AvePoint Learn
Request article
Contact support
Request article
Contact support
English

Home > Configure Settings > Configure a Custom Storage Location and Database

Export to PDF

Configure a Custom Storage Location and Database

When Bring your own storage is selected in the subscription of AvePoint Cloud Backup for Salesforce®, administrators can configure a custom storage location to store the files and configure a database to store the records and relational data of the backup data.

If you have purchased a subscription for BYOS (Bring your own storage) but are currently using AvePoint default storage for your backup data, your backup jobs will fail, and we will send you an email notification every 7 days to remind you to update your BYOS storage configuration.

Complete the following steps to configure the custom storage location and database:

  1. Navigate to Settings > Storage.

  2. Click Storage. All organizations that you manage are displayed in the panel. You can click the down arrow button next to an organization to view the storage location details.

    After the administrator’s login, the Startup wizard page will appear if the storage location and database have not been configured. You can turn on the toggle of an organization to configure the storage information.

    For distributor customers, after the administrator’s login, the Startup wizard page will appear if they have not been configured. You can turn on the toggle of an organization and select to use AvePoint default storage or select Bring your own storage to configure a custom storage location and database.

  3. Click the pencil button next to the organization you want to manage.

  4. Select the storage type you want to use and configure the settings. The Microsoft Azure Storage, SFTP, Amazon S3, Amazon S3-Compatible Storage, IBM Cloud Object Storage, and IBM Storage Protect -S3 types are supported.

    With Microsoft Azure Storage selected, configure the following settings to configure the storage location and database:

    • Access point – Enter the URL for the Storage Service.

    • Account name – Enter the corresponding account name to access the specified storage.

    • Account key – Enter the corresponding account key to access the specified storage.

    • Extended parameters – Enter the following extended parameters if necessary. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters. Refer to the instructions below to add parameters.

      • RetryInterval – Customize the retry interval when the network connection is interrupted. You are allowed to enter any positive integer between 0 and 2147483646 (the unit is millisecond). For example, RetryInterval=30000 means that it will try to reconnect every 30000 milliseconds.

        If you do not configure this parameter, the value is 30000 milliseconds by default.

      • RetryCount – Customize the reconnection times after the network connection is interrupted. You are allowed to enter any positive integer between 0 and 2147483646. For example, RetryCount=10 represents when the network connection is interrupted, and it can reconnect at most 10 times.

        If you do not configure this parameter, the value is 6 by default.

      • CustomizedMetadata={} – User-added metadata is supported. Configure the metadata in the parameter. For example: CustomizedMetadata={[testKey1,testValue1],[testKey2,testValue2],[testKey3,testValue3]}.

      • CustomizedMode=Close – User-added metadata is not supported.

    With SFTP selected, configure the following settings to configure the storage location:

    • Host – Enter the IP address of the SFTP server.

    • Port – Enter the port to use to connect to this SFTP server.

    • Root folder – Enter the root folder that you wish to access.

    • Username – Enter the username used to access the root folder.

    • Password – Enter the corresponding password of the user used to access the root folder.

    • Private key – If the SFTP server supports the private key, enter the private key here.

    • Private key password – Enter the corresponding password of the private key.

    With Amazon S3 selected, configure the following settings to configure the storage location:

    • Bucket name – Enter the bucket name you wish to access.

      Note the following:

      • If the entered name doesn’t match an existing bucket, a new bucket will be automatically created.

      • Ensure the bucket policy in Amazon S3 storage applied to your account contains the following required permissions:

        • Read: Get Object

        • List: ListBucket

        • Write: DeleteObject; PutObject; DeleteObjectVersion

    • Access key ID – Enter the corresponding access key ID to access the specified bucket. You can view the Access key ID from your AWS account.

      NOTE

      The AWS account must have the AmazonS3FullAccess policy assigned.

    • Secret access key – Enter the corresponding secret key ID to access the specified bucket. You can view the Secret access key from your AWS account.

