How AvePoint is Enabling Better Security for Azure BYOS Customers

Many AvePoint products allow customers to leverage a Bring-Your-Own-Storage (BYOS) model to meet their security and business requirements. For customers using Azure Storage as the BYOS device, we typically prefer for customers to use the same Azure region as AOS to ensure the best performance.

Security controls often include firewall provisions for added security. So, we publish our known IP addresses to provide you with a known endpoint, enabling us to work within your defined firewall settings.

The challenge with this approach happens at the intersection of these two solutions. Due to the way Microsoft Azure handles traffic within the same region, access from AvePoint services to the same-region Azure Storage will be routed through Azure internal IPs for performance. As a result, customers with this setup cannot use IP-based firewalls.

But some good news is in store! Microsoft Azure’s Virtual Network (VNet) now has a function to allow Azure Storage firewall rules based on endpoint VNet setup. AvePoint’s BYOS customers will now be able to use Azure Storage in the same region while also maintaining the security standards of secure network traffic. We will be publishing an update to our cloud platform, AOS, to leverage VNet in our November 2021 release, at which point existing IP address restrictions need to be updated to prevent impacting backup jobs.

Who Does This Affect?

This change will be transparent to most customers. Those who are using BYOS with IP-based firewalls enabled, however, should keep reading! As of January 2022, the VNet storage endpoint will be enabled globally for the following products:

  • Cloud Backup: Customers who configure their own storage to place the backup data instead of using AvePoint’s default storage are in scope
    • Cloud Backup for Microsoft 365
    • Cloud Backup for Dynamics 365
    • Cloud Backup for Google Workspace
    • Cloud Backup for Salesforce
    • Classic Backup (formerly known as DocAve Online Exchange Online and Granular backup)
  • Cloud Archiver: Customers who configure custom storage. This includes Cloud Records customers who use Cloud Archiver.
  • Cloud Governance: Customers who configured their own Azure blob storage in “Report Export Location”
  • AvePoint Online Services for Partner: Partners who configure their own storage when using “Start Service” functionality for Cloud Backup for M365 and Cloud Backup for G-suite.
  • AvePoint Online Services: Customers who use “Report Data Collection” to save the audit logs in their own storage. This configuration usually works for Policies for Microsoft 365, the Report Center function in Cloud Management, and Cloud Insights.

This planned change will be transparent to the majority of our customers. However, a very small number of customers may be impacted. For example:

  1. You’ve signed up with AvePoint Online Services in the East US data center with BYOS enabled. If your storage is in Azure West US and you’ve enabled IP-based firewalls, this change is for you! (West US is the paired Azure region for East US).
  2. You’ve signed up with AvePoint Online Services in the East US data center with BYOS enabled. If your storage is in Azure Central US and you’ve enabled IP-based firewalls, this change is NOT going to impact you! (Central US is not the paired Azure region for East US).

The following table is a list of factors to decide whether you could be impacted:

Table of pairing Azure regions of AOS data centers:

Ok, This Affects Me, What’s Next?

If you ARE affected (again, this is a small fraction of customers), Azure Virtual Network (VNet)-based firewall rules need to be added to your BYOS Azure Storage. Our support and customer success teams are willing to work with you on this when you’re ready, preferably scheduled right around our November release.

To summarize, for customers who use BYOS with Azure Storage and need to enable a firewall on storage:

  • If your Azure Storage is in the same Azure region as AOS or in its paired region, you’ll need to add VNet-based firewall rules
    • It’s recommended to add an IP-based firewall rule as well for more flexibility
  • If your Azure Storage is in any other Azure region, you’ll need to add an IP-based firewall
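
The summary above can be checked against a storage account before and after the release. This is an added example, not AvePoint's code: it audits the `networkRuleSet` JSON as returned by `az storage account show --query networkRuleSet`. The `PAIRED` map is a constructed subset (the page confirms only East US and West US), and `SUBNET` is a placeholder for the subnet resource IDs AvePoint provides.

```python
import json

# Constructed subset of Azure region pairs; the page confirms only East US <-> West US.
PAIRED = {"eastus": "westus", "westus": "eastus"}

def needs_vnet_rule(aos_region, storage_region):
    """True when storage is in the AOS region or its paired region (the page's rule)."""
    return storage_region in (aos_region, PAIRED.get(aos_region))

def audit(rule_set, aos_region, storage_region, expected_subnets):
    """Return findings for a storage account's networkRuleSet; an empty list passes."""
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: the firewall rules are not enforced")
    # Resource IDs are case-insensitive; only rules that finished provisioning count.
    active = {r["virtualNetworkResourceId"].lower()
              for r in rule_set.get("virtualNetworkRules") or []
              if r.get("state") == "Succeeded"}
    has_ip = bool(rule_set.get("ipRules"))
    if needs_vnet_rule(aos_region, storage_region):
        for subnet in expected_subnets:
            if subnet.lower() not in active:
                findings.append(f"missing VNet rule for {subnet}")
        if not has_ip:
            findings.append("advisory: no IP rule (recommended alongside VNet rules)")
    elif not has_ip:
        findings.append("missing IP rule: storage outside the AOS region pair "
                        "needs an IP-based firewall")
    return findings

# Placeholder subnet ID; the real values come from AvePoint, not from this example.
SUBNET = ("/subscriptions/<AVEPOINT-SUB-ID>/resourceGroups/<RG>/providers/"
          "Microsoft.Network/virtualNetworks/<VNET>/subnets/<SUBNET>")

# Constructed sample: IP rule only, as an affected account looks before the change.
SAMPLE = json.loads("""{
  "defaultAction": "Deny",
  "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"}],
  "virtualNetworkRules": []
}""")

if __name__ == "__main__":
    for region in ("westus", "centralus"):
        print(region, audit(SAMPLE, "eastus", region, [SUBNET]))
```

With the sample, West US storage is flagged for the missing VNet rule while Central US storage passes on its IP rule alone, matching the two numbered examples earlier on the page.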

The change should be made right after the AOS Nov release, which will complete on 11/07/2021, 9:00AM UTC. Please note that the release date for our Gov Cloud customers will be one week later on 11/14/2021.
