> Software > Virtual Machines > Azure > Configuration

Prerequisites for configuring Azure VM backups

Before you configure backups for Azure VMs, ensure the following prerequisites that allows Commvault to access Azure VMs are met.

General

The following requirements apply to all types of authentication methods.

Azure Access and Scope

  • Azure Subscription ID(s).

  • Azure Tenant ID.

  • Required Azure RBAC role assigned at the appropriate scope (subscription or resource group):

    • Contributor role, or
    • The cvbackuprole with following permissions:
      • Microsoft.Compute/*
      • Microsoft.Network/*
      • Microsoft.Storage/*
      • Microsoft.Resources/*

  • Role assignment must cover all subscriptions or resource groups containing the VMs to be protected.

Azure Environment Requirements

  • Azure Resource Manager (ARM) deployment model (Classic model is not supported).

  • No Azure policies blocking snapshot creation or disk access.

  • Sufficient Azure snapshot and storage quotas available.

Application and secret

When you want to configure backups on either hosted infrastructure or your own access nodes, Commvault supports the use of a managed identity and an Azure application and a secret. This method requires manual creation and configuration of an Azure AD application (service principal).

  • A pre-created Azure AD Application (Service Principal).

  • Obtain the following credentials:

    • Application (Client) ID
    • Directory (Tenant) ID
    • Client Secret

  • Client secret or certificate must be valid and not expired.

  • Administrator consent granted for required API permissions.

  • Secure storage mechanism for the application secret or certificate.

Managed identity

When you want to configure backups on your own access nodes, Commvault supports the use of a managed identity. This method uses Azure Managed Identity instead of stored credentials.

  • Commvault MediaAgent / VSA access node must be deployed within Azure.

  • One of the following:

    • System-assigned Managed Identity enabled on the Azure VM hosting the Commvault component.
    • User-assigned Managed Identity created and attached to the Azure VM.

  • Access to Azure Instance Metadata Service (IMDS).

Express configuration (SaaS only)

An Express configuration automatically creates and configures the required Azure AD application and assigns permissions.

  • An Azure account with Global Administrator or Application Administrator role in Azure Active Directory (AAD).

  • Has permission to:

    • Register applications in Azure AD
    • Create service principals
    • Grant admin consent
    • Assign Azure RBAC roles at the subscription or resource group level

  • Ability to authenticate interactively during the configuration workflow (popup-based Azure login).

×

Loading...