System Requirements for Virtual Server Agent with Microsoft Azure

Verify that your environment meets the requirements for protecting Azure VMs with Commvault.

Azure Versions

For virtual machines deployed in Azure Classic, data recovery to Premium storage accounts is not supported. This restriction applies for replication, VM conversion, and VM restore jobs.

Deprecated

For Feature Release 24 and earlier versions, existing Virtualization Azure Classic Deployment Model configurations will continue to function as defined.

For Feature Release 25 and more recent versions:

Existing Virtualization Azure Classic Deployment Model configurations will not function as defined.
New Virtualization Azure Classic Deployment Model configurations are not supported.

Virtual Server Agent Proxy Requirements

A physical machine or an Azure virtual machine with the Virtual Server Agent (VSA) installed can act as a VSA proxy to perform backups and restores.

Confidential VMs and Trusted Launch VMs

You can use confidential VMs and trusted launch VMs as VSA proxies.

Operating Systems

The VSA proxy machine must run one of the following operating systems:

Windows:

Configure one of the following versions with the required software:
- Microsoft Windows Server 2022 Editions
- Microsoft Windows Server 2019 Editions
- Microsoft Windows Server 2016 Editions
Note

Microsoft ended mainstream support for all versions of Windows Server 2012 and Windows Server 2012 R2—including Hyper-V Server 2012 and Hyper-V Server 2012 R2, and Core Editions—on October 10, 2023.
Linux:

Use one of the following methods:
- Best method: Deploy an Azure Marketplace virtual machine image to function as a Virtual Server Agent proxy for Azure. For more information, see Deploying a Microsoft Azure VM from the Microsoft Azure Marketplace.
- Alternative method: Configure Red Hat Enterprise Linux (RHEL) 7.4 or 8 with the required software.
  
  /// note | Note For a machine that runs RHEL 8.x or 9.x, to install operating system packages that are required to enable automatic installation of Mono, register the machine with Red Hat. ///

Other Requirements

Minimum of 100 GB disk space.
Minimum of 4 GB RAM beyond the requirements of the operating system and any other running applications. For more information, see Sizes for virtual machines in Azure.
Minimum of 4 CPU cores.
A VSA proxy for Azure Classic must have an Azure management certificate installed.
If the Azure subscription includes multiple regions, deploy at least one VSA proxy per region. However, cross-subscription backups are supported for access nodes/MediaAgents—that is, access nodes/MediaAgents can be hosted in different Azure subscriptions.
A VSA proxy for Azure must be accessible from Commvault resources outside of Azure. If the VSA proxy in Azure is not accessible using a private IP address from Commvault resources outside of Azure, a public IP address will be required. Note that if a VPN or ExpressRoute is available between on-premise resources and Azure, and if the VSA proxy is accessible using a private IP address from the Commserve and MediaAgent, then a public IP address is not required.

Deployment

For best results:

Deploy the VSA proxy and MediaAgent on virtual machines in the Azure cloud.
Deploy the VSA proxy on an Azure VM that is compute optimized to support faster backups.
Enable Azure accelerated networking on the VSA proxy/MediaAgent machines in Azure. This step must be completed at the time of deploying the virtual machine. For more information, see the following Microsoft articles:
- For Linux: Create a Linux virtual machine with Accelerated Networking using Azure CLI
- For Windows: Create a Windows VM with accelerated networking using Azure PowerShell
Enable service endpoints for Microsoft Storage on the Azure virtual network subnet where the proxy and MediaAgent are connected. This will ensure that all network traffic from the proxy machine to the Azure storage account is securely flowing through the Microsoft Azure backbone network. For more information, see Microsoft Azure: Virtual Network service endpoints.
Enable Changed Block Tracking for Azure. Changed Block Tracking (CBT) for Azure provides better backup performance than traditional cyclic redundancy check (CRC) backups. You can use CBT with unmanaged and managed disks.

Guest Operating Systems

Virtual machines being backed up can have any of the guest operating systems that are supported by the Azure platform.

Permissions

To back up Azure VMs that have been encrypted using Azure Key Vault, you need to provide the required permissions.

For more information, see Adding Permissions to Back Up Azure VMs Encrypted with Azure Key Vault.

Azure Endpoints

To support backups and restores that are not available through the Azure global endpoint, create the AzureRegion additional setting on the VSA access node and specify the additional endpoints as values.

