
# Rubrik Integration with PCD

Rubrik Cloud Data Management (CDM) is a backup appliance that provides agentless backup, recovery, and disaster recovery for virtual machines running in Private Cloud Director (PCD).

This guide explains how to connect Rubrik to your PCD environment so it can automatically discover and protect your VMs.

### Prerequisites

Before you begin, ensure you meet the following criteria.

**Rubrik CDM:**

* Access to your Rubrik portal at `https://<your-domain>.my.rubrik.com`
* Rubrik CDM appliance deployed and accessible from your PCD environment.
* Administrator privileges in the Rubrik portal.

**PCD environment:**

* PCD version **2025.10-112 or later.** For PCD **2026.1**, see [Rubrik integration](https://docs.platform9.com/private-cloud-director/2026.1/integrations/rubrik-integration-with-pcd) in 2026.1 documentation.
* Administrator access to create users and assign roles.
* Access to run `pcdctl` commands.

**Network requirements:**

* Rubrik appliance can reach the endpoint (HTTPS/443).
* Rubrik appliance can reach proxy VMs on TCP ports 12800 and 12801.
* Proxy VMs and the Rubrik appliance are on the same network, or routing is configured between them.

**For disaster recovery replication (optional):**

* Second Rubrik CDM appliance.
* Network connectivity between both Rubrik appliances.
* Rubrik **9.4.1-p1-30807** or later.

## Configure PCD user for Rubrik

Rubrik requires a dedicated PCD user with system-scoped admin privileges. System-scoped privileges enable Rubrik to discover and manage VMs across all tenants and domains, without being restricted to a single project.

#### Create the Rubrik user

1. Create a dedicated user for Rubrik in PCD:

   ```shellscript
   # Example user: rubrik-system-user@acme.com
   # Replace with your actual domain
   ```
2. Assign system-scoped admin privileges to the user:

   ```bash
   pcdctl role add --user 'rubrik-system-user@acme.com' --user-domain default --system all admin
   ```
3. Verify the role assignment:

   ```bash
   pcdctl role assignment list --user 'rubrik-system-user@acme.com'
   ```

Confirm the output includes:

* The user exists in the list
* An assignment row where the **System** column shows `all`

Example output:

```
+-------------+---------------------------+-------+---------+--------+--------+-----------+
| Role        | User                      | Group | Project | Domain | System | Inherited |
+-------------+---------------------------+-------+---------+--------+--------+-----------+
| 0a39274e... | b38b3de8cd904395...       |       | 857...  |        |        | False     |
| 0a39274e... | b38b3de8cd904395...       |       |         |        | all    | False     |
+-------------+---------------------------+-------+---------+--------+--------+-----------+
```

4. Grant the user the **Administrator** role in each tenant where you want Rubrik to perform backup and restore operations. Do not grant the user **Read Only** or **Self-Service User** access in other tenants. For tenants Rubrik should not access, leave the user unassigned.
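
The checks from step 3 and step 4 as a script (an added example, not part of the Platform9 documentation): it parses the table printed by `pcdctl role assignment list`, confirms a `System = all` row, and lists project-scoped rows whose role ID differs from the system-scoped one. It assumes the tenant **Administrator** role is the same Keystone role as the `admin` role assigned with `--system all`, as the matching Role IDs in the example output suggest; the function names and sample IDs are constructed.

```bash
# Added example: audit the table printed by `pcdctl role assignment list`.
# Usage: pcdctl role assignment list --user '<user>' | non_admin_projects

# Normalise the table on stdin to "scope<TAB>target<TAB>role-id" lines.
# Column positions come from the header row rather than being hard-coded.
parse_assignments() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*(\+|$)/ { next }                 # border and blank lines
    !hdr {                                   # header row: map names to columns
      for (i = 1; i <= NF; i++) col[trim($i)] = i
      if (!(("Role" in col) && ("Project" in col) && ("System" in col))) exit 2
      hdr = 1; next
    }
    {
      role = trim($(col["Role"])); sys = trim($(col["System"])); prj = trim($(col["Project"]))
      if (sys != "")      print "system\t" sys "\t" role
      else if (prj != "") print "project\t" prj "\t" role
    }'
}

# Exit 0 only if some row has System = all (step 3).
has_system_all() {
  parse_assignments |
    awk -F'\t' '$1 == "system" && $2 == "all" { ok = 1 } END { exit !ok }'
}

# Print "project<TAB>role-id" for project-scoped rows whose role differs from
# the system-scoped row (assumed to carry the admin role ID).
non_admin_projects() {
  parse_assignments | awk -F'\t' '
    $1 == "system" && $2 == "all" { admin = $3 }
    $1 == "project" { prj[++n] = $2; role[n] = $3 }
    END {
      if (admin == "") exit 1                # no system-scoped row to compare with
      for (i = 1; i <= n; i++) if (role[i] != admin) print prj[i] "\t" role[i]
    }'
}

# Constructed sample in the layout shown above; all IDs are placeholders.
SAMPLE_TABLE='+-----------+---------+-------+---------+--------+--------+-----------+
| Role      | User    | Group | Project | Domain | System | Inherited |
+-----------+---------+-------+---------+--------+--------+-----------+
| admin-id  | user-id |       | proj-a  |        |        | False     |
| reader-id | user-id |       | proj-b  |        |        | False     |
| admin-id  | user-id |       |         |        | all    | False     |
+-----------+---------+-------+---------+--------+--------+-----------+'
printf '%s\n' "$SAMPLE_TABLE" | non_admin_projects   # prints: proj-b<TAB>reader-id
```

Any project the script prints should either be raised to **Administrator** or have the assignment removed before Rubrik refreshes its inventory.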

#### Test the connection

Before configuring Rubrik, verify that the user can authenticate with the system scope:

1. Set environment variables for the Rubrik user:

   ```bash
   export OS_USERNAME=rubrik-system-user@acme.com
   export OS_PASSWORD=<your-password>
   export OS_AUTH_URL=https://<DU-FQDN>/keystone/v3
   export OS_IDENTITY_API_VERSION=3
   export OS_USER_DOMAIN_NAME=Default
   export OS_SYSTEM_SCOPE=system
   ```
2. Test authentication:

   ```bash
   openstack token issue
   ```

If successful, you will see token details. If this fails, verify the user credentials and role assignment before proceeding.

## Connect Rubrik CDM to PCD

After configuring the PCD user, add your PCD environment as a data source in Rubrik CDM.

#### Add Certificates to Rubrik CDM

Starting with Rubrik CDM 9.4.2, import the certificates for the endpoints Rubrik uses to connect to PCD.

1. Identify the endpoints whose certificates Rubrik must trust:

   * `https://<DU-FQDN>/`: the region-specific URL users sign in to
   * The Keystone identity endpoint shown in the API endpoint list
   * All Glance (image) endpoints used by your deployment

2. Export the certificate for each endpoint as a `.pem` file. Open each URL in a browser. Select the **HTTPS** lock icon. Export the root or self-signed certificate.
3. In the Rubrik portal, navigate to **Settings > Security > Certificate Management**.
4. Import the certificates into Rubrik CDM. Add each exported certificate and enable **Include in Truststore** for every import.


#### Add PCD as an OpenStack data source

1. In the Rubrik portal, navigate to **Settings** > **Datasource** > **OpenStack** > **Add OpenStack**.


2. On the first screen of the configuration wizard, enter the following:
   * **IP Address/Fully Qualified Domain Name:** `<DU-FQDN>/keystone/v3`

     Do not include `https://` in this field. Rubrik adds the protocol automatically.
     Example: `pcd-region1.example.com/keystone/v3`
   * **Certificate:** Paste the contents of the exported `.pem` certificate file for each Glance endpoint. If your deployment uses multiple Glance endpoints, paste the `.pem` contents one after another in the same field.
   * **Username:** `rubrik-system-user@acme.com`
   * **Password:** The password you set for this user
   * **User Domain Name:** `Default`
3. On the next screen, for the **Image (Glance)** endpoint type, select **Admin endpoint**.


The admin endpoint allows Rubrik to access the full image catalog across all tenants. The public endpoint will not provide sufficient access.

4. Complete the remaining wizard fields with your environment details.
5. Click **Add** to save the configuration.
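
One way to check the combined `.pem` text before pasting it into the **Certificate** field (an added example, not part of the Platform9 or Rubrik documentation): it counts certificate blocks and rejects a bundle where two files were joined without a newline or where a private key was included. The function name and the sample block are constructed for illustration.

```bash
# Added example: check a concatenated PEM bundle before pasting it into the
# Certificate field. Prints the certificate count; exits 1 on a malformed bundle.
# Usage: cat glance-1.pem glance-2.pem | check_pem_bundle
check_pem_bundle() {
  awk '
    function fail(msg) { print "line " NR ": " msg > "/dev/stderr"; bad = 1 }
    { sub(/\r$/, "") }                        # tolerate CRLF exports
    /-----END CERTIFICATE-----.+/ { fail("text after END marker (missing newline between files?)"); next }
    /PRIVATE KEY-----/ { fail("private key material in bundle"); next }
    /^-----BEGIN CERTIFICATE-----$/ { if (inblk) fail("BEGIN inside an open block"); inblk = 1; next }
    /^-----END CERTIFICATE-----$/ { if (inblk) n++; else fail("END without BEGIN"); inblk = 0; next }
    inblk && $0 !~ "^[A-Za-z0-9+/=]+$" { fail("non-base64 line inside certificate") }
    END {
      if (inblk) { print "unterminated certificate block" > "/dev/stderr"; bad = 1 }
      if (bad || n == 0) exit 1
      print n
    }'
}

# Constructed certificate block; the body is placeholder base64, not a real certificate.
SAMPLE_CERT='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURQTEFDRUhPTERFUg==
-----END CERTIFICATE-----'

# Two blocks joined with a newline between them form a valid bundle.
printf '%s\n%s\n' "$SAMPLE_CERT" "$SAMPLE_CERT" | check_pem_bundle   # prints 2
```

The printed count should equal the number of Glance endpoints whose certificates you exported.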

{% hint style="warning" %}
**Failed to validate the credentials**

If Rubrik shows **Failed to validate the credentials** even when the username and password are correct, first confirm you imported the required certificates into the Rubrik certificate store, as described in [Add Certificates to Rubrik CDM](#add-certificates-to-rubrik-cdm).

If the error persists, contact Rubrik Support. Enable the support tunnel on the Rubrik CDM appliance and ask Rubrik Support to set the `enableOpenstackX509TrustManager` feature flag to `false`.
{% endhint %}

#### Verify inventory discovery

After adding the data source, Rubrik begins discovering your VM inventory. This process takes 5-10 minutes.

To verify successful discovery:

1. Navigate to **Data Protection** > **Inventory** > **OpenStack Virtual Machine**.


2. Confirm all expected VMs appear in the list.
   * VMs are organized by availability zone, which maps to your PCD clusters.
   * You can filter by **Domains or Projects** in the inventory view.


3. If VMs do not appear after 10 minutes, verify the following:
   * Network connectivity from the Rubrik appliance to the PCD keystone endpoint.
   * User credentials and system-scoped privileges.
   * Rubrik appliance logs for connection errors.

{% hint style="info" %}
**Common discovery failure**

If the Rubrik user has **Read Only** or **Self-Service User** access in any tenant, inventory refresh fails with **Failed to refresh** and this error:

```
Policy doesn't allow os_compute_api:os-availability-zone:detail to be performed.
```

The Rubrik user must have the **Administrator** role in every tenant Rubrik needs to access, or no role assignment in that tenant at all.
{% endhint %}

### Network configuration

Rubrik creates a proxy VM in each tenant during backup or restore operations. The Rubrik appliance communicates with these proxy VMs to transfer data.

#### Proxy VM deployment

When you run your first backup or restore in a tenant, Rubrik automatically:

* Uploads a proxy image to the tenant's Glance catalog.
* Creates a proxy VM instance in the tenant.
* Configures the proxy VM for data transfer operations.

The proxy VM remains running throughout backup and restore operations. The new Rubrik proxy VMs appear in your tenant.

{% hint style="warning" %}
**Proxy image upload fails**

Rubrik can fail to upload the proxy image with an error like **Too many failed attempts. Will no longer retry.**

When this happens, backup and restore operations fail because Rubrik cannot deploy the proxy VM.

To resolve this issue:

1. Contact Rubrik Support to identify the exact image ID it is trying to create or use. You can also use the **Download server logs** button on the error event in Rubrik to find the image ID yourself.
2. Contact Platform9 Support and ask them to delete all references to that image ID from the Glance database. Include reference `TCHALL-68`.
3. After cleanup is complete, ask Rubrik Support to trigger the proxy image upload manually.
{% endhint %}

#### Network requirements

For successful backup and restore operations:

* **Network placement:** Rubrik appliance and proxy VMs must be on the same network.
* **Port access:** The Rubrik appliance must reach proxy VMs on TCP ports 12800 and 12801.
* **Routing:** Ensure no firewalls or security groups block traffic between the appliance and proxy VMs.

#### Troubleshooting

After Rubrik creates a proxy VM in your tenant, verify connectivity:

* Identify the proxy VM in your tenant (typically named `rubrik-proxy-<tenant-name>`).
* Note the proxy VM's IP address.
* From the Rubrik appliance, test connectivity on required ports:

  ```bash
  nc -zv <proxy-vm-ip> 12800
  nc -zv <proxy-vm-ip> 12801
  ```

Both ports should show as open/connected. If either test fails, check:

* Security group rules on the proxy VM.
* Network routing between the Rubrik appliance and the PCD tenant network.
* Firewall rules in your environment.

#### Constraints

* Rubrik backup only works for VMs and volumes that are not ephemeral.
* The Rubrik system relies on VM snapshots, and this depends on the snapshot quota of the tenant under which the VM lives. If you have a large number of VMs that need backup concurrently, increase the snapshot quota.
* Layer 2 Networks (introduced in PCD 2026.1) are not supported.


