
How to protect Azure Kubernetes Service (AKS) with Azure Backup

Posted on 25/12/2025 (26/12/2025) by Link State

This guide shows how to protect Azure Kubernetes Service (AKS) with Azure Backup. In modern cloud-native architectures, AKS has become a cornerstone for deploying and managing containerised workloads at scale.

While Kubernetes provides high availability and resiliency by design, it does not replace the need for a robust and well-defined backup strategy. Configuration data, application state, and persistent volumes remain exposed to risks such as accidental deletion, misconfigurations, failed upgrades, or security incidents.


Azure Backup for Kubernetes addresses these challenges by offering a native, centralized, and policy-driven approach to protect AKS clusters. It enables organizations to back up Kubernetes resources and persistent data consistently, securely, and in alignment with enterprise compliance requirements.

By integrating seamlessly with Azure services, it reduces operational complexity while ensuring that critical workloads can be recovered quickly and reliably.

In this blog post, we will explore how to perform backups of Azure Kubernetes Service using Azure Backup for Kubernetes, walking through the key concepts, prerequisites, and configuration steps.

We will also explain why backing up AKS is essential for business continuity, disaster recovery, and operational resilience, helping you safeguard your Kubernetes environments against both expected and unexpected failures.


Prerequisites

Role permission on subscription. Trusted Access Roles and Requirements

Resource provider registrations. Before enabling backup, register these providers at the subscription level:

  • Microsoft.KubernetesConfiguration
  • Microsoft.DataProtection
  • Microsoft.ContainerService

Permissions required on AKS (cluster and resource group)

To integrate AKS with Azure Backup, you need to be able to install the AKS Backup Extension and grant permissions to the Backup Vault via Trusted Access. The roles needed to initialise and configure backup on AKS are:

•    Contributor (or higher, e.g. Owner) on the AKS Resource Group, or

•    Azure Kubernetes Service Contributor (sufficient to manage AKS and install the extension).

In my case, I check the group of administrators with the role ‘Contributor’.


Specific permissions required for Trusted Access

To enable a secure connection between AKS and the Backup Vault, one of these roles is required at subscription or resource group level:

•    User Access Administrator

•    Owner

Without one of these two, you cannot create automatic role assignments between AKS and Backup Vault.


Permissions required on the Backup Vault

To create backup policies, configure backups, and start backups or restores:

•    Data Protection Backup Operator: allows you to configure backups, perform restores, and create policies.

•    Data Protection Contributor: allows complete management of the Backup Vault (policies, resources, extensions, configurations).

•    Contributor (generally acceptable if you also need to manage networking + vault settings)

Permissions on Azure Disks

Azure Backup for AKS creates snapshots of the Azure Disks associated with Persistent Volumes (CSI). One of these roles is required:

•    Disk Backup Reader and Disk Backup Contributor (native roles specific to snapshots supported by Data Protection)

or a broader role:

•    Contributor on the Resource Group of the disks

Things to ensure before you configure backup for AKS cluster:

Currently, AKS Backup supports only Azure Disk Storage-based persistent volumes enabled by CSI driver. Backup data can be stored as snapshots in Operational Tier or can also be moved to Vault Tier for long term storage along with snapshots.

The Backup vault and AKS cluster can be in different subscriptions within the same tenant and region.

How to validate on an existing AKS cluster

You can perform several checks to ensure compatibility:

  1. Inspect the PersistentVolumes / StorageClasses
    • Use kubectl get pv,pvc,sc to list your volumes and storage classes.
    • Examine the storageClassName (or directly the pv.spec) and check whether the driver is CSI (e.g. disk.csi.azure.com) rather than in-tree (e.g. kubernetes.io/azure-disk). If the PV spec uses a csi: block, that indicates a CSI-based volume.
    • Confirm the disk SKU: using Azure CLI or Portal, check that underlying Azure Disks are of supported types (Standard HDD/SSD, Premium SSD), not unsupported types like Ultra or Premium v2.

Go to the Kubernetes cluster resource and select ‘Run command’ to verify storage.

kubectl get pv,pvc,sc

Alternatively, you can use third-party software called Lens https://lenshq.io/ for GUI management of Kubernetes clusters.
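
The checks in step 1 above, as an added example that is not part of the original post: a Python script that reads the JSON printed by `kubectl get pv -o json` and flags volumes that are not CSI Azure Disk volumes or that use an unsupported SKU. It assumes the disk SKU appears as `skuName` in the PV's CSI `volumeAttributes`; the sample PVs are constructed.

```python
import json

CSI_DISK_DRIVER = "disk.csi.azure.com"                 # driver named in the checklist
UNSUPPORTED_SKUS = {"ultrassd_lrs", "premiumv2_lrs"}   # Ultra and Premium v2

def classify_pv(pv):
    """Return (name, verdict, reason) for one PersistentVolume object."""
    name = pv.get("metadata", {}).get("name", "<unnamed>")
    spec = pv.get("spec", {})
    csi = spec.get("csi")
    if csi is None:
        if "azureDisk" in spec:
            return name, "unsupported", "in-tree kubernetes.io/azure-disk volume"
        return name, "unsupported", "PV spec has no csi: block"
    driver = csi.get("driver", "")
    if driver != CSI_DISK_DRIVER:
        return name, "unsupported", f"CSI driver is {driver or 'unset'}"
    # Assumption: the StorageClass skuName parameter was copied into
    # volumeAttributes; statically created PVs may not carry it.
    attrs = {k.lower(): str(v) for k, v in (csi.get("volumeAttributes") or {}).items()}
    sku = attrs.get("skuname")
    if sku is None:
        return name, "check-sku", "CSI disk, SKU not in PV; confirm in Azure CLI or Portal"
    if sku.lower() in UNSUPPORTED_SKUS:
        return name, "unsupported", f"disk SKU {sku}"
    return name, "supported", f"CSI disk, SKU {sku}"

def audit(pv_list_json):
    """Classify every PV in the JSON printed by `kubectl get pv -o json`."""
    return [classify_pv(pv) for pv in json.loads(pv_list_json).get("items", [])]

def _pv(name, **spec):
    return {"metadata": {"name": name}, "spec": spec}

# Constructed sample input, not taken from a real cluster.
SAMPLE = json.dumps({"kind": "List", "items": [
    _pv("pv-premium", csi={"driver": CSI_DISK_DRIVER, "volumeAttributes": {"skuName": "Premium_LRS"}}),
    _pv("pv-intree", azureDisk={"diskName": "d1", "kind": "Managed"}),
    _pv("pv-pv2", csi={"driver": CSI_DISK_DRIVER, "volumeAttributes": {"skuname": "PremiumV2_LRS"}}),
    _pv("pv-files", csi={"driver": "file.csi.azure.com"}),
    _pv("pv-static", csi={"driver": CSI_DISK_DRIVER}),
]})

if __name__ == "__main__":
    for name, verdict, reason in audit(SAMPLE):
        print(f"{name:12} {verdict:12} {reason}")
```

Against a real cluster, pass the output of `kubectl get pv -o json` to `audit()` instead of `SAMPLE`; any volume reported as `check-sku` still needs the SKU confirmed on the Azure side.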

  • Currently, AKS Backup supports once-a-day backups. It also supports more frequent backups (in 4-hour, 8-hour, and 12-hour intervals) per day. This solution allows you to retain your data for restore for up to 360 days.
  • You need to install the Backup extension to configure backup and restore operations for an AKS cluster.
  • Make sure you have Microsoft.KubernetesConfiguration, Microsoft.DataProtection, and Microsoft.ContainerService registered for your subscription before you initiate backup configuration and restore operations.
  • Make sure you complete all prerequisites before you initiate a backup or restore operation for AKS Backup.
  • AKS Backup uses a blob container and a resource group to store the backups. The blob container holds the AKS cluster resources. Persistent volume snapshots are stored in the resource group. The AKS cluster and the storage locations must be in the same region.


Create a storage account on Azure

Enter the basics and click Next.

Select your preferred options.

Advanced: keep the defaults and check “Minimum TLS version 1.2”.

Networking: default.

Data Protection

Encryption

Click “Create”.

Next, create the blob container.

Create a Backup vault

A Backup vault is a management entity that stores recovery points created over time. A Backup vault also provides an interface to do the backup operations.

Operations include taking on-demand backups, doing restores, and creating backup policies. AKS Backup requires the Backup Vault and the AKS cluster to be located in the same region.

However, they can reside in different subscriptions as long as they are within the same tenant.

Default – You can also enable immutability if necessary (recommended).

Add your tags.

Review & create

Check the cross-subscription restore option if you need to perform a restore on a new or different subscription.

Create a Backup policy

Install Backup extension and configure backup

Install AKS Extension

Follow the steps below to install the AKS extension.

Select the resource group (RG), storage account (SA) and blob container.

Error caused by lack of permission on the storage account

Fix the role assignments as follows.

Assign the following permissions/roles to the subscription.

• Azure Kubernetes Service Contributor Role on Subscription

• The User Access Administrator on Resource Group

• Backup Operator on Subscription. Here, I didn’t quite understand the point about the backup vault. Let me know if this is OK.

• Disk Backup Reader. I can’t find Disk Backup Contributor, you already have Contributor on Subscription.

Retry installing the AKS Backup extension.

Second step, “Grant Permission”: Trusted Access is missing a role permission on the Kubernetes cluster.

Complete Configure backup

Configure Backup Policy

Set up the backup frequency.

Review the Backup Policy and click Next.

Add the cluster resources to back up.

Select the resources.

Assign missing roles

Role assignment complete

Review & configure

Test Backup

Select the protected backup instance and click “Backup Now”.

The backup has been triggered.

Check whether the backup has been completed successfully.

I hope you found this article “how to protect Azure Kubernetes Service (AKS) with Azure Backup” very useful. Please, feel free to leave a comment below.
