Manage Storage Profiles
Storage profiles are applied in subscriptions for services that use the customers’ own storage locations. To manage storage profiles, go to the Settings page, and click Storage profile in the System area.
To enhance security when using your storage device, it is highly recommended that you configure the storage firewall to allow only AvePoint Online Services access to your storage. For detailed instructions, refer to Allow AvePoint Agent Servers to Access Your Storage Account.
You can perform the following actions:
- **Create** – Click **Create**. The **Create a** **storage** **profile** window appears. For more information, refer to Create a Storage Profile.
- **Edit** – Select a profile and click **Edit**, or click the More actions () button in the **Action** column of the profile and select **Edit** in the drop-down list. You can edit the name, description, and other settings of different storage types. When you finish the edits, click **Save**.
- **Delete** – To delete a profile, select the profile and click **Delete**, or click the More actions () button in the **Action** column of the profile and select **Delete** in the drop-down list. To delete multiple profiles, select the profiles and click **Delete**. A pop-up window appears asking for your confirmation. Click **Confirm** to confirm your deletion.
Create a Storage Profile
In the Create a storage profile window, enter the profile name and description, select FTP, SFTP, Amazon S3, Amazon S3-Compatible Storage, Google Cloud Storage, or Microsoft Azure Storage from the Storage type drop-down list, and then configure the settings below based on the selected storage type.
- **FTP** or **SFTP** – In a storage profile for an FTP or SFTP server, configure the following settings:
- **Host** – Enter the IP address of the server.
- **Port** – Enter the port used to connect to this server. The default port is **1**.
- **Folder** or **Root Folder** – Once this profile is assigned to a customer, a folder named with the customer’s registered account will be automatically created.
- **Username** – Enter the username used to connect to this server.
- **Password** – Enter the password of the specified username.
- **Advanced** – If you want to configure extended parameters, select the **Advanced** checkbox, and enter the parameters in the **Extended Parameters** field. If you have multiple parameters to enter, press **Enter** on your keyboard to separate the parameters.
- **Retain the Data for** – Enter a number between 1 and 99 in this field.
- **Amazon S3** – In a storage profile for Amazon S3, configure the following settings:
- **Bucket** **name** – Once this profile is assigned to a customer, a bucket named with the customer’s registered account will be automatically created.
- **Access** **key ID** – Enter the access key ID used to access the created bucket. You can view the access key ID from your AWS account.
> ***Note**: The AWS account must have the AmazonS3FullAccess policy assigned.
- **Secret** **access** **key** – Enter the secret Key ID used to access the created bucket.
- **Storage** **region** – Select a storage region from the drop-down list for the created bucket.
- **Advanced** – If you want to configure extended parameters, select the **Advanced** checkbox, and enter the parameters in the **Extended Parameters** field. If you have multiple parameters to enter, press **Enter** on your keyboard to separate the parameters.
- **Retain the** **data for** – Enter a number between 1 and 99 in this field.
- **Amazon S3-Compatible Storage** – In a storage profile for Amazon S3-Compatible Storage, configure the following settings:
- **Bucket** **name** – Once this profile is assigned to a customer, a bucket named with the customer’s registered account will be automatically created.
- **Access** **key ID** – Enter the access key ID used to access the created bucket.
- **Secret** **access** **key** – Enter the secret Key ID used to access the created bucket.
- **Endpoint** – Enter the URL used to connect to the place where you want to store the data.
> ***Note**: The URL must begin with “http://” or “https://”.
- **Advanced** – If you want to configure extended parameters, select the **Advanced** checkbox, and enter the parameters in the **Extended Parameters** field. If you have multiple parameters to enter, press **Enter** on your keyboard to separate the parameters. You can enter the following extended parameter if necessary.
- **SignatureVersion** – By default, Cloud Backup uses V4 authentication to access your storage. If you want to use V2 authentication, add **SignatureVersion=V2** into the extended parameters.
- **IBM Storage Protect - S3** – In a storage profile for IBM Storage Protect - S3, configure the following settings:
- **Bucket** **name** – Once this profile is assigned to a customer, a bucket named with the customer’s registered account will be automatically created.
- **Access** **key ID** – Enter the access key ID used to access the created bucket.
- **Secret** **access** **key** – Enter the secret Key ID used to access the created bucket.
- **Endpoint** – Enter the URL used to connect to the place where you want to store the data.
> ***Note**: The URL must begin with “http://” or “https://”.
