Access permissions process for copy and restore operations

Due to Azure limitations, Cloud Snapshot Manager cannot assign managed identity role to Azure Container Instance group (CSM Proxy) deployed inside a private virtual network.

For more information about the limitations, see Azure documentation, Managed Identity limitations and other limitations.

To overcome the limitations, Cloud Snapshot Manager grants permissions to the CSM Proxy Azure container in the following manner:

• Asks for the Microsoft.Storage/storageAccounts/listKeys/action permission and uses the SAS (Shared Access Signature) token authorization method.
• Creates SAS tokens for Azure storage queues using storage account keys to communicate with the CSM Proxy container.
• Creates SAS tokens for snapshots and provides them to the CSM Proxy container to read snapshots during the copy operation.
• Creates SAS tokens for page blobs to restore snapshots within a storage account. Cloud Snapshot Manager deletes these page blobs after the restore operation is complete.
• Encrypts SAS tokens (for better security) while passing them to the CSM Proxy container over a secure HTTPS channel.
• Expires SAS tokens after the copy and the restore operations are complete. By default, the tokens expire after 48 hours.
• Recommends that a network firewall be placed on the storage account while accessing the account since Azure does not restrict access. In the firewall, you must do the following:
  • Allowlist Cloud Snapshot Manager public IPs so that Cloud Snapshot Manager can communicate with the CSM Proxy container using Azure storage queues inside the storage account.
  • Allowlist CSM Proxy virtual network and subnet so that the CSM Proxy container can communicate with Cloud Snapshot Manager using Azure storage queues for copy and restore operations. For more information, see Configure CSM Proxy Network.