Configure private connectivity for Air Gap Protect storage

Private connectivity keeps backup and restore traffic between your environment and Air Gap Protect storage on private network infrastructure rather than the public internet. Private connectivity is supported using AWS PrivateLink, Azure Private Link, and Azure ExpressRoute.

Support details
  • If you're a Commvault SaaS customer, contact your Commvault account team to enable private connectivity.

  • Private endpoint support is not available for Air Gap Protect storage when using OCI Object Storage.

Requirements

Before configuring private connectivity, verify that your environment meets the requirements.

  • Network connectivity: Your on-premises environment must be connected to your cloud service provider using private connectivity (AWS Direct Connect or Azure ExpressRoute).

  • DNS configuration: Cloud storage endpoints must resolve to private IP addresses instead of public endpoints.

  • Access and permissions

    • Your organization must allow cross-account or cross-subscription access.

    • You must have permissions to:

      • Create private endpoints

      • Modify network and DNS settings

      • Update storage access policies

Configure private connectivity

AWS PrivateLink

Use AWS PrivateLink to enable private connectivity between your environment and the Amazon S3 bucket used for Air Gap Protect.

Requirements and considerations

Network connectivity

  • Your on-premises environment must be connected to AWS using Direct Connect.

  • The connection must support expected backup and restore throughput.

  • Routing must allow access to the VPC where the interface endpoint is deployed.

DNS configuration

  • Configure DNS so that Amazon S3 endpoints resolve to the private IP address of the interface VPC endpoint.

  • Verify that [bucketname].s3.[region].amazonaws.com resolves, through your private DNS configuration, to the private IP addresses of the interface endpoint rather than to public Amazon S3 addresses.

VPC endpoint configuration

  • Create an interface VPC endpoint for the S3 service (com.amazonaws.[region].s3).

  • The endpoint must:

    • Be associated with subnets reachable from your on-premises network

    • Have private DNS enabled

  • The security group associated with the endpoint must allow inbound HTTPS (port 443) traffic from your on-premises network.

Access and permissions

  • The S3 bucket and access point must allow access from:

    • Your AWS account

    • The Commvault-managed AWS account

  • Do not restrict access to principals in your AWS account only (for example, in a VPC endpoint policy); the Commvault-managed account must also be allowed.

Cross-account considerations

  • Air Gap Protect uses a cross-account access model.

  • You must provide your AWS account ID and, optionally, VPC endpoint IDs to Commvault.

Cost considerations

AWS may charge for:

  • Interface VPC endpoint usage

  • Data processing through PrivateLink

  • Data transfer through Direct Connect

Create an interface VPC endpoint

  1. Log on to the AWS Management Console with permissions to manage VPC endpoints.

  2. In the target VPC, create an interface endpoint for the S3 service (com.amazonaws.[region].s3).

  3. Associate the endpoint with the required subnets and security groups.

  4. Enable private DNS.

  5. Create the endpoint.
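The five steps above, together with the endpoint policy that the access requirements in Requirements and considerations call for, as an added AWS CLI example that is not part of the Commvault documentation or its tooling. Every VPC, subnet, CIDR and account identifier in it is a placeholder, and the Commvault-managed account ID is an assumed value you obtain from Commvault; the script only performs the AWS calls when RUN_AGP_AWS_SETUP is set, so it can be sourced safely.

```sh
#!/bin/sh
# Added example, not Commvault tooling: create the S3 interface endpoint,
# its security group and an endpoint policy with the AWS CLI.
# All IDs, CIDRs and account numbers below are placeholders.
set -eu

s3_service_name() { printf 'com.amazonaws.%s.s3\n' "$1"; }

# VPC endpoint policy. A policy that admits only your own account breaks
# Air Gap Protect; the Commvault-managed account ($2) must be allowed too.
endpoint_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowOwnAndCommvaultAccounts",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalAccount": ["$1", "$2"]}}
  }]
}
EOF
}

# Security group: only inbound HTTPS from the on-premises network that
# reaches the VPC over Direct Connect.
create_endpoint_sg() {
  vpc_id="$1"; onprem_cidr="$2"
  sg_id=$(aws ec2 create-security-group --vpc-id "$vpc_id" \
            --group-name agp-s3-endpoint \
            --description "HTTPS to S3 interface endpoint" \
            --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
    --protocol tcp --port 443 --cidr "$onprem_cidr" >/dev/null
  printf '%s\n' "$sg_id"
}

# Interface endpoint with private DNS. For S3, AWS offers private DNS only
# via the "inbound resolver endpoint" option, which also expects an S3
# gateway endpoint in the same VPC for traffic originating inside the VPC.
# $3 is a space-separated list, hence intentionally unquoted.
create_s3_interface_endpoint() {
  region="$1"; vpc_id="$2"; subnet_ids="$3"; sg_id="$4"; policy_file="$5"
  aws ec2 create-vpc-endpoint --region "$region" --vpc-id "$vpc_id" \
    --vpc-endpoint-type Interface \
    --service-name "$(s3_service_name "$region")" \
    --subnet-ids $subnet_ids --security-group-ids "$sg_id" \
    --private-dns-enabled \
    --dns-options PrivateDnsOnlyForInboundResolverEndpoint=true \
    --policy-document "file://$policy_file" \
    --query VpcEndpoint.VpcEndpointId --output text
}

main() {
  region=${AWS_REGION:-us-east-1}
  vpc_id=vpc-0123456789abcdef0          # placeholder
  subnet_ids="subnet-0aaa subnet-0bbb"   # placeholders, reachable from on-prem
  onprem_cidr=10.20.0.0/16               # placeholder on-premises range
  your_account=111122223333              # placeholder
  commvault_account=444455556666         # placeholder for the Commvault-managed account
  endpoint_policy "$your_account" "$commvault_account" > agp-endpoint-policy.json
  sg_id=$(create_endpoint_sg "$vpc_id" "$onprem_cidr")
  vpce_id=$(create_s3_interface_endpoint "$region" "$vpc_id" "$subnet_ids" \
              "$sg_id" agp-endpoint-policy.json)
  # These two values go into the Commvault support request (next procedure).
  printf 'Endpoint %s created; report it and account %s to Commvault\n' \
    "$vpce_id" "$your_account"
}

if [ -n "${RUN_AGP_AWS_SETUP:-}" ]; then main; fi
```

Run it as RUN_AGP_AWS_SETUP=1 sh agp-aws.sh after replacing the placeholders. The endpoint policy is evaluated for every request that passes through the endpoint, which is why it lists both accounts; tightening Action or Resource further is reasonable as long as the Commvault-managed account keeps the access the page requires.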

Provide account information to Commvault

  1. Log on to the Commvault Support Portal.

  2. Create a support request that includes:

    • AWS account ID

    • VPC endpoint IDs (optional; supply them if you want access to the storage restricted to traffic arriving through those endpoints)

Validate connectivity

After Commvault confirms configuration:

  1. Launch an EC2 instance in the VPC that contains the interface endpoint.

  2. Verify DNS resolution by validating that the S3 endpoint resolves to a private IP address.

  3. Access the S3 bucket using the access point.

  4. Confirm the following:

    • Data transfer succeeds (read and write operations)

    • Traffic flows through the VPC endpoint

    • No traffic routes through the public internet

Azure Private Link

Use Azure Private Link to enable private connectivity between your environment and the Azure Blob Storage account used for Air Gap Protect.

Requirements and considerations

Network connectivity

  • Your on-premises environment must be connected to Azure using ExpressRoute.

  • The connection must support the expected backup and restore throughput.

DNS configuration

  • You must configure DNS so that the storage account endpoint resolves to the private endpoint IP address.

  • If you use custom DNS servers, configure forwarding for Azure private link zones.

Private endpoint configuration

  • The private endpoint must be deployed in a subnet reachable from your on-premises network.

  • The subnet must allow private endpoint deployment.

Access and permissions

  • You must have permissions to create private endpoints and manage network configuration.

  • Storage account access must allow connections through the private endpoint.

Network policies

For the subnet hosting the private endpoint, disable:

  • privateLinkServiceNetworkPolicies

  • privateEndpointNetworkPolicies

Create a private endpoint

  1. Go to the Commvault Support Portal and request a storage resource ID.

  2. In Azure, create a private endpoint using the storage resource ID.

    For more information, see Create a private endpoint.

Request endpoint approval

  1. Contact Commvault Support.

  2. Provide the name of the private endpoint.

  3. Wait for approval confirmation.

Configure DNS

  1. To identify the storage account name, go to Manage > Air Gap Protect and select the storage.

  2. Update your DNS server to resolve the storage account endpoint to the private endpoint IP address.
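The subnet, private endpoint and DNS steps above, as an added Azure CLI example that is not Commvault's own tooling. The resource group, VNet, subnet and endpoint names are placeholders; the storage resource ID (from Commvault Support) and the storage account name (from Manage > Air Gap Protect) are read from environment variables, and the Azure calls run only when RUN_AGP_AZURE_SETUP is set. The DNS record is published before approval because the endpoint's private IP is allocated at creation; the endpoint carries traffic only after Commvault approves the connection.

```sh
#!/bin/sh
# Added example, not Commvault tooling: prepare the subnet, create the
# private endpoint against the storage resource ID that Commvault Support
# provides, and publish the private DNS record. Names are placeholders.
set -eu

blob_host() { printf '%s.blob.core.windows.net\n' "$1"; }
privatelink_zone() { printf 'privatelink.blob.core.windows.net\n'; }

# Step 1: the subnet must permit private endpoint deployment
# (the two network policy switches named in Network policies).
prepare_subnet() {
  rg="$1"; vnet="$2"; subnet="$3"
  az network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" \
    --disable-private-endpoint-network-policies true \
    --disable-private-link-service-network-policies true >/dev/null
}

# Step 2: private endpoint to the Commvault-owned storage account. The
# target lives in another subscription, so this is a manual request that
# stays Pending until Commvault approves it (Request endpoint approval).
create_private_endpoint() {
  rg="$1"; vnet="$2"; subnet="$3"; pe_name="$4"; storage_id="$5"
  az network private-endpoint create -g "$rg" -n "$pe_name" \
    --vnet-name "$vnet" --subnet "$subnet" \
    --private-connection-resource-id "$storage_id" --group-id blob \
    --connection-name "${pe_name}-blob" \
    --manual-request true \
    --request-message "Commvault Air Gap Protect private endpoint $pe_name" \
    --query id --output tsv
}

# Step 3: the endpoint's NIC holds the private IP that DNS must answer with.
private_endpoint_ip() {
  rg="$1"; pe_name="$2"
  nic_id=$(az network private-endpoint show -g "$rg" -n "$pe_name" \
             --query 'networkInterfaces[0].id' --output tsv)
  az network nic show --ids "$nic_id" \
    --query 'ipConfigurations[0].privateIPAddress' --output tsv
}

# Step 4: private DNS zone linked to the VNet with an A record for the
# storage account name. Azure makes <account>.blob.core.windows.net a CNAME
# to <account>.privatelink.blob.core.windows.net once a private endpoint
# exists, so the record belongs in the privatelink zone. Custom or
# on-premises DNS then needs a conditional forwarder for that zone to a
# resolver inside the VNet (the "forwarding for Azure private link zones"
# requirement above).
publish_dns() {
  rg="$1"; vnet="$2"; account="$3"; ip="$4"
  zone=$(privatelink_zone)
  az network private-dns zone create -g "$rg" -n "$zone" >/dev/null
  az network private-dns link vnet create -g "$rg" -z "$zone" -n agp-link \
    -v "$vnet" -e false >/dev/null
  az network private-dns record-set a add-record -g "$rg" -z "$zone" \
    -n "$account" -a "$ip" >/dev/null
}

main() {
  rg=agp-rg; vnet=agp-vnet; subnet=agp-pe-subnet; pe_name=agp-blob-pe  # placeholders
  storage_id=${AGP_STORAGE_RESOURCE_ID:?resource ID from Commvault Support}
  account=${AGP_STORAGE_ACCOUNT:?name shown under Manage > Air Gap Protect}
  prepare_subnet "$rg" "$vnet" "$subnet"
  create_private_endpoint "$rg" "$vnet" "$subnet" "$pe_name" "$storage_id" >/dev/null
  ip=$(private_endpoint_ip "$rg" "$pe_name")
  publish_dns "$rg" "$vnet" "$account" "$ip"
  printf 'Private endpoint %s at %s; ask Commvault Support to approve it, then test %s\n' \
    "$pe_name" "$ip" "$(blob_host "$account")"
}

if [ -n "${RUN_AGP_AZURE_SETUP:-}" ]; then main; fi
```

Run it as AGP_STORAGE_RESOURCE_ID=... AGP_STORAGE_ACCOUNT=... RUN_AGP_AZURE_SETUP=1 sh agp-azure.sh. Once Commvault approves the connection, the blob host name should resolve, through the privatelink zone, to the IP the script printed.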

Validate connectivity

  1. From a VM in your network, verify DNS resolution.

    The storage account endpoint resolves to a private IP address.

  2. Access the storage account.

  3. Confirm:

    • Data transfer succeeds.

    • Traffic flows through the private endpoint.

Azure ExpressRoute

Azure ExpressRoute is supported by default in Commvault.

If your environment already uses ExpressRoute:

  • No additional configuration is required in Commvault.

  • Verify that DNS and routing are correctly configured for private access to storage endpoints.

Troubleshoot private connectivity

Use the following checks to diagnose issues.

DNS issues

  • Verify that storage endpoints resolve to private IP addresses.

  • Check conditional forwarding rules.

Connectivity issues

  • Confirm that required ports (HTTPS/443) are open.

  • Verify routing between your environment and the endpoint subnet.

Access issues

  • Review storage account or S3 bucket policies.

  • Confirm that cross-account or cross-subscription permissions are configured.

Endpoint issues

  • Ensure that:

    • The endpoint is in an approved state.

    • The endpoint is associated with the correct subnets.
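The DNS and path checks from both Validate connectivity procedures and from this troubleshooting section, as an added POSIX shell example that is not part of the Commvault documentation. It treats the RFC 1918 ranges as "private", which holds for addresses allocated from your own VPC or VNet subnet; the host to check is supplied through AGP_CHECK_HOST, and the sample addresses in the comments are constructed.

```sh
#!/bin/sh
# Added example, not Commvault tooling: confirm that a storage endpoint
# resolves only to private addresses and that an HTTPS connection really
# lands on a private IP (the endpoint) rather than the public service.
set -eu

# True when the argument is a syntactically valid dotted-quad IPv4 address.
is_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# RFC 1918: 10/8, 172.16/12, 192.168/16. Interface endpoints and private
# endpoints take addresses from your subnet, so a public answer means DNS
# still points at the public service endpoint (the "DNS issues" case).
is_private_ipv4() {
  is_ipv4 "$1" || return 1
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads one address per line on stdin; succeeds only if there is at least
# one address and every one of them is private.
all_private() {
  count=0
  while IFS= read -r addr; do
    [ -n "$addr" ] || continue
    count=$((count + 1))
    is_private_ipv4 "$addr" || { printf 'public address: %s\n' "$addr" >&2; return 1; }
  done
  [ "$count" -gt 0 ]
}

# Resolve A records with whatever the host offers: dig, else glibc getent.
# Filtering keeps only IPv4 answers; CNAME hops (e.g. the Azure privatelink
# alias) are dropped.
resolve_a_records() {
  if command -v dig >/dev/null 2>&1; then
    dig +short A "$1" | grep -E '^[0-9.]+$' || true
  else
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
  fi
}

# Two checks: DNS answers are private, and the address curl actually
# connects to is private. The HTTP status does not matter here (an
# unauthenticated request is expected to be refused); only the path does.
check_endpoint() {
  host="$1"
  resolve_a_records "$host" | all_private \
    || { echo "FAIL: $host resolves to a public address" >&2; return 1; }
  remote=$(curl -sS --max-time 10 -o /dev/null -w '%{remote_ip}' "https://$host/" || true)
  is_private_ipv4 "$remote" \
    || { echo "FAIL: connected to '$remote', not a private endpoint" >&2; return 1; }
  echo "OK: $host -> $remote via private endpoint"
}

# Usage: AGP_CHECK_HOST=mybucket.s3.us-east-1.amazonaws.com sh agp-check.sh
#    or: AGP_CHECK_HOST=mystorage.blob.core.windows.net sh agp-check.sh
if [ -n "${AGP_CHECK_HOST:-}" ]; then
  check_endpoint "$AGP_CHECK_HOST"
fi
```

Run the script from the EC2 instance or VM named in the validation steps and again from an on-premises host; a pass in the cloud and a failure on premises points at the conditional forwarders or the Direct Connect/ExpressRoute routing, while a private DNS answer followed by a connection failure points at the security group, network policies or an endpoint that is not yet approved.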
