Deploy Azure SaaS Connectors
Once you register your Azure tenant as a source, you must set up a SaaS Connection to protect the resources of the Azure source. A SaaS Connection acts as a data mover between your data sources and Cohesity DataProtect as a Service.
A SaaS Connection consists of one or more SaaS Connectors, which are virtual machines (VMs) that . Each Azure SaaS Connector is a Standard_D8s_v3 instance.
You can create a SaaS Connection in a virtual network within any subscription of your Azure source. This SaaS Connection can be used to protect multiple virtual network resources across different subscriptions, provided they belong to the same region where the SaaS Connection is deployed.
This is a Private Preview feature. Cohesity recommends you use this feature only in non-production environments. Contact your Cohesity account team to enable the feature.
Set up an Azure SaaS Connection
Setting up an Azure SaaS Connection for an Azure Source involves two major steps:
Creating a SaaS Connection
You can create a SaaS Connection within any subscription of your Azure source. Once created, the SaaS Connection can be used to protect the resources in virtual networks across multiple subscriptions within that source.
To create an Azure SaaS Connection:
- In DataProtect as a Service, navigate to Sources.
- Choose one of the following options based on your scenario:
  - If you are adding the SaaS connection to an Azure source for the first time:
    Click the Actions menu (⋮) next to the Azure source and select Setup SaaS Connection.
  - If the Azure source already has an existing SaaS connection:
    Select the Azure source. On the Sources page, go to the Connections tab, then click Add Connection in the top-right corner.
  The Create Connection page appears.
- In the Connection Details section, provide the following details:
  - Source: The Azure source selected for creating the connection (pre-selected).
  - Subscription: Select the subscription where you want to create the SaaS Connection.
  - Region: From the drop-down list, select the Azure region where you have the Azure cloud services to protect.
  - Resource Group: From the drop-down list, select a resource group that will hold the resources related to the SaaS Connection.
  - Number of Connectors: Enter the number of SaaS Connectors you want to deploy in the region.
- In the Network Settings section, provide the following details:
  - Network Resource Group: From the drop-down list, select the resource group for the virtual network.
  - Virtual Network: From the drop-down list, select a virtual network to which you want to connect the SaaS connections.
    You cannot use the same virtual network for multiple SaaS connections in the same region.
  - Subnet: Select the subnet where you want the SaaS Connectors to be launched.
- In the Other Settings (Optional fields) section, provide the following details:
  - Network Security Group: The Network Security Group controls the network traffic to and from the SaaS Connector within a virtual network. From the drop-down list, select a security group that will be associated with the specified subnet. You can select multiple network security groups.
  - Application Security Group: You can use the Application Security Group to group the SaaS Connectors. Select the application security groups you want to attach to the SaaS Connector.
  - Azure Managed Identity: Enter the managed identity that must be attached to the SaaS Connectors. This setting cannot be edited later. Example:
    /subscriptions/1234ab56-a2b2-a1b1-a12b-abc12345c678d/resourcegroups/example-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myManagedIdentity
    For Azure SQL, the SaaS Connector’s managed identity will be used to authenticate to the SQL server for export/import if the SQL server source’s credential setting is set to “Managed Identity”.
    For more information on managed identity, see Microsoft Azure documentation.
  - DNS Servers: Enter the IP addresses of the DNS servers that the SaaS Connectors should use. Separate multiple IPs with commas. Ensure the Active Directory DNS IP address (if applicable) is listed first. Verify that the NTP servers and other entities in the system can be resolved by the specified DNS server. By default, 8.8.8.8 is used as the Domain Name System (DNS) server.
  - NTP Servers: Enter the IP addresses or the Fully Qualified Domain Name of the NTP server(s) that must be used to synchronize the time on the SaaS Connector. By default, time.google.com is used as the NTP server.
  - Tags: Specify the tags to be used for your SaaS Connectors.
- Click Create Connections.
The SaaS Connection is now created in the selected virtual network and subscription.
Mapping the Virtual Networks to the SaaS Connection
To use a SaaS Connection for protecting the virtual network resources of the subscriptions in the Azure source, you must map the virtual networks with the SaaS Connections. Mapping allows a single SaaS Connection to protect virtual network resources that belong to different subscriptions. You can select multiple virtual networks across subscriptions within the same region where the SaaS Connection is created.
To map the virtual network:
- After creating the SaaS connection, the Mapping page appears.
- Select the virtual networks whose resources you want to protect using the SaaS Connection. You can select virtual networks across subscriptions within the same region where the SaaS Connection is created.
  You cannot select the same virtual network for multiple SaaS connections in the same region.
- Click Save.
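A pre-flight check for the constraints stated in the creation and mapping steps above, as an added example that is not Cohesity code and calls no Cohesity or Azure API. The plan schema (`name`, `region`, `vnet`, `mapped_vnets`, `managed_identity`, `dns_servers`, `ad_dns`) and the sample values are assumptions made for illustration, and the check assumes a virtual network counts as used whether a connection is deployed into it or maps it.

```python
import ipaddress
import re
from collections import defaultdict

# Shape of a user-assigned managed identity resource ID, as in the page's example.
IDENTITY_ID = re.compile(
    r"^/subscriptions/[0-9a-f-]+/resourcegroups/[^/]+/providers/"
    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$", re.IGNORECASE)

def check_plan(connections):
    """Return findings for planned SaaS Connections (hypothetical dict schema)."""
    findings = []
    vnet_use = defaultdict(set)  # (region, vnet) -> connections using it
    for c in connections:
        name, region = c["name"], c["region"].lower()
        vnet_use[(region, c["vnet"].lower())].add(name)
        for vnet, vnet_region in c.get("mapped_vnets", {}).items():
            if vnet_region.lower() != region:
                findings.append(f"{name}: mapped vnet {vnet} is in {vnet_region}, not {region}")
            vnet_use[(vnet_region.lower(), vnet.lower())].add(name)
        ident = c.get("managed_identity")
        if ident and not IDENTITY_ID.match(ident):
            findings.append(f"{name}: managed identity is not a full resource ID")
        dns = [d.strip() for d in c.get("dns_servers", "").split(",") if d.strip()]
        for d in dns:
            try:
                ipaddress.ip_address(d)
            except ValueError:
                findings.append(f"{name}: DNS entry {d!r} is not an IP address")
        if not dns:  # the page states 8.8.8.8 is used when nothing is entered
            findings.append(f"{name}: no DNS servers set, default 8.8.8.8 applies")
        ad_dns = c.get("ad_dns")
        if ad_dns and dns and dns[0] != ad_dns:
            findings.append(f"{name}: Active Directory DNS {ad_dns} is not listed first")
    for (region, vnet), users in sorted(vnet_use.items()):
        if len(users) > 1:  # one virtual network, several connections, same region
            findings.append(f"{vnet} ({region}) is used by {', '.join(sorted(users))}")
    return findings

# Constructed sample plan; names, IDs and addresses are illustrative only.
SAMPLE_PLAN = [
    {"name": "conn-east-1", "region": "eastus", "vnet": "sub-a/vnet-backup",
     "mapped_vnets": {"sub-b/vnet-apps": "eastus", "sub-c/vnet-db": "westus"},
     "managed_identity": "myManagedIdentity",
     "dns_servers": "10.0.0.5, 10.0.0.4", "ad_dns": "10.0.0.4"},
    {"name": "conn-east-2", "region": "eastus", "vnet": "sub-b/vnet-apps"},
]

if __name__ == "__main__":
    print("\n".join(check_plan(SAMPLE_PLAN)))
```

Because the managed identity cannot be edited after creation, running a check like this against the planned values before clicking Create Connections catches a malformed identity ID while it is still cheap to fix.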