    • Storage region – Select the Storage region of this bucket from the drop-down list. The available regions are

      US East (N. Virginia)US East (Ohio)US West (Northern California)
      US West (Oregon)Canada (Central)EU (Ireland)
      EU (Frankfurt)EU (London)Asia Pacific (Singapore)
      Asia Pacific (Tokyo)Asia Pacific (Sydney)Asia Pacific (Seoul)
      Asia Pacific (Mumbai)South America (Sao Paulo).

    • Extended parameters – Enter the following extended parameters if necessary. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters. Refer to the instructions below to add parameters.

      • RetryInterval – Customize the retry interval when the network connection is interrupted. Enter any positive integer between 0 and 2147483646 (the unit is millisecond). For example, RetryInterval=30000 means that it will try to reconnect every 30000 milliseconds.

        If you do not configure this parameter, the value is 30000 milliseconds by default.

      • RetryCount – Customize the reconnection times after the network connection is interrupted. Enter any positive integer between 0 and 2147483646. For example, RetryCount=6 represents when the network connection is interrupted, and it can reconnect at most 6 times.

        If you do not configure this parameter, the value is 6 by default.

      • CustomizedMetadata – Configure if customized metadata or user-added metadata is supported. By default, customized metadata and user-added metadata are all supported.

      • CustomizedMode=Close – This physical device will not support customized metadata or user-added metadata.

      • CustomizedMode=SupportAll – This physical device will support all customized metadata and user-added metadata.

      • CustomizedMode=CustomizedOnly – This physical device will only support user-added metadata.

      • CustomizedRegion – Configure the customized region of the physical device. For example, enter CustomizedRegion=s3.us-gov-west-1.amazonaws.com to configure the GovCloud account.

    With Amazon S3-Compatible Storage selected, configure the following settings to configure the storage location:

    • Bucket name – Enter the bucket name you wish to access.

      Note the following:

      • If the entered name doesn’t match an existing bucket, a new bucket will be automatically created.

      • Ensure the bucket policy in Amazon S3 storage applied to your account contains the following required permissions:

        • Read: Get Object

        • List: ListBucket

        • Write: DeleteObject; PutObject; DeleteObjectVersion

    • Access key ID – Enter the corresponding access key ID to access the specified bucket.

    • Secret access key – Enter the corresponding secret key ID to access the specified bucket.

    • Endpoint – Enter the URL used to connect to the place where you want to store the data.

      NOTE

      The URL must begin with http:// or https://.

    • Extended parameters – Enter the following extended parameters if necessary. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters. Refer to the instructions below to add parameters.

    • SignatureVersion – By default, AvePoint Cloud Backup for Salesforce® uses V4 authentication to access your storage. If you want to use V2 authentication, add SignatureVersion=2 into the extended parameters.

    • RetryInterval – Customize the retry interval when the network connection is interrupted. Enter any positive integer between 0 and 2147483646 (the unit is millisecond). For example, RetryInterval=30000 means that it will try to reconnect every 30000 milliseconds.

      If you do not configure this parameter, the value is 30000 milliseconds by default.

    • RetryCount – Customize the reconnection times after the network connection is interrupted. Enter any positive integer between 0 and 2147483646. For example, RetryCount=6 represents when the network connection is interrupted, and it can reconnect at most 6 times.

      If you do not configure this parameter, the value is 6 by default.

    • CustomizedMetadata – Configure if customized metadata or user-added metadata is supported. By default, customized metadata and user-added metadata are all supported.

    • CustomizedMode=Close – This physical device will not support customized metadata or user-added metadata.

    • CustomizedMode=SupportAll – This physical device will support all customized metadata and user-added metadata.

    • CustomizedMode=CustomizedOnly – This physical device will only support user-added metadata.

    With IBM Cloud Object Storage selected, configure the following settings to configure the storage location:

    • Bucket name – Enter the bucket name you wish to access.

      Note the following:

      • If the entered name doesn’t match an existing bucket, a new bucket will be automatically created.

