Set Up Azure Blob Storage

You can use the Azure IAM AD application to access backed-up and restored files in the Azure Blob storage.

Before you begin

• Verify that the storage account is not behind a firewall.

  Tip

  To configure the firewall settings for your storage account:

  1. In the Azure portal, go to storage > Security + networking > Networking.

  2. On the Firewalls and virtual networks tab, select Enabled from all networks.

• Verify that you have a minimum of the following settings enabled when generating the SAS token:

  • Allowed Services: Blob

  • Allowed resource type: Container and Object

  • Allowed Permissions: Read, Write, and Create

Procedure

1. You can generate a shared access signature (SAS) token for your Azure Storage by using the Azure portal, by using the Azure command line, or by using PowerShell.

   You can generate one of the three shared access signatures that Azure Storage supports. For more information, go to Delegate Access with Shared Access Signatures on the Azure documentation website.

   The following steps describe how to use the Azure portal to generate a shared access signature.

   1. Log on to the Azure portal.

   2. Click your Storage Account, click the Shared access signature menu, and then click Generate SAS and connection string.

      An SAS token value is generated.

   3. Copy the SAS token value so you can use it in the next step.

2. Using CREATE CREDENTIAL (Transact-SQL), create a T-SQL credential in your Azure SQL managed instance that allows Azure SQL managed instances to access the files from Azure Blob Storage. Use the following values for the parameters:

   • CREDENTIAL_NAME: The Azure Blob Storage URL that has commvault appended.

     For example, your URL should look like this: https://testazurestorage.blob.core.windows.net/commvault.

   • IDENTITY: Use Shared Access Signature.

   • SECRET: The SAS token.

     For example, assume that the name of your Azure storage account is “testazurestorage”, and the value for the SAS token is the following:

     sv=2018-03-28&sr=c&si=test_Policy&sig=4gFj4b%2BJPywWFrDIJbV6L69R4iQtlw72695oFBjepVM%3D

     For this example, you would use the following T-SQL credential generation statement:

     CREATE CREDENTIAL https://testazurestorage.blob.core.windows.net/commvault WITH IDENTITY='Shared Access Signature', SECRET='sv=2018-03-28&sr=c&si=test_Policy&sig=4gFj4b%2BJPywWFrDIJbV6L69R4iQtlw72695oFBjepVM%3D'

You can use the Azure Managed Identity solution to access backed-up and restored files in the Azure Blob storage.

Before you begin

• Verify that the storage account is not behind a firewall.

  Tip

  To configure the firewall settings for your storage account:

  1. In the Azure portal, go to storage > Security + networking > Networking.

  2. On the Firewalls and virtual networks tab, select Enabled from all networks.

Procedure

1. Assign the Storage Blob Data Contributor role to the managed identity for the Azure storage account.

2. Using CREATE CREDENTIAL (Transact-SQL), create a T-SQL credential in your Azure SQL managed instance that allows Azure SQL managed instances to access the files from Azure Blob Storage. Use the following values for the parameters:

   • CREDENTIAL_NAME: The Azure Blob Storage URL that has commvault appended.

     For example, your URL should look like this: https://testazurestorage.blob.core.windows.net/commvault.

   • IDENTITY: Use Managed Identity.

   For example, use the following T-SQL credential generation statement:

   CREATE CREDENTIAL [https://testazurestorage.blob.core.windows.net/commvault] WITH IDENTITY = 'Managed Identity'