The azure-native:dataprotection:BackupVault resource, part of the Pulumi Azure Native provider, provisions an Azure Backup vault that serves as the container for backup policies, protected items, and recovery points. This guide focuses on three capabilities: storage redundancy and monitoring setup, customer-managed key encryption, and managed identity configuration.
Backup vaults belong to resource groups and may reference Key Vault instances and managed identities for encryption and access control. The examples are intentionally small. Combine them with your own backup policies and protected items.
Create a vault with storage redundancy and monitoring
Most deployments start by configuring storage redundancy, soft delete protection, and monitoring alerts.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const backupVault = new azure_native.dataprotection.BackupVault("backupVault", {
identity: {
type: "None",
},
location: "WestUS",
properties: {
featureSettings: {
crossRegionRestoreSettings: {
state: azure_native.dataprotection.CrossRegionRestoreState.Enabled,
},
},
monitoringSettings: {
azureMonitorAlertSettings: {
alertsForAllJobFailures: azure_native.dataprotection.AlertsState.Enabled,
},
},
securitySettings: {
softDeleteSettings: {
retentionDurationInDays: 14,
state: "Enabled",
},
},
storageSettings: [{
datastoreType: azure_native.dataprotection.StorageSettingStoreTypes.VaultStore,
type: azure_native.dataprotection.StorageSettingTypes.LocallyRedundant,
}],
},
resourceGroupName: "SampleResourceGroup",
tags: {
key1: "val1",
},
vaultName: "swaggerExample",
});
import pulumi
import pulumi_azure_native as azure_native
backup_vault = azure_native.dataprotection.BackupVault("backupVault",
identity={
"type": "None",
},
location="WestUS",
properties={
"feature_settings": {
"cross_region_restore_settings": {
"state": azure_native.dataprotection.CrossRegionRestoreState.ENABLED,
},
},
"monitoring_settings": {
"azure_monitor_alert_settings": {
"alerts_for_all_job_failures": azure_native.dataprotection.AlertsState.ENABLED,
},
},
"security_settings": {
"soft_delete_settings": {
"retention_duration_in_days": 14,
"state": "Enabled",
},
},
"storage_settings": [{
"datastore_type": azure_native.dataprotection.StorageSettingStoreTypes.VAULT_STORE,
"type": azure_native.dataprotection.StorageSettingTypes.LOCALLY_REDUNDANT,
}],
},
resource_group_name="SampleResourceGroup",
tags={
"key1": "val1",
},
vault_name="swaggerExample")
package main
import (
dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataprotection.NewBackupVault(ctx, "backupVault", &dataprotection.BackupVaultArgs{
Identity: &dataprotection.DppIdentityDetailsArgs{
Type: pulumi.String("None"),
},
Location: pulumi.String("WestUS"),
Properties: &dataprotection.BackupVaultTypeArgs{
FeatureSettings: &dataprotection.FeatureSettingsArgs{
CrossRegionRestoreSettings: &dataprotection.CrossRegionRestoreSettingsArgs{
State: pulumi.String(dataprotection.CrossRegionRestoreStateEnabled),
},
},
MonitoringSettings: &dataprotection.MonitoringSettingsArgs{
AzureMonitorAlertSettings: &dataprotection.AzureMonitorAlertSettingsArgs{
AlertsForAllJobFailures: pulumi.String(dataprotection.AlertsStateEnabled),
},
},
SecuritySettings: &dataprotection.SecuritySettingsArgs{
SoftDeleteSettings: &dataprotection.SoftDeleteSettingsArgs{
RetentionDurationInDays: pulumi.Float64(14),
State: pulumi.String("Enabled"),
},
},
StorageSettings: dataprotection.StorageSettingArray{
&dataprotection.StorageSettingArgs{
DatastoreType: pulumi.String(dataprotection.StorageSettingStoreTypesVaultStore),
Type: pulumi.String(dataprotection.StorageSettingTypesLocallyRedundant),
},
},
},
ResourceGroupName: pulumi.String("SampleResourceGroup"),
Tags: pulumi.StringMap{
"key1": pulumi.String("val1"),
},
