Solved

Unable to configure VSA clients in AZURE

  • January 24, 2022
  • 6 replies
  • 644 views

Michal128
Byte

Hello, 

After installing the Media Agent in Azure, the next step is configuring the VSA backup client for one of the subscriptions where the Media Agent is located. I checked the roles which were added to the subscription for the Media Agents: 

  • Infrastructure Administrator Networking
  • Infrastructure Administrator

The Media Agent has Managed Identity enabled, which is required for the VSA proxy server to access the subscription. 

When my colleague tried to configure the VSA client, he received the error: 

“Unable to connect to Virtual Machine host [ID number for subscription] as user [].  [Failed to get access token. Connection failed.“

Please let me know where I should look for more details about that issue, or the steps to verify the configuration for the Media Agent. 

Best answer by Michal128

Hello, 

The solution was to implement rules in the firewall to grant access to the URLs from the VSA proxy server. 

https://management.azure.com/

https://login.microsoftonline.com/

https://*.blob.core.windows.net

https://vault.azure.net

https://graph.windows.net/

http://169.254.169.254/metadata/identity/oauth2/token

Regards, 

Michal 


Mike Struening
Vaulter

@Michal128 , can you check the following?

Ensure the following URLs are able to be accessed from the Azure MediaAgent on port 443:

https://management.azure.com/

https://login.microsoftonline.com/

https://*.blob.core.windows.net

https://vault.azure.net

https://graph.windows.net/

http://169.254.169.254/metadata/identity/oauth2/token

Additional information can be found at: https://documentation.commvault.com/commvault/v11/article?p=3319.htm 


Michal128
Byte

Hello Mike, 

Thanks for the info about the links which should be working from the Media Agent. Maybe it is a silly question, but how can I check the access on port 443? I checked some of the links with Test-NetConnection in PowerShell, but on some of the links I receive the info that the ComputerName parameter is not recognized by the DNS server. Could you check or provide a different way to verify the connection? 

Regards, 

Michal  
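
Added example, not part of the original thread: a PowerShell check for the URL list above that passes only the host name and port to the test, which is what a DNS-based check needs (a full URL or a `*` wildcard will not resolve). The storage account name, the `Test-Endpoint` function name and the 5-second timeout are assumptions made for this example.

```powershell
# Placeholder (assumption): a real storage account name to substitute for "*"
$StorageAccount = 'examplestorageacct'

$urls = @(
    'https://management.azure.com/',
    'https://login.microsoftonline.com/',
    'https://*.blob.core.windows.net',
    'https://vault.azure.net',
    'https://graph.windows.net/',
    'http://169.254.169.254/metadata/identity/oauth2/token'
)

function Test-Endpoint {   # hypothetical helper name
    param([string]$Url, [string]$WildcardLabel)
    # Parse the URL so only host and port are tested (https -> 443, http -> 80)
    $uri = [System.Uri]($Url -replace '\*', $WildcardLabel)
    $r = [ordered]@{ Url = $Url; Host = $uri.Host; Port = $uri.Port; Dns = $true; Tcp = $false }
    # Resolve DNS names first; the metadata endpoint is a literal IP and skips this
    if ($uri.HostNameType -eq [System.UriHostNameType]::Dns) {
        try   { [void][System.Net.Dns]::GetHostAddresses($uri.Host) }
        catch { $r.Dns = $false; return [pscustomobject]$r }
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $r.Tcp = $client.ConnectAsync($uri.Host, $uri.Port).Wait(5000) }
    catch   { $r.Tcp = $false }   # refused or blocked by a firewall rule
    finally { $client.Close() }
    [pscustomobject]$r
}

$urls | ForEach-Object { Test-Endpoint -Url $_ -WildcardLabel $StorageAccount } |
    Format-Table -AutoSize

# Managed identity token request against the metadata endpoint from the list.
# Only reports whether a token came back; the token itself is not printed.
try {
    $t = Invoke-RestMethod -TimeoutSec 5 -Headers @{ Metadata = 'true' } -Uri `
        'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/'
    "Managed identity token received: $([bool]$t.access_token)"
} catch {
    "Managed identity token request failed: $($_.Exception.Message)"
}
```

Run it on the VSA proxy / MediaAgent itself; a row with `Dns` true and `Tcp` false points at a firewall or NSG rule rather than name resolution.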


  • Vaulter
  • February 10, 2022

@Michal128  

 

Can you ensure that you meet the requirements and that this was configured correctly from the Azure side?

 

https://docs.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial#prerequisites


Michal128
Byte

Hello, 

Thanks for the info. Today I am talking with the user who has that type of issue. I think tomorrow I can check and update the topic if the problem still appears. 

Regards, 

Michal 


Mike Struening
Vaulter

Thanks for confirming!!

