Overview of Azure subscription onboarding process
To protect your Azure SQL resources, you must first connect your Azure Tenant to Druva and onboard your Azure subscriptions to the Druva ecosystem. As a part of the onboarding process, you must assign an administration group and also specify a preferred Druva storage where you want to backup your data. By default, a Default Druva Storage will be assigned to back up data from all Azure regions. However, you can assign more specific region-wise storage. For more information, see Map storage.
With Druvaโs Azure data protection, the onboarding process has never been easier!
Follow these three easy steps to onboard a new subscription for the first time, and you are all set:
Step | Action |
1. Select subscriptions | Select the subscription (s) for backup and restore. |
2. Assign administrative group and/or Storage rules |
|
3. Authorize subscriptions | Authorize the creation of an access key in the Azure vault. This key is used to encrypt backups. |
Register Azure SQL Subscriptions
Prerequisites
Ensure you complete the following prerequisites before proceeding with the onboarding process:
How to add a new subscription
Log in to the Management Console.
On the console, from the top menu, select Organization.
Select Protect > Go to Azure > Azure.
Click Register.
On the Microsoft Sign-in page, enter the Microsoft Azure credentials and click Next.
Accept the default permissions.
On the subscriptions modal window that appears, do the following:
Select the subscription(s) you want to protect and click Next.
โ
๐ Note
โYou cannot select subscriptions that are already registered or onboarded.
โ
โ
โ
On the Access & Storage tab, in the Group Access section, either select an Administrative Group or create a new Administrator Group.
โIn the Storage Rules section, select a default Druva storage for all regions and click Next. You can also add additional storage rules.
โ
๐ NotesOnce you assign a default storage rule, you cannot delete it later. However, you can delete other storage rules created subsequently.
You can create multiple storage rules.
When assigning storage rules, adhere to your compliance and governance policies.
Once storage is assigned to a region then it gets permanently associated with that region. Consequently, all the VMs will continue to get backed up and stored in this region.
โ
On the E-Key Settings tab, select the following:
Provide the Key Vault Name.
Provide the Azure Resource Group Name.
Select the Primary Region. This is the Azure Region which is used to create the Security Key Vault Name and Resource Group
Select the Secondary Region. This will be used to create the Key vault and Resource Group, when the Primary Region is unavailable.
Select the Authorization check box. This authorizes creation of the encryption keys for the selected subscriptions.
If not authorized, backups will fail for resources within these subscriptions.
โ
๐ Note
โThe subscriptions are onboarded successfully even if you do not authorize the creation of an access key in your Azure vault. However, resources in these subscriptions will not be backed up unless you authorize the subscriptions.
โ
e. Click Finishโ.
The subscriptions are onboarded successfully and are listed on the Azure subscriptions listing page.โ
How to add subsequent subscriptions
You can add subscriptions during onboarding or later at any point in time. To add subscriptions for the first time, see Register Azure subscriptions.
For adding more subscriptions at a later stage, see the following procedure:
Log in to the Management Console.
On the console, from the top menu, select Organization.
Select Protect > Go to Azure > Azure.
On the Azure subscriptions page, click Add Subscriptions.
On the Microsoft Sign in page, enter the Microsoft Azure credentials and click Next.
Accept the default permissions.
On the Add Subscriptions window, do the following:
Select the subscription(s) you want to protect and click Next.
โ
๐ Note
โYou cannot select subscriptions that are already onboarded.
โOn the Access & Storage tab, in the Group Access section, either select an Administrative Group or create a new Administrator Group and click Next.
On the E-Key Settings tab, select the following:
Provide the Key Vault Name.
Provide the Azure Resource Group Name.
Select the Primary Region. This is the Azure Region which is used to create the Security Key Vault Name and Resource Group
Select the Secondary Region. This will be used to create the Key vault and Resource Group, when the Primary Region is unavailable.
Select the Authorization check box. This authorizes creation of the encryption keys for the selected subscriptions.
If not authorized, backups will fail for resources within these subscriptions.
โ
๐ Note
โThe subscriptions are onboarded successfully even if you do not authorize the creation of an access key in your Azure vault. However, resources in these subscriptions will not be backed up unless you authorize the subscriptions.
โ
e. Click Finishโ.
Administrative groups
An administrative group is a logical categorization of subscriptions. For example, subscriptions with resources located in one region can belong to one administrative group. An administrative group allows you to segregate subscriptions for Role-Based Access Control (RBAC) purposes, enabling more granular and organized management of resources and permissions.
While onboarding Azure subscriptions, you must assign administrative groups. You can assign one administrative group to manage multiple subscriptions. If no administrative group is available, you can create a new Administrator Group.
Considerations
The following are some of the important points to consider for administrative groups:
You should be a Cloud Admin to create or edit an administrative group.
Administrative group is associated with an organization. If you want to create an administrative group for a specific organization, you must select that particular organization.
You can select an administrative group while onboarding Azure subscriptions.
You can select one existing administrative group for the multiple subscriptions. If no group exists, you can create an administrative group while onboarding Azure subscriptions.
You can delete an administrative group. However, before deleting, you must move the Hybrid resources, AWS accounts, and Azure subscriptions to a different group.
If you want to give granular access to the onboarded subscriptions, you can do so from DCP or Enterprise Workloads console where you can specify Azure subscriptions for specific group admins.
Create a new administrative group
On the Management Console, while adding a subscription, on the Add Subscription > Access & Storage tab, in the Group Access section, click on the Administrative Group dropdown.
Click + New Administrative Group.
โ
On the New Administrative Group window, provide name and description and click Save.
Delete an administrative group
You can delete an Administrative group. However, before deleting, you must move the Hybrid resources, AWS accounts, and Azure subscriptions to a different group.
Log in to the Management Console.
On the console, from the top menu, select Organization and then click Manage > Administrative Groups.
The Manage Administrative Groups page displays a list of available administrative groups.To delete an administrative group, do either of the following:
Select an administrative group and click Delete.
Click on the administrative group that you want to delete, and on the Administrative group details page, click Delete.
Click Yes on the confirmation dialog box to proceed with the deletion.
Related Keywords: Azure SQL onboarding