AvePoint Docs
Graph API
My support tickets
Graph API
My support tickets
English

Home > Manage Your Storage

Export to PDF

Manage Your Storage

Navigate to Settings > Storage profiles > Backup storage, and all the backup storage profiles are displayed in the table.

If you are using your own storage, you can choose to use the following storage type: Amazon S3, Amazon S3-Compatible, Microsoft Azure Blob Storage, IBM Storage Protect – S3, IBM Cloud Object Storage, and Google Cloud Storage. In addition, if you may have set up the storage firewall to only allow trusted clients to access your storage, read the instructions in the Allow AvePoint Agent Servers to Access Your Storage Account section carefully and complete the settings as needed.

*Note: If you are using the default storage (either Microsoft Azure storage or Amazon S3 storage), you can skip this topic. After December 2023 release, the Amazon S3 storage is an available option for AvePoint hosted default storage location. If you want to change your default storage type to another, you can contact AvePoint support for assistance. The backup data in the previous default storage can still be used for data recovery until the retention expires.

If you have updated your subscription from using default storage to your own storage, you must navigate to this page, click Storage, and click the Change to my own storage link to configure the storage profiles connecting to your own storage. Otherwise, the backup will be interrupted.

If you updated the subscription by using your own storage to default AvePoint storage, the backup service will force a full backup for the subsequent backup job in the schedule and automatically store the backup data to the default AvePoint storage. The legacy backup data stored on your own storage can still be used for restoring until it expires the retention period.

Go to configure your own storage.

You can click the storage profile name to view the details of the storage location and click Edit to update the profile information. The storage information, apart from its path information, can be modified.

View details of a storage profile.

Follow the instructions below to create a storage profile:

In the Backup storage tab, click the Create button. The Create a storage profile pane appears on the right.

![The Create a storage profile panel.](/en/iaas-paas/images/image60.png "The Create a storage profile panel.")

Enter a profile name for the storage location that you want to connect to and provide an optional description.

In the Storage Type field, select a storage type from the list and then refer to the following sections for the storage configuration.

Microsoft Azure Storage

Note the following before configuring Azure Blob storage location:

- The supported Azure account kinds are **Storage** and **StorageV2** of **Standard** performance type. For details on creating a storage account, refer to the Microsoft article: . - Before you add the Azure storage account to the Cloud Backup interface, you must ensure your storage can be accessed by AvePoint products. For details, refer to [Allow AvePoint Agent Servers to Access Your Storage Account](#missing-link). - If you use Microsoft Azure Blob Storage to store backup data for **Azure VM** and **Azure Storage**, navigate to **Storage account** > **Settings** > **Configuration** > **Permitted scope for copy operations**, and ensure the permitted scope for copy operations of the storage account used by the storage profile is properly configured as follows: - For the storage account within the same Microsoft Entra tenant, you can select the **From** **storage accounts in the same Microsoft Entra tenant** option. - For the storage account from a different Microsoft Entra tenant, ensure the **From** **any storage account** option is selected. - To help reduce storage costs, the backup data generated after October 2023 release will be automatically stored to the Microsoft Azure storage cold tier, if the retention period is more than 45 days.

Complete the following steps:

  1. Storage type – Select Microsoft Azure Blob Storage from the drop-down list.

  2. Access point – Enter the URL for the Blob Storage Service. The default URL is https://blob.core.windows.net.

  3. Container name – Enter the container name you wish to access.

    *Note: The entered name must match an existing container.

  4. Account name – Enter the corresponding account name to access the specified container.

  5. Account key – Enter the corresponding account key to access the specified container.

  6. Extended parameters – Enter the following extended parameters if necessary. If you have multiple parameters to enter, use a semicolon (;) to separate the parameters. Refer to the instructions below to add parameters.

    • RetryInterval – Customize the retry interval when the network connection is interrupted. You are allowed to enter any positive integer between 0 and 2147483646 (the unit is in milliseconds). For example, RetryInterval=30000 means that it will try to reconnect every 30000 milliseconds.

      If you do not configure this parameter, the value is 30000 milliseconds by default.

    • RetryCount – Customize the reconnection times after the network connection is interrupted. You are allowed to enter any positive integer between 0 and 2147483646. For example, RetryCount=10 represents when the network connection is interrupted, it can reconnect at most 10 times.

