Azure Requirements and Considerations

This topic covers the following:

Requirements and Considerations For Azure VM Protection

Before you register your Azure sources with Cohesity DataProtect as a Service, ensure that the Azure VMs you want to back up are in regions Cohesity supports, that you have met the prerequisites, and that you have read the considerations.

For information on the supported cloud regions where you can back up this source, see Supported Workloads and Cloud Regions.

Requirements

Before you register Azure with Cohesity DataProtect as a Service, ensure:

  • You have completed the following steps:

    1. Register an application with Azure AD and create a service principal. For information, see the Azure documentation.

    2. Create an application secret key for setting up authentication for the service principal. For information, see the Azure documentation.

    3. Create a custom role at the subscription level with the required permissions for backup and recovery.

      For information about creating a custom role, see the Azure documentation.

    4. Assign the custom role to the Azure AD application created in step 1. For more information, see the Azure documentation.

      The application ID and application secret key are required when you register the Azure source with the Cohesity DataProtect as a Service.

  • The ports listed in the Azure section of the Firewall Ports topic are open to allow communication between the Cohesity SaaS Connector(s) and the Azure environment.

  • SaaS Connectors are able to resolve the following URLs by name:

    • login.windows.net

    • management.azure.com

    • *.blob.core.windows.net

  • *.blob.storage.azure.net is whitelisted.

  • Cohesity DataProtect as a Service supports the regions where the Azure VMs you want to back up are located.

  • To recover files and folders of Azure VMs:

    • Firewall port 50051 must be open on the target VM.

    • The target VM must be reachable via a private IP from the SaaS connector.

Required Permissions

Resource Provider   Operation Name

Microsoft.Resources
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write

Microsoft.Storage
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/write
  • Microsoft.Storage/storageAccounts/listkeys/action
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/write

Microsoft.Network
  • Microsoft.Network/dnszones/A/read
  • Microsoft.Network/dnszones/A/write
  • Microsoft.Network/dnszones/A/delete
  • Microsoft.Network/networkInterfaces/write
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkInterfaces/join/action
  • Microsoft.Network/networkInterfaces/delete
  • Microsoft.Network/networkInterfaces/ipconfigurations/read
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/join/action
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Network/privateEndpoints/read
  • Microsoft.Network/privateEndpoints/write
  • Microsoft.Network/privateEndpoints/delete
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action

Microsoft.Compute
  • Microsoft.Compute/disks/beginGetAccess/action
  • Microsoft.Compute/disks/delete
  • Microsoft.Compute/disks/endGetAccess/action
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/disks/write
  • Microsoft.Compute/virtualMachines/start/action
  • Microsoft.Compute/virtualMachines/powerOff/action
  • Microsoft.Compute/virtualMachines/write
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachines/delete
  • Microsoft.Compute/virtualMachines/runCommand/action
  • Microsoft.Compute/virtualMachines/deallocate/action
  • Microsoft.Compute/snapshots/write
  • Microsoft.Compute/snapshots/read
  • Microsoft.Compute/snapshots/beginGetAccess/action
  • Microsoft.Compute/snapshots/endGetAccess/action
  • Microsoft.Compute/snapshots/delete
  • Microsoft.Compute/diskAccesses/write
  • Microsoft.Compute/diskAccesses/read
  • Microsoft.Compute/diskAccesses/delete
  • Microsoft.Compute/diskAccesses/privateEndpointConnectionsApproval/action

Microsoft.KeyVault
  • Microsoft.KeyVault/vaults/deploy/action

Considerations

  • Cohesity DataProtect as a Service supports the protection of UEFI boot mode-enabled Azure VMs running on the following guest operating systems:

    • Windows 2012, 2016, 2019

    • Ubuntu 14, 16, 18, 20

    • RHEL 6.x, 7.x, 8.x

    • CentOS 6.x, 7.x

  • All the disk sizes on the Azure VM must be a multiple of 1MB because Azure only allows creating disks whose size is a multiple of 1MB.

  • Cohesity DataProtect as a Service supports the protection of Azure VMs with the following configurations:

    • Managed disks - Standard_LRS, Premium_LRS, StandardSSD_LRS, Premium_ZRS, or StandardSSD_ZRS.

    • Unmanaged disks

  • The Private Endpoint option is not supported for the VMs selected using auto-protect. To use a private endpoint, you must manually select the VMs for protection.

  • The disk size limit of an Azure VM using a private endpoint is 32 TB.

  • VMs encrypted through ADE cannot be restored to a different location unless the user replicates the keys used to encrypt the VM to the new location. VMs encrypted using Azure SSE do not have this issue.

  • Managed disk VMs in a powered-off state are shown as 0 bytes in size in the entity hierarchy of the Azure source. However, backup and recovery of the VM is supported in the powered-off state.

  • Recovery of the unmanaged disk with different SKU types will depend on the storage container where the recovery is performed.

  • Recovery of an unmanaged disk VM to the original location looks for the same resource group, storage account, storage container and blobs that were created during backup. If any of these resources have been deleted, the restore fails.

  • VMs recovered from an Availability Set to a different location do not retain the Availability Set parameters.

  • VMs with static IP will not be recovered back with static IP.

  • You can perform file and folder recovery to an Azure VM Linux instance only if that instance is of x86_64 architecture.

  • Recovery of an Azure VM with a disk containing more than 50 tags may fail with the following error:

    Unable to complete the task. RPC status: 400, Azure response: {"error":{"code":"InvalidTags","message":"Too many tags specified. Requested tag count - '51'. Maximum number of tags allowed - '50'."}}

  • Cohesity DataProtect as a Service does not support:

    • File download.

    • Cloning.

    • App consistent backup.

    • LDM for OS disk.

    • Backup of shared managed disks.

    • Backup of Managed Ultra disks.

    • Backup of the Azure VM having ephemeral volumes.

    • Backup of Azure disks larger than 8 TB using a private endpoint.

    • Backup of Azure VMs with the new disk type Premium SSD v2 LRS.

    • Azure Stack Hub for Azure VM backups.

Requirements and Considerations for Azure SQL Protection

Before you register an Azure SQL source on Cohesity DataProtect as a Service, ensure the following requirements are met:

  1. Register an application with Azure Entra ID and create a service principal. For information, see the Azure documentation.

  2. Create an application secret key for setting up authentication for the service principal. For information, see the Azure documentation.

  3. Create a custom role at the subscription level with the required permissions for backup and recovery.

    For information about creating a custom role, see the Azure documentation.

  4. Assign the custom role to the Azure Entra ID application created in step 1.

    The application ID and application secret key are required when you register the Azure source with the Cohesity cluster.

  5. The ports listed in the Azure section of the Firewall Ports topic are open to allow communication between the Cohesity SaaS Connector(s) and the Azure environment.

  6. SaaS Connectors are able to resolve the following URLs by name:

    • login.windows.net

    • management.azure.com

    • *.blob.core.windows.net

    • *.blob.storage.azure.net (must also be whitelisted)

  7. Ensure the following:

    • For regular Azure SQL databases (not Managed Instance databases), the connection requirements are:

      • Public Access must be enabled on the Networking page of the SQL instance,

        or

      • The SQL instance must have a Private Endpoint Connection created for the VNET assigned to the SaaS Connection associated with this Azure source. For the steps to create a Private Endpoint Connection, see Azure Private Link for Azure SQL Database and Azure Synapse Analytics.

    • For databases in SQL Managed Instances, the connection requirements are:

      • The SQL Managed Instance must be configured on the same VNET assigned to the SaaS Connection associated with this Azure source,

        or

      • A two-way VNET peering must be created between the VNET of the SaaS Connection and the VNET of the SQL Managed Instance, with the following option checked for both the local and remote peering directions: “Allow XXX to access YYY”.

        For the steps to create a peering, see Create, change, or delete a virtual network peering.

    • The server name of the SQL Server (or Managed Instance) must be reachable over port 1433. You can use the nping utility to confirm reachability. The server name is displayed on the Overview page, for example sql-managed-instance.c17f785003dd.database.windows.net or cohesitysqlserver.database.windows.net.

      For more information, see Connect to Azure SQL Database Managed Instance with Virtual Network peering and Connect your application to Azure SQL Managed Instance.

Required Permissions

Resource Provider   Operation Name

Microsoft.ManagedIdentity
  • Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

Microsoft.Resources
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write

Microsoft.Storage
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/write
  • Microsoft.Storage/storageAccounts/listkeys/action
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/write

Microsoft.Network
  • Microsoft.Network/dnszones/A/read
  • Microsoft.Network/dnszones/A/write
  • Microsoft.Network/dnszones/A/delete
  • Microsoft.Network/networkInterfaces/write
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkInterfaces/join/action
  • Microsoft.Network/networkInterfaces/delete
  • Microsoft.Network/networkInterfaces/ipconfigurations/read
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/join/action
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Network/privateEndpoints/read
  • Microsoft.Network/privateEndpoints/write
  • Microsoft.Network/privateEndpoints/delete
  • Microsoft.Network/virtualNetworks/read
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action

Microsoft.Compute
  • Microsoft.Compute/disks/beginGetAccess/action
  • Microsoft.Compute/disks/delete
  • Microsoft.Compute/disks/endGetAccess/action
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/disks/write
  • Microsoft.Compute/virtualMachines/start/action
  • Microsoft.Compute/virtualMachines/powerOff/action
  • Microsoft.Compute/virtualMachines/write
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachines/delete
  • Microsoft.Compute/virtualMachines/runCommand/action
  • Microsoft.Compute/virtualMachines/deallocate/action
  • Microsoft.Compute/snapshots/write
  • Microsoft.Compute/snapshots/read
  • Microsoft.Compute/snapshots/beginGetAccess/action
  • Microsoft.Compute/snapshots/endGetAccess/action
  • Microsoft.Compute/snapshots/delete
  • Microsoft.Compute/diskAccesses/write
  • Microsoft.Compute/diskAccesses/read
  • Microsoft.Compute/diskAccesses/delete
  • Microsoft.Compute/diskAccesses/privateEndpointConnectionsApproval/action

Microsoft.KeyVault
  • Microsoft.KeyVault/vaults/deploy/action

Microsoft.Sql
  • Microsoft.Sql/servers/read
  • Microsoft.Sql/servers/databases/read
  • Microsoft.Sql/servers/databases/write
  • Microsoft.Sql/servers/databases/delete
  • Microsoft.Sql/servers/databases/usages/read
  • Microsoft.Sql/managedInstances/read
  • Microsoft.Sql/managedInstances/databases/read
  • Microsoft.Sql/managedInstances/databases/write
  • Microsoft.Sql/managedInstances/databases/delete
Required Roles

Assign the following roles to the application:

  • SQL Managed Instance Contributor - to discover/backup/restore SQL Managed Instance databases.

  • SQL DB Contributor - to discover/backup/restore Logical SQL Server databases.

For more information on the permissions granted by these roles, see Azure built-in roles for Databases.
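As an added example, not Cohesity's or Microsoft's own code, the following script covers the custom-role steps of both the Azure VM and the Azure SQL requirements above: it builds the subscription-scoped role definition from the two Required Permissions tables and lists the az CLI commands that create the role and bind it (together with the built-in SQL roles) to the registered application. The role name, subscription ID and application ID are placeholders, and the az command syntax is assumed from the Azure CLI.

```python
import json
VM_PERMISSIONS = {  # operation names copied from the Required Permissions tables
    "Microsoft.Resources/subscriptions/resourceGroups": ["read", "write"],
    "Microsoft.Storage/storageAccounts": ["blobServices/containers/read",
        "blobServices/containers/write", "listkeys/action", "read", "write"],
    "Microsoft.Network/dnszones/A": ["read", "write", "delete"],
    "Microsoft.Network/networkInterfaces": ["write", "read", "join/action", "delete",
        "ipconfigurations/read"],
    "Microsoft.Network/networkSecurityGroups": ["read", "join/action", "securityRules/read"],
    "Microsoft.Network/privateEndpoints": ["read", "write", "delete"],
    "Microsoft.Network/virtualNetworks": ["read", "subnets/read", "subnets/join/action",
        "subnets/joinViaServiceEndpoint/action"],
    "Microsoft.Compute/disks": ["beginGetAccess/action", "delete", "endGetAccess/action",
        "read", "write"],
    "Microsoft.Compute/virtualMachines": ["start/action", "powerOff/action", "write", "read",
        "delete", "runCommand/action", "deallocate/action"],
    "Microsoft.Compute/snapshots": ["write", "read", "beginGetAccess/action",
        "endGetAccess/action", "delete"],
    "Microsoft.Compute/diskAccesses": ["write", "read", "delete",
        "privateEndpointConnectionsApproval/action"],
    "Microsoft.KeyVault/vaults": ["deploy/action"],
}
SQL_EXTRA_PERMISSIONS = {  # operations that appear only in the Azure SQL table
    "Microsoft.ManagedIdentity/userAssignedIdentities": ["assign/action"],
    "Microsoft.Sql/servers": ["read", "databases/read", "databases/write", "databases/delete",
        "databases/usages/read"],
    "Microsoft.Sql/managedInstances": ["read", "databases/read", "databases/write",
        "databases/delete"],
}

def build_role(name, subscription_id, workload="vm"):
    """Role definition in the JSON shape az expects, assignable only inside one subscription."""
    groups = dict(VM_PERMISSIONS, **SQL_EXTRA_PERMISSIONS) if workload == "sql" else VM_PERMISSIONS
    actions = [f"{prefix}/{op}" for prefix, ops in groups.items() for op in ops]
    return {"Name": name, "IsCustom": True, "Actions": actions, "NotActions": [],
            "DataActions": [], "NotDataActions": [],
            "AssignableScopes": [f"/subscriptions/{subscription_id}"]}

def az_steps(role, app_id, path="role.json"):
    """Commands to create the role, then bind it (plus the SQL built-in roles) to the app."""
    scope = role["AssignableScopes"][0]
    roles = [role["Name"]]
    if any(a.startswith("Microsoft.Sql/") for a in role["Actions"]):
        roles += ["SQL DB Contributor", "SQL Managed Instance Contributor"]
    return [f"az role definition create --role-definition @{path}"] + [
        f'az role assignment create --assignee {app_id} --role "{r}" --scope {scope}' for r in roles]

def write_role(role, path="role.json"):  # writes the file az reads via @role.json
    json.dump(role, open(path, "w"), indent=2)
```

Run `write_role(build_role("<role-name>", "<subscription-id>", "sql"))` and then the commands returned by `az_steps(role, "<app-id>")`, substituting the placeholders with your own values.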

Firewall Ports

For firewall rules, see Azure SQL Database and Azure Synapse IP Firewall Rules.

Considerations

  • Transaction Log and Differential Backups are not supported for Azure SQL databases. This is due to a Microsoft limitation.

  • Azure SQL Pool/Synapse is not supported. This is due to a Microsoft limitation.

  • Databases with external elements are not supported. This is due to a Microsoft limitation.