|
| 1 | +--- |
| 2 | +title: Soft delete for SQL server in Azure VM and SAP HANA in Azure VM workloads |
| 3 | +description: Learn how soft delete for SQL server in Azure VM and SAP HANA in Azure VM workloads makes backups more secure. |
| 4 | +ms.topic: conceptual |
| 5 | +ms.date: 04/27/2020 |
| 6 | +--- |
| 7 | +# Soft delete for SQL server in Azure VM and SAP HANA in Azure VM workloads |
| 8 | + |
| 9 | +Azure Backup now provides soft delete for SQL server in Azure VM and SAP HANA in Azure VM workloads. This is in addition to the already supported [Azure Virtual machine soft delete scenario](https://docs.microsoft.com/azure/backup/backup-azure-security-feature-cloud). |
| 10 | + |
| 11 | +Soft delete is a security feature to help protect backup data even after deletion. With soft delete, even if a malicious actor deletes the backup of a database (or backup data is accidentally deleted), the backup data is retained for 14 additional days. This allows the recovery of that backup item with no data loss. This additional retention of 14 days of the backup data in the "soft delete" state doesn’t incur any cost to the customer. |
| 12 | + |
| 13 | +## Steps to enroll in preview |
| 14 | + |
| 15 | +1. Sign in to your Azure Account. |
| 16 | + |
| 17 | + ```powershell |
| 18 | + Login-AzureRmAccount |
| 19 | + ``` |
| 20 | + |
| 21 | +2. Select the subscription that you want to enroll in the preview: |
| 22 | + |
| 23 | + ```powershell |
| 24 | + Get-AzureRmSubscription –SubscriptionName "Subscription Name" | Select-AzureRmSubscription |
| 25 | + ``` |
| 26 | + |
| 27 | +3. Register this subscription to the preview program: |
| 28 | + |
| 29 | + ```powershell |
| 30 | + Register-AzureRMProviderFeature -FeatureName WorkloadBackupSoftDelete -ProviderNamespace Microsoft.RecoveryServices |
| 31 | + ``` |
| 32 | + |
| 33 | +4. Wait for 30 minutes for the subscription to be enrolled into the preview. |
| 34 | + |
| 35 | +5. To check the status, run the following cmdlets: |
| 36 | + |
| 37 | + ```powershell |
| 38 | + Get-AzureRmProviderFeature -FeatureName WorkloadBackupSoftDelete -ProviderNamespace Microsoft.RecoveryServices |
| 39 | + ``` |
| 40 | + |
| 41 | +6. Once the subscription shows as registered, run the following command: |
| 42 | + |
| 43 | + ```powershell |
| 44 | + Register-AzureRmResourceProvider -ProviderNamespace Microsoft.RecoveryServices |
| 45 | + ``` |
| 46 | + |
| 47 | +>[!NOTE] |
| 48 | +>Any time a new vault/vaults are created under the soft delete enabled subscription, the following command needs to be re-run to enable the feature for the newly created vaults.<BR> |
| 49 | +> `Register-AzureRmResourceProvider -ProviderNamespace Microsoft.RecoveryServices` |
| 50 | +
|
| 51 | +## Soft delete for SQL server in Azure VM |
| 52 | + |
| 53 | +These instructions also apply to SAP HANA in Azure VM. |
| 54 | + |
| 55 | +1. To delete the backup data of a database in a SQL server, the backup must be stopped. In the Azure portal, go to your recovery services vault, go to the backup item, and choose **Stop backup**. |
| 56 | + |
| 57 | +  |
| 58 | + |
| 59 | +2. In the following window, you'll be given a choice to delete or retain the backup data. If you choose **Delete backup data**, the database backup won't be permanently deleted. Rather, the backup data will be retained for 14 days in the soft deleted state. The deletion is deferred until the 15th day with regular alert emails on the first, 12th, and 15th day informing about the backup state of the database to the user. |
| 60 | + |
| 61 | +  |
| 62 | + |
| 63 | +3. During those 14 days, in the Recovery Services Vault, the soft deleted item will appear with a red “soft-delete” icon next to it. |
| 64 | + |
| 65 | +  |
| 66 | + |
| 67 | +4. To restore the soft-deleted DB, it must first be undeleted. To undelete, choose the soft-deleted DB, and then select the option **Undelete**. |
| 68 | + |
| 69 | +  |
| 70 | + |
| 71 | + A window will appear warning that if undelete is chosen, all restore points for the database will be undeleted and available for performing a restore operation. The backup item will be retained in a “stop protection with retain data” state with backups paused and backup data retained forever with no backup policy effective. |
| 72 | + |
| 73 | +  |
| 74 | + |
| 75 | +5. At this point, you can also restore the VM by selecting **Restore VM** from the chosen restore point. |
| 76 | + |
| 77 | +  |
| 78 | + |
| 79 | +6. After the undelete process is completed, the status will return to “Stop backup with retain data” and then you can choose **Resume backup**. The **Resume backup** operation brings back the backup item in the active state, associated with a backup policy selected by the user defining the backup and retention schedules. |