      If you do not configure this parameter, the value is 6 by default.

Click Save to save your storage. The storage path cannot be changed once saved, and the storage profile cannot be deleted once the storage has been applied to store the backup data for a region.

Amazon S3

AvePoint will by default use HTTPS (SSL) communication to access your Amazon S3 storage and store your backup data to the S3 Glacier Instant Retrieval / Standard-IA storage class automatically. You can move the backup data from S3 Standard-IA to S3 Standard, S3 One Zone-IA, or S3 Intelligent-Tiering, and Cloud Backup for IaaS + PaaS can restore the backup data of those storage classes. However, it is not recommended to activate the archive access tier if you are using S3 Intelligent-Tiering. Activating the archive access tier will cause data object files that have not yet been accessed for 90 days to be archived, and Cloud Backup cannot access the archived data in your Amazon S3 storage.

Follow the instructions below:

Storage type – Select Amazon S3 from the drop-down list.

Bucket name – Enter the bucket name you wish to access.

Note the following: - The entered name **must** match an existing bucket. If no bucket is available, refer to to create one. - Ensure the bucket policy in Amazon S3 storage applied to your account **contains** the following required permissions: - **Read**: GetObject - **List**: ListBucket - **Write**: DeleteObject; PutObject; DeleteObjectVersion

Access key ID – Enter the corresponding access key ID to access the specified bucket. You can view the Access key ID from your AWS account.

Secret access key – Enter the corresponding secret key ID to access the specified bucket. You can view the Secret access key from your AWS account.

> ***Note**: The AWS account must have the AmazonS3FullAccess policy assigned.

Storage region – Select the Storage region of this bucket from the drop-down menu. You can use the Search box to search for region via keywords.

Extended parameters – Enter the following extended parameters if necessary. If you have multiple parameters to enter, use a semicolon (;) to separate the parameters. Refer to the instructions below to add parameters.

- **RetryInterval** – Customize the retry interval when the network connection is interrupted. Enter any positive integer between 0 and 2147483646 (the unit is millisecond). For example, RetryInterval=30000 means that it will try to reconnect every 30000 milliseconds. If you do not configure this parameter, the value is 30000 milliseconds by default. - **RetryCount** – Customize the reconnection times after the network connection is interrupted. Enter any positive integer between 0 and 2147483646. For example, RetryCount=6 represents when the network connection is interrupted, and it can reconnect at most 6 times. If you do not configure this parameter, the value is 6 by default. - **RetryMode** – Customize the retry mode for the requests not being completed successfully. If this parameter is not configured or configured incorrectly, the **Legacy** will be applied as the default value. You can also set the value to **Standard** or **Adaptive**. **Standard** represents the standardized request retry strategy which is consistent across all SDKs; **Adaptive** represents an experimental request retry strategy that builds on the Standard strategy and introduces congestion control through client-side rate limiting.

Click Save to save your storage profile. The storage path cannot be changed once saved, and the storage profile cannot be deleted once the storage has been applied to store the backup data for a region.

Amazon S3-Compatible

Follow the instructions below:

  1. Storage type – Select Amazon S3-Compatible Storage from the drop-down list.

  2. Bucket name – Enter the bucket name you wish to access.

    Note the following:

    • The entered name must match an existing bucket. If no bucket is available, refer to to create one. Note that it’s a general guidance, the exact steps may vary depending on the specific product, refer to your specific product documentation for any additional configurations required.

    • Ensure the bucket policy in Amazon S3-compatible storage applied to your account contains the following required permissions:

      • Read: Get Object

      • List: ListBucket

      • Write: DeleteObject; PutObject; DeleteObjectVersion

  3. Access key ID – Enter the corresponding access key ID to access the specified bucket.

  4. Secret access key – Enter the corresponding secret key ID to access the specified bucket.

  5. Endpoint – Enter the URL used to connect to the place where you want to store the data.

    *Note: The URL must begin with “http://” or “https://”.

  6. Extended parameters – Enter the following extended parameters if necessary. If you have multiple parameters to enter, use a semicolon (;) to separate the parameters. Refer to the instructions below to add parameters.

