backup via MABS (what you're already evaluating)

    • MABS can perform application-consistent backups of VMware VMs running SQL Server when VMware Tools are installed
    • This provides VM-level protection with application awareness
    • However, this is a VM-level restore — you restore the entire VM, not individual databases

    Option 2: Application-level SQL Server backup (RECOMMENDED for SQL workloads)

    For SQL Server running on on-premises VMware VMs, you have two paths:

    Path A: MABS SQL Server protection

    • Install MABS protection agent inside the VM (guest-level)
    • MABS can then back up SQL databases directly with SQL-native APIs
    • Supports full, differential, and log backups
    • Enables database-level restore (much more flexible than VM-level restore)
    • Provides 15-minute RPO with log backups.

    Path B: Azure Backup for SQL Server in Azure VMs (if you migrate to Azure IaaS)

    • Once VMs are in Azure, use Azure Backup native SQL protection
    • Provides streaming backups with 15-minute RPO
    • Point-in-time recovery up to a second
    • Database-level backup and restore
    • Supports SQL FCI, Always On Availability Groups.

    Best practice recommendation:

    For ransomware protection and long-term retention of SQL Server workloads:

    1. Use layered protection:
      • VM-level backup (MABS backing up VMware VMs) for rapid full-VM recovery
      • Application-level SQL backup (MABS with in-guest agent OR native SQL backups to Azure Blob Storage) for granular database recovery
    2. Enable Azure Backup Immutable Vault for ransomware protection:
      • Immutable vaults ensure recovery points cannot be deleted before expiry
      • Protects against ransomware attacks and malicious actors
      • Can be made irreversible for maximum protection
    3. Retention strategy:
      • Short-term: MABS local disk (days to weeks)
      • Long-term: Azure Recovery Services vault (months to years)
      • Configure retention policies based on your compliance requirements

    3. Azure Site Recovery vs. Azure Backup — Understanding the Difference

    You're correct that ASR retention is limited, and it's important to understand the distinction:

    Azure Site Recovery (ASR):

    • Purpose: Disaster recovery and business continuity (replication for failover)
    • Retention: Maximum 15 days for crash-consistent recovery points
    • Recovery Point Objective: Crash-consistent snapshots every 5 minutes; app-consistent snapshots can be configured (minimum 1 hour)
    • Use case: Near-continuous replication for rapid failover during disasters

    Azure Backup (MABS):

    • Purpose: Long-term backup and restore
    • Retention: Configurable from days to years (10 years is common)
    • Use case: Protection against data loss, ransomware, accidental deletion, compliance

    For your scenario:

    • ASR handles replication and DR failover (up to 15 days of recovery points)
    • Azure Backup (MABS) provides long-term backup, ransomware protection, and compliance retention

    This is the correct layered BCDR architecture — use both services together.

    Recommended Architecture

    Based on your requirements, here's the recommended approach:

    1. Azure Site Recovery (ASR):
      • Replicate VMware VMs to Azure for DR (15-day retention)
      • Enables rapid failover to Azure during disasters
    2. Azure Backup Server (MABS):
      • VM-level backup of VMware VMs to Azure Recovery Services vault
      • Long-term retention (months/years)
      • Restore to VMware environment (on-premises, AVS, or VMware Cloud)
    3. SQL Server Protection:
      • Install MABS agent inside SQL VMs for application-aware SQL backups
      • Configure database-level backups with log backups for 15-minute RPO
      • Store backups in Azure Recovery Services vault with immutable vault enabled
    4. Ransomware Protection:
      • Enable Immutable Vault on your Recovery Services vault
      • Use multi-layered backups (VM + SQL database level)
      • Regular test restores to validate recovery procedures

    I hope this clarifies your architecture decisions. If you have follow-up questions about configuration or implementation, please feel free to ask!

    Thanks,

    Suchitra.
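
One way to check that the 15-minute log-backup RPO described in the answer above is actually being met, as an added example that is not part of the original answers or of Microsoft's documentation. It assumes the log backups are recorded in `msdb.dbo.backupset` on the protected instance; `@RpoMinutes` and `@LookbackDays` are illustrative values.

```sql
-- Added example: audit the log-backup history in msdb against a 15-minute RPO.
-- Assumption: the backup product's log backups are recorded in msdb.dbo.backupset.
DECLARE @RpoMinutes   int = 15;  -- illustrative, set to your agreed RPO
DECLARE @LookbackDays int = 7;   -- illustrative audit window

WITH log_backups AS (
    SELECT bs.database_name, bs.backup_finish_date, bs.first_lsn,
           LAG(bs.backup_finish_date) OVER (PARTITION BY bs.database_name
                                            ORDER BY bs.backup_finish_date) AS prev_finish,
           LAG(bs.last_lsn)           OVER (PARTITION BY bs.database_name
                                            ORDER BY bs.backup_finish_date) AS prev_last_lsn
    FROM msdb.dbo.backupset AS bs
    WHERE bs.type = 'L'             -- transaction log backups only
      AND bs.is_copy_only = 0
      AND bs.backup_finish_date >= DATEADD(DAY, -@LookbackDays, GETDATE())
)
-- 1) Historical gaps: interval between consecutive log backups exceeded the RPO,
--    or the next backup does not start at the LSN where the previous one ended.
SELECT database_name,
       prev_finish        AS gap_starts,
       backup_finish_date AS gap_ends,
       DATEDIFF(SECOND, prev_finish, backup_finish_date) / 60 AS gap_minutes,
       CASE WHEN first_lsn <> prev_last_lsn THEN 'LSN chain break'
            ELSE 'RPO exceeded' END AS finding
FROM log_backups
WHERE prev_finish IS NOT NULL
  AND (DATEDIFF(SECOND, prev_finish, backup_finish_date) > @RpoMinutes * 60
       OR first_lsn <> prev_last_lsn)

UNION ALL
-- 2) Current exposure: user databases not in SIMPLE recovery whose newest
--    log backup is missing or already older than the RPO.
SELECT d.name, MAX(bs.backup_finish_date), NULL,
       DATEDIFF(MINUTE, MAX(bs.backup_finish_date), GETDATE()),
       'No recent log backup'
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS bs
       ON bs.database_name = d.name AND bs.type = 'L'
WHERE d.recovery_model_desc <> 'SIMPLE'
  AND d.database_id > 4             -- skip system databases
  AND d.state_desc = 'ONLINE'
GROUP BY d.name
HAVING MAX(bs.backup_finish_date) IS NULL
    OR DATEDIFF(MINUTE, MAX(bs.backup_finish_date), GETDATE()) > @RpoMinutes
ORDER BY database_name, gap_starts;
```

An empty result means every log backup in the window met the RPO with an unbroken LSN chain. On Always On availability groups, run it on the replica where log backups are taken, because backup history is stored in that replica's msdb.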


  2. AI answer

    2026-06-08T10:15:43.9166667+00:00

    Azure Backup Server (MABS) can be used to protect on-premises VMware VMs to Azure, but it does not convert them directly into native Azure IaaS VMs on restore.

    1. VMware VM backup and recovery with MABS
    • MABS supports agentless backup of VMware vCenter/ESXi workloads and sends backups to disk and then to an Azure Recovery Services vault (cloud-integrated backup).
    • Supported VMware versions include vCenter/ESXi 6.5, 6.7, 7.0, and 8.0 (licensed versions). MABS protects VMs stored on local disk, NFS, or cluster storage and supports folder-level auto-protection and vCenter-managed environments.
    • Protection workflow for VMware VMs with MABS:
      1. Set up a secure channel over HTTPS between MABS and vCenter/ESXi.
      2. Configure a VMware account and add its credentials to MABS.
      3. Add the vCenter/ESXi server to MABS.
      4. Create protection groups, select VMware VMs or folders, and configure disk and online (Azure) backup schedules and retention.
    • Recovery capabilities:
      • MABS recovers VMware VMs as VMware VMs (back to vCenter/ESXi) and supports item-level recovery of files/folders from Windows VMs.
      • It does not provide a direct “restore VMware backup as native Azure VM” path. Restores are designed to target VMware infrastructure (on-premises or VMware-based environments such as Azure VMware Solution) rather than converting to Azure IaaS.
      • For Azure VMware Solution, guidance explicitly assumes restore back into AVS vSAN datastore and notes that cross-region restore is not supported.

    Given this, to run restored workloads in Azure as VMs, a VMware-capable target (for example, Azure VMware Solution) is required when using MABS for VMware VM-level backup. MABS is not a VM-conversion tool to Azure IaaS.

    2. SQL Server workloads on VMware VMs

    MABS can protect the entire VMware VM and supports item-level file/folder recovery for Windows VMs, but for SQL Server workloads, application-aware backup is typically preferred.

    • MABS supports application-level backup via the DPM protection agent installed inside VMs for workloads such as SQL Server. In Azure VMware Solution scenarios, guidance includes:
      • Installing the DPM protection agent on VMs for application backup (for example, SQL).
      • Ensuring antivirus exclusions and NSG rules to allow agent communication with MABS.

    This pattern (guest-level, application-aware backup) is more suitable for SQL Server than relying solely on VM-level snapshots when:

    • Granular database-level recovery is required.
    • Consistent backups are needed under load (VSS-based application-consistent backups).
    • Ransomware and long-term retention scenarios require many recovery points and fine-grained restore options.

    For ransomware protection, long-term retention, and recovery in Azure for SQL workloads, recommended practices from the provided guidance include:

    • Use MABS with:
      • Disk-based short-term protection and online protection to Azure for long-term retention.
      • Protection groups with appropriate retention and backup schedules (disk retention range, Express Full frequency, online backup schedule, and online retention policy up to 9,999 recovery points per protected instance).
    • For Azure VMware Solution or similar VMware-in-Azure scenarios:
      • Use the Azure Backup Server capacity planner to size MABS and storage.
      • Use storage pools and tiered storage on MABS for performance and IOPS.
      • Plan parallel backup jobs and validate that backup/restore times meet RPO/RTO.
      • Ensure AVS vSAN datastore has capacity for restores.
      • Configure NSGs and antivirus exclusions correctly for DPM agents.

    Combining ASR and backup

    From the available guidance, a combined pattern is:

    • Use Azure Site Recovery for near-continuous replication and short retention (up to 15 days) to meet low RPO/RTO for disaster recovery and failover.
    • Use MABS for:
      • Long-term retention of VMware VMs (VM-level protection) to Azure.
      • Application-aware backups of SQL Server workloads via DPM agents, with disk + cloud protection and long-term retention in the Recovery Services vault.

    This combination provides:

    • ASR for fast DR failover and short-term history.
    • MABS for long-term, ransomware-resilient backups with many recovery points and application-level restores.

    AI-generated content may be incorrect. Read our transparency notes for more information.
