Overview
This guide outlines the configuration steps required to protect Azure Files and Blobs across multiple Azure subscriptions using a single centralized Druva NAS Proxy.
Use Case: Cost-Efficient Centralized Management
In a Managed Service Provider (MSP) or decentralized enterprise environment, deploying a separate Druva NAS Proxy VM inside every individual subscription can become cost-prohibitive. This solution implements a Hub-and-Spoke topology:
Hub Subscription: A centralized Azure environment where the single, shared NAS Proxy VM is deployed and activated.
Spoke Subscriptions: Multiple distinct subscriptions containing the target Azure Storage Accounts (Files and Blobs) that require data protection.
By granting the Hub Proxy's Managed Identity access to the Spoke subscriptions, you centralize management overhead and significantly reduce active cloud infrastructure costs.
Prerequisites
Before completing the cross-subscription setup, ensure your environment satisfies the following baseline requirements:
The NAS Proxy VM must be successfully deployed, running, and activated within your primary Hub subscription.
The NAS Proxy VM must have its System-Assigned Managed Identity enabled (
Status = On) in the Azure Portal.You must possess an Azure account with Owner or User Access Administrator permissions on all target Spoke subscriptions to delegate roles.
Custom Druva backup roles must be defined and available to be assigned.
Step-by-Step Configuration: Granting Cross-Subscription Permissions
To authorize the centralized NAS Proxy to discover and backup resources across subscription boundaries, assign its Managed Identity to the target Spoke subscriptions.
Step 1: Locate the NAS Proxy Identity
Log in to the Azure Portal.
Navigate to Virtual Machines and select your active Druva NAS Proxy VM within your Hub subscription.
In the left-hand navigation menu, scroll to the Security section and click Identity.
Under the System assigned tab, confirm that the Status is toggled to On.
Step 2: Assign Roles to Spoke Subscriptions
In the global search bar of the Azure Portal, search for and select Subscriptions.
Click on the first target Spoke Subscription containing the file shares or blobs you wish to back up.
In the left-hand menu, select Access Control (IAM).
Click Add > Add role assignment.
In the Role tab, search for and select the custom Druva backup role (or built-in equivalent, such as Storage Account Contributor / Storage Blob Data Reader, based on your organization's security design). Click Next.
In the Members tab, configure the following options:
Assign access to: Select Managed identity.
Click + Select members.
In the Managed identity dropdown on the right side, select Virtual machine.
Choose the subscription where your Hub Proxy resides, locate your NAS Proxy VM, and click Select.
Click Review + assign to save the settings.
📝 Note: If you are protecting workloads across multiple Spoke subscriptions, repeat Step 2 for each target subscription individually.
Verification & Final Result
Once Azure propagates the role assignments (typically within 5–10 minutes), the centralized NAS Proxy will have permission to cross subscription boundaries.
You can now navigate to the Druva Cloud Platform Console, go to your NAS/Azure workloads dashboard, trigger a discovery workflow, and configure your backup sets using the unified proxy backend.