      • Ensure the bucket policy in Amazon S3 storage applied to your account contains the following required permissions:

        • Read: Get Object

        • List: ListBucket

        • Write: DeleteObject; PutObject; DeleteObjectVersion

    • Access key ID – Enter the corresponding access key ID to access the specified bucket.

    • Secret access key – Enter the corresponding secret key ID to access the specified bucket.

    • Endpoint – Enter the URL used to connect to the place where you want to store the data.

      NOTE

      The URL must begin with “http://” or “https://”.

    • Extended parameters – Enter the following extended parameters if necessary. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters. Refer to the instructions below to add parameters.

      • SignatureVersion – By default, AvePoint Cloud Backup for Salesforce® uses V4 authentication to access your storage. If you want to use V2 authentication, add SignatureVersion=2 into the extended parameters.

      • RetryInterval – Customize the retry interval when the network connection is interrupted. Enter any positive integer between 0 and 2147483646 (the unit is millisecond). For example, RetryInterval=30000 means that it will try to reconnect every 30000 milliseconds.

        If you do not configure this parameter, the value is 30000 milliseconds by default.

      • RetryCount – Customize the reconnection times after the network connection is interrupted. Enter any positive integer between 0 and 2147483646. For example, RetryCount=6 represents when the network connection is interrupted, and it can reconnect at most 6 times.

        If you do not configure this parameter, the value is 6 by default.

      • CustomizedMetadata – Configure if customized metadata or user-added metadata is supported. By default, customized metadata and user-added metadata are all supported.

      • CustomizedMode=Close – This physical device will not support customized metadata or user-added metadata.

      • CustomizedMode=SupportAll – This physical device will support all customized metadata and user-added metadata.

      • CustomizedMode=CustomizedOnly – This physical device will only support user-added metadata.

    With IBM Storage Protect - S3 selected, configure the following settings to configure the storage location:

    • Bucket name – Enter the bucket name you wish to access.

      Note the following:

      • If the entered name doesn’t match an existing bucket, a new bucket will be automatically created.

      • Ensure the bucket policy in Amazon S3 storage applied to your account contains the following required permissions:

        • Read: Get Object

        • List: ListBucket

        • Write: DeleteObject; PutObject; DeleteObjectVersion

    • Access key ID – Enter the corresponding access key ID to access the specified bucket.

    • Secret access key – Enter the corresponding secret key ID to access the specified bucket.

    • Endpoint – Enter the URL used to connect to the place where you want to store the data.

      NOTE

      The URL must begin with “http://” or “https://”.

    • Extended parameters – Enter the following extended parameters if necessary. If you have multiple parameters to enter, press Enter on your keyboard to separate the parameters. Refer to the instructions below to add parameters.

      • Allow_Insecure_SSL – By default, the storage client expects an SSL certificate issued by a public trusted certificate authority over HTTPS transport to ensure integrity. A self-signed certificate on the storage server side will fail the certificate validation. If you choose to use a self-signed certificate, you can set the Allow_Insecure_SSL to true in the Extended parameters to bypass the certificate validation.

      • SignatureVersion – By default, AvePoint Cloud Backup for Salesforce® uses V4 authentication to access your storage. If you want to use V2 authentication, add SignatureVersion=2 into the extended parameters.

      • RetryInterval – Customize the retry interval when the network connection is interrupted. Enter any positive integer between 0 and 2147483646 (the unit is millisecond). For example, RetryInterval=30000 means that it will try to reconnect every 30000 milliseconds.

        If you do not configure this parameter, the value is 30000 milliseconds by default.

      • RetryCount – Customize the reconnection times after the network connection is interrupted. Enter any positive integer between 0 and 2147483646. For example, RetryCount=6 represents when the network connection is interrupted, it can reconnect at most 6 times.

        If you do not configure this parameter, the value is 6 by default.

      • CustomizedMetadata – Configure if customized metadata or user-added metadata is supported. By default, customized metadata and user-added metadata are all supported.

      • CustomizedMode=Close – This physical device will not support customized metadata or user-added metadata.

