Azure SQL Requirements and Considerations

Before you register an Azure SQL source on Cohesity DataProtect as a Service, ensure the following requirements are met:

  1. Register an application in Microsoft Entra ID (formerly Azure AD) and create a service principal for it. For information, see the Azure documentation.

  2. Create a client secret for the application; the service principal authenticates with it. Client secrets have an expiry date, so record it and rotate the secret before it lapses. For information, see the Azure documentation.

  3. Create a custom role at the subscription level that grants the operations listed under Required Permissions below, and no more.

    For information about creating a custom role, see the Azure documentation.

  4. Assign the custom role (together with the built-in roles listed under Required Roles below) to the application created in step 1.

    The application (client) ID and the client secret are required when you register the Azure source in Cohesity DataProtect as a Service.

  5. Ensure the ports listed in the Azure section of the Firewall Ports topic are open so that the Cohesity SaaS Connector(s) can communicate with the Azure environment.

  6. Ensure the SaaS Connectors can resolve, and reach through any outbound proxy or allow list, the following host names:

    • login.windows.net

    • management.azure.com

    • *.blob.core.windows.net

    • *.blob.storage.azure.net

  7. Ensure the SaaS Connector has a network path to the database:

    • For Azure SQL Database (a logical SQL server, not a Managed Instance), one of the following connection requirements must be met:

      • Public Access is enabled on the Networking page of the SQL server, and the IP firewall rules on that page admit the SaaS Connector's address,
        or

      • The SQL server has a Private Endpoint Connection in the VNET assigned to the SaaS Connection associated with this Azure source. For the steps to create a Private Endpoint Connection, see Azure Private Link for Azure SQL Database and Azure Synapse Analytics.

    • For databases in an Azure SQL Managed Instance, one of the following connection requirements must be met:

      • The Managed Instance is deployed in the same VNET assigned to the SaaS Connection associated with this Azure source,
        or

      • A two-way VNET Peering exists between the VNET of the SaaS Connection and the VNET of the Managed Instance, with the option "Allow XXX to access YYY" checked in both the local and the remote peering direction.
        For the steps to create a peering, see Create, change, or delete a virtual network peering.

    • The server name of the SQL server (or Managed Instance) must be reachable over TCP port 1433. You can use nping to confirm, for example nping --tcp -p 1433 <server name>. The server name is shown on the Overview page, for example sql-managed-instance.c17f785003dd.database.windows.net or cohesitysqlserver.database.windows.net.
      For more information, see Connect to Azure SQL Database Managed Instance with Virtual Network peering and Connect your application to Azure SQL Managed Instance.
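
The script below is an added example for steps 6 and 7, not part of this page or of Cohesity's tooling. Run it from the SaaS Connector's VNET: it resolves the host names from step 6 and attempts a TCP handshake to the SQL server name on port 1433, which is the socket equivalent of the nping check above. The SQL server name and the concrete storage host names under the two wildcard suffixes are assumptions; the first two endpoints are the ones listed on this page. A loopback self-check is included so the reachability logic can be exercised offline.

```python
"""Preflight connectivity check for a SaaS Connector: resolve the step 6
endpoints and confirm the SQL server name answers on TCP 1433 (step 7).

Added example, not Cohesity tooling. The SQL server name and the concrete
storage host names are assumptions; the first two endpoints are the page's.
"""
import json
import socket
import sys

# Hosts from step 6. The wildcard entries cannot be resolved as written, so a
# concrete host under each suffix (an assumed storage account name) is probed.
ENDPOINTS = [
    "login.windows.net",
    "management.azure.com",
    "examplebackupacct.blob.core.windows.net",   # assumed; stands in for *.blob.core.windows.net
    "examplebackupacct.blob.storage.azure.net",  # assumed; stands in for *.blob.storage.azure.net
]
SQL_PORT = 1433


def resolve(host):
    """IP addresses the connector's resolver returns for host ([] if none)."""
    try:
        return sorted({entry[4][0] for entry in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout. A refused
    connection and a silent timeout (typical of an NSG or firewall drop) both
    return False, so a False result means "check the network path", not "down"."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(sql_server, endpoints=ENDPOINTS, timeout=3.0):
    """Report DNS results for every endpoint plus the SQL server, and whether
    the SQL server accepts connections on 1433. 'ok' is True only when every
    name resolves and the port answers."""
    dns = {host: resolve(host) for host in endpoints + [sql_server]}
    port_open = bool(dns[sql_server]) and tcp_reachable(sql_server, SQL_PORT, timeout)
    return {"dns": dns, "sql_port_open": port_open, "ok": all(dns.values()) and port_open}


def loopback_self_check():
    """Offline check of tcp_reachable: a listener on an ephemeral loopback port
    must be reachable while open and unreachable once closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_open = tcp_reachable("127.0.0.1", port, 1.0)
    finally:
        listener.close()
    after_close = tcp_reachable("127.0.0.1", port, 1.0)
    return while_open and not after_close


if __name__ == "__main__":
    # Usage: python sql_preflight.py <server name from the Overview page>
    server = sys.argv[1] if len(sys.argv) > 1 else "cohesitysqlserver.database.windows.net"
    print(json.dumps(preflight(server), indent=2))
```

Where a Private Endpoint is used, the server name should resolve to a private address from the connector's VNET; a public address in the "dns" section with a False "sql_port_open" usually means the private DNS zone is not linked to that VNET.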

Required Permissions

The custom role from step 3 must grant the following operations, grouped by resource provider. Several of them (Microsoft.Storage/storageAccounts/listkeys/action, Microsoft.Compute/virtualMachines/runCommand/action and Microsoft.KeyVault/vaults/deploy/action) are high-privilege, so keep the role's assignable scope to the one subscription and do not substitute wildcard actions for this list.

Microsoft.ManagedIdentity
  Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

Microsoft.Resources
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.Resources/subscriptions/resourceGroups/write

Microsoft.Storage
  Microsoft.Storage/storageAccounts/blobServices/containers/read
  Microsoft.Storage/storageAccounts/blobServices/containers/write
  Microsoft.Storage/storageAccounts/listkeys/action
  Microsoft.Storage/storageAccounts/read
  Microsoft.Storage/storageAccounts/write

Microsoft.Network
  Microsoft.Network/dnszones/A/read
  Microsoft.Network/dnszones/A/write
  Microsoft.Network/dnszones/A/delete
  Microsoft.Network/networkInterfaces/read
  Microsoft.Network/networkInterfaces/write
  Microsoft.Network/networkInterfaces/delete
  Microsoft.Network/networkInterfaces/join/action
  Microsoft.Network/networkInterfaces/ipconfigurations/read
  Microsoft.Network/networkSecurityGroups/read
  Microsoft.Network/networkSecurityGroups/join/action
  Microsoft.Network/networkSecurityGroups/securityRules/read
  Microsoft.Network/privateEndpoints/read
  Microsoft.Network/privateEndpoints/write
  Microsoft.Network/privateEndpoints/delete
  Microsoft.Network/virtualNetworks/read
  Microsoft.Network/virtualNetworks/subnets/read
  Microsoft.Network/virtualNetworks/subnets/join/action
  Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action

Microsoft.Compute
  Microsoft.Compute/disks/read
  Microsoft.Compute/disks/write
  Microsoft.Compute/disks/delete
  Microsoft.Compute/disks/beginGetAccess/action
  Microsoft.Compute/disks/endGetAccess/action
  Microsoft.Compute/virtualMachines/read
  Microsoft.Compute/virtualMachines/write
  Microsoft.Compute/virtualMachines/delete
  Microsoft.Compute/virtualMachines/start/action
  Microsoft.Compute/virtualMachines/powerOff/action
  Microsoft.Compute/virtualMachines/deallocate/action
  Microsoft.Compute/virtualMachines/runCommand/action
  Microsoft.Compute/snapshots/read
  Microsoft.Compute/snapshots/write
  Microsoft.Compute/snapshots/delete
  Microsoft.Compute/snapshots/beginGetAccess/action
  Microsoft.Compute/snapshots/endGetAccess/action
  Microsoft.Compute/diskAccesses/read
  Microsoft.Compute/diskAccesses/write
  Microsoft.Compute/diskAccesses/delete
  Microsoft.Compute/diskAccesses/privateEndpointConnectionsApproval/action

Microsoft.KeyVault
  Microsoft.KeyVault/vaults/deploy/action

Microsoft.Sql
  Microsoft.Sql/servers/read
  Microsoft.Sql/servers/databases/read
  Microsoft.Sql/servers/databases/write
  Microsoft.Sql/servers/databases/delete
  Microsoft.Sql/servers/databases/usages/read
  Microsoft.Sql/managedInstances/read
  Microsoft.Sql/managedInstances/databases/read
  Microsoft.Sql/managedInstances/databases/write
  Microsoft.Sql/managedInstances/databases/delete
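
The following Python script is an added example for steps 3 and 4 and the permission list above; it is not Cohesity's or Microsoft's code. It builds the subscription-scoped custom role definition in the JSON shape that `az role definition create --role-definition` accepts, with exactly the 57 operations listed on this page, and it audits an existing role definition against that list so you can see what is missing, what is excess, and whether a wildcard such as Microsoft.Compute/* has crept in. The role name, description and placeholder subscription ID are assumptions.

```python
"""Build the subscription-scoped custom role for the Cohesity service principal
from the operation list on this page, and audit a role definition against it.

Added example; not Cohesity or Microsoft code. Role name, description and
subscription ID are assumptions; the action list is the page's own.
"""
import json
import sys
from fnmatch import fnmatchcase

_NETWORK = (
    ["dnszones/A/" + op for op in ("read", "write", "delete")]
    + ["networkInterfaces/" + op for op in
       ("read", "write", "delete", "join/action", "ipconfigurations/read")]
    + ["networkSecurityGroups/" + op for op in ("read", "join/action", "securityRules/read")]
    + ["privateEndpoints/" + op for op in ("read", "write", "delete")]
    + ["virtualNetworks/read"]
    + ["virtualNetworks/subnets/" + op for op in
       ("read", "join/action", "joinViaServiceEndpoint/action")]
)
_COMPUTE = (
    ["disks/" + op for op in
     ("read", "write", "delete", "beginGetAccess/action", "endGetAccess/action")]
    + ["virtualMachines/" + op for op in
       ("read", "write", "delete", "start/action", "powerOff/action",
        "deallocate/action", "runCommand/action")]
    + ["snapshots/" + op for op in
       ("read", "write", "delete", "beginGetAccess/action", "endGetAccess/action")]
    + ["diskAccesses/" + op for op in
       ("read", "write", "delete", "privateEndpointConnectionsApproval/action")]
)
_SQL = (
    ["servers/read"]
    + ["servers/databases/" + op for op in ("read", "write", "delete", "usages/read")]
    + ["managedInstances/read"]
    + ["managedInstances/databases/" + op for op in ("read", "write", "delete")]
)

# The 57 operations under "Required Permissions", one fully qualified name each.
REQUIRED_ACTIONS = sorted(
    ["Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
     "Microsoft.Resources/subscriptions/resourceGroups/read",
     "Microsoft.Resources/subscriptions/resourceGroups/write",
     "Microsoft.KeyVault/vaults/deploy/action"]
    + ["Microsoft.Storage/storageAccounts/" + op for op in
       ("read", "write", "listkeys/action",
        "blobServices/containers/read", "blobServices/containers/write")]
    + ["Microsoft.Network/" + op for op in _NETWORK]
    + ["Microsoft.Compute/" + op for op in _COMPUTE]
    + ["Microsoft.Sql/" + op for op in _SQL]
)


def build_role_definition(subscription_id, role_name="Cohesity Azure SQL Backup"):
    """JSON document for `az role definition create --role-definition`.
    AssignableScopes is pinned to the one subscription so the role cannot be
    assigned any more broadly than step 3 requires."""
    return {
        "Name": role_name,  # assumed name
        "IsCustom": True,
        "Description": "Backup and recovery of Azure SQL by Cohesity DataProtect as a Service",
        "Actions": list(REQUIRED_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def audit_role(definition, required=REQUIRED_ACTIONS):
    """Compare a role definition with the required list.

    Accepts the create-format document above (top-level "Actions") or the
    shape `az role definition list --name <role>` returns ("permissions"
    entries with "actions"). Returns (missing, excess, wildcards): required
    operations that no granted entry covers, granted entries that are not
    exactly a required operation, and granted entries containing '*', which
    grant more than this page asks for. Wildcards match like Azure does:
    Microsoft.Compute/* covers every Microsoft.Compute operation.
    """
    if "permissions" in definition:
        granted = [a for p in definition["permissions"] for a in p.get("actions", [])]
    else:
        granted = list(definition.get("Actions", []))
    required_set = set(required)
    missing = sorted(r for r in required if not any(fnmatchcase(r, g) for g in granted))
    excess = [g for g in granted if g not in required_set]
    wildcards = [g for g in granted if "*" in g]
    return missing, excess, wildcards


if __name__ == "__main__":
    # Usage: python cohesity_sql_role.py <subscription-id> > cohesity-sql-role.json
    sub = sys.argv[1] if len(sys.argv) > 1 else "00000000-0000-0000-0000-000000000000"
    json.dump(build_role_definition(sub), sys.stdout, indent=2)
```

Write the output to a file and create the role with `az role definition create --role-definition @cohesity-sql-role.json`, then assign it with `az role assignment create --assignee <application ID> --role "Cohesity Azure SQL Backup" --scope /subscriptions/<subscription ID>`; the built-in roles under Required Roles are assigned the same way. To audit a role that is already in place, pass the first element of the list returned by `az role definition list --name "<role>"` to audit_role: an empty missing list means the page's requirements are met, and anything in the excess or wildcards lists is privilege the service principal does not need.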

Required Roles

Assign the following roles to the application:

  • SQL Managed Instance Contributor - to discover/backup/restore SQL Managed Instance databases.

  • SQL DB Contributor - to discover/backup/restore databases on a logical SQL server (Azure SQL Database).

For more information on the permissions granted by these roles, see Azure built-in roles for Databases.

Firewall Ports

For firewall rules, see Azure SQL Database and Azure Synapse IP Firewall Rules.

Considerations

  • Transaction Log and Differential Backups are not supported for Azure SQL databases. This is due to a Microsoft limitation.

  • Azure Synapse Analytics SQL pools are not supported. This is due to a Microsoft limitation.

  • Databases with external elements are not supported. This is due to a Microsoft limitation.