
Azure SQL Architecture

Updated today

This document outlines the architecture of a system designed to back up customer Azure SQL resources to a dedicated cloud storage environment. The system operates across three primary domains: the Customer Azure Environment, Druva Azure Processing Agents, and the Druva Cloud Storage infrastructure.

The core process involves an in-tenant agent, the Quantum Bridge, which accesses Azure SQL databases and transfers data to a Druva Data Proxy. This data is then processed and moved from transient storage to a secure, Customer Isolated Block Storage repository. A key efficiency feature is the matching of Azure regions between the customer's resources and Druva's processing agents to enable free data transfer.

Security is foundational to the architecture, employing a customer-managed key and isolated storage blocks. The entire system's functionality is contingent upon the specific roles and permissions established during the initial onboarding process, which requires an Azure global administrator.

System Architecture and Data Flow

The architecture is composed of distinct, interconnected environments that manage the end-to-end backup and storage process.

Customer Azure Environment

This is the source environment containing the customer's data and the necessary Druva components for initiating backups.

Onboarding: The process is initiated by an Entra ID user with the Azure global administrator role. This user deploys the Druva Enterprise App, which facilitates the setup of the Druva Backup App.

Core Components:

Azure SQL Resources: The target customer databases to be protected.

Quantum Bridge: An in-tenant component that directly interfaces with the Azure SQL Databases. It operates using a dedicated Backup Role to gain the necessary access.

Customer Key: A customer-controlled encryption key used to secure the databases.

Druva Azure Processing Agents

This environment acts as the intermediary layer, responsible for processing and staging data received from the customer's tenant.

Druva Data Proxy: Receives data from the Quantum Bridge. This communication is divided into a Control Plane for command and control and a Data Plane for the actual data transfer.

Regional Matching: The connection between the Quantum Bridge and the Druva Data Proxy is established within the same Azure region. This is explicitly done to leverage "free data transfer in the same region," optimizing for cost and performance.

Transient Storage: Data received by the proxy is temporarily held in Transient Blob Storage before being written to the permanent storage repository.
