#Manage Storage Profiles

Storage profiles are applied in subscriptions for services that use the customers’ own storage locations. To manage storage profiles, go to the Settings page, and click Storage profile in the System area.

To enhance security when using your storage device, it is highly recommended that you configure the storage firewall to allow only AvePoint Online Services access to your storage. For detailed instructions, refer to Allow AvePoint Agent Servers to Access Your Storage Account.

You can perform the following actions:

• Create – Click Create. The Create a storage profile window appears. For more information, refer to Create a Storage Profile.

• Edit – Select a profile and click Edit, or click the ellipsis button in the Action column of the profile and select Edit in the drop-down list. You can edit the name, description, and other settings of different storage types. When you finish the edits, click Save.

• Delete – To delete a profile, select the profile and click Delete, or click the ellipsis button in the Action column of the profile and select Delete in the drop-down list. To delete multiple profiles, select the profiles and click Delete. A pop-up window appears asking for your confirmation. Click Confirm to confirm your deletion.

#Create a Storage Profile

In the Create a storage profile window, enter the profile name and description, select FTP, SFTP, Amazon S3, Amazon S3-Compatible Storage, Google Cloud Storage, or Microsoft Azure Storage from the Storage type drop-down list, and then configure the settings below based on the selected storage type.

• FTP or SFTP – In a storage profile for an FTP or SFTP server, configure the following settings:

  • Host – Enter the IP address of the server.

  • Port – Enter the port used to connect to this server. The default port is 1.

  • Folder or Root Folder – Once this profile is assigned to a customer, a folder named with the customer’s registered account will be automatically created.

  • Username – Enter the username used to connect to this server.

  • Password – Enter the password of the specified username.

  • Advanced – If you want to configure extended parameters, select the Advanced checkbox, and enter the parameters in the Extended Parameters field. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters.

  • Retain the Data for – Enter a number between 1 and 99 in this field.

• Amazon S3 – In a storage profile for Amazon S3, configure the following settings:

  • Bucket name – Once this profile is assigned to a customer, a bucket named with the customer’s registered account will be automatically created.

  • Access key ID – Enter the access key ID used to access the created bucket. You can view the access key ID from your AWS account.

    NOTE

    The AWS account must have the AmazonS3FullAccess policy assigned.

  • Secret access key – Enter the secret Key ID used to access the created bucket.

  • Storage region – Select a storage region from the drop-down list for the created bucket.

  • Advanced – If you want to configure extended parameters, select the Advanced checkbox, and enter the parameters in the Extended Parameters field. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters.

  • Retain the data for – Enter a number between 1 and 99 in this field.

• Amazon S3-Compatible Storage – In a storage profile for Amazon S3-Compatible Storage, configure the following settings:

  • Bucket name – Once this profile is assigned to a customer, a bucket named with the customer’s registered account will be automatically created.

  • Access key ID – Enter the access key ID used to access the created bucket.

  • Secret access key – Enter the secret Key ID used to access the created bucket.

  • Endpoint – Enter the URL used to connect to the place where you want to store the data.

    NOTE

    The URL must begin with “http://” or “https://”.

  • Advanced – If you want to configure extended parameters, select the Advanced checkbox, and enter the parameters in the Extended Parameters field. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters. You can enter the following extended parameter if necessary.

    • SignatureVersion – By default, Cloud Backup uses V4 authentication to access your storage. If you want to use V2 authentication, add SignatureVersion=V2 into the extended parameters.

• IBM Storage Protect - S3 – In a storage profile for IBM Storage Protect - S3, configure the following settings:

  • Bucket name – Once this profile is assigned to a customer, a bucket named with the customer’s registered account will be automatically created.

  • Access key ID – Enter the access key ID used to access the created bucket.

  • Secret access key – Enter the secret Key ID used to access the created bucket.

  • Endpoint – Enter the URL used to connect to the place where you want to store the data.

    NOTE

    The URL must begin with “http://” or “https://”.

  • Advanced – If you want to configure extended parameters, select the Advanced checkbox, and enter the parameters in the Extended Parameters field. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters. You can enter the following extended parameters if necessary.

