System Requirements and Prerequisites for Azure Files

❗ Important

This feature has limited availability. To learn more about limited availability and to sign up for this feature, contact your Account Manager.


Azure VM instance size

  • Create an Azure virtual machine with the minimum specifications required for protection support.

    • We recommend a Standard_F32s_v2 (32 vCPU, 64 GB RAM).

  • Platform: Ubuntu version 22 and above.
    For more information, see Create Azure VM instance.

Operating System

Azure VM backup supports only Ubuntu proxies.

Prerequisites

To implement Azure Files via NAS, you must:

  • Configure an Azure VM that will work as a NAS proxy.

  • Attach a custom role with the Azure permissions listed below to the managed identity of the Azure virtual machine. For detailed steps, see the following sections.

Set up an Azure VM

You must first set up an Azure VM on which the NAS proxy will be installed.


πŸ“ Note

The Azure virtual machine and the storage account must be in the same region; otherwise, data egress charges apply.


Perform the following steps on the Azure console:

  1. Sign in to the Azure portal.

  2. Navigate to Home > Compute infrastructure > Infrastructure > Virtual machines > Create > Azure virtual machine to create a virtual machine.
    For more information, see the article.

Create a custom role

A managed identity is automatically managed by Azure and lets a virtual machine (or other service) authenticate to Azure services (such as storage accounts) without supplying any credentials.

To create a custom role for any subscription for performing backup/restore:

  1. Navigate to Home > Subscriptions > <Subscription name> > Access Control (IAM).

  2. Click Add > Add custom role.

  3. In the custom role form, enter a name for the custom role, then go to the JSON tab.

  4. In the JSON tab:

    • Click Edit.

    • Specify the subscription ID or the storage account (that you want to back up) under assignableScopes.

    • Add the permissions into the custom role.

    {
      "id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-definition-id>",
      "properties": {
        "roleName": "<role-name>",
        "description": "<role-description>",
        "assignableScopes": [
          "/subscriptions/<subscription-id>"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Storage/storageAccounts/fileServices/read",
              "Microsoft.Storage/storageAccounts/fileServices/write",
              "Microsoft.Storage/storageAccounts/fileServices/shares/read",
              "Microsoft.Storage/storageAccounts/fileServices/shares/write"
            ],
            "notActions": [],
            "dataActions": [
              "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
              "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
              "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action",
              "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action",
              "Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action"
            ],
            "notDataActions": []
          }
        ]
      }
    }

where <role-definition-id> identifies the role definition, which specifies what actions (read, write, delete, etc.) can be performed with this role. These permissions apply to a subscription, resource group, or specific resources. For example,

    {
      "id": "/subscriptions/d560e456-8710-404c-bb50-b2961b1afbe8/providers/Microsoft.Authorization/roleDefinitions/b0e7a02a-1a3e-47ee-b9c3-694cd491b0a4",
      "properties": {
        "roleName": "azure-files-role",
        "description": "",
        "assignableScopes": [
          "/subscriptions/d560e456-8710-404c-bb50-b2961b1afbe8"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Storage/storageAccounts/fileServices/read",
              "Microsoft.Storage/storageAccounts/fileServices/write",
              "Microsoft.Storage/storageAccounts/fileServices/shares/read"
            ],
            "notActions": [],
            "dataActions": [
              "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
              "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
              "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
            ]
          }
        ]
      }
    }

For more information on these permissions, see this table.

  5. Click Save.

  6. Click Review + create.
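
An added example, not part of the original page or the vendor's tooling: a Python check that compares a custom role definition with the permission list in the role template above, and also reports wildcard entries and assignable scopes wider than a resource group. `audit_role`, `REQUIRED`, `SAMPLE_ROLE` and the all-zero subscription ID are assumptions made for illustration; the sample carries the same permissions as the example role shown above.

```python
import json

PREFIX = "Microsoft.Storage/storageAccounts/fileServices/"
# Permission names copied from the role template on this page.
REQUIRED = {
    "actions": ["read", "write", "shares/read", "shares/write"],
    "dataActions": [
        "fileshares/files/read",
        "fileshares/files/write",
        "fileshares/files/modifypermissions/action",
        "readFileBackupSemantics/action",
        "writeFileBackupSemantics/action",
    ],
}

def audit_role(role_json):
    """Compare a custom role definition with the template's permission list."""
    props = json.loads(role_json)["properties"]
    report = {"missing": [], "extra": [], "wildcards": [], "broad_scopes": []}
    for kind, suffixes in REQUIRED.items():
        required = [PREFIX + s for s in suffixes]
        granted = [a for p in props.get("permissions", []) for a in p.get(kind, [])]
        # Compare case-insensitively so a casing difference is not reported as missing.
        granted_lc = {g.lower() for g in granted}
        required_lc = {r.lower() for r in required}
        report["missing"] += [r for r in required if r.lower() not in granted_lc]
        report["extra"] += [g for g in granted if g.lower() not in required_lc]
        report["wildcards"] += [g for g in granted if "*" in g]
    # A scope without a resource group segment covers a whole subscription or more.
    report["broad_scopes"] = [s for s in props.get("assignableScopes", [])
                              if "/resourcegroups/" not in s.lower()]
    return report

# Constructed sample with the same permissions as the example role shown above;
# the subscription ID is a placeholder.
SAMPLE_ROLE = json.dumps({"properties": {
    "roleName": "azure-files-role",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
        "actions": [PREFIX + s for s in ("read", "write", "shares/read")],
        "notActions": [],
        "dataActions": [PREFIX + "fileshares/files/" + s
                        for s in ("read", "write", "modifypermissions/action")],
    }],
}})

if __name__ == "__main__":
    for finding, items in audit_role(SAMPLE_ROLE).items():
        print(finding, items)
```

Pass the text from the role's JSON tab to `audit_role` before assigning the role. Narrowing assignableScopes to the storage account, which step 4 allows, clears the `broad_scopes` finding.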

Assign a custom role

Once the Azure virtual machine is created, assign the custom role, which grants permission to read and write file shares, to the VM through its managed identity.

  1. Click the virtual machine.

  2. Go to Security > Identity.

  3. Under the System assigned tab, set Status to On to enable the system-assigned identity.

  4. Click Azure role assignments to assign a role.

  5. Click Add role assignment (Preview).

    • Select a scope (subscription).

    • Select a role (custom role created in the previous step).

    • Click Save.

Once the managed identity is set up, follow the NAS activation process on the Azure VM; the VM can then be used to perform backup and restore operations.
