The azure-native:dataprotection:BackupVault resource, part of the Pulumi Azure Native provider, provisions an Azure Backup vault that serves as the container for backup policies, protected items, and recovery points. This guide focuses on three capabilities: storage redundancy and monitoring setup, customer-managed key encryption, and managed identity configuration.
Backup vaults belong to resource groups and may reference Key Vault instances and managed identities for encryption and access control. The examples are intentionally small. Combine them with your own backup policies and protected items.
Create a vault with storage redundancy and monitoring
Most deployments start by configuring storage redundancy, soft delete protection, and monitoring alerts.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const backupVault = new azure_native.dataprotection.BackupVault("backupVault", {
identity: {
type: "None",
},
location: "WestUS",
properties: {
featureSettings: {
crossRegionRestoreSettings: {
state: azure_native.dataprotection.CrossRegionRestoreState.Enabled,
},
},
monitoringSettings: {
azureMonitorAlertSettings: {
alertsForAllJobFailures: azure_native.dataprotection.AlertsState.Enabled,
},
},
securitySettings: {
softDeleteSettings: {
retentionDurationInDays: 14,
state: "Enabled",
},
},
storageSettings: [{
datastoreType: azure_native.dataprotection.StorageSettingStoreTypes.VaultStore,
type: azure_native.dataprotection.StorageSettingTypes.LocallyRedundant,
}],
},
resourceGroupName: "SampleResourceGroup",
tags: {
key1: "val1",
},
vaultName: "swaggerExample",
});
import pulumi
import pulumi_azure_native as azure_native
backup_vault = azure_native.dataprotection.BackupVault("backupVault",
identity={
"type": "None",
},
location="WestUS",
properties={
"feature_settings": {
"cross_region_restore_settings": {
"state": azure_native.dataprotection.CrossRegionRestoreState.ENABLED,
},
},
"monitoring_settings": {
"azure_monitor_alert_settings": {
"alerts_for_all_job_failures": azure_native.dataprotection.AlertsState.ENABLED,
},
},
"security_settings": {
"soft_delete_settings": {
"retention_duration_in_days": 14,
"state": "Enabled",
},
},
"storage_settings": [{
"datastore_type": azure_native.dataprotection.StorageSettingStoreTypes.VAULT_STORE,
"type": azure_native.dataprotection.StorageSettingTypes.LOCALLY_REDUNDANT,
}],
},
resource_group_name="SampleResourceGroup",
tags={
"key1": "val1",
},
vault_name="swaggerExample")
package main
import (
dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataprotection.NewBackupVault(ctx, "backupVault", &dataprotection.BackupVaultArgs{
Identity: &dataprotection.DppIdentityDetailsArgs{
Type: pulumi.String("None"),
},
Location: pulumi.String("WestUS"),
Properties: &dataprotection.BackupVaultTypeArgs{
FeatureSettings: &dataprotection.FeatureSettingsArgs{
CrossRegionRestoreSettings: &dataprotection.CrossRegionRestoreSettingsArgs{
State: pulumi.String(dataprotection.CrossRegionRestoreStateEnabled),
},
},
MonitoringSettings: &dataprotection.MonitoringSettingsArgs{
AzureMonitorAlertSettings: &dataprotection.AzureMonitorAlertSettingsArgs{
AlertsForAllJobFailures: pulumi.String(dataprotection.AlertsStateEnabled),
},
},
SecuritySettings: &dataprotection.SecuritySettingsArgs{
SoftDeleteSettings: &dataprotection.SoftDeleteSettingsArgs{
RetentionDurationInDays: pulumi.Float64(14),
State: pulumi.String("Enabled"),
},
},
StorageSettings: dataprotection.StorageSettingArray{
&dataprotection.StorageSettingArgs{
DatastoreType: pulumi.String(dataprotection.StorageSettingStoreTypesVaultStore),
Type: pulumi.String(dataprotection.StorageSettingTypesLocallyRedundant),
},
},
},
ResourceGroupName: pulumi.String("SampleResourceGroup"),
Tags: pulumi.StringMap{
"key1": pulumi.String("val1"),
},