| 80 | + |
| 81 | +  |
| 82 | + |
| 83 | +## How to disable soft delete |
| 84 | + |
| 85 | +Disabling this feature isn't recommended. The only circumstance where you should consider disabling soft delete is if you're planning on moving your protected items to a new vault, and can't wait the 14 days required before deleting and reprotecting (such as in a test environment.) Only a Backup Administrator can disable this feature. To disable soft delete, disable the button under **Vault properties** > **Security settings** for the given vault. It's important to remember that once the button is disabled, the feature is disabled for all the workloads including virtual machines. Once enabled in preview (according to the safelisting steps), there's no way to disable soft delete only for SQL server or SAP HANA DBs while keeping it enabled for virtual machines in the same vault. |
| 86 | + |
| 87 | + |
| 88 | + |
| 89 | +## Soft delete for SQL server in VM using Azure PowerShell |
| 90 | + |
| 91 | +>[!NOTE] |
| 92 | +>The Az.RecoveryServices version required to use soft-delete using Azure PowerShell is minimum 2.2.0. Use `Install-Module -Name Az.RecoveryServices -Force` to get the latest version. |
| 93 | +
|
| 94 | +The sequence of steps for using Azure PowerShell is the same as in the Azure portal, outlined above. |
| 95 | + |
| 96 | +### Delete the backup item using Azure PowerShell |
| 97 | + |
| 98 | +Delete the backup item using the [Disable-AzRecoveryServicesBackupProtection](https://docs.microsoft.com/powershell/module/az.recoveryservices/Disable-AzRecoveryServicesBackupProtection?view=azps-1.5.0) PS cmdlet. |
| 99 | + |
| 100 | +```powershell |
| 101 | +Disable-AzRecoveryServicesBackupProtection -Item $myBkpItem -RemoveRecoveryPoints -VaultId $myVaultID -Force |
| 102 | +``` |
| 103 | + |
| 104 | +The **DeleteState** of the backup item will change from **NotDeleted** to **ToBeDeleted**. The backup data will be retained for 14 days. If you wish to revert the delete operation, then undo-delete should be performed. |
| 105 | + |
| 106 | +### Undoing the deletion operation using Azure PowerShell |
| 107 | + |
| 108 | +First, fetch the relevant backup item that is in soft-delete state (that is, about to be deleted). |
| 109 | + |
| 110 | +```powershell |
| 111 | +Get-AzRecoveryServicesBackupItem -BackupManagementType AzureWorkload -WorkloadType SQLDataBase -VaultId $myVaultID | Where-Object {$_.DeleteState -eq "ToBeDeleted"} |
| 112 | +
|
| 113 | +$myBkpItem = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureWorkload -WorkloadType SQLDataBase -VaultId $myVaultID -Name AppVM1 |
| 114 | +``` |
| 115 | + |
| 116 | +Then, perform the undo-deletion operation using the [Undo-AzRecoveryServicesBackupItemDeletion](https://docs.microsoft.com/powershell/module/az.recoveryservices/undo-azrecoveryservicesbackupitemdeletion?view=azps-3.8.0) PS cmdlet. |
| 117 | + |
| 118 | +```powershell |
| 119 | +Undo-AzRecoveryServicesBackupItemDeletion -Item $myBKpItem -VaultId $myVaultID -Force |
| 120 | +``` |
| 121 | + |
| 122 | +The **DeleteState** of the backup item will revert to **NotDeleted**. But the protection is still stopped. Resume the backup to re-enable the protection. |
| 123 | + |
| 124 | +### Disabling soft delete using Azure PowerShell |
| 125 | + |
| 126 | +To disable, use the [Set-AzRecoveryServicesVaultBackupProperty](https://docs.microsoft.com/powershell/module/az.recoveryservices/set-azrecoveryservicesbackupproperty?view=azps-3.1.0) PS cmdlet. |
| 127 | + |
| 128 | +```powershell |
| 129 | +Set-AzRecoveryServicesVaultProperty -VaultId $myVaultID -SoftDeleteFeatureState Disable |
| 130 | +``` |
| 131 | + |
| 132 | +Points to note: |
| 133 | + |
| 134 | +1. If any soft-deleted backup items are present in the vault, the vault can't be deleted at that time. Try vault deletion after the backup items are permanently deleted, and there are no items in the soft deleted state left in the vault. To permanently delete soft deleted items, see [here](https://docs.microsoft.com/azure/backup/backup-azure-security-feature-cloud#permanently-deleting-soft-deleted-backup-items). |
| 135 | +2. The **Soft Delete** button under Vault properties has to be enabled (it's enabled by default for all the vaults) along with subscription safelisting (as mentioned in the steps above) to get the soft delete preview enabled for SQL Server and SAP HANA Databases running in VMs. |
| 136 | +3. All the points and steps mentioned in the doc apply to both SQL server and SAP HANA databases running in virtual machines. |
| 137 | + |
| 138 | +## Next steps |
| 139 | + |
| 140 | +- [Overview of security features in Azure Backup](security-overview.md) |
0 commit comments