Skip to content
English
Customer ticket portal
  • There are no suggestions because the search field is empty.

Azure Pre-flight Checklist

his checklist prepares teams for setting up a new Arpio application on Azure, particularly for Proof of Concept (POC) engagements—a 10-day sprint demonstrating backup and restore capabilities across Azure subscriptions and regions.

1. Choose an Application

  • An application is a set of Azure resources that work together in a single Azure subscription and region.
  • An application may work together with other applications in other Azure subscriptions and regions as part of an end-to-end workload.
  • Arpio will let you configure all the applications you need, but for a given POC we recommend focusing on just one.
  • A POC is a time-boxed exercise. There we recommend choosing a workload running in a non-production environment (staging/test). Onboarding to Arpio may require changes to permissions and resources which can usually be done more quickly/easily in a non-production environment.
  • Select an application name that is easily recognizable within your organization.

2. Source Azure Subscription and Region

  • Note the Azure subscription name/ID, and region where your source workload resides.
  • If you are using a non-production workload for a POC, these details should pertain to that environment.

3. Recovery Azure Subscription and Region

  • Determine Azure subscription and region for recovery of the application.
  • If you choose cross-subscription recovery, then it is recommended that the recovery subscription not be running any other production workloads.
  • Verify the target Azure region is available for your subscription.
  • Confirm required resource types and quantity/quota are available in the recovery region

4. Deployment Stacks for Source and Recovery locations

  • The trust between Arpio and your environment is established by consenting to add the Arpio Application to your AAD/Entra tenant. Depending on your organizations security policies, you may see a message to this effect when linking your IDP to Arpio or this may need to be done manually by someone with appropriate permission.
  • Arpio generates CLI commands that leverage an environment specific ARM templates for source and recovery locations to create deployment stacks necessary for Arpio to operate. These deployment stacks are used to give Arpio limited access to your Azure subscriptions, so that it can protect and recover your Azure workloads.
  • The person that will execute these commands should have the "Owner" role for the source and recovery subscriptions, or appropriate permission to create managed identities and assign the roles needed to read and create Azure resources that are supported by Arpio. More can be found in Appendix A.
  • If you require InfoSec approval or Change Management approval before installing these templates, please ensure you identify the processes to get these approvals. Please schedule time before your POC to work with Arpio to generate the stack deployment templates, so you have time to get approvals.

5. Azure Credentials for Examination

  • Ensure you have AAD/Entra credentials that you can use to access the Azure Portal's command shell and run Azure CLI commands for the source and recovery/destination subscriptions.
  • Ensure you have connectivity to the source and recovery subscriptions to help verify resources are being created/recovered appropriately and identify what adjustments may be necessary to ensure proper recovery.
  • Subscription "Owner" permission is well suited for this, but more granular permissions can be used if desired.

6. Identify Key Resources

  • You will identify the key resources used by your application. Based on this Arpio will not only backup those key resources but will also attempt to identify underlying dependencies and backup other necessary resources for your application.
  • Optional: If you have a tagging strategy to identify the resources that comprise your application, then please note the tag name and value.

7. Personnel Assignments

  • POC Engineer: Please designate a Cloud Operations Engineer (or similar role) as the primary point of contact for the Arpio POC or onboarding. This person should be familiar with your Azure environment and RBAC permissions as outlined above.
  • Application Support: Ensure that the relevant application team is aware of the POC and has committed to provide support as needed for any application specific issues that may arise.
  • Security Support: Since adjustments to permission/role assignments are often required, please confirm that someone from your security team will be available to assign them as needed.

Optional Worksheet

Field Description
Application Name An internally recognizable name that describes the workload that you’ll be testing for the POC.
Primary Subscription ID In which Azure subscription do you currently operate this application?
Primary Region Which Azure regions hosts the workload resources?
Recovery Subscription ID Where do you want to recover this application? This should be distinct from the primary subscription for ransomware resiliency.
Recovery Region This should be distinct from the primary region for regional resiliency.
Azure Deployment permissions Did you obtain all necessary approvals to install the templates?

If you are meeting with Arpio staff to run a POC, will someone with access to the necessary credentials to install the templates be at the meeting?
Azure Verification/Troubleshooting permissions If you are meeting with Arpio staff to run a POC, will someone with access to these credentials be at the meeting?
Identify the key resources for your workload What are the featured compute and storage resources in this application that you will protect and recover with Arpio. You do not need to list every resource - once you select the key ones, Arpio will attempt to identify other dependencies.

Refer to the list of supported Arpio resource types for Azure.
List any relevant resource tags and values Arpio can automatically select resources for replication by matching against tag rules in your app settings. This is optional.
Personnel Names and contact information for the POC Engineer, Application support/verification, and Security/InfoSec support

Resource-Specific Checklists

Azure SQL Database and SQL Virtual Machine

  • Store the SQL administrator password in an Azure Key Vault secret
  • Add the arpio-config:admin-password-secret tag to the primary SQL Server resource with the Key Vault secret URL as the value (format: https://<keyvault-name>.vault.azure.net/secrets/<secret-name>)
  • The Arpio primary delegate must have list and get permissions on the Key Vault secret if the vault uses Access Policies (RBAC-enabled vaults are handled automatically)
  • See admin-password-secret for full details

Azure Virtual Machines

  • Use User Data (not Custom Data) for environment-specific settings that Arpio needs to translate; Azure does not expose Custom Data through its control plane, so Arpio cannot translate references within it

Virtual Machine Scale Sets

  • Confirm Marketplace images referenced by the scale set are available in the recovery region
  • Store the scale set administrator password in an Azure Key Vault secret
  • Add the arpio-config:admin-password-secret tag to the scale set resource with the Key Vault secret URL as the value
  • Scale sets without Linux SSH configuration require this tag to recover successfully
  • See admin-password-secret for full details

Azure Key Vault

Legacy Access Policy-based Vaults: After installation of the templates, explicity grant the following permissions to the Arpio managed identity in the primary location.

  • Keys: listget
  • Secrets: listget
  • Certificates: listget
  • RBAC-enabled vaults are configured automatically during ARM template deployment

Non-Exportable Certificates:

  • Manually create a matching certificate in the recovery Key Vault prior to recovery
  • Arpio will "adopt" the recovery certificate and update references during failover

Appendix A: Arpio delegate resources and setup permissions

The Arpio ARM templates you run will create or update the following resource types:

  • Resource Groups
  • Container App
  • Container Apps Environment
  • Storage Account
  • Managed Identity
  • Application Insights & Action Group
  • Log Analytics workspace
  • Key vault (recovery only)
  • Container App Job (recovery only)
  • other resources as needed (such as Storage Accounts) to store recovery artifacts

Required Azure AD Permission:

The account deploying the ARM templates must have permission to create app registrations and assign roles in the target subscriptions. This typically requires the User Access Administrator role in addition to Contributor, or the Owner role.