Configuring Azure Blob Storage repository and enabling immutability
Azure Blob Storage is Microsoft's cloud object storage solution. It is designed to store massive amounts of unstructured data, making it ideal for various use cases, including backups, archives, and data lakes. In Azure Blob Storage, data is organized into containers that act as logical groupings for blobs, which are the actual data objects. Each storage account can have an unlimited number of containers, and each container can store an unlimited number of blobs.
Through its immutability feature, Azure Blob Storage ensures that data stored in immutable storage cannot be modified or deleted for a predefined period. This is crucial for compliance, data retention policies, and protection against ransomware and accidental deletion. Azure offers two types of immutability policies:
- Time-based retention policies: These policies specify a retention period during which blobs cannot be modified or deleted but can be created and read. Once the period expires, objects can be deleted but not overwritten. Blobs are stored in WORM (Write Once, Read Many) format and can be configured in two modes:
  - Container-level WORM: Applies to all blobs in a container, with no individual blob-level policies.
  - Version-level WORM: Configurable at the account, container, or version level and will be inherited by all blobs in the respective account or container. It cannot be created for a container with a legal hold because the legal hold prevents the generation of new versions.
- Legal holds: A legal hold is a temporary WORM policy for legal investigations that lasts until explicitly cleared. When a legal hold is in effect, blobs can be created and read, but not modified or deleted. Use a legal hold when the retention period is unknown. It can be applied at the following scopes:
  - Version-level WORM: Applies to individual blob versions for granular management of sensitive data.
  - Container-level WORM: Applies to all blobs in a container, with no individual blob-level policies.
Understanding the retention period in Azure and RecoveryManager Plus
You can define a retention period for your Azure Blob Storage backup data to specify how long an object must be retained. Setting clear retention policies is essential when enabling immutability, as it cannot be modified once the immutability period starts.
For example, if a retention period is set to six months in RecoveryManager Plus and the backup immutability period is set to one year in Azure Blob Storage, backups stored in Azure Blob Storage are protected for one year based on the immutability period set. After six months (the retention period set in RecoveryManager Plus), the product will attempt to delete backups that are older than six months. However, because of the one-year immutability set on the repository, Azure will not process any deletion requests until the one-year time period has elapsed.
To avoid data being deleted earlier than intended or stored longer than necessary, ensure that the retention period configured in both RecoveryManager Plus and Azure Blob Storage is the same.
Creating a container in Azure Blob Storage and enabling immutability
To create a container, follow the steps listed below:
- Log in to the Microsoft Azure portal.
- Select Storage Accounts from the Azure services and choose a storage account.
- From the left pane, click Data storage > Containers.
- To create a new container, click the + Container button at the top-left corner.
- Provide a Name for the container.
- Set the Anonymous access level for the container.
- Click Create to complete the process.
To configure a retention policy on a container:
- Select Storage Accounts from the Azure services and choose a storage account.
- From the left pane, click Data storage > Containers.
- Search for the container in the search bar and click it.
- From the left pane, under Settings, select Access policy.
- In the Immutable blob storage section, select Add policy.
- You can create two types of policies:
  - To create a time-based retention policy:
    - In the Policy type field, select Time-based retention.
    - In the Set retention period for field, specify the retention period in days.
    - Leave the Enable version-level immutability checkbox unchecked if you wish to create a container-level policy.
    - Choose one of the options in the Allow protected append writes to field to append new blocks at the end of a blob while preventing existing blobs from being modified or deleted.
    - Click Save.
    Note: To lock a time-based policy, navigate to the Access policy section, locate the policy, and click Lock policy. Once a policy is locked, it cannot be deleted. However, the blob can be deleted once the retention period elapses.
  - To configure a legal hold:
    - In the Policy type field, select Legal hold.
    - Add one or more legal hold tags.
    - Select the Block and append blobs option in the Allow protected append writes to field to add newly created data to the end of an append blob.
    - Click Save.
    Note: To clear a legal hold, navigate to the Access policy section, select Edit in the policy, and delete all tags.
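The following is an added example, not part of RecoveryManager Plus or its documentation, that audits a container's immutability settings against the retention period configured in the product, as recommended in the retention period section above. The container JSON is a constructed sample, its field names (`immutabilityPolicy`, `immutabilityPeriodSinceCreationInDays`, `state`, `hasLegalHold`) are assumed to match the container properties Azure returns, and the six-month and one-year periods are approximated as 180 and 365 days.

```python
import json
from datetime import date, timedelta

# Constructed sample of a container's properties. Field names are assumed to
# follow Azure's container immutability-policy resource; check your own output.
SAMPLE_CONTAINER = json.loads("""{
  "name": "rmp-backups",
  "hasLegalHold": false,
  "immutabilityPolicy": {
    "immutabilityPeriodSinceCreationInDays": 365,
    "state": "Unlocked"
  }
}""")

def deletion_timeline(created, product_days, immutable_days):
    """Return (date the product first tries to delete, date Azure allows it)."""
    attempt = created + timedelta(days=product_days)
    unlocked = created + timedelta(days=immutable_days)
    return attempt, max(attempt, unlocked)

def audit(container, product_days):
    """Compare a container's WORM settings with the product's retention period."""
    findings = []
    policy = container.get("immutabilityPolicy") or {}
    days = policy.get("immutabilityPeriodSinceCreationInDays") or 0
    if days == 0:
        findings.append("no time-based retention policy on the container")
    else:
        if policy.get("state") != "Locked":
            findings.append("policy is not locked and can still be deleted")
        if days > product_days:
            findings.append(f"Azure refuses product deletions for {days - product_days} extra days")
        elif days < product_days:
            findings.append(f"backups are unprotected for their last {product_days - days} days")
    if container.get("hasLegalHold"):
        findings.append("legal hold set: nothing can be deleted until it is cleared")
    return findings

if __name__ == "__main__":
    # The page's example, approximated in days: 6 months vs. 1 year.
    for line in audit(SAMPLE_CONTAINER, product_days=180):
        print("FINDING:", line)
    print(deletion_timeline(date(2024, 1, 1), 180, 365))
```

An empty findings list means the container has a locked time-based policy whose period equals the product's retention period and no legal hold.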
Adding Azure Blob Storage as a repository in RecoveryManager Plus
To add Azure Blob Storage as a repository:
- Navigate to Admin tab > Administration > Backup Repository > Cloud.
- Click the Add Repository button in the top-right corner.
- Select Azure Blob Storage from the Repository Type drop-down.
- Enter a name in the Repository Name field.
- Enter the Account Name and Account Key of the Azure storage account. To learn how to find your Account Name and Account Key, see the section Finding your Azure storage account name and account key.
- Enter the Root Container Name.
Note: Metadata of the Microsoft 365, on-premises Exchange, Google Workspace, and Zoho WorkDrive backups will be stored in the default Elasticsearch node.
- Click Save.
The integration of Azure Blob Storage with RecoveryManager Plus, along with the immutability feature, enhances your data protection strategy by preventing accidental or unauthorized modifications to critical backups.
Finding your Azure storage account name and account key
To find the account name and account key for your Azure storage account, follow the steps given below:
- Open the Microsoft Azure Portal in your web browser and log in with the credentials of a user who can access the storage account.
- Select Storage Accounts from the Azure services.
- In the screen that appears, select the storage account for which you would like to find the Account Name and Account Key. The name displayed at the top-left corner is the name of your storage account.
- Click Security + networking from the left pane and select Access keys.
- Copy Key1 or Key2. You can use either of the keys.
- Use the Account Name and Account Key to add your Azure storage account to RecoveryManager Plus.