Reputation: 17
I am running PowerShell to back up an Azure API Management instance into Blob Storage, from an Azure VM within subnet A.
When the blob storage is set to Network - All Network, it works.
However, when the blob storage is set to Network - Selected Subnet A, PowerShell starts to error.
The message says: Operation returned an invalid status code 'BadRequest'
I also added the Azure API Management public IP to the Blob Storage firewall, but it still doesn't work.
Using debug mode, there is some more info:
{ "error": { "code": "InvalidParameters", "message": "Invalid parameter: This request is not authorized to perform this operation.\r\nParameter name: backupContainerName (value: [apim-backup])", "details": null, "innerError": null } }
After searching around, apparently this means the IP is not allowed by Blob Storage. Only the Backup-AzApiManagement command failed. Other storage operations in PowerShell work within that Azure VM. Also, the Storage Explorer UI in the VM can access the blobs and upload blobs from it too.
Does this mean that this blob storage access request is issued by an internal Microsoft infrastructure server behind the scenes, and not from the Azure VM I am running on?
Upvotes: 1
Views: 1295
Reputation: 679
Please look at the network requirements if you have a secured Blob Storage account: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-disaster-recovery-backup-restore#access-using-storage-access-key-2
TL;DR
If your service is in East US and your storage account is in East US, adding the APIM IP address will not help. Create a storage account in East US2 and add the APIM IP address from East US. A same-region storage account and APIM service will not work, because only cross-region storage requests will be SNATed to the public IP address.
We have released Backup support using Managed Identity, where you don't need to provide access keys: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-disaster-recovery-backup-restore#access-using-managed-identity-2
Using Managed Identity, you don't need to add IP addresses. You can enable "Allow Trusted Services" on the storage account. The storage account in this case can be in the same region as the APIM service.
E.g., for Backup - https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/api-management-service/backup#apimanagementbackupwithsystemmanagedidentity
Upvotes: 0
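The managed-identity route from the answer above, sketched in Az PowerShell as an added example (not code from either poster). The resource names are constructed placeholders; the "Storage Blob Data Contributor" role and the container-level scope are assumptions, the role being what Microsoft's backup documentation asks for and the narrow scope a least-privilege choice.

```powershell
# Added example. All names below are constructed placeholders; replace with your own.
$rg        = 'rg-apim-example'
$apimName  = 'apim-example'
$saName    = 'stapimbackupexample'
$container = 'apim-backup'          # container name taken from the error message in the question
$blobName  = "apim-backup-$(Get-Date -Format 'yyyyMMdd-HHmm')"

# 1. Make sure the APIM instance has a system-assigned managed identity.
$apim = Get-AzApiManagement -ResourceGroupName $rg -Name $apimName
if (-not $apim.Identity -or -not $apim.Identity.PrincipalId) {
    $apim = Set-AzApiManagement -InputObject $apim -SystemAssignedIdentity -PassThru
}

# 2. Grant that identity blob data access, scoped to the backup container only
#    (assumption: container scope instead of the whole account, for least privilege).
$sa    = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$scope = "$($sa.Id)/blobServices/default/containers/$container"
$existing = Get-AzRoleAssignment -ObjectId $apim.Identity.PrincipalId -Scope $scope |
    Where-Object RoleDefinitionName -eq 'Storage Blob Data Contributor'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $apim.Identity.PrincipalId `
        -RoleDefinitionName 'Storage Blob Data Contributor' -Scope $scope | Out-Null
}

# 3. Enable "Allow Trusted Services" on the storage firewall.
#    Only the bypass setting is passed here; no IP rule for APIM is added.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
    -Bypass AzureServices | Out-Null

# 4. Run the backup with the managed identity; no storage access key is used.
$ctx = New-AzStorageContext -StorageAccountName $saName
Backup-AzApiManagement -ResourceGroupName $rg -Name $apimName `
    -StorageContext $ctx -TargetContainerName $container `
    -TargetBlobName $blobName -AccessType 'SystemAssignedManagedIdentity'

# 5. Check the resulting firewall state: the default action and the bypass list.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName |
    Select-Object DefaultAction, Bypass
```

A new role assignment can take a few minutes to propagate, so a backup started immediately after step 2 may still fail with an authorization error.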