The CAP Gateway mode is now available for the following services: Azure VM, Azure Storage, Azure SQL Backup, Amazon EC2, Google VM Instance, SQL Server (including Microsoft SQL Server in Azure VM and Self-managed SQL Server), VMware (Azure VMware), and Google Cloud Storage.
There will be additional costs for hosting CAP Gateways if you perform backups using the CAP Gateway mode.
Before configuring your CAP Gateways, prepare by following the instructions in the sections below.
Complete the prerequisites for your specific services before configuring CAP Gateways.
If you want to protect Azure VMs, Azure Storage, Azure SQL Backup, or VMware (Azure VMware), connect your tenant and configure an app profile.
Connect your tenant - If you want to protect your tenant, your tenant owner or service administrator must first connect the tenant to AvePoint Online Services. Refer to Connect Your Tenants to AvePoint Online Services for details.
Configure the app profile - Set up the app profile for the app required to protect your data. Use your Microsoft 365 Global Admin account to consent to the application. Refer to Configure Default AvePoint App Profiles for Microsoft Tenants for details.
To get more details on how to enable backup for Azure VM and Azure Storage, refer to Enable Backup for Azure Virtual Machines, Azure Storage, Azure SQL, and VMware.
If you want to protect Google VM instances or Google Cloud Storage buckets, refer to the instructions below to create a service account.
Enable IAM API in Google Cloud Platform - Refer to Enable IAM API in Google Cloud Platform for details.
Create a service account in Google Cloud Platform - Refer to Create a Service Account in Google Cloud Platform for details.
Obtain credentials - See Obtain Credentials for Service Account for details.
Create a service account - Go to AvePoint Online Services to create a service account. Refer to Manage Google Cloud Service Account Profiles for details.
To get more details on how to enable backup for Google VM instances, refer to Enable Backup for Google VM Instances or Google Cloud Storage.
If you want to protect SQL Server (including Microsoft SQL Server in Azure VM and Self-managed SQL Server), connect your tenant, configure an app profile, and enable authentication for SQL Server.
If you want to protect your tenant via AvePoint services, your tenant owner or service administrators must first connect the tenant to AvePoint Online Services. See Connect Your Tenants to AvePoint Online Services for details.
Go to Management > App Management in the AvePoint Online Services interface to create an app profile for Microsoft Delegate. For details, refer to Create an App Profile and Grant Consent.
Add this app to all the subscriptions where the SQL Server databases that you want to protect are running and grant this app the Contributor role. For details, refer to Add to Subscriptions and Assign the Contributor Role.
Enable authentication for your SQL Server.
For Microsoft SQL Server in Azure VM, refer to Enable Microsoft Entra ID Authentication.
For self-managed SQL Server, refer to Enable SQL Server Authentication.
To get more details on how to enable backup for SQL Server, refer to Enable Backup for SQL Server.
Complete the following steps to prepare for CAP Gateway configuration.
Create a cache storage profile to temporarily retain data in a secure manner before its transmission to permanent storage. See Manage Cache Storage for details.
Register an app to get the Application (client) ID. See Register an App for details.
Follow the steps below to register an app.
Navigate to AvePoint Online Services > App registration. On the App registrations page, click Create.
On the Create app registration page, complete the following steps:
Enter a name for the app.
Click Add service and permission.
In the Add service and permission pane, select the services and the following permissions, and then click Add.
Cloud Backup for IaaS + PaaS
Hybrid Service
hybridserver.agent.readwrite.all
hybridserver.common.readwrite.all
Credentials enable applications to identify themselves to the authentication service when receiving tokens at a web addressable location (using an HTTPS scheme). For a higher level of assurance, use a certificate as a credential. Follow the instructions below to configure credentials:
Select the Certificate tab, and then click Upload new certificate to upload a certificate (.cer or .crt file). The certificate serves as credentials that allow your application to authenticate itself, requiring no interaction from a user at runtime. If your organization does not have any certificate files, you can refer to Prepare a Certificate for the Custom Azure App to find a proper method to prepare a self-signed certificate.
If your organization is using AvePoint Opus, you can generate and download a certificate in AvePoint Opus Settings > Agent management. For details, refer to the AvePoint Opus User Guide.
Select the Client secret tab, click Add client secret, set the Effective duration to 1 year, 2 years, or 3 years, and then click Add to generate a client secret. Client secret values cannot be entirely shown once they are saved. To get a client secret value for later use, click the Copy button to copy and save it upon creation.
If you want to delete a certificate or client secret, click the Delete button.
Click Save to save your configurations.
When you finish the registration, click the app name to view the registration details, and you can copy the generated application (client) ID on the details page. You can use the client ID to configure CAP Gateways.
Three methods for preparing certificates are outlined below. Choose one of the following methods based on your scenario or use your own preferred method.
Key Vault - To prepare certificates using a Key Vault, refer to Use a Key Vault in Azure to Prepare Certificates.
Windows PowerShell - To prepare certificates using Windows PowerShell, refer to Use Windows PowerShell to Prepare Certificates.
Linux OpenSSL - To prepare certificates using Linux OpenSSL, refer to Use Linux OpenSSL to Prepare Certificates.
Several Linux distributions are available. For this guide, we recommend using Ubuntu 24.04 LTS. If you use a different distribution, ensure OpenSSL is installed before generating your certificate. Follow the instructions below to proceed.
Log in to the Linux Ubuntu 24.04 LTS system.
Execute the following command to generate a private key.
After generating the private key, execute the following command to create a self-signed certificate using the private key and export it into a .crt file.
Export the generated private key and certificate into a .pfx file by executing the following command.
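The three OpenSSL steps above as one script, added here as an example and not taken from AvePoint's documentation. The file names (gateway.key, gateway.crt, gateway.pfx), the RSA 3072-bit key, the subject CN, the validity period and the PFX_PASS environment variable are assumptions; the script also checks that the certificate matches the key before anything is uploaded.

```shell
#!/bin/sh
# Added example; file names, key size, CN, validity and PFX_PASS are assumptions.
set -eu

# make_gateway_cert <out_dir> <common_name> [days]
make_gateway_cert() (
  out_dir=$1; cn=$2; days=${3:-365}
  umask 077                         # key material readable by the owner only
  mkdir -p "$out_dir" && cd "$out_dir" &&

  # Step 1: generate the private key (RSA, 3072 bits, PEM).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out gateway.key 2>/dev/null &&

  # Step 2: create a self-signed certificate from that key as a .crt file.
  openssl req -new -x509 -sha256 -key gateway.key \
    -subj "/CN=$cn" -days "$days" -out gateway.crt &&

  # Step 3: export key and certificate into a .pfx file. The password is read
  # from the PFX_PASS environment variable, so it is not visible in `ps` output
  # or shell history the way a -passout pass:... argument would be.
  openssl pkcs12 -export -inkey gateway.key -in gateway.crt \
    -out gateway.pfx -passout env:PFX_PASS
)

# Succeeds only if the certificate's public key is the one in gateway.key.
cert_matches_key() (
  a=$(openssl x509 -in "$1/gateway.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$1/gateway.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
)

# SHA-256 fingerprint of the certificate, to record alongside the registration.
cert_fingerprint() {
  openssl x509 -in "$1/gateway.crt" -noout -fingerprint -sha256
}

# Direct use: PFX_PASS='...' sh make-cert.sh ./certs cap-gateway-01
if [ "$#" -ge 2 ]; then
  make_gateway_cert "$1" "$2" && cert_matches_key "$1" && cert_fingerprint "$1"
fi
```

Only gateway.crt contains no secret material; gateway.key and gateway.pfx hold the private key and should stay on the host that needs them.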