To ensure reliable and predictable data protection, Druva’s built-in prechecks validate your Azure SQL resources against core prerequisites before backup or restore operations. These automated checks proactively detect incorrect credentials and network misconfigurations—such as missing VNet rules or non-delegated subnets. By identifying these issues early, the system provides clear error codes and specific solutions, significantly reducing the likelihood of subsequent job failures.
Authentication Prechecks
Pre-check | Description | Recommended Action |
SQL Server Credential Check | Verifies whether the provided authentication credentials are valid. | For Service Principal, make sure you have mapped the concerned admin (as per your organization in the Management Console) for your Azure SQL resource. For more information, see How to map service principal in Azure. For SQL authentication, validate the authentication credentials provided by your database administrator and reassign the authentication with the correct authentication credentials. For more information, see Assign Authentication. |
VNet Rule Check | This check ensures that the database is configured with a VNet rule permitting inbound network connection from the specific virtual network where the Quantum Bridge VMs are deployed. | No VNet rule that allows Druva to connect to the database is found. Configure a VNet rule for the database. For more information, see Pre-requisites for protecting Azure SQL resources. |
Subnet Check | This check ensures the subnet is configured, is non-delegated, and is not used by the following Azure built-in services:
| Configure a non-delegated subnet in the virtual network associated with the Azure SQL Managed Instance. Also, ensure it is not used by the Azure built-in services. For more information, see Pre-requisites for protecting Azure SQL resources. |
Inbound port check | Validate that the Network Security Group (NSG) associated with the Azure SQL Managed Instance delegated subnet includes an inbound security rule allowing traffic on TCP port 1433. This ensures connectivity to the VNet-local endpoint via the default Redirect connection policy. | Update the Network Security Group (NSG) rules for the Azure SQL Managed Instance delegated subnet to permit inbound traffic on TCP port 1433. For step-by-step instructions on configuring the security rules to allow application-tier connectivity, see Configure NSG for Azure SQL Managed Instance. |
Outbound Check | Verifies outbound connectivity from the Azure SQL Managed Instance subnet (on which the Druva Quantum Bridge is spawned) to the Azure Key Vault service over TCP port 443. | Update the Network Security Group (NSG) rules and User-Defined Routes (UDR) for the Azure SQL Managed Instance subnet (on which the Druva Quantum Bridge is spawned) to permit outbound traffic to the Azure Key Vault service on TCP port 443. Connectivity must be verified for both the primary and secondary (failover) Key Vaults to ensure high availability of the encryption protector. This requirement applies regardless of the endpoint type being used:
For step-by-step configuration and a list of all required outbound rules, see |