Dell EMC PowerProtect DDVE in the Azure Cloud 7.8 Installation and Administration Guide

Virtual Private Cloud: Azure Virtual Network in the Cloud Architecture

Your virtual private cloud (VPC) in Azure is the Virtual Network (VNet). We recommend that you use public or private subnet architecture to deploy DDVE in a private subnet. The subnet secures the DDVE VMs with the appropriate use of various VNet service components, such as route tables, access control lists, and security groups.

Public IP address

For security and to protect DDVE from potential attacks over the open internet, never expose the DDVE using a Public IP address directly over internet. We strongly recommend that you use VPN connections between different geographical regions (VNets). For example, you can use secure VPN connections for replication between different VNets, different cloud regions, cloud to on-premises, and vice versa.

Network interfaces

You can add multiple network interfaces to the DDVE instance. The maximum number of network interfaces varies by VM size. See Add network interfaces to or remove network interfaces from virtual machines for more information.

Static private IP Address

Dell Technologies recommends that you use DHCP for DDVE in Azure. If you want to assign the DDVE network interface with a static private IP address, follow the steps at Change private IP address to static on the Azure website.

Within DDVE, DHCP is used to retrieve the static private IP address provisioned in the Azure cloud environment. In DDOS you should always configure the network interface with DHCP, which is enabled by default, and you should not statically configure the private IP address to the given network interface.

Object store connectivity

The DDVE object store feature needs connectivity to its object storage, such as to the Azure storage account container. Because the object store communication is over https, the outbound security group setting must allow communication over port 443. There are different ways to enable DDVE connectivity to the object store. Of the following three options, we recommend only the third option (Using a VNet service endpoint).

• Using the public IP from the public subnet—Should not be used.
• Using NAT (Network Address Translation)—If the private subnet is configured to use NAT, DDVE will be able to communicate to an object store over NAT.
• We strongly recommend using VNet service endpoint for accessing the Azure hot blob storage. It does not require the DDVE to have a public IP address to communicate to Azure blob storage but uses the private IP address instead. In this case, an internet gateway, NAT, or virtual private gateway are not needed to access Azure blob storage. This method also allows the traffic to the Azure endpoint to stay within the Azure network and is routed internally to Azure blob storage.