As organizations deploy more and more cloud native workloads, the ability to protect them in a secure and cost-effective manner is becoming increasingly important. Data access is also more widely spread, making it even more critical to meet this protection need with a secure, logically air-gapped copy of that data. However, without the ability to efficiently protect your data, the cost of meeting business or compliance requirements can not only rapidly exceed planned cloud budgets but also possibly put backup data at risk by keeping it close to its source.

Rubrik understands this need for economical, efficient, and easy-to-use protection of cloud-based workloads and is constantly delivering solutions to meet them. We’re pleased to introduce a new way for joint customers of Rubrik and Microsoft to take control of their cloud native security and costs with up to 40% savings – automated storage tiering for Azure Virtual Machines.

Getting Started

Leveraging the Rubrik SaaS platform, organizations can now enable an SLA to move Azure VM & Managed Disk backups to lower-cost Azure Blob storage with a variety of possible configurations in order to meet business requirements.  

Setting up Storage Tiering involves 4 components to be configured in Rubrik SaaS:

Source Subscription - The Azure Subscription where the protected workload resides.

Exocompute - Rubrik’s lightweight cloud native compute framework, deployed in Azure Kubernetes Service (AKS).

Destination Subscription - The Azure Subscription where the tiered (archived) snapshots will be stored. This subscription can be located in either the same Azure Tenant as the source or one that is logically air-gapped from the source.  A logically air-gapped subscription is one that exists in a different Azure Tenant than the source Subscription and therefore exists outside the protected workload’s administrative domain.

Target Storage - A storage account in the target subscription where the tiered snapshots will be stored. In order to provide flexibility from a cost and redundancy perspective, this can be configured to use either Hot or Cool Azure Storage Tiers, a different region and/or subscription than the source workload, and any of the following redundancy levels -  LRS, ZRS, GRS, GZRS, and RA-(Z)GRS. Additionally, a customer can either use their own encryption key (Azure Key Vault) or let Rubrik manage the SSE encryption on their behalf.
 


How it Works

Once Storage Tiering is configured and an SLA that leverages Archiving has been created and assigned, Rubrik SaaS takes the following steps to archive snapshots:

  1. Rubrik makes an API call to Microsoft Azure and creates a VM and/or Managed Disk snapshot.  

  2. The exocompute node processes the disk snapshot to identify the blocks that have changed. These changed blocks are compressed, encrypted, and tiered to the specified archival location.

  3. The exocompute node indexes the disk snapshot to identify the files on the backup. This lets users search for and recover individual files from the tiered backup as necessary, rather than recovering the entire backup.

Decrease Risk and Save on Costs

Customers should pair Rubrik Storage Tiering for Microsoft Azure with an Azure Subscription in a different, isolated Azure Tenant in order to obtain a logically air-gapped and encrypted copy of their data. With an isolated tenant, the archive stays under the customer's control, but access to it is determined by a different Azure AD than the one governing their production data, which minimizes the blast radius of a compromise.
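As an added example (not Rubrik's code or tooling), the check below audits this recommendation: given constructed records shaped like `az account list` and `az storage account show` output, it verifies that the archive storage account sits in a different tenant from the source subscription and uses one of the tiers and redundancy levels listed under Target Storage. The subscription IDs, tenant IDs, resource names and the `audit_tiering_target` helper are assumptions.

```python
import json

# Azure SKU names and access tiers matching the options the article lists
# (LRS, ZRS, GRS, GZRS, RA-(Z)GRS; Hot or Cool).
ALLOWED_SKUS = {"Standard_LRS", "Standard_ZRS", "Standard_GRS",
                "Standard_GZRS", "Standard_RAGRS", "Standard_RAGZRS"}
ALLOWED_TIERS = {"Hot", "Cool"}

# Constructed sample shaped like `az account list` output; IDs are placeholders.
SUBSCRIPTIONS = json.loads("""[
  {"id": "sub-prod",  "name": "production",   "tenantId": "tenant-prod"},
  {"id": "sub-dev",   "name": "dev-archive",  "tenantId": "tenant-prod"},
  {"id": "sub-vault", "name": "backup-vault", "tenantId": "tenant-vault"}
]""")

def storage_account(sub_id, sku, tier):
    """Build a constructed record shaped like `az storage account show` output."""
    rid = (f"/subscriptions/{sub_id}/resourceGroups/rg-archive"
           "/providers/Microsoft.Storage/storageAccounts/archivesample")
    return {"id": rid, "sku": {"name": sku}, "accessTier": tier}

def audit_tiering_target(subscriptions, source_sub_id, account):
    """Check one source subscription -> archive storage account pairing."""
    tenant_of = {s["id"]: s["tenantId"] for s in subscriptions}
    dest_sub_id = account["id"].split("/")[2]  # /subscriptions/<id>/...
    src, dst = tenant_of.get(source_sub_id), tenant_of.get(dest_sub_id)
    findings = []
    if src is None or dst is None:
        findings.append("subscription not visible; tenant cannot be verified")
    elif src == dst:
        findings.append(f"destination {dest_sub_id} shares tenant {src} with "
                        "the source: not logically air-gapped")
    sku, tier = account["sku"]["name"], account.get("accessTier")
    if sku not in ALLOWED_SKUS:
        findings.append(f"redundancy SKU {sku} is not one of the listed levels")
    if tier not in ALLOWED_TIERS:
        findings.append(f"access tier {tier} is not Hot or Cool")
    air_gapped = None not in (src, dst) and src != dst
    return {"destination": dest_sub_id, "air_gapped": air_gapped,
            "findings": findings}

if __name__ == "__main__":
    for sub, sku, tier in [("sub-vault", "Standard_GRS", "Cool"),
                           ("sub-dev", "Standard_LRS", "Hot"),
                           ("sub-vault", "Premium_LRS", "Cold")]:
        print(audit_tiering_target(SUBSCRIPTIONS, "sub-prod",
                                   storage_account(sub, sku, tier)))
```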

Combined with customizable redundancy, geographic, and encryption options, Rubrik is introducing a powerful way to protect customer data that is native to the cloud against ransomware. Plus, policy-based tiering leveraging compression and lower cost storage classes adds an economical benefit capable of helping customers optimize their cloud expenditure by up to 40%.

Zero Trust for Cloud Doesn’t Need to be Difficult

Advanced data protection and cost savings don’t need to be difficult to manage at scale either.  By providing advanced automation and governance, customers can define protection policies regardless of where resources are located. For Azure, this ensures that once set, any new workloads can be provided the same levels of protection and compliance no matter what subscription or tenant they reside in. 

To learn more about security, data storage, and more with Rubrik and Microsoft Azure, check out our whitepaper, Rubrik Zero Trust for Microsoft Environments.
