Skip to main content
commvault.com commvault.com
Question

How to do air gap in cloud?

  • December 12, 2022
  • 8 replies
  • 953 views
X
Byte
Forum|alt.badge.img+8

I plan to replicate backup image to remote site. How to deploy real air gap in Azure & AWS? any best practice?

1, if I enable MA power management, hacker could logon Azure portal and power on the server

2, backup image save on Azure storage account, hacker could delete whole storage account/

8 replies

Onno van den Berg
Commvault Certified Expert
Forum|alt.badge.img+20
  • Onno van den BergCommvault Certified Expert
  • Commvault Certified Expert
  • 1264 replies
  • December 12, 2022

@xiwen you could consider leveraging the immutability features of the specific cloud provider who are supported by Commvault. this will protect against data deletion and it also prevents someone from deleting a storage account. 

J
J
2 people like this
  • J
    Joel Bates
  • J
    Johar Grewal
X
Byte
Forum|alt.badge.img+8
  • xiwen
  • Author
  • Byte
  • 24 replies
  • December 12, 2022

Azure storage account provide “Data Protection” feature, like enable soft delete for container and blob, etc, what is best pracrice?

Onno van den Berg
Commvault Certified Expert
Forum|alt.badge.img+20
  • Onno van den BergCommvault Certified Expert
  • Commvault Certified Expert
  • 1264 replies
  • December 12, 2022

There were/are public cloud architecture guide for both Azure and AWS giving some guidance how to build well architectured Commvault infrastructures on AWS and Azure see for the latter:

https://documentation.commvault.com/2022e/assets/pdf/public-cloud-architecture-guide-for-microsoft-azure11-25.pdf

X
Byte
Forum|alt.badge.img+8
  • xiwen
  • Author
  • Byte
  • 24 replies
  • December 13, 2022

could you guide which page list well architecture for Azure air gap on your link? couldn’t find it

Damian Andre
Vaulter
Forum|alt.badge.img+23
  • Damian AndreVaulter
  • Vaulter
  • 1310 replies
  • December 13, 2022

Page 30 of the doc covers WORM (i.e immutable storage) that will prevent anyone from deleting data for the defined period.

Network based airgap solutions can be find on this page. Also consider that Commvault can write data directly to azure without a Media Agent in the cloud - which is also way more cost effective.

X
Byte
Forum|alt.badge.img+8
  • xiwen
  • Author
  • Byte
  • 24 replies
  • December 13, 2022

Thanks for your guide on the link. For the first option, we use Azure VWAN to connect two regions, how to connect server A to server B in two different region by Azure backbone?

Air gapping can be achieved by using one of the following methods:

  • Use VM power management to automatically shut down a MediaAgent virtual machine when not in use.

  • Create blackout windows on storage targets or network devices using scripts and workflows.

Onno van den Berg
Commvault Certified Expert
Forum|alt.badge.img+20
  • Onno van den BergCommvault Certified Expert
  • Commvault Certified Expert
  • 1264 replies
  • December 13, 2022

You connect server A to server B by routing the traffic through the Azure VWAN connection. As for your definition of air gapping.; well you can use power management to further reduce the chance of someone taking over the MA. Not sure what you are thinking to accomplish with a blackout window on a storage target or network device, but just take some time to read through the documentation and the information provided and otherwise please talk to your account team or get some assistance. 

J Dodson
Vaulter
Forum|alt.badge.img+5
  • J DodsonVaulter
  • Vaulter
  • 21 replies
  • December 22, 2022

Here is a white paper that may offer some insight, 

Immutable Backups To The Cloud With Commvault - Commvault

-Jeff
Onno van den Berg
1 person likes this
  • Onno van den Berg
    Onno van den Berg

Reply


Most helpful members this week

Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings