Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide
  3. Section I. NetBackup Snapshot Manager for Cloud installation and configuration
  4. NetBackup Snapshot Manager for cloud providers
  5. Microsoft Azure plug-in configuration notes
NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Microsoft Azure plug-in configuration notes

The Microsoft Azure plug-in lets you create, delete, and restore snapshots at the virtual machine level and the managed disk level.

Support for restore of multiple network interfaces (NIC)

NetBackup provides support for restoring all the NIC's and static IP addresses attached to a VM on Azure. Following are the specific behavior for the supported scenarios:

  • Private IP addresses have the following allocation methods:

    Static: If the IP address was statically allocated, then the exact private IP address would be restored.

    Dynamic: If the IP address was dynamically allocated, then a dynamic IP address would be assigned to the NIC and the exact IP address would not be enforced.

  • For Public IP addresses it is not possible to specify the actual Public IP address to be associated with a Public IP resource, irrespective of the allocation method used.

    Hence a Public IP resource is created and associated with relevant NIC. Other properties of the Public IP resource would still be the same as they were during the backup time.

Support for Azure Disk Encryption (ADE) enabled VM

NetBackup provides support for Azure disk encrypted VM's. ADE enabled VM will show Azure Disk Encryption flag as True in asset details in Web UI. Following are the supported scenarios:

  • Rollback Restore

  • Snapshot, Backup and Restore from snapshot and backup of VMs.

  • If Azure disk encryption extension is present at the time of snapshot then only extension will be present after VM is restored from snapshot.

  • Supported operating systems:

    For Linux VM: Supported VMs and operating systems

    For Windows: Supported VMs and operating systems

Support for private disk access in NetBackup Snapshot Manager

NetBackup Snapshot Manager provides support for disks having private disk access using disk access object. Consider the following points while protecting the private disk access:

  • To support backup from snapshot, the Azure managed disks of the VM must have public or private disk access enabled.

    • Azure propagates the same setting to the VM restore point created during the snapshot operation.

    • The snapshot contents are then read securely using a SAS URI for the disk snapshots of the VM restore point.

    • If private disk access has been setup with a disk access object and associated private endpoint, then due to the restriction from Azure you cannot export more than 100 disks/snapshots per disk access object. Hence ensure that not more than 2 disks would share the same disk access object, else backup from snapshot would fail with the following error:

      (DiskAccessObjectHasTooManyActiveSASes) Too many simultaneous imports or exports using disk access object. The current cap is 100. Revoke some active access tokens before creating more access requests 
  • This feature allows user to snapshot and restore disks having private disk access enabled. The restored disk will also have the same disk access object associated.

  • User would be able to snapshot, backup and restore VM's having private disk access. The restored VM will also have disks having private disk enabled with same disk access object.

    If VMs having private disk access are restored through snapshot or backup copy, then ensure that the count of the disks per disk access object would increase and might not adhere to the prerequisite of 5 disks per disk access object. User must take appropriate actions to protect the restored VM.

  • For cross subscription or cross region restore from backup copy or if disk access object is deleted which was present in original VM, then disks of the restored VM would have disabled public and private access. Client must assign existing or newly created disk access object as per requirement.

  • If NetBackup Snapshot Manager is in one subscription and VM's to be protected are in different subscription, then appropriate private endpoint created within Snapshot Manager subscription must be associated with disk access objects.

Support for application consistency using Azure recovery points

By default, the create snapshot operation in Snapshot Manager would create recovery points instead of snapshots. To use Azure recovery points for the snapshots to be application consistent, refer to the following table to connect and configure the VM's in Azure cloud:

For Windows

For Linux

No need to connect and configure the VM's

  • For Linux: By default the snapshots would be filesystem consistent in Azure.

  • For Oracle on Linux:

    • The VM must be in a connected state

      Or

    • Pre-scripts or post-scripts for application consistency must be configured for the Linux VM as mentioned in the Application-consistent backup of Azure Linux VMs documentation.

Note:

While creating and restoring snapshots, restore points would be created instead of snapshots being created in Azure.

Create snapshot

  • In Snapshot Manager a Restore Point Collection is created with a VM restore point when the first snapshot is taken for a VM.

  • Each VM restore point contains the disk restore points of all disks whose snapshots have been taken in the VM snapshot operation.

  • Each subsequent snapshot taken on the VM is saved in Azure under the same Restore Point Collection that was created when the first snapshot was taken.

  • The subsequent restore points are incremental backups.

Restore snapshot

  • Snapshots would be restored from snapshots in Azure, for snapshots taken in versions prior to Snapshot Manager version 10.2.

  • Snapshots would be restored from Restore Points, for snapshots taken in Snapshot Manager version 10.2.

Note the following:

  • Locate the restore point:

    Obtain the Snapshot ID in the job details of the created snapshot in NetBackup as follows:

    Snapshot ID: azure-snapvmrp-<subscription name>+<RG name>+<restore point collection name>+<restore point>

    The restore point can be found in Azure portal by navigating to Subscription -> Resource Group (RG) -> Restore Point Collection (RPC) -> Restore Point.

  • Locate the logs:

    • Snapshot Manager: /cloudpoint/flexsnap.log

    • Host VM:

      • Linux: /var/log/azure/Microsoft.Azure.RecoveryServices.VMSnapshotLinux/extension.log

      • Windows: C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.RecoveryServices.VMSnapshot\<version>

Prerequisites

Before you configure the Azure plug-in, complete the following preparatory steps:

  • (Applicable only if user proceeds with application service principal route) Use the Microsoft Azure Portal to create an Azure Active Directory (AAD) application for the Azure plug-in.

  • Assign the required permissions to a role to access resources.

    For more information on Azure plug-in permissions required by NetBackup Snapshot Manager, See Configuring permissions on Microsoft Azure.

    In Azure you can assign permissions to the resources by one of the following methods:

    • Service principal: This permission can be assigned to user, group or an application.

    • Managed identity: Managed identities provide an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. There are two types of managed identities:

      • System-assigned

      • User-assigned

For more details, follow the steps mentioned in the Azure documentation.

Table: Microsoft Azure plug-in configuration parameters

NetBackup Snapshot Manager configuration parameter

Microsoft equivalent term and description

Credential type:

Application service principal

Note:

Assign a role to the application service principal.

Tenant ID

The ID of the Azure AD directory in which you created the application.

Client ID

The application ID.

Secret key

The secret key of the application.

Credential type:

System managed identity

Note:

Assign a role to the system managed identity.

Enable system managed identity on NetBackup Snapshot Manager host in Azure.

Credential type:

User managed identity

Note:

Assign a role to the user managed identity.

Client ID

The Client ID of the user managed identity connected to the NetBackup Snapshot Manager host.

Following parameters are applicable for all the above credential type's

Regions

One or more regions in which to discover cloud assets.

Note:

If you configure a government cloud, select US Gov Arizona, US Gov Texas US, or Gov Virginia.

Resource Group prefix

The prefix used to store the snapshots created for the assets in a different resource group other than the one in which the assets exist.

For example, if an asset exists in NetBackup Snapshot Manager and prefix for resource group is snap, then snapshots of assets in NetBackup Snapshot Manager resource group would be stored in snapNetBackup Snapshot Manager resource group.

Protect assets even if prefixed Resource Groups are not found

On selecting this check box, NetBackup Snapshot Manager would not fail the snapshot operation if resource group does not exists. It tries to store the snapshot in the original resource group.

Note:

The prefixed resource group region must be same as the original resource group region.

Configuring multiple accounts or subscriptions or projects
  • If you are creating multiple configurations for the same plug-in, ensure that they manage assets from different Subscriptions. Two or more plug-in configurations should not manage the same set of cloud assets simultaneously.

  • When multiple accounts are all managed with a single NetBackup Snapshot Manager server, the number of assets being managed by a single NetBackup Snapshot Manager instance might get too large. Hence it would be better to segregate the assets across multiple NetBackup Snapshot Manager servers for better load balancing.

  • To achieve application consistent snapshots, we would require agent/agentless network connections between the remote VM instance and NetBackup Snapshot Manager server. This would require setting up cross account/subscription/project networking.

Azure plug-in considerations and limitations

Consider the following before you configure the Azure plug-in:

  • The current release of the plug-in does not support snapshots of blobs.

  • NetBackup Snapshot Manager currently only supports creating and restoring snapshots of Azure-managed disks and the virtual machines that are backed up by managed disks.

  • If you are creating multiple configurations for the same plug-in, ensure that they manage assets from different Tenant IDs. Two or more plug-in configurations should not manage the same set of cloud assets simultaneously.

