Azure Backup and Private Endpoints (UserErrorNetworkAccessPolicyIsDenyAll:Network access policy is set to deny all)

Anonymous
2023-05-03T20:36:13.12+00:00

Hi All,

We are looking to configure an Azure Recovery Services Vault which will be used for both Azure VM backups as well as (later) for MARS agent file-based backups of some on-prem servers - see below for the Bicep template.

Due to the latter we want to configure a private endpoint and disable Public Network Access. (If I read the docs right this should not make a difference to the Azure VM backup as it essentially operates in the backplane of Azure and doesn't need any public or private endpoint at all). I also understand from the docs that it's really important to create the private endpoint first before any backup workloads (which is what we did).

We have the Recovery Services Vault and the Private Endpoint configured:

  • The Private Endpoint has Connection State "Approved"
  • Public Network access of the vault is denied (kind of the point of a private endpoint)
  • I removed all NSGs for debug purposes
  • The effective route of the Azure VM routes to the private endpoint
  • DNS zone integration has worked and entries were added to the privatelink.we.backup.windowsazure.com zone which is resolvable from the VM
  • Per the docs this setup should auto-create private endpoints for storage and queues. This has not happened yet, however, I understand this only happens when the first workload is created.

I am now trying to create (manually in the portal) my first VM backup. This consistently fails deployment with

"code":"UserErrorNetworkAccessPolicyIsDenyAll","message":"Network access policy is set to deny all"

This has the sound as if it doesn't like the fact that Public Network Access is denied. However, for testing purposes I set Public network access back to "Allow from all networks" and the deployment still fails.

It seems we have created an essentially unusable Recovery Services Vault no matter the network settings.

Any idea what could be wrong?

Kind Regards

Jens


Bicep for the vault:

resource rsv_prdsec_westeu_001 'Microsoft.RecoveryServices/vaults@2023-02-01' = {
  name: vaultName
  location: location
  tags: tags
  sku: {
    name: 'RS0'
    tier: 'Standard'
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    monitoringSettings: {
      azureMonitorAlertSettings: {
        alertsForAllJobFailures: 'Enabled'
      }
      classicAlertSettings: {
        alertsForCriticalOperations: 'Disabled'
      }
    }
    securitySettings: {}
    publicNetworkAccess: 'Disabled'
    restoreSettings: {
      crossSubscriptionRestoreSettings: {
        crossSubscriptionRestoreState: 'Enabled'
      }
    }
  }
}

and here is the private endpoint as well as the DNS Zone integration:

resource pep_rsv_prdsec_westeu_001 'Microsoft.Network/privateEndpoints@2022-09-01' = {
  name: 'pep-rsv-prdsec-westeu-001'
  location: location
  tags: tags
  properties: {
    privateLinkServiceConnections: [
      {
        name: 'pep-rsv-prdsec-westeu-001'
        properties: {
          privateLinkServiceId: rsv_prdsec_westeu_001.id
          groupIds: [
            'AzureBackup'
          ]
        }
      }
    ]
    manualPrivateLinkServiceConnections: []
    subnet: {
      id: privateEndpointSNetID
    }
    ipConfigurations: [  ]
    customDnsConfigs: [  ]   
  }
}


resource backupDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
  name: 'privatelink.we.backup.windowsazure.com'
  scope: resourceGroup('XXXXXXXXXXXXXXXXXX','rg-connectivity-westeu-002') 
}

resource queueDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
  name: 'privatelink.queue.core.windows.net'
  scope: resourceGroup('XXXXXXXXXXXXXXXXX','rg-connectivity-westeu-002') 
}

resource blobDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
  name: 'privatelink.blob.core.windows.net'
  scope: resourceGroup('XXXXXXXXXXXXXXXX','rg-connectivity-westeu-002')
}


resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-09-01'= {
  name: 'backupdnsgroup'
  parent: pep_rsv_prdsec_westeu_001
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'config1'
        properties: {
          privateDnsZoneId: backupDNSZone.id
        }
      }
      {
        name: 'config2'
        properties: {
          privateDnsZoneId: queueDNSZone.id
        }
      }
      {
        name: 'config3'
        properties: {
          privateDnsZoneId: blobDNSZone.id
        }
      }
    ]
  }
}

and here is the backup the portal wants to submit:

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "armProviderNamespace": {
            "type": "String"
        },
        "vaultName": {
            "type": "String"
        },
        "vaultRG": {
            "type": "String"
        },
        "vaultSubID": {
            "type": "String"
        },
        "policyName": {
            "type": "String"
        },
        "fabricName": {
            "type": "String"
        },
        "protectionContainers": {
            "type": "Array"
        },
        "protectedItems": {
            "type": "Array"
        },
        "sourceResourceIds": {
            "type": "Array"
        },
        "extendedProperties": {
            "type": "Array"
        }
    },
    "resources": [
        {
            "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
            "apiVersion": "2016-06-01",
            "name": "[concat(parameters('vaultName'), '/', parameters('fabricName'), '/',parameters('protectionContainers')[copyIndex()], '/', parameters('protectedItems')[copyIndex()])]",
            "properties": {
                "protectedItemType": "Microsoft.ClassicCompute/virtualMachines",
                "policyId": "[resourceId(concat(parameters('armProviderNamespace'), '/vaults/backupPolicies'), parameters('vaultName'), parameters('policyName'))]",
                "sourceResourceId": "[parameters('sourceResourceIds')[copyIndex()]]",
                "extendedProperties": "[parameters('extendedProperties')[copyIndex()]]"
            },
            "copy": {
                "name": "protectedItemsCopy",
                "count": "[length(parameters('protectedItems'))]"
            }
        }
    ]
}

and last the parameters the portal filled in:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "armProviderNamespace": {
            "value": "Microsoft.RecoveryServices"
        },
        "vaultName": {
            "value": "rsv-prdsec-westeu-001"
        },
        "vaultRG": {
            "value": "rg-prdsec-weu-001"
        },
        "vaultSubID": {
            "value": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        },
        "policyName": {
            "value": "bp-prdsec-vm-westeu-001"
        },
        "fabricName": {
            "value": "Azure"
        },
        "protectionContainers": {
            "value": [
                "IaasVMContainer;iaasvmcontainerv2;rg-prdsec-weu-001;vmtrakaprdweu01"
            ]
        },
        "protectedItems": {
            "value": [
                "vm;iaasvmcontainerv2;rg-prdsec-weu-001;vmtrakaprdweu01"
            ]
        },
        "sourceResourceIds": {
            "value": [
                "/subscriptions/XXXXXXXXXXXXXXXXXXXXXXX/resourceGroups/rg-prdsec-weu-001/providers/Microsoft.Compute/virtualMachines/vmtrakaprdweu01"
            ]
        },
        "extendedProperties": {
            "value": [
                {}
            ]
        }
    }
}

Accepted answer
  1. SwathiDhanwada-MSFT 18,031 Reputation points
    2023-05-04T08:22:49.8933333+00:00

    @Anonymous Thank you for the detailed information. Can you please let me know if you are backing up your Azure VM using Enhanced policy? If so, your backup operation using Enhanced policy will fail due to network access policy settings. Only disks with ‘Public endpoint’ are supported currently (for backup using Enhanced policy). To resolve this issue, navigate to 'Disk setting > Networking > Network connectivity method' and set the connectivity method to "Public Endpoint" to enable backups with Enhanced Policy.

    2 people found this answer helpful.
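
Added example (not part of the original thread and not Microsoft tooling): a pre-check that lists which managed disks attached to the VM are not on the public-endpoint connectivity method, so the disk-level cause of `UserErrorNetworkAccessPolicyIsDenyAll` can be confirmed before changing vault settings. It assumes the disk inventory is shaped like `az disk list` JSON output and that the portal's "Public endpoint" option corresponds to `networkAccessPolicy: AllowAll`; the sample records and the subscription ID are constructed.

```python
# Constructed sample, shaped like the output of
#   az disk list --resource-group rg-prdsec-weu-001 --output json
# Field names (managedBy, networkAccessPolicy) are assumed from that output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
VM_ID = (f"{SUB}/resourceGroups/rg-prdsec-weu-001/providers/"
         "Microsoft.Compute/virtualMachines/vmtrakaprdweu01")
# ARM often returns the same ID with different casing in managedBy.
VM_ID_UPPER_RG = VM_ID.replace("rg-prdsec-weu-001", "RG-PRDSEC-WEU-001")
OTHER_VM = VM_ID.replace("vmtrakaprdweu01", "othervm01")

SAMPLE_DISKS = [
    {"name": "vmtrakaprdweu01_OsDisk", "managedBy": VM_ID_UPPER_RG,
     "networkAccessPolicy": "DenyAll"},
    {"name": "vmtrakaprdweu01_data0", "managedBy": VM_ID,
     "networkAccessPolicy": "AllowAll"},
    {"name": "vmtrakaprdweu01_data1", "managedBy": VM_ID,
     "networkAccessPolicy": "AllowPrivate"},
    {"name": "othervm01_OsDisk", "managedBy": OTHER_VM,
     "networkAccessPolicy": "DenyAll"},
    {"name": "orphan-disk", "managedBy": None,
     "networkAccessPolicy": "DenyAll"},
]


def disks_attached_to(disks, vm_id):
    """Disks whose managedBy is vm_id; resource IDs are compared case-insensitively."""
    want = vm_id.rstrip("/").lower()
    return [d for d in disks
            if (d.get("managedBy") or "").rstrip("/").lower() == want]


def blocking_disks(disks, vm_id):
    """Return (disk name, policy) for attached disks not set to AllowAll.

    A missing policy is reported as "unknown" rather than assumed to be safe.
    """
    findings = []
    for disk in disks_attached_to(disks, vm_id):
        policy = disk.get("networkAccessPolicy") or "unknown"
        if policy.lower() != "allowall":
            findings.append((disk["name"], policy))
    return findings


if __name__ == "__main__":
    for name, policy in blocking_disks(SAMPLE_DISKS, VM_ID):
        print(f"{name}: networkAccessPolicy={policy} (not public endpoint)")
```
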
