utterances-bot opened 1 year ago
James, great work and very useful! I just stumbled onto an issue with the storage account needed for the copy and the storage policies set in Azure for this tenant. Using keys and public blob access is locked down (must be set to disabled to create the storage account) so I'm hitting a wall on the script execution. Do you see a way to use AAD credentials for this?
Honestly no :) I haven't spent any time looking at this sort of thing, if the environment is that locked down, you might actually be better looking at the Compute Gallery Option for replication here
James, I did some research and test-runs as I had to get a replication going. And since you had done a great job on this script, my thinking was this is a great start instead of starting from scratch - I managed to get it to work. Let me summarize the changes I did:

- The managed identity you are using, be it system managed or user managed, will besides the Contributor role also need the RBAC role "Storage Blob Data Contributor" on the destination resource group. A bit funny that you need this when you are an owner of the resource but nevertheless - this is true.
- When creating the storage account, I needed these parameters set:

```powershell
$StorageAccount = New-AzStorageAccount -ResourceGroupName $TargetResourceGroup -Name $StorageAccountName `
    -SkuName "Standard_LRS" -Location $TargetRegion -AllowBlobPublicAccess $false -Kind "StorageV2" `
    -PublicNetworkAccess "Enabled" -MinimumTlsVersion "TLS1_2" -AllowSharedKeyAccess $true `
    -EnableHttpsTrafficOnly $true -ErrorAction Stop `
    -NetworkRuleSet @{ Bypass = "AzureServices"; ipRules = (@{ IPAddressOrRange = "xx.xx.xx.0/24"; Action = "allow" }, @{ IPAddressOrRange = "xx.xx.xx.xx/7"; Action = "allow" }) }
```

- When creating the container, the permission parameter needs to be set to "Off":

```powershell
$Container = New-AzStorageContainer -Name $StorageAccountName -Permission "Off" -Context $DestinationContext -ErrorAction Stop
```

That was really it!
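The steps above (RBAC role on the target resource group, a hardened storage account, a private container) can be put together in one script that talks to the blob service with the identity's Entra ID token instead of a storage key. The following is an added example written for this thread; it is not the post's script nor the commenter's code. Resource group, region, account and container names, the identity object id and the IP ranges are placeholders, and the assumption that `-AllowSharedKeyAccess $false` is acceptable holds only if every later blob call also uses the `-UseConnectedAccount` context (the commenter kept shared key access enabled).

```powershell
# Added example (not the post's or the commenter's code): prepares the replication target so that
# blob access is authorised through Entra ID RBAC rather than a shared key.
param(
    [string]$TargetResourceGroup = "rg-snapshot-replica",      # placeholder
    [string]$TargetRegion        = "westeurope",               # placeholder
    [string]$StorageAccountName  = "stsnapreplica001",         # placeholder, must be globally unique
    [string]$ContainerName       = "snapshots",                # placeholder
    [string]$IdentityObjectId    = "00000000-0000-0000-0000-000000000000", # placeholder: object id of the managed identity running the script
    [string[]]$AllowedIpRanges   = @("203.0.113.0/24"),        # placeholder ranges from the RFC 5737 documentation block
    [bool]$AllowSharedKey        = $false                      # assumption: all later blob calls use the AAD context below
)

# 1. RBAC: Contributor covers the control plane only. Data-plane blob operations need
#    "Storage Blob Data Contributor" on the target resource group (the point raised in the thread).
$scope    = (Get-AzResourceGroup -Name $TargetResourceGroup -ErrorAction Stop).ResourceId
$existing = Get-AzRoleAssignment -ObjectId $IdentityObjectId -RoleDefinitionName "Storage Blob Data Contributor" `
                -Scope $scope -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $IdentityObjectId -RoleDefinitionName "Storage Blob Data Contributor" `
        -Scope $scope -ErrorAction Stop | Out-Null
    # Role assignments propagate asynchronously; a first data-plane call right after creation can still be denied.
    Start-Sleep -Seconds 30
}

# 2. Storage account: no anonymous blob access, TLS 1.2 minimum, HTTPS only, and a network rule set
#    whose default action denies everything except trusted Azure services and the listed ranges.
$ipRules = @(foreach ($range in $AllowedIpRanges) { @{ IPAddressOrRange = $range; Action = "allow" } })
$networkRuleSet = @{
    bypass        = "AzureServices"
    ipRules       = $ipRules
    defaultAction = "deny"
}
$StorageAccount = New-AzStorageAccount -ResourceGroupName $TargetResourceGroup -Name $StorageAccountName `
    -SkuName "Standard_LRS" -Location $TargetRegion -Kind "StorageV2" `
    -AllowBlobPublicAccess $false -MinimumTlsVersion "TLS1_2" -EnableHttpsTrafficOnly $true `
    -AllowSharedKeyAccess $AllowSharedKey -PublicNetworkAccess "Enabled" `
    -NetworkRuleSet $networkRuleSet -ErrorAction Stop

# 3. Context: -UseConnectedAccount signs blob requests with the signed-in identity's token,
#    so the script never calls Get-AzStorageAccountKey and works with shared key access disabled.
$DestinationContext = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount

# 4. Container: -Permission Off keeps it private (no anonymous blob reads or listing).
$Container = New-AzStorageContainer -Name $ContainerName -Permission Off -Context $DestinationContext -ErrorAction Stop

# 5. Post-creation check: read the settings back rather than trusting the parameters we passed.
$acct = Get-AzStorageAccount -ResourceGroupName $TargetResourceGroup -Name $StorageAccountName
[pscustomobject]@{
    PublicBlobAccess = $acct.AllowBlobPublicAccess        # expected: False
    SharedKeyAccess  = $acct.AllowSharedKeyAccess         # expected: value of $AllowSharedKey
    MinimumTls       = $acct.MinimumTlsVersion            # expected: TLS1_2
    NetworkDefault   = $acct.NetworkRuleSet.DefaultAction # expected: Deny
    ContainerAccess  = $Container.PublicAccess            # expected: Off
}
```

Run it as the managed identity that will execute the replication (or as a user who holds Owner or User Access Administrator on the target resource group for the role assignment step). The final object is the check worth keeping in any pipeline: if a policy or a later edit re-enables public blob access or shared keys, it shows up here rather than in an audit finding.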
Nice work and thank you for sharing - do you mind if I summarize this and add a small snippet at the end of the post so it's easily consumable by others too?
Sure James, you are welcome to use it any way you like.
Replicating Azure Snapshots to Multiple Azure Regions
Replicating or synchronising Snapshots across multiple Azure Regions and Azure Subscriptions
https://jkindon.com/microsoft-azure-snapshot-replication-framework/