VaultName: pulumi.String("swaggerExample"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var backupVault = new AzureNative.DataProtection.BackupVault("backupVault", new()
{
Identity = new AzureNative.DataProtection.Inputs.DppIdentityDetailsArgs
{
Type = "None",
},
Location = "WestUS",
Properties = new AzureNative.DataProtection.Inputs.BackupVaultArgs
{
FeatureSettings = new AzureNative.DataProtection.Inputs.FeatureSettingsArgs
{
CrossRegionRestoreSettings = new AzureNative.DataProtection.Inputs.CrossRegionRestoreSettingsArgs
{
State = AzureNative.DataProtection.CrossRegionRestoreState.Enabled,
},
},
MonitoringSettings = new AzureNative.DataProtection.Inputs.MonitoringSettingsArgs
{
AzureMonitorAlertSettings = new AzureNative.DataProtection.Inputs.AzureMonitorAlertSettingsArgs
{
AlertsForAllJobFailures = AzureNative.DataProtection.AlertsState.Enabled,
},
},
SecuritySettings = new AzureNative.DataProtection.Inputs.SecuritySettingsArgs
{
SoftDeleteSettings = new AzureNative.DataProtection.Inputs.SoftDeleteSettingsArgs
{
RetentionDurationInDays = 14,
State = "Enabled",
},
},
StorageSettings = new[]
{
new AzureNative.DataProtection.Inputs.StorageSettingArgs
{
DatastoreType = AzureNative.DataProtection.StorageSettingStoreTypes.VaultStore,
Type = AzureNative.DataProtection.StorageSettingTypes.LocallyRedundant,
},
},
},
ResourceGroupName = "SampleResourceGroup",
Tags =
{
{ "key1", "val1" },
},
VaultName = "swaggerExample",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupVault;
import com.pulumi.azurenative.dataprotection.inputs.DppIdentityDetailsArgs;
import com.pulumi.azurenative.dataprotection.inputs.FeatureSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.CrossRegionRestoreSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.MonitoringSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.AzureMonitorAlertSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecuritySettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SoftDeleteSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var backupVault = new BackupVault("backupVault", BackupVaultArgs.builder()
.identity(DppIdentityDetailsArgs.builder()
.type("None")
.build())
.location("WestUS")
.properties(BackupVaultArgs.builder()
.featureSettings(FeatureSettingsArgs.builder()
.crossRegionRestoreSettings(CrossRegionRestoreSettingsArgs.builder()
.state("Enabled")
.build())
.build())
.monitoringSettings(MonitoringSettingsArgs.builder()
.azureMonitorAlertSettings(AzureMonitorAlertSettingsArgs.builder()
.alertsForAllJobFailures("Enabled")
.build())
.build())
.securitySettings(SecuritySettingsArgs.builder()
.softDeleteSettings(SoftDeleteSettingsArgs.builder()
.retentionDurationInDays(14.0)
.state("Enabled")
.build())
.build())
.storageSettings(StorageSettingArgs.builder()
.datastoreType("VaultStore")
.type("LocallyRedundant")
.build())
.build())
.resourceGroupName("SampleResourceGroup")
.tags(Map.of("key1", "val1"))
.vaultName("swaggerExample")
.build());
}
}
resources:
backupVault:
type: azure-native:dataprotection:BackupVault
properties:
identity:
type: None
location: WestUS
properties:
featureSettings:
crossRegionRestoreSettings:
state: Enabled
monitoringSettings:
azureMonitorAlertSettings:
alertsForAllJobFailures: Enabled
securitySettings:
softDeleteSettings:
retentionDurationInDays: 14
state: Enabled
storageSettings:
- datastoreType: VaultStore
type: LocallyRedundant
resourceGroupName: SampleResourceGroup
tags:
key1: val1
vaultName: swaggerExample
The storageSettings property defines where backup data lives and how it’s replicated. The datastoreType specifies VaultStore (the vault’s managed storage), while type controls redundancy (LocallyRedundant keeps copies in one region). The monitoringSettings block enables Azure Monitor alerts for job failures, and securitySettings configures soft delete with a 14-day retention window to protect against accidental deletion.
