How to protect Azure Kubernetes Service (AKS) with Azure Backup

This guide shows how to protect Azure Kubernetes Service (AKS) with Azure Backup. In modern cloud-native architectures, Azure Kubernetes Service (AKS) has become a cornerstone for deploying and managing containerised workloads at scale.
While Kubernetes provides high availability and resiliency by design, it does not replace the need for a robust and well-defined backup strategy. Configuration data, application state, and persistent volumes remain exposed to risks such as accidental deletion, misconfigurations, failed upgrades, or security incidents.
Azure Backup for Kubernetes addresses these challenges by offering a native, centralized, and policy-driven approach to protect AKS clusters. It enables organizations to back up Kubernetes resources and persistent data consistently, securely, and in alignment with enterprise compliance requirements.
By integrating seamlessly with Azure services, it reduces operational complexity while ensuring that critical workloads can be recovered quickly and reliably.
In this blog post, we will explore how to perform backups of Azure Kubernetes Service using Azure Backup for Kubernetes, walking through the key concepts, prerequisites, and configuration steps.
We will also explain why backing up AKS is essential for business continuity, disaster recovery, and operational resilience, helping you safeguard your Kubernetes environments against both expected and unexpected failures.
Prerequisites
Role permission on subscription. Trusted Access Roles and Requirements
- Resource Provider Registrations. Before enabling backup, register these providers at the subscription level:
- Microsoft.KubernetesConfiguration
- Microsoft.DataProtection
- Microsoft.ContainerService

Provider “Microsoft.DataProtection”

Microsoft.ContainerService

Permissions required on AKS (cluster and resource group)
To integrate AKS with Azure Backup, you need to be able to install the AKS Backup Extension and grant permissions to the Backup Vault via Trusted Access. The necessary roles are listed below.
To initialise and configure backup on AKS:
• Contributor (or higher, e.g. Owner) on the AKS Resource Group, or:
• Azure Kubernetes Service Contributor (sufficient to manage AKS and install the extension).
In my case, I check the group of administrators with the role ‘Contributor’.


Specific permissions required for Trusted Access
To enable a secure connection between AKS and the Backup Vault, one of these roles is required at subscription or resource group level:
• User Access Administrator
• Owner
Without one of these two, you cannot create automatic role assignments between AKS and Backup Vault.
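A pre-flight check for the two role requirements above, as an added example that is not part of the original post. It assumes role assignments exported with `az role assignment list --assignee <id> --all -o json`; the subscription ID, resource group names and sample assignments are constructed placeholders.

```python
import json

# Constructed sample shaped like `az role assignment list --assignee <id> --all -o json`.
# Subscription ID and resource group names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
AKS_RG = SUB + "/resourceGroups/rg-aks-demo"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": SUB},
    {"roleDefinitionName": "Reader", "scope": AKS_RG},
    {"roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/rg-other"},
])

# Role names as written on this page (both spellings of the AKS role appear in it).
INSTALL_EXTENSION = {"Contributor", "Owner", "Azure Kubernetes Service Contributor",
                     "Azure Kubernetes Service Contributor Role"}
TRUSTED_ACCESS = {"User Access Administrator", "Owner"}


def covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and to everything beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    # Compare on a path-segment boundary so rg-aks does not match rg-aks-demo.
    return t == a or t.startswith(a + "/")


def roles_at(assignments, target_scope, wanted):
    """Return the wanted roles that are effective at target_scope."""
    return sorted({a["roleDefinitionName"] for a in assignments
                   if a["roleDefinitionName"] in wanted
                   and covers(a["scope"], target_scope)})


def preflight(assignments_json, aks_rg_scope):
    """Map each requirement to the roles that satisfy it (empty list = missing)."""
    assignments = json.loads(assignments_json)
    return {
        "install_extension": roles_at(assignments, aks_rg_scope, INSTALL_EXTENSION),
        "trusted_access": roles_at(assignments, aks_rg_scope, TRUSTED_ACCESS),
    }


if __name__ == "__main__":
    for check, roles in preflight(SAMPLE_ASSIGNMENTS, AKS_RG).items():
        print(check, "OK via " + ", ".join(roles) if roles else "MISSING")
```

In the sample, Contributor on the subscription is enough to install the extension, but the Trusted Access check fails because User Access Administrator is held only on a different resource group.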

Permissions required on the Backup Vault
To create backup policies, configure backups, start or restore:
• Data Protection Backup Operator: allows you to configure backups, perform restores, and create policies.
• Data Protection Contributor: allows complete management of the Backup Vault (policies, resources, extensions, configurations).
• Contributor (generally acceptable if you also need to manage networking + vault settings)
Permissions on Azure Disks
Azure Backup for AKS creates snapshots on Azure Disks associated with Persistent Volumes (CSI). One of these roles is required:
• Disk Backup Reader and Disk Backup Contributor (native roles specific to snapshots supported by Data Protection)
or a broader role:
• Contributor on the Resource Group of the disks
Things to ensure before you configure backup for AKS cluster:
Currently, AKS Backup supports only Azure Disk Storage-based persistent volumes enabled by the CSI driver. Backup data can be stored as snapshots in the Operational Tier, or can also be moved to the Vault Tier for long-term storage along with snapshots.
The Backup vault and AKS cluster can be in different subscriptions within the same tenant and region.
How to validate on an existing AKS cluster
You can perform several checks to ensure compatibility:
- Inspect the PersistentVolumes / StorageClasses
- Use kubectl get pv,pvc,sc to list your volumes and storage classes.
- Examine the storageClassName (or directly the pv.spec) and check whether the driver is CSI (e.g. disk.csi.azure.com) rather than in-tree (e.g. kubernetes.io/azure-disk). If the PV spec uses a csi: block, that indicates a CSI-based volume.
- Confirm the disk SKU: using Azure CLI or Portal, check that underlying Azure Disks are of supported types (Standard HDD/SSD, Premium SSD), not unsupported types like Ultra or Premium v2.
Go to the Kubernetes cluster resource and select ‘Run command’ to verify storage.
kubectl get pv,pvc,sc
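The compatibility checks above can be run over `kubectl get pv -o json` output. This is an added example, not part of the original post; the sample PVs are constructed, and it assumes the disk SKU, when present, appears under spec.csi.volumeAttributes as skuName or storageaccounttype (the storage class parameter names).

```python
import json

# Constructed sample of `kubectl get pv -o json` output (not from a real cluster).
SAMPLE_PV_JSON = """{"items": [
 {"metadata": {"name": "pv-csi-premium"}, "spec": {"csi": {"driver": "disk.csi.azure.com",
   "volumeAttributes": {"skuName": "Premium_LRS"}}}},
 {"metadata": {"name": "pv-intree"}, "spec": {"azureDisk": {"diskName": "legacy-disk"}}},
 {"metadata": {"name": "pv-csi-ultra"}, "spec": {"csi": {"driver": "disk.csi.azure.com",
   "volumeAttributes": {"skuname": "UltraSSD_LRS"}}}},
 {"metadata": {"name": "pv-files"}, "spec": {"csi": {"driver": "file.csi.azure.com"}}},
 {"metadata": {"name": "pv-static"}, "spec": {"csi": {"driver": "disk.csi.azure.com"}}}
]}"""

SUPPORTED_DRIVER = "disk.csi.azure.com"
# SKU names of the disk types the page lists as unsupported (Ultra, Premium v2).
UNSUPPORTED_SKUS = {"ultrassd_lrs", "premiumv2_lrs"}


def classify_pv(pv):
    """Return (name, verdict, reason) for one PersistentVolume object."""
    name = pv["metadata"]["name"]
    spec = pv.get("spec", {})
    csi = spec.get("csi")
    if csi is None:
        kind = "in-tree azureDisk" if "azureDisk" in spec else "non-CSI"
        return name, "unsupported", f"{kind} volume, no csi: block"
    if csi.get("driver") != SUPPORTED_DRIVER:
        return name, "unsupported", f"CSI driver {csi.get('driver')} is not Azure Disk"
    # Match parameter keys case-insensitively; the SKU may be absent from the PV spec.
    attrs = {k.lower(): v for k, v in (csi.get("volumeAttributes") or {}).items()}
    sku = attrs.get("skuname") or attrs.get("storageaccounttype")
    if sku is None:
        return name, "check-sku", "CSI Azure Disk, SKU not in PV spec; check the disk in Azure"
    if sku.lower() in UNSUPPORTED_SKUS:
        return name, "unsupported", f"disk SKU {sku} is not supported"
    return name, "supported", f"CSI Azure Disk, SKU {sku}"


def audit(pv_list_json):
    """Classify every PV in a `kubectl get pv -o json` document."""
    return [classify_pv(pv) for pv in json.loads(pv_list_json)["items"]]


if __name__ == "__main__":
    for name, verdict, reason in audit(SAMPLE_PV_JSON):
        print(f"{name:16} {verdict:12} {reason}")
```

A `check-sku` verdict means the PV is CSI-based but the SKU still has to be confirmed with Azure CLI or the Portal, as described in the list above.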

Alternatively, you can use third-party software called Lens https://lenshq.io/ for GUI management of Kubernetes clusters.

- Currently, AKS Backup supports once-a-day backups. It also supports more frequent backups (in 4-hour, 8-hour, and 12-hour intervals) per day. This solution allows you to retain your data for restore for up to 360 days.
- You need to install the Backup extension to configure backup and restore operations for an AKS cluster.
- Make sure you have Microsoft.KubernetesConfiguration, Microsoft.DataProtection, and Microsoft.ContainerService registered for your subscription before you initiate backup configuration and restore operations.
- Make sure you complete all prerequisites before you initiate a backup or restore operation for AKS Backup.
- AKS Backup uses a blob container and a resource group to store the backups. The blob container holds the AKS cluster resources. Persistent volume snapshots are stored in the resource group. The AKS cluster and the storage locations must be in the same region.
Create storage Account on Azure
Enter the basics, and click Next

Select preferred information

Advanced: default; check “minimum TLS version 1.2”

Default Networking

Data Protection

Encryption

Click “Create”

Next, create Container BLOB

Create a Backup vault
A Backup vault is a management entity that stores recovery points created over time. A Backup vault also provides an interface to do the backup operations.
Operations include taking on-demand backups, doing restores, and creating backup policies. AKS Backup requires the Backup Vault and the AKS cluster to be located in the same region.
However, they can reside in different subscriptions as long as they are within the same tenant.

Default – You can also enable immutability if necessary (recommended).

Insert your tag

Review & create

Check the cross subscription restore option if you need to perform a restore on a new or different subscription

Create a Backup policy

Install Backup extension and configure backup

Install AKS Extension
Follow the steps below to install AKS extensions

Select RG SA and Blob Container


Error caused by lack of permission on the storage account

Fix the role assignment for the below.

Assign the following permissions/roles to the subscription.
• Azure Kubernetes Service Contributor Role on Subscription
• The User Access Administrator on Resource Group
• Backup Operator on Subscription. Here, I didn’t quite understand the point about the backup vault. Let me know if this is OK.
• Disk Backup Reader. I can’t find Disk Backup Contributor, you already have Contributor on Subscription.
Retry installing the AKS Backup extension

Second step “Grant Permission” Trusted Access missing Role permission on Kubernetes cluster

Complete Configure backup

Configure Backup Policy

Setup backup frequency

Review Backup Policy and click Next

Add Cluster resource to backup

Select resource

Assign missing roles

Role assignment complete

Review & configure


Test Backup

Select backup protected instance & “Backup Now”

The backup has been triggered

Check whether the backup has been completed successfully.