Verify that your environment meets the requirements for protecting Azure VMs with Commvault.
Azure Versions
For virtual machines deployed in Azure Classic, data recovery to Premium storage accounts is not supported. This restriction applies for replication, VM conversion, and VM restore jobs.
Deprecated
For Feature Release 24 and earlier versions, existing Virtualization Azure Classic Deployment Model configurations will continue to function as defined.
For Feature Release 25 and more recent versions:
- Existing Virtualization Azure Classic Deployment Model configurations will not function as defined.
- New Virtualization Azure Classic Deployment Model configurations are not supported.
Virtual Server Agent Proxy Requirements
A physical machine or an Azure virtual machine with the Virtual Server Agent (VSA) installed can act as a VSA proxy to perform backups and restores.
Confidential VMs and Trusted Launch VMs
You can use confidential VMs and trusted launch VMs as VSA proxies.
Operating Systems
The VSA proxy machine must run one of the following operating systems:
- Windows: Configure one of the following versions with the required software:
  - Microsoft Windows Server 2022 Editions
  - Microsoft Windows Server 2019 Editions
  - Microsoft Windows Server 2016 Editions
- Linux: Use one of the following methods:
  - Best method: Deploy an Azure Marketplace virtual machine image to function as a Virtual Server Agent proxy for Azure. For more information, see Deploying a Microsoft Azure VM from the Microsoft Azure Marketplace.
  - Alternative method: Configure Red Hat Enterprise Linux (RHEL) 7.4 or 8 with the required software.
    Note: For a machine that runs RHEL 8.x or 9.x, register the machine with Red Hat so that the operating system packages required for automatic installation of Mono can be installed.
Other Requirements
- Minimum of 100 GB disk space.
- Minimum of 4 GB RAM beyond the requirements of the operating system and any other running applications. For more information, see Sizes for virtual machines in Azure.
- Minimum of 4 CPU cores.
- A VSA proxy for Azure Classic must have an Azure management certificate installed.
- If the Azure subscription includes multiple regions, deploy at least one VSA proxy per region. However, cross-subscription backups are supported for access nodes/MediaAgents—that is, access nodes/MediaAgents can be hosted in different Azure subscriptions.
- A VSA proxy for Azure must be accessible from Commvault resources outside of Azure. If the VSA proxy in Azure is not accessible using a private IP address from Commvault resources outside of Azure, a public IP address will be required. Note that if a VPN or ExpressRoute is available between on-premises resources and Azure, and if the VSA proxy is accessible using a private IP address from the CommServe and MediaAgent, then a public IP address is not required.
Deployment
For best results:
- Deploy the VSA proxy and MediaAgent on virtual machines in the Azure cloud.
- Deploy the VSA proxy on an Azure VM that is compute optimized to support faster backups.
- Enable Azure accelerated networking on the VSA proxy/MediaAgent machines in Azure. This step must be completed at the time of deploying the virtual machine. For more information, see the following Microsoft articles:
- Enable service endpoints for Microsoft Storage on the Azure virtual network subnet where the proxy and MediaAgent are connected. This will ensure that all network traffic from the proxy machine to the Azure storage account is securely flowing through the Microsoft Azure backbone network. For more information, see Microsoft Azure: Virtual Network service endpoints.
- Enable Changed Block Tracking for Azure. Changed Block Tracking (CBT) for Azure provides better backup performance than traditional cyclic redundancy check (CRC) backups. You can use CBT with unmanaged and managed disks.
Guest Operating Systems
Virtual machines being backed up can have any of the guest operating systems that are supported by the Azure platform.
Permissions
To back up Azure VMs that have been encrypted using Azure Key Vault, you need to provide the required permissions.
For more information, see Adding Permissions to Back Up Azure VMs Encrypted with Azure Key Vault.
Azure Endpoints
To support backups and restores that are not available through the Azure global endpoint, create the AzureRegion additional setting on the VSA access node and specify the additional endpoints as values.
For instructions on adding additional settings from the CommCell Console, see Add or Modify an Additional Setting.
Property | Value |
---|---|
Name | AzureRegion |
Category | VirtualServer |
Type | String |
Value | China, usgov, Germany |
Note
This additional setting can be configured for these regions only: China, usgov, and Germany.
Firewall Requirements
Tunnel ports (for example, 8400 and 8403) must be opened in the security group for the instance to enable installation of the Virtual Server Agent to Azure virtual machines and communication with the CommServe system.
If you deploy a CommServe host in an environment with firewalls, create a persistent route from the CommServe host to the VSA proxy, as documented in Setting Up Network Gateway Connections Using a Predefined Network Topology. Specify the RESTRICTED setting for connections from the CommServe host to the VSA proxy (step 3 under If you chose not to use predefined network topologies) and the BLOCKED setting in the CommServe node settings for the proxy (step 9).
If a firewall proxy is installed, configure Internet options for the firewall proxy machine. On the HTTP Proxy tab of the Internet Options dialog box, enter the user name and password for the firewall proxy machine, using only the user name and not including the domain name with the user name.
All requests from VSA proxy machines connect through port 443 of the Azure endpoints. Therefore:
- If a firewall is configured on the proxy machine, then port 443 must remain open.
- If the proxy machine is an instance in the cloud, then port 443 must be opened at the network security group level for the VSA proxy instance.
To access Azure backup and restore services for the Azure regions, incorporate the following URLs in your firewall or proxy settings.
Azure | Azure China | Azure Germany | Azure US Gov |
---|---|---|---|
https://management.azure.com/ | https://management.chinacloudapi.cn/ | https://management.microsoftazure.de/ | https://management.usgovcloudapi.net/ |
https://login.microsoftonline.com/ | https://login.chinacloudapi.cn/ | https://login.microsoftonline.de/ | https://login.microsoftonline.us/ |
https://*.blob.core.windows.net | https://*.blob.core.chinacloudapi.cn | https://*.blob.core.cloudapi.de | https://*.blob.core.usgovcloudapi.net |
https://*.blob.storage.azure.net | https://*.blob.storage.azure.net | https://*.blob.storage.azure.net | https://*.blob.storage.azure.net |
https://*.vault.azure.net | https://*.vault.azure.cn | https://*.vault.microsoftazure.de | https://*.vault.usgovcloudapi.net |
https://graph.windows.net/ | https://graph.chinacloudapi.cn/ | https://graph.cloudapi.de/ | https://graph.windows.net/ |
http://169.254.169.254/metadata/identity/oauth2/token | http://169.254.169.254/metadata/identity/oauth2/token | http://169.254.169.254/metadata/identity/oauth2/token | http://169.254.169.254/metadata/identity/oauth2/token |
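To confirm from a VSA proxy that the firewall or network security group actually allows these endpoints, the following Python script (an added example, not Commvault code) turns the URL table above into concrete host and port pairs and probes each with a plain TCP connect. The `targets` and `probe` function names and the storage account and key vault names you pass in are assumptions; wildcard entries are skipped when no name is supplied.

```python
import socket
from urllib.parse import urlsplit

# Per-cloud URLs copied from the table above, keyed by its column headings.
ENDPOINTS = {
    "Azure": "https://management.azure.com/ https://login.microsoftonline.com/ "
             "https://*.blob.core.windows.net https://*.blob.storage.azure.net "
             "https://*.vault.azure.net https://graph.windows.net/",
    "Azure China": "https://management.chinacloudapi.cn/ https://login.chinacloudapi.cn/ "
                   "https://*.blob.core.chinacloudapi.cn https://*.blob.storage.azure.net "
                   "https://*.vault.azure.cn https://graph.chinacloudapi.cn/",
    "Azure Germany": "https://management.microsoftazure.de/ https://login.microsoftonline.de/ "
                     "https://*.blob.core.cloudapi.de https://*.blob.storage.azure.net "
                     "https://*.vault.microsoftazure.de https://graph.cloudapi.de/",
    "Azure US Gov": "https://management.usgovcloudapi.net/ https://login.microsoftonline.us/ "
                    "https://*.blob.core.usgovcloudapi.net https://*.blob.storage.azure.net "
                    "https://*.vault.usgovcloudapi.net https://graph.windows.net/",
}
# Listed in every column; link-local, so it only answers from inside an Azure VM.
IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"

def targets(cloud, account=None, vault=None):
    """Sorted (host, port) pairs a VSA proxy must reach for one cloud column."""
    out = set()
    for url in ENDPOINTS[cloud].split() + [IMDS]:
        u = urlsplit(url)
        host, port = u.hostname, (443 if u.scheme == "https" else 80)
        if host.startswith("*."):
            # Wildcard entry: needs a real storage account or key vault name.
            label = vault if ".vault." in host else account
            if not label:
                continue
            host = label + host[1:]
        out.add((host, port))
    return sorted(out)

def probe(host, port, timeout=5.0):
    """True if a TCP connection succeeds (reachability only, no TLS check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # "examplestorageacct" is a constructed placeholder account name.
    for host, port in targets("Azure", account="examplestorageacct"):
        print(f"{host}:{port}", "open" if probe(host, port) else "BLOCKED")
```

A successful connect shows only that the path is open; if a firewall proxy sits in between, test through that proxy instead of connecting directly.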
Configuring a Firewall to Install the Virtual Server Agent on a Cloud VM or Instance
To deploy the Virtual Server Agent (VSA) or MediaAgent on a cloud VM or instance when other components (such as the CommServe host) are on premises, configure a Commvault firewall connection between the on premises components and the cloud VM or instance.
Hardware Specifications
For information about hardware requirements for the Virtual Server Agent, see Hardware Specifications for Virtual Server Agent.