
Customizing Quantum Bridge Placement for Azure SQL

Updated today

To protect your Azure SQL family resources, Druva spawns ephemeral compute resources, called the Quantum Bridge, within your Azure environment. These resources are created on demand and are automatically deleted once the task (such as backup, restore, or pre-checks) is completed. The Quantum Bridge acts as a temporary "sidecar" worker that processes data locally within your Azure environment before securely sending it to air-gapped storage, ensuring data stays within your security boundary.

The Quantum Bridge includes:

  • Virtual Machine (VM): Provides compute power.

  • Managed Disk: Provides storage for the VM.

  • Network Interface Card (NIC): Provides network connectivity for the VM.

By default, Druva manages where these temporary resources are placed. With this feature, you decide where the Quantum Bridge is spawned: you can explicitly define the Azure Resource Group and Subnet where these temporary resources are deployed, ensuring compliance with internal networking and security policies.

Key Benefits

  • Centralized Management: Deploy data protection resources into dedicated resource groups to simplify billing, streamline cost reporting, and ensure alignment with organizational blueprints.

  • Network Integration: Deploy Quantum Bridge worker VMs into pre-approved subnets to respect micro-segmentation and Zero Trust models, ensuring Druva fits even the most prescriptive network designs.

  • In-VNet Protection: Druva secures Azure SQL within existing VNets, eliminating the need for VNet peering or network reconfigurations required by legacy hub-and-spoke backup architectures.

  • Flexible Placement: Use additive tags to define global defaults at the subscription level while overriding specific SQL resources to land in dedicated subnets for precise architectural control.

Tag Definitions

You can control the placement of the ephemeral resources by applying specific Azure Tags, DRUVA_RESOURCE_GROUP and DRUVA_QB_SUBNET, within your Azure portal. You can apply tags at two levels:

  1. Subscription Level: Applies the configuration across all protected Azure SQL instances within the entire subscription.

  2. Azure SQL Logical Server Level: Provides granular control over specific SQL instances, allowing isolation of high-security databases.

| Tag Name | Value Format | Description |
| --- | --- | --- |
| DRUVA_QB_SUBNET | Subnet ID | The full Subnet ID (also known as Azure Resource ID) of the subnet. |
| DRUVA_RESOURCE_GROUP | Name | The plain text name of the target Resource Group. |

Tag Precedence and Inheritance

Tags applied at the Resource level take precedence over tags at the Subscription level. This allows you to set organizational defaults across the subscription while maintaining granular control for each SQL resource that requires unique subnet placement.

Configure Azure Tags for Quantum Bridge Resource Placement

Prerequisites

  • The chosen Subnet must have network access to the Azure SQL instance via a Service Endpoint or Private Endpoint. If the subnet does not have access, the jobs will fail.

  • For Managed Instances (MI), the subnet must be part of a private endpoint.

  • The selected Subnet must reside in the same Azure region as the SQL database.

Procedure

Make sure you have read the prerequisites before you begin.

Step 1. Identify Azure Resource Identifiers

  1. In the Azure portal, search for Resource Group in the top search box.

  2. In the right pane, go to the Essentials section and copy the Resource group name (required for the DRUVA_RESOURCE_GROUP tag).

  3. In the left pane, go to Settings, select Subnets, and click the specific subnet name you want to use for Quantum Bridge resources.

  4. In the Edit subnet screen, copy the Subnet ID (required for the DRUVA_QB_SUBNET tag).

Step 2. Add the Configuration Tags

  1. In the Azure portal, search for and select your target scope:

    1. Global level: Search for Subscriptions and select your subscription for SQL resources to protect.

    2. Resource level: Search for Azure SQL. In the Azure SQL hub, select either Azure SQL Database > SQL databases, Azure SQL Managed Instance > SQL managed instances, or SQL Server > SQL Server on Azure VMs.

    3. Select the SQL Resource you want to configure.

  2. In the Overview screen, click Edit in the Tags section.

  3. Add the following tags to your Azure SQL resource:

| Tag Name | Value Format | Description |
| --- | --- | --- |
| DRUVA_QB_SUBNET | Subnet Resource ID | The full Azure Resource ID of the target subnet. Provide the Resource ID copied in Step 1. |
| DRUVA_RESOURCE_GROUP | Name | The name of the target Resource Group. Provide the name copied in Step 1. |

Step 3. Synchronize Azure SQL Resources

  1. Log in to the Management Console and navigate to Protect > Azure.

  2. Locate the target Subscription, select the ellipsis (...) button, and select Sync.

  3. Verify that the Last Sync timestamp has updated to the current time. (Hint: you can click the refresh icon to update the last sync time.)

Once synchronized, Druva automatically uses your custom tag configurations for all future backup and restore operations.

Considerations

Quantum Bridge resources must be deployed within the same subscription as the target Azure SQL resources. Cross-subscription protection using tags is not currently supported.
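
A pre-flight check for the tag values described above, as an added example that is not Druva's own code: it resolves the effective tags for one SQL resource (resource level over subscription level, as in Tag Precedence and Inheritance) and flags a subnet that lies in a different subscription (see Considerations). It assumes each tag is resolved independently and that the Subnet ID follows the standard Azure resource ID layout; the function names and sample values are constructed for illustration.

```python
import re

# Standard Azure resource ID layout for a subnet.
SUBNET_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/virtualNetworks/(?P<vnet>[^/]+)"
    r"/subnets/(?P<subnet>[^/]+)$",
    re.IGNORECASE,
)
TAGS = ("DRUVA_QB_SUBNET", "DRUVA_RESOURCE_GROUP")

def effective_tags(subscription_tags, resource_tags):
    """Resource-level tags win over subscription-level tags.
    Assumption: each tag is resolved independently of the other."""
    merged = {}
    for name in TAGS:
        value = (resource_tags.get(name) or subscription_tags.get(name) or "").strip()
        if value:
            merged[name] = value
    return merged

def check_placement(sql_subscription_id, subscription_tags, resource_tags):
    """Return (effective tags, list of problems) for one SQL resource."""
    tags = effective_tags(subscription_tags, resource_tags)
    problems = []
    subnet = tags.get("DRUVA_QB_SUBNET")
    if subnet:
        m = SUBNET_ID.match(subnet)
        if not m:
            problems.append("DRUVA_QB_SUBNET is not a full subnet resource ID")
        elif m["sub"].lower() != sql_subscription_id.lower():
            problems.append("subnet is in a different subscription than the SQL resource")
    rg = tags.get("DRUVA_RESOURCE_GROUP")
    if rg and "/" in rg:
        problems.append("DRUVA_RESOURCE_GROUP must be a plain name, not a resource ID")
    return tags, problems

# Constructed sample values (not real Azure resources).
SUB = "00000000-0000-0000-0000-000000000001"
DEFAULTS = {
    "DRUVA_RESOURCE_GROUP": "rg-backup-default",
    "DRUVA_QB_SUBNET": f"/subscriptions/{SUB}/resourceGroups/rg-net/providers"
                       "/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-backup",
}

if __name__ == "__main__":
    print(check_placement(SUB, DEFAULTS, {"DRUVA_QB_SUBNET": "snet-backup"}))
```

The region and endpoint prerequisites cannot be derived from the tag values alone and still need to be checked against the subnet itself.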
