Commvault uses Azure resource providers to perform data protection and data recovery operations for virtual machines that run in Azure or Azure Stack.
These resource providers are used only to access snapshots, disks, and virtual machine configurations that are required for backing up virtual machines to storage media, for recovering virtual machines, and for deleting intermediate entities that are created by Commvault during those operations. When a user who has the required administrative privileges requests that a recovered virtual machine overwrite the original virtual machine, the resource providers are also used to remove the original virtual machine, but only after confirmation from the user.
Commvault usage of Azure resource providers is controlled by the service principal that is used to create a virtualization client (hypervisor). To perform authentication, the virtualization client can use a managed identity or Active Directory application-based client credentials to access the Azure or Azure Stack subscription.
For more information about Azure resource providers, go to Azure resource providers and types on the Microsoft documentation website.
The following table shows the Azure resource providers that are needed for Commvault operations and describes how Commvault uses each resource provider.
Resource Providers | Backups | Restores | VM conversions | Replication | Usage |
---|---|---|---|---|---|
Microsoft.Compute/availabilitySets/Read | Yes | -- | -- | -- | Get the availability set details of the VM. |
Microsoft.Compute/diskEncryptionSets/read | -- | Yes | Yes | -- | List the disk encryption set options for the region. |
Microsoft.Compute/disks/* | Yes | Yes | -- | Yes | Perform all disk actions. |
Microsoft.Compute/locations/* | Yes | Yes | -- | Yes | List the available VM sizes for a location and track the status of asynchronous API operations. |
Microsoft.Compute/proximityPlacementGroups/read | Yes | Yes | -- | -- | Get the proximity placement group properties. |
Microsoft.Compute/proximityPlacementGroups/write | Yes | Yes | -- | -- | Create a new proximity placement group or update an existing one. |
Microsoft.Compute/restorePointCollections/* | Yes | Yes | -- | Yes | Perform all restorePointCollection activities. |
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action | -- | Yes | -- | Yes | RBAC action for assigning an existing user-assigned identity to a resource. |
Microsoft.Compute/snapshots/* | Yes | Yes | -- | Yes | Perform all snapshot activities. |
Microsoft.Compute/virtualMachines/* | -- | Yes | Yes | Yes | Create virtual machines during restore operations. |
Microsoft.KeyVault/checkNameAvailability/read | -- | Yes | Yes | Yes | Validate the name of a key vault. |
Microsoft.KeyVault/vaults/accessPolicies/write | -- | Yes | Yes | Yes | Add, merge, or replace an access policy in a key vault. |
Microsoft.KeyVault/vaults/deploy/action | -- | Yes | Yes | Yes | Access secrets in a key vault when you deploy Azure resources. |
Microsoft.KeyVault/vaults/keys/* | Yes | Yes | -- | Yes | Access key vault when configured with RBAC. Used only for encrypted VMs. |
Microsoft.KeyVault/vaults/read | Yes | Yes | Yes | Yes | Get the key vault properties. |
Microsoft.KeyVault/vaults/secrets/* | Yes | Yes | -- | Yes | Access key vault when configured with RBAC. Used only for encrypted VMs. |
Microsoft.KeyVault/vaults/write | -- | Yes | Yes | Yes | Create or update a key vault for an encrypted VM. |
Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action | Yes | Yes | Yes | Yes | Join an IP Configuration to application security groups. Not alertable. |
Microsoft.Network/applicationSecurityGroups/read | Yes | Yes | Yes | Yes | Get an application security group ID. |
Microsoft.Network/loadBalancers/read | -- | -- | -- | Yes | Get a load balancer definition. |
Microsoft.Network/locations/* | Yes | Yes | -- | Yes | Track the status of asynchronous API operations. |
Microsoft.Network/networkInterfaces/* | Yes | Yes | -- | Yes | Perform all network interface actions to create or attach existing network interfaces. |
Microsoft.Network/networkSecurityGroups/join/action | -- | -- | -- | Yes | Join a network security group. |
Microsoft.Network/networkSecurityGroups/read | -- | Yes | -- | Yes | Get a network security group definition. |
Microsoft.Network/publicIPAddresses/delete | -- | Yes | -- | Yes | Delete the public IP address. |
Microsoft.Network/publicIPAddresses/join/action | -- | Yes | -- | Yes | Join a public IP address. |
Microsoft.Network/publicIPAddresses/read | Yes | Yes | -- | Yes | Get a public IP address. |
Microsoft.Network/publicIPAddresses/write | -- | Yes | -- | Yes | Create or update an existing IP address. |
Microsoft.Network/virtualNetworks/read | Yes | Yes | -- | Yes | Get virtualNetworks information. |
Microsoft.Network/virtualNetworks/subnets/join/action | -- | -- | -- | Yes | Join a subnet. |
Microsoft.Network/virtualNetworks/subnets/read | Yes | Yes | -- | Yes | Get virtualNetworks information about a subnet. |
Microsoft.ResourceHealth/availabilityStatuses/read | -- | Yes | -- | Yes | Get the availability statuses for the resources in a specified scope. |
Microsoft.Resources/deployments/* | Yes | Yes | -- | Yes | Create and manage a deployment. |
Microsoft.Resources/subscriptions/resourceGroups/read | Yes | Yes | Yes | Yes | Get a list of resource groups. |
Microsoft.Storage/storageAccounts/* | Yes | Yes | -- | Yes | Create and manage a storage account on Blob. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Yes | Yes | -- | Yes | Access unmanaged VM blob. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | -- | Yes | -- | Yes | Access unmanaged VM blob. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | Yes | Yes | -- | Yes | Access unmanaged VM blob. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Yes | Yes | -- | Yes | Access unmanaged VM blob. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | -- | Yes | -- | Yes | Access unmanaged VM blob. |
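
Because the service principal's role decides what Commvault can do in the subscription, it is worth checking a custom role against the table for the operations that principal actually performs. The following is an added example, not Commvault code: it audits a role's action patterns against ten rows copied from the table. The names `OPS`, `TABLE`, `required`, `covers`, `audit`, and `BACKUP_ROLE` are hypothetical, and the sample role is constructed. It assumes the role's `Actions` and `DataActions` are merged into one list, and it ignores `NotActions`.

```python
from fnmatch import fnmatchcase

OPS = ("backup", "restore", "conversion", "replication")

# Ten rows copied from the table above (extend with the rest). Flags follow the
# column order Backups, Restores, VM conversions, Replication: Y = Yes, - = "--".
TABLE = """
Microsoft.Compute/disks/*                              YY-Y
Microsoft.Compute/snapshots/*                          YY-Y
Microsoft.Compute/restorePointCollections/*            YY-Y
Microsoft.Compute/virtualMachines/*                    -YYY
Microsoft.KeyVault/vaults/read                         YYYY
Microsoft.KeyVault/vaults/write                        -YYY
Microsoft.Network/publicIPAddresses/read               YY-Y
Microsoft.Network/publicIPAddresses/delete             -Y-Y
Microsoft.Network/virtualNetworks/subnets/join/action  ---Y
Microsoft.Resources/subscriptions/resourceGroups/read  YYYY
"""

def required(ops):
    """Actions the table marks Yes for at least one of the given operations."""
    need = set()
    for line in TABLE.splitlines():
        if line.strip():
            action, flags = line.split()
            if any(flags[OPS.index(op)] == "Y" for op in ops):
                need.add(action)
    return need

def covers(patterns, action):
    """True if any pattern subsumes action ('*' wildcard, compared case-insensitively)."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(granted, ops):
    """Return (missing, excess) for a role's granted action patterns.

    missing: required actions that no granted pattern covers.
    excess:  granted patterns wider than, or outside, what the table requires.
    """
    need = required(ops)
    missing = sorted(a for a in need if not covers(granted, a))
    excess = sorted(g for g in granted if not covers(need, g))
    return missing, excess

# Constructed role for a backup-only service principal (not a real role definition).
BACKUP_ROLE = ["Microsoft.Compute/disks/*", "Microsoft.Compute/snapshots/*",
               "Microsoft.Compute/restorePointCollections/*", "Microsoft.KeyVault/vaults/read",
               "Microsoft.Network/publicIPAddresses/*",
               "microsoft.resources/subscriptions/resourceGroups/read"]
```

`audit(BACKUP_ROLE, ["backup"])` reports nothing missing but flags `Microsoft.Network/publicIPAddresses/*` as excess, because backups need only `publicIPAddresses/read`.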