Can I run the APIM backup operation to a blob container with a time-based immutability policy set?

Tom Wolverson 21 Reputation points
2021-09-23T08:57:24.337+00:00

I am designing a backup and restore process for API Management. I was hoping to use immutability policy as an extra level of security over the backup files, ensuring that it is impossible to accidentally or intentionally tamper with or delete backups. Backup works fine without, but when I set the policy the following error message is emitted on backup:

2021-09-22T16:47:54.4076381Z ERROR: InvalidParameters: Invalid parameter: This operation is not permitted as the blob is immutable due to a policy.  

I can see the operation writes the first 22 bytes, and I assume expects to be able to update the blob with more data, which counts as modifying an existing blob and is not permitted.

Allowing appends doesn't make any difference, presumably because the operation doesn't create an append blob but a block blob. This is not that surprising, but I'd like to know whether I should expect this to be possible, or whether there is any prospect of the product being updated to support this. Backups do seem to be a good use case for the immutability feature so I'd like it to be supported.


Accepted answer
  1. Sumarigo-MSFT 43,641 Reputation points Microsoft Employee
    2021-09-26T09:36:38.707+00:00

    @Tom Wolverson Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    If the backup solution modifies the blob multiple times (either with PutBlob, PutBlockList, or other mutation), it will be blocked by design. You don’t want malicious designed or user to accidentally overwrite their backup with encrypted or empty data.

    For block blobs, it typically isn’t necessary to do partial commits with PutBlockList as the temporary block list will last 7 days from the last block written. Some apps still do call PutBlockList with partial data uploaded, but it usually isn’t necessary. The backup app should just put all of the blocks and call PutBlockList once.

    Please let us know if you have any further queries. I’m happy to assist you further.



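The difference the accepted answer describes, shown as an added example that is not part of the original thread and is not Azure SDK or APIM code: a toy in-memory model of one block blob under a time-based retention policy, fed by a writer that commits after every block and by one that stages all blocks and commits once. `WormBlockBlob`, `ImmutableError`, `backup` and `demo` are hypothetical names; the model assumes, as the answer states, that staging blocks is allowed and that only the first PutBlockList on a blob succeeds. The payload is constructed, and the 22-byte block size echoes the 22 bytes observed in the question.

```python
import io

class ImmutableError(Exception):
    """Stands in for 'This operation is not permitted as the blob is immutable due to a policy.'"""

class WormBlockBlob:
    """Toy model (assumption, not the real service) of a block blob in an immutable container."""
    def __init__(self):
        self.blocks = {}        # staged blocks: block id -> bytes
        self.committed = None   # blob content after the first successful commit

    def put_block(self, block_id, data):
        # Staging a block does not create or change the committed blob.
        self.blocks[block_id] = data

    def put_block_list(self, block_ids):
        # The first commit creates the blob; any later commit would modify it.
        if self.committed is not None:
            raise ImmutableError("blob is immutable due to a policy")
        self.committed = b"".join(self.blocks[b] for b in block_ids)

def backup(blob, stream, block_size, commit_once):
    """Upload stream in blocks, committing either after every block or once at the end."""
    ids = []
    while data := stream.read(block_size):
        ids.append(f"{len(ids):06d}")
        blob.put_block(ids[-1], data)
        if not commit_once:
            blob.put_block_list(ids)   # partial commit: the second call is rejected
    if commit_once:
        blob.put_block_list(ids)       # single commit: the blob is written exactly once

def demo():
    payload = b"H" * 22 + b"B" * 100   # constructed sample backup: header plus body
    partial, single = WormBlockBlob(), WormBlockBlob()
    try:
        backup(partial, io.BytesIO(payload), 22, commit_once=False)
        rejected = False
    except ImmutableError:
        rejected = True
    backup(single, io.BytesIO(payload), 22, commit_once=True)
    # (partial writer rejected?, bytes it left behind, single-commit blob intact?)
    return rejected, len(partial.committed), single.committed == payload

if __name__ == "__main__":
    print(demo())
```

The partial-commit writer leaves a 22-byte blob that can no longer be completed or replaced until the retention interval expires, which matches the symptom reported in the question.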