Soft-Delete and Redundancy for Recovery Services Vault when protecting Onprem VMWare machines using Site Recovery

Question

Soft-Delete and Redundancy for Recovery Services Vault when protecting Onprem VMWare machines using Site Recovery

Anandha Chandrasekaran 20

Hi,

We are trying to protect OnPrem VMWare Virtual Machines using Azure Site Recovery to Azure. I would like to understand what is the recommended Settings for Soft Delete and Redundancy for Recovery Services Vault ?

Should we enable Soft Delete in this case ?

Should we enable LRS, ZRS or GRS?

I am going though this document https://learn.microsoft.com/en-us/azure/site-recovery/vmware-physical-azure-support-matrix#azure-storage but there are no clear answers from here for Recovery Service Vault Settings

Suchitra Suregaunkar 13,990 Reputation points Microsoft External Staff Moderator

2026-05-15T09:49:46.95+00:00
Hello @Anandha Chandrasekaran

Thank you for posting your query on Microsoft Q&A platform.

Yes, it is recommended to keep Soft Delete enabled.

Soft delete is enabled by default on new Recovery Services vaults to protect data from accidental or malicious deletion

It retains deleted items for a period (for example, 14 days by default), allowing recovery if needed

References:

Create and configure a Recovery Services vault

Enhanced soft delete for Azure Backup

Important for ASR: Soft delete does not affect replication or failover behavior. It is purely a protection mechanism for vault data and configuration.

Vault Redundancy (LRS vs ZRS vs GRS):

For VMware → Azure Site Recovery:

The Recovery Services vault stores metadata and policies

The actual replicated VM data is stored in Azure Storage (managed disks, storage accounts)

Reference:

VMware to Azure Site Recovery architecture

This means: Vault storage redundancy does not determine how your VM replication data is protected.

Microsoft guidance for Recovery Services vault storage:

GRS (Geo‑redundant storage) → default, higher durability across regions

ZRS (Zone‑redundant storage) → protects against zone failures within a region

LRS (Locally redundant storage) → lowest cost, single‑datacenter protection

Reference:

Recovery Services vault storage redundancy guidance

For your scenario (VMware → Azure Site Recovery), here is the recommendation approach:

LRS (Locally Redundant Storage) is the most commonly used option for Azure Site Recovery deployments because it is cost‑effective and sufficient in most cases where additional geo‑redundancy is not required.

ZRS (Zone Redundant Storage) is a good choice for production environments when you want added resilience against Availability Zone failures within the same Azure region.

GRS (Geo Redundant Storage) is optional and should be considered only if you have specific compliance, regulatory, or backup requirements that mandate an additional copy of vault data in a secondary region.

ASR failover is handled by replication configuration, not vault redundancy

Even if you choose GRS, it does not enable failover to a secondary region on its own

Cross‑region DR must be configured explicitly using ASR replication

In Azure Site Recovery, the Recovery Services vault is a management layer. Replication durability depends on Azure storage and ASR configuration not on vault redundancy settings.

Thanks,
Suchitra.

1 answer

Your answer

Answer 1

When designing on‑prem VMware disaster recovery to Azure using Azure Site Recovery (ASR), the Recovery Services Vault settings can be confusing because Microsoft documents backup and replication behaviors separately. The following reflects what most enterprise environments actually implement.

1. Soft Delete — Enable (Recommended)

Yes — Soft Delete should be enabled on the Recovery Services Vault.

Soft Delete provides a safety buffer against:

accidental deletion of vault items

malicious deletion or ransomware activity

administrative mistakes during DR operations

It ensures you have a recovery window before vault‑related data is permanently removed. Microsoft increasingly treats Soft Delete as a baseline security control. (ref: https://learn.microsoft.com/en-us/azure/backup/secure-by-default)

Important Clarification

Soft Delete in a Recovery Services Vault primarily protects:

backup metadata

vault‑protected objects

deleted backup items

It does not directly protect ASR‑replicated VM data the same way Azure Backup does.

However, enabling Soft Delete is still considered best practice because:

it adds a layer of protection with minimal operational impact

it aligns with governance and security baselines

most organizations enable it globally for consistency

Recommended Configuration

Enable Soft Delete

Retention: keep the default 14 days

Extend only if:

     regulatory or security policy requires longer retention
     
           you have concerns about ransomware dwell time or delayed detection

Microsoft strongly discourages disabling Soft Delete except in temporary lab, testing, or migration scenarios. (ref: https://docs.azure.cn/en-us/backup/backup-azure-security-feature-cloud)

Share via

Soft-Delete and Redundancy for Recovery Services Vault when protecting Onprem VMWare machines using Site Recovery

1 answer

1. Soft Delete — Enable (Recommended)

Important Clarification

Recommended Configuration

Your answer