Installing Protegrity Appliances on Azure

Azure is a cloud computing service offered by Microsoft, which provides services for compute, storage, and networking. It also provides software, platform, and infrastructure services along with support for different programming languages, tools, and frameworks.

The Azure cloud platform includes the following components:

1 - Verifying Prerequisites

This section describes the prerequisites, including the hardware and network requirements, for installing and using Protegrity appliances on Azure.

Prerequisites

The following prerequisites are essential to install the Protegrity appliances on Azure:

  • Sign in URL for the Azure account
  • Authentication credentials for the Azure account
  • Working knowledge of Azure
  • Access to the My.Protegrity portal

Before you begin:

Ensure that you use the following order to create a virtual machine on Azure:

| Order | Description |
|-------|-------------|
| 1 | Create a Resource Group |
| 2 | Create a Storage Account |
| 3 | Create a Container |
| 4 | Obtain the Azure BLOB |
| 5 | Create an image from the BLOB |
| 6 | Create a VM from the image |

Hardware Requirements

As the Protegrity appliances are hosted and run on Azure, the hardware requirements are dependent on the configurations provided by Microsoft. However, these requirements can change based on the customer requirements and budget. The actual hardware configuration depends on the actual usage or amount of data and logs expected.

The minimum recommendation for an appliance is 8 CPU cores and 32 GB memory. This option is available under the Standard_D8s_v3 option on Azure.

For more information about the hardware requirements of ESA, refer here.

Network Requirements

The Protegrity appliances on Azure are provided with an Azure virtual networking environment. The virtual network enables you to access other instances of Protegrity resources in your project.

For more information about configuring Azure virtual network, refer here.

2 - Azure Cloud Utility

The Azure Cloud Utility is an appliance component that is available for supporting features specific to Azure Cloud Platform. For Protegrity appliances, this component must be installed to utilize the services of Azure Accelerated Networking and Azure Linux VM agent. If you are utilizing the Azure Accelerated Networking or Azure Linux VM agent, then it is recommended to not uninstall this component.

When you upgrade or install the appliance from an Azure v10.0.0 blob, the Azure Cloud Utility is installed automatically in the appliance.

3 - Setting up Azure Virtual Network

The Azure virtual network is a service that provides connectivity to the virtual machine and services on Azure. You can configure the Azure virtual network by specifying usable IP addresses. You can also create and configure subnets, network gateways, and security settings.

For more information about setting up Azure virtual network, refer to the Azure virtual network documentation at:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

If you are using the ESA or the DSG appliance with Azure, ensure that the inbound and outbound ports of the appliances are configured in the virtual network.

For more information about the list of inbound and outbound ports, refer to section Open Listening Ports.

4 - Creating a Resource Group

Resource Groups in Azure are a collection of multiple Azure resources, such as virtual machines, storage accounts, virtual networks, and so on. The resource groups enable managing and maintaining the resources as a single entity.

For more information about creating resource groups, refer to the Azure resource group documentation at:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-portal

5 - Creating a Storage Account

Azure storage accounts contain all the Azure storage data objects, such as disks, blobs, files, queues, and tables. The data in the storage accounts are scalable, secure, and highly available.

For more information about creating storage accounts, refer to the Azure storage accounts documentation at:

https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account

6 - Creating a Container

The data storage objects in a storage account are stored in a container. Similar to directories in a file system, containers in Azure contain BLOBs. You add a container in Azure to store the ESA BLOB.

For more information about creating a container, refer to the following link:

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-portal

7 - Obtaining the Azure BLOB

In Azure, you can share files across different storage accounts. The ESA, which is packaged as a BLOB, is shared across storage accounts on Azure. A BLOB is a data type that is used to store unstructured file formats. Azure supports BLOB storage to store unstructured data, such as audio, text, images, and so on. The BLOB of the appliance is shared by Protegrity to the client’s storage account.

Before creating the instance on Azure, you must obtain the BLOB from the My.Protegrity portal. On the portal, you select the required ESA version and choose Azure as the target cloud platform. You then share the product to your cloud account. The following steps describe how to share the BLOB to your cloud account.

To obtain and share the BLOB:

  1. Log in to the My.Protegrity portal with your user account.

  2. Click Product Management > Explore Products > Data Protection.

  3. Select the required ESA Platform Version from the drop-down.

    The Product Family table will update based on the selected ESA Platform Version.

    The ESA Platform Versions listed in the drop-down menu reflect all versions. These include versions that were either previously downloaded or shipped within the organization, along with any newer versions available thereafter. Navigate to Product Management > My Product Inventory to check the list of products previously downloaded.

    The images in this section consider the ESA as a reference. Ensure that you select the required image.

  4. Select the Product Family.

    The description box will populate with the Product Family details.

    Product Family Screen

  5. Click View Products to advance to the product listing screen.

    Product List Screen

    | Callout | Element Name | Description |
    |---------|--------------|-------------|
    | 1 | Target Platform Details | Shows details about the target platform. |
    | 2 | Product Name | Shows the product name. |
    | 3 | Product Family | Shows the product family name. |
    | 4 | OS Details | Shows the operating system name. |
    | 5 | Version | Shows the product version. |
    | 6 | End of Support Date | Shows the final date that Protegrity will provide support for the product. |
    | 7 | Action | Click the View icon (View) to open the Product Detail screen. |
    | 8 | Export as CSV | Downloads a .csv file with the results displayed on the screen. |
    | 9 | Search Criteria | Type text in the search field to specify the search filter criteria or filter the entries using the following options: OS; Target Platform. |
    | 10 | Request one here | Opens the Create Certification screen for a certification request. |

  6. Select the Azure cloud target platform you require and click the View icon (View) from the Action column.

    The Product Detail screen appears.

    Product Detail Screen

    | Callout | Element Name | Description |
    |---------|--------------|-------------|
    | 1 | Product Detail | Shows the following information about the product: Product name; Family name; Part number; Version; OS details; Hardware details; Target platform details; End of support date; Description. |
    | 2 | Product Build Number | Shows the product build number. |
    | 3 | Release Type Name | Shows the type of build, such as, release, hotfix, or patch. |
    | 4 | Release Date | Shows the release date for the build. |
    | 5 | Build Version | Shows the build version. |
    | 6 | Actions | Shows the following options for download: click the Share Product icon to share the product through the cloud; click the Download Signature icon to download the product signature file; click the Download Readme icon to download the Release Notes. |
    | 7 | Download Date | Shows the date when the file was downloaded. |
    | 8 | User | Shows the user name who downloaded the build. |
    | 9 | Active Deployment | Select the check box to mark the software as active. Clear the check box to mark the software as inactive. This option is available only after you download a product. |
    | 10 | Product Build Number | Shows the product build number. |

  7. Click the Share Product icon (Cloud) to share the desired cloud product.

    If the access to the cloud products is restricted and the Customer Cloud Account details are not available, then a message appears. The message displays the information that is required and the contact information for obtaining access to cloud share.

    A dialog box appears and your available cloud accounts will be displayed.

    Account Selection Screen

  8. Select your required cloud account in which to share the Protegrity product.

  9. Click Share.

    A message box is displayed with the command line interface (CLI) instructions with the option to download a detailed PDF containing the cloud web interface instructions. Additionally, the instructions for sharing the cloud product are sent to your registered email address and to your notification inbox in My.Protegrity.

    Sharing Command

  10. Click the Copy icon (Cloudcopy) to copy the command for sharing the cloud product and run the command in CLI. Alternatively, click Instructions to download the detailed PDF instructions for cloud sharing using the CLI or the web interface.

  • The cloud sharing instruction file is saved in a .pdf format. You need a reader, such as, Acrobat Reader to view the file.

  • The Cloud Product will be shared with your cloud account for seven (7) days from the original share date in the My.Protegrity portal.

  • After the seven (7) day time period, you need to request a new share of the cloud product through My.Protegrity.com.

8 - Creating Image from the Azure BLOB

After you obtain the BLOB from Protegrity, you must create an image from the BLOB. The following steps describe the parameters that must be selected to create an image.

To create an image from the BLOB:

  1. Log in to the Azure portal.

  2. Select Images and click Create.

  3. Enter the details in the Resource Group, Name, and Region text boxes.

  4. In the OS disk option, select Linux.

  5. In the VM generation option, select Gen 1.

  6. In the Storage blob drop-down list, select the Protegrity Azure BLOB.

  7. Enter the appropriate information in the required fields and click Review + create.

    The image is created from the BLOB.

9 - Creating a VM from the Image

After obtaining the image, you can create a VM from it. For more information about creating a VM from the image, refer to the following link.

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine

To create a VM:

  1. Log in to the Azure homepage.

  2. Click Images.

    The list of all the images appears.

  3. Select the required image.

  4. Click Create VM.

  5. Enter details in the required fields.

  6. Select SSH public key in the Authentication type option. Do not select Password as the authentication type. As a security measure, Protegrity recommends against password-based authentication.

  7. In the Username text box, enter the name of a user. Note that this user will not have SSH access to the appliance. Refer to the section Created OS user and SSH access to appliance for more details.

    This user is added as an OS level user in the appliance. Ensure that the following usernames are not provided in the Username text box:

  8. Select the required SSH public key source.

  9. Enter the required information in the Disks, Networking, Management, and Tags sections.

  10. Click Review + Create.

    The VM is created from the image.

  11. After the VM is created, you can access the appliance from the CLI Manager or Web UI.

Created OS user and SSH access to appliance

The OS user that is created in step 7 does not have SSH access to the appliance. If you want to provide SSH access to this user, log in to the appliance as another administrative user and toggle SSH access. In addition, update the user to permit Linux shell access (/bin/sh).

10 - Accessing the Appliance

After setting up the virtual machine, you can access the appliance through the IP address that is assigned to the virtual machine. It is recommended to access the appliance with the administrative credentials.

If the number of unsuccessful password attempts exceeds the value defined in the password policy, then the account gets locked.

For more information on the password policy for the admin and viewer users, refer here, and for the root and local_admin OS users, refer here.

11 - Finalizing the Installation of Protegrity Appliance on the Instance

When you install the appliance, it generates multiple security identifiers such as, keys, certificates, secrets, passwords, and so on. These identifiers ensure that sensitive data is unique between two appliances in a network. When you receive a Protegrity appliance image, the identifiers are generated with certain values. If you use the security identifiers without changing their values, then security is compromised and the system might be vulnerable to attacks.

Rotating Appliance OS keys to finalize installation

Using Rotate Appliance OS Keys, you can randomize the values of these security identifiers for an appliance. During the finalization process, you run the key rotation tool to secure your appliance.

If you do not complete the finalization process, then some features of the appliance may not be functional including the Web UI.

For example, if the OS keys are not rotated, then you might not be able to add appliances to a Trusted Appliances Cluster (TAC).

For information about the default passwords, refer to the Release Notes 10.0.0.

Finalizing ESA Installation

You can finalize the installation of the ESA after signing in to the CLI Manager.

Before you begin

Ensure that the finalization process is initiated from a single session only. If you start finalization simultaneously from a different session, then the message "Finalization is already in progress." appears. You must wait until the finalization of the instance is successfully completed.

Additionally, ensure that the appliance session is not interrupted. If the session is interrupted, then the instance becomes unstable and the finalization process is not completed on that instance.

To finalize ESA installation:

  1. Sign in to the ESA CLI Manager of the instance created using the default administrator credentials.

    The following screen appears.

    Finalizing Installation Confirmation screen

  2. Select Yes to initiate the finalization process.

    The screen to enter the administrative credentials appears.

    If you select No, then the finalization process is not initiated.

    To manually initiate the finalization process, navigate to Tools > Finalize Installation and press ENTER.

  3. Enter the credentials for the admin user and select OK.

    A confirmation screen to rotate the appliance OS keys appears.

  4. Select OK to rotate the appliance OS keys.

    The following screen appears.

    1. To update the user passwords, provide the credentials for the following users:

      • root
      • admin
      • viewer
      • local_admin
    2. Select Apply.

    The user passwords are updated and the appliance OS keys are rotated.

    The finalization process is completed.

Default products installed on appliances

The appliance comes with some products installed by default. If you want to verify the installed products or install additional products, then navigate to Administration > – Installations and Patches – > Add/Remove Services.

For more information about installing products, refer to the section Working with Installation and Packages in the Protegrity Installation Guide.

12 - Accelerated Networking

Accelerated networking is a feature provided by Microsoft Azure which enables the user to improve the performance of the network. This is achieved by enabling Single-root input/output virtualization (SR-IOV) to a virtual machine.

In a virtual environment, SR-IOV specifies the isolation of PCIe resources to improve manageability and performance. The SR-IOV interface helps to virtualize, access, and share the PCIe resources, such as, the connection ports for graphic cards, hard drives, and so on. This successfully reduces the latency, network jitters and CPU utilization.

As shown in figure below, the virtual switch is an integral part of a network for connecting the hardware and the virtual machine. The virtual switch helps in enforcing the policies on the virtual machine. These policies include access control lists, isolation, network security controls, and so on, and are implemented on the virtual switch. The network traffic routes through the virtual switch and the policies are implemented on the virtual machine. This results in higher latency, network jitters, and higher CPU utilization.

Without Accelerated Networking

However, in an accelerated network, the policies are applied on the hardware. The network traffic only routes through the network cards directly forwarding it to the virtual machine. The policies are applied on the hardware instead of the virtual switch. This helps the network traffic to bypass the virtual switch and the host while maintaining the policies applied at the host. Reducing the layers of communication between the hardware and the virtual machine helps to improve the network performance.

With Accelerated Networking

Following are the benefits of accelerated networking:

  • Reduced Latency: Bypassing the virtual switch from the data path increases the number of packets which are processed in the virtual machine.
  • Reduced Jitter: Bypassing the virtual switch and host from the network reduces the processing time for the policies. The policies are directly implemented on the virtual machine thereby reducing the network jitters caused by the virtual switch.
  • CPU Utilization: Applying the policies to the hardware and implementing them directly on the virtual machine reduces the workload on the CPU to process these policies.

Prerequisites

The following prerequisites are essential to enable or disable the Azure Accelerated Networking feature.

Supported Instance Sizes for Accelerated Networking

There are several series of instance sizes used on the virtual machines that support the accelerated networking feature.

These include the following:

  • D/DSv2
  • D/DSv3
  • E/ESv3
  • F/FS
  • FSv2
  • Ms/Mms

For most generic and compute-optimized instance sizes, the accelerated networking feature requires 2 or more vCPUs. However, on systems that support hyperthreading, the accelerated networking feature requires instance sizes with 4 or more vCPUs.

For more information about the supported instance sizes, refer to the following link.

https://docs.microsoft.com/en-us/azure/virtual-network/create-vm-accelerated-networking-cli#limitations-and-constraints

Creating a Virtual Machine with Accelerated Networking Enabled

If you want to enable accelerated networking while creating the instance, you can do so only from the Azure CLI. The Azure portal does not provide the option to create an instance with accelerated networking enabled.

For more information about creating a virtual machine with accelerated networking, refer to the following link.

https://docs.microsoft.com/en-us/azure/virtual-network/create-vm-accelerated-networking-cli#create-a-linux-vm-with-azure-accelerated-networking

To create a virtual machine with the accelerated networking feature enabled:

  1. From the machine on which the Azure CLI is installed, log in to Azure using the following command.

    az login
    
  2. Create a virtual machine using the following command.

    az vm create --image <name of the Image> --resource-group <name of the resource group> --name <name of the new instance> --size <configuration of the instance> --admin-username <administrator username> --ssh-key-values <SSH key path> --public-ip-address "" --nsg <Azure virtual network> --accelerated-networking true
    

    For example, the table below lists values to create a virtual machine with the following parameters.

    | Parameter | Value |
    |-----------|-------|
    | Name of the image | ProtegrityESAAzure |
    | name-of-resource-group | MyResourcegroup |
    | size | Standard_DS3_v2 |
    | admin-username | admin |
    | nsg | TierpointAccessDev |
    | ssh-key-value | ./testkey.pub |

    The virtual machine is created with the accelerated networking feature enabled.

Enabling Accelerated Networking

Perform the following steps to enable the Azure Accelerated Networking feature on the Protegrity appliance.

To enable accelerated networking:

  1. From the machine on which the Azure CLI is installed, log in to Azure using the following command.

    az login
    
  2. Stop the Protegrity appliance using the following command.

    az vm deallocate --resource-group <ResourceGroupName> --name <InstanceName>
    
    | Parameter | Description |
    |-----------|-------------|
    | ResourceGroupName | Name of the resource group where the instance is located. |
    | InstanceName | Name of the instance that you want to stop. |

  3. Enable accelerated networking on your virtual machine’s network card using the following command.

    az network nic update --name <nic-name> --resource-group <ResourceGroupName> --accelerated-networking true 
    
    | Parameter | Description |
    |-----------|-------------|
    | nic-name | Name of the network interface card attached to the instance where you want to enable accelerated networking. |
    | ResourceGroupName | Name of the resource group where the instance is located. |

  4. Start the Protegrity appliance.

Disabling Accelerated Networking

Perform the following steps to disable the Azure Accelerated Networking features on the Protegrity appliance.

To disable accelerated networking:

  1. From the machine on which the Azure CLI is installed, log in to Azure using the following command.

    az login
    
  2. Stop the Protegrity appliance using the following command.

    az vm deallocate --resource-group <ResourceGroupName> --name <InstanceName> 
    
    | Parameter | Description |
    |-----------|-------------|
    | ResourceGroupName | Name of the resource group where the instance is located. |
    | InstanceName | Name of the instance that you want to stop. |

  3. Disable accelerated networking on your virtual machine’s network card using the following command.

    az network nic update --name <nic-name> --resource-group <ResourceGroupName> --accelerated-networking false 
    
    | Parameter | Description |
    |-----------|-------------|
    | nic-name | Name of the network interface card attached to the instance where you want to disable accelerated networking. |
    | ResourceGroupName | Name of the resource group where the instance is located. |

  4. Start the Protegrity appliance.
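
The enable and disable procedures above, combined into one script as an added example (not Protegrity's or Microsoft's own code). It skips the outage when the NIC is already in the requested state, refuses to update the NIC unless Azure reports the VM as deallocated, and confirms the result afterward. The function names are hypothetical and the resource names are supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example: switch Azure Accelerated Networking on or off for one NIC,
# following the order used on this page: deallocate VM -> update NIC -> start VM.
# Function names are hypothetical; resource names are supplied by the caller.

# Print "true" or "false": whether the NIC has accelerated networking enabled.
nic_accel_state() {   # usage: nic_accel_state <resource-group> <nic-name>
    az network nic show --resource-group "$1" --name "$2" \
        --query enableAcceleratedNetworking --output tsv | tr 'A-Z' 'a-z'
}

# Print the VM power state as Azure reports it, for example "VM deallocated".
vm_power_state() {    # usage: vm_power_state <resource-group> <vm-name>
    az vm show --show-details --resource-group "$1" --name "$2" \
        --query powerState --output tsv
}

# usage: set_accel_networking <resource-group> <vm-name> <nic-name> <true|false>
# Prints "unchanged" or "changed"; returns non-zero on any failure.
set_accel_networking() {
    local rg="$1" vm="$2" nic="$3" want="$4" current
    case "$want" in
        true|false) ;;
        *) echo "state must be true or false" >&2; return 2 ;;
    esac

    # If the NIC is already in the requested state, avoid an unnecessary outage.
    current=$(nic_accel_state "$rg" "$nic")
    case "$current" in
        "$want") echo "unchanged"; return 0 ;;
        true|false) ;;
        *) echo "cannot read the current NIC state" >&2; return 1 ;;
    esac

    az vm deallocate --resource-group "$rg" --name "$vm" >/dev/null || return 1

    # The NIC is changed only while the VM is in the stopped (deallocated) state.
    if [ "$(vm_power_state "$rg" "$vm")" != "VM deallocated" ]; then
        echo "refusing to update NIC: VM is not deallocated" >&2
        return 1
    fi

    if ! az network nic update --name "$nic" --resource-group "$rg" \
            --accelerated-networking "$want" >/dev/null; then
        echo "NIC update failed; starting VM with its previous setting" >&2
        az vm start --resource-group "$rg" --name "$vm" >/dev/null
        return 1
    fi

    az vm start --resource-group "$rg" --name "$vm" >/dev/null || return 1

    # Confirm what Azure now reports instead of trusting the exit codes alone.
    if [ "$(nic_accel_state "$rg" "$nic")" != "$want" ]; then
        echo "NIC does not report accelerated networking = $want" >&2
        return 1
    fi
    echo "changed"
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    set_accel_networking "$@"
fi
```

Run `az login` first, as in step 1 of both procedures.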

Troubleshooting and FAQs for Azure Accelerated Networking

This section lists the Troubleshooting and FAQs for the Azure Accelerated Networking feature.

It is recommended to have at least two or more virtual machines in the Azure virtual network.

Can I stop or deallocate my machine from the Web UI?

Yes. You can stop or deallocate your machine from the Web UI. Navigate to the Azure instance details page and click Stop from the top ribbon.

Can I uninstall the Cloud Utility Azure if the accelerated networking feature is enabled?

It is recommended to disable the accelerated networking feature before uninstalling the Cloud Utility Azure.

How do I verify that the accelerated networking is enabled on my machine?

Perform the following steps:

  1. Log in to the CLI Manager.

  2. Navigate to Administration > OS Console.

  3. Enter the root credentials.

    Verify that the Azure Accelerated Networking feature is enabled by using the following commands.

    # lspci | grep "Virtual Function"
    

    Confirm the Mellanox VF device is exposed to the VM with the lspci command.

    The following is a sample output:

    001:00:02.0 Ethernet controller: Mellanox Technologies MT27500/MT27520 Family [ConnectX-3/ConnectX-3 Pro Virtual Function]

    # ethtool -S ethMNG | grep vf
    

    Check for activity on the virtual function (VF) with the preceding ethtool command. If you receive an output similar to the following sample output, accelerated networking is enabled and working. The values of the packets and bytes should not be zero.

    vf_rx_packets: 992956
    vf_rx_bytes: 2749784180
    vf_tx_packets: 2656684
    vf_tx_bytes: 1099443970
    vf_tx_dropped: 0
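
The manual check above, scripted as an added example (not part of the Protegrity documentation): it classifies `ethtool -S` output by whether the VF packet and byte counters exist and are non-zero. The function names and the three status words are hypothetical, and the sample inputs are constructed.

```bash
#!/usr/bin/env bash
# Added example: classify `ethtool -S <interface>` output for the VF check above.

# Reads ethtool statistics on stdin and prints one word:
#   active - vf_ packet/byte counters exist and every one is non-zero
#   idle   - vf_ counters exist but at least one packet/byte counter is zero
#   absent - no vf_ packet/byte counters (no virtual function in the guest)
vf_status() {
    awk -F: '
        /^[ \t]*vf_(rx|tx)_(packets|bytes)[ \t]*:/ {
            seen = 1
            if ($2 + 0 == 0) zero = 1   # vf_tx_dropped is deliberately not matched
        }
        END {
            if (!seen)     print "absent"
            else if (zero) print "idle"
            else           print "active"
        }'
}

# Reads `lspci` output on stdin; succeeds if a Virtual Function device is listed.
vf_pci_present() {
    grep -q "Virtual Function"
}

# Constructed sample: the counter values from the sample output on this page.
SAMPLE_ACTIVE='     vf_rx_packets: 992956
     vf_rx_bytes: 2749784180
     vf_tx_packets: 2656684
     vf_tx_bytes: 1099443970
     vf_tx_dropped: 0'

# Constructed sample: a virtual function that has carried no traffic.
SAMPLE_IDLE='     vf_rx_packets: 0
     vf_rx_bytes: 0
     vf_tx_packets: 0
     vf_tx_bytes: 0
     vf_tx_dropped: 0'

# With an interface argument (for example ethMNG), check the live system.
if [ "$#" -eq 1 ]; then
    if lspci | vf_pci_present; then
        echo "PCI: virtual function present"
    else
        echo "PCI: no virtual function listed"
    fi
    echo "counters: $(ethtool -S "$1" | vf_status)"
fi
```

An "idle" or "absent" result right after enabling the feature is a reason to recheck the NIC setting in Azure and the instance size before assuming accelerated networking is in effect.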
    

How do I verify from the Azure Web portal that the accelerated networking is enabled on my machine?

Perform the following steps:

  1. From the Azure Web portal, navigate to the virtual machine’s details page.
  2. From the left pane, navigate to Networking.
  3. If there are multiple NICs, then select the required NIC.
  4. Verify that the accelerated networking feature is enabled from the Accelerated Networking field.

Can I use the Cloud Shell on the Azure portal for enabling or disabling the accelerated networking feature?

Yes, you can use the Cloud Shell for enabling or disabling the accelerated networking. For more information about the pricing of the cloud shell, refer to the following link.

https://azure.microsoft.com/en-in/pricing/details/cloud-shell

How can I enable the accelerated networking feature using the Cloud Shell?

Perform the following steps to enable the accelerated networking feature using the Cloud Shell:

  1. From the Microsoft Azure portal, launch the Cloud Shell.

  2. Stop the Protegrity appliance using the following command.

    az vm deallocate --resource-group <ResourceGroupName> --name <InstanceName> 
    
  3. Enable accelerated networking on your virtual machine’s network card using the following command.

    az network nic update --name <nic-name> --resource-group <ResourceGroupName> --accelerated-networking true 
    
  4. Start the Protegrity appliance.

How can I disable the accelerated networking feature using the Cloud Shell?

Perform the following steps to disable the accelerated networking feature using the Cloud Shell:

  1. From the Microsoft Azure portal, launch the Cloud Shell.

  2. Stop the Protegrity appliance using the following command.

    az vm deallocate --resource-group <ResourceGroupName> --name <InstanceName> 
    
  3. Disable accelerated networking on your virtual machine’s network card using the following command.

    az network nic update --name <nic-name> --resource-group <ResourceGroupName> --accelerated-networking false 
    
  4. Start the Protegrity appliance.

Are there any specific regions where the accelerated networking feature is supported?

The accelerated networking feature is supported in all public Azure regions and Azure government clouds. For more information about the supported regions, refer to the following link:

https://docs.microsoft.com/en-us/azure/virtual-network/create-vm-accelerated-networking-cli#regions

Is it necessary to stop (deallocate) the machine to enable or disable the accelerated networking feature?

Yes. It is necessary to stop (deallocate) the machine to enable or disable the accelerated networking feature. If the machine is not in the stop (deallocate) state, the value of the vf packets may freeze, which results in unexpected behaviour of the machine.

Is there any additional cost for using the accelerated networking feature?

No. There is no additional cost required for using the accelerated networking feature. For more information about the costing, contact Protegrity Support.

13 - Backing up and Restoring VMs on Azure

On Azure, you can prevent unintended loss of data by backing up your virtual machines. Azure allows you to optimize your backup by providing different levels of consistency. Similarly, the data on the virtual machines can be easily restored to a stable state. You can back up a virtual machine using the following two methods:

  • Creating snapshots of the disk
  • Using recovery services vaults

The following sections describe how to create and restore backups using the two mentioned methods.

Backing up and Restoring using Snapshots of Disks

The following sections describe how to create snapshots of disks and recover them on virtual machines. This procedure of backup and recovery is applicable for virtual machines that are created from disks and custom images.

Creating a Snapshot of a Virtual Machine on Azure

To create a snapshot of a virtual machine:

  1. Sign in to the Azure homepage.

  2. On the left pane, select Virtual machines.

    The Virtual machines screen appears.

  3. Select the required virtual machine and click Disks.

    The details of the disk appear.

  4. Select the disk and click Create Snapshot.

    The Create Snapshot screen appears.

    Create Snapshot Screen

  5. Enter the following information:

    • Name: Name of the snapshot
    • Subscription: Subscription account for Azure
  6. Select the required resource group from the Resource group drop-down list.

  7. Select the required account type from the Account type drop-down list.

  8. Click Create.

    The snapshot of the disk is created.

Restoring from a Snapshot on Azure

This section describes the steps to restore a snapshot of a virtual machine on Azure.

Before you begin

Ensure that the snapshot of the machine is taken.

How to restore from a snapshot on Azure

To restore a virtual machine from a snapshot:

  1. On the Azure Dashboard screen, select Virtual Machine.

    The screen displaying the list of all the Azure virtual machines appears.

  2. Select the required virtual machine.

    The screen displaying the details of the virtual machine appears.

  3. On the left pane, under Settings, click Disks.

  4. Click Swap OS Disk.

    The Swap OS Disk screen appears.

  5. Click the Choose disk drop-down list and select the snapshot created.

  6. Enter the confirmation text and click OK.

    The machine is stopped and the disk is successfully swapped.

  7. Restart the virtual machine to verify whether the snapshot is available.

Backing up and Restoring using Recovery Services Vaults

A recovery services vault is an entity that stores backup and recovery points. These vaults enable you to copy the configuration and data from virtual machines. The benefit of using recovery services vaults is that they help organize your backups and minimize the management overhead. They come with enhanced capabilities for backing up data without compromising data security. These vaults also allow you to create backup policies for virtual machines, thus ensuring integrity and protection. Using recovery services vaults, you can retain recovery points of protected virtual machines to restore them at a later point in time.

For more information about Recovery services vaults, refer to the following link:

https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview

Before you begin

This process of backup and restore is applicable only for virtual machines that are created from a custom image.

Creating Recovery Services Vaults

Before starting with the backup procedure, you must create a recovery services vault.

Before you begin

Ensure that you are aware of the pricing and role-based access before proceeding with the backup.

For more information about the pricing and role-based access, refer to the following links:

To create a recovery services vault:

  1. Sign in to the Azure homepage.

  2. On the Azure Dashboard screen, search for Recovery Services vaults.

    The screen displaying all the services vaults appears.

  3. Click Add.

    The Create Recovery Services vault screen appears.

  4. Populate the following fields:

    • Subscription: Account name under which the recovery services vault is created.
    • Resource group: Associate a resource group to the vault.
    • Vault name: Name of the vault.
    • Region: Location where the data for recovery vault must be stored.

    The Welcome to Azure Backup screen appears on the right pane.

  5. Click Review + create.

    The recovery services vault is created.

Backing up Virtual Machine using Recovery Services Vault

This section describes how to create a backup of a virtual machine using a Recovery Services Vault. For more information about the backup, refer to the link, https://docs.microsoft.com/en-us/azure/backup/backup-azure-vm-backup-faq

To create a backup of a virtual machine:

  1. Sign in to the Azure homepage.

  2. On the left pane, select Virtual machines.

    The Virtual machines screen appears.

  3. Select the required virtual machine.

  4. On the left pane, under the Operations tab, click Backup.

    The Welcome to Azure Backup screen appears on the right pane.

  5. From the Recovery Services vault option, choose Select existing and select the required vault.

  6. In the backup policy, you specify the frequency, backup schedule, and so on. From the Choose backup policy option, select a policy from the following options:

    • DailyPolicy: Retain the daily backup taken at 9.00 AM UTC for 180 days.
    • DefaultPolicy: Retain the daily backup taken at 10.30 AM UTC for 30 days.
    • Create backup policy: Customize the backup policy as per your requirements.

  7. Click Enable backup.

    A notification stating that backup is initiated appears.

  8. On the Azure Dashboard screen, search for Recovery Services vaults.

    The screen displaying all the services vaults appears.

  9. Select the required services vault.

    The screen displaying the details of the virtual machine appears.

  10. On the center pane, under Protected items, click Backup items.

    The screen displaying the different management types vault appears.

  11. Select the required management type.

    After the backup is completed, the list displays the virtual machine for which the backup was initiated.

Restoring a Virtual Machine using Recovery Services Vaults

In Azure, when restoring a virtual machine using Recovery Services vaults, you have the following two options:

  • Creating a virtual machine: Create a virtual machine with the backed up information.
  • Replacing an existing disk: Replace an existing disk on the virtual machine with the backed up information.

Restoring by Creating a Virtual Machine

This section describes how to restore a backup on a virtual machine by creating a virtual machine.

Before you begin

Ensure that the backup process for the virtual machine is completed.

How to restore by creating a virtual machine

To restore a virtual machine by creating a virtual machine:

  1. On the Azure Dashboard screen, search for Recovery Services vaults.

    The screen displaying all the services vaults appears.

  2. Select the required services vault.

    The screen displaying the details of the services vault appears.

  3. On the center pane, under Protected items, click Backup items.

    The screen displaying the different management types vault appears.

  4. Select the required management type.

    The virtual machines for which backup has been initiated appear.

  5. Select the virtual machine.

    The screen displaying the backup details and restore points appears.

  6. Click Restore VM.

    The Select Restore point screen appears.

  7. Choose the required restore point and click OK.

    The Restore Configuration screen appears.

  8. If you want to create a virtual machine, click Create new.

    1. Populate the following fields for the respective options:

      • Restore type: Create a new virtual machine without overwriting an existing backup.
      • Virtual machine name: Name for the virtual machine.
      • Resource group: Associate vault to a resource group.
      • Virtual network: Associate vault to a virtual network.
      • Storage account: Associate vault to a storage account.

    2. Click OK.

  9. Click Restore.

    The restore process is initiated. A virtual machine is created with the backed up information.

Restoring a Virtual Machine by Restoring a Disk

This section describes how to restore a backup on a virtual machine by restoring a disk on a virtual machine.

Before you begin

Ensure that the backup process for the virtual machine is completed. Also, ensure that the VM is stopped before performing the restore process.

How to restore a virtual machine by restoring a disk

To restore a virtual machine by restoring a disk:

  1. On the Azure Dashboard screen, search for Recovery Services vaults.

    The screen displaying all the services vaults appears.

  2. Select the required services vault.

    The screen displaying the details of the services vault appears.

  3. On the center pane, under Protected items, click Backup items.

    The screen displaying the different management types vault appears.

  4. Select the required management type.

    The virtual machines for which backup has been initiated appear.

  5. Select the virtual machine.

    The screen displaying the backup details and restore points appears.

  6. Click Restore VM.

    The Select Restore point screen appears.

  7. Choose the required restore point and click OK.

    The Restore Configuration screen appears.

  8. Click Replace existing.

    1. Populate the following fields:

      • Restore type: Replace the disk from a selected restore point.
      • Staging location: Temporary location used during the restore process.

    2. Click OK.

  9. Click Restore.

    The restore process is initiated. The backup is restored by replacing an existing disk on the machine with the disk containing the backed up information.
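The "Before you begin" conditions of the two restore procedures above (backup completed, and the VM stopped when replacing an existing disk) can be checked before the restore is started. The following is an added example, not part of the Protegrity documentation; the VM names are constructed, and the JSON field names assume the output shape of `az backup item list` and `az vm show -d`.

```python
import json

# Constructed sample, assumed to be shaped like `az backup item list --output json`.
BACKUP_ITEMS = json.loads("""
[
  {"properties": {"friendlyName": "esa-vm-01", "protectionState": "Protected",
                  "lastBackupStatus": "Completed",
                  "lastRecoveryPoint": "2024-05-01T10:31:12+00:00"}},
  {"properties": {"friendlyName": "dsg-vm-01", "protectionState": "IRPending",
                  "lastBackupStatus": null, "lastRecoveryPoint": null}}
]
""")

# Constructed sample, assumed to match `az vm show -d --query powerState` per VM.
POWER_STATES = {"esa-vm-01": "VM running", "dsg-vm-01": "VM deallocated"}
STOPPED_STATES = {"VM stopped", "VM deallocated"}


def restore_blockers(vm_name, restore_type, items, power_states):
    """Return the unmet preconditions; an empty list means the restore can start.

    restore_type is "create_new" or "replace_existing", matching the two
    restore options described in this section.
    """
    if restore_type not in ("create_new", "replace_existing"):
        raise ValueError(f"unknown restore type: {restore_type}")
    item = next((i["properties"] for i in items
                 if i["properties"].get("friendlyName", "").lower() == vm_name.lower()),
                None)
    if item is None:
        return [f"{vm_name}: no backup item found in the vault"]
    blockers = []
    # Both restore types require a completed backup with a recovery point.
    if item.get("lastBackupStatus") != "Completed":
        blockers.append(f"{vm_name}: last backup status is {item.get('lastBackupStatus')!r}")
    if not item.get("lastRecoveryPoint"):
        blockers.append(f"{vm_name}: no recovery point available")
    # Replacing the existing disk additionally requires a stopped VM.
    if restore_type == "replace_existing":
        state = power_states.get(vm_name, "unknown")
        if state not in STOPPED_STATES:
            blockers.append(f"{vm_name}: power state is {state!r}, stop the VM first")
    return blockers


if __name__ == "__main__":
    for vm, kind in [("esa-vm-01", "create_new"), ("esa-vm-01", "replace_existing"),
                     ("dsg-vm-01", "replace_existing")]:
        print(vm, kind, restore_blockers(vm, kind, BACKUP_ITEMS, POWER_STATES) or "ready")
```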

14 - Connecting to an ESA Instance

If you are using an instance of the DSG appliance on Azure, you must connect it to an instance of the ESA appliance. Using the CLI manager, you must provide the connectivity details of the ESA appliance in the DSG appliance.

For more information about connecting a DSG instance with ESA, refer to Setting up ESA Communication.

15 - Deploying the Protegrity Appliance Instance with the Protectors

You can configure the various protectors that are a part of the Protegrity Data Security Platform with an instance of the ESA appliance running on Azure.

Depending on the cloud-based environment that hosts the protectors, the protectors can be configured with the instance of the ESA appliance in one of the following ways:

  • If the protectors are running on the same virtual network as the instance of the ESA appliance, then the protectors need to be configured using the internal IP address of the ESA appliance within the virtual network.
  • If the protectors are running on a different virtual network than that of the ESA appliance, then the virtual network of the ESA instance needs to be configured to connect to the virtual network of the protectors.