The architecture and data flow across components within Druva’s infrastructure and the customer’s environment are illustrated below:
Customer infrastructure
Druva Enterprise App: This is a Microsoft-certified app built by Druva to create the initial connection between the customer account and Druva’s environment.
During initial onboarding, Azure creates a copy of the app in the customer’s account, granting temporary onboarding permissions.
Druva Backup App: The new backup service principal created by the onboarding app.
Backup Role: This is created within each subscription selected for protection, granting permissions to the Druva Backup App to perform backup and restore operations in the customer’s Azure account.
Encryption Key: The Onboarding flow creates a Vault in the customer’s Key Vault service to be used by the Backup Role to encrypt and decrypt data.
The secondary encryption key secret is used to decrypt the primary encryption key held by Druva. This secondary secret mechanism ensures that customers have complete control over their data stored in Druva, because the data cannot be decrypted without both keys.
Protected VM: The Azure VM that the customer has chosen to protect.
Full and Incremental snapshot: Druva identifies the VMs to be protected and creates one full Azure native snapshot for each disk during the first backup.
The subsequent backup job creates a new Azure native snapshot, which is incremental to the first full snapshot.
Each consecutive backup job creates an incremental snapshot and previous snapshots are replaced by the new latest full snapshot.
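The two-key arrangement described under Encryption Key, as an added example that is not Druva's code: a primary key stored on the provider side only in wrapped form, recoverable only with a secret held in the customer's vault. The page does not state which algorithm Druva uses; the HMAC-SHA256 masking below is a standard-library stand-in for a standard key wrap such as AES Key Wrap (RFC 3394), and all names and values are constructed.

```python
import hashlib
import hmac
import secrets

SALT_LEN, KEY_LEN, TAG_LEN = 16, 32, 32

def subkey(secret: bytes, salt: bytes, label: bytes) -> bytes:
    # One independent 32-byte subkey per purpose, derived from the customer secret.
    return hmac.new(secret, label + salt, hashlib.sha256).digest()

def wrap_key(primary_key: bytes, customer_secret: bytes) -> bytes:
    """Return salt || masked key || tag: the form the provider may store."""
    if len(primary_key) != KEY_LEN:
        raise ValueError("primary key must be 32 bytes")
    salt = secrets.token_bytes(SALT_LEN)
    pad = subkey(customer_secret, salt, b"wrap")
    masked = bytes(k ^ p for k, p in zip(primary_key, pad))
    mac_key = subkey(customer_secret, salt, b"auth")
    tag = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    return salt + masked + tag

def unwrap_key(blob: bytes, customer_secret: bytes) -> bytes:
    """Recover the primary key; ValueError on a wrong secret or a modified blob."""
    if len(blob) != SALT_LEN + KEY_LEN + TAG_LEN:
        raise ValueError("malformed wrapped key")
    salt, masked = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + KEY_LEN]
    mac_key = subkey(customer_secret, salt, b"auth")
    expected = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(blob[-TAG_LEN:], expected):
        raise ValueError("unwrap failed: wrong secret or modified blob")
    pad = subkey(customer_secret, salt, b"wrap")
    return bytes(m ^ p for m, p in zip(masked, pad))

def can_recover(blob: bytes, vault_secret) -> bool:
    # vault_secret=None models a deleted secret or revoked Key Vault access.
    if vault_secret is None:
        return False
    try:
        unwrap_key(blob, vault_secret)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    vault_secret = secrets.token_bytes(32)   # constructed: secret in the customer's vault
    primary_key = secrets.token_bytes(32)    # constructed: data-encryption key
    stored = wrap_key(primary_key, vault_secret)  # what the provider keeps
    print("vault secret available:", can_recover(stored, vault_secret))
    print("secret rotated/replaced:", can_recover(stored, secrets.token_bytes(32)))
    print("secret deleted/revoked:", can_recover(stored, None))
```

Deleting the vault secret or revoking access to it leaves the stored blob, and therefore the backup data encrypted under the primary key, undecryptable.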
Druva's infrastructure
Druva Enterprise App: This is a Microsoft-certified app built by Druva to create the initial connection between the customer account and Druva’s environment.
Druva Storage Engine: The data proxy uses deduplication APIs to determine which data is to be transferred to the assigned Druva storage.
The costs for data transfer within Druva infrastructure are incurred by Druva.
Druva Data Proxy: An Azure VM within Druva's Azure account is paired to the same region as the protected VM within the customer's account. This VM remains active only until the backup job executes.
The Data Proxy uses the Backup App service principal to connect to the customer account, and to create and read the snapshot data.
No network connectivity is required as these operations are issued via Azure APIs, and no egress costs are incurred as the proxy is in the same region as the protected VM.