Configure storage for Azure Application Consistent Snapshot tool

This article provides a guide for configuring the Azure storage to be used with the Azure Application Consistent Snapshot tool (AzAcSnap).

Select the storage you're using with AzAcSnap.

Either set up a system-managed identity (recommended) or generate the service principal's authentication file.

When you're validating communication with Azure NetApp Files, communication might fail or time out. Check that firewall rules aren't blocking outbound traffic from the system running AzAcSnap to the following addresses and TCP/IP ports:

  • (https://)management.azure.com:443
  • (https://)login.microsoftonline.com:443

Enable communication with storage

This section explains how to enable communication with storage. Use the following tabs to correctly select the storage back end that you're using.

There are two ways to authenticate to the Azure Resource Manager using either a system-managed identity or a service principal file. The options are described here.

Azure system-managed identity

From AzAcSnap 9, it's possible to use a system-managed identity instead of a service principal for operation. Using this feature avoids the need to store service principal credentials on a virtual machine (VM). To set up an Azure managed identity by using Azure Cloud Shell, follow these steps:

  1. Within a Cloud Shell session with Bash, use the following example to set the shell variables appropriately and apply them to the subscription where you want to create the Azure managed identity. Set SUBSCRIPTION, VM_NAME, and RESOURCE_GROUP to your site-specific values.

    export SUBSCRIPTION="99z999zz-99z9-99zz-99zz-9z9zz999zz99"
    export VM_NAME="MyVM"
    export RESOURCE_GROUP="MyResourceGroup"
    export ROLE="Contributor"
    export SCOPE="/subscriptions/${SUBSCRIPTION}/resourceGroups/${RESOURCE_GROUP}"
    
  2. Set Cloud Shell to the correct subscription:

    az account set -s "${SUBSCRIPTION}"
    
  3. Create the managed identity for the virtual machine. The following command sets (or shows if it's already set) the AzAcSnap VM's managed identity:

    az vm identity assign --name "${VM_NAME}" --resource-group "${RESOURCE_GROUP}"
    
  4. Get the principal ID for assigning a role:

    PRINCIPAL_ID=$(az resource list -n ${VM_NAME} --query [*].identity.principalId --out tsv)
    
  5. Assign the Contributor role to the principal ID:

    az role assignment create --assignee "${PRINCIPAL_ID}" --role "${ROLE}" --scope "${SCOPE}"
    

Optional RBAC

It's possible to limit the permissions for the managed identity by using a custom role definition in role-based access control (RBAC). Create a suitable role definition for the virtual machine to be able to manage snapshots. You can find example permissions settings in Tips and tricks for using the Azure Application Consistent Snapshot tool.

Then assign the role to the Azure VM principal ID (also displayed as SystemAssignedIdentity):

az role assignment create --assignee ${PRINCIPAL_ID} --role "AzAcSnap on ANF" --scope "${SCOPE}"

Generate a service principal file

  1. In a Cloud Shell session, make sure you're logged on at the subscription where you want to be associated with the service principal by default:

    az account show
    
  2. If the subscription isn't correct, use the az account set command:

    az account set -s <subscription name or id>
    
  3. Create a service principal by using the Azure CLI, as shown in this example:

    az ad sp create-for-rbac --name "AzAcSnap" --role Contributor --scopes /subscriptions/{subscription-id} --sdk-auth
    

    The command should generate output like this example:

    {
      "clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",
      "clientSecret": "Dd4Ee~5Ff6.-Gg7Hh8Ii9Jj0Kk1Ll2_Mm3Nn4Oo5",
      "subscriptionId": "cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a",
      "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
      "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
      "resourceManagerEndpointUrl": "https://management.azure.com/",
      "activeDirectoryGraphResourceId": "https://graph.windows.net/",
      "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
      "galleryEndpointUrl": "https://gallery.azure.com/",
      "managementEndpointUrl": "https://management.core.windows.net/"
    }
    

    This command automatically assigns the RBAC Contributor role to the service principal at the subscription level. You can narrow down the scope to the specific resource group where your tests will create the resources.

  4. Cut and paste the output content into a file called azureauth.json that's stored on the same system as the azacsnap command. Secure the file with appropriate system permissions.

    Make sure the format of the JSON file is exactly as described in the previous step, with the URLs enclosed in double quotation marks (").

Next steps