For instructions on adding additional settings from the CommCell Console, see Add or Modify an Additional Setting.

Property	Value
Name	AzureRegion
Category	VirtualServer
Type	String
Value	China, usgov, Germany

Note

This additional setting can be configured for these regions only: China, usgov, and Germany.

Firewall Requirements

Tunnel ports (for example, 8400 and 8403) must be opened in the security group for the instance to enable installation of the Virtual Server Agent to Azure virtual machines and communication with the CommServe system.

If you deploy a CommServe host in an environment with firewalls, create a persistent route from the CommServe host to the VSA proxy, as documented in Setting Up Network Gateway Connections Using a Predefined Network Topology. Specify the RESTRICTED setting for connections from the CommServe host to the VSA proxy (step 3 under If you chose not to use predefined network topologies) and the BLOCKED setting in the CommServe node settings for the proxy (step 9).

If a firewall proxy is installed, configure Internet options for the firewall proxy machine. On the HTTP Proxy tab of the Internet Options dialog box, enter the user name and password for the firewall proxy machine, using only the user name and not including the domain name with the user name.

All requests from VSA proxy machines connect through port 443 of the Azure endpoints. Therefore:

If a firewall is configured on the proxy machine, then port 443 must remain open.
If the proxy machine is an instance in the cloud, then port 443 must be opened at the network security group level for the VSA proxy instance.

To access Azure backup and restore services for the Azure regions, incorporate the following URLs in your firewall or proxy settings.

Azure	Azure China	Azure Germany	Azure US Gov
https://management.azure.com/ https://login.microsoftonline.com/ https://.blob.core.windows.net https://.blob.storage.azure.net https://*.vault.azure.net https://graph.windows.net/ http://169.254.169.254/metadata/identity/oauth2/token	https://management.chinacloudapi.cn/ https://login.chinacloudapi.cn/ https://.blob.core.chinacloudapi.cn https://.blob.storage.azure.net https://*.vault.azure.cn https://graph.chinacloudapi.cn/ http://169.254.169.254/metadata/identity/oauth2/token	https://management.microsoftazure.de/ https://login.microsoftonline.de/ https://.blob.core.cloudapi.de https://.blob.storage.azure.net https://*.vault.microsoftazure.de https://graph.cloudapi.de/ http://169.254.169.254/metadata/identity/oauth2/token	https://management.usgovcloudapi.net/ https://login.microsoftonline.us/ https://.blob.core.usgovcloudapi.net https://.blob.storage.azure.net https://*.vault.usgovcloudapi.net https://graph.windows.net/ http://169.254.169.254/metadata/identity/oauth2/token

Azure

Azure China

Azure Germany

Azure US Gov

https://management.azure.com/

https://login.microsoftonline.com/

https://*.blob.core.windows.net

https://*.blob.storage.azure.net

https://*.vault.azure.net

https://graph.windows.net/

http://169.254.169.254/metadata/identity/oauth2/token

https://management.chinacloudapi.cn/

https://login.chinacloudapi.cn/

https://*.blob.core.chinacloudapi.cn

https://*.blob.storage.azure.net

https://*.vault.azure.cn

https://graph.chinacloudapi.cn/

http://169.254.169.254/metadata/identity/oauth2/token

https://management.microsoftazure.de/

https://login.microsoftonline.de/

https://*.blob.core.cloudapi.de

https://*.blob.storage.azure.net

https://*.vault.microsoftazure.de

https://graph.cloudapi.de/

http://169.254.169.254/metadata/identity/oauth2/token

https://management.usgovcloudapi.net/

https://login.microsoftonline.us/

https://*.blob.core.usgovcloudapi.net

https://*.blob.storage.azure.net

https://*.vault.usgovcloudapi.net

https://graph.windows.net/

http://169.254.169.254/metadata/identity/oauth2/token

Configuring a Firewall to Install the Virtual Server Agent on a Cloud VM or Instance

To deploy the Virtual Server Agent (VSA) or MediaAgent on a cloud VM or instance when other components (such as the CommServe host) are on premises, configure a Commvault firewall connection between the on premises components and the cloud VM or instance.

Hardware Specifications

For information about hardware requirements for the Virtual Server Agent, see Hardware Specifications for Virtual Server Agent.

DISCLAIMER

Certain third-party software and service releases (together, "Releases") may not be supported by Commvault. You are solely responsible for ensuring Commvault’s products and services are compatible with any such Releases.