Question

How to do air gap in cloud?

  • 12 December 2022
  • 8 replies
  • 733 views

Badge +8

I plan to replicate backup images to a remote site. How do I deploy a real air gap in Azure & AWS? Any best practices?

1. If I enable MA power management, a hacker could log on to the Azure portal and power on the server.

2. Backup images are saved on an Azure storage account, and a hacker could delete the whole storage account.


8 replies

Userlevel 7
Badge +19

@xiwen you could consider leveraging the immutability features of the specific cloud provider that are supported by Commvault. This will protect against data deletion, and it also prevents someone from deleting a storage account.

Badge +8

Azure storage accounts provide a "Data Protection" feature, like enabling soft delete for containers and blobs, etc. What is the best practice?

Userlevel 7
Badge +19

There were/are public cloud architecture guides for both Azure and AWS giving some guidance on how to build well-architected Commvault infrastructures on AWS and Azure; see for the latter:

https://documentation.commvault.com/2022e/assets/pdf/public-cloud-architecture-guide-for-microsoft-azure11-25.pdf

Badge +8

Could you guide me to which page lists the well-architected design for Azure air gap in your link? I couldn't find it.

Userlevel 7
Badge +23

Page 30 of the doc covers WORM (i.e. immutable storage) that will prevent anyone from deleting data for the defined period.

Network-based air gap solutions can be found on this page. Also consider that Commvault can write data directly to Azure without a Media Agent in the cloud, which is also way more cost effective.
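
As an added example (not part of any reply in this thread, and not Commvault or Microsoft code): a small Python audit that separates the locked WORM retention mentioned above from soft delete and resource locks, the three delete protections raised in this discussion. The snapshot layout, container names and the 30-day requirement are assumptions made for the example; the property names follow those used by Azure's storage management API.

```python
REQUIRED_DAYS = 30  # assumed retention requirement; set to your backup policy

def audit_account(acct, required_days=REQUIRED_DAYS):
    """Return (severity, message) findings for one settings snapshot."""
    findings = []
    for c in acct.get("containers", []):
        name, pol = c["name"], c.get("immutabilityPolicy")
        if not pol:
            findings.append(("HIGH", f"{name}: no time-based retention (WORM) policy"))
            continue
        if pol.get("state") != "Locked":
            # An unlocked policy can still be shortened or removed by an admin.
            findings.append(("HIGH", f"{name}: retention policy is not locked"))
        days = pol.get("immutabilityPeriodSinceCreationInDays", 0)
        if days < required_days:
            findings.append(("MEDIUM", f"{name}: retention {days}d is below {required_days}d"))
    svc = acct.get("blobService", {})
    for key, label in (("deleteRetentionPolicy", "blob"),
                       ("containerDeleteRetentionPolicy", "container")):
        if not svc.get(key, {}).get("enabled"):
            # Soft delete aids recovery but can be switched off with account access.
            findings.append(("LOW", f"{label} soft delete is disabled"))
    levels = {lock.get("level") for lock in acct.get("locks", [])}
    if not levels & {"CanNotDelete", "ReadOnly"}:
        findings.append(("LOW", "no delete-blocking resource lock on the account"))
    return findings

# Constructed sample snapshots (hypothetical names, not real accounts).
WEAK = {
    "containers": [
        {"name": "backup-copy", "immutabilityPolicy": None},
        {"name": "backup-aux", "immutabilityPolicy": {
            "state": "Unlocked", "immutabilityPeriodSinceCreationInDays": 7}},
    ],
    "blobService": {"deleteRetentionPolicy": {"enabled": True, "days": 14}},
    "locks": [],
}
HARDENED = {
    "containers": [{"name": "backup-copy", "immutabilityPolicy": {
        "state": "Locked", "immutabilityPeriodSinceCreationInDays": 30}}],
    "blobService": {"deleteRetentionPolicy": {"enabled": True, "days": 14},
                    "containerDeleteRetentionPolicy": {"enabled": True, "days": 14}},
    "locks": [{"level": "CanNotDelete"}],
}

if __name__ == "__main__":
    for label, acct in (("weak", WEAK), ("hardened", HARDENED)):
        for sev, msg in audit_account(acct) or [("OK", "no findings")]:
            print(f"{label:9} {sev:6} {msg}")
```

The severities reflect that only a locked retention policy holds against someone who has taken over portal access; soft delete and resource locks are ranked lower because an account administrator can remove them.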

Badge +8

Thanks for your guidance on the link. For the first option, we use Azure VWAN to connect two regions; how do we connect server A to server B in two different regions over the Azure backbone?

Air gapping can be achieved by using one of the following methods:

  • Use VM power management to automatically shut down a MediaAgent virtual machine when not in use.

  • Create blackout windows on storage targets or network devices using scripts and workflows.

Userlevel 7
Badge +19

You connect server A to server B by routing the traffic through the Azure VWAN connection. As for your definition of air gapping: well, you can use power management to further reduce the chance of someone taking over the MA. Not sure what you are thinking to accomplish with a blackout window on a storage target or network device, but just take some time to read through the documentation and the information provided, and otherwise please talk to your account team or get some assistance.

Userlevel 2
Badge +5

Here is a white paper that may offer some insight:

Immutable Backups To The Cloud With Commvault - Commvault
