Creating Snapshot with Disk Access and Exporting to Azure Blob Storage

1. Context:

1. The disk from which the snapshot will be taken is already in place.


2. The subnet for the snapshot's and the storage account's private endpoints is already in place.



    

3. Because the Disk Access resource (Private Endpoint) is attached to the snapshot, the disk cannot be imported or exported to other virtual networks. Therefore, to import or export a snapshot to a storage account, both the snapshot and the storage account must have a private endpoint and be within the same virtual network.

4. The VM running the PowerShell script is in the same virtual network as the snapshot and the storage account. This ensures that the storage account name resolves to its private IP address.

5. The Az modules are installed in PowerShell.

2. Considerations:

1. If you plan to export your snapshot to an Azure Blob Storage account, the snapshot type must be Full and not Incremental. This is because Incremental snapshots in Azure contain only the changes made since the last snapshot, whereas Full snapshots include the entire disk. Azure Storage Blob Copy does not support copying Incremental snapshots.




2. If you enable the Disk Access resource (Private Endpoint) for the snapshot, you cannot import or export the snapshot to a storage account in a different region. This is because Disk Access prevents the import and export of your disk to other virtual networks. In other words, the region where the Private Endpoint subnet for the snapshot is located must be the same as the region of the storage account.

3. Use Case:

Customers with backup and disaster recovery scenarios should consider exporting an Azure snapshot to Azure Blob Storage. Additionally, enabling Disk Access provides control over the data, as import and export operations will only work within the virtual network and will not traverse the public internet.

4. Create a Disk Access (For Private Endpoint):

1. Before creating snapshots, create the Disk Access for the snapshots.

2. Search for Disk Accesses in the Global search and click on +Create.


3. Select the Subscription and the Resource Group.
4. Give a suitable name.
5. Select the region. This region should be the same as the one for the snapshot you are going to take, and the snapshot region should match the region of the VM disk.
    
6. Under the Private Endpoint section, click on +Add.
    
7. The Subscription, Resource Group and Location are selected automatically.
8. Give a suitable Name.
9. The Target resource is selected as Disks by default.
10. Select the Vnet and the Subnet.
    

11. Select Yes for Integrate with Private DNS Zone.
    
12. Click OK.

13. Add the Tags.

14. Click on Create.
    

5. Create a Snapshot:

1. Search for Snapshots in the Global search and click on +Create.
    
2. Select the Subscription and the Resource Group as needed.
3. Give a suitable name for the snapshot.
4. Select the region.
    

5. For the snapshot type, select Full.

6. Select Disk for Source type.

7. Select Source Subscription.

8. Select the required source disk.
    


9. Select the Storage type as Standard HDD (zone-redundant storage).

10. Click Next-Encryption.
    

    

11. For the key management, the default option is Platform-managed key. Keep it as is. Click Next-Networking.
    
12. For Network access, select Disable public access and enable private access.

13. For Disk access, select the Disk access created above.

14. Click Next-Advanced.
    
15. Do not check the box for Enable data access authentication mode. Leave it as is. We are using Private Endpoints for both the Snapshot and the Storage Account, so the import/export will only work when both resources are on the same Virtual Network. Additionally, the data will not traverse the public internet. Therefore, an additional layer of authentication is not required.

16. Click Next-Tags.


17. Click Review + Create.

18. Click on Create.
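
The considerations in section 2 and the networking choices made for the snapshot above can be checked from PowerShell before the export is attempted. This is an added example, not part of the original procedure; it reuses the sample names from the export script in section 6, and it assumes that the storage account sits in the same resource group as the snapshot, that the virtual network uses RFC 1918 address space, and that Connect-AzAccount has already been run on the VM.

```powershell
# Added example (not from the original page): pre-flight checks before the export.
# Sample names are the ones used in the export script; adjust to your environment.
$resourceGroupName    = "DEMO-DISKACCESS-RG-001"
$snapshotName         = "Snapshot01"
$storageAccountName   = "strdemo08"
$storageResourceGroup = $resourceGroupName   # assumption: same resource group

# Returns $true for RFC 1918 IPv4 addresses (assumed VNet address space).
function Test-PrivateIPv4 {
    param([System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Normalises "East US" and "eastus" to the same string for comparison.
function Get-Region { param([string]$Location) ($Location -replace '\s', '').ToLower() }

$snapshot = Get-AzSnapshot -ResourceGroupName $resourceGroupName -SnapshotName $snapshotName
$account  = Get-AzStorageAccount -ResourceGroupName $storageResourceGroup -Name $storageAccountName

# Resolve the blob endpoint from this VM, as the export script will see it.
$blobHost  = ([System.Uri]$account.PrimaryEndpoints.Blob).Host
$addresses = @([System.Net.Dns]::GetHostAddresses($blobHost))
$public    = @($addresses | Where-Object { -not (Test-PrivateIPv4 $_) })

$checks = [ordered]@{
    'Snapshot type is Full (not Incremental)'     = -not $snapshot.Incremental
    'Network access policy is AllowPrivate'       = $snapshot.NetworkAccessPolicy -eq 'AllowPrivate'
    'Public network access is Disabled'           = $snapshot.PublicNetworkAccess -eq 'Disabled'
    'A Disk Access resource is attached'          = -not [string]::IsNullOrEmpty($snapshot.DiskAccessId)
    'Snapshot and storage account share a region' = (Get-Region $snapshot.Location) -eq (Get-Region $account.Location)
    'Blob endpoint resolves to private IPs only'  = ($addresses.Count -gt 0) -and ($public.Count -eq 0)
}

$checks.GetEnumerator() | Format-Table Key, Value -AutoSize

# Stop here if any check failed, so the export is not attempted.
$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    throw "Pre-flight failed: $(($failed | ForEach-Object { $_.Key }) -join '; ')"
}
```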

6. Run the PowerShell script:

1. Open PowerShell using Run as Administrator.

2. Run the Connect-AzAccount command to authenticate and connect to your Azure account.
    

3. Run the script below. Make sure to enter the details that are relevant to your environment:

#Provide the subscription Id of the subscription where snapshot is created
$subscriptionId = "4e96bdf4-8940-4a7a-b21e-d2d48bc3a0e4"

#Provide the name of your resource group where snapshot is created
$resourceGroupName = "DEMO-DISKACCESS-RG-001"

#Provide the snapshot name 
$snapshotName = "Snapshot01"

#Provide Shared Access Signature (SAS) expiry duration in seconds e.g. 3600.
#Know more about SAS here: https://docs.microsoft.com/en-us/Az.Storage/storage-dotnet-shared-access-signature-part-1
$sasExpiryDuration = "3600"

#Provide storage account name where you want to copy the snapshot. 
$storageAccountName = "strdemo08"

#Name of the storage container where the downloaded snapshot will be stored
$storageContainerName = "demoblob"

#Provide the key of the storage account where you want to copy snapshot. 
$storageAccountKey = 'lUQdkVckQDDaYKyAbC5SJaGEhUeORfuLbKVPa9BaNea9caPSEi6WT1mX6KT7IshDlIW7HJBcMjHg+AStfiXo8Q=='

#Provide the name of the VHD file to which snapshot will be copied.
$destinationVHDFileName = "demossfile"

#Set the context to the subscription Id where Snapshot is created
Select-AzSubscription -SubscriptionId $subscriptionId

#Generate the SAS for the snapshot 
$sas = Grant-AzSnapshotAccess -ResourceGroupName $resourceGroupName -SnapshotName $snapshotName -DurationInSecond $sasExpiryDuration -Access Read

#Create the context for the storage account which will be used to copy snapshot to the storage account 
$destinationContext = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

#Copy the snapshot to the storage account 
Start-AzStorageBlobCopy -AbsoluteUri $sas.AccessSAS -DestContainer $storageContainerName -DestContext $destinationContext -DestBlob $destinationVHDFileName



4. The output would be displayed as below:


7. Verify:

1. Go to the Destination storage account and verify if the VHD file is created.


2. Please note: I have not changed the default configuration of the Storage Account. It is as is.
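
The export and the verification step can also be scripted so that the storage account key is read at run time instead of being pasted into the file, the copy is waited on, and the snapshot SAS is revoked as soon as the copy ends rather than staying valid for the full 3600 seconds. This is an added example, not the original script; it reuses the sample names from section 6 and assumes the storage account is in the same resource group as the snapshot and that Connect-AzAccount and Select-AzSubscription have already been run.

```powershell
# Added example (not from the original page): export, verify, then revoke the SAS.
$resourceGroupName      = "DEMO-DISKACCESS-RG-001"
$snapshotName           = "Snapshot01"
$storageAccountName     = "strdemo08"
$storageResourceGroup   = $resourceGroupName   # assumption: same resource group
$storageContainerName   = "demoblob"
$destinationVHDFileName = "demossfile"
$sasExpiryDuration      = 3600

# Fetch the account key at run time so it never lives in the script file.
$storageAccountKey  = (Get-AzStorageAccountKey -ResourceGroupName $storageResourceGroup `
                           -Name $storageAccountName)[0].Value
$destinationContext = New-AzStorageContext -StorageAccountName $storageAccountName `
                           -StorageAccountKey $storageAccountKey

# Read-only SAS for the snapshot, as in the original script.
$sas = Grant-AzSnapshotAccess -ResourceGroupName $resourceGroupName `
           -SnapshotName $snapshotName -DurationInSecond $sasExpiryDuration -Access Read
try {
    Start-AzStorageBlobCopy -AbsoluteUri $sas.AccessSAS -DestContainer $storageContainerName `
        -DestContext $destinationContext -DestBlob $destinationVHDFileName | Out-Null

    # The copy is asynchronous; block until the service reports a final state.
    $state = Get-AzStorageBlobCopyState -Container $storageContainerName `
                 -Blob $destinationVHDFileName -Context $destinationContext -WaitForComplete
    if ($state.Status -ne 'Success') {
        throw "Copy ended with status $($state.Status): $($state.StatusDescription)"
    }

    # Scripted form of the manual check in section 7: the blob exists and has data.
    $blob = Get-AzStorageBlob -Container $storageContainerName `
                -Blob $destinationVHDFileName -Context $destinationContext
    "{0} copied to {1}/{2}: {3:N0} bytes" -f $snapshotName, $storageAccountName, $blob.Name, $blob.Length
}
finally {
    # Invalidate the SAS whether the copy succeeded or failed.
    Revoke-AzSnapshotAccess -ResourceGroupName $resourceGroupName `
        -SnapshotName $snapshotName | Out-Null
}
```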