Arpio Access Model for Azure
This document describes the approach that Arpio uses to securely interact with Azure customer environments (the combination of an Azure subscription and Azure region).

Arpio facilitates the backup and recovery of your cloud resources across Azure subscriptions and Azure regions. Each combination of subscription/region is viewed as an "environment" where your resources exist. Each Arpio application consists of a source or primary environment and a recovery or target environment. The combination of a specific source and recovery environment is referred to as an Arpio region pair.
This understanding of how your resources are grouped and managed is at the heart of how Arpio manages its access and works to ensure that those resources remain secure and protected at all times.
Arpio Delegates
Arpio access to each environment is handled by a "Delegate". A delegate is a collection of Container App Functions/Jobs and storage resources that are installed into the primary and recovery environments during the Connection Process. They act as proxies to the Azure Resource APIs, where the Arpio Control Plane invokes the delegates to perform sensitive operations instead of invoking Azure APIs directly. This allows for finer-grained access control and data isolation to be enforced by the delegates than would otherwise be possible with Azure RBAC alone.
The following diagram illustrates the process by which Arpio obtains an OAuth access token from Entra by presenting a certificate and then invokes either the Primary or Recovery delegate with that access token.
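As an added example (not Arpio's own code), the certificate-based client-credentials exchange described above in Python: the control plane builds the client assertion that Entra expects, and the delegate, after the token signature has been verified against Entra's published signing keys, checks that the caller is the control-plane app from the expected tenant before doing any work. The tenant, app and audience values, the `signer` callable and the sample claims are assumptions for illustration.

```python
import base64
import hashlib
import json
import time
import uuid
from typing import Callable, Optional, Tuple

TOKEN_URL = "https://login.microsoftonline.com/{tid}/oauth2/v2.0/token"
# Issuer forms Entra uses for v2.0 and v1.0 access tokens respectively
ISSUERS = ("https://login.microsoftonline.com/{tid}/v2.0", "https://sts.windows.net/{tid}/")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_segment(segment: str) -> dict:
    """Decode one base64url JWT segment (header or claims) back to a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def build_client_assertion(tenant_id: str, client_id: str, cert_der: bytes,
                           signer: Callable[[bytes], bytes], now: Optional[int] = None) -> str:
    """JWT the control plane presents as client_assertion in the certificate-based
    client-credentials grant. signer (assumed, supplied by the caller) must return an
    RS256 signature made with the private key of the certificate registered on the app."""
    now = int(time.time()) if now is None else now
    # x5t is the base64url SHA-1 thumbprint of the registered certificate (DER bytes)
    header = {"alg": "RS256", "typ": "JWT", "x5t": b64url(hashlib.sha1(cert_der).digest())}
    claims = {"aud": TOKEN_URL.format(tid=tenant_id), "iss": client_id, "sub": client_id,
              "jti": str(uuid.uuid4()), "nbf": now, "exp": now + 300}  # short-lived, single use
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    return signing_input + "." + b64url(signer(signing_input.encode()))

def authorize_delegate_call(claims: dict, tenant_id: str, delegate_audience: str,
                            control_plane_app_id: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Delegate-side check on an access token whose signature has already been verified:
    only the control-plane app, issued by the customer's tenant, for this delegate's
    audience, inside its validity window, may invoke the delegate."""
    now = int(time.time()) if now is None else now
    if claims.get("tid") != tenant_id:
        return False, "token from a different tenant"
    if claims.get("iss") not in {i.format(tid=tenant_id) for i in ISSUERS}:
        return False, "unexpected issuer"
    if claims.get("aud") != delegate_audience:
        return False, "token was not issued for this delegate"
    if claims.get("azp", claims.get("appid")) != control_plane_app_id:  # azp in v2.0, appid in v1.0
        return False, "caller is not the Arpio control plane"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token outside its validity window"
    return True, "ok"
```

The assertion is redeemed by POSTing it to the tenant's token endpoint as `client_assertion` with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer` and `grant_type=client_credentials`; the resulting access token is what the delegate receives and checks.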
Arpio Entra Application
As a SaaS provider in the Azure ecosystem, the first step in establishing Arpio's access to your environments is to provide consent for the Arpio Entra Application to read users from your Microsoft Entra Tenant/Directory. This establishes a Service Principal for Arpio within your Entra Tenant and (optionally) allows for single sign-on into the Arpio console, but doesn't grant any access to your Azure subscriptions and resources. This "consent" simply means that you acknowledge Arpio as a trusted party and allows Arpio to use that relationship to talk to the delegates you will be deploying in your environments.
Arpio Connection Process
The Arpio Connection Process creates roles, role assignments, and delegates within your Azure subscriptions to allow Arpio to securely interact with the resources within each subscription. You initiate the creation of these delegates from within the Arpio console when a new application is created, where two stack deployment commands are provided: one for the Recovery subscription and one for the Primary subscription.
These CLI commands can be executed either from a local command line or from the Azure Cloud Shell. The person executing these commands should have permissions to create resources within the target subscriptions and regions, as well as to create roles and role assignments. Subscription Owner, or a combination of Contributor and Access Administrator, should be sufficient for most organizations. The recovery template must be deployed before the primary template.
The primary ARM template creates the following resources:
- ArpioPrimaryAccess (Role and Assignment)
- ArpioPrimaryDelegateAccess (Role and Assignment)
- ArpioRecoveryToPrimaryDelegateAccess (Role and Assignment)
- ArpioPrimaryAccess-{arpioAccountId}-{location} (Resource Group)
- ArpioPrimaryDelegate (User-assigned Identity)
- arpio-primary-env (Container App Environment)
- arpio-primary-delegate (Container App Function)
- arpio-primary-delegate-job (Container App Job)
- ArpioPrimaryLogs (Insights Workspace)
- ArpioPrimaryData-{arpioAccountId}-{location} (Resource Group)
The recovery ARM template creates the following resources:
- ArpioRecoveryAccess (Role and Assignment)
- ArpioRecoveryDelegateAccess (Role and Assignment)
- ArpioRecoveryAccess-{arpioAccountId}-{location} (Resource Group)
- ArpioRecoveryDelegate (User-Assigned Identity)
- arpio-recovery-env (Container App Environment)
- arpio-recovery-delegate (Container App Function)
- arpio-recovery-delegate-job (Container App Job)
- Arpio-rec-{unique string} (Key Vault)
- ArpioRecoveryLogs (Insights Workspace)
- ArpioRecoveryData-{arpioAccountId}-{location} (Resource Group)
Arpio Private Delegates
Many Azure resources (such as Key Vaults) can be configured to only be accessible via virtual networks. To access these resources without creating additional attack vectors, Arpio uses Private Delegates.
These private delegates are deployed by Arpio (via the main delegates) during backup and restore operations. They are Flex Consumption Apps in their own private networks that are then peered to the VNets in customer environments. This allows the private delegates to gain network access to the same resources that are reachable by the customer VNets.
Private Delegates follow the same security model as the default delegates, where they can only be invoked by the Arpio Control Plane, and use the same user-assigned identities that are granted to the main delegates.
Custom Roles
ArpioPrimaryAccess
This role is granted directly to the Arpio application (control plane) to allow Arpio to list all resources that exist within the primary subscription.
ArpioRecoveryAccess
This role is granted directly to the Arpio application (control plane) to allow Arpio to list all resources that exist within the recovery subscription.
ArpioPrimaryDelegateAccess
This role is granted to the Arpio Primary Delegate(s) to allow resource metadata and content to be securely read from the primary environment. Limited write access is also granted to allow the delegate to create new restore points and snapshots, which are then copied to the recovery environment during the backup process.
ArpioRecoveryToPrimaryDelegateAccess
This role is granted to the Arpio Recovery Delegate to allow restore points and snapshots to be securely copied from the primary environment to the recovery environment.
ArpioRecoveryDelegateAccess
A highly privileged role that is granted to the Arpio Recovery Delegate to allow full management of resources and data within the recovery environment.
Custom Role Assignments
| Principal | Primary Subscription Scope | Recovery Subscription Scope |
|---|---|---|
| Arpio Control Plane | ArpioPrimaryAccess | ArpioRecoveryAccess |
| Arpio Primary Delegate | ArpioPrimaryDelegateAccess | |
| Arpio Recovery Delegate | ArpioRecoveryToPrimaryDelegateAccess | ArpioRecoveryDelegateAccess |