      • CustomizedMode=SupportAll – This physical device will support all customized metadata and user-added metadata.

      • CustomizedMode=CustomizedOnly – This physical device will only support user-added metadata.

      • Cert_thumbprint - If you have a self-signed certificate for S3 server and only want to pass the certificate validation with a specific thumbprint, enter your thumbprint as the value of the parameter.

  5. Configure the following settings to configure the database:

    NOTE

    The Enterprise edition of SQL Server 2014 or later is supported for the database. You can use either an online SQL server or an on-premises SQL server with the Enterprise edition. Ensure that AvePoint Cloud Backup for Salesforce® can connect to the SQL server. We recommend that you add the reserved IP address of AvePoint Cloud Backup for Salesforce® to the allowed list of your SQL server firewall. To download the reserved IP address, go to AvePoint Online Services > Administration > Security > Reserved IP addresses.

    • Instance name – Enter the instance name of the SQL server where the database resides.

    • Database name – Enter the name of an existing database you want to use.

    • Authentication method – Select an authentication method from SQL authentication and Microsoft Entra authentication.

    • Username – Enter the username of the account that has the db_owner role of the above database.

    • Password – Enter the password of the above account.

    • Encrypt connection – Turn on/off the toggle to define if you want to encrypt the server certificate. The feature is enabled by default.

    • Trust server certificate – Turn on/off the toggle to define if you want to trust the server certificate.

    • Certificate file (.cer) – If your SQL server is protected by a custom SSL certificate, upload the certificate file to connect to your server.

      NOTE

      If you use the Amazon RDS for SQL Server and use the built-in certificate, the certificate file is not required here.

  6. Click Save to save the configurations, or click Cancel to close the panel without saving any configurations.

    If you are on the Startup wizard page, click Back up now to start the backup jobs for the configured organizations.

How to Allow AvePoint Cloud Products to Access Your Storage

If you are using or plan to use your own storage, read the instructions in this section carefully and complete the settings upon your need. Otherwise, you can skip this topic.

When you are using your own storage device, you may have set up the storage firewall to only allow trusted clients for security concerns. To ensure that AvePoint cloud products can access your storage, complete the settings as required in the following conditions:

NOTE

If you are using a trial subscription and the storage account you want to use in the trial has a firewall enabled, read the conditions below and contact AvePoint Support for the corresponding reserved IP addresses or ARM VNet IDs.

  • If you are using a storage type other than Microsoft Azure storage, you must add reserved IP addresses to your storage firewall. To get the list of the reserved IP addresses, refer to Download a List of Reserved IP Addresses.

  • If you are using Microsoft Azure storage, refer to the following:

    • If your storage account is in the same data center as the one you use to sign up for AvePoint Online Services or your storage account is in its paired region, you must add the Azure Resource Manager (ARM) vNet subnets where the AvePoint agents are running on to your storage networking. You can find additional details in this Microsoft article: Grant access from a virtual network. To get the ARM VNet subnet IDs for your data center, go to AvePoint Online Services > Administration > Security > ARM VNet IDs. For detailed instructions, refer to the following Add ARM Virtual Networks section.

    • Other than the condition above, you need to add all reserved IP addresses to the Azure storage firewall. For details, refer to the following Add Reserved IP Addresses section.

Add Reserved IP Addresses

Follow the steps below:

  1. Navigate to AvePoint Online Services interface > Administration > Security > Reserved IP addresses to download the list of reserved IP addresses of AvePoint Online Services. For details, refer to Download a List of Reserved IP Addresses.

  2. Go to the storage account that you want to secure.

  3. Select Networking on the menu.

  4. Check that you’ve selected to allow access from Selected networks.

  5. Enter the IP address or address range under Firewall > Address Range.

  6. Select Save to apply your changes.

Add ARM Virtual Networks

To grant access to a subnet in a virtual network belonging to another tenant, use PowerShell, CLI, or REST API.

