Protect Azure Virtual Machines

Before you protect the Azure VMs in your Azure source, you must set up a SaaS Connection for each region under each Azure subscription in your Azure source. A SaaS Connection consists of one or more SaaS Connectors, which are VMs that act as data movers between your data sources and the Cohesity DataProtect as a Service.

Once you set up a SaaS Connection, you are ready to protect the Azure VMs in the Azure source.

To protect your Azure virtual machines:

1. In DataProtect as a Service, navigate to Sources, find the registered Azure source and click into it.

2. Click the Azure VM tab.

3. Use the checkboxes to select the objects (VMs) for protection.

   Optionally, you can configure auto-protect at the Azure tenant, subscription, or resource group levels. When this option is enabled at a particular level, all the VMs that are added to that level in the future are automatically protected from the next protection run. Additionally, you can also perform tag-based auto-protection of Azure VMs.

   • To auto-protect the VMs based on the hierarchy level, click the Hierarchy View icon located at the right corner of the page, and perform one of the following steps listed in the table below:

     To auto-protect the Azure VMs..	Action
     At the tenant level	Select the checkbox of the Azure source, and then select Auto Protect This Azure Tenant.
     At the subscription level	Select the checkbox of the subscription, and then select Auto Protect This Subscription.
     At the resource group level	Select the checkbox of the resource group, and then select Auto Protect This Resource Group.

   • To auto-protect the VMs based on tag, click the Tag icon at the right corner of the page. Select the checkbox of a tag and then select Auto Protect this Tag to auto-protect the VMs with this tag.

     

   You can exclude individual VMs from auto-protection by clicking the auto-protect icon () next to the VM. VMs excluded from auto-protection are displayed with the exclude () icon.
   

4. Click the Protect icon above the checkboxes.

5. To exclude any disks of the VM from protection:

   1. Click the edit icon displayed next to Add Objects.

      

   2. Click the All Volumes edit icon displayed next to the VM of which you want to exclude the disk.

   3. Unselect the disks that you want to exclude from protection.

      You cannot exclude the root disk from protection.

   4. Click Save > Continue.

   You cannot exclude disk at the object level for auto-protected VMs. To exclude disk for auto-protect VMs, use the Volume Exclusion Settings option in the Additional Settings.

6. To exclude auto-protection of VMs based on Tags:

   1. Click the edit icon displayed next to Add Objects.

   2. Click the Tags icon located at the right corner of the page.

      

      The tags associated with the VMs are displayed.

   3. Click the exclude icon next to the tag to exclude the auto-protection of VMs associated with that tag.

   4. Click Continue.

7. Choose a policy to specify backup frequency and retention. If you don't have a policy, you can easily create one.

8. To change or configure any of the additional settings, select More Options and perform the below steps, or else, click Protect.

9. Under Settings, edit the Start Time if necessary.

10. In the SLA field, define how long the administrator expects a protection run to take. Enter:

    1. Full. The number of minutes you expect a full protection run, which captures all the blocks in an object, to take.

    2. Incremental. The number of minutes you expect an incremental protection run, which captures only the changed blocks in an object, to take.

    

11. If you need to change any of the additional settings, click the down arrow icon next to Additional Settings and click Edit.

12. Click Protect.

Cohesity DataProtect as a Service starts backing up the Azure VMs you selected. You can monitor the status of the backup in the Activity page.

Also, the Activity tab of a specific Azure VM shows the history of all protection runs, including the one in progress.

Additional Settings

Advance Settings	Description
Pause Future Runs	Toggle on this option to stop protection runs from executing. Once you enable this option, no protection runs will be scheduled.
End Date	If you need to end protection on a specific date, enable this to select the date.
Azure SAS URL Type	For the backup of Azure VMs, Cohesity uses the snapshots of Azure managed disks that are accessible through SAS URLs. Select one of the following endpoint options to access data from the SAS URL: Public Endpoint: Select this option to access snapshots over a public network. Private Endpoint: Select this option to access snapshots using a private IP address from your virtual network. Click Configure Network Details for Private Endpoints and provide the following details for configuring the private endpoint: Virtual Network: Select a virtual network in Azure. Ensure the virtual network of the SaaS connector and the private endpoint is the same. Subnet: Select a subnet of the virtual network.
Volume Exclusion Settings	Use the following parameters to form a boolean expression for excluding disks: Name automation cohesity::helios::uuid email environment expiry location non-business-hrs purpose rigel squad test user weekend For example, the expression, (name = net_volume AND environment IN (qa, dev)) OR sqaud = eng, excludes all volumes from protection for which the volume tags meet the above condition. Exclusion of disks enabled at the object level will take precedence over the exclusion configured here.
Quiet Times	(Available only if the selected policy has at least one Quiet Time.) When enabled, all the protection runs that are currently executing will cancel when the Quiet Time period starts. By default, this setting is disabled, meaning that after a protection run starts, it continues to execute even when a Quiet Time period starts. However, new protection runs will not start during a Quiet Time.