Learn how to set up your subscription in Microsoft Azure so that you can use it as a target location for data protection in Tanzu Mission Control.

To use Tanzu Mission Control for storing and retrieving backups in Azure Blob storage, you need the following items:
  • An Azure storage account and a blob container in your Azure subscription.
  • An Azure service principal identity that allows Velero to authenticate to the subscription where you want to store backups. You must create the service principal with Azure’s built-in Contributor role. The service principal requires the following details:
    • Azure Subscription ID
    • Azure Tenant ID
    • Azure Client ID
    • Azure Client Secret
The sections in this topic show the Azure CLI ( az) commands that you can use to create an Azure storage account and blob container, as well as the service principal. For information on how to install the latest Azure CLI, see How to install the Azure CLI in the Azure documentation.

Log in to your Azure subscription and set the context

  1. Log in to your Azure subscription.
    az login
  2. Set variables.

    Replace <name-of-target-subscription> with the name of your subscription.

    AZURE_BACKUP_SUBSCRIPTION_ID=$(az account list --query="[?name=='$AZURE_BACKUP_SUBSCRIPTION_NAME'].id | [0]" -o tsv)
  3. Set your account.
    az account set -s $AZURE_BACKUP_SUBSCRIPTION_ID

Create an Azure storage account and a blob container

If you already have an Azure storage account and blob container in your Azure subscription where you want store backups, you can use that and skip this section.

The following steps guide you through the creation of an Azure storage account and blob container in your Azure subscription, using Azure CLI ( az) commands.
  1. Log in to your Azure subscription, as described above.
  2. Create a resource group and storage account.

    The storage account can be created in an existing resource group or separated into its own resource group.

    The sample script below shows how to generate a random name using uuidgen. You can name the account as you want, provided it is globally unique and follows the Azure naming rules for storage accounts.

    1. Create a resource group for the backup storage account.

      The following commands create a resource group named Velero_Backups.

      az group create -n $AZURE_BACKUP_RESOURCE_GROUP --location WestUS
    2. Create the storage account in the resource group.

      The storage account must be created with a globally unique ID because it is used for DNS. The following commands generate an account ID prepended with mybackups and then create a storage account with that ID. Refer to Azure Storage account for more details.

      AZURE_STORAGE_ACCOUNT_ID="mybackups$(uuidgen | cut -d '-' -f5 | tr '[A-Z]' '[a-z]')"
      az storage account create --name $AZURE_STORAGE_ACCOUNT_ID --resource-group $AZURE_BACKUP_RESOURCE_GROUP --sku Standard_GRS --encryption-services blob --https-only true --kind BlobStorage --access-tier Hot
    3. Create the blob container.

      The commands below create a blob container named myblobcontainer in the storage account you created in the previous step. You can use a different name, preferably unique to a single Kubernetes cluster. Refer to Azure Storage container for more details.

      BLOB_CONTAINER= myblobcontainer
      az storage container create -n $BLOB_CONTAINER --public-access off --account-name $AZURE_STORAGE_ACCOUNT_ID

Create a service principal

When you create and restore backups through Tanzu Mission Control, Velero requires a service principal identity to authenticate to the Azure subscription where backups are stored. If you already have an existing service principal with the appropriate permissions, you can use that and skip this section.

The following steps guide you through the process of creating a service principal using the built-in Contributor role, which has the permissions required by Velero to access the blob container in your subscription. For more information about the service principal identity and how to create it, refer to the following topics in the Azure documentation.

Use the following procedure to create a service principal with the Contributor role.
  1. Log in to your Azure subscription, as described above.
  2. Obtain your Azure account tenant ID.
    AZURE_TENANT_ID=`az account list --query '[?isDefault].tenantId' -o tsv`
  3. Create the service principal and let the CLI generate a password for you. Make sure to capture the generated password.

    This example uses velero for the user name. You can create a unique user name per cluster rather than velero. Make sure that the user name value does not conflict with other service principals or app registrations.

    AZURE_CLIENT_SECRET=`az ad sp create-for-rbac --name "velero" --role $AZURE_ROLE --query 'password' -o tsv --scopes /subscriptions/$AZURE_BACKUP_SUBSCRIPTION_ID`
  4. After creating the service principal, obtain the client ID.
    AZURE_CLIENT_ID=`az ad sp list --display-name "velero" --query '[0].appId' -o tsv`

After you have completed these procedures, you have a storage account with a blob container and a service principal, as well as the information necessary to use your Azure subscription for a target location in Tanzu Mission Control.

For more information about using Velero with Microsoft Azure, go to https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure#velero-plugins-for-microsoft-azure.