Encrypt vault data with customer-managed keys
Organizations with compliance requirements often control encryption keys through Azure Key Vault.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const backupVault = new azure_native.dataprotection.BackupVault("backupVault", {
identity: {
type: "None",
},
location: "WestUS",
properties: {
monitoringSettings: {
azureMonitorAlertSettings: {
alertsForAllJobFailures: azure_native.dataprotection.AlertsState.Enabled,
},
},
securitySettings: {
encryptionSettings: {
infrastructureEncryption: azure_native.dataprotection.InfrastructureEncryptionState.Enabled,
kekIdentity: {
identityId: "/subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi",
identityType: azure_native.dataprotection.IdentityType.UserAssigned,
},
keyVaultProperties: {
keyUri: "https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3",
},
state: azure_native.dataprotection.EncryptionState.Enabled,
},
immutabilitySettings: {
state: azure_native.dataprotection.ImmutabilityState.Disabled,
},
softDeleteSettings: {
retentionDurationInDays: 0,
state: azure_native.dataprotection.SoftDeleteState.Off,
},
},
storageSettings: [{
datastoreType: azure_native.dataprotection.StorageSettingStoreTypes.VaultStore,
type: azure_native.dataprotection.StorageSettingTypes.LocallyRedundant,
}],
},
resourceGroupName: "SampleResourceGroup",
tags: {
key1: "val1",
},
vaultName: "swaggerExample",
});
import pulumi
import pulumi_azure_native as azure_native
backup_vault = azure_native.dataprotection.BackupVault("backupVault",
identity={
"type": "None",
},
location="WestUS",
properties={
"monitoring_settings": {
"azure_monitor_alert_settings": {
"alerts_for_all_job_failures": azure_native.dataprotection.AlertsState.ENABLED,
},
},
"security_settings": {
"encryption_settings": {
"infrastructure_encryption": azure_native.dataprotection.InfrastructureEncryptionState.ENABLED,
"kek_identity": {
"identity_id": "/subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi",
"identity_type": azure_native.dataprotection.IdentityType.USER_ASSIGNED,
},
"key_vault_properties": {
"key_uri": "https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3",
},
"state": azure_native.dataprotection.EncryptionState.ENABLED,
},
"immutability_settings": {
"state": azure_native.dataprotection.ImmutabilityState.DISABLED,
},
"soft_delete_settings": {
"retention_duration_in_days": 0,
"state": azure_native.dataprotection.SoftDeleteState.OFF,
},
},
"storage_settings": [{
"datastore_type": azure_native.dataprotection.StorageSettingStoreTypes.VAULT_STORE,
"type": azure_native.dataprotection.StorageSettingTypes.LOCALLY_REDUNDANT,
}],
},
resource_group_name="SampleResourceGroup",
tags={
"key1": "val1",
},
vault_name="swaggerExample")
package main
import (
dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataprotection.NewBackupVault(ctx, "backupVault", &dataprotection.BackupVaultArgs{
Identity: &dataprotection.DppIdentityDetailsArgs{
Type: pulumi.String("None"),
},
Location: pulumi.String("WestUS"),
Properties: &dataprotection.BackupVaultTypeArgs{
MonitoringSettings: &dataprotection.MonitoringSettingsArgs{
AzureMonitorAlertSettings: &dataprotection.AzureMonitorAlertSettingsArgs{
AlertsForAllJobFailures: pulumi.String(dataprotection.AlertsStateEnabled),
},
},
SecuritySettings: &dataprotection.SecuritySettingsArgs{
EncryptionSettings: &dataprotection.EncryptionSettingsArgs{
InfrastructureEncryption: pulumi.String(dataprotection.InfrastructureEncryptionStateEnabled),
KekIdentity: &dataprotection.CmkKekIdentityArgs{
IdentityId: pulumi.String("/subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi"),
IdentityType: pulumi.String(dataprotection.IdentityTypeUserAssigned),
},
KeyVaultProperties: &dataprotection.CmkKeyVaultPropertiesArgs{
KeyUri: pulumi.String("https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3"),
},
State: pulumi.String(dataprotection.EncryptionStateEnabled),
},
ImmutabilitySettings: &dataprotection.ImmutabilitySettingsArgs{
