%% Use bold for emphasis and italics for quotes or phrases %%

%% ## Sections %%

%% ## What problem does it solve %%

### Azure Backup Vault

Azure Backup Vault is a storage entity that integrates with selected Azure services so that (scheduled) Backup Policies can be executed against Backup Instances. [[#^1|(1)]]

Currently<sup>as of 12.2025</sup> supported services [[#^2|(2)]]:

- On-premises
- Azure VMs
- Azure Managed Disks
- Azure Files shares
- SQL Server in Azure VMs
- SAP HANA databases in Azure VMs
- **Azure Database for PostgreSQL servers**
- Azure Blobs
- ==Azure Database for PostgreSQL Flexible server==
- Azure Kubernetes Service
- Azure Database for MySQL - Flexible Server backup (preview)
- SAP ASE (Sybase) database backup on Azure VMs (preview)

%% ## How does it solve it %%

### Flavours of PostgreSQL

> *I will have some Azure Cosmos DB for PostgreSQL Clusters with Citus coordinator nodes and 10 worker nodes, with a side of Azure Database for PostgreSQL Flexible Servers with burstable compute ~~and two Azure Database for PostgreSQL Servers~~. No elastic clusters, thank you.*

Azure currently<sup>as of 12.2025</sup> offers three services [[#^3|(3)]] for PostgreSQL databases <sup>(I am using the 'proper' resource-type names, as the 'official' customer-facing names are ambiguous)</sup>:

- 'Microsoft.DBforPostgreSQL/servers' - Azure Database for PostgreSQL Single Server (retired in 2025)
- 'Microsoft.DBforPostgreSQL/flexibleServers' - Azure Database for PostgreSQL Flexible Server
- 'Microsoft.DBforPostgreSQL/serverGroupsv2' - Azure Cosmos DB for PostgreSQL Cluster

>[!tip] Extra info
>As the documentation pages show, even though PostgreSQL 'server groups' are listed together with the other two, they are not the same: only 'flexibleServers' and 'servers' are supported by Azure Backup Vault.
>
>The explanation is fairly simple: 'serverGroupsv2' is a special type of service, which is neither 'Cosmos DB' proper (Cosmos DB has its own backups) nor a traditional PostgreSQL database, but a Citus-based cluster that runs PostgreSQL distributed tables underneath.
><sup>This is a topic for another article :)</sup>
>
>Hence, 'serverGroupsv2' is scalable both **vertically** (compute hardware) and **horizontally** (nodes), while 'flexibleServers' scale only **vertically** (compute hardware).

%% ## How to use it %%

### Backup and Restoration

I will not describe how to perform the backup step by step, as it is a fairly simple routine on its own. The difficulty I experienced occurred with *Azure Database for PostgreSQL Flexible Server* specifically.

The process involves creating an Azure Backup Vault with a Managed Identity (a User-assigned Managed Identity is recommended) that has access to the CMK encryption key in Azure Key Vault. The backup itself is configured through Backup Instances and Backup Policies. The configurable features vary by deployment provider, be it AzureRM, AzAPI or the Azure Portal. I would like to share what the documentation highlights as requirements.

#### Backups

>[!quote] Documentation [[#^4|(4)]]
>"To perform the backup operation:
>1. Grant permissions to the backup vault MSI on the target ARM resource (PostgreSQL-Flexible server), establishing access, and control.
>2. Configure backup policies, specify scheduling, retention, and other parameters."

>[!quote] Documentation [[#^4|(4)]]
>"Permissions for backup
>For successful backup operations, the vault MSI needs the following permissions:
>1. _Restore_: Storage Blob Data Contributor role on the target storage account.
>2. _Backup_:
>   a. _PostgreSQL Flexible Server Long Term Retention Backup Role_ on the server.
>   b. _Reader_ role on the resource group of the server."
#### Restoration

>[!quote] Documentation [[#^5|(5)]]
>"Before you restore Azure Database for PostgreSQL - Flexible Server, ensure the following prerequisites are met:
>- Cross Region Restore is supported only for a Backup vault that uses Storage Redundancy as Geo-redundant.
>- Review the support matrix for a list of supported managed types and regions.
>- Cross Region Restore incurs extra charges. Learn more about pricing.
>  Once you enable Cross Region Restore, it might take up to 48 hours for the backup items to be available in secondary regions.
>- Review the permissions required to use Cross Region Restore."

>[!quote] Documentation [[#^6|(6)]]
>"Restore permissions on the target storage account
>To assign the Backup vault's managed identity permission to access the storage account containers, follow these steps:
>1. In the Azure portal, go to **Storage Account** > **Access Control (IAM)**, and then select **Add**.
>2. On the **Add role assignment** pane, in the **Role** dropdown list, select the **Storage Blob Data Contributor** role for the Backup vault's managed identity."

>[!quote] Documentation [[#^7|(7)]]
>"Prerequisites
>Before you restore from Azure Database for PostgreSQL Flexible server backups, review the following prerequisites:
>- Ensure that you have the required [permissions for the restore operation](https://learn.microsoft.com/en-us/azure/backup/backup-azure-database-postgresql-flex-overview#permissions-for-backup).
>- Backup data is stored in the Backup vault as a blob within the Microsoft tenant. During a restore operation, the backup data is copied from one storage account to another across tenants. Ensure that the target storage account for the restore has the **AllowCrossTenantReplication** property set to **true**.
>- Ensure the target storage account for restoring backup as a file is accessible via a public network.
>  If the storage account uses a private endpoint, [update its public network access settings](https://learn.microsoft.com/en-us/azure/backup/backup-azure-database-postgresql-flex-manage#enable-public-network-access-for-the-database-storage-account) before executing a restore operation."

>[!quote] Documentation [[#^8|(8)]]
>"Backup vault uses managed identity to access other Azure resources. To restore from backup, Backup vault's managed identity requires a set of permissions on the Azure PostgreSQL – Flexible Server to which the database should be restored.
>
>To assign the relevant permissions for vault's system-assigned managed identity on the target PostgreSQL – Flexible server, check the [set of permissions](https://learn.microsoft.com/en-us/azure/backup/backup-azure-database-postgresql-flex-overview#azure-backup-authentication-with-the-postgresql-server) needed to backup Azure PostgreSQL – Flexible Server database.
>
>To restore the recovery point as files to a storage account, the **Backup vault's system-assigned managed identity** needs access on the **target storage account**."

#### The problem

The idea looks rather simple: the *Operator* creates an Azure Backup Vault, a Backup Policy and a Backup Instance. The design involves a Storage Account, an Azure Key Vault, a PostgreSQL Flexible Server database and a User-assigned Managed Identity with the appropriate RBAC roles. The documentation outlines the following roles:

- ['PostgreSQL Flexible Server Long Term Retention Backup Role'](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/databases#postgresql-flexible-server-long-term-retention-backup-role) on the database server, for performing backups.
- ['Reader'](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#reader) on the Resource Group of the server.
- ['Storage Blob Data Contributor'](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-blob-data-contributor) on the Storage Account, for restoring backup files into blob containers.

Sounds clear, so why would a User-assigned Managed Identity **have all those roles and still fail** when attempting to restore the backup files from Azure Backup Vault into a Storage Account's blob container? Why would both the manual assignment and the automatic (Azure Portal) assignment result in a greyed-out =='Assign missing roles'== button with one hardly relevant error message, =="Restore parameters validation failed. View details"==?

This problem took me 2-3 days to track down, and I found the solution just before opening a ticket with Support.

**Let's scroll up...**

>"Ensure the target storage account for restoring backup as a file is accessible via a public network. If the storage account uses a private endpoint, [update its public network access settings](https://learn.microsoft.com/en-us/azure/backup/backup-azure-database-postgresql-flex-manage#enable-public-network-access-for-the-database-storage-account) before executing a restore operation."

<center><img src="https://media.tenor.com/r8tcf2YZ5TIAAAAM/blinking-eyes-white-guy.gif"></center>

A Storage Account that is ==Private Endpoint secured== and ==non-public== must have **public network access enabled** before backup files can be restored into it. The portal surfaces only the RBAC check (the 'Assign missing roles' button); the network prerequisite shows up as nothing more than "Restore parameters validation failed". Not only does this contradict most Microsoft Defender for Cloud recommendations, it also makes little sense given that Azure Backup Vault can back up databases in private networks (performing backups works, restoration does not).

If you have to live with it, treat it as a time-boxed exception rather than a permanent setting: enable public network access immediately before the restore, trigger the restore, and disable public access again as soon as the files have landed in the container, so the account is reachable from the internet for minutes rather than indefinitely. The vault accesses the container with its managed identity through the Storage Blob Data Contributor assignment, so no shared keys or SAS tokens need to be handed out for the operation.
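Because the portal only reports the RBAC part of the prerequisites, it pays to validate everything quoted above in one place before triggering a restore. The following pre-flight check is an added example written for this article, not code from the original page or from Microsoft. It evaluates the vault identity's role assignments (including inheritance from the subscription or resource group) and the target Storage Account's network and replication settings against the documented requirements. The input is constructed sample data in the JSON shape returned by `az role assignment list --assignee <principalId> --all` and `az storage account show`; the subscription, resource group and resource names are placeholders, and the firewall default-action check is my own assumption (the documentation only states that the account must be reachable over a public network).

```python
"""Pre-flight check for restoring a PostgreSQL Flexible Server recovery point
from an Azure Backup vault "as files" into a storage account.

Added example for this article (not Microsoft's code). Input mirrors the JSON
shape of `az role assignment list --assignee <principalId> --all` and
`az storage account show`; the sample below is constructed, with placeholder
subscription, resource group and resource names.
"""

# Built-in role names exactly as reported in roleDefinitionName.
BACKUP_ROLE = "PostgreSQL Flexible Server Long Term Retention Backup Role"
READER_ROLE = "Reader"
BLOB_ROLE = "Storage Blob Data Contributor"

# Constructed sample scopes (placeholders, not real resources).
SUB_ID = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_ID = SUB_ID + "/resourceGroups/rg-pg"
SERVER_ID = RG_ID + "/providers/Microsoft.DBforPostgreSQL/flexibleServers/pg-flex-01"
STORAGE_ID = RG_ID + "/providers/Microsoft.Storage/storageAccounts/stpgrestore"

# Constructed sample: all three documented roles are present (Reader inherited
# from the subscription), but the storage account is locked down the way
# Defender for Cloud wants it, which is exactly the failing case.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": BACKUP_ROLE, "scope": SERVER_ID},
    {"roleDefinitionName": READER_ROLE, "scope": SUB_ID},
    {"roleDefinitionName": BLOB_ROLE, "scope": STORAGE_ID},
]
SAMPLE_STORAGE_ACCOUNT = {
    "id": STORAGE_ID,
    "publicNetworkAccess": "Disabled",
    "allowCrossTenantReplication": False,
    "networkRuleSet": {"defaultAction": "Deny"},
}


def scope_covers(assigned_scope, target_scope):
    """ARM role assignments are inherited downwards and scopes are
    case-insensitive, so an assignment at the subscription or resource group
    covers the resource underneath it."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def has_role(assignments, role_name, scope):
    return any(
        ra["roleDefinitionName"] == role_name and scope_covers(ra["scope"], scope)
        for ra in assignments
    )


def check_restore_prerequisites(assignments, storage_account, server_id, resource_group_id):
    """Return a list of findings; an empty list means the documented
    prerequisites for a restore-as-files operation are all satisfied."""
    findings = []

    # 1. RBAC for the vault's managed identity (documentation: "Permissions for backup").
    required = (
        (BACKUP_ROLE, server_id),
        (READER_ROLE, resource_group_id),
        (BLOB_ROLE, storage_account["id"]),
    )
    for role, scope in required:
        if not has_role(assignments, role, scope):
            findings.append(f"rbac: '{role}' missing on {scope}")

    # 2. Storage account prerequisites from the restore documentation. These are
    #    the ones the portal reports only as "Restore parameters validation failed".
    if storage_account.get("publicNetworkAccess") != "Enabled":
        findings.append("network: publicNetworkAccess must be 'Enabled' for the restore window")
    elif storage_account.get("networkRuleSet", {}).get("defaultAction") == "Deny":
        # Assumption: a Deny default action blocks the copy as well, since the
        # vault reaches the account over its public endpoint.
        findings.append("network: firewall defaultAction is 'Deny'; the vault copies over the public endpoint")

    if storage_account.get("allowCrossTenantReplication") is not True:
        findings.append("storage: allowCrossTenantReplication must be true "
                        "(the backup blob is copied from the Microsoft tenant)")
    return findings


if __name__ == "__main__":
    result = check_restore_prerequisites(
        SAMPLE_ASSIGNMENTS, SAMPLE_STORAGE_ACCOUNT, SERVER_ID, RG_ID
    )
    for line in result or ["ready: all documented prerequisites satisfied"]:
        print(line)
```

Run against the sample it reports only the two storage-account findings, which is the situation described above: every role is in place and the restore still cannot start. In practice, replace the sample with `json.load` of the real `az role assignment list --assignee <vault principalId> --all -o json` and `az storage account show -n <account> -g <rg> -o json` output, and re-run the check after you have reverted public network access once the restore completes.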
**However, in case you do encounter this problem: enabling public network access on the target Storage Account for the duration of the restore was the solution.**

## References

### Section 1 - Azure Backup Vault

- https://learn.microsoft.com/en-us/azure/backup/backup-vault-overview ^1
- https://learn.microsoft.com/en-us/azure/backup/backup-overview ^2

### Section 2 - Flavours of PostgreSQL

- https://learn.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/flexibleservers?pivots=deployment-language-arm-template ^3
- https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-supported-versions (extra)

### Section 3 - Backup and Restoration

- https://github.com/hashicorp/terraform-provider-azurerm/issues/29028 (extra)
- https://docs.azure.cn/en-us/backup/backup-azure-database-postgresql-flex-overview ^4
- https://learn.microsoft.com/en-us/azure/backup/tutorial-restore-postgresql-flex ^5
- https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/backup/tutorial-restore-postgresql-flex.md (mirror)
- https://learn.microsoft.com/en-us/azure/backup/restore-azure-database-postgresql ^6
- https://learn.microsoft.com/en-us/azure/backup/restore-azure-database-postgresql-flex ^7
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-database-postgresql-flex-restore-cli ^8

## Metadata

Date of creation: 2025-12-04
Date of revision: 2025-12-12