- **Advanced** – If you want to configure extended parameters, select the **Advanced** checkbox, and enter the parameters in the **Extended Parameters** field. If you have multiple parameters to enter, press **Enter** on your keyboard to separate the parameters. You can enter the following extended parameters if necessary.
- **Allow_Insecure_SSL** – By default, the storage client expects an SSL certificate issued by a public trusted certificate authority over HTTPS transport to ensure integrity. A self-signed certificate on the storage server side will fail the certificate validation. If you choose to use a self-signed certificate, you can set the **Allow_Insecure_SSL** to **true** in the **Extended parameters** to bypass the certificate validation.
- **SignatureVersion** – By default, Cloud Backup uses V4 authentication to access your storage. If you want to use V2 authentication, add **SignatureVersion=V2** into the extended parameters.
- **Cert_thumbprint** – If you have a self-signed certificate for S3 server and only want to pass the certificate validation with a specific thumbprint, enter your thumbprint as the value of the parameter.
> ***Note**: The **Allow_Insecure_SSL** and **Cert_thumbprint** parameters cannot be added simultaneously.
- **Retain the Data for** – Enter a number between 1 and 99 in this field.
- **IBM Cloud Object Storage** – In a storage profile for IBM Cloud Object Storage, configure the following settings:
- **Bucket** **name** – Once this profile is assigned to a customer, a bucket named with the customer’s registered account will be automatically created.
- **Access** **key ID** – Enter the access key ID used to access the created bucket.
- **Secret** **access** **key** – Enter the secret Key ID used to access the created bucket.
- **Endpoint** – Enter the URL used to connect to the place where you want to store the data.
> ***Note**: The URL must begin with “http://” or “https://”.
- **Advanced** – If you want to configure extended parameters, select the **Advanced** checkbox, and enter the parameters in the **Extended Parameters** field. If you have multiple parameters to enter, press **Enter** on your keyboard to separate the parameters. You can enter the following extended parameter if necessary.
- **SignatureVersion** – By default, Cloud Backup uses V4 authentication to access your storage. If you want to use V2 authentication, add **SignatureVersion=V2** into the extended parameters.
- **Retain the** **data for** – Enter a number between 1 and 99 in this field.
- **Google Cloud Storage** – In a storage profile for Google Cloud Storage, configure the following settings:
- **Bucket** **name** – Once this profile is assigned to a customer, a bucket named with the customer’s registered account will be automatically created.
- **Service** **account** **email** – Enter the email address of a service account that has permission to access your bucket.
- **Private** **key** – Enter a private key that is associated with the service account.
- **Project ID** – Enter the ID of a project that is associated with your bucket.
- **Advanced** – If you want to configure extended parameters, select the **Advanced** checkbox, and enter the parameters in the **Extended Parameters** field. If you have multiple parameters to enter, press **Enter** on your keyboard to separate the parameters.
- **Microsoft Azure Storage** – In a storage profile for Microsoft Azure Storage, configure the following settings:
- **Access** **point** – Enter the URL for the Blob Storage Service. The default URL is .
- **Container** **name** – Once this profile is assigned to a customer, a container named with the customer’s registered account will be automatically created.
- **Account** **name** – Enter the account name used to access the created container.
- **Account** **key** – Enter the access key used to access the created container.
- **Advanced** – If you want to configure extended parameters, select the **Advanced** checkbox, and enter the parameters in the **Extended Parameters** field. If you have multiple parameters to enter, press **Enter** on your keyboard to separate the parameters.
- **Retain the** **data for** – Enter a number between 1 and 99 in this field.
Allow AvePoint Agent Servers to Access Your Storage Account
If the customers are using or plan to use their own storage devices, read the instructions in this section carefully and complete the settings upon their need. Otherwise, skip this topic.
When customers are using their own storage devices, they may have set up the storage firewall to only allow trusted clients for security concerns. To ensure that AvePoint cloud products can access the storage, complete the settings as required in the following conditions:
*Note: If customers are using a trial subscription and the storage account they want to use in the trial has a firewall enabled, read the conditions below and contact AvePoint Support for the corresponding reserved IP addresses or ARM VNet IDs.
- If customers are using a storage type other than Microsoft Azure storage, they must add reserved IP addresses to their storage firewall. To get the list of the reserved IP addresses, refer to .
