# Rubrik Integration with PCD ## Overview Rubrik Cloud Data Management (CDM) is a backup appliance that provides agentless backup, recovery, and disaster recovery for virtual machines running in space.vars.product\_name ( space.vars.product\_acronym). This guide explains how to connect Rubrik to your space.vars.product\_acronym environment so it can automatically discover and protect your VMs. ### Prerequisites Before you begin, ensure you meet the following criteria. **Rubrik CDM:** * Access to your Rubrik CDM portal at `https://.my.rubrik.com` * Rubrik CDM appliance deployed and accessible from your space.vars.product\_acronym environment. * Administrator privileges in the Rubrik portal. space.vars.product\_acronym **environment:** * space.vars.product\_acronym version **2025.10-112** or later. * Administrator access to create users and assign roles. * Access to run `pcdctl` commands. **Network requirements:** * Rubrik appliance can reach the endpoint (HTTPS/443). * Rubrik appliance can reach proxy VMs on TCP ports 12800 and 12801. * Proxy VMs and the Rubrik appliance are on the same network, or routing is configured between them. **For disaster recovery replication (optional):** * Second Rubrik CDM appliance * Network connectivity between both Rubrik appliances. * Rubrik **9.4.1-p1-30807** or later ## Configure space.vars.product\_acronym user for Rubrik Rubrik requires a dedicated space.vars.product\_acronym user with system-scoped admin privileges. System-scoped privileges enable Rubrik to discover and manage VMs across all tenants and domains, without being restricted to a single project. #### Create the Rubrik user 1. Create a dedicated user for Rubrik in space.vars.product\_acronym: ```bash # Example user: rubrik-system-user@acme.com # Replace with your actual domain ``` 2. Assign system-scoped admin privileges to the user: ```bash pcdctl role add --user 'rubrik-system-user@acme.com' --user-domain default --system all admin ``` 3. Verify the role assignment: ```bash pcdctl role assignment list --user 'rubrik-system-user@acme.com' ``` Confirm the output includes: * The user exists in the list * An assignment row where the **System** column shows `all` Example output: ``` +-------------+---------------------------+-------+---------+--------+--------+-----------+ | Role | User | Group | Project | Domain | System | Inherited | +-------------+---------------------------+-------+---------+--------+--------+-----------+ | 0a39274e... | b38b3de8cd904395... | | 857... | | | False | | 0a39274e... | b38b3de8cd904395... | | | | all | False | +-------------+---------------------------+-------+---------+--------+--------+-----------+ ``` #### Test the connection Before configuring Rubrik, verify that the user can authenticate with the system scope: 1. Set environment variables for the Rubrik user: ```bash export OS_USERNAME=rubrik-system-user@acme.com export OS_PASSWORD= export OS_AUTH_URL=https:///keystone/v3 export OS_IDENTITY_API_VERSION=3 export OS_USER_DOMAIN_NAME=Default export OS_SYSTEM_SCOPE=system ``` 2. Test authentication: ```bash openstack token issue ``` If successful, you will see token details. If this fails, verify the user credentials and role assignment before proceeding. ## Connect Rubrik CDM to space.vars.product\_acronym After configuring the space.vars.product\_acronym user, add your space.vars.product\_acronym environment as a data source in Rubrik CDM. #### Add Certificates to Rubrik CDM Starting version 9.4.2 of Rubrik CDM, please add the certificate(s) 1. Get the list of endpoints. There are two primary: * `https:///` * `https://

2. Export the certificate(s) for both endpoints.\ Go to the URls (a, b) above and click on the `https` and use certificate export for the root or the self-signed certificates to export those certificates as `.pem` files. 3. Import certificates into the CDM\ On Rubirk CDM portal, navigate to **Settings > Security > Certificate Management** and import the certificates. Ensure you enable **Include in Truststore**

#### Add space.vars.product\_acronym as an OpenStack data source 1. In the Rubrik CDM portal, navigate to **Settings** > **Datasource** > **OpenStack** > **Add OpenStack**.

2. In the configuration wizard, enter the following:\ **IP Address/Fully Qualified Domain Name:** ``` /keystone/v3 ``` {% hint style="info" %} **Important:** Do not include `https://` in this field. Rubrik adds the protocol automatically. {% endhint %} Example: `pcd-region1.example.com/keystone/v3` 3. For the **Image (Glance)** endpoint type, select **Admin endpoint**.

The admin endpoint allows Rubrik to access the full image catalog across all tenants. The public endpoint will not provide sufficient access. 4. Enter the credentials for your Rubrik user: * **Username:** `rubrik-system-user@acme.com` * **Password:** The password you set for this user * **User Domain Name:** `Default` 5. Complete the remaining wizard fields with your environment details. 6. Click **Add** to save the configuration. #### Verify inventory discovery After adding the data source, Rubrik begins discovering your VM inventory. This process takes 5-10 minutes. To verify successful discovery: 1. Navigate to **Data Protection** > **Inventory** > **OpenStack Virtual Machine**.

2. Confirm all expected VMs appear in the list. * VMs are organized by availability zone, which maps to your space.vars.product\_acronym clusters. * You can filter by **Domains or Projects** in the inventory view.

3. If VMs do not appear after 10 minutes, verify the following: * Network connectivity from the Rubrik appliance to the space.vars.product\_acronym keystone endpoint. * User credentials and system-scoped privileges. * Rubrik appliance logs for connection errors. ### Network configuration Rubrik creates a proxy VM in each tenant during backup or restore operations. The Rubrik appliance communicates with these proxy VMs to transfer data. #### Proxy VM deployment When you run your first backup or restore in a tenant, Rubrik automatically: 1. Uploads a proxy image to the tenant's Glance catalog. 2. Creates a proxy VM instance in the tenant. 3. Configures the proxy VM for data transfer operations. The proxy VM remains running throughout backup/restore operations, and you will find new Rubrik Proxy VMs in your tenant, as shown here.

#### Network requirements For successful backup and restore operations: * **Network placement:** Rubrik appliance and proxy VMs must be on the same network. * **Port access:** The Rubrik appliance must reach proxy VMs on TCP ports 12800 and 12801. * **Routing:** Ensure no firewalls or security groups block traffic between the appliance and proxy VMs. #### Troubleshooting After Rubrik creates a proxy VM in your tenant, verify connectivity: 1. Identify the proxy VM in your tenant (typically named `rubrik-proxy-`). 2. Note the proxy VM's IP address. 3. From the Rubrik appliance, test connectivity on required ports: ```bash nc -zv 12800 nc -zv 12801 ``` Both ports should show as open/connected. If either test fails, check: * Security group rules on the proxy VM. * Network routing between the Rubrik appliance and the space.vars.product\_acronym tenant network. * Firewall rules in your environment. #### Constraints * Rubrik backup only works for VMs and volumes that are not ephemeral * The Rubrik system relies on VM snapshots, and this depends on the snapshot quota of the tenant under which the VM lives. If you have a large number of VMs that need backup concurrently, increase the snapshot quota.