    • SignatureVersion – By default, Cloud Backup uses V4 authentication to access your storage. If you want to use V2 authentication, add SignatureVersion=2 into the extended parameters.

    • RetryInterval – Customize the retry interval when the network connection is interrupted. Enter any positive integer between 0 and 2147483646 (the unit is millisecond). For example, RetryInterval=30000 means that it will try to reconnect every 30000 milliseconds.

      If you do not configure this parameter, the value is 30000 milliseconds by default.

    • RetryCount – Customize the reconnection times after the network connection is interrupted. Enter any positive integer between 0 and 2147483646. For example, RetryCount=6 represents when the network connection is interrupted, it can reconnect at most 6 times.

      If you do not configure this parameter, the value is 6 by default.

    • RetryMode – Customize the retry mode for the requests not being completed successfully. If this parameter is not configured or configured incorrectly, the Legacy will be applied as the default value. You can also set the value to Standard or Adaptive. Standard represents the standardized request retry strategy which is consistent across all SDKs; Adaptive represents an experimental request retry strategy that builds on the Standard strategy and introduces congestion control through client-side rate limiting.

    • Allow_Insecure_SSL – By default, the storage client expects an SSL certificate issued by a public trusted certificate authority over HTTPS transport to ensure integrity. A self-signed certificate on the storage server side will fail the certificate validation. If you choose to use a self-signed certificate, you can set the Allow_Insecure_SSL to true in the Extended parameters to bypass the certificate validation.

    • Cert_thumbprint – If you have a self-signed certificate for storage server and only want to pass the certificate validation with a specific thumbprint, enter your thumbprint as the value of this parameter.

    • Use_PathStyle=true – This parameter is required to ensure the Cloud Backup for IaaS + PaaS can work with your storage properly.

    • Use_ClientMultiUpload=true – This parameter is required to ensure the Cloud Backup for IaaS + PaaS can work with your storage properly.

    • Use_UnsignedPayload=true – This parameter is required to ensure the Cloud Backup for IaaS + PaaS can work with your storage properly.

Click Save to save your storage profile. The storage path cannot be changed once saved, and the storage profile cannot be deleted once the storage has been applied to store the backup data for a region.

IBM Storage Protect - S3

Follow the instructions below:

  1. Storage type – Select IBM Storage Protect -S3 from the drop-down list.

  2. Bucket name – Enter the bucket name you wish to access.

    *Note: The entered name must match an existing bucket.

  3. Access key ID – Enter the corresponding access key ID to access the specified bucket.

  4. Secret access key – Enter the corresponding secret key ID to access the specified bucket.

  5. Endpoint – Enter the URL used to connect to the place where you want to store the data.

    *Note: The URL must begin with http:// or https://.

Extended parameters – Enter the following extended parameters if necessary. If you have multiple parameters to enter, use a semicolon (;) to separate the parameters. Refer to the instructions below to add parameters.

- **Use_PathStyle=true** – This **parameter** is required to ensure the Cloud Backup for IaaS + PaaS can work with your storage properly. - **Allow_Insecure_SSL** – By default, the storage client expects an SSL certificate issued by a public **trusted** certificate authority over HTTPS transport to ensure integrity. A self-signed certificate on the storage server side will fail the certificate validation. If you choose to use a self-signed certificate, you can set the Allow_Insecure_SSL to true in the Extended parameters to bypass the certificate validation. - **Cert_thumbprint** – If you have a self-signed certificate for S3 server and only want to pass **the** certificate validation with a specific thumbprint, enter your thumbprint as the value of this parameter. - **RetryInterval** – Customize the retry interval when the network connection is **interrupted**. Enter any positive integer between 0 and 2147483646 (the unit is millisecond). For example, RetryInterval=30000 means that it will try to reconnect every 30000 milliseconds. If you do not configure this parameter, the value is 30000 milliseconds by default. - **RetryCount** – Customize the reconnection times after the network connection is interrupted. Enter any positive integer between 0 and 2147483646. For **example**, **RetryCount=6** represents when the network connection is interrupted, and it can reconnect at most 6 times. If you do not configure this parameter, the value is 6 by default. - **RetryMode** – Customize the retry mode for the requests not being completed successfully. If this parameter is not configured or configured incorrectly, the **Legacy** will be applied as the default value. You can also **set** the value to **Standard** or **Adaptive**. **Standard** represents the standardized request retry strategy which is consistent across all SDKs; **Adaptive** represents an experimental request retry strategy that builds on the Standard strategy and introduces congestion control through client-side rate limiting.
  1. Click Save to save your storage. The storage path cannot be changed once saved, and the storage profile cannot be deleted once the storage has been applied to store the backup data for a region.

