Troubleshooting automatic protection of managed disks with network policy set to DENY_ALL
The private endpoint connection approval operation fails with the following error:
ERROR: Failed to approve private endpoint connection HttpResponseError: 403 Forbidden
The service principal or managed identity used by NetBackup Snapshot Manager does not have the following required permission to approve private endpoint connections for disk access objects:
Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action
Workaround:
Verify that the required permission is included in the custom role assigned to the service principal or managed identity.
Check whether the following permission exists in the role definition:
az role definition list \
  --name "<role-name>" \
  --query "[].permissions[].actions" \
  --output tsv
If the permission is missing, add the permission to the custom role:
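# az role definition update takes the complete role definition as JSON.
# Add "Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action"
# to the allowed actions in the exported definition, then apply the file:
az role definition update \
  --role-definition <role-definition-file>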
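The tsv listing shows only the literal entries of the role, so a wildcard grant or a notActions exclusion is easy to misread. The following added example (not part of the NetBackup documentation) evaluates a role definition exported with --output json instead. The sample role and the function names are constructed for illustration.

```python
import copy
import re

REQUIRED = "Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action"

# Constructed sample, shaped like one element of `az role definition list --output json`.
SAMPLE_ROLE = {
    "roleName": "example-nbsm-role",
    "permissions": [{"actions": ["Microsoft.Compute/disks/*"], "notActions": []}],
}


def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive; '*' matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def check_action(role, action=REQUIRED):
    """Return 'granted', 'excluded' (a notActions entry matches it) or 'missing'."""
    status = "missing"
    for block in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in block.get("actions", []))
        denied = any(_matches(p, action) for p in block.get("notActions", []))
        if allowed and not denied:
            return "granted"
        if denied:
            status = "excluded"
    return status


def with_action(role, action=REQUIRED):
    """Return a role that grants the action; never loosens notActions on its own."""
    status = check_action(role, action)
    if status == "granted":
        return role
    if status == "excluded":
        raise ValueError("a notActions entry excludes the action; review it by hand")
    updated = copy.deepcopy(role)
    perms = updated.setdefault("permissions", [])
    if not perms:
        perms.append({})
    perms[0].setdefault("actions", []).append(action)
    return updated


if __name__ == "__main__":
    print(check_action(SAMPLE_ROLE))               # before the change
    print(check_action(with_action(SAMPLE_ROLE)))  # after the change
```

In the sample, the Microsoft.Compute/disks/* wildcard does not cover disk access objects, so the approval action is reported as missing even though the role looks disk-related.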
Private endpoint creation fails with the following error:
ERROR: Failed to create private endpoint Subnet has private endpoint network policies enabled
The subnet in which NetBackup Snapshot Manager is deployed has private endpoint network policies enabled. Azure requires these policies to be disabled on the subnet where private endpoints are created.
Workaround:
Disable private endpoint network policies on the NetBackup Snapshot Manager subnet:
az network vnet subnet update \
  --resource-group <nbsm-rg> \
  --vnet-name <vnet-name> \
  --name <subnet-name> \
  --disable-private-endpoint-network-policies true
Snapshot or backup operations fail with the following error:
ERROR: Private DNS zone resource ID is not configured in flexsnap.conf.
The parameter is not configured in the Azure section of the flexsnap.conf file.
Workaround:
Add the private DNS zone resource ID to the [azure] section of the flexsnap.conf file:
private_dns_zone_id = /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net
After updating the configuration file, restart the NetBackup Snapshot Manager services and retry the operation.
Updating the private DNS zone associated with an existing private endpoint fails with the following error:
ERROR: UpdatingPrivateDnsZoneIdOnPrivateDnsZoneConfigNotAllowed.
Message: Updating private dns zone id from /subscriptions/<subscription-id-1>/resourceGroups/<RG-1>/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net to /subscriptions/<subscription-id-2>/resourceGroups/<RG-2>/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net on private dns zone config /subscriptions/<subscription-id-1>/resourceGroups/<RG-3>/providers/Microsoft.Network/privateEndpoints/<nbsm-pe-id>/privateDnsZoneGroups/default/privateDnsZoneConfigs/<nbsm-pe-id>-dns-zone-config not allowed.
Error code: 400
A private DNS zone configuration already exists for the private endpoint. Azure does not allow updating the DNS zone ID for an existing private DNS zone configuration with the same name.
Workaround:
Manually delete the existing private DNS zone configuration associated with the private endpoint, and then allow NetBackup Snapshot Manager to recreate it with the updated configuration.
Snapshot or backup operations fail with the following error:
ERROR: DiskAccessObjectHasTooManyActiveSASes
The disk access object has reached the maximum allowed number of concurrent SAS URIs due to multiple snapshot or backup operations running at the same time.
Workaround:
Avoid running multiple snapshot or backup jobs at the same time on disks that share the same disk access object.
Backup jobs for virtual machines that use a disk access policy may fail even after enabling the required feature.
The feature is not enabled correctly, or the VM association with the policy is outdated.
Workaround:
Perform the following steps to resolve the issue:
1. Verify feature enablement:
   - Ensure that the feature is enabled in your environment.
   - Confirm that all prerequisite requirements are met.
2. Reassign the VM to the policy:
   - Remove the VM from the existing policy.
   - Reassign the VM to the same policy.
3. Verify backup execution:
   - Wait for the next scheduled backup run.
   - Confirm that the backup job completes successfully.