AIR Gap For Backup protection

What Does Air Gapping Mean?


The answer is pretty simple. An air-gapped backup, as part of your backup and recovery strategy, is a copy of your organization’s data that’s offline and inaccessible. Without an internet or other network connection, it’s impossible for your backup device to be remotely hacked or corrupted. That leaves only a direct physical attack as a means to getting to your data. Traditionally, air gapping has been referred to in the context of tape backups, but today’s options for backing up to the cloud offer a virtual equivalent of air-gapped tape. But, while the cloud’s object-based storage defenses are incredibly powerful, a physically air gapped backup is your absolutely final line of defense.

Updating the 3-2-1 Rule

This ties back to our recent post about StorageCraft’s take on the traditional 3-2-1 rule. There we discuss how you should store one copy of your backups in a secure, offsite location. If that offsite copy is disconnected, it’s protected from malicious software, direct cyberattacks, and other threats. It also protects your backups even if ransomware compromises admin passwords or other data. If everything else fails, your air-gapped backups should be capable of restoring your entire network system.

Air Gapping Challenges

Although air gapping is your ultimate defense against disaster, it can also be costly in terms of labor. When your backup device is completely disconnected from your network, the only way to access it is with direct physical contact. That limits your ability to automate backups, and, while there are automated solutions available, any device that is connected to a network could become compromised. That means going to the device and physically transferring data is your best bet.


Ultimately, whether you choose to include air-gapped backups in your strategy depends on your unique situation. What matters most is that you have a solid backup and recovery plan in place and that you keep it up to date. StorageCraft offers solutions for organizations of every size that simplify backup and recovery and ensure your data is always protected.

What is Azure Key Vault and how to configure it with the dotnet core application

What is Azure Key Vault?

Azure Key Vault is a cloud-based service offered by Microsoft Azure that provides secure storage for keys, secrets, and certificates. It allows users to create and manage cryptographic keys and secrets used by cloud applications and services. Azure Key Vault enables users to store sensitive information such as passwords, connection strings, API keys, and certificates in a secure manner.

Azure Key Vault uses hardware security modules (HSMs) to provide enhanced security for cryptographic keys and secrets. HSMs are physical devices that are designed to securely store and manage cryptographic keys. Azure Key Vault also supports multi-factor authentication and access control policies to ensure that only authorized users and applications can access sensitive information stored in the Key Vault.

Azure Key Vault can be used to store a wide range of keys and secrets, including SSL/TLS certificates, cryptographic keys, passwords, and API keys. It can be accessed through a REST API or using SDKs for various programming languages. Azure Key Vault can also be integrated with other Azure services such as Azure Active Directory, Azure Functions, and Azure DevOps.

Configure Azure Key Vault with .Net Core 6 Application:

Step 1: Create an Azure Key Vault

First, you need to create an Azure Key Vault in your Azure subscription. Here are the steps:

  1. Log in to the Azure Portal and go to the Azure Key Vault page.
  2. Click the “+ Add” button to create a new Key Vault.
  3. Fill in the required information, such as the name, subscription, resource group, and region.
  4. Set the access policies for your Key Vault. This is where you define who has access to your Key Vault and what they can do with it. For example, you might want to allow a specific Azure AD user or group to access your Key Vault.

Step 2: Create a .NET Core 6 application

Next, you need to create a .NET Core 6 application. Here are the steps:

  1. Open Visual Studio 2022 or higher and create a new .NET Core 6 Console Application project.
  2. Install the Azure.Extensions.AspNetCore.Configuration.Secrets package by running the following command in the Package Manager Console:

Install-Package Azure.Extensions.AspNetCore.Configuration.Secrets
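  3. Modify the Program.cs file to load configuration settings from the Azure Key Vault:

using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

// Build configuration from local sources first; later sources override earlier ones.
var builder = new ConfigurationBuilder()
    .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
    .AddUserSecrets<Program>()
    .AddEnvironmentVariables();

// Add Key Vault secrets. The vault URI has the form https://<name>.vault.azure.net/.
// DefaultAzureCredential tries environment, managed identity and developer credentials in turn.
builder.AddAzureKeyVault(
    new Uri("https://<your-key-vault-name>.vault.azure.net/"),
    new DefaultAzureCredential());

var configuration = builder.Build();

// Use configuration values here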

Note: Replace <your-key-vault-name> with the name of your Azure Key Vault.

Step 3: Grant access to the application

Finally, you need to grant the .NET Core 6 application access to the Azure Key Vault. Here are the steps:

  1. Go to the Access policies page of your Azure Key Vault.
  2. Click the “+ Add Access Policy” button to add a new access policy.
  3. Select the principal type. This is the identity that you want to grant access to.
  4. Select the permissions that you want to grant. For example, you might want to grant “Get” and “List” permissions to allow the application to read secrets from the Key Vault.
  5. Click the “Add” button to add the access policy.

That’s it! Your .NET Core 6 application should now be able to read configuration settings from the Azure Key Vault.

Azure Key Vault Troubleshooting:

There could be a few different reasons why your Azure Key Vault connection is randomly failing:

  1. Ensure that the Azure Key Vault access policies are correctly configured to allow access from your application. Make sure that the application’s identity (e.g. managed identity or service principal) is included in the access policies with the appropriate permissions.
  2. Check your application’s code to ensure that it is handling authentication and authorization correctly. Make sure that it is using the appropriate credentials to authenticate with Azure AD and obtain a token to access the Key Vault.
  3. Check your network connection to ensure that there are no intermittent issues that could be causing the connection to fail. For example, if you are using a VPN or a firewall, make sure that the appropriate ports are open and that there are no network connectivity issues.
  4. Check the Azure Key Vault logs to see if there are any errors or warnings that could provide more information about the issue. You can use the Azure Portal or the Azure CLI to view the logs.
  5. If the issue persists, consider contacting Microsoft support for further assistance. They can help you troubleshoot the issue and identify the root cause.

special thanks to my Friend


VMware vSphere health check Guidance

ESXi server hardware information:

  • Server Model
  • Serial Number
  • CPU
  • RAM
  • Local hard drive
  • Number of HDDs
  • Type of HDD
  • BIOS
  • Number of host
  • Application health Check
    • vCenter Build/Release
    • License summary
    • Active Sessions
    • ESX/ESXi Build/Release
    • Cluster(s) Name/Statistics (Hosts, CPU and MEM availability, HA, DRS and DPM enabled, Resource Pools, Health)
    • ESX/ESXi Hardware configuration (NICs/HBAs)
    • ESX/ESXi Hardware Health Sensor via CIM
    • ESX/ESXi State
    • ESX/ESXi Configurations (for detailed information, use detail-hosts option)
    • ESX/ESXi Multipathing Info (only available in host or detail-hosts option)
    • ESX/ESXi Datastore summary
    • ESX/ESXi LUN summary
    • ESX/ESXi Port group summary
    • ESX/ESXi Host logs
    • CDP Summary
    • Recent Task
    • Virtual Machine summary
    • VM Storage summary
    • VM Network summary
    • VM w/Snapshots
    • VM w/Snapshot delta age
    • VM w/RDMs
    • VM w/NPIV enabled
    • VM w/connected CD-ROMs
    • VM w/connected Floppies
    • Protection health check
    • Backup virtual machine list
    • Last backup date
    • Pending snapshots for VMs (right-click the VMs and check the snapshots)

What is ExaGrid and How it protects from Ransomware

ExaGrid is a new-generation storage device built and designed for backup. ExaGrid isn’t locked in to one specific backup vendor, and it is supported by most backup software.

We are all well aware of the data tiering concept, mainly for hot and cold data. ExaGrid is tiered backup storage, but with more advanced logic that addresses major challenges and provides robust protection against ransomware attacks.

Ransomware stories are very common these days, and many organizations have faced tough times and lost critical and important data. Ransomware is really scary.

The most terrifying thing is that hackers manage to delete data from both the primary storage and the backup storage, leaving the organization with no option to get the data back.

Let us understand how the protection works

ExaGrid’s unique approach is called Retention Time-Lock (RTL). It prevents threat actors/hackers from deleting the backups and allows for retention points to be purged.

ExaGrid is Tiered Backup Storage with a front-end disk-cache Landing Zone and a separate Repository Tier containing all retention data. Data is written directly to the “network-facing” ExaGrid disk-cache Landing Zone. Then it is tiered into a “non-network-facing” long-term retention repository, where it is stored as deduplicated data objects to reduce the storage cost of long-term retention data. As data is tiered to the Repository Tier, it is deduplicated and stored in a series of objects and metadata. As with other object storage systems, the ExaGrid objects and metadata never change, allowing only for the creation of new objects or the deletion of old objects when retention is reached.


  • Any deletion requests are delayed by the number of days in the protection policy
  • Encrypted data written to ExaGrid does not delete or change previous backups in the repository
  • Landing Zone data that is encrypted does not delete or change previous backups in the repository
  • Set delayed deletion in 1-day increments from 0 days to 30 days
  • Protects against loss of any and all retained backups including monthlies and yearlies
  • Two-Factor Authentication (2FA) protects changes to the Time-Lock setting
  • Separate password for primary site versus second site ExaGrid
  • Separate backup staff and security staff roles and passwords
  • Alarm on Delete
  • The alarm on data deduplication ratio change
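
A conceptual model of the delayed-delete behaviour listed above, added here as an example and not ExaGrid's code. The class, its method names, the backup names and the 7-day policy are assumptions chosen for illustration.

```python
# Added conceptual model, not ExaGrid code: names and numbers are assumptions.

class TimeLockedRepository:
    """Repository tier where deletes are delayed by a policy of 0 to 30 days."""

    def __init__(self, lock_days):
        if not 0 <= lock_days <= 30:
            raise ValueError("delay is set in 1-day steps from 0 to 30 days")
        self.lock_days = lock_days
        self.objects = {}   # backup id -> day it was written (never modified)
        self.pending = {}   # backup id -> day the delete takes effect
        self.alarms = []    # (day, event, backup id) records for operators

    def write(self, backup_id, day):
        # New data only adds objects; earlier retention points are untouched.
        if backup_id in self.objects:
            raise ValueError("objects are immutable once written")
        self.objects[backup_id] = day

    def request_delete(self, backup_id, day):
        # A delete is only queued, and it raises the "alarm on delete".
        if backup_id not in self.objects:
            raise KeyError(backup_id)
        self.pending[backup_id] = day + self.lock_days
        self.alarms.append((day, "delete requested", backup_id))

    def purge(self, day):
        # Housekeeping removes only objects whose delay has fully elapsed.
        due = [b for b, when in self.pending.items() if when <= day]
        for b in due:
            del self.objects[b], self.pending[b]
        return sorted(due)

    def restorable(self):
        return sorted(self.objects)


def simulate_attack(lock_days=7):
    """Constructed scenario: encrypted backup lands, then history is deleted."""
    repo = TimeLockedRepository(lock_days)
    for day, name in [(1, "weekly-1"), (8, "weekly-2"), (15, "weekly-3")]:
        repo.write(name, day)
    repo.write("weekly-4-encrypted", 22)     # encrypted data arrives as a new object
    for name in ["weekly-1", "weekly-2", "weekly-3"]:
        repo.request_delete(name, 22)        # delete requests are only queued
    purged_early = repo.purge(25)            # day 25 < 22 + 7: nothing is due yet
    return purged_early, repo.restorable(), len(repo.alarms)
```

The interval between the alarm and the purge date is the window in which staff can notice the delete requests while every earlier retention point is still restorable.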

Supported Backup software

Thanks for visiting

Change Nutanix AHV NIC From access Mode to Trunked Mode

Trunked Mode allows multiple VLANs on a single NIC for VMs that are VLAN aware.

By default, NIC cards are in access mode.

The mode can’t be changed from the UI (Prism); the solution is to update it from acli on the CVM.

You can also convert an existing NIC card to Trunked Mode; however, based on my experience, the best and easiest way is to add a new card.


  1. SSH to the CVM
  2. acli
  3. <acropolis> vm.get VMNAME
  4. Copy the information into Notepad
  5. nutanix@CVM~$ acli vm.nic_create <vm name> network=<network name> trunked_networks=<comma separated list of allowed VLAN IDs> vlan_mode=kTrunked


vm.nic_create VT-LAB-1 network=NETWORK0 trunked_networks=2021,2022 vlan_mode=kTrunked

WHY Trunked is Required

The above setting is required when the virtual machine needs to create multiple networks on a single interface. In my case it’s WAF devices that are configured for multiple VLANs; each VLAN is associated with a different kind of application.

If you want to add more VLANs, run the command below:

vm.nic_update TT-WAF-01 00:68:8d:04:bf:4d network=NETWORK2108 trunked_networks=2120,2022,2059,2089 vlan_mode=kTrunked update_vlan_trunk_info=true



What is Nutanix Cloud Infrastructure (NCI), Nutanix Cloud Manager (NCM) & Nutanix Cloud Platform (NCP) Bundles License

Nutanix Cloud Infrastructure (NCI) is a complete software stack to unify your hybrid cloud infrastructure including compute, storage and network, hypervisors, and containers, in public or enterprise clouds; all with built-in resilience, self-healing, disaster recovery capabilities, and security. It includes enterprise data services and consolidated storage, data protection and disaster recovery, native virtualization and container management, networking, and security.

How it looks like in BOQ

NCI Software Editions

Nutanix Cloud Manager (NCM) offers our customers simplicity and ease of use to build and grow their cloud deployments faster and realize rapid ROI, by providing intelligent operations, self service and orchestration, visibility and governance of spend, security and teams, all through a unified Multi-cloud management solution.

NCM licenses can be purchased and applied on the number of physical CPU cores capacity in your deployment. Licenses are portable across hardware platforms and are available in 1 through 5-year term options.

By default, NCM provides coverage for all Nutanix and on-prem VMware environments, metered per core. For supporting public cloud environments using the same NCM deployment, customers should purchase appropriate NCM Cloud SKUs as add-ons. Three public cloud-focused add-ons are available as SKUs: NCM Self-Service add-on for Public Cloud SKU, NCM Cost Governance SaaS SKU, and NCM Security Central SaaS SKU. These add-ons are metered by the number of Virtual Machines (VM) managed in the public cloud. Note: For on-prem environments, Cost Governance is available for AHV and ESXi on AOS, and Security Central is known for AHV.

NCM is also available as a fully managed Software as a Service option. Customers can experience multi-cloud self-service, app automation, governance, and security compliance capabilities without needing to run any on-prem Nutanix software. The NCM SaaS offering is available to purchase as à la carte SaaS licenses for these four NCM SaaS modules:

  • NCM SaaS – Operations (in development) 
  • NCM SaaS – Self-Service
  • NCM SaaS – Cost Governance
  • NCM SaaS – Security Central

NCM SaaS licenses are metered by the number of Virtual Machines (VM) managed in the public cloud.

Nutanix Cloud Infrastructure (NCI) and Nutanix Cloud Manager (NCM) can be purchased together in 3 ‘better together’ Nutanix Cloud Platform (NCP) bundles:

Thanks for visiting my blog

What is ICAP and integration with Nutanix files

ICAP stands for Internet Content Adaptation Protocol, an open standard being adopted to connect devices to enterprise-level virus scan engines. In the same way, Nutanix Files uses it to enable communication with external servers hosting third-party antivirus software, to scan inbound data (files) in transit via Secure Proxy before sending it to the backend destination server.


The ICAP service runs on each Nutanix Files file server and can interact with more than one ICAP server in parallel to support horizontal scale-out of the antivirus server. The scale-out nature of Files and one-click optimization greatly mitigate any antivirus scanning performance overhead. If the scanning affects Nutanix Files FSVM performance, one-click optimization recommends either increasing the virtual CPU resources or scaling out the FSVMs. This feature also helps both the ICAP server and Files scale out, ensuring fast responses from the customer’s antivirus vendor.
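
To make the exchange between a file server and an antivirus ICAP server concrete, here is an added example (not Nutanix code) that builds an RFC 3507 RESPMOD request and interprets the reply. The host name, the `avscan` service path, the file name and the sample replies are assumptions constructed for illustration; the `X-Infection-Found` header comes from the ICAP extensions draft and is not guaranteed to be sent by every vendor.

```python
# Added example (not Nutanix code). Host, service path and replies are constructed.

def build_respmod(host, service, filename, data, port=1344):
    """Return the raw ICAP RESPMOD request that submits `data` for scanning."""
    # Encapsulated HTTP request/response headers describe the file in transit.
    req_hdr = f"GET /{filename} HTTP/1.1\r\nHost: fileserver\r\n\r\n".encode()
    res_hdr = f"HTTP/1.1 200 OK\r\nContent-Length: {len(data)}\r\n\r\n".encode()
    # The file travels as one HTTP chunk followed by the terminating zero chunk.
    body = f"{len(data):x}\r\n".encode() + data + b"\r\n0\r\n\r\n"
    # Encapsulated gives the byte offset of each part inside the ICAP body.
    offsets = (f"req-hdr=0, res-hdr={len(req_hdr)}, "
               f"res-body={len(req_hdr) + len(res_hdr)}")
    icap_hdr = (f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                "Allow: 204\r\n"  # lets the server answer 204 when nothing changed
                f"Encapsulated: {offsets}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + body


def parse_icap_reply(raw):
    """Return (verdict, status, headers) for a raw ICAP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    status = int(parts[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    if status == 204:
        verdict = "clean"      # server saw no need to modify the content
    elif status == 200 and "x-infection-found" in headers:
        verdict = "infected"   # header from the ICAP extensions draft
    elif status == 200:
        verdict = "modified"   # content was rewritten; inspect before delivering
    else:
        verdict = "error"      # scan did not complete: never treat as clean
    return verdict, status, headers


# Constructed sample replies, not captured from a real antivirus server.
CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "constructed-1"\r\n\r\n'
INFECTED_REPLY = (b'ICAP/1.0 200 OK\r\nISTag: "constructed-1"\r\n'
                  b"X-Infection-Found: Type=0; Resolution=2; Threat=Constructed-Test;\r\n"
                  b"Encapsulated: res-hdr=0, null-body=26\r\n\r\n"
                  b"HTTP/1.1 403 Forbidden\r\n\r\n")

if __name__ == "__main__":
    msg = build_respmod("av.example.internal", "avscan", "report.docx", b"hello")
    print(msg.decode("iso-8859-1"))
    print(parse_icap_reply(INFECTED_REPLY)[0])
```

Treating any status other than 204 or 200 as an error rather than as clean keeps a failed or unreachable scanner from silently passing files through.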

WHY Nutanix Files integration with an AV server is important

Ransomware is a persistent concern that requires multiple security controls and software layers to mitigate. Integration is important to protect users from malware and viruses.

WHICH third-party vendors are supported with Nutanix Files

  1. Trend Micro
  2. McAfee
  3. BitDefender
  4. Symantec
  5. SentinelOne

HOW to configure integration

  1. In the Files Console, go to Configuration > Antivirus.
  2. Connect the ICAP server.
    1. Click + Connect ICAP Server. A new row appears for the new ICAP server details.
    2. Enter the following information in the corresponding fields:
      • IP address or hostname
      • Port (the default port number is 1344)
      • Description
    3. To save the configuration, click the check mark icon. For a detected antivirus server, the software tests the validity of the configured server and updates the status to OK.
    4. Ensure the connection status automatically updates to OK.
    5. Click Next.
    6. ( for more details