Question

1x VSA/MA in one region for all subscriptions

  • 13 October 2023

Hello,

I missed the information about the installation/configuration (or I'm looking in the wrong place).
I understand only (based on the documentation) that every region must have 1 VSA.

  1. Is it possible to have 1 VSA (or 1 VSA/MA) for all subscriptions in one region?
    • If yes, how do you build that within Azure?
    • If no, then every subscription needs its own VSA/MA?
  2. If no (from question 1), how do you arrange communication between VSAs in different subscriptions?
    • Is that with virtual network peering?

Or should we look at the hub-spoke model (Azure)?


3 replies

Userlevel 1
Badge +1

Good day @NK_VLK,

I apologize for the delay in responding to your query. We are currently in the process of arranging an engineering review for your question. Please rest assured that we are working diligently to provide you with a detailed response as soon as possible.

Thank you for your patience and understanding.

Userlevel 3
Badge +6

Hi @NK_VLK,

Your question highly depends on whether you wish to use managed identities or not.

If you use managed identities, then YES, you need an instance/VM in every subscription currently.

If you use an access key and secret key, you can protect any subscription from anywhere, basically. This is because any actions done by the VSA for Microsoft Azure are API-based or access BLOB storage.

In theory your VSA could be in AWS or in a private cloud or even be a physical server in your own data center. I would not recommend that and would have at least 1 VSA per Azure region to ensure smooth operations.

On the topic of managed identities and using the “Master VSA Account” option that is available for Amazon Web Services, I have not gotten a reaction from product management/development yet. I am hopeful this setup would be possible in a future version/timeframe.

Regards,
Mike

Badge

It is possible to have one VSA/MA machine per region for multiple subscriptions; the same VSA can then be used to back up all the subscriptions with different Hypervisor clients in Commvault.

>> For this configuration within Azure, you have 2 methods of authentication we can use to onboard the Hypervisor client in Commvault to access the environment:

#1 If all the subscriptions are part of the same tenant, we can utilise the MSI or system identity of the access node VMs and add permissions to that VM in all subscriptions. Follow the doc below on how to configure this for one subscription; the same can be repeated for all subscriptions.
https://documentation.commvault.com/2023e/essential/98264_setting_up_managed_identities_for_azure_resources.html

#2 If all subscriptions are not part of the same tenant, or if system identities are not to be utilised, one could also use Apps. Create one or multiple Apps for the subscriptions, add the respective permissions to the application, and use the App secret to onboard the Hypervisor in Commvault. Please follow the doc below to onboard such for one subscription, which can then be repeated for all subscriptions.
https://documentation.commvault.com/2023e/essential/31295_setting_up_application_and_tenant_for_azure_resource_manager.html
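
Added example, not part of the thread or of Commvault's documentation: a dry-run script for method #1 above that grants one access node's system-assigned identity a role in each subscription individually, rather than at a broader scope. The role name is a placeholder for the permissions the linked doc defines, and all GUIDs are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or Commvault's documentation.
# Grants ONE access node's system-assigned identity a role in each
# subscription of the same tenant, scoped per subscription.
# Assumptions: ROLE_NAME is a placeholder for the role the linked doc
# defines; all GUIDs below are constructed sample values.

ROLE_NAME="${ROLE_NAME:-<role-from-commvault-doc>}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands only, 0 = run them

# Succeeds only for a well-formed GUID, so a typo or stray shell
# metacharacter never ends up inside a scope string.
is_guid() {
  printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Prints the role-assignment command for one subscription.
# $1 = principal (object) ID of the VM identity, $2 = subscription ID
build_assignment_cmd() {
  is_guid "$1" || { echo "bad principal id: $1" >&2; return 1; }
  is_guid "$2" || { echo "bad subscription id: $2" >&2; return 1; }
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope /subscriptions/%s\n' "$1" "$ROLE_NAME" "$2"
}

# Assigns the role in every listed subscription; non-zero if any failed.
# $1 = principal ID, remaining arguments = subscription IDs
grant_in_subscriptions() {
  principal="$1"; shift; failed=0
  for sub in "$@"; do
    if ! cmd=$(build_assignment_cmd "$principal" "$sub"); then failed=1; continue; fi
    if [ "$DRY_RUN" = "1" ]; then
      echo "$cmd"
    else
      az role assignment create --assignee-object-id "$principal" \
        --assignee-principal-type ServicePrincipal \
        --role "$ROLE_NAME" --scope "/subscriptions/$sub" || failed=1
    fi
  done
  return "$failed"
}

# Constructed sample run. In a real run the principal ID comes from:
#   az vm show -g <resource-group> -n <access-node-vm> --query identity.principalId -o tsv
grant_in_subscriptions "11111111-1111-1111-1111-111111111111" \
  "aaaaaaaa-0000-0000-0000-000000000001" "aaaaaaaa-0000-0000-0000-000000000002"
```

Review the printed commands first, then set `DRY_RUN=0` and `ROLE_NAME` to apply them.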
