Prerequisites for Microsoft Azure Storage

Outbound Connections

Before configuring Air Gap Protect storage on Azure Blob Storage, add the required endpoints to your Air Gap Protect MediaAgent's allowlist.

Replacing * in *.blob.core.windows.net

After you configure your Air Gap Protect storage on Azure Blob Storage, you can replace * in *.blob.core.windows.net with the specific storage account name. For example, in the following image, the name of the storage account is AGP_Azure_Mumbai:

agp-storage-account-name

Global Azure

  • *.blob.core.windows.net: All endpoints that contain blob.core.windows.net

  • https://login.microsoftonline.com

Azure Government

  • *.blob.core.usgovcloudapi.net: All endpoints that contain .blob.core.usgovcloudapi.net

  • https://login.microsoftonline.us

Azure IP ranges and service tags

For a downloadable list of IP addresses required by the following, see Azure IP Ranges and Service Tags – Public Cloud:

  • blob.core.windows.net

  • login.microsoftonline.com

  • blob.core.usgovcloudapi.net

  • login.microsoftonline.us

In the name: "Storage.[region]" values—such as "name": "Storage.AustraliaCentral"[region] is the region of the Air Gap Protect storage.

You can configure the Azure ExpressRoute circuit and Azure Private Link (Private Endpoint) for Air Gap Protect.

Configuring Azure ExpressRoute

Because the ExpressRoute is completely transparent to Air Gap Protect, no additional approval or configuration is required for Air Gap Protect. For information about configuring the Azure ExpressRoute circuit, see Quickstart: Create and modify ExpressRoute circuits.

  1. Configure Air Gap Protect in Commvault software. For more information, see Configuring Air Gap Protect.

  2. Contact Commvault Customer Support and obtain a Storage Resource ID. You can contact Commvault Customer Support by logging a ticket in the Maintenance Advantage Customer Support Portal.

  3. Create a Private Endpoint using the Storage Resource ID in your own Azure subscription. For more information, see Create a private endpoint.

  4. Contact Commvault Customer Support and provide the name of the Private Endpoint that you created, to request approval.

    Note

    The approval might take up to 10 business days.

  5. Once the Private Endpoint is approved, verify that the value for the CONNECTION STATE for the endpoint is displayed as Approved.

  6. Update your DNS server to resolve your storage account endpoint to the Private Link's IP address.

    Notes

    • To obtain the storage account endpoint, see Obtaining the Storage Account Name.

    • The network policy must be disabled for the subnet containing the Private Endpoint. Specifically, the following subnet properties must be disabled:

      • privateLinkServiceNetworkPolicies: Disabled

      • privateEndpointNetworkPolicies: Disabled

×

Loading...