Rubrik Integration with PCD

Integrate Rubrik Cloud Data Management with Private Cloud Director for VM backup, restore, and disaster recovery replication.

Rubrik Cloud Data Management (CDM) is a backup appliance that provides agentless backup, recovery, and disaster recovery for virtual machines running in Private Cloud Director (PCD).

This guide explains how to connect Rubrik to your PCD environment so it can automatically discover and protect your VMs.

Prerequisites

Before you begin, ensure you meet the following criteria.

Rubrik CDM:

Access to your Rubrik portal at https://<your-domain>.my.rubrik.com
Rubrik CDM appliance deployed and accessible from your PCD environment.
Administrator privileges in the Rubrik portal.

PCD environment:

PCD version 2025.10-112 or later. For PCD 2026.1, see Rubrik integration in 2026.1 documentation.
Administrator access to create users and assign roles.
Access to run pcdctl commands.

Network requirements:

Rubrik appliance can reach the endpoint (HTTPS/443).
Rubrik appliance can reach proxy VMs on TCP ports 12800 and 12801.
Proxy VMs and the Rubrik appliance are on the same network, or routing is configured between them.

For disaster recovery replication (optional):

Second Rubrik CDM appliance
Network connectivity between both Rubrik appliances.
Rubrik 9.4.1-p1-30807 or later

Configure PCD user for Rubrik

Rubrik requires a dedicated PCD user with system-scoped admin privileges. System-scoped privileges enable Rubrik to discover and manage VMs across all tenants and domains, without being restricted to a single project.

Create the Rubrik user

Create a dedicated user for Rubrik in PCD:

# Example user: rubrik-system-user@acme.com
# Replace with your actual domain

Assign system-scoped admin privileges to the user:

pcdctl role add --user 'rubrik-system-user@acme.com' --user-domain default --system all admin

Verify the role assignment:

pcdctl role assignment list --user 'rubrik-system-user@acme.com'

Confirm the output includes:

The user exists in the list
An assignment row where the System column shows all

Example output:

+-------------+---------------------------+-------+---------+--------+--------+-----------+
| Role        | User                      | Group | Project | Domain | System | Inherited |
+-------------+---------------------------+-------+---------+--------+--------+-----------+
| 0a39274e... | b38b3de8cd904395...       |       | 857...  |        |        | False     |
| 0a39274e... | b38b3de8cd904395...       |       |         |        | all    | False     |
+-------------+---------------------------+-------+---------+--------+--------+-----------+

Grant the user the Administrator role in each tenant where you want Rubrik to perform backup and restore operations. Do not grant the user Read Only or Self-Service User access in other tenants. For tenants Rubrik should not access, leave the user unassigned.

Test the connection

Before configuring Rubrik, verify that the user can authenticate with the system scope:

Set environment variables for the Rubrik user:

export OS_USERNAME=rubrik-system-user@acme.com
export OS_PASSWORD=<your-password>
export OS_AUTH_URL=https://<DU-FQDN>/keystone/v3
export OS_IDENTITY_API_VERSION=3
export OS_USER_DOMAIN_NAME=Default
export OS_SYSTEM_SCOPE=system

Test authentication:
```
openstack token issue
```

If successful, you will see token details. If this fails, verify the user credentials and role assignment before proceeding.

Connect Rubrik CDM to PCD

After configuring the PCD user, add your PCD environment as a data source in Rubrik CDM.

Add Certificates to Rubrik CDM

Starting with Rubrik CDM 9.4.2, import the certificates for the endpoints Rubrik uses to connect to PCD.

Identify the endpoints whose certificates Rubrik must trust:
- https://<DU-FQDN>/: the region-specific URL users sign in to
- The Keystone identity endpoint shown in the API endpoint list
- All Glance (image) endpoints used by your deployment
Export the certificate for each endpoint as a .pem file. Open each URL in a browser. Select the HTTPS lock icon. Export the root or self-signed certificate.
In the Rubrik portal, navigate to Settings > Security > Certificate Management.
Import the certificates into Rubrik CDM. Add each exported certificate and enable Include in Truststore for every import.

Add PCD as an OpenStack data source

In the Rubrik portal, navigate to Settings > Datasource > OpenStack > Add OpenStack.

