Outbound Connections
Before configuring Air Gap Protect storage on Azure Blob Storage, add the required endpoints to your Air Gap Protect MediaAgent's allowlist.
Replacing * in *.blob.core.windows.net
After you configure your Air Gap Protect storage on Azure Blob Storage, you can replace *
in *.blob.core.windows.net
with the specific storage account name. For example, in the following image, the name of the storage account is AGP_Azure_Mumbai
:
Global Azure
-
*.blob.core.windows.net
: All endpoints that containblob.core.windows.net
-
https://login.microsoftonline.com
Azure Government
-
*.blob.core.usgovcloudapi.net
: All endpoints that contain.blob.core.usgovcloudapi.net
-
https://login.microsoftonline.us
Azure IP ranges and service tags
For a downloadable list of IP addresses required by the following, see Azure IP Ranges and Service Tags – Public Cloud:
-
blob.core.windows.net
-
login.microsoftonline.com
-
blob.core.usgovcloudapi.net
-
login.microsoftonline.us
In the name: "Storage.[region]"
values—such as "name": "Storage.AustraliaCentral"
—[region]
is the region of the Air Gap Protect storage.
Azure ExpressRoute and Azure Private Link
You can configure the Azure ExpressRoute circuit and Azure Private Link (Private Endpoint) for Air Gap Protect.
Configuring Azure ExpressRoute
Because the ExpressRoute is completely transparent to Air Gap Protect, no additional approval or configuration is required for Air Gap Protect. For information about configuring the Azure ExpressRoute circuit, see Quickstart: Create and modify ExpressRoute circuits.
Configuring Azure Private Link (Private Endpoint)
-
Configure Air Gap Protect in Commvault software. For more information, see Configuring Air Gap Protect.
-
Contact Commvault Customer Support and obtain a Storage Resource ID. You can contact Commvault Customer Support by logging a ticket in the Maintenance Advantage Customer Support Portal.
-
Create a Private Endpoint using the Storage Resource ID in your own Azure subscription. For more information, see Create a private endpoint.
-
Contact Commvault Customer Support and provide the name of the Private Endpoint that you created, to request approval.
Note
The approval might take up to 10 business days.
-
Once the Private Endpoint is approved, verify that the value for the CONNECTION STATE for the endpoint is displayed as Approved.
-
Update your DNS server to resolve your storage account endpoint to the Private Link's IP address.
Notes
-
To obtain the storage account endpoint, see Obtaining the Storage Account Name.
-
The network policy must be disabled for the subnet containing the Private Endpoint. Specifically, the following subnet properties must be disabled:
-
privateLinkServiceNetworkPolicies: Disabled
-
privateEndpointNetworkPolicies: Disabled
-
-