Share via

Soft-Delete and Redundancy for Recovery Services Vault when protecting Onprem VMWare machines using Site Recovery

Anandha Chandrasekaran 20 Reputation points
2026-05-13T22:26:43.5833333+00:00

Hi,

We are trying to protect OnPrem VMWare Virtual Machines using Azure Site Recovery to Azure. I would like to understand what is the recommended Settings for Soft Delete and Redundancy for Recovery Services Vault ?

Should we enable Soft Delete in this case ?

Should we enable LRS, ZRS or GRS?

I am going though this document https://learn.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#azure-storage but there are no clear answers from here for Recovery Service Vault Settings

Azure Site Recovery
Azure Site Recovery

An Azure native disaster recovery service. Previously known as Microsoft Azure Hyper-V Recovery Manager.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Suchitra Suregaunkar 14,420 Reputation points Microsoft External Staff Moderator
    2026-05-15T09:49:46.95+00:00

    Hello @Anandha Chandrasekaran

    Thank you for posting your query on Microsoft Q&A platform.

    Yes, it is recommended to keep Soft Delete enabled.

    • Soft delete is enabled by default on new Recovery Services vaults to protect data from accidental or malicious deletion
    • It retains deleted items for a period (for example, 14 days by default), allowing recovery if needed

    References:

    Important for ASR: Soft delete does not affect replication or failover behavior. It is purely a protection mechanism for vault data and configuration.

    1. Vault Redundancy (LRS vs ZRS vs GRS):

    For VMware → Azure Site Recovery:

    • The Recovery Services vault stores metadata and policies
    • The actual replicated VM data is stored in Azure Storage (managed disks, storage accounts)

    Reference:

    This means: Vault storage redundancy does not determine how your VM replication data is protected.

    Microsoft guidance for Recovery Services vault storage:

    • GRS (Geo‑redundant storage) → default, higher durability across regions
    • ZRS (Zone‑redundant storage) → protects against zone failures within a region
    • LRS (Locally redundant storage) → lowest cost, single‑datacenter protection

    Reference:

    For your scenario (VMware → Azure Site Recovery), here is the recommendation approach:

    LRS (Locally Redundant Storage) is the most commonly used option for Azure Site Recovery deployments because it is cost‑effective and sufficient in most cases where additional geo‑redundancy is not required.

    ZRS (Zone Redundant Storage) is a good choice for production environments when you want added resilience against Availability Zone failures within the same Azure region.

    GRS (Geo Redundant Storage) is optional and should be considered only if you have specific compliance, regulatory, or backup requirements that mandate an additional copy of vault data in a secondary region.

    • ASR failover is handled by replication configuration, not vault redundancy
    • Even if you choose GRS, it does not enable failover to a secondary region on its own
    • Cross‑region DR must be configured explicitly using ASR replication

    In Azure Site Recovery, the Recovery Services vault is a management layer. Replication durability depends on Azure storage and ASR configuration not on vault redundancy settings.

    Thanks,
    Suchitra.

    Was this answer helpful?

  2. Mark Patnaude 160 Reputation points
    2026-05-13T23:14:50.3966667+00:00

    When designing on‑prem VMware disaster recovery to Azure using Azure Site Recovery (ASR), the Recovery Services Vault settings can be confusing because Microsoft documents backup and replication behaviors separately. The following reflects what most enterprise environments actually implement.

    1. Soft Delete — Enable (Recommended)

    Yes — Soft Delete should be enabled on the Recovery Services Vault.

    Soft Delete provides a safety buffer against:

    accidental deletion of vault items

    malicious deletion or ransomware activity

    administrative mistakes during DR operations

    It ensures you have a recovery window before vault‑related data is permanently removed. Microsoft increasingly treats Soft Delete as a baseline security control. (ref: https://learn.microsoft.com/en-us/azure/backup/secure-by-default)

    Important Clarification

    Soft Delete in a Recovery Services Vault primarily protects:

    backup metadata

    vault‑protected objects

    deleted backup items

    It does not directly protect ASR‑replicated VM data the same way Azure Backup does.

    However, enabling Soft Delete is still considered best practice because:

    it adds a layer of protection with minimal operational impact

    it aligns with governance and security baselines

    most organizations enable it globally for consistency

    Enable Soft Delete

    Retention: keep the default 14 days

    Extend only if:

         regulatory or security policy requires longer retention
     
           you have concerns about ransomware dwell time or delayed detection

    Microsoft strongly discourages disabling Soft Delete except in temporary lab, testing, or migration scenarios. (ref: https://docs.azure.cn/en-us/backup/backup-azure-security-feature-cloud)

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.