The Quantum Bridge is a temporary Azure virtual machine that is created during backup and recovery operations on Azure Blob and Azure Files storage accounts that have network restrictions enabled. In environments where storage accounts are not accessible via public networks, the Quantum Bridge facilitates secure data transfer between the restricted storage and the backup cloud.
Key Highlights
Secure Data Transfer: Acts as a gateway to access storage accounts configured with Selected networks or where public access is Disabled (Private Endpoints).
Ephemeral Lifecycle: The bridge exists only for the duration of a data task. It is automatically provisioned at the start of a backup or restore job and is terminated immediately upon completion to optimize resource usage.
Network Mapping: Connects to specific Virtual Networks (VNets) and subnets within the Azure environment to reach isolated storage resources.
Quantum Bridge Lifecycle and Workflow
The lifecycle of the Quantum Bridge is fully automated to ensure data is moved securely without requiring permanent infrastructure.
Deployment Process
Job Initiation: When a backup or restore task starts for a restricted storage account, the system triggers the spawning of a temporary Virtual Machine (VM) within the associated Azure subscription.
Configuration: The VM is attached to the VNet and subnet specified during the network configuration process.
Data Movement: The VM establishes a connection to the storage account (via Service Endpoints or Private Endpoints) and transfers data to the backup destination.
Teardown: Once the data transfer is verified, the system automatically shuts down and deletes the VM and the associated resources that were spawned with it.
Monitoring the Lifecycle
The status of the bridge can be monitored through job logs:
Provisioning: Look for log entries such as "spawning temporary VM in subscription."
Termination: Look for confirmation logs indicating the VM has been shut down and deleted.
Infrastructure Requirements
To deploy the Quantum Bridge successfully, the Azure environment must meet specific networking and resource criteria.
Networking Requirements
Subnet Connectivity: The selected subnet must have outbound connectivity to reach the backup control plane.
Service Endpoints: For storage accounts using Selected networks, the Microsoft.Storage service endpoint must be enabled on the subnet where the bridge VM resides.
Private Endpoints: If public access is disabled, a Private Endpoint must be configured for the storage account, and the bridge must be deployed into a VNet that can resolve and access that endpoint.
Firewall Rules: Required ports and URLs must be allowed for the bridge to communicate with the management console.
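A pre-flight check for the Service Endpoint and Private Endpoint cases above, as an added example (not the product's own code): it reads JSON in the shape returned by `az storage account show` and `az network vnet subnet show` and reports which requirement is unmet. The sample data is constructed, and the check that the subnet also appears in the account's virtual network rules is standard Azure behaviour assumed here, not something this page states.

```python
# Constructed sample data in the shape of `az network vnet subnet show` and
# `az storage account show` output; every name and ID is a placeholder.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
             "/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/bridge")
SUBNET_OK = {"id": SUBNET_ID, "serviceEndpoints": [{"service": "Microsoft.Storage"}]}
SUBNET_BARE = {"id": SUBNET_ID, "serviceEndpoints": []}
SELECTED = {"publicNetworkAccess": "Enabled", "networkRuleSet": {
    "defaultAction": "Deny",
    "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET_ID, "action": "Allow"}]}}
PRIVATE = {"publicNetworkAccess": "Disabled", "privateEndpointConnections": [
    {"privateLinkServiceConnectionState": {"status": "Pending"}}]}


def access_mode(account):
    """Classify the storage account the way the portal labels its network access."""
    if account.get("publicNetworkAccess") == "Disabled":
        return "disabled"
    rules = account.get("networkRuleSet") or {}
    return "selected-networks" if rules.get("defaultAction") == "Deny" else "all-networks"


def preflight(account, subnet):
    """Return the unmet networking requirements; an empty list means none found."""
    findings = []
    mode = access_mode(account)
    if mode == "selected-networks":
        endpoints = {e.get("service") for e in subnet.get("serviceEndpoints") or []}
        if "Microsoft.Storage" not in endpoints:
            findings.append("subnet lacks the Microsoft.Storage service endpoint")
        vnet_rules = (account.get("networkRuleSet") or {}).get("virtualNetworkRules") or []
        allowed = {r.get("virtualNetworkResourceId", "").lower() for r in vnet_rules}
        if subnet["id"].lower() not in allowed:  # assumption: not stated on the page
            findings.append("subnet is not in the storage account's virtual network rules")
    elif mode == "disabled":
        approved = [c for c in account.get("privateEndpointConnections") or []
                    if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"]
        if not approved:
            findings.append("no approved private endpoint on the storage account")
    return findings  # "all-networks" accounts are not restricted, so nothing to check


if __name__ == "__main__":
    for name, acct, net in [("selected/ok", SELECTED, SUBNET_OK),
                            ("selected/bare", SELECTED, SUBNET_BARE),
                            ("private/pending", PRIVATE, SUBNET_OK)]:
        print(name, preflight(acct, net) or "ready")
```

Outbound connectivity, DNS resolution of the private endpoint and the firewall rules cannot be read from this JSON and still need to be verified from inside the VNet.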
Azure Resource Requirements
Subscription Quota: The Azure subscription must have an available quota for the specific VM family and size used for the bridge.