    • Allow_Insecure_SSL – By default, the storage client expects an SSL certificate issued by a public trusted certificate authority over HTTPS transport to ensure integrity. A self-signed certificate on the storage server side will fail the certificate validation. If you choose to use a self-signed certificate, you can set the Allow_Insecure_SSL to true in the Extended parameters to bypass the certificate validation.

    • SignatureVersion – By default, Cloud Backup uses V4 authentication to access your storage. If you want to use V2 authentication, add SignatureVersion=V2 into the extended parameters.

    • Cert_thumbprint – If you have a self-signed certificate for S3 server and only want to pass the certificate validation with a specific thumbprint, enter your thumbprint as the value of the parameter.

    NOTE

    The Allow_Insecure_SSL and Cert_thumbprint parameters cannot be added simultaneously.

    • Retain the Data for – Enter a number between 1 and 99 in this field.

• IBM Cloud Object Storage – In a storage profile for IBM Cloud Object Storage, configure the following settings:

  • Bucket name – Once this profile is assigned to a customer, a bucket named with the customer’s registered account will be automatically created.

  • Access key ID – Enter the access key ID used to access the created bucket.

  • Secret access key – Enter the secret Key ID used to access the created bucket.

  • Endpoint – Enter the URL used to connect to the place where you want to store the data.

    NOTE

    The URL must begin with “http://” or “https://”.

  • Advanced – If you want to configure extended parameters, select the Advanced checkbox, and enter the parameters in the Extended Parameters field. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters. You can enter the following extended parameter if necessary.

    • SignatureVersion – By default, Cloud Backup uses V4 authentication to access your storage. If you want to use V2 authentication, add SignatureVersion=V2 into the extended parameters.

  • Retain the data for – Enter a number between 1 and 99 in this field.

• Google Cloud Storage – In a storage profile for Google Cloud Storage, configure the following settings:

  • Bucket name – Once this profile is assigned to a customer, a bucket named with the customer’s registered account will be automatically created.

  • Service account email – Enter the email address of a service account that has permission to access your bucket.

  • Private key – Enter a private key that is associated with the service account.

  • Project ID – Enter the ID of a project that is associated with your bucket.

  • Advanced – If you want to configure extended parameters, select the Advanced checkbox, and enter the parameters in the Extended Parameters field. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters.

• Microsoft Azure Storage – In a storage profile for Microsoft Azure Storage, configure the following settings:

  • Access point – Enter the URL for the Blob Storage Service. The default URL is https://blob.core.windows.net.

  • Container name – Once this profile is assigned to a customer, a container named with the customer’s registered account will be automatically created.

  • Account name – Enter the account name used to access the created container.

  • Account key – Enter the access key used to access the created container.

  • Advanced – If you want to configure extended parameters, select the Advanced checkbox, and enter the parameters in the Extended Parameters field. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters.

  • Retain the data for – Enter a number between 1 and 99 in this field.

#Allow AvePoint Agent Servers to Access Your Storage Account

If the customers are using or plan to use their own storage devices, read the instructions in this section carefully and complete the settings according to their need. Otherwise, skip this topic.

When customers are using their own storage devices, they may have set up the storage firewall to only allow trusted clients for security concerns. To ensure that AvePoint cloud products can access the storage, complete the settings as required in the following conditions:

• If customers are using a storage type other than Microsoft Azure storage, they must add reserved IP addresses to their storage firewall. To get the list of the reserved IP addresses, refer to Download a List of Reserved IP Addresses.

• If customers are using Microsoft Azure storage, refer to the following:

  • If the storage account is in the same data center as the one they use to sign up for AvePoint Online Services or the storage account is in its paired region, add the Azure Resource Manager (ARM) vNet subnets where the AvePoint agents are running on to their storage networking. Find additional details in this Microsoft article: Grant access from a virtual network. To get the ARM VNet subnet IDs for the data center, go to AvePoint Online Services > Advanced Settings > Firewalls and Virtual Networks. For detailed instructions, refer to the Add ARM virtual networks section below.

