Solved

Immutable storage for Commvault in Azure with on-premises Media Agent.



Hello,

Today we would like to check the working solution for immutable storage in Azure, and I am really wondering how to configure that type of access:

if the access node is a local server and the resource does not appear in Azure.

Regards, 

Michal 


4 replies

  • Vaulter
  • 14 replies
  • Answer
  • March 15, 2023

Hi @Michal128,

If your MediaAgent is on-prem, you can use other methods to authenticate.

The easiest way would be to use the access key.

You can find the access key ID in your Azure portal > storage account > your storage account > Access keys, on the left panel under Security + networking.

When you use this, you don’t need to assign a role to your storage account because this works like a root password (has all permissions).

When you configure it on the CommCell console, go to Storage resources > Libraries > Add > Cloud Storage library > Cloud storage. Then name the storage (doesn’t have to match the storage account name), select your local MediaAgent, select Access & secret keys, leave the service host as blob.core.windows.net, and click Create new for credentials.

Then add the credential name, put your storage account as ‘Account name’ and add the key that you copied from the Azure portal.

Then find the container in the Azure portal under the storage account, specify it, and continue.

The second method is to create an application in Azure and use it to authenticate. In the Azure portal, go to App registration and New registration. Name the application and register.

Then go to the storage account > IAM > add the application as ‘Contributor’.

When you configure it on the CommCell console, go to Storage resources > Libraries > Add > Cloud Storage library > Cloud storage. Then name the storage (doesn’t have to match the storage account name), select the MediaAgent, select IAM AD application role assignment, leave the service host as blob.core.windows.net, and click Create new for credentials.

For the tenant ID and application ID, copy them from your Azure portal > app registration > your app > overview.

For the application secret, go to your Azure portal > app registration > your app > certificates & secret > +new client secret and copy it from there.

For the account name, type your storage account name (jlsoutheast in my case).

Thank you.

Kind regards,

Jiye Lee


  • Author
  • Byte
  • 58 replies
  • March 23, 2023

Hello Jiye,

Thanks for the details on how it can be set up and what type of configuration can be implemented. Your way of showing what can be done in this case is simple and clear :). As I remember, I used the first approach with the Storage Account Key.

I have one more question: maybe you know which option is more secure?

Regards, 

Michal 


Onno van den Berg
Commvault Certified Expert

@Michal128 can you explain which options you are referring to? 


  • Author
  • Byte
  • 58 replies
  • April 4, 2023

Hello Onno van den Berg, 

From our configuration backup, I mostly use the first option, so using the direct key from the Azure portal and creating an access account in the CommServe server.

But another question that came to my mind is how the local Media Agent connects to the storage account and which protocol it uses to send the data (HTTP or HTTPS). This is very important from the standpoint of sending data securely. I checked the documentation but I can’t find that information, which is critical for the configuration part.

Regards, 

Michal 
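
An added example (not part of the thread, and not Commvault or Microsoft code): a Python check over the JSON returned by `az storage account show` and `az role assignment list`, covering the storage-account settings that bear on the two questions raised above, HTTP vs. HTTPS transport and access key vs. application access. The account name, application name and sample values are constructed.

```python
import json

# Constructed sample: subset of `az storage account show` output for a
# hypothetical account. Real output has many more fields.
ACCOUNT_JSON = """{"name": "examplebackupsa", "enableHttpsTrafficOnly": false,
 "minimumTlsVersion": "TLS1_0", "allowSharedKeyAccess": true}"""

# Constructed sample: subset of `az role assignment list --scope <account id>`.
ROLES_JSON = """[{"principalName": "example-library-app",
 "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor"}]"""

# Built-in roles that include the listKeys action, so a principal holding one
# can read the account keys and then act with full data access.
KEY_LISTING_ROLES = {"Owner", "Contributor", "Storage Account Contributor"}


def audit(account, assignments):
    """Return (check, message) findings for one storage account."""
    findings = []
    # "Secure transfer required": when on, the service rejects HTTP requests.
    if account.get("enableHttpsTrafficOnly") is not True:
        findings.append(("transport", "HTTP requests are accepted"))
    # Treat a missing value as weak (conservative assumption of this example).
    if account.get("minimumTlsVersion") in (None, "TLS1_0", "TLS1_1"):
        findings.append(("tls", "TLS versions below 1.2 are accepted"))
    # Shared Key authorization is what the account access key uses. It is
    # allowed unless explicitly set to false; setting it to false also stops
    # the access-key method from working, so only the app method remains.
    if account.get("allowSharedKeyAccess") is not False:
        findings.append(("shared-key", "account keys can authorize requests"))
    for a in assignments:
        if a.get("roleDefinitionName") in KEY_LISTING_ROLES:
            findings.append(("role", "%s holds %s, which can list account keys"
                             % (a.get("principalName"), a["roleDefinitionName"])))
    return findings


if __name__ == "__main__":
    for check, message in audit(json.loads(ACCOUNT_JSON), json.loads(ROLES_JSON)):
        print("[%s] %s" % (check, message))
```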

