Setting up an Azure target

R‑Cloud supports using an Azure target to store data in the highly available, scalable, and secure Azure cloud storage.

Prerequisites

  • To allow the HYCU Managed Service Principal (HMSP) to perform all operations on the target, you must add an Azure resource group to R‑Cloud as a source. For instructions, see Adding an Azure resource group.

  • Only if you plan to use a custom Azure service principal to access the Azure target. You must add an Azure service principal to R‑Cloud. For instructions, see Adding an Azure service principal.

  • Only if you plan to store data on an Azure target for which immutability (WORM) is enabled. You must set the enable version-level immutability support option at the storage account level. For details, see Azure documentation.

  • Only if you want the data stored on this target to be encrypted by using the customer managed key management type. The length of your AES-256 key must be 32 bytes.

Limitations

  • Storing data to a publicly available target is not supported. Therefore, make sure that the Allow Blob anonymous access setting is disabled in Azure.

  • Storing data to a target for which a lifecycle management policy is configured is not supported and may result in data loss.

  • Only StorageV2 (general-purpose v2) storage accounts can be set up as a target.

  • Only if you plan to enable target encryption. The following limitations apply:

    • Target encryption is limited to the SaaS application data.

    • R‑Cloud cannot encrypt data of the SaaS applications that are related to R‑Cloud modules that use staging targets or only use snapshots to store backup data. For details, see the relevant topics for your SaaS application in Protecting SaaS applications

Considerations

  • You can set up the same target in multiple protection sets.

  • Only if you plan to store data to an Azure target for which immutability (WORM) is enabled. When backing up data, R‑Cloud sets the retention period of the immutable blob data to the retention period defined in the R‑Cloud policy.

  • Only if you plan to enable target encryption. Consider the following:

    • The R‑Cloud encryption is applied on top of the native cloud platform data encryption to provide an additional layer of security.

    • After you enable target encryption, the previously stored backup data remains unencrypted.

    • If you decide to disable target encryption, the backup data that was stored on the target while the target encryption was enabled remains encrypted.

    • The SaaS applications metadata is not encrypted.

To access the Targets panel, in the navigation pane, click Targets Targets. Alternatively, in the Dashboard panel, click the Targets widget title.

Procedure

  1. In the Targets panel, click Add Add.

  2. Select Azure, and then click Next.

  3. In the Storage Account Name field, enter the name of the Azure storage account that will store backup data.

  4. In the Size Quota field, specify the amount of storage space that should be used for storing data (in MiB, GiB, or TiB).

    Important  The specified amount represents a soft limit, therefore actual usage may exceed it.

  5. Use the Enforce quota switch to stop running backups if this target reaches its size quota. The backups will start running again after you increase the size quota of this target or assign a different policy to the entities. Such a policy must use a target with the sufficient size quota.

  6. Use the Target encryption switch if you want the SaaS application data stored on this target to be encrypted.

    1. From the Key Management Type drop-down menu, select one of the following:

      • Select HYCU managed if you want the encryption key to be provided and managed by HYCU.

      • Select Customer managed if you want to provide and manage the encryption key by yourself.

    2. Only if you selected the customer managed key management type. In the AES-256 Encryption Key field, browse for and select your AES-256 binary key.

      Note  If you later decide to edit the target, the AES-256 Encryption Key field will remain populated.

  7. Only if you want to use a custom Azure service principal.

    1. From the Cloud Account drop-down menu, select the Azure service principal that you want to be used for performing all operations on the target.

      By clicking Add Add New, you are automatically redirected to the dialog box that enables you to add the preferred cloud account to R‑Cloud, if not already added.

    2. Click Grant Consent to create a custom role that includes the necessary permissions for accessing the Azure target and to assign the role to the selected Azure service principal.

      Note  The name of the custom role is HYCU Storage Account Role.

    3. In the Azure portal, do the following:

      1. Specify the subscription and the resource group that include the target.

      2. Depending on whether you want to assign your custom role to the service principal at the subscription or resource group scope, select subscription or resource group.

      3. Click Review + create to view the summary, and then click Create.

    4. Return to the R‑Cloud web user interface.

  8. Click Save.

The target is added to the list of targets in the Targets panel. For details on managing targets, see Managing targets.