VaultName: pulumi.String("swaggerExample"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var backupVault = new AzureNative.DataProtection.BackupVault("backupVault", new()
{
Identity = new AzureNative.DataProtection.Inputs.DppIdentityDetailsArgs
{
Type = "None",
},
Location = "WestUS",
Properties = new AzureNative.DataProtection.Inputs.BackupVaultArgs
{
FeatureSettings = new AzureNative.DataProtection.Inputs.FeatureSettingsArgs
{
CrossRegionRestoreSettings = new AzureNative.DataProtection.Inputs.CrossRegionRestoreSettingsArgs
{
State = AzureNative.DataProtection.CrossRegionRestoreState.Enabled,
},
},
MonitoringSettings = new AzureNative.DataProtection.Inputs.MonitoringSettingsArgs
{
AzureMonitorAlertSettings = new AzureNative.DataProtection.Inputs.AzureMonitorAlertSettingsArgs
{
AlertsForAllJobFailures = AzureNative.DataProtection.AlertsState.Enabled,
},
},
SecuritySettings = new AzureNative.DataProtection.Inputs.SecuritySettingsArgs
{
SoftDeleteSettings = new AzureNative.DataProtection.Inputs.SoftDeleteSettingsArgs
{
RetentionDurationInDays = 14,
State = "Enabled",
},
},
StorageSettings = new[]
{
new AzureNative.DataProtection.Inputs.StorageSettingArgs
{
DatastoreType = AzureNative.DataProtection.StorageSettingStoreTypes.VaultStore,
Type = AzureNative.DataProtection.StorageSettingTypes.LocallyRedundant,
},
},
},
ResourceGroupName = "SampleResourceGroup",
Tags =
{
{ "key1", "val1" },
},
VaultName = "swaggerExample",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupVault;
import com.pulumi.azurenative.dataprotection.inputs.DppIdentityDetailsArgs;
import com.pulumi.azurenative.dataprotection.inputs.FeatureSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.CrossRegionRestoreSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.MonitoringSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.AzureMonitorAlertSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecuritySettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SoftDeleteSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var backupVault = new BackupVault("backupVault", BackupVaultArgs.builder()
.identity(DppIdentityDetailsArgs.builder()
.type("None")
.build())
.location("WestUS")
.properties(BackupVaultArgs.builder()
.featureSettings(FeatureSettingsArgs.builder()
.crossRegionRestoreSettings(CrossRegionRestoreSettingsArgs.builder()
.state("Enabled")
.build())
.build())
.monitoringSettings(MonitoringSettingsArgs.builder()
.azureMonitorAlertSettings(AzureMonitorAlertSettingsArgs.builder()
.alertsForAllJobFailures("Enabled")
.build())
.build())
.securitySettings(SecuritySettingsArgs.builder()
.softDeleteSettings(SoftDeleteSettingsArgs.builder()
.retentionDurationInDays(14.0)
.state("Enabled")
.build())
.build())
.storageSettings(StorageSettingArgs.builder()
.datastoreType("VaultStore")
.type("LocallyRedundant")
.build())
.build())
.resourceGroupName("SampleResourceGroup")
.tags(Map.of("key1", "val1"))
.vaultName("swaggerExample")
.build());
}
}
resources:
backupVault:
type: azure-native:dataprotection:BackupVault
properties:
identity:
type: None
location: WestUS
properties:
featureSettings:
crossRegionRestoreSettings:
state: Enabled
monitoringSettings:
azureMonitorAlertSettings:
alertsForAllJobFailures: Enabled
securitySettings:
softDeleteSettings:
retentionDurationInDays: 14
state: Enabled
storageSettings:
- datastoreType: VaultStore
type: LocallyRedundant
resourceGroupName: SampleResourceGroup
tags:
key1: val1
vaultName: swaggerExample
The storageSettings property defines where backup data lives and how it’s replicated. The datastoreType specifies VaultStore (the vault’s managed storage), while type controls redundancy (LocallyRedundant keeps copies in one region). The monitoringSettings block enables Azure Monitor alerts for job failures, and securitySettings configures soft delete with a 14-day retention window to protect against accidental deletion.
