Note: If you want to protect Azure SQL workloads, please click here to learn more about required permissions.
Overview
To protect your Azure virtual machines, you must first connect your Azure Tenant to Druva and onboard your Azure subscriptions to the Druva ecosystem. As a part of the onboarding process, you must assign an administration group and also specify a preferred Druva storage where you want to backup your data. By default, a Default Druva Storage will be assigned to back up data from all Azure regions. However, you can assign more specific region-wise storage. For more information, see Map storage.
With Druvaโs Azure data protection, the onboarding process has never been easier! Follow these three easy steps to onboard a new subscription for the first time, and you are all set.
Step | Action |
1. Select subscriptions | Select the subscriptions(s) for backup and restore. |
2. Assign administrative group and/or Storage rules |
|
3. Authorize subscriptions | Authorize the creation of an access key in the Azure vault. This key is used to encrypt backups. |
The following video shows a quick demo of how to register or onboard your Azure subscriptions to the Druva ecosystem.
Register Azure Subscriptions
Before you begin
Ensure you complete the prerequisites before proceeding with the onboarding process.
Add new subscription
Log in to the Management Console.
On the console, from the top menu, select Organization.
Select Protect > Azure Workloads > Virtual Machines.
Click Register.
On the Microsoft Sign in page, enter the Microsoft Azure credentials and click Next.
Accept the default permissions.
On the subscriptions modal window that appears, do the following:
Select the subscription(s) you want to protect and click Next.
โ๐ Note
โYou cannot select subscriptions that are already registered or onboarded.On the Access & Storage tab, in the Group Access section, either select an Administrative Group or create a new Administrator Group.
โIn the Storage Rules section, select a default Druva storage for all regions and click Next. You can also add additional storage rules.
โ๐ Notes
Once you assign a default storage rule, you cannot delete it later. However, you can delete other storage rules created subsequently.
You can create multiple storage rules.
When assigning storage rules, adhere to your compliance and governance policies.
Once storage is assigned to a region then it gets permanently associated with that region. Consequently, all the VMs will continue to get backed up and stored in this region.
On the E-Key Settings tab, select the following:
Select the Primary Region. This is the Azure Region which is used to create the Security Key Vault Name and Resource Group
โ๐ Note
โDefine a Secondary Region as well, which will be used to create the Key vault and Resource Group, when the Primary Region is unavailable.Select the Authorization check box. This authorizes creation of the encryption keys for the selected subscriptions.
If not authorized, backups will fail for resources within these subscriptions.
โ๐ Note
โThe subscriptions are onboarded successfully even if you do not authorize the creation of an access key in your Azure vault. However, resources in these subscriptions will not be backed up unless you authorize the subscriptions.Click Finishโ.
The subscriptions are onboarded successfully and are listed on the Azure subscriptions listing page.
โ
Add subsequent subscriptions
You can add subscriptions during onboarding or later at any point in time. To add subscriptions for the first time, see Register Azure subscriptions.
For adding more subscriptions at a later stage, see the following procedure:
Log in to the Management Console.
On the console, from the top menu, select Organization.
Select Protect > Azure Workloads > Virtual Machines.
On the Azure subscriptions page, click Add Subscriptions.
On the Microsoft Sign in page, enter the Microsoft Azure credentials and click Next.
Accept the default permissions.
On the Add Subscriptions window, do the following:
Select the subscription(s) you want to protect and click Next.
๐ Note
โYou cannot select subscriptions that are already onboarded.On the Access & Storage tab, in the Group Access section, either select an Administrative Group or create a new Administrator Group and click Next.
โOn the E-Key Settings tab, select the following:
Select the Primary Region. This is the Azure Region which is used to create the Security Key Vault Name and Resource Group.
โ๐ Note
โDefine a Secondary Region as well, which will be used to create the Key vault and Resource Group, when the Primary Region is unavailable.Select the Authorization check box. This authorizes creation of the encryption keys for the selected subscriptions.
If not authorized, backups will fail for resources within these subscriptions.
โ๐ Note
โThe subscriptions are onboarded successfully even if you do not authorize the creation of an access key in your Azure vault. However, resources in these subscriptions will not be backed up unless you authorize the subscriptions.Click Finishโ.
The subscriptions are onboarded successfully and are listed on the Azure subscriptions listing page.
Delete an Azure VM Subscription
You can delete an Azure VM subscription from your management console based on your business requirements.
โ Important
A subscription, once deleted from your Druva management console, cannot be retrieved. All backed up data will be removed and will no longer be available for restore.
Before you begin
You can delete your Azure VM subscription from the management console only under the following conditions:
You have hard deleted all your existing Azure VM backup sets.
You have no active Auto Configuration Rule for the subscription to be deleted.
Deletion does not impact the subscription or associated resources within your Azure environment.
Procedure
To delete a subscription:
Log in to your management console and select your Organization.
Navigate to Protect > Azure Workloads and click Go to Azure.
On the Azure Subscriptions page, locate the subscription and click Delete from the three-dot menu.
On the confirmation dialog, click Yes, Delete to proceed with the deletion.
๐ Note:
Deleting a subscription will not reverse the entities and resources created by Druva within your Azure environment, for example the Resource Group. If you need to remove these resources permanently, contact Support.
If you delete the last subscription in a specific Organization, you will need to reauthorize the subscription when registering a new one.
Administrative groups
An administrative group is a logical categorization of subscriptions. For example, subscriptions with resources located in one region can belong to one administrative group. An administrative group allows you to segregate subscriptions for Role-Based Access Control (RBAC) purposes, enabling more granular and organized management of resources and permissions.
While onboarding Azure subscriptions, you must assign administrative groups. You can assign one administrative group to manage multiple subscriptions. If no administrative group is available, you can create an administrative group.
Considerations
The following are some of the important points to consider for administrative groups:
You should be a Cloud Admin to create or edit an administrative group.
Administrative group is associated with an organization. If you want to create an administrative group for a specific organization, you must select that particular organization.
You can select an administrative group while onboarding Azure subscriptions.
You can select one existing administrative group for the multiple subscriptions. If no group exists, you can create an administrative group while onboarding Azure subscriptions.
You can delete an administrative group. However, before deleting, you must move the Hybrid resources, AWS accounts, and Azure subscriptions to a different group.
If you want to give granular access to the onboarded subscriptions, you can do so from DCP or Enterprise Workloads console where you can specify Azure subscriptions for specific group admins.
Create a new administrative group
Log in to the Management Console.
On the console, from the top menu, select Organization.
Select Protect > Azure Workloads > Virtual Machines.
On the Access & Storage tab, in the Group Access section, click on the Administrative Group dropdown.
Click + New Administrative Group.
โOn the New Administrative Group window, provide name and description and click Save.
Delete an administrative group
You can delete an Administrative group. However, before deleting, you must move the Hybrid resources, AWS accounts, and Azure subscriptions to a different group.
Log in to the Management Console.
On the console, from the top menu, select Organization and then click Manage > Administrative Groups.
The Manage Administrative Groups page displays a list of available administrative groups.To delete an administrative group, do either of the following:
Select an administrative group and click Delete.
Click on the administrative group that you want to delete, and on the Administrative group details page, click Delete.
Click Yes on the confirmation dialog box to proceed with the deletion.
Related keywords: key vault, keyvault, azurevault, vault, azure vault, azure vault key, azurevaultkey, azure kms