State: pulumi.String(dataprotection.ImmutabilityStateDisabled),
},
SoftDeleteSettings: &dataprotection.SoftDeleteSettingsArgs{
RetentionDurationInDays: pulumi.Float64(0),
State: pulumi.String(dataprotection.SoftDeleteStateOff),
},
},
StorageSettings: dataprotection.StorageSettingArray{
&dataprotection.StorageSettingArgs{
DatastoreType: pulumi.String(dataprotection.StorageSettingStoreTypesVaultStore),
Type: pulumi.String(dataprotection.StorageSettingTypesLocallyRedundant),
},
},
},
ResourceGroupName: pulumi.String("SampleResourceGroup"),
Tags: pulumi.StringMap{
"key1": pulumi.String("val1"),
},
VaultName: pulumi.String("swaggerExample"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var backupVault = new AzureNative.DataProtection.BackupVault("backupVault", new()
{
Identity = new AzureNative.DataProtection.Inputs.DppIdentityDetailsArgs
{
Type = "None",
},
Location = "WestUS",
Properties = new AzureNative.DataProtection.Inputs.BackupVaultArgs
{
MonitoringSettings = new AzureNative.DataProtection.Inputs.MonitoringSettingsArgs
{
AzureMonitorAlertSettings = new AzureNative.DataProtection.Inputs.AzureMonitorAlertSettingsArgs
{
AlertsForAllJobFailures = AzureNative.DataProtection.AlertsState.Enabled,
},
},
SecuritySettings = new AzureNative.DataProtection.Inputs.SecuritySettingsArgs
{
EncryptionSettings = new AzureNative.DataProtection.Inputs.EncryptionSettingsArgs
{
InfrastructureEncryption = AzureNative.DataProtection.InfrastructureEncryptionState.Enabled,
KekIdentity = new AzureNative.DataProtection.Inputs.CmkKekIdentityArgs
{
IdentityId = "/subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi",
IdentityType = AzureNative.DataProtection.IdentityType.UserAssigned,
},
KeyVaultProperties = new AzureNative.DataProtection.Inputs.CmkKeyVaultPropertiesArgs
{
KeyUri = "https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3",
},
State = AzureNative.DataProtection.EncryptionState.Enabled,
},
ImmutabilitySettings = new AzureNative.DataProtection.Inputs.ImmutabilitySettingsArgs
{
State = AzureNative.DataProtection.ImmutabilityState.Disabled,
},
SoftDeleteSettings = new AzureNative.DataProtection.Inputs.SoftDeleteSettingsArgs
{
RetentionDurationInDays = 0,
State = AzureNative.DataProtection.SoftDeleteState.Off,
},
},
StorageSettings = new[]
{
new AzureNative.DataProtection.Inputs.StorageSettingArgs
{
DatastoreType = AzureNative.DataProtection.StorageSettingStoreTypes.VaultStore,
Type = AzureNative.DataProtection.StorageSettingTypes.LocallyRedundant,
},
},
},
ResourceGroupName = "SampleResourceGroup",
Tags =
{
{ "key1", "val1" },
},
VaultName = "swaggerExample",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupVault;
import com.pulumi.azurenative.dataprotection.inputs.DppIdentityDetailsArgs;
import com.pulumi.azurenative.dataprotection.inputs.MonitoringSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.AzureMonitorAlertSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecuritySettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.EncryptionSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.CmkKekIdentityArgs;
import com.pulumi.azurenative.dataprotection.inputs.CmkKeyVaultPropertiesArgs;
import com.pulumi.azurenative.dataprotection.inputs.ImmutabilitySettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SoftDeleteSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var backupVault = new BackupVault("backupVault", BackupVaultArgs.builder()
.identity(DppIdentityDetailsArgs.builder()
.type("None")
.build())
.location("WestUS")
.properties(BackupVaultArgs.builder()
.monitoringSettings(MonitoringSettingsArgs.builder()
.azureMonitorAlertSettings(AzureMonitorAlertSettingsArgs.builder()
.alertsForAllJobFailures("Enabled")
.build())
.build())
.securitySettings(SecuritySettingsArgs.builder()
.encryptionSettings(EncryptionSettingsArgs.builder()
.infrastructureEncryption("Enabled")
.kekIdentity(CmkKekIdentityArgs.builder()