Encrypt vault data with customer-managed keys
Organizations with compliance requirements often control encryption keys through Azure Key Vault.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const backupVault = new azure_native.dataprotection.BackupVault("backupVault", {
identity: {
type: "None",
},
location: "WestUS",
properties: {
monitoringSettings: {
azureMonitorAlertSettings: {
alertsForAllJobFailures: azure_native.dataprotection.AlertsState.Enabled,
},
},
securitySettings: {
encryptionSettings: {
infrastructureEncryption: azure_native.dataprotection.InfrastructureEncryptionState.Enabled,
kekIdentity: {
identityId: "/subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi",
identityType: azure_native.dataprotection.IdentityType.UserAssigned,
},
keyVaultProperties: {
keyUri: "https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3",
},
state: azure_native.dataprotection.EncryptionState.Enabled,
},
immutabilitySettings: {
state: azure_native.dataprotection.ImmutabilityState.Disabled,
},
softDeleteSettings: {
retentionDurationInDays: 0,
state: azure_native.dataprotection.SoftDeleteState.Off,
},
},
storageSettings: [{
datastoreType: azure_native.dataprotection.StorageSettingStoreTypes.VaultStore,
type: azure_native.dataprotection.StorageSettingTypes.LocallyRedundant,
}],
},
resourceGroupName: "SampleResourceGroup",
tags: {
key1: "val1",
},
vaultName: "swaggerExample",
});
import pulumi
import pulumi_azure_native as azure_native
backup_vault = azure_native.dataprotection.BackupVault("backupVault",
identity={
"type": "None",
},
location="WestUS",
properties={
"monitoring_settings": {
"azure_monitor_alert_settings": {
"alerts_for_all_job_failures": azure_native.dataprotection.AlertsState.ENABLED,
},
},
"security_settings": {
"encryption_settings": {
"infrastructure_encryption": azure_native.dataprotection.InfrastructureEncryptionState.ENABLED,
"kek_identity": {
"identity_id": "/subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi",
"identity_type": azure_native.dataprotection.IdentityType.USER_ASSIGNED,
},
"key_vault_properties": {
"key_uri": "https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3",
},
"state": azure_native.dataprotection.EncryptionState.ENABLED,
},
"immutability_settings": {
"state": azure_native.dataprotection.ImmutabilityState.DISABLED,
},
"soft_delete_settings": {
"retention_duration_in_days": 0,
"state": azure_native.dataprotection.SoftDeleteState.OFF,
},
},
"storage_settings": [{
"datastore_type": azure_native.dataprotection.StorageSettingStoreTypes.VAULT_STORE,
"type": azure_native.dataprotection.StorageSettingTypes.LOCALLY_REDUNDANT,
}],
},
resource_group_name="SampleResourceGroup",
tags={
"key1": "val1",
},
vault_name="swaggerExample")
package main
import (
dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataprotection.NewBackupVault(ctx, "backupVault", &dataprotection.BackupVaultArgs{
Identity: &dataprotection.DppIdentityDetailsArgs{
Type: pulumi.String("None"),
},
Location: pulumi.String("WestUS"),
Properties: &dataprotection.BackupVaultTypeArgs{
MonitoringSettings: &dataprotection.MonitoringSettingsArgs{
AzureMonitorAlertSettings: &dataprotection.AzureMonitorAlertSettingsArgs{
AlertsForAllJobFailures: pulumi.String(dataprotection.AlertsStateEnabled),
},
},
SecuritySettings: &dataprotection.SecuritySettingsArgs{
EncryptionSettings: &dataprotection.EncryptionSettingsArgs{
InfrastructureEncryption: pulumi.String(dataprotection.InfrastructureEncryptionStateEnabled),
KekIdentity: &dataprotection.CmkKekIdentityArgs{
IdentityId: pulumi.String("/subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi"),
IdentityType: pulumi.String(dataprotection.IdentityTypeUserAssigned),
},
KeyVaultProperties: &dataprotection.CmkKeyVaultPropertiesArgs{
KeyUri: pulumi.String("https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3"),
},
