Configure backup for multi-account access in Azure

Contributors: netapp-tonacki

Cloud Backup enables you to create backup files in an Azure account that is different from the account where your source volumes reside. Both of those accounts can also be different from the account where the Cloud Manager Connector resides.

Just follow the steps below to set up your configuration in this manner.

Set up VNet peering between accounts

Note that if you want Cloud Manager to manage your Cloud Volumes ONTAP system in a different account or region, you need to set up VNet peering. VNet peering is not required for storage account connectivity.

  1. Log in to the Azure portal and from home, select Virtual Networks.

  2. Select the subscription you are using as subscription 1 and click on the VNet where you want to set up peering.

    screenshot azure peer1

  3. Select cbsnetwork, then from the left panel click Peerings, and then click Add.

    screenshot azure peer2

  4. Enter the following information on the Peering page and then click Add.

    • Peering link name for this network: you can give any name to identify the peering connection.

    • Remote virtual network peering link name: enter a name to identify the remote VNet.

    • Keep all the selections as default values.

    • Under Subscription, select subscription 2.

    • Under Virtual network, select the virtual network in subscription 2 with which you want to set up the peering.

      screenshot azure peer3

  5. Perform the same steps in the subscription 2 VNet, specifying the subscription and remote VNet details of subscription 1.

    screenshot azure peer4

    The peering settings are added.

    screenshot azure peer5

Create a private endpoint for the storage account

Now you need to create a private endpoint for the storage account. In this example, the storage account is created in subscription 1 and the Cloud Volumes ONTAP system is running in subscription 2.

Note: You need the Network Contributor role to perform the following actions. For reference, the built-in role definition is:
{
  "id": "/subscriptions/d333af45-0d07-4154-943dc25fbbce1b18/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
  "properties": {
    "roleName": "Network Contributor",
    "description": "Lets you manage networks, but not access to them.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Network/*",
          "Microsoft.ResourceHealth/availabilityStatuses/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

  1. Go to the storage account > Networking > Private endpoint connections and click + Private endpoint.

    screenshot azure networking1

  2. In the Private Endpoint Basics page:

    • Select subscription 2 (where the Cloud Manager Connector and Cloud Volumes ONTAP system are deployed) and the resource group.

    • Enter an endpoint name.

    • Select the region.

      screenshot azure networking2

  3. In the Resource page, set Target sub-resource to blob.

    screenshot azure networking3

  4. In the Configuration page:

    • Select the virtual network and subnet.

    • Click the Yes radio button to "Integrate with private DNS zone".

      screenshot azure networking4

  5. In the Private DNS zone list, ensure that the Private Zone is selected from the correct Region, and click Review + Create.

    screenshot azure networking5

    The storage account (in subscription 1) and the Cloud Volumes ONTAP system running in subscription 2 can now communicate through the private endpoint.

  6. Retry enabling Cloud Backup on the Cloud Volumes ONTAP system; this time it should succeed.
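As an added example that is not part of this page, the following Python check takes a role definition such as the Network Contributor JSON above and reports which of the control-plane actions behind the peering and private-endpoint steps it does not grant. The mapping of portal steps to Azure actions, including the storage-side approval action, is my assumption; the check is useful when scoping a least-privilege custom role instead of assigning Network Contributor.

```python
from fnmatch import fnmatchcase

# Actions granted by the built-in Network Contributor role (copied from the
# role definition above); that role has no notActions.
NETWORK_CONTRIBUTOR = {
    "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
    ],
    "notActions": [],
}

# Control-plane operations behind the portal steps on this page. Assumption:
# this mapping of steps to actions is mine; verify it against Azure's resource
# provider operations reference before relying on it.
REQUIRED_ACTIONS = [
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",  # add the peering
    "Microsoft.Network/virtualNetworks/peer/action",  # peer into the remote VNet
    "Microsoft.Network/privateEndpoints/write",  # create the private endpoint
    "Microsoft.Network/virtualNetworks/subnets/join/action",  # place it in the subnet
    "Microsoft.Network/privateDnsZones/write",  # "Integrate with private DNS zone"
    # Approving the connection on the storage account side (subscription 1):
    "Microsoft.Storage/storageAccounts/privateEndpointConnectionsApproval/action",
]

def _matches(pattern, action):
    """Azure RBAC wildcard: '*' also spans '/', and matching is case-insensitive."""
    return fnmatchcase(action.lower(), pattern.lower())

def is_allowed(role, action):
    """Granted when an 'actions' pattern matches and no 'notActions' pattern does."""
    granted = any(_matches(p, action) for p in role["actions"])
    denied = any(_matches(p, action) for p in role.get("notActions", []))
    return granted and not denied

def missing_actions(role, required=REQUIRED_ACTIONS):
    """Required actions that the role does not grant."""
    return [a for a in required if not is_allowed(role, a)]

if __name__ == "__main__":
    for gap in missing_actions(NETWORK_CONTRIBUTOR):
        print("not granted by Network Contributor:", gap)
```

Running it shows that Network Contributor covers every Microsoft.Network step but not the storage-account approval, which must come from a role assigned on the storage account in subscription 1.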