.identityId("/subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi")
.identityType("UserAssigned")
.build())
.keyVaultProperties(CmkKeyVaultPropertiesArgs.builder()
.keyUri("https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3")
.build())
.state("Enabled")
.build())
.immutabilitySettings(ImmutabilitySettingsArgs.builder()
.state("Disabled")
.build())
.softDeleteSettings(SoftDeleteSettingsArgs.builder()
.retentionDurationInDays(0.0)
.state("Off")
.build())
.build())
.storageSettings(StorageSettingArgs.builder()
.datastoreType("VaultStore")
.type("LocallyRedundant")
.build())
.build())
.resourceGroupName("SampleResourceGroup")
.tags(Map.of("key1", "val1"))
.vaultName("swaggerExample")
.build());
}
}
resources:
backupVault:
type: azure-native:dataprotection:BackupVault
properties:
identity:
type: None
location: WestUS
properties:
monitoringSettings:
azureMonitorAlertSettings:
alertsForAllJobFailures: Enabled
securitySettings:
encryptionSettings:
infrastructureEncryption: Enabled
kekIdentity:
identityId: /subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi
identityType: UserAssigned
keyVaultProperties:
keyUri: https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3
state: Enabled
immutabilitySettings:
state: Disabled
softDeleteSettings:
retentionDurationInDays: 0
state: Off
storageSettings:
- datastoreType: VaultStore
type: LocallyRedundant
resourceGroupName: SampleResourceGroup
tags:
key1: val1
vaultName: swaggerExample
The encryptionSettings property enables customer-managed keys (CMK) by pointing to a Key Vault key URI. The kekIdentity specifies which managed identity can access the key, and infrastructureEncryption adds a second layer of encryption at the infrastructure level. When soft delete is disabled (state: Off, retentionDurationInDays: 0), deleted backups are immediately removed rather than retained.
Enable system-assigned managed identity for vault operations
Vaults use managed identities to access backup data sources without storing credentials.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const backupVault = new azure_native.dataprotection.BackupVault("backupVault", {
identity: {
type: "systemAssigned",
},
location: "WestUS",
properties: {
featureSettings: {
crossRegionRestoreSettings: {
state: azure_native.dataprotection.CrossRegionRestoreState.Enabled,
},
},
monitoringSettings: {
azureMonitorAlertSettings: {
alertsForAllJobFailures: azure_native.dataprotection.AlertsState.Enabled,
},
},
securitySettings: {
softDeleteSettings: {
retentionDurationInDays: 14,
state: "Enabled",
},
},
storageSettings: [{
datastoreType: azure_native.dataprotection.StorageSettingStoreTypes.VaultStore,
type: azure_native.dataprotection.StorageSettingTypes.LocallyRedundant,
}],
},
resourceGroupName: "SampleResourceGroup",
tags: {
key1: "val1",
},
vaultName: "swaggerExample",
});
import pulumi
import pulumi_azure_native as azure_native
backup_vault = azure_native.dataprotection.BackupVault("backupVault",
identity={
"type": "systemAssigned",
},
location="WestUS",
properties={
"feature_settings": {
"cross_region_restore_settings": {
"state": azure_native.dataprotection.CrossRegionRestoreState.ENABLED,
},
},
"monitoring_settings": {
"azure_monitor_alert_settings": {
"alerts_for_all_job_failures": azure_native.dataprotection.AlertsState.ENABLED,
},
},
"security_settings": {
"soft_delete_settings": {
"retention_duration_in_days": 14,
"state": "Enabled",
},
},
"storage_settings": [{
"datastore_type": azure_native.dataprotection.StorageSettingStoreTypes.VAULT_STORE,
"type": azure_native.dataprotection.StorageSettingTypes.LOCALLY_REDUNDANT,
}],
},
resource_group_name="SampleResourceGroup",
tags={
"key1": "val1",
},
vault_name="swaggerExample")
package main
import (
dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataprotection.NewBackupVault(ctx, "backupVault", &dataprotection.BackupVaultArgs{
Identity: &dataprotection.DppIdentityDetailsArgs{