State: pulumi.String(dataprotection.EncryptionStateEnabled),
},
ImmutabilitySettings: &dataprotection.ImmutabilitySettingsArgs{
State: pulumi.String(dataprotection.ImmutabilityStateDisabled),
},
SoftDeleteSettings: &dataprotection.SoftDeleteSettingsArgs{
RetentionDurationInDays: pulumi.Float64(0),
State: pulumi.String(dataprotection.SoftDeleteStateOff),
},
},
StorageSettings: dataprotection.StorageSettingArray{
&dataprotection.StorageSettingArgs{
DatastoreType: pulumi.String(dataprotection.StorageSettingStoreTypesVaultStore),
Type: pulumi.String(dataprotection.StorageSettingTypesLocallyRedundant),
},
},
},
ResourceGroupName: pulumi.String("SampleResourceGroup"),
Tags: pulumi.StringMap{
"key1": pulumi.String("val1"),
},
VaultName: pulumi.String("swaggerExample"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var backupVault = new AzureNative.DataProtection.BackupVault("backupVault", new()
{
Identity = new AzureNative.DataProtection.Inputs.DppIdentityDetailsArgs
{
Type = "None",
},
Location = "WestUS",
Properties = new AzureNative.DataProtection.Inputs.BackupVaultArgs
{
MonitoringSettings = new AzureNative.DataProtection.Inputs.MonitoringSettingsArgs
{
AzureMonitorAlertSettings = new AzureNative.DataProtection.Inputs.AzureMonitorAlertSettingsArgs
{
AlertsForAllJobFailures = AzureNative.DataProtection.AlertsState.Enabled,
},
},
SecuritySettings = new AzureNative.DataProtection.Inputs.SecuritySettingsArgs
{
EncryptionSettings = new AzureNative.DataProtection.Inputs.EncryptionSettingsArgs
{
InfrastructureEncryption = AzureNative.DataProtection.InfrastructureEncryptionState.Enabled,
KekIdentity = new AzureNative.DataProtection.Inputs.CmkKekIdentityArgs
{
IdentityId = "/subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi",
IdentityType = AzureNative.DataProtection.IdentityType.UserAssigned,
},
KeyVaultProperties = new AzureNative.DataProtection.Inputs.CmkKeyVaultPropertiesArgs
{
KeyUri = "https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3",
},
State = AzureNative.DataProtection.EncryptionState.Enabled,
},
ImmutabilitySettings = new AzureNative.DataProtection.Inputs.ImmutabilitySettingsArgs
{
State = AzureNative.DataProtection.ImmutabilityState.Disabled,
},
SoftDeleteSettings = new AzureNative.DataProtection.Inputs.SoftDeleteSettingsArgs
{
RetentionDurationInDays = 0,
State = AzureNative.DataProtection.SoftDeleteState.Off,
},
},
StorageSettings = new[]
{
new AzureNative.DataProtection.Inputs.StorageSettingArgs
{
DatastoreType = AzureNative.DataProtection.StorageSettingStoreTypes.VaultStore,
Type = AzureNative.DataProtection.StorageSettingTypes.LocallyRedundant,
},
},
},
ResourceGroupName = "SampleResourceGroup",
Tags =
{
{ "key1", "val1" },
},
VaultName = "swaggerExample",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupVault;
import com.pulumi.azurenative.dataprotection.inputs.DppIdentityDetailsArgs;
import com.pulumi.azurenative.dataprotection.inputs.MonitoringSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.AzureMonitorAlertSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecuritySettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.EncryptionSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.CmkKekIdentityArgs;
import com.pulumi.azurenative.dataprotection.inputs.CmkKeyVaultPropertiesArgs;
import com.pulumi.azurenative.dataprotection.inputs.ImmutabilitySettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SoftDeleteSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var backupVault = new BackupVault("backupVault", BackupVaultArgs.builder()
.identity(DppIdentityDetailsArgs.builder()
.type("None")
.build())
.location("WestUS")
.properties(BackupVaultArgs.builder()
.monitoringSettings(MonitoringSettingsArgs.builder()
.azureMonitorAlertSettings(AzureMonitorAlertSettingsArgs.builder()
.alertsForAllJobFailures("Enabled")
.build())
.build())
.securitySettings(SecuritySettingsArgs.builder()
