I'm trying to decide between using a single recovery services vault (RSV) in the management subscription for all applications versus setting up a separate RSV for each application landing zone. I'm not sure what my customer's needs will be, and I've previously worked with environments that had around 50-200 VMs with multiple RSVs. Also, I'm concerned about the limitations of using private endpoints for most PaaS resources. I'm worried that if I go with a single RSV, it might complicate setup for things like role assignments for the service principal connected to the Azure Cloud Adoption Framework (CAF) using Terraform.
3 Answers
Deciding between a centralized RSV or one per application really hinges on your governance model. I usually consider these two questions:
1. Do you want to assign the RSV costs to each application? If so, place it in the application subscription or resource group to simplify cost reporting.
2. Who's responsible for managing and monitoring the RSV and backups? If it’s the application team, better to have it in the application’s namespace.
Remember, an RSV needs to be in the same subscription as the resources you want to back up. This is a key point you can't overlook!
Wow, I didn’t realize that either. Good to know!
As others mentioned, recovery services vaults can’t back up resources across subscriptions. So if you're thinking of a centralized vault, that's not going to work—each subscription needs its own RSV.
And don't forget to consider the vault's security features, like immutability. If some workloads need immutable backups while others don’t, that means multiple RSVs will be necessary as this is set at the vault level, not per item.

Exactly, I made the same mistake before! It's a crucial detail.
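
The answers above make two points: a vault sits in the same subscription as the resources it backs up, and immutability is set per vault rather than per item. As an added example (not part of the original thread), the Terraform sketch below would be applied once per application landing zone and creates one vault per immutability requirement, with the pipeline's service principal granted access at vault scope only. The variable names, the vault naming pattern and the choice of the built-in Backup Contributor role are assumptions for illustration.

```hcl
# Added example. Apply once per application landing zone subscription,
# using that subscription's azurerm provider configuration.

variable "app_name" { type = string }
variable "location" { type = string }
variable "resource_group_name" { type = string }

# Assumption: object ID of the service principal used by the deployment pipeline.
variable "pipeline_principal_id" { type = string }

locals {
  # Immutability is a vault-level setting, so every distinct requirement
  # in this landing zone gets its own vault.
  vaults = {
    immutable = "Unlocked" # move to "Locked" only after retention is validated; locking is irreversible
    standard  = "Disabled"
  }
}

resource "azurerm_recovery_services_vault" "this" {
  for_each            = local.vaults
  name                = "rsv-${var.app_name}-${each.key}"
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "Standard"
  soft_delete_enabled = true
  immutability        = each.value
}

# Scope the role to each vault instead of the subscription, so the
# pipeline identity gets no backup rights outside this landing zone.
resource "azurerm_role_assignment" "backup_contributor" {
  for_each             = azurerm_recovery_services_vault.this
  scope                = each.value.id
  role_definition_name = "Backup Contributor"
  principal_id         = var.pipeline_principal_id
}
```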