Interactive architecture demo

Ransomware-Resilient Azure Backup

Backup infrastructure—vaults and monitoring—lives in a separate protection resource group. This isolation prevents compromised workloads from disabling backups.

Protection plane isolated
← Back to Pattern B demo
1

Separate the workload and protection planes

Click any component to inspect its role, or use Next to follow the data path.

Azure ransomware-resilient backup architecture Workloads and backup agents in one resource group send backups to an isolated Recovery Services vault, with monitoring in a separate protection resource group. Network Private connectivity + controlled identity boundaries Workload Resource Group Application owners manage compute and storage Protection Resource Group Restricted administrators, policy locks, monitored changes Protected Backup Logs Triggers Restore Windows VM Encrypted Agent healthy Azure Storage File Share Policy applied Data Disk D: Drive Backup AgentVM extension Backup AgentShare protection Backup AgentDisk snapshot Recovery Services Vault Isolated backup control plane and recovery points Soft Delete — 14 days Deleted backup items remain recoverable. Immutable Lock Retention settings resist malicious change. Log Analytics Workspace Central audit telemetry Azure Monitor Alerts Actionable detection CHANGE BLOCKED
Backup / protected data Logs Alert trigger Recovery path Tip: click a component for details