β Important
This feature has limited availability. To know more about limited availability and sign up for this feature, contact your Account Manager.
Software requirements
Azure VM instance size
Create an Azure virtual machine with the minimum specifications required for protection support.
We recommend a Standard D16s v5 - 16 CPU, 64GB memory.
Platform: Ubuntu version 22 and above.
For more information, see Create Azure VM instance.
Operating System
Azure VM backup supports only Ubuntu proxies.
Supported Blob Storage resources
We back up and restore the following Blob Storage resources:
Storage accounts
Account kind: StorageV2 (general purpose v2)
Containers
Blobs
Prerequisites
To implement Azure Blob via NAS, you must:
Configure an Azure VM that will work as a NAS proxy.
Attach the custom role to the managed identity of the Azure virtual machine with below mentioned Azure permissions. For detailed steps, follow the below sections.
Set up an Azure VM
You must first set up an Azure VM for the NAS proxy to be installed.
π Note
Azure virtual machine and storage account must be in the same region, otherwise data egress charges will be applicable.
Perform the following:
Sign in to the Azure portal.
Navigate to Home > Compute infrastructure > Infrastructure > Virtual machines > Create > Azure virtual machine to create a virtual machine.
β
For more information, see article.
Create a custom role
Managed identity is automatically managed by Azure and can be leveraged by a virtual machine (or other service) to authenticate to Azure services (such as storage accounts) without having to supply any credentials.
To create a custom role for any subscription for performing backup/restore:
Navigate to Home > Subscriptions <Subsciption name> > Access Control (IAM).
Click Add > Add custom role.
β
Inside the custom role, provide the name of the Custom role, and go to the JSON tab.
β
In the JSON tab:
Click Edit.
Mention subscription ID or storage account (that you want to backup) under assignableScopes.
Add the permissions into the custom role.
β{ "id": "/subscriptions/ea4af27d-c4e8-4969-b460-701bd493699e/providers/Microsoft.Authorization/roleDefinitions/0dfff945-7989-4baf-a770-be0bbec4177e", "properties": { ... "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/write", "Microsoft.Storage/storageAccounts/blobServices/containers/read", "Microsoft.Storage/storageAccounts/read", "Microsoft.Storage/storageAccounts/write", "Microsoft.Storage/storageAccounts/blobServices/containers/getAcl/action", "Microsoft.Storage/storageAccounts/blobServices/containers/setAcl/action" ], "notActions": [], "dataActions": [ "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action" ], "notDataActions": [] } ] }}
For more information on these permissions, see the table below.
β
Click Save.
Click Review + create.
Assign a custom role
Once the Azure virtual machine is created, assign a custom role, which has the permission to read and write blobs to the VM via managed identities.
Click the virtual machine.
Go to Security > Identity.
Under System assigned tab, set the Status as On to enable system-assigned identities.
Click Azure role assignments to assign a role.
β
Click Add role assignment (Preview).
β
Select a scope (subscription).
Select a role (custom role created in the previous step).
Click Save.
Once the managed identities are set, follow the NAS activation process on the Azure VM and it can then be used to perform backup and restore operations.