IBM Cloud Object Storage

Follow the instructions below:

Storage type – Select IBM Cloud Object Storage from the drop-down list.

Bucket name – Enter the bucket name you wish to access.

> ***Note**: The entered name must match an existing bucket. If no bucket is available, refer to to create one.

Access key ID – Enter the corresponding access key ID to access the specified bucket.

Secret access key – Enter the corresponding secret key ID to access the specified bucket.

Endpoint – Enter the URL used to connect to the place where you want to store the data.

> ***Note**: The URL must begin with “http://**”** or “https://”.

Extended parameters – Enter the following extended parameters if necessary. If you have multiple parameters to enter, use a semicolon (;) to separate the parameters. Refer to the instructions below to add parameters.

- **RetryInterval** – **Customize** the retry interval when the network connection is interrupted. Enter any positive integer between 0 and 2147483646 (the unit is millisecond). For example, RetryInterval=30000 means that it will try to reconnect every 30000 milliseconds. If you do not configure this parameter, the value is 30000 milliseconds by default. - **RetryCount** – Customize the reconnection times after the network connection is interrupted. Enter any positive integer between 0 and 2147483646. For **example**, RetryCount=6 represents when the network connection is interrupted, and it can reconnect at most 6 times. If you do not configure this parameter, the value is 6 by default. - **RetryMode** – Customize the retry mode for the requests not being completed **successfully**. If this parameter is not configured or configured incorrectly, the **Legacy** will be applied as the default value. You can also set the value to **Standard** or **Adaptive**. **Standard** represents the standardized request retry strategy which is consistent across all SDKs; **Adaptive** represents an experimental request retry strategy that builds on the Standard strategy and introduces congestion control through client-side rate limiting.
  1. Click Save to save your storage. The storage path cannot be changed once saved, and the storage profile cannot be deleted once the storage has been applied to store the backup data for a region.

Google Cloud Storage

Note the following before creating a Google Cloud Storage:

- **Google Cloud** **Storage** is not supported if you are using Cloud Backup for IaaS + PaaS in the data center operated by 21Vianet in China. - The following permissions are required for the Google Cloud Storage. For permission details, refer to . - storage.buckets.get - storage.buckets.list - storage.objects.list - storage.objects.create - storage.objects.delete - storage.objects.get

Follow the instructions below:

  1. Storage type – Select Google Cloud Storage from the drop-down list.

  2. Service account email address – Enter the corresponding client email to access the specified service account.

  3. Private key – Enter the corresponding private key to access the specified service account.

  4. Project ID – Enter the corresponding project ID to access the specified service account.

  5. Bucket name – Enter the bucket name you wish to access.

    *Note: The entered name must match an existing bucket. If no bucket is available, refer to to create a new one.

Click Save to save your storage. The storage path cannot be changed once saved, and the storage profile cannot be deleted once the storage has been applied to store the backup data for a region.

Allow AvePoint Agent Servers to Access Your Storage Account

If you are going to protect Azure storage or use your own storage device to store the backup data, read the instructions in this section carefully and complete the settings upon your need. Otherwise, you can skip this topic.

When you are using your own storage, you may have set up the storage firewall to only allow trusted clients to access for security concerns. To ensure that AvePoint cloud products can access your storage, complete the settings as required in the following conditions:

*Note: If you are in trial and the storage account you want to use in the trial has a firewall enabled, read the conditions below and contact AvePoint Support for the corresponding reserved IP addresses or ARM VNet IDs.

- If you use a storage type other than Microsoft Azure storage, you must add **reserved** IP addresses to your storage firewall. To get the list of the reserved IP addresses, refer to . - If you are using Microsoft Azure storage, refer to the following: - If your storage account is in the same data center as the one you use to sign up for AvePoint Online Services or your storage account is in its , you must add the Azure Resource Manager (ARM) VNet subnets where the AvePoint agents are running on to your storage networking. You can find additional details in this Microsoft article: , and get the subnet ID of AvePoint cloud products for your data center from . For detailed instructions, refer to [Add ARM virtual networks](#missing-link). - **Other than the condition above**, you need to add all the reserved IP addresses to the Azure storage firewall. For details, refer to [Add reserved IP addresses](#missing-link).