.encryptionSettings(EncryptionSettingsArgs.builder()
.infrastructureEncryption("Enabled")
.kekIdentity(CmkKekIdentityArgs.builder()
.identityId("/subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi")
.identityType("UserAssigned")
.build())
.keyVaultProperties(CmkKeyVaultPropertiesArgs.builder()
.keyUri("https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3")
.build())
.state("Enabled")
.build())
.immutabilitySettings(ImmutabilitySettingsArgs.builder()
.state("Disabled")
.build())
.softDeleteSettings(SoftDeleteSettingsArgs.builder()
.retentionDurationInDays(0.0)
.state("Off")
.build())
.build())
.storageSettings(StorageSettingArgs.builder()
.datastoreType("VaultStore")
.type("LocallyRedundant")
.build())
.build())
.resourceGroupName("SampleResourceGroup")
.tags(Map.of("key1", "val1"))
.vaultName("swaggerExample")
.build());
}
}
resources:
backupVault:
type: azure-native:dataprotection:BackupVault
properties:
identity:
type: None
location: WestUS
properties:
monitoringSettings:
azureMonitorAlertSettings:
alertsForAllJobFailures: Enabled
securitySettings:
encryptionSettings:
infrastructureEncryption: Enabled
kekIdentity:
identityId: /subscriptions/85bf5e8c-3084-4f42-add2-746ebb7e97b2/resourcegroups/defaultrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/examplemsi
identityType: UserAssigned
keyVaultProperties:
keyUri: https://cmk2xkv.vault.azure.net/keys/Key1/0767b348bb1a4c07baa6c4ec0055d2b3
state: Enabled
immutabilitySettings:
state: Disabled
softDeleteSettings:
retentionDurationInDays: 0
state: Off
storageSettings:
- datastoreType: VaultStore
type: LocallyRedundant
resourceGroupName: SampleResourceGroup
tags:
key1: val1
vaultName: swaggerExample
The encryptionSettings property enables customer-managed keys (CMK) by pointing to a Key Vault key URI. The kekIdentity specifies which managed identity can access the key, and infrastructureEncryption adds a second layer of encryption at the infrastructure level. When soft delete is disabled (state: Off, retentionDurationInDays: 0), deleted backups are immediately removed rather than retained.
Enable system-assigned managed identity for vault operations
Vaults use managed identities to access backup data sources without storing credentials.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const backupVault = new azure_native.dataprotection.BackupVault("backupVault", {
identity: {
type: "systemAssigned",
},
location: "WestUS",
properties: {
featureSettings: {
crossRegionRestoreSettings: {
state: azure_native.dataprotection.CrossRegionRestoreState.Enabled,
},
},
monitoringSettings: {
azureMonitorAlertSettings: {
alertsForAllJobFailures: azure_native.dataprotection.AlertsState.Enabled,
},
},
securitySettings: {
softDeleteSettings: {
retentionDurationInDays: 14,
state: "Enabled",
},
},
storageSettings: [{
datastoreType: azure_native.dataprotection.StorageSettingStoreTypes.VaultStore,
type: azure_native.dataprotection.StorageSettingTypes.LocallyRedundant,
}],
},
resourceGroupName: "SampleResourceGroup",
tags: {
key1: "val1",
},
vaultName: "swaggerExample",
});
import pulumi
import pulumi_azure_native as azure_native
backup_vault = azure_native.dataprotection.BackupVault("backupVault",
identity={
"type": "systemAssigned",
},
location="WestUS",
properties={
"feature_settings": {
"cross_region_restore_settings": {
"state": azure_native.dataprotection.CrossRegionRestoreState.ENABLED,
},
},
"monitoring_settings": {
"azure_monitor_alert_settings": {
"alerts_for_all_job_failures": azure_native.dataprotection.AlertsState.ENABLED,
},
},
"security_settings": {
"soft_delete_settings": {
"retention_duration_in_days": 14,
"state": "Enabled",
},
},
"storage_settings": [{
"datastore_type": azure_native.dataprotection.StorageSettingStoreTypes.VAULT_STORE,
"type": azure_native.dataprotection.StorageSettingTypes.LOCALLY_REDUNDANT,