- If customers are using Microsoft Azure storage, refer to the following:
- **If the storage account is in the same data center as the one they use to sign up for AvePoint Online Services or the storage account is in its** , add the Azure Resource Manager (ARM) vNet subnets where the AvePoint agents are running on to their storage networking. Find additional details in this Microsoft article: . To get the ARM VNet subnet IDs for the data center, go to AvePoint Online Services > **Advanced Settings** > **Firewalls and Virtual Networks**. For detailed instructions, refer to the **Add ARM virtual networks** section below.
- **Other than the condition above**, they need to add all the reserved IP addresses to the Azure storage firewall. For details, refer to the **Add reserved IP addresses** section below.
Add reserved IP addresses
Follow the steps below:
-
Navigate to AvePoint Online Services interface > Advanced settings > Reserved IP addresses to download the list of reserved IP addresses of AvePoint Online Services. For details, refer to .
-
Go to the storage account that you want to secure.
-
Select Networking on the menu.
-
Check that you’ve selected to allow access from Selected networks.
-
Enter the IP address or address range under Firewall > Address range.
-
Select Save to apply your changes.
Add ARM virtual networks
You can refer to to get the VNet IDs for your data center. There are two ways to add ARM virtual networks:
- Use the Azure CLI tool ()
## Use the Azure CLI tool
# Step 1 (Optional): If you have multiple Azure subscriptions, please switch to the correct subscription
# This command sets the active subscription to the specified subscription ID.
az account set --subscription xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy
# Step 2 (Optional): Confirm whether the subscription switch is correct
# This command displays the current subscription information in a table format.
az account show --output table
# Step 3: Get the AvePoint Online Services network subnet resource ID
# This variable stores the resource ID of the subnet in the virtual network.
# Replace with the Azure Resource Manager (ARM) VNet ID downloaded from your AvePoint Online Services tenant.
$SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworks/VirtualNetworkName/subnets/SubnetName"
# Step 4: Set your resource group name
# This variable stores the name of the resource group where your storage account is located.
$DESTRG="customer_resource_group_name"
# Step 5: Set your storage account name
# This variable stores the name of the storage account to which you want to add the network rule.
$DESTSTA="customer_storage_account_name"
# Step 6: Add the firewall virtual network rule to grant access to AvePoint Online Services
# This command adds a network rule to the specified storage account, allowing access from the specified subnet.
az storage account network-rule add --resource-group $DESTRG --account-name $DESTSTA --subnet $SUBNETID
# Step 7: List the current network rules for the storage account to verify the addition
# This command lists the virtual network rules for the specified storage account.
az storage account network-rule list --resource-group $DESTRG --account-name $DESTSTA --query virtualNetworkRules
# Step 8 (Optional): Disable the public access to storage account
# This command updates the storage account to deny public network access.
az storage account update --resource-group $DESTRG --name $DESTSTA --default-action Deny
# Step 9 (Optional): Verify that the default action for network rules is set to Deny
# This command shows the network rule set for the specified storage account, including the default action.
az storage account show --resource-group $DESTRG --name $DESTSTA --query networkRuleSet.defaultAction
- Use the Azure Az PowerShell ()
## Use Azure PowerShell (Az Module)
# Step 1: Sign in to Azure with your Azure Admin account
Connect-AzAccount
# Step 2 (Optional): If you have multiple Azure subscriptions, please switch to the correct subscription
# This command sets the active subscription to the specified subscription ID.
Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy"
# Step 3: Get the AvePoint Online Services network subnet resource ID
# This variable stores the resource ID of the subnet in the virtual network.
# Replace with the Azure Resource Manager (ARM) VNet ID downloaded from your AvePoint Online Services tenant.
$SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworks/VirtualNetworkName/subnets/SubnetName"
# Step 4: Set resource group name
# This variable stores the name of the resource group where your storage account is located.
$DESTRG="customer_resource_group_name"
# Step 5: Set storage account name
# This variable stores the name of the storage account to which you want to add the network rule.
$DESTSTA="customer_storage_account_name"
# Step 6: Add the firewall virtual network rule to grant access to AvePoint Online Services
# This cmdlet adds a network rule to the specified storage account, allowing access from the specified subnet.
Add-AzStorageAccountNetworkRule -ResourceGroupName $DESTRG -Name $DESTSTA -VirtualNetworkResourceId $SUBNETID
# Step 7: Verify the newly added network rule
# This cmdlet retrieves the network rule set for the specified storage account.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $DESTRG -AccountName $DESTSTA
You will see the virtual network rules in Azure Portal. You may also notice that a warning message “Insufficient Permission…” is displayed. It is because the subnet is not in your subscription. You can ignore it.
