You can now protect secured Azure Storage Accounts for Blobs and Files using Druva’s Quantum Bridge technology. Restricted access support allows Druva to protect Azure Blob and Azure Files storage accounts that have network restrictions enabled. By default, Azure Storage accounts are created with public network access enabled from all networks.
However, Microsoft recommends using Azure storage firewall rules or Private Endpoints to secure access to storage accounts over public or private networks.
Enterprise Workloads uses a temporary virtual machine (VM) in your subscription, known as the Quantum Bridge, to facilitate data transfer in these secured environments. It requires outbound connectivity from the selected Azure VNet to the control plane.
Key Features
Support for Private Endpoints: Enterprise Workloads can back up storage accounts where public access is disabled and access is only permitted via Private Endpoints.
Support for Service Endpoints: Druva protects storage accounts configured with Public access from selected networks, accessed via Service Endpoints.
Automated Life-Cycle Management: Druva automatically spawns a temporary VM in your Azure subscription during backup and restore jobs and destroys it once the task is complete to optimize costs.
Supported Network Configurations
| Public Network Access + Scope | Description | Support |
| --- | --- | --- |
| Public access, All networks | Public network access is enabled, with network access scope set to Enable from all networks | Supported (Standard) |
| Public access, Selected networks | Public network access is enabled, with network access scope set to Enable from selected networks | Supported (via Quantum Bridge) |
| Public access, Disabled | Public network access is disabled. Private endpoints are configured on the storage accounts. | Supported (via Quantum Bridge) |
| Public access, secured by perimeter | Public network access is set to Secured by perimeter. | Supported in NSP-Transition mode only. |
System Requirements
Before configuring restricted access for Azure Blob Storage, ensure your environment meets the following infrastructure requirements.
Network Requirements
Outbound Connectivity: The VNet and Subnet selected for the Quantum Bridge must have outbound access to the Druva control plane. See Druva's list of URLs that must be allowed.
Service Endpoints: When using storage accounts with public access enabled with storage firewall rules applied, the Microsoft.Storage service endpoint will be used to access your storage account securely. This happens automatically when you configure a Virtual Network (VNet) rule for your storage account. To learn more about VNet rules, see Virtual Network Rules.
Private Endpoints: When using storage accounts with public network access set to Disabled, a Private Endpoint must be pre-configured for the storage account in the same subscription and the same region as the resource. To learn more about private endpoints, see Use private endpoints for Azure Storage.
Compute Requirements
VM Quota: Your Azure subscription must have sufficient quota for the VM instance type used by the Quantum Bridge.
Resource Group: Temporary resources are created within the same resource group as your selected Virtual network or Private endpoint.
IP availability: Verify that your target subnet has at least 10 available IP addresses to accommodate the automated provisioning of Quantum Bridge VMs during active backup or restore jobs. This ensures that multiple backup and restore jobs can run concurrently.
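The support table and the network and compute requirements above translate into a readiness check that can be run before the first backup job. The following script is an added example written for this page, not Druva's or Microsoft's code. It classifies a storage account into the table's rows from the fields that `az storage account show` returns (`publicNetworkAccess`, `networkRuleSet.defaultAction`, `networkRuleSet.virtualNetworkRules`, `privateEndpointConnections`), estimates free addresses in the Quantum Bridge subnet from `az network vnet subnet show` output (Azure reserves five addresses per subnet), and confirms the `Microsoft.KeyVault` provider is registered from `az provider list` output. The check that the bridge subnet is named in a VNet rule on the account is this example's reading of the Service Endpoints requirement; the JSON samples, subscription id, resource names and addresses are constructed placeholders.

```python
"""Preflight check for Druva restricted-access protection of an Azure Storage account.

Added example for this page: consumes JSON as returned by the Azure CLI so the
decision logic can be exercised offline against constructed samples.
"""
import ipaddress
from dataclasses import dataclass

AZURE_RESERVED_IPS_PER_SUBNET = 5   # Azure reserves the first four and the last address of every subnet
MIN_FREE_IPS = 10                    # free addresses the page requires in the Quantum Bridge subnet
REQUIRED_PROVIDER = "Microsoft.KeyVault"


@dataclass
class Finding:
    ok: bool
    message: str


def classify_storage_network(account: dict) -> tuple:
    """Map the account's network settings onto the page's support table: (configuration, support)."""
    pna = account.get("publicNetworkAccess", "Enabled")
    default_action = account.get("networkRuleSet", {}).get("defaultAction", "Allow")
    private_endpoints = account.get("privateEndpointConnections") or []
    if pna == "SecuredByPerimeter":
        return "Public access, secured by perimeter", "Supported in NSP-Transition mode only"
    if pna == "Disabled":
        if not private_endpoints:   # the page requires a pre-configured private endpoint here
            return "Public access, Disabled", "Not supported: no private endpoint on the account"
        return "Public access, Disabled", "Supported (via Quantum Bridge)"
    if default_action == "Deny":    # storage firewall on, selected networks only
        return "Public access, Selected networks", "Supported (via Quantum Bridge)"
    return "Public access, All networks", "Supported (Standard)"


def subnet_free_ips(subnet: dict) -> int:
    """Free addresses in a subnet: prefix size minus Azure's reserved five minus in-use IP configurations."""
    net = ipaddress.ip_network(subnet["addressPrefix"], strict=False)
    in_use = len(subnet.get("ipConfigurations") or [])
    return net.num_addresses - AZURE_RESERVED_IPS_PER_SUBNET - in_use


def provider_registered(providers: list, namespace: str = REQUIRED_PROVIDER) -> bool:
    """True if the provider list shows the namespace in the Registered state."""
    return any(p.get("namespace") == namespace and p.get("registrationState") == "Registered"
               for p in providers)


def subscription_of(resource_id: str) -> str:
    """Extract the subscription id from an ARM resource id ('' if the id is not in ARM form)."""
    parts = resource_id.strip("/").split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "subscriptions" else ""


def preflight(account: dict, subnet: dict, providers: list) -> list:
    """Run every check the page's requirements imply and return a list of Findings."""
    findings = []
    config, support = classify_storage_network(account)
    findings.append(Finding(not support.startswith("Not supported"), f"{config}: {support}"))

    # Service Endpoint path: the bridge subnet should be allowed by a VNet rule on the account
    # (assumption drawn from the page's Service Endpoints requirement).
    if config == "Public access, Selected networks":
        rules = account.get("networkRuleSet", {}).get("virtualNetworkRules") or []
        allowed = {r.get("virtualNetworkResourceId", "").lower() for r in rules}
        findings.append(Finding(subnet["id"].lower() in allowed,
                                "bridge subnet is allowed by a VNet rule on the storage account"))

    # Private Endpoint path: the endpoint must live in the same subscription as the account.
    if config == "Public access, Disabled":
        acct_sub = subscription_of(account.get("id", ""))
        for pe in account.get("privateEndpointConnections") or []:
            pe_sub = subscription_of(pe.get("privateEndpoint", {}).get("id", ""))
            findings.append(Finding(pe_sub == acct_sub,
                                    f"private endpoint is in the account's subscription ({pe_sub or '?'})"))

    free = subnet_free_ips(subnet)
    findings.append(Finding(free >= MIN_FREE_IPS, f"{free} free IPs in bridge subnet (need {MIN_FREE_IPS})"))
    findings.append(Finding(provider_registered(providers), f"{REQUIRED_PROVIDER} resource provider registered"))
    return findings


# Constructed sample inputs (placeholder subscription id and resource names, not real resources).
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_SUBNET_ID = (f"/subscriptions/{SAMPLE_SUBSCRIPTION}/resourceGroups/rg-backup/providers/"
                    "Microsoft.Network/virtualNetworks/vnet-backup/subnets/snet-bridge")
SAMPLE_ACCOUNT = {
    "id": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/resourceGroups/rg-data/providers/"
          "Microsoft.Storage/storageAccounts/stexample",
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Deny",
                       "virtualNetworkRules": [{"virtualNetworkResourceId": SAMPLE_SUBNET_ID}]},
    "privateEndpointConnections": [],
}
SAMPLE_SUBNET = {"id": SAMPLE_SUBNET_ID, "addressPrefix": "10.20.30.0/27",
                 "ipConfigurations": [{"id": f"{SAMPLE_SUBNET_ID}/ipconfig{i}"} for i in range(3)]}
SAMPLE_PROVIDERS = [{"namespace": "Microsoft.KeyVault", "registrationState": "Registered"},
                    {"namespace": "Microsoft.Storage", "registrationState": "Registered"}]

if __name__ == "__main__":
    for finding in preflight(SAMPLE_ACCOUNT, SAMPLE_SUBNET, SAMPLE_PROVIDERS):
        print("PASS" if finding.ok else "FAIL", finding.message)
```

With the constructed sample the account lands in the "Selected networks" row, the /27 subnet has 24 free addresses after Azure's reserved five and three in-use configurations, and every finding passes; swapping in a /29 subnet or an account with public access Disabled and no private endpoint produces a FAIL line for the corresponding requirement.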
Roles and Permissions
To enable Druva to discover and protect your Azure Blob resources, specific permissions must be granted within your Azure Tenant and Subscriptions.
Required Azure Roles
| Level | Required Role | Purpose |
| --- | --- | --- |
| Tenant Level | Global Administrator | Initial registration, Entra ID app creation, and custom role definition. |
| Subscription Level | Owner | Authorizing Druva to manage resources and create the required Key Vault access keys. |
Automation and Service Permissions
The following configurations need to be enabled in the Azure portal:
App Registration: The setting "Users can register applications" must be set to Yes in Entra ID.
Resource Providers: The Microsoft.KeyVault resource provider must be registered for the subscription.
Managed Identity: Druva uses a System-Assigned Managed Identity (SAMI) for the vault to access the storage accounts securely.