  • Other than the condition above, they need to add all the reserved IP addresses to the Azure storage firewall. For details, refer to the Add reserved IP addresses section below.

#Add reserved IP addresses

Follow the steps below:

1. Navigate to AvePoint Online Services interface > Advanced settings > Reserved IP addresses to download the list of reserved IP addresses of AvePoint Online Services. For details, refer to Download a List of Reserved IP Addresses.

2. Go to the storage account that you want to secure.

3. Select Networking on the menu.

4. Check that you’ve selected to allow access from Selected networks.

5. Enter the IP address or address range under Firewall > Address range.

6. Select Save to apply your changes.

#Add ARM virtual networks

You can refer to Download ARM Vnet IDs to get the VNet IDs for your data center. There are two ways to add ARM virtual networks:

• Use the Azure CLI tool (https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)

  ## Use the Azure CLI tool # Step 1 (Optional): If you have multiple Azure subscriptions, please switch to the correct subscription # This command sets the active subscription to the specified subscription ID. az account set --subscription xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy # Step 2 (Optional): Confirm whether the subscription switch is correct # This command displays the current subscription information in a table format. az account show --output table # Step 3: Get the AvePoint Online Services network subnet resource ID # This variable stores the resource ID of the subnet in the virtual network. # Replace with the Azure Resource Manager (ARM) VNet ID downloaded from your AvePoint Online Services tenant. $SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworks/VirtualNetworkName/subnets/SubnetName" # Step 4: Set your resource group name # This variable stores the name of the resource group where your storage account is located. $DESTRG="customer_resource_group_name" # Step 5: Set your storage account name # This variable stores the name of the storage account to which you want to add the network rule. $DESTSTA="customer_storage_account_name" # Step 6: Add the firewall virtual network rule to grant access to AvePoint Online Services # This command adds a network rule to the specified storage account, allowing access from the specified subnet. az storage account network-rule add --resource-group $DESTRG --account-name $DESTSTA --subnet $SUBNETID # Step 7: List the current network rules for the storage account to verify the addition # This command lists the virtual network rules for the specified storage account. az storage account network-rule list --resource-group $DESTRG --account-name $DESTSTA --query virtualNetworkRules # Step 8 (Optional): Disable the public access to storage account # This command updates the storage account to deny public network access. az storage account update --resource-group $DESTRG --name $DESTSTA --default-action Deny # Step 9 (Optional): Verify that the default action for network rules is set to Deny # This command shows the network rule set for the specified storage account, including the default action. az storage account show --resource-group $DESTRG --name $DESTSTA --query networkRuleSet.defaultAction

• Use the Azure Az PowerShell (https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell?view=azps-14.2.0)

  ## Use Azure PowerShell (Az Module) # Step 1: Sign in to Azure with your Azure Admin account Connect-AzAccount # Step 2 (Optional): If you have multiple Azure subscriptions, please switch to the correct subscription # This command sets the active subscription to the specified subscription ID. Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy" # Step 3: Get the AvePoint Online Services network subnet resource ID # This variable stores the resource ID of the subnet in the virtual network. # Replace with the Azure Resource Manager (ARM) VNet ID downloaded from your AvePoint Online Services tenant. $SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworks/VirtualNetworkName/subnets/SubnetName" # Step 4: Set resource group name # This variable stores the name of the resource group where your storage account is located. $DESTRG="customer_resource_group_name" # Step 5: Set storage account name # This variable stores the name of the storage account to which you want to add the network rule. $DESTSTA="customer_storage_account_name" # Step 6: Add the firewall virtual network rule to grant access to AvePoint Online Services # This cmdlet adds a network rule to the specified storage account, allowing access from the specified subnet. Add-AzStorageAccountNetworkRule -ResourceGroupName $DESTRG -Name $DESTSTA -VirtualNetworkResourceId $SUBNETID # Step 7: Verify the newly added network rule # This cmdlet retrieves the network rule set for the specified storage account. Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $DESTRG -AccountName $DESTSTA

You will see the virtual network rules in Azure Portal. You may also notice that a warning message “Insufficient Permission…” is displayed. It is because the subnet is not in your subscription. You can ignore it.