Role and permission requirements for protecting Azure resources

Cloud Rewind requires roles that carry the permissions needed to protect your Azure resources.

Note

When a particular role's permission is revoked manually in the Azure portal, the set of operations associated with that role fails.

Apply IAM permissions (Commvault-managed app)

  1. From the “Instant” tab, run the given command in the Azure portal Bash Cloud Shell to grant the required permissions in a single step.
  2. Or, select the “Manual” tab and either click the “DOWNLOAD ARM TEMPLATE” option or run the curl command to download the template. An ARM template that assigns the necessary roles to the Cloud Rewind application is downloaded.
  3. In your Azure console, run the given command with the path of the downloaded template file.
  4. Select the confirmation message to grant the permissions and click “FINISH”.

If the above steps fail, the cause is usually one of the following:

  1. You don't have permission to register Cloud Rewind as an enterprise app.
  2. You don't have permission to assign roles to the Cloud Rewind enterprise app.
  3. The assigned role was removed or blocked before the discovery process ran.
  4. A network outage or Azure response delay is extending the discovery time because of exponential backoff.

Apply IAM permissions (Customer-owned app)

You can configure IAM roles using the following JSON files:

Role                               Custom role for Azure portal       Custom role for Azure CLI
Discovery only                     Azure_discovery_permissions.json   Azure_discovery_permissions_CLI.json
Complete protection and recovery   AZURE_DPR_permissions.json         AZURE_DPR_permissions_CLI.json
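As an added example (not code from this page or from Commvault), the following Python checks whether a custom role definition, in the flat JSON shape that `az role definition create` accepts, covers the operation groups listed on this page, applying Azure RBAC's case-insensitive wildcard matching of Actions minus NotActions. The sample role and the subset of operation groups are constructed here; a non-empty list for a group is the situation the Note above describes, where that group's operations fail.

```python
import fnmatch
import json

# Constructed sample role in the flat shape that `az role definition create` accepts.
SAMPLE_ROLE_JSON = """{
  "Name": "Cloud Rewind Discovery (constructed sample)",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/disks/*/action"
  ],
  "NotActions": ["Microsoft.Compute/snapshots/read"],
  "AssignableScopes": ["/subscriptions/<subscription-id>"]
}"""

# Operation groups taken from the permission list on this page (a subset).
REQUIRED = {
    "Discovery Resource Group": [
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
    ],
    "Discovery Compute": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/snapshots/read",
    ],
    "Discovery Storage": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Compute/disks/beginGetAccess/action",
    ],
}

def action_allowed(action, actions, not_actions):
    """Azure RBAC control-plane rule: permitted when the operation matches an
    Actions entry and no NotActions entry; '*' spans '/' like fnmatch's '*'."""
    op = action.lower()
    def hit(patterns):
        return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)
    return hit(actions) and not hit(not_actions)

def missing_by_group(role_json, required=REQUIRED):
    """Return {group: [uncovered operations]}; a non-empty list means that
    whole operation group fails with the role as defined."""
    role = json.loads(role_json)
    acts, nots = role.get("Actions", []), role.get("NotActions", [])
    return {g: [a for a in ops if not action_allowed(a, acts, nots)]
            for g, ops in required.items()}
```

Run it against the role JSON you intend to assign, with REQUIRED extended to the groups you need; any group with a non-empty list will fail until the role is corrected.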

Permission requirements

Discovery

Discovery Resource Group

permissions:
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/resources/read

Discovery Storage

permissions:
- Microsoft.Storage/storageAccounts/read
- Microsoft.Storage/storageAccounts/blobServices/containers/read
- Microsoft.Storage/storageAccounts/listKeys/action
- Microsoft.Storage/storageAccounts/blobServices/read
- Microsoft.Storage/storageAccounts/fileServices/shares/read
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
- Microsoft.Compute/disks/beginGetAccess/action
- Microsoft.Compute/disks/endGetAccess/action
- Microsoft.Compute/disks/read
- Microsoft.Compute/diskEncryptionSets/read

Discovery Compute

permissions:
- Microsoft.Compute/virtualMachines/read
- Microsoft.Compute/virtualMachineScaleSets/read
- Microsoft.Compute/virtualMachineScaleSets/skus/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/publicIPAddresses/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipConfigurations/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
- Microsoft.Compute/sshPublicKeys/read
- Microsoft.Compute/availabilitySets/read
- Microsoft.Compute/snapshots/read

Discovery Load balancer

Discovery WebSites

permissions:
- Microsoft.Web/sites/Read
- Microsoft.Web/serverfarms/Read
- Microsoft.Web/sites/config/list/Action
- Microsoft.web/sites/functions/read

Discovery Private Endpoint

permissions:
- Microsoft.Network/privateEndpoints/read

Discovery Application Gateway

permissions:
- Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read
- Microsoft.Network/applicationGateways/read
- Microsoft.Network/applicationGateways/privateEndpointConnections/read

Discovery Proximity Placement Group

permissions:
- Microsoft.Compute/proximityPlacementGroups/read

Discovery Sql Managed Instance

permissions:
- Microsoft.SqlVirtualMachine/sqlVirtualMachines/read
- Microsoft.Sql/servers/read
- Microsoft.Sql/servers/databases/read

Protection Web

permissions:
- Microsoft.Web/sites/config/read
- Microsoft.Web/sites/Read
- Microsoft.Web/sites/config/write
- Microsoft.Web/sites/backup/action
- Microsoft.Web/sites/config/list/action
- Microsoft.Web/sites/backups/Read

Protection Storage

permissions:
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/blobServices/containers/write
- Microsoft.Compute/snapshots/beginGetAccess/action
- Microsoft.Compute/snapshots/read
- Microsoft.Compute/snapshots/write
- Microsoft.Storage/storageAccounts/blobServices/write
- Microsoft.Storage/storageAccounts/objectReplicationPolicies/write
- Microsoft.Storage/storageAccounts/managementPolicies/write
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete

Protection

Protection Resource Group

permissions:
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write
- Microsoft.Resources/subscriptions/resourceGroups/resources/read

Azure Replica-retention Permissions

permissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete

Azure Retention Permissions

permissions:
- Microsoft.Compute/snapshots/delete
- Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
- Microsoft.web/sites/backups/delete

Recovery

Recovery Resource Group

permissions:
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/resourceGroups/write

Recovery Storage

permissions:
- Microsoft.Compute/disks/write
- Microsoft.Storage/storageAccounts/write
- Microsoft.Storage/storageAccounts/blobServices/containers/write

Recovery Compute

permissions:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
- Microsoft.Compute/virtualMachineScaleSets/write
- Microsoft.Compute/sshPublicKeys/write
- Microsoft.Compute/images/write
- Microsoft.Compute/images/read
- Microsoft.Compute/availabilitySets/write
- Microsoft.Compute/proximityPlacementGroups/write
- Microsoft.Compute/virtualMachines/extensions/write

Recovery Network

permissions:
- Microsoft.Network/networkInterfaces/join/action
- Microsoft.Network/networkInterfaces/write
- Microsoft.Network/publicIPAddresses/join/action
- Microsoft.Network/publicIPAddresses/write
- Microsoft.Network/virtualNetworks/write
- Microsoft.Network/networkSecurityGroups/join/action
- Microsoft.Network/networkSecurityGroups/write
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/write
- Microsoft.Network/networkSecurityGroups/securityRules/write

Recovery Load balancer

permissions:
- Microsoft.Network/loadBalancers/backendAddressPools/write
- Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/join/action
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/write
- Microsoft.Network/loadBalancers/inboundNatPools/join/action
- Microsoft.Network/loadBalancers/inboundNatRules/join/action
- Microsoft.Network/loadBalancers/inboundNatRules/write
- Microsoft.Network/loadBalancers/probes/join/action
- Microsoft.Network/loadBalancers/providers/Microsoft.Insights/diagnosticSettings/write
- Microsoft.Network/loadBalancers/write
- Microsoft.Network/loadBalancers/backendAddressPools/join/action
- Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action
- Microsoft.Network/virtualNetworks/joinLoadBalancer/action
- Microsoft.Network/locations/setLoadBalancerFrontendPublicIpAddresses/action

Recovery Deployment Manager

permissions:
- Microsoft.Resources/deployments/read
- Microsoft.Resources/deployments/write
- Microsoft.Resources/deployments/operationStatuses/read
- Microsoft.Resources/deployments/operations/read

Recovery MySql

permissions:
- Microsoft.DBforMySQL/servers/write
- Microsoft.DBforMySQL/servers/privateEndpointConnectionsApproval/action

Recovery Mssql

permissions:
- Microsoft.Sql/servers/write
- Microsoft.Sql/servers/databases/write

Recovery PostgreSQL

permissions:
- Microsoft.DBforPostgreSQL/servers/write
- Microsoft.DBforPostgreSQL/servers/privateEndpointConnectionsApproval/action

Recovery Application Gateway

permissions:
- Microsoft.Network/applicationGateways/write
- Microsoft.Network/applicationGateways/backendAddressPools/join/action

Recovery Proximity Placement Group

permissions:
- Microsoft.Compute/proximityPlacementGroups/write

Recovery Private Endpoint

permissions:
- Microsoft.Network/privateEndpoints/write
permissions:
- Microsoft.Compute/galleries/read
- Microsoft.Compute/galleries/write
- Microsoft.Compute/galleries/share/action
permissions:
- Microsoft.Compute/galleries/images/read
- Microsoft.Compute/galleries/images/write
permissions:
- Microsoft.Compute/galleries/images/versions/read
- Microsoft.Compute/galleries/images/versions/write

Recovery Network Route Tables

permissions:
- Microsoft.Network/routeTables/routes/write
- Microsoft.Network/routeTables/write
- Microsoft.Network/routeTables/join/action

Recovery Management Identity

permissions:
- Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

Recovery SQL Virtual Machine

permissions:
- Microsoft.SqlVirtualMachine/sqlVirtualMachines/write

Recovery Web Sites

permissions:
- Microsoft.Web/sites/restoreFromBackupBlob/action
- Microsoft.Web/sites/operationresults/read
- Microsoft.Web/serverfarms/write
- Microsoft.Web/sites/write
- Microsoft.Web/sites/restoreSnapshot/action

Reset

Reset Resource Group

permissions:
- Microsoft.Resources/subscriptions/resourceGroups/delete

Reset Storage

permissions:
- Microsoft.Storage/storageAccounts/delete
- Microsoft.Storage/storageAccounts/blobServices/containers/delete
- Microsoft.Compute/disks/delete
dataPermissions:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete

Reset Compute

permissions:
- Microsoft.Compute/virtualMachines/delete
- Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete
- Microsoft.Compute/virtualMachineScaleSets/delete
- Microsoft.Compute/sshPublicKeys/delete
- Microsoft.Compute/images/delete
- Microsoft.Compute/availabilitySets/delete
- Microsoft.Compute/proximityPlacementGroups/delete

Reset Network

permissions:
- Microsoft.Network/networkInterfaces/delete
- Microsoft.Network/networkSecurityGroups/delete
- Microsoft.Network/publicIPAddresses/delete
- Microsoft.Network/virtualNetworks/delete
- Microsoft.Network/virtualNetworks/subnets/delete
- Microsoft.Network/networkSecurityGroups/securityRules/delete

Reset Load balancer

permissions:
- Microsoft.Network/loadBalancers/backendAddressPools/delete
- Microsoft.Network/loadBalancers/delete
- Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/delete
- Microsoft.Network/loadBalancers/inboundNatRules/delete

Reset MySql

permissions:
- Microsoft.DBforMySQL/servers/delete

Reset Mssql

permissions:
- Microsoft.Sql/servers/delete
- Microsoft.SqlVirtualMachine/sqlVirtualMachines/delete

Reset PostgreSQL

permissions:
- Microsoft.DBforPostgreSQL/servers/delete

Reset Application Gateway

permissions:
- Microsoft.Network/applicationGateways/delete

Reset Proximity Placement Group

permissions:
- Microsoft.Compute/proximityPlacementGroups/delete

Reset Private Endpoint

permissions:
- Microsoft.Network/privateEndpoints/delete
permissions:
- Microsoft.Compute/galleries/delete
permissions:
- Microsoft.Compute/galleries/images/delete
permissions:
- Microsoft.Compute/galleries/images/versions/delete

Reset Network Route Table

permissions:
- Microsoft.Network/routeTables/routes/delete
- Microsoft.Network/routeTables/delete

Reset Web Sites

permissions:
- Microsoft.web/sites/backups/delete
- Microsoft.Web/sites/config/delete

Note

This list of permissions may increase as Cloud Rewind adds more services for protection.
