Maximizing Data Protection Across Azure with Soft Delete and Why You Should Consider It
For this year's Azure Spring Clean we are going to look at soft delete. Soft delete in Azure adds a safety net to the way we work by preserving deleted items for a period of time should you need to un-delete them. In some cases, however, this feature needs to be manually enabled, especially on older resources that are already deployed. In this post we will look at which Azure services offer soft delete, the different settings, and some things to consider when enabling the feature.
Why Enable Soft Delete
When mistakes happen it is beneficial to have a way to quickly undo any accidental deletions. You may have thought an item could be removed only to find later it was being used. Being able to restore the item can save a lot of time and effort.
Another scenario is a malicious actor. With soft delete and purge protection enabled it is impossible for them to permanently delete the item before the retention period has expired, giving you a chance to restore it.
Overall the soft delete feature gives a level of reassurance that you can recover your data after a deletion.
Azure Services
A range of Azure services offer the ability to enable soft delete features. Some of these services have had soft delete for many years such as blob storage (2018), while for others it is a recent addition, still in preview.
The links below show how these can be turned on and the considerations to be aware of when using the feature for the given service:
- Blob Storage (Blobs, Blob Containers and VM Disks)
- Azure File Shares
- Key Vault
- Azure App Configuration
- Machine Learning Workspaces
- Azure Active Directory
- Azure Backup
- Azure Container Registry (Preview)
- Azure API Management (Preview)
Retention Periods
Each of the services has had the soft delete feature added at a different time and, as such, has a different set of retention periods and configuration options.
- VM backup - Deleted backup data is retained for 14 days
- Blobs and Blob Containers - Configurable between 1 and 365 days (enabled with 7 days retention is the default); this can be turned on and off at any time
- Azure File Shares - Configurable between 7 and 365 days; initially disabled, however it can be toggled on and off at any time
- Azure AD - By default, Azure AD keeps deleted Azure AD user objects in soft-deleted state for 30 days
- Azure App Configuration - Configurable on creation between 7 and 90 days (90 days default)
- Key Vault - Configurable on creation between 7 and 90 days (90 days default)
- Azure API Management - Any deleted APIM resource is kept for 48 hours then deleted
Purge Protection
Once an item has been deleted (where soft delete is enabled) in most cases it is possible to fully delete the item early, before its expiration.
With Azure Key Vault and Azure App Configuration we can enable purge protection. Once this is enabled, items can only be fully removed after the retention period has expired. It is worth noting that purge protection is off by default and, once enabled, it cannot be disabled.
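To check the settings covered in the Retention Periods and Purge Protection sections across deployed resources, here is an added example (not from the original post) that audits the JSON printed by `az storage account blob-service-properties show`, `az storage account file-service-properties show` and `az keyvault show`. The sample documents are constructed for the example, and the 7-day policy minimum is an assumption of the example rather than an Azure default.

```python
import json

# Organisation policy threshold used by this example (an assumption, not an Azure default).
POLICY_MIN_DAYS = 7


def check_policy(label, policy, findings):
    """policy: an az CLI *RetentionPolicy dict of the form {"enabled": bool, "days": int}."""
    policy = policy or {}
    if not policy.get("enabled"):
        findings.append(f"{label}: soft delete disabled")
    elif (policy.get("days") or 0) < POLICY_MIN_DAYS:
        findings.append(f"{label}: retention {policy['days']} days below policy minimum {POLICY_MIN_DAYS}")


def audit_storage(account, blob_props, file_props):
    """blob_props / file_props: JSON from `az storage account blob-service-properties show`
    and `az storage account file-service-properties show` for one storage account."""
    findings = []
    check_policy(f"{account} blobs", blob_props.get("deleteRetentionPolicy"), findings)
    check_policy(f"{account} containers", blob_props.get("containerDeleteRetentionPolicy"), findings)
    check_policy(f"{account} file shares", file_props.get("shareDeleteRetentionPolicy"), findings)
    return findings


def audit_key_vault(vault):
    """vault: JSON from `az keyvault show`. Purge protection is null/false when off (the default)."""
    p = vault.get("properties") or {}
    findings = []
    if not p.get("enableSoftDelete"):
        findings.append(f"{vault['name']}: soft delete disabled")
    if not p.get("enablePurgeProtection"):
        findings.append(f"{vault['name']}: purge protection off")
    return findings


# Constructed sample CLI output (not real resources) in the shape the commands above print.
SAMPLE_BLOB = json.loads('{"deleteRetentionPolicy": {"enabled": true, "days": 3},'
                         ' "containerDeleteRetentionPolicy": {"enabled": false, "days": null}}')
SAMPLE_FILE = json.loads('{"shareDeleteRetentionPolicy": {"enabled": true, "days": 14}}')
SAMPLE_VAULT = json.loads('{"name": "kv-example", "properties": {"enableSoftDelete": true,'
                          ' "softDeleteRetentionInDays": 90, "enablePurgeProtection": null}}')


def run_sample_audit():
    """Returns the list of findings for the constructed samples (three findings expected)."""
    return audit_storage("stexample", SAMPLE_BLOB, SAMPLE_FILE) + audit_key_vault(SAMPLE_VAULT)


if __name__ == "__main__":
    for line in run_sample_audit():
        print(line)
```

Feed it real output by piping each `az ... show -o json` result into `json.loads` in place of the constructed samples.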
Reasons to Not Enable
Soft delete is a great feature, and some services such as Key Vault and App Configuration have it enabled by default on creation. In 2025 soft delete will be enabled by default on existing Key Vaults. That said, it is worth considering a few scenarios in which you may not want to enable the feature.
The largest reason would be the cost considerations. In some cases, such as blobs you will still be charged for the data while it is in a soft delete state, before it is fully removed. This is not true however for services such as key vault so you would need to look further on a service-by-service basis.
Even when soft-deleted items are not listed, with some services, such as APIM, the name of the resource cannot be reused until it has been fully deleted. In this case you have to wait until the retention period has passed before you can reuse the name.
It is also worth considering any legal requirements you have. If you are required to remove items of personal data for example in a given time frame then soft delete may or may not be compatible with this.
Summary
Soft delete is a very useful feature, giving us the reassurance that if something is deleted it can be un-deleted again. Adding purge protection where available adds the further benefit that soft-deleted items cannot be removed before the end of the retention period.
We see the feature being rolled out to more and more services, so it is worth checking your deployed resources to see if you need to enable the feature.
This blog post is part of Azure Spring Clean 2023; please check out the website for some great Azure articles.
Title photo by Steve Johnson on Unsplash