Solved

Immutable storage for Commvault in Azure with on-permises Media Agent.

  • 8 March 2023
  • 4 replies
  • 151 views

Userlevel 1
Badge +8

Hello,

Today we would like to check the working solution for immutable storage in Azure. And I am really wondering how to configure that type of access: 

If the access node is local server and resource is not appeared in Azure. 

Regards, 

Michal 

icon

Best answer by Jiye 15 March 2023, 01:37

View original

4 replies

Userlevel 2
Badge +3

Hi @Michal128,

 

If your Media agent is on-prem you can use other methods to authenticate. 

 

Easiest way would be to use the access key. 

 

You can find the access key id from your azure portal > storage account > your storage account > access keys on the left panel under Security+Networking.

When you use this, you don’t need to assign role to your storage account because this works like a root password (has all permissions)

 

When you configure on Commcell console, go to Storage resources > Libraries > Add > Cloud Storage library > Cloud storage. Then name the storage (doesn’t have to match the storage account name), select your local MediaAgent, select Access & secret keys, leave service host to blob.core.windows.net, click Create new for credentials.

 

 

Then add the credential name, then put your storage account as ‘Account name’ and add the key that you copied from azure portal.

 

Then find the container on azure portal under the storage account, specify it, and continue. 

 

The second method is to create an application on azure and use it to authenticate. On azure portal, go to App registration and New registration. Name the application and register.

 

Then go to the storage account > IAM > Add the application as ‘Contributor’

 

When you configure on Commcell console, go to Storage resources > Libraries > Add > Cloud Storage library > Cloud storage. Then name the storage (doesn’t have to match the storage account name), select MediaAgent, select IAM AD application role assignment, leave service host to blob.core.windows.net, click Create new for credentials.

For the Tenant id, application id, copy it from your azure portal > app registration > your app > overview.

 

For application secret, on your azure portal > app registration > your app > certificates & secret > +new client secret and copy it from there

 

For account name, type your storage account name (jlsoutheast in my case). 

Thank you. 

Kind regards,

Jiye Lee

 

Userlevel 1
Badge +8

Hello Onno van den Berg, 

From our configuration backup I use mostly the first option, so using direct key from Azure portal and creating some Access account in the Commserve server. 

But Another question which appeared in my head is how the local Media Agent is connected to the storage account which protocol is using to send the data on them (http or https). It is very important from site of secure sending data. I checked documentation but I can’t find out that information which is very critical for configuration part. 

Regards, 

Michal 

Userlevel 1
Badge +8

Hello Jiye.,

Thanks for the details how it can be set and what’s type of configuration can be implemented. Your way of showing what can be done in the case is simple and clear :).  As I remember I used the first approach with Storage Account Key. 

I have one question more, maybe You know which option is more secure? 

Regards, 

Michal 

Userlevel 7
Badge +18

@Michal128 can you explain which options you are referring to? 

Reply