> Software > Cleanroom recovery > Setup > Azure cleanroom sites

Create the Azure resources required for cleanroom

For recovery to an Azure cleanroom site, you need a new Azure subscription, a new application, a new storage account, and other resources.

Note

The steps on this page are performed in Azure, and many of the links are to Microsoft documentation.

To create the required resources, do the following:

  1. Create a new Azure subscription.

  2. Register the following Azure resource providers:

    • Microsoft.ADHybridHealthService
    • Microsoft.Authorization
    • Microsoft.Billing
    • Microsoft.ChangeAnalysis
    • Microsoft.ClassicSubscription
    • Microsoft.CloudShell
    • Microsoft.Commerce
    • Microsoft.Compute
    • Microsoft.Consumption
    • Microsoft.CostManagement
    • Microsoft.Features
    • Microsoft.GuestConfiguration
    • Microsoft.MarketplaceOrdering
    • Microsoft.Network
    • Microsoft.OperationalInsights
    • Microsoft.Portal
    • Microsoft.ResourceGraph
    • Microsoft.ResourceNotifications
    • Microsoft.SerialConsole
    • Microsoft.Storage
    • Microsoft.Support

  3. Create a new Azure application and secret.

  4. Assign the Commvault_Cleanroom role to the Azure application.

  5. Create a resource group in the region where the VMs/instances will be recovered.

  6. Create a locally-redundant storage account or a general purpose v2 storage account in the region where the VMs/instances will be recovered.

  7. Create a virtual network with the following subnet design and connectivity rules using Azure network security group (NSG) rules:

    • A subnet for hosting recovered VMs/instances, with one of the following secure access methods:

      • Preferred: Use Azure Bastion for secure, agentless access.

      • Alternate: Configure NSG rules to allow restricted access to the following ports, to trusted IP ranges only:

        • Windows VMs/instances: (TCP 3389)

        • Linux VMs/instances: SSH (TCP 22)

    • A subnet for the auto-scaled access nodes, with a NAT gateway for outbound internet access using NSG rules:

      • TCP 8403: Required for communication with your recovered control plane. Instead of allowing unrestricted outbound access on this port, configure NSG rules to allow restricted access, to control plane IP addresses only.

      • TCP 443: Required for communication with Air Gap Protect services.

  8. Verify that the virtual network for the auto-scaled access nodes has access to the storage account that you assigned to the subscription.

×

Loading...