Network Security Groups (NSGs) are widely used to secure resources inside a VNet from various security-related threats by blocking outbound internet connectivity. However, backing up SQL servers in VMs to Azure requires connectivity from within the guest to the Azure Backup service, Azure Storage and Azure Active Directory. To enable backups, customers need to whitelist the required Azure IP addresses, and that list then has to be managed.
The NSG service tag for Azure Backup, now available, aims to ease the process of running backups in an environment locked down using NSGs. With it, you can simply use the ‘AzureBackup’ tag to allow outbound access to Azure Backup for the workload (SQL Server) agent running inside the VM, instead of managing a whitelist of the required IPs. Apart from backup of SQL in VMs, the Azure Backup service tag can also be used when backing up locked-down VMs using the MARS agent.
The Azure Backup service tag is available for public and national clouds, and rules using this tag can currently be created through PowerShell and CLI. Running backups also requires outbound access to Azure Storage and Azure Active Directory, so rules containing the tags for those services need to be added alongside the rule for Azure Backup. For more details on network connectivity for backing up SQL in Azure VMs, refer here.
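
The three outbound rules described above, sketched with the Azure CLI as an added example (not code from the original post). The rule names, the `VirtualNetwork` source, TCP port 443 and the dry-run wrapper are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: outbound NSG allow rules for backups from a locked-down VNet.
# Assumptions: HTTPS (443) egress, VirtualNetwork as source, constructed rule names.

# Service tags the workload needs outbound access to: Azure Backup itself,
# plus Azure Storage and Azure Active Directory.
BACKUP_TAGS="AzureBackup Storage AzureActiveDirectory"

# Print the command when DRY_RUN=1 (the default); execute it when DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# allow_backup_egress <resource-group> <nsg-name> <first-priority>
# Creates one Allow rule per tag at consecutive priorities. Pick a starting
# priority lower than that of any rule denying outbound Internet, because
# NSG rules are evaluated in ascending priority order.
allow_backup_egress() {
  rg=$1 nsg=$2 prio=$3
  # Custom NSG rule priorities must fall in 100..4096; three are needed.
  if [ "$prio" -lt 100 ] || [ $((prio + 2)) -gt 4096 ]; then
    echo "first priority must leave room for 3 rules within 100-4096" >&2
    return 1
  fi
  for tag in $BACKUP_TAGS; do
    run az network nsg rule create \
      --resource-group "$rg" --nsg-name "$nsg" \
      --name "Allow-$tag-Outbound" --priority "$prio" \
      --direction Outbound --access Allow --protocol Tcp \
      --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
      --destination-address-prefixes "$tag" \
      --destination-port-ranges 443 || return 1
    prio=$((prio + 1))
  done
}

# Usage (placeholder names): review the plan first, then apply it.
#   allow_backup_egress my-rg my-nsg 100
#   DRY_RUN=0 allow_backup_egress my-rg my-nsg 100
```

Run it with the default dry-run first to review the three commands, then check the resulting rules with `az network nsg rule list` against the NSG's existing deny rules.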