On the first screen of the configuration wizard, enter the following:
- IP Address/Fully Qualified Domain Name: <DU-FQDN>/keystone/v3
  Do not include https:// in this field. Rubrik adds the protocol automatically. Example: pcd-region1.example.com/keystone/v3
- Certificate: Paste the contents of the exported .pem certificate file for each Glance endpoint. If your deployment uses multiple Glance endpoints, paste the .pem contents one after another in the same field.
- Username: rubrik-system-user@acme.com
- Password: The password you set for this user
- User Domain Name: Default
On the next screen, for the Image (Glance) endpoint type, select Admin endpoint.

The admin endpoint allows Rubrik to access the full image catalog across all tenants. The public endpoint will not provide sufficient access.

Complete the remaining wizard fields with your environment details.
Click Add to save the configuration.

Failed to validate the credentials

If Rubrik shows Failed to validate the credentials even when the username and password are correct, first confirm you imported the required certificates into the Rubrik certificate store, as described in Add Certificates to Rubrik CDM.

If the error persists, contact Rubrik Support. Enable the support tunnel on the Rubrik CDM appliance and ask Rubrik Support to set the enableOpenstackX509TrustManager feature flag to false.

Verify inventory discovery

After adding the data source, Rubrik begins discovering your VM inventory. This process takes 5-10 minutes.

To verify successful discovery:

Navigate to Data Protection > Inventory > OpenStack Virtual Machine.

Confirm all expected VMs appear in the list.
- VMs are organized by availability zone, which maps to your PCD clusters.
- You can filter by Domains or Projects in the inventory view.

If VMs do not appear after 10 minutes, verify the following:
- Network connectivity from the Rubrik appliance to the PCD keystone endpoint.
- User credentials and system-scoped privileges.
- Rubrik appliance logs for connection errors.

Common discovery failure

If the Rubrik user has Read Only or Self-Service User access in any tenant, inventory refresh fails with Failed to refresh and this error:

Policy doesn't allow os_compute_api:os-availability-zone:detail to be performed.

The Rubrik user must have the Administrator role in every tenant Rubrik needs to access, or no role assignment in that tenant at all.

Network configuration

Rubrik creates a proxy VM in each tenant during backup or restore operations. The Rubrik appliance communicates with these proxy VMs to transfer data.

Proxy VM deployment

When you run your first backup or restore in a tenant, Rubrik automatically:

Uploads a proxy image to the tenant's Glance catalog.
Creates a proxy VM instance in the tenant.
Configures the proxy VM for data transfer operations.

The proxy VM remains running throughout backup/restore operations, and you will find new Rubrik Proxy VMs in your tenant, as shown here.

Proxy image upload fails

Rubrik can fail to upload the proxy image with an error like Too many failed attempts. Will no longer retry.

When this happens, backup and restore operations fail because Rubrik cannot deploy the proxy VM.

To resolve this issue:

Contact Rubrik Support to identify the exact image ID it is trying to create or use. You can also use the Download server logs button on the error event in Rubrik to find the image ID yourself.
Contact Platform9 Support and ask them to delete all references to that image ID from the Glance database. Include reference TCHALL-68.
After cleanup is complete, ask Rubrik Support to trigger the proxy image upload manually.

Network requirements

For successful backup and restore operations:

Network placement: Rubrik appliance and proxy VMs must be on the same network.
Port access: The Rubrik appliance must reach proxy VMs on TCP ports 12800 and 12801.
Routing: Ensure no firewalls or security groups block traffic between the appliance and proxy VMs.

Troubleshooting

After Rubrik creates a proxy VM in your tenant, verify connectivity:

Identify the proxy VM in your tenant (typically named rubrik-proxy-<tenant-name>).
Note the proxy VM's IP address.
From the Rubrik appliance, test connectivity on required ports:
```
nc -zv <proxy-vm-ip> 12800
nc -zv <proxy-vm-ip> 12801
```

Both ports should show as open/connected. If either test fails, check:

Security group rules on the proxy VM.
Network routing between the Rubrik appliance and the PCD tenant network.
Firewall rules in your environment.

Constraints

Rubrik backup only works for VMs and volumes that are not ephemeral
The Rubrik system relies on VM snapshots, and this depends on the snapshot quota of the tenant under which the VM lives. If you have a large number of VMs that need backup concurrently, increase the snapshot quota.
Layer 2 Networks (introduced in PCD 2026.1) are not supported.

PreviousPCD CLI - pcdctl NextCommvault Integration with PCD

Last updated 13 days ago

Was this helpful?