Solved

Unable to configure VSA clients in AZURE

  • 24 January 2022
  • 6 replies
  • 455 views

Userlevel 1
Badge +8

Hello, 

After Installation Media Agent in AZURE the next step is configuration VSA backup client for on of the subscription where the Media Agent is located. I checked the roles which were added to subscription for the Media Agents: 

  • Infrastructure Administrator Networking
  • Infrastructure Administrator

Media Agent has enabled Managed Identity, Which is required for access VSA proxy server to subscription. 

After when my colleague try to configure VSA client. He received the error: 

“Unable to connect to Virtual Machine host [ID number for subscription] as user [].  [Failed to get access token. Connection failed.“

Please let me know when I should take a look more details about that issue or steps to verify configuration for the Media Agent. 

icon

Best answer by Michal128 6 April 2022, 15:19

View original

If you have a question or comment, please create a topic

6 replies

Userlevel 7
Badge +23

Thanks for confirming!!

Userlevel 1
Badge +8

Hello, 

The solution was implemented rules in Firewall to grant access to URLs from VSA proxy server. 

https://management.azure.com/

https://login.microsoftonline.com/

https://*.blob.core.windows.net

https://vault.azure.net

https://graph.windows.net/

http://169.254.169.254/metadata/identity/oauth2/token

Regards, 

Michal 

Userlevel 1
Badge +8

Hello, 

Thanks for the info. Today I am talking with the user which has that type of issue. I think tomorrow I can check and update the topic, if the problem still appears. 

Regards, 

Michal 

Userlevel 4
Badge +8

@Michal128  

 

Can you ensure that you meet the requirements and that this was configured correctly from the Azure side?

 

https://docs.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial#prerequisites

Userlevel 1
Badge +8

Hello Mike, 

Thanks for the info about the links which should be working from Media Agent. Maybe it is silly question, but how I can check the access by port 443. Some of the link I checked by Test-NetConnection by Powershell. But on some of the links I receive the info, that the ComputerName paratmeter is not recoginzed by DNS server. Could You check or provide different way to verify the connection. 

Regards, 

Michal  

Userlevel 7
Badge +23

@Michal128 , can you check the following?

Ensure the following URLs are able to be accessed from the Azure MediaAgent on port 443:

https://management.azure.com/

https://login.microsoftonline.com/

https://*.blob.core.windows.net

https://vault.azure.net

https://graph.windows.net/

http://169.254.169.254/metadata/identity/oauth2/token

Additional information can be found at: https://documentation.commvault.com/commvault/v11/article?p=3319.htm