Preparing for Azure SQL data protection

Before you start protecting your Azure SQL data, complete the following steps:

Getting familiar with your SaaS application specifics

Before you start protecting your Azure SQL data, you must get familiar with all prerequisites, limitations, considerations, and/or recommendations in this section to make sure that your environment is prepared and configured correctly.

Prerequisites

  • Before you can add the Azure SQL module to R-Cloud as a source, your authentication service account must be created.

    You can create your own authentication service account in the Microsoft Entra ID tenant or use the service account automatically created by R-Cloud.

    If you want to create your own service account, you can create it under App registrations in the Microsoft Entra ID tenant. No API permissions are required to be set at the application or delegated level as the below-mentioned contributor roles will be used as a service account for management.

    Add the following redirect URI to the service account when creating your own:

    https://authentication.r-cloud.hycu.com/api/v2/oauth/callback/handleConsentGrant/

    After the service account is present on the Entra ID tenant, you must assign the Access Control (IAM) roles to it on the subscription level, and afterward grant it the permissions required by R-Cloud.

  • The following roles must be assigned to the Azure subscription in Azure Portal:

    • SQL DB Contributor

    • SQL Server Contributor

    • Storage Account Contributor

  • The Azure SQL Server must have the following option enabled under the Security > Networking properties in the Azure Portal:

    • Allow Azure services and resources to access this server

Limitations

  • The maximum size of BACPAC is 200 GiB when exporting to Azure Blob Storage.

  • For large databases, the BACPAC export and import procedures might take a long time. In certain cases, the procedures can also fail for various reasons on the Azure side.

  • Azure SQL Managed Instance databases cannot be exported via API or Azure UI.

  • Azure SQL database exports and imports are only available via SQL Authentication.

  • The database import cannot be done for a free limit database.

  • Due to the Azure SQL export limitations, multiple backups cannot be run at the same time.

  • Database properties other than the database instance type and the database size cannot be protected.

  • All Azure resources must be in the same subscription (SQL server, SQL database, and Storage Account).

Considerations

  • If the export procedure exceeds 20 hours, it might get canceled by Azure. To reduce the chance of being canceled, the clustered indexes should be present.

  • Rate limitations apply. For details about Azure Management throttling and rate limits, see Microsoft documentation.

Configuring SaaS application data backup options

Before you start protecting SaaS applications, you can adjust SaaS application protection to the needs of your data protection environment by configuring backup options in R‑Cloud.

Important  Configuring backup options is not supported for all types of SaaS applications. Additionally, the list of available backup options varies depending on the type of your SaaS application.

Backup options

Backup option Description
Exclude Resources

Enables you to specify one or more resources to be excluded from the backup.
Options

Enables you to use backup options specific to each SaaS application or SaaS application resource (for example, if you are protecting Google Cloud SQL, you can set the offload option that enables R‑Cloud to delegate the export operation to a separate data mover).
Data Movers

Enables you to specify the source, the region, and the subnet where you want R‑Cloud to create a data mover during the backup. If the specified source is an , you can also select a security group. If the specified source is an Azure resource group, you must select a network.

Important  For the SaaS applications that run in an , in an Azure resource group, or in a Google Cloud project: If you do not configure this backup option, R‑Cloud by default creates the data mover in your , Azure resource group, or Google Cloud project after you set up a target in R‑Cloud or add a source to R‑Cloud.

Prerequisites

  • For Google Cloud SaaS applications: Specifically for the HMSA, R‑Cloud requires additional permissions. For details, see Google Cloud permissions required by R‑Cloud.

  • Only if you plan to configure the data mover and select the Azure resource group as a source for the data mover. The network that you select must allow your Azure service principal or the HMSP to access the specified source and the targets that store the protected data.

  • The data movers must have access to the SaaS applications that you want to protect and to the targets that store the protected data. To ensure this, configure SaaS application backup options so that the data mover uses the appropriate subnet.

    Tip  You can check under which subnet the SaaS applications and the targets are accessible in your cloud provider management console.

Consideration

Only if you plan to store the protected SaaS application data on an Azure target. For security purposes, it is recommended that you configure SaaS application backup options so that R‑Cloud creates the data mover in the Azure resource group to keep the protected data in the same Azure environment during the backup.

Recommendation

If you plan to use targets for storing the protected data, optimize the egress data costs by configuring SaaS application backup options so that the data mover uses the same or the nearest available region as the target.

Note  R‑Cloud performs automatic synchronization of SaaS applications at periodic intervals. However, you can at any time update the list of SaaS applications also manually by clicking Synchronize Refresh.

To access the SaaS panel, in the navigation pane, click SaaS SaaS.

Procedure

  1. In the SaaS panel, select the SaaS application or the resource for which you want to configure backup options.

  2. Click Configuration Configuration. The SaaS Configuration dialog box opens.

  3. Depending on what you want to do, perform the required action:

    I want to... Instructions
    Exclude resources from the backup. On the Exclude Resources tab, select the resources that you want to exclude from the backup.
    Use a backup option specific to my SaaS application or resource. On the Options tab, specify which of the available backup options you want to use and provide the required information.
    Specify the source, the region, the subnet, the network, or the security group for a data mover.

    On the Data Movers tab, do the following:

    1. From the Compute drop-down menu, select the source for the data mover.

      Important  If the type of the source that you select for the data mover differs from the source where the target specified in the R‑Cloud policy resides, this may result in data egress charges.

    2. From the Region drop-down menu, select the preferred region.

    3. For Azure resource groups: From the Network drop-down menu, select the preferred network.

    4. From the Subnet drop-down menu, select the preferred subnet.

    5. For s: Optionally, from the Security Group drop-down menu, select the preferred security group. By default, the data mover is created in the default security group of the preferred subnet.

  4. Click Save.