Many AvePoint products allow customers to leverage a Bring-Your-Own-Storage (BYOS) model to meet their security and business requirements. For customers using Azure Storage as the BYOS device, we typically prefer that customers use the same Azure region as AvePoint Online Services (AOS) to ensure the best performance.
Security controls often include firewall provisions for added security. So, we publish our known IP addresses to provide you with a known endpoint, enabling us to work within your defined firewall settings.
The challenge with this approach happens at the intersection of these two solutions. Due to the way Microsoft Azure handles traffic within the same region, access from AvePoint services to the same-region Azure Storage will be routed through Azure internal IPs for performance. As a result, customers with this setup cannot use IP-based firewalls.
But some good news is in store! Microsoft Azure’s Virtual Network (VNet) now has a function to allow Azure Storage firewall rules based on endpoint VNet setup. AvePoint’s BYOS customers will now be able to use Azure Storage in the same region while also maintaining the security standards of secure network traffic. We will be publishing an update to our cloud platform, AOS, to leverage VNet in our November 2021 release, at which point existing IP address restrictions need to be updated to prevent impacting backup jobs.
Who Does This Affect?
This change will be transparent to most customers. Those who are using BYOS with IP-based firewalls enabled, however, should keep reading! As of January 2022, the VNet storage endpoint will be enabled globally for the following products:
Cloud Backup: Customers who configure their own storage to place the backup data instead of using AvePoint’s default storage are in scope
Cloud Backup for Microsoft 365
Cloud Backup for Dynamics 365
Cloud Backup for Google Workspace
Cloud Backup for Salesforce
Classic Backup (formerly known as DocAve Online Exchange Online and Granular backup)
Cloud Archiver: Customers who configure custom storage. This includes Cloud Records customers who use Cloud Archiver.
Cloud Governance: Customers who configured their own Azure blob storage in “Report Export Location”
AvePoint Online Services for Partner: Partners who configure their own storage when using “Start Service” functionality for Cloud Backup for M365 and Cloud Backup for G-suite.
AvePoint Online Services: Customers who use “Report Data Collection” to save the audit logs in their own storage. This configuration usually applies to Policies for Microsoft 365, the Report Center function in Cloud Management, and Cloud Insights.
This planned change will be transparent to the majority of our customers. However, a very small number of customers may be impacted. For example:
You’ve signed up with AvePoint Online Services in the East US data center with BYOS enabled. If your storage is in Azure West US and you’ve enabled IP-based firewalls, this change is for you! (West US is the paired Azure region for East US).
You’ve signed up with AvePoint Online Services in the East US data center with BYOS enabled. If your storage is in Azure Central US and you’ve enabled IP-based firewalls, this change is NOT going to impact you! (Central US is not the paired Azure region for East US).
The following table is a list of factors to decide whether you could be impacted:
Table of paired Azure regions of AOS data centers:
Ok, This Affects Me, What’s Next?
If you ARE affected (again, this is a small fraction of customers), Azure Virtual Network (VNet)-based firewall rules need to be added to your BYOS Azure Storage. Our support and customer success teams are willing to work with you on this when you’re ready, preferably scheduled right around our November release.
To summarize, for customers who use BYOS with Azure Storage and need to enable a firewall on storage:
If your Azure Storage is in the same Azure region as AOS or in its paired region, you need to add VNet-based firewall rules
It’s recommended to add an IP-based firewall rule as well for more flexibility
If your Azure Storage is in any other Azure region, you’ll need to add an IP-based firewall rule
The change should be made right after the AOS Nov release, which will complete on 11/07/2021, 9:00AM UTC. Please note that the release date for our Gov Cloud customers will be one week later on 11/14/2021.
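The summary above can be checked against a storage account's current firewall before the cutover. The following is an added example, not AvePoint or Microsoft code: it audits the `networkRuleSet` object that `az storage account show` returns, and the subnet ID, IP address and sample rule set are constructed placeholders standing in for the values AvePoint publishes.

```python
# Paired regions of AOS data centers. Only the pair named in the article is
# listed here; extend the map from AvePoint's published table.
AOS_PAIRED_REGION = {"eastus": "westus"}

# Constructed placeholders, NOT real AvePoint endpoints.
VENDOR_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                 "example-rg/providers/Microsoft.Network/virtualNetworks/example-vnet/"
                 "subnets/example-subnet")
VENDOR_IP = "203.0.113.10"

# Constructed sample: firewall enabled, legacy IP rule only, no VNet rule yet.
SAMPLE_RULE_SET = {
    "defaultAction": "Deny",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": VENDOR_IP}],
    "virtualNetworkRules": [],
}

def norm(region):
    return region.replace(" ", "").lower()

def required_rule_types(aos_region, storage_region):
    """Return (required, recommended) rule types per the article's summary."""
    aos, sto = norm(aos_region), norm(storage_region)
    if sto == aos or AOS_PAIRED_REGION.get(aos) == sto:
        return {"vnet"}, {"ip"}
    return {"ip"}, set()

def audit(aos_region, storage_region, rule_set, vendor_subnets, vendor_ips):
    """List what the storage firewall lacks; an empty list means it is ready."""
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: the firewall is not enforcing")
    have = {  # Azure resource IDs are case-insensitive, so compare lowercased
        "vnet": {r["virtualNetworkResourceId"].lower()
                 for r in rule_set.get("virtualNetworkRules", [])},
        "ip": {r["ipAddressOrRange"] for r in rule_set.get("ipRules", [])},
    }
    want = {"vnet": {s.lower() for s in vendor_subnets}, "ip": set(vendor_ips)}
    required, recommended = required_rule_types(aos_region, storage_region)
    for kind in ("vnet", "ip"):
        missing = sorted(want[kind] - have[kind])
        if missing and kind in required:
            findings.append(f"MISSING required {kind} rule(s): {missing}")
        elif missing and kind in recommended:
            findings.append(f"missing recommended {kind} rule(s): {missing}")
    return findings

if __name__ == "__main__":
    for line in audit("East US", "West US", SAMPLE_RULE_SET, [VENDOR_SUBNET], [VENDOR_IP]):
        print(line)
```

With the sample rule set, storage in West US against an East US AOS tenant is flagged for the missing VNet rule, while the same rule set on Central US storage passes.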
John Hodges is Senior Vice President of Product Strategy at AvePoint, focusing on developing compliance solutions that address modern data privacy, classification, and data protection needs for organizations worldwide. Since joining AvePoint in 2008, John has worked directly with the company’s product management and research & development teams to cultivate creative ideas and bridge the gap between sales and technology – providing a practical target for innovation and a focused message for sales and marketing. John has been actively engaged in the SharePoint community for several years, working with many Fortune 500 companies to drive sustainable adoption of Microsoft technology and optimize SharePoint’s larger purpose-built implementations. John’s insights and opinions on modern Information Technology can be found in various industry publications, as well as throughout his numerous speaking sessions in webinars and at events worldwide.