}],
},
resource_group_name="SampleResourceGroup",
tags={
"key1": "val1",
},
vault_name="swaggerExample")
package main
import (
dataprotection "github.com/pulumi/pulumi-azure-native-sdk/dataprotection/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := dataprotection.NewBackupVault(ctx, "backupVault", &dataprotection.BackupVaultArgs{
Identity: &dataprotection.DppIdentityDetailsArgs{
Type: pulumi.String("systemAssigned"),
},
Location: pulumi.String("WestUS"),
Properties: &dataprotection.BackupVaultTypeArgs{
FeatureSettings: &dataprotection.FeatureSettingsArgs{
CrossRegionRestoreSettings: &dataprotection.CrossRegionRestoreSettingsArgs{
State: pulumi.String(dataprotection.CrossRegionRestoreStateEnabled),
},
},
MonitoringSettings: &dataprotection.MonitoringSettingsArgs{
AzureMonitorAlertSettings: &dataprotection.AzureMonitorAlertSettingsArgs{
AlertsForAllJobFailures: pulumi.String(dataprotection.AlertsStateEnabled),
},
},
SecuritySettings: &dataprotection.SecuritySettingsArgs{
SoftDeleteSettings: &dataprotection.SoftDeleteSettingsArgs{
RetentionDurationInDays: pulumi.Float64(14),
State: pulumi.String("Enabled"),
},
},
StorageSettings: dataprotection.StorageSettingArray{
&dataprotection.StorageSettingArgs{
DatastoreType: pulumi.String(dataprotection.StorageSettingStoreTypesVaultStore),
Type: pulumi.String(dataprotection.StorageSettingTypesLocallyRedundant),
},
},
},
ResourceGroupName: pulumi.String("SampleResourceGroup"),
Tags: pulumi.StringMap{
"key1": pulumi.String("val1"),
},
VaultName: pulumi.String("swaggerExample"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var backupVault = new AzureNative.DataProtection.BackupVault("backupVault", new()
{
Identity = new AzureNative.DataProtection.Inputs.DppIdentityDetailsArgs
{
Type = "systemAssigned",
},
Location = "WestUS",
Properties = new AzureNative.DataProtection.Inputs.BackupVaultArgs
{
FeatureSettings = new AzureNative.DataProtection.Inputs.FeatureSettingsArgs
{
CrossRegionRestoreSettings = new AzureNative.DataProtection.Inputs.CrossRegionRestoreSettingsArgs
{
State = AzureNative.DataProtection.CrossRegionRestoreState.Enabled,
},
},
MonitoringSettings = new AzureNative.DataProtection.Inputs.MonitoringSettingsArgs
{
AzureMonitorAlertSettings = new AzureNative.DataProtection.Inputs.AzureMonitorAlertSettingsArgs
{
AlertsForAllJobFailures = AzureNative.DataProtection.AlertsState.Enabled,
},
},
SecuritySettings = new AzureNative.DataProtection.Inputs.SecuritySettingsArgs
{
SoftDeleteSettings = new AzureNative.DataProtection.Inputs.SoftDeleteSettingsArgs
{
RetentionDurationInDays = 14,
State = "Enabled",
},
},
StorageSettings = new[]
{
new AzureNative.DataProtection.Inputs.StorageSettingArgs
{
DatastoreType = AzureNative.DataProtection.StorageSettingStoreTypes.VaultStore,
Type = AzureNative.DataProtection.StorageSettingTypes.LocallyRedundant,
},
},
},
ResourceGroupName = "SampleResourceGroup",
Tags =
{
{ "key1", "val1" },
},
VaultName = "swaggerExample",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.dataprotection.BackupVault;
import com.pulumi.azurenative.dataprotection.inputs.DppIdentityDetailsArgs;
import com.pulumi.azurenative.dataprotection.inputs.FeatureSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.CrossRegionRestoreSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.MonitoringSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.AzureMonitorAlertSettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SecuritySettingsArgs;
import com.pulumi.azurenative.dataprotection.inputs.SoftDeleteSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var backupVault = new BackupVault("backupVault", BackupVaultArgs.builder()
.identity(DppIdentityDetailsArgs.builder()
.type("systemAssigned")
.build())
.location("WestUS")
.properties(BackupVaultArgs.builder()
.featureSettings(FeatureSettingsArgs.builder()
