Backup SLA policies¶
Afi SaaS backup for Microsoft Azure uses the concept of a backup SLA policy to protect virtual machines and configure custom backup settings, such as frequency, retention and archiving settings, and encryption keys (Afi- or customer-managed). A resource or a set of resources can be protected by an SLA policy directly on the Service → Protection screen, or an SLA policy can be assigned to a group of resources on the Service → Protection → Resource groups tab, enabling automatic protection for resources added to the group.
Backup SLA policies are managed on the Service → Settings → SLA tab in the Afi portal. Upon tenant onboarding, Afi automatically creates a set of predefined backup SLA policies (Gold, Silver, Bronze, Manual). Administrators can also create additional SLA policies as needed, allowing them to customize protection for different sets of resources within a tenant. The service cost is not influenced by the backup SLA policies used, so you are free to select or configure any policies that best suit your use cases.
Backup SLA policy management¶
Backup SLA policies for a tenant are configured and managed on the Service → Settings → SLA tab in the Afi portal.
You can view and modify the settings of an SLA policy by clicking its tile in the policy list, or create a new SLA policy by clicking the Add new SLA button in the top-right corner of the screen.
The SLA policy settings available for configuration are explained below.
Data to backup¶
This section allows you to configure which workloads are backed up by the Afi service for resources protected by an SLA policy. Currently, Afi provides protection for Azure virtual machines, with support for Azure databases coming in H1 2025.
Schedule¶
SLA schedule settings allow you to define how often backups are run for resources protected by a specific SLA policy. The service can either run backups automatically once or three times per day, or you can select the Manual frequency to launch backups manually from the Afi portal. If the Manual frequency is selected, the Afi service will not initiate backups for the associated resources automatically. In most cases, it is recommended to use the automatic backup options (once or three times per day) to ensure your data is backed up periodically and in a timely manner.
For SLA policies with periodic backup frequencies, the Afi service triggers backups within defined backup windows that span several hours:
- Once per day backup frequency: A single 9-hour backup window. The start time of this window can be configured when this frequency is selected.
- Three times per day backup frequency: Three 6-hour backup windows are distributed throughout the day.
Spreading backup start times across a backup window is essential to avoid peak loads on Microsoft Azure services and to prevent API throttling.
Retention¶
By default, Afi retains all backup snapshots for each backed up resource indefinitely. However, you can configure custom backup version or GFS data retention rules for an SLA policy to specify how long backup snapshots are retained by the service. The available data retention rules are described in the following article.
Please note that the Afi service enforces retention rules only to the backups that protected by an SLA policy and are backed up periodically. If a resource is not protected by an SLA policy, the service will continue to keep its backup together with all historical backup snapshots, but no custom retention or archiving rules will be applied.
Archiving¶
Archiving rules define how long the Afi service will keep a backup for a resource protected by an SLA policy after it is marked as Archived on the Afi side. A resource becomes Archived when it is deleted on the Azure side. Archiving rules are described in detail in the following article.
Encryption¶
By default, all Afi backups are encrypted using per-tenant Afi-managed encryption keys. Additionally, Afi supports configuring customer-managed cloud KMS encryption keys that allow service administrators to meet regulatory requirements and gain an additional layer of control over their backup data. Customer-managed (BYOK) encryption setup is described in this section.
Protecting resources with a backup SLA policy¶
Once you selected or configured a backup SLA policy that you plan to use, you can assign it to a resource or a set of resources on the Service → Protection tab. When a resource is protected with an SLA policy, you can trigger its backup by clicking on the Backup now button.
You can also assign a backup SLA policy to a group of resources that belong to a selected Azure resource group, subscription, or management group, and automatically protect all resources that are added in this group on the Service → Protection → Resource Groups tab. Please see the following guide for more details.
For Microsoft Azure tenants, you can create multiple independent backup sequences for a resource (e.g., a virtual machine) by protecting it multiple times using different backup SLA policies (e.g., Gold and Silver). This approach enables you to back up resource data to multiple backup storage locations in different regions (coming in H1 2025).
Please note that each backup sequence is linked to its corresponding backup SLA policy. If you assign a new backup SLA to a resource and initiate a backup, it will create a new backup sequence from scratch.