The CAP Gateway mode is now available for the following services: Azure VM, Google VM instance and Azure Storage.
Before configuring your CAP Gateways, prepare by following the instructions in the sections below.
Complete the prerequisites for your specific services before configuring CAP Gateways.
If you want to protect Azure VMs or Azure Storage, connect your tenant and configure an app profile.
Connect your tenant – If you want to protect your tenant, your tenant owner or service administrator must first connect the tenant to AvePoint Online Services. Refer to for details.
Configure the app profile – Set up the app profile for the app required to protect your data. Use your Microsoft 365 Global Admin account to consent to the application. Refer to for details.
If you want to protect Google VM instances, refer to the instructions below to create a service account.
Enable IAM API in Google Cloud Platform – Refer to for details.
Create a service account in Google Cloud Platform – Refer to for details.
Obtain credentials – See for details.
Create a service account – Go to AvePoint Online Services to create a service account. Refer to for details.
Complete the following steps to prepare for CAP Gateway configuration.
Create a cache storage profile to temporarily retain data in a secure manner before its transmission to permanent storage. See Manage Cache Storage for details.
Register an app to get the Application (client) ID. See Register an App for details.
Follow the steps below to register an app.
Navigate to AvePoint Online Services > App registration. On the App registrations page, click Create.
On the Create app registration page, complete the following steps:
Enter a name for the app.
Click Add service and permission.
In the Add service and permission pane, select the services and the following permissions, and then click Add.
Cloud Backup for IaaS + PaaS
Hybrid Service
hybridserver.agent.readwrite.all
hybridserver.common.readwrite.all
Credentials enable applications to identify themselves to the authentication service when receiving tokens at a web addressable location (using an HTTPS scheme). For a higher level of assurance, use a certificate as a credential. Follow the instructions below to configure credentials:
Select the Certificate tab, and then click Upload new certificate to upload a certificate (.cer or .crt file). The certificate serves as credentials that allow your application to authenticate itself, requiring no interaction from a user at runtime. If your organization does not have any certificate files, you can refer to Prepare a Certificate for the Custom Azure App to find a proper method to prepare a self-signed certificate.
*Note: If your organization is using AvePoint Opus, you can generate and download a certificate in AvePoint Opus Settings > Agent management. For details, refer to the .
Select the Client secret tab, click Add client secret, set the Effective duration to 1 year, 2 years, or 3 years, and then click Add to generate a client secret. Client secret values cannot be displayed in full after they are saved. To keep a client secret value for later use, click the Copy button to copy and save it when it is created.
If you want to delete a certificate or client secret, click the Delete button.
Click Save to save your configurations.
When you finish the registration, click the app name to view the registration details, and you can copy the generated application (client) ID on the details page. You can use the client ID to configure CAP Gateways.
Three methods for preparing certificates are outlined below. Choose one of the following methods based on your scenario or use your own preferred method.
Several Linux distributions are available. For this guide, we recommend using Ubuntu 24.04 LTS. If you use a different distribution, ensure OpenSSL is installed before generating your certificate. Follow the instructions below to proceed.
Log in to the Linux Ubuntu 24.04 LTS system.
Execute the following command to generate a private key.
openssl genrsa -out private.key 2048
After generating the private key, execute the following command to create a self-signed certificate using the private key and export it into a .crt file.
openssl req -new -x509 -days 365 -key private.key -out certificate.crt
Export the generated private key and certificate into a .pfx file by executing the following command.
openssl pkcs12 -export -out self_signed.pfx -inkey private.key -in certificate.crt
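The three commands above, run non-interactively with checks a reviewer would want before uploading. This is an added example, not AvePoint's own script. The function names, the CN value, the output directory and the PFX_PASSWORD environment variable are assumptions, and the -subj and -passout options are added only to avoid the interactive prompts.

```shell
#!/bin/sh
# Added example: the guide's key, certificate and .pfx steps with checks.
# Function names, CN, directory and PFX_PASSWORD are assumptions.

# Succeeds only if the certificate's public key matches the private key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# Succeeds only if the file holds no private key material, so it is
# safe to upload on the Certificate tab.
is_public_only() {
    ! grep -q "PRIVATE KEY" "$1"
}

# make_cap_cert DIR CN: create private.key, certificate.crt and
# self_signed.pfx inside DIR. PFX_PASSWORD must be exported beforehand.
make_cap_cert() (
    : "${PFX_PASSWORD:?export PFX_PASSWORD to protect the .pfx}"
    umask 077    # files are created readable by the owner only
    mkdir -p "$1" && cd "$1" || exit 1
    openssl genrsa -out private.key 2048 2>/dev/null || exit 1
    openssl req -new -x509 -days 365 -key private.key \
        -out certificate.crt -subj "/CN=$2" || exit 1
    openssl pkcs12 -export -out self_signed.pfx -inkey private.key \
        -in certificate.crt -passout env:PFX_PASSWORD || exit 1
    cert_matches_key certificate.crt private.key || exit 1
    is_public_only certificate.crt || exit 1
    # Record the fingerprint and expiry date to identify the uploaded
    # certificate later and to plan its renewal before the 365 days end.
    openssl x509 -in certificate.crt -noout -fingerprint -sha256 -enddate
)

# Stand-alone use: sh make_cert.sh ./cap-cert cap-gateway-app.example
if [ "$#" -ge 2 ]; then
    make_cap_cert "$1" "$2"
fi
```

Only certificate.crt matches the .cer or .crt upload described for the Certificate tab; private.key and self_signed.pfx contain the private key and stay under owner-only permissions.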