.crossRegionRestoreSettings(CrossRegionRestoreSettingsArgs.builder()
.state("Enabled")
.build())
.build())
.monitoringSettings(MonitoringSettingsArgs.builder()
.azureMonitorAlertSettings(AzureMonitorAlertSettingsArgs.builder()
.alertsForAllJobFailures("Enabled")
.build())
.build())
.securitySettings(SecuritySettingsArgs.builder()
.softDeleteSettings(SoftDeleteSettingsArgs.builder()
.retentionDurationInDays(14.0)
.state("Enabled")
.build())
.build())
.storageSettings(StorageSettingArgs.builder()
.datastoreType("VaultStore")
.type("LocallyRedundant")
.build())
.build())
.resourceGroupName("SampleResourceGroup")
.tags(Map.of("key1", "val1"))
.vaultName("swaggerExample")
.build());
}
}
resources:
backupVault:
type: azure-native:dataprotection:BackupVault
properties:
identity:
type: systemAssigned
location: WestUS
properties:
featureSettings:
crossRegionRestoreSettings:
state: Enabled
monitoringSettings:
azureMonitorAlertSettings:
alertsForAllJobFailures: Enabled
securitySettings:
softDeleteSettings:
retentionDurationInDays: 14
state: Enabled
storageSettings:
- datastoreType: VaultStore
type: LocallyRedundant
resourceGroupName: SampleResourceGroup
tags:
key1: val1
vaultName: swaggerExample
The identity property assigns a system-managed identity to the vault. Setting type to “systemAssigned” creates an identity that Azure manages automatically, which the vault uses to authenticate to backup sources and perform operations on your behalf.
Beyond these examples
These snippets focus on specific vault-level features: storage redundancy and monitoring configuration, customer-managed encryption keys, and managed identity assignment. They’re intentionally minimal rather than full backup solutions.
The examples may reference pre-existing infrastructure such as Azure resource groups, Key Vault instances with encryption keys (for CMK example), and user-assigned managed identities (for CMK example). They focus on configuring the vault rather than provisioning everything around it.
To keep things focused, common vault patterns are omitted, including:
- Cross-region restore configuration (featureSettings)
- Immutability settings for compliance locks
- User-assigned managed identities (identity type variations)
- Backup policies and protected items (separate resources)
These omissions are intentional: the goal is to illustrate how each vault feature is wired, not provide drop-in backup modules. See the BackupVault resource reference for all available configuration options.
Let's create Azure Backup Vaults
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Immutability
What properties can't be changed after creating a backup vault?
The
resourceGroupName and vaultName are immutable and cannot be modified after creation.What storage redundancy type should I use?
All examples use
LocallyRedundant for the storageSettings.type property with VaultStore as the datastore type.Security & Encryption
How do I configure soft delete for my backup vault?
Set
softDeleteSettings with retentionDurationInDays (e.g., 14) and state set to “Enabled”. To disable soft delete, use 0 days and state “Off”.How do I enable customer-managed keys (CMK) for encryption?
Configure encryptionSettings with:
kekIdentitypointing to a user-assigned managed identitykeyVaultProperties.keyUriwith your Key Vault key URI- Optionally enable
infrastructureEncryption - Set
stateto “Enabled”
What identity types are supported for backup vaults?
You can use “None”, “systemAssigned”, or user-assigned managed identity. User-assigned identity is required when using customer-managed keys.
Features & Monitoring
How do I enable cross-region restore?
Set
crossRegionRestoreSettings.state to “Enabled” within featureSettings.How do I enable monitoring alerts for backup job failures?
Configure
azureMonitorAlertSettings.alertsForAllJobFailures to “Enabled” within monitoringSettings.