NOTE

To get the subnet ID of AvePoint cloud products for your data center, go to AvePoint Online Services > Administration > Security > ARM VNet IDs.

## Get the AvePoint Cloud products network subnet resource ID

$SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResrouceGroupName/providers/Microsoft.Network/virtualNetworks/VIrtualNetworkName/subnets/SubnetName"

$DESTRG="customer_resource_group_name"

$DESTSTA="customer_storage_accont_name"

Use the Azure CLI tool (https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)


# Step 1 (Optional): If you have multiple Azure subscriptions, please switch to the correct subscription
# This command sets the active subscription to the specified subscription ID.
az account set --subscription xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy

# Step 2 (Optional): Confirm whether the subscription switch is correct
# This command displays the current subscription information in a table format.
az account show --output table

# Step 3: Get the AvePoint Online Services network subnet resource ID
# This variable stores the resource ID of the subnet in the virtual network.
# Replace with the Azure Resource Manager (ARM) VNet ID downloaded from your AvePoint Online Services tenant.
$SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworks/VirtualNetworkName/subnets/SubnetName"

# Step 4: Set your resource group name
# This variable stores the name of the resource group where your storage account is located.
$DESTRG="customer_resource_group_name"

# Step 5: Set your storage account name
# This variable stores the name of the storage account to which you want to add the network rule.
$DESTSTA="customer_storage_account_name"

# Step 6: Add the firewall virtual network rule to grant access to AvePoint Online Services
# This command adds a network rule to the specified storage account, allowing access from the specified subnet.
az storage account network-rule add --resource-group $DESTRG --account-name $DESTSTA --subnet $SUBNETID

# Step 7: List the current network rules for the storage account to verify the addition
# This command lists the virtual network rules for the specified storage account.
az storage account network-rule list --resource-group $DESTRG --account-name $DESTSTA --query virtualNetworkRules

# Step 8 (Optional): Disable the public access to storage account
# This command updates the storage account to deny public network access.
az storage account update --resource-group $DESTRG --name $DESTSTA --default-action Deny

# Step 9 (Optional): Verify that the default action for network rules is set to Deny
# This command shows the network rule set for the specified storage account, including the default action.
az storage account show --resource-group $DESTRG --name $DESTSTA --query networkRuleSet.defaultAction


Use the Azure Az PowerShell Module (https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell?view=azps-14.2.0)


# Step 1: Sign in to Azure with your Azure Admin account
Connect-AzAccount

# Step 2 (Optional): If you have multiple Azure subscriptions, please switch to the correct subscription
# This command sets the active subscription to the specified subscription ID.
Set-AzContext -SubscriptionId "xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy"

# Step 3: Get the AvePoint Online Services network subnet resource ID
# This variable stores the resource ID of the subnet in the virtual network.
# Replace with the Azure Resource Manager (ARM) VNet ID downloaded from your AvePoint Online Services tenant.
$SUBNETID="/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-yyyyyyyyyyyy/resourceGroups/ResourceGroupName/providers/Microsoft.Network/virtualNetworks/VirtualNetworkName/subnets/SubnetName"

# Step 4: Set resource group name
# This variable stores the name of the resource group where your storage account is located.
$DESTRG="customer_resource_group_name"

# Step 5: Set storage account name
# This variable stores the name of the storage account to which you want to add the network rule.
$DESTSTA="customer_storage_account_name"

# Step 6: Add the firewall virtual network rule to grant access to AvePoint Online Services
# This cmdlet adds a network rule to the specified storage account, allowing access from the specified subnet.
Add-AzStorageAccountNetworkRule -ResourceGroupName $DESTRG -Name $DESTSTA -VirtualNetworkResourceId $SUBNETID

# Step 7: Verify the newly added network rule
# This cmdlet retrieves the network rule set for the specified storage account.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $DESTRG -AccountName $DESTSTA

You will see the virtual network rules in Azure Portal. You may also notice that a warning message “Insufficient Permission…” is displayed. It is because the subnet is not in your subscription. You can ignore it.