Type: pulumi.String("systemAssigned"),
},
Location: pulumi.String("WestUS"),
Properties: &dataprotection.BackupVaultTypeArgs{
FeatureSettings: &dataprotection.FeatureSettingsArgs{
CrossRegionRestoreSettings: &dataprotection.CrossRegionRestoreSettingsArgs{
State: pulumi.String(dataprotection.CrossRegionRestoreStateEnabled),
},
},
MonitoringSettings: &dataprotection.MonitoringSettingsArgs{
AzureMonitorAlertSettings: &dataprotection.AzureMonitorAlertSettingsArgs{
AlertsForAllJobFailures: pulumi.String(dataprotection.AlertsStateEnabled),
},
},
SecuritySettings: &dataprotection.SecuritySettingsArgs{
SoftDeleteSettings: &dataprotection.SoftDeleteSettingsArgs{
RetentionDurationInDays: pulumi.Float64(14),
State: pulumi.String("Enabled"),
},
},
StorageSettings: dataprotection.StorageSettingArray{
&dataprotection.StorageSettingArgs{
DatastoreType: pulumi.String(dataprotection.StorageSettingStoreTypesVaultStore),
Type: pulumi.String(dataprotection.StorageSettingTypesLocallyRedundant),
},
},
},
ResourceGroupName: pulumi.String("SampleResourceGroup"),
Tags: pulumi.StringMap{
"key1": pulumi.String("val1"),
},
VaultName: pulumi.String("swaggerExample"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var backupVault = new AzureNative.DataProtection.BackupVault("backupVault", new()
{
Identity = new AzureNative.DataProtection.Inputs.DppIdentityDetailsArgs
{
Type = "systemAssigned",
},
Location = "WestUS",
Properties = new AzureNative.DataProtection.Inputs.BackupVaultArgs
{
FeatureSettings = new AzureNative.DataProtection.Inputs.FeatureSettingsArgs
{
CrossRegionRestoreSettings = new AzureNative.DataProtection.Inputs.CrossRegionRestoreSettingsArgs
{
State = AzureNative.DataProtection.CrossRegionRestoreState.Enabled,
},
},
MonitoringSettings = new AzureNative.DataProtection.Inputs.MonitoringSettingsArgs
{
AzureMonitorAlertSettings = new AzureNative.DataProtection.Inputs.AzureMonitorAlertSettingsArgs
{
AlertsForAllJobFailures = AzureNative.DataProtection.AlertsState.Enabled,
},
},
SecuritySettings = new AzureNative.DataProtection.Inputs.SecuritySettingsArgs
{
SoftDeleteSettings = new AzureNative.DataProtection.Inputs.SoftDeleteSettingsArgs
{
RetentionDurationInDays = 14,
State = "Enabled",
},
},
StorageSettings = new[]
{
new AzureNative.DataProtection.Inputs.StorageSettingArgs
{
DatastoreType = AzureNative.DataProtection.StorageSettingStoreTypes.VaultStore,
Type = AzureNative.DataProtection.StorageSettingTypes.LocallyRedundant,
},
},
},
ResourceGroupName = "SampleResourceGroup",
Tags =
{
{ "key1", "val1" },
},
VaultName = "swaggerExample",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupVault;
import com.pulumi.azurenative.dataprotection.inputs.DppIdentityDetailsArgs;
import com.pulumi.azurenative.dataprotection.inputs.FeatureSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.CrossRegionRestoreSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.MonitoringSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.AzureMonitorAlertSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecuritySettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SoftDeleteSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var backupVault = new BackupVault("backupVault", BackupVaultArgs.builder()
.identity(DppIdentityDetailsArgs.builder()
.type("systemAssigned")
.build())
.location("WestUS")
.properties(BackupVaultArgs.builder()
.featureSettings(FeatureSettingsArgs.builder()
.crossRegionRestoreSettings(CrossRegionRestoreSettingsArgs.builder()
.state("Enabled")
.build())
.build())
.monitoringSettings(MonitoringSettingsArgs.builder()
.azureMonitorAlertSettings(AzureMonitorAlertSettingsArgs.builder()
.alertsForAllJobFailures("Enabled")
.build())
.build())
.securitySettings(SecuritySettingsArgs.builder()
.softDeleteSettings(SoftDeleteSettingsArgs.builder()
.retentionDurationInDays(14.0)
.state("Enabled")
.build())
.build())
.storageSettings(StorageSettingArgs.builder()
.datastoreType("VaultStore")
.type("LocallyRedundant")
