To protect your Azure File shares, Druva deploys ephemeral Linux virtual machines (VMs) called Quantum Bridge within your Azure subscription. These VMs are created on demand to process data locally as a 'sidecar' worker and are automatically deleted once the backup task is complete. This ensures data is processed within your security boundary before being securely transferred to isolated Druva storage.
The Quantum Bridge includes:
Virtual Machine (VM)
Managed Disk
Network Interface Card (NIC)
By default, Druva manages the placement of these ephemeral resources. This feature gives you full control over where the Quantum Bridge is deployed. The Custom Quantum Bridge enables Druva to protect Azure Files and Azure Blob Storage residing within restricted or private Azure Virtual Networks (VNets).
Key Benefits
Centralized Management: Deploy data protection resources into dedicated resource groups to simplify billing, streamline cost reporting, and ensure alignment with organizational governance policies.
Network Integration: Deploy Quantum Bridge worker VMs into pre-approved subnets to respect micro-segmentation and Zero Trust models, ensuring Druva fits even the most prescriptive network designs.
In-VNet Protection: Druva secures Azure File shares within existing VNets, eliminating the need for complex VNet peering or modifications to your existing network topology.
Flexible Placement: Use additive tags to define global defaults at the subscription level while overriding specific storage accounts to land in dedicated subnets for precise architectural control.
Placement Configuration via Azure Tags
You can control the placement of the ephemeral resources by applying the DRUVA_RESOURCE_GROUP Azure Tag within your Azure portal. The value of this tag is the name of the target Resource Group. You can apply this tag at two levels:
Subscription level: Sets a global default for all protected Azure File shares within the subscription.
Storage account level: Overrides subscription-level defaults for specific storage accounts.
Tag Precedence and Inheritance
Tags applied at the storage account level take precedence over tags at the Subscription level. Placement logic follows a standard bottom-up override model:
Storage Account tags take precedence over Subscription tags.
If no tags are detected, Druva reverts to default resource placement.
This allows you to establish a global organizational policy while allowing for specific resource-level exceptions.
Configure Azure Tags for Quantum Bridge Resource Placement
Procedure
Step 1. Identify the target Resource Group
In the Azure portal, search for Resource Group in the top search box.
In the right pane, go to the Essentials section and copy the Resource group name (required for the DRUVA_RESOURCE_GROUP tag) where you want Druva to deploy the Quantum Bridge VMs. Ensure this Resource Group exists in the same region as your storage accounts.
Step 2. Assign the Tags
In the Azure portal, navigate to the desired target scope:
Global level: Search for Subscriptions and select your subscription for Azure File shares to protect.
Storage account level: In the top search bar, either type the storage account name or type “Storage accounts” and then click on the required account.
In the left resource menu, click Tags.
Enter the following:
Name: DRUVA_RESOURCE_GROUP
Value: Name of the target Resource Group. Provide the name copied in Step 1.
Step 3: Trigger a Metadata Sync
To apply the new tag configuration immediately, trigger a manual synchronization:
Log in to the Druva Cloud Platform Console. On the Global Navigation Panel, click Azure and select Organization.
Alternatively, you can navigate to the Enterprise Workloads Management Console and select the Organization from the top menu. Select Protect > Go to Azure.Locate the target Subscription, select the ellipsis (...) button, and select Sync.
Verify that the Last Sync timestamp has updated to the current time.
Click the refresh icon to update the last sync time.
Once synchronized, Druva automatically uses your custom tag configurations for all future backup and restore operations.
Considerations
Subscription Boundary: The Quantum Bridge cannot be deployed across subscription boundaries. The target Resource Group must reside within the same subscription as the data being protected.
Regional Boundary: The Quantum Bridge must be deployed into a Resource Group that resides in the same Azure region as the storage account being protected to avoid deployment failure, high egress costs, and latency.
FAQs
Why does Druva create resources in my Azure environment?
Why does Druva create resources in my Azure environment?
Druva uses a "side-car" approach for Azure File shares. The Quantum Bridge acts as a temporary worker that processes data locally. This ensures that the data processing occurs within your security boundary, optimizing performance and reducing egress overhead.
What happens if an Azure File share has no tags applied at all?
What happens if an Azure File share has no tags applied at all?
The system follows a standard inheritance model:
It first checks for Storage Account tags.
If no Storage Account tags exist, it checks for Subscription tags.
If no tags are found at all, it defaults to the Resource Group selected during your initial onboarding.
How long do these resources stay in my account?
How long do these resources stay in my account?
The Quantum Bridge VMs are ephemeral. They are provisioned at the start of a backup or restore task and are automatically decommissioned once the task completes or reaches a terminal state (failure/success).
Are there extra costs that I will incur on my cloud bill when using Quantum Bridge to protect Azure File shares?
Are there extra costs that I will incur on my cloud bill when using Quantum Bridge to protect Azure File shares?
Since these resources are hosted in your Azure subscription, they will appear on your Azure bill. Druva minimizes these costs by using optimized VM sizes and ensuring resources are only active during task execution.
Why haven't my resource group changes taken effect?
Why haven't my resource group changes taken effect?
Druva periodically syncs Azure metadata. If you updated your tags recently, trigger a Manual Sync from the Druva Console to apply the changes immediately.