When you enable Azure Virtual Network (VNet) protection, in-place restores (but not out-of-place restores) create the network infrastructure—VNets, subnets, and network security groups (NSGs)—along with the VM.
During in-place restores, the VNet, subnet, network interface NSG, subnet NSG, and network interface are created. The NAT gateway, route table, and DDoS protection plan are reused.
Supported
- Virtual network
  - Address space (IPv6, IPv4)
  - DDoS protection association
  - DNS servers
- Subnet
  - AddressPrefix
  - Associated network security groups
  - NAT gateway association
  - Route table association
  - Service endpoints
  - Subnet delegation
  - Network policy for private endpoints
- NSGs
  - Network security rules
  - Network security groups attached to a network interface
  - Network security groups attached to a subnet
Not Supported
- Azure Bastion service of the VNet
- Peering of the VNet
- Firewall of the VNet
- Network Manager of the VNet
- Private endpoints of the VNet
Additional Permission Requirements
In addition to the permissions defined in CVBackupRole, the following permissions are required. For information about CVBackupRole, see Role and Permission Requirements for Protecting Azure Resources.
- Microsoft.Network/virtualNetworks/write: Creates a virtual network or updates an existing virtual network
- Microsoft.Network/networkSecurityGroups/write: Creates a network security group or updates an existing network security group
- Microsoft.Network/routeTables/join/action: Joins a route table
- Microsoft.Network/ddosProtectionPlans/join/action: Joins an Azure DDoS Protection plan
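An added example, not part of the original documentation or the vendor's code: a check that a custom role definition effectively grants the four additional permissions listed above, honouring wildcards and notActions exclusions. It assumes the JSON shape printed by `az role definition list` (a `permissions` list with `actions` and `notActions`); the sample role and its name are constructed.

```python
import json
import re

# The four additional actions listed above.
REQUIRED_ACTIONS = [
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/routeTables/join/action",
    "Microsoft.Network/ddosProtectionPlans/join/action",
]

def _matches(action, patterns):
    """True if any pattern covers the action; '*' is a wildcard, case is ignored."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False

def missing_actions(role_definition):
    """Return the required actions the role definition does not effectively grant."""
    missing = []
    for action in REQUIRED_ACTIONS:
        granted = any(
            _matches(action, block.get("actions") or [])
            and not _matches(action, block.get("notActions") or [])
            for block in role_definition.get("permissions", [])
        )
        if not granted:
            missing.append(action)
    return missing

# Constructed sample, not a real role: one wildcard grant, one exclusion, one omission.
SAMPLE_ROLE = json.loads("""
{
  "roleName": "example-backup-role",
  "permissions": [{
    "actions": [
      "Microsoft.Network/virtualNetworks/*",
      "Microsoft.Network/networkSecurityGroups/write",
      "Microsoft.Network/routeTables/*"
    ],
    "notActions": ["Microsoft.Network/routeTables/join/action"]
  }]
}
""")

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_ROLE):
        print("missing:", action)
```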
Enabling VNet Protection
Add the following entity settings to all Azure access nodes:
- bAzureBackupNetworkConfig: Enables backups of Azure network configuration
- bAzureRestoreNetworkConfig: Enables restores of network resources