Preparing Your Environment for Cleanroom Recovery

Prepare production workloads, the Azure Cleanroom, and the Commvault Cloud environment for recovery to a cleanroom site.

Production Workloads

Complete the following steps to prepare your production workloads for conversion to Azure VMs.

Windows VMs

  1. Install the Azure Windows VM Agent on the source VMs.

  2. Enable a SAN policy on the source VMs.

  3. Reboot the source VMs.

    The reboot step is recommended, but not required.

Linux VMs

  1. Run a snapshot or a backup of the source VMs.

  2. Install Hyper-V drivers on the source VMs.

  3. To the /etc/dracut.conf file, add the following line:

    add_drivers+=" hv_vmbus hv_netvsc hv_storvsc "
  4. For all dracut conf files (such as /usr/lib/dracut/dracut.conf.d/01-dist.conf), comment out the following line:

    hostonly="yes"  
  5. To rebuild the initramfs, run the following command:

    sudo dracut -f -v  
  6. Reboot the VM and verify that it boots correctly.

  7. Install the Azure Linux Agent on the source VMs.

  8. Reboot the source VMs.

    The reboot step is recommended, but not required.

Azure Cleanroom Environment

Complete the following steps to prepare your Azure cleanroom environment.

  1. Create an Azure subscription for cleanroom recovery.

  2. Verify that the following resource providers are enabled in your Azure cleanroom subscription:

    • microsoft.support
    • microsoft.Storage
    • microsoft.SerialConsole
    • microsoft.ResourceNotifications
    • microsoft.ResourceGraph
    • microsoft.Portal
    • microsoft.OperationalInsights
    • microsoft.Network
    • microsoft.MarketplaceOrdering
    • microsoft.MarketplaceNotifications
    • microsoft.MachineLearning
    • microsoft.GuestConfiguration
    • microsoft.Features
    • microsoft.CostManagement
    • microsoft.Consumption
    • microsoft.Compute
    • microsoft.Commerce
    • microsoft.CloudShell
    • microsoft.ClassicSubscription
    • microsoft.ChangeAnalysis
    • microsoft.Billing
    • microsoft.Authorization
    • microsoft.ADHybridHealthService
  3. Create an Azure app for Commvault Cloud with the required permissions for the entire Azure cleanroom recovery subscription and for the storage account (Storage Account Contributor and Storage Blob Data Contributor).

  4. Create a resource group and a storage account, with the correct configuration, in the region where the VMs will be recovered.

    Only locally redundant storage (LRS) and StorageV2 (general purpose v2) accounts are supported.

  5. Verify that the storage account is accessible by Commvault Cloud.

  6. Set up an isolated virtual network for the recovered VMs:

    1. Create a virtual network where the VMs will be recovered to.

    2. Verify that the cleanroom virtual network is isolated. This means there must be no inbound or outbound connectivity, except RDP/SSH from specific IP addresses to access the recovered machines.

      Alternatively, you can enable a bastion host to access the machines directly from the Azure portal without opening the RDP/SSH ports.
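
The isolation check in step 6 can be run against the rules of the network security group attached to the cleanroom subnet. The following is an added example, not Commvault or Microsoft code: it assumes the rules were exported as JSON with `az network nsg show --query securityRules`, the function names are hypothetical, and SAMPLE is constructed data.

```python
import ipaddress

MGMT_PORTS = {"22", "3389"}  # SSH and RDP: the only access the page permits

def _values(rule, single, plural):
    """NSG JSON holds either one value or a list; return both merged."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _is_specific_ip(prefix):
    """True for a literal address or CIDR; False for '*', 0.0.0.0/0 or a service tag."""
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen > 0
    except ValueError:
        return False

def audit_nsg(rules):
    """Return findings for a list of NSG securityRules; an empty list means isolated."""
    findings, outbound_denied = [], False
    for r in rules:
        ports = _values(r, "destinationPortRange", "destinationPortRanges")
        if r["direction"] == "Outbound":
            if r["access"] == "Allow":
                findings.append(f"{r['name']}: allows outbound traffic")
            elif (r.get("sourceAddressPrefix") == "*"
                  and r.get("destinationAddressPrefix") in ("*", "Internet")
                  and ports == ["*"] and r["protocol"] == "*"):
                outbound_denied = True
        elif r["access"] == "Allow":
            sources = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
            if not ports or not set(ports) <= MGMT_PORTS:
                findings.append(f"{r['name']}: inbound ports {ports} are not limited to RDP/SSH")
            if not sources or not all(_is_specific_ip(s) for s in sources):
                findings.append(f"{r['name']}: inbound source {sources} is not a specific address")
    if not outbound_denied:
        findings.append("no custom outbound deny-all rule: default AllowInternetOutBound still applies")
    return findings

# Constructed sample in the shape of the exported securityRules list
SAMPLE = [
    {"name": "rdp-from-soc", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "3389"},
    {"name": "ssh-any", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
]

if __name__ == "__main__":
    for finding in audit_nsg(SAMPLE):
        print(finding)
```

The check is conservative: it reports every outbound allow rule without evaluating priority order, and it treats service tags such as Internet or VirtualNetwork as non-specific sources.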

Commvault Environment

Complete the following steps to prepare the Commvault Cloud environment.

  1. Verify auxiliary copies on Air Gap Protect.

    • Verify that auxiliary copy jobs on Air Gap Protect have not fallen behind and that at least one full backup is completed and hosted in the cleanroom to perform recovery.

    • Verify that the jobs in the Air Gap Protect copy are valid and that there is at least one full backup for each VM.

    • Verify that the Air Gap Protect region and the cleanroom target region are the same.

  2. Create a cleanroom hypervisor.

    This hypervisor represents your cleanroom subscription.

  3. Create a cleanroom recovery target.

    This recovery target represents your cleanroom destination.

    Important

    If you want your Security Operations team to create a recovery group automatically from external SIEM and SOAR solutions, you must create a dedicated recovery target and assign permissions to allow access to the Security Operations team. This ensures that the correct target is selected during the creation of recovery groups from external solutions such as Palo Alto XSOAR. This is a crucial step to guarantee that the recovery groups are created accurately when initiated from external solutions.

  4. Create cleanroom recovery groups and add the workloads that you want to recover to the recovery groups.