.build())
.build())
.resourceGroupName("SampleResourceGroup")
.tags(Map.of("key1", "val1"))
.vaultName("swaggerExample")
.build());
}
}
resources:
backupVault:
type: azure-native:dataprotection:BackupVault
properties:
identity:
type: systemAssigned
location: WestUS
properties:
featureSettings:
crossRegionRestoreSettings:
state: Enabled
monitoringSettings:
azureMonitorAlertSettings:
alertsForAllJobFailures: Enabled
securitySettings:
softDeleteSettings:
retentionDurationInDays: 14
state: Enabled
storageSettings:
- datastoreType: VaultStore
type: LocallyRedundant
resourceGroupName: SampleResourceGroup
tags:
key1: val1
vaultName: swaggerExample
The identity property assigns a system-managed identity to the vault. Setting type to “systemAssigned” creates an identity that Azure manages automatically, which the vault uses to authenticate to backup sources and perform operations on your behalf.
Beyond these examples
These snippets focus on specific vault-level features: storage redundancy and monitoring configuration, customer-managed encryption keys, and managed identity assignment. They’re intentionally minimal rather than full backup solutions.
The examples may reference pre-existing infrastructure such as Azure resource groups, Key Vault instances with encryption keys (for CMK example), and user-assigned managed identities (for CMK example). They focus on configuring the vault rather than provisioning everything around it.
To keep things focused, common vault patterns are omitted, including:
- Cross-region restore configuration (featureSettings)
- Immutability settings for compliance locks
- User-assigned managed identities (identity type variations)
- Backup policies and protected items (separate resources)
These omissions are intentional: the goal is to illustrate how each vault feature is wired, not provide drop-in backup modules. See the BackupVault resource reference for all available configuration options.
Let's create Azure Backup Vaults
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Lifecycle
What properties can't I change after creating a backup vault?
The
resourceGroupName and vaultName properties are immutable and cannot be changed after vault creation.What storage redundancy options are available?
The examples demonstrate
LocallyRedundant storage type with VaultStore datastore type configured in storageSettings.Security & Encryption
How do I enable soft delete protection?
Configure
securitySettings.softDeleteSettings with retentionDurationInDays (e.g., 14) and set state to “Enabled”. To disable soft delete, set retentionDurationInDays to 0 and state to “Off”.Can I use customer-managed keys for encryption?
Yes, configure
securitySettings.encryptionSettings with keyVaultProperties.keyUri pointing to your Key Vault key, specify kekIdentity with the managed identity details, and set state to “Enabled”. You can also enable infrastructureEncryption for additional encryption.What's the difference between soft delete and immutability settings?
Soft delete (
securitySettings.softDeleteSettings) provides time-based recovery with configurable retention days, while immutability settings (securitySettings.immutabilitySettings) control whether backup data can be modified or deleted. The CMK example shows immutability set to “Disabled”.Identity & Access
What managed identity types can I assign to a backup vault?
You can configure three identity types: “None” (no managed identity), “systemAssigned” (Azure-managed identity), or “UserAssigned” (user-managed identity with explicit identity resource ID).
Monitoring & Features
How do I enable monitoring alerts for backup job failures?
Set
monitoringSettings.azureMonitorAlertSettings.alertsForAllJobFailures to “Enabled” to receive alerts for all job failures.How do I enable cross-region restore?
Configure
featureSettings.crossRegionRestoreSettings.state to “Enabled” to allow restoring backups across Azure regions.