Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Snapshot Manager Install and Upgrade Guide
  3. Section I. NetBackup Snapshot Manager installation and configuration
  4. NetBackup Snapshot Manager cloud providers
  5. Microsoft Azure plug-in configuration notes
NetBackup™ Snapshot Manager Install and Upgrade Guide

Microsoft Azure plug-in configuration notes

The Microsoft Azure plug-in lets you create, delete, and restore snapshots at the virtual machine level and the managed disk level.

Prerequisites

Before you configure the Azure plug-in, complete the following preparatory steps:

  • (Applicable only if user proceeds with application service principal route) Use the Microsoft Azure Portal to create an Azure Active Directory (AAD) application for the Azure plug-in.

  • Assign the required permissions to a role to access resources.

    For more information on Azure plug-in permissions required by NetBackup Snapshot Manager, See Configuring permissions on Microsoft Azure.

    In Azure you can assign permissions to the resources by one of the following methods:

    • Service principal: This permission can be assigned to user, group or an application.

    • Managed identity: Managed identities provide an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. There are two types of managed identities:

      • System-assigned

      • User-assigned

For more details, follow the steps mentioned in the Azure documentation.

Table: Microsoft Azure plug-in configuration parameters

NetBackup Snapshot Manager configuration parameter

Microsoft equivalent term and description

Credential type:

Application service principal

Note:

Assign a role to the application service principal.

Tenant ID

The ID of the Azure AD directory in which you created the application.

Client ID

The application ID.

Secret key

The secret key of the application.

Credential type:

System managed identity

Note:

Assign a role to the system managed identity.

Enable system managed identity on NetBackup Snapshot Manager host in Azure.

Credential type:

User managed identity

Note:

Assign a role to the user managed identity.

Client ID

The Client ID of the user managed identity connected to the NetBackup Snapshot Manager host.

Following parameters are applicable for all the above credential type's

Regions

One or more regions in which to discover cloud assets.

Note:

If you configure a government cloud, select US Gov Arizona, US Gov Texas US, or Gov Virginia.

Resource Group prefix

The prefix used to store the snapshots created for the assets in a different resource group other than the one in which the assets exist.

For example, if an asset exists in NetBackup Snapshot Manager and prefix for resource group is snap, then snapshots of assets in NetBackup Snapshot Manager resource group would be stored in snapNetBackup Snapshot Manager resource group.

Protect assets even if prefixed Resource Groups are not found

On selecting this check box, NetBackup Snapshot Manager would not fail the snapshot operation if resource group does not exists. It tries to store the snapshot in the original resource group.

Note:

The prefixed resource group region must be same as the original resource group region.

Configuring multiple accounts or subscriptions or projects
  • If you are creating multiple configurations for the same plug-in, ensure that they manage assets from different Subscriptions. Two or more plug-in configurations should not manage the same set of cloud assets simultaneously.

  • When multiple accounts are all managed with a single NetBackup Snapshot Manager server, the number of assets being managed by a single NetBackup Snapshot Manager instance might get too large. Hence it would be better to segregate the assets across multiple NetBackup Snapshot Manager servers for better load balancing.

  • To achieve application consistent snapshots, we would require agent/agentless network connections between the remote VM instance and NetBackup Snapshot Manager server. This would require setting up cross account/subscription/project networking.

Azure plug-in considerations and limitations

Consider the following before you configure the Azure plug-in:

  • The current release of the plug-in does not support snapshots of blobs.

  • NetBackup Snapshot Manager currently only supports creating and restoring snapshots of Azure-managed disks and the virtual machines that are backed up by managed disks.

  • NetBackup Snapshot Manager does not support snapshot operations for Ultra SSD disk types in an Azure environment. Even though NetBackup Snapshot Manager discovers the ultra disks successfully, any snapshot operation that is triggered on such disk assets fails with the following error:

    Snapshots of UltraSSD_LRS disks are not supported.
  • If you are creating multiple configurations for the same plug-in, ensure that they manage assets from different Tenant IDs. Two or more plug-in configurations should not manage the same set of cloud assets simultaneously.

  • When you create snapshots, the Azure plug-in creates an Azure-specific lock object on each of the snapshots. The snapshots are locked to prevent unintended deletion either from the Azure console or from an Azure CLI or API call. The lock object has the same name as that of the snapshot. The lock object also includes a field named "notes" that contains the ID of the corresponding VM or asset that the snapshot belongs to.

    Ensure that the notes field in the snapshot lock objects is not modified or deleted. Doing so will disassociate the snapshot from its corresponding original asset.

    The Azure plug-in uses the ID from the notes fields of the lock objects to associate the snapshots with the instances whose source disks are either replaced or deleted, for example, as part of the 'Original location' restore operation.

  • Azure plug-in supports the following GovCloud (US) regions:

    • US Gov Arizona

    • US Gov Texas

    • US Gov Virginia

    • US Gov Iowa

    • US DoD Central

    • US DoD East

  • Azure plug-in supports the following India regions:

    • Jio India West

    • Jio India Central

  • NetBackup Snapshot Manager Azure plug-in does not support the following Azure regions:

    Location

    Region

    US

    • US DoD Central

    • US DoD East

    • US Sec West

    China

    NetBackup Snapshot Manager does not support any regions in China.

    • China East

    • China East 2

    • China North

    • China North 2

    Germany

    • Germany Central (Sovereign)

    • Germany Northeast (Sovereign)

  • NetBackup Snapshot Manager also supports Microsoft Azure generation 2 type of virtual machines.

  • NetBackup Snapshot Manager does not support application consistent snapshots and granular file restores for Windows systems with virtual disks or storage spaces that are created from a storage pool. If a Microsoft SQL server snapshot job uses disks from a storage pool, the job fails with an error. But if a snapshot job for virtual machine which is in a connected state is triggered, the job might be successful. In this case, the file system quiescing and indexing is skipped. The restore job for such an individual disk to original location also fails. In this condition, the host might move to an unrecoverable state and requires a manual recovery.

  • If the disk of the VM are encrypted with disk encryption sets, then while restoring the VM in same or a different subscription, same resource_group_name must be present with same disk-encryption-set-name as that of source which was there while taking backup/snapshot. Else during pre-recovery check, restore of VM fails with the following error:

    The {disk-encryption-set-name} disk encryption set does not exist or it's key is deleted or disabled. Recovery can proceed with key: EncryptionAtRestWithPlatformKey

Feedback

Was this page helpful?
Previous

Preparing the GCP service account for plug-in configuration

Next

Configuring permissions on Microsoft Azure

Feedback

Was this page helpful?