  • When you create snapshots, the Azure plug-in creates an Azure-specific lock object on each of the snapshots. The snapshots are locked to prevent unintended deletion either from the Azure console or from an Azure CLI or API call. The lock object has the same name as that of the snapshot. The lock object also includes a field named "notes" that contains the ID of the corresponding VM or asset that the snapshot belongs to.

    Ensure that the notes field in the snapshot lock objects is not modified or deleted. Doing so will disassociate the snapshot from its corresponding original asset.

    The Azure plug-in uses the ID from the notes fields of the lock objects to associate the snapshots with the instances whose source disks are either replaced or deleted, for example, as part of the 'Original location' restore operation.

  • Azure plug-in supports the following GovCloud (US) regions:

    • US Gov Arizona

    • US Gov Texas

    • US Gov Virginia

    • US Gov Iowa

    • US DoD Central

    • US DoD East

  • Azure plug-in supports the following India regions:

    • Jio India West

    • Jio India Central

  • Azure plug-in supports additional regions: Italy North, Poland Central, Qatar Central, Israel Central, New Zealand North (Asia Pacific), Indonesia Central (Jakarta - Indonesia), Malaysia West (Kuala Lumpur - Malaysia)

  • NetBackup Snapshot Manager Azure plug-in does not support the following Azure regions:

    Location

    Region

    US

    • US DoD Central

    • US DoD East

    • US Sec West

    China

    NetBackup Snapshot Manager does not support any regions in China.

    • China East

    • China East 2

    • China North

    • China North 2

    Germany

    • Germany Central (Sovereign)

    • Germany Northeast (Sovereign)

  • NetBackup Snapshot Manager also supports Microsoft Azure generation 2 type of virtual machines.

  • NetBackup Snapshot Manager does not support application consistent snapshots and granular file restores for Windows systems with virtual disks or storage spaces that are created from a storage pool. If a Microsoft SQL server snapshot job uses disks from a storage pool, the job fails with an error. But if a snapshot job for virtual machine which is in a connected state is triggered, the job might be successful. In this case, the file system quiescing and indexing is skipped. The restore job for such an individual disk to original location also fails. In this condition, the host might move to an unrecoverable state and requires a manual recovery.

  • Snapshot Manager does not support Managed Identity database authentication for Azure database for MariaDB server.

  • Consider the following points for snapshots of Azure Disk Encryption (ADE) enabled VM:

    • Indexing on ADE enabled VM is not supported. If user has protection plan with GRT enabled, subscribing ADE enabled VM to this protection plan is disabled.

    • If VM is subscribed to GRT enabled protection plan and later ADE is enabled on the same VM, then indexing will fail for such VMs with an error 9997.

    • If ADE enabled VM is part of intelligent group which is subscribed to protection plan consisting GRT, indexing for ADE enabled VM will fail with an error 9997.

    • Single file restore can be performed to ADE enabled VMs from non-ADE VMs.

    • Proper access to key vault must be assigned to other resource group if user is trying to restore VM to another resource group.

    • Snapshot and restore is not supported for applications deployed on ADE enabled VMs.

    • If Azure Disk Encryption is applied on any OS or Data Disk, then change of encryption form PMK to any other encryption type is not supported.

    • If Operating System disk is encrypted with Azure Disk Encryption and data disk with encryption other than PMK is attached later to the VM, then for successful restore change the encryption to PMK for the data disks.

  • If NetBackup Snapshot Manager is running behind the firewall then ensure that the following endpoints and metadata IP are allowed on port 443 for successful asset discovery:

    • Endpoints:

      *.management.azure.com

      *.login.microsoftonline.com

      *.storage.azure.net

      *.vault.azure.net

    • Metadata IP: 169.254.169.254

    • If NetBackup Snapshot Manager is configured with proxy settings, then refer to the following section for more information:

  • NetBackup version 10.5.0.1 or later provides support for backup of ADE enabled VMs, but with the following limitation:

    For a VM which is already encrypted with ADE and then additional data disks (which are not encrypted) are added to the VM, the snapshot and backup operation would be successful, but after restore the data on extra non-ADE disks would be lost or not present.

    Note:

    Currently there is no workaround. Corresponding new disks would be present in the restored VM, but no data would be present on them.

More Information

Proxy server requirements

Feedback

Was this page helpful?
Previous

GCP shared VPC configuration

Next

Configuring permissions on Microsoft Azure

Feedback

Was this page helpful?