Add reserved IP addresses

Follow the steps below:

Navigate to AvePoint Online Services interface > Administration > Security.

Click Download next to the Reserved IP Addresses tile to download the list of reserved IP addresses of AvePoint Online Services. For details, refer to .

Go to the storage account that you want to secure.

Select Networking on the menu.

Check that you have selected to allow access from Selected networks.

Enter the IP address or address range under Firewall > Address Range.

Select Save to apply your changes.

Add ARM virtual networks

There are two ways to grant access to a subnet in a virtual network belonging to another tenant:

- Use the Azure CLI tool () ## Use the Azure CLI tool # Step 1 (Optional): If you have multiple Azure subscriptions, please switch to the correct subscription # This command sets the active subscription to the specified subscription ID. az account set --subscription xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy # Step 2 (Optional): Confirm whether the subscription switch is correct # This command displays the current subscription information in a table format. az account show --output table # Step 3: Get the AvePoint Online Services network subnet resource ID # This variable stores the resource ID of the subnet in the virtual network. # Replace with the Azure Resource Manager (ARM) VNet ID downloaded from your AvePoint Online Services tenant. $SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworks/VirtualNetworkName/subnets/SubnetName" # Step 4: Set your resource group name # This variable stores the name of the resource group where your storage account is located. $DESTRG="customer_resource_group_name" # Step 5: Set your storage account name # This variable stores the name of the storage account to which you want to add the network rule. $DESTSTA="customer_storage_account_name" # Step 6: Add the firewall virtual network rule to grant access to AvePoint Online Services # This command adds a network rule to the specified storage account, allowing access from the specified subnet. az storage account network-rule add --resource-group $DESTRG --account-name $DESTSTA --subnet $SUBNETID # Step 7: List the current network rules for the storage account to verify the addition # This command lists the virtual network rules for the specified storage account. az storage account network-rule list --resource-group $DESTRG --account-name $DESTSTA --query virtualNetworkRules # Step 8 (Optional): Disable the public access to storage account # This command updates the storage account to deny public network access. az storage account update --resource-group $DESTRG --name $DESTSTA --default-action Deny # Step 9 (Optional): Verify that the default action for network rules is set to Deny # This command shows the network rule set for the specified storage account, including the default action. az storage account show --resource-group $DESTRG --name $DESTSTA --query networkRuleSet.defaultAction - Use the Azure Az PowerShell () ## Use the Azure Az PowerShell # Step 1: Sign in to Azure with your Azure Admin account Connect-AzAccount # Step 2 (Optional): If you have multiple Azure subscriptions, please switch to the correct subscription # This command sets the active subscription to the specified subscription ID. Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy" # Step 3: Get the AvePoint Online Services network subnet resource ID # This variable stores the resource ID of the subnet in the virtual network. # Replace with the Azure Resource Manager (ARM) VNet ID downloaded from your AvePoint Online Services tenant. $SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworks/VirtualNetworkName/subnets/SubnetName" # Step 4: Set resource group name # This variable stores the name of the resource group where your storage account is located. $DESTRG="customer_resource_group_name" # Step 5: Set storage account name # This variable stores the name of the storage account to which you want to add the network rule. $DESTSTA="customer_storage_account_name" # Step 6: Add the firewall virtual network rule to grant access to AvePoint Online Services # This cmdlet adds a network rule to the specified storage account, allowing access from the specified subnet. Add-AzStorageAccountNetworkRule -ResourceGroupName $DESTRG -Name $DESTSTA -VirtualNetworkResourceId $SUBNETID # Step 7: Verify the newly added network rule # This cmdlet retrieves the network rule set for the specified storage account. Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $DESTRG -AccountName $DESTSTA

You will see the virtual network rules in Azure Portal, as the screenshot below shows. You may also notice that a warning message “Insufficient Permission…” is displayed. It is because the subnet is not in your subscription. You can ignore it.

The vNet rules.