You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: support/azure/azure-storage/blobs/connectivity/copy-blobs-between-storage-accounts-network-restriction.md
+6-4Lines changed: 6 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -67,20 +67,22 @@ Here's the full process of this mechanism for the two scenarios:
67
67
4. The client sends PutBlockList to the destination storage to commit the blocks and finish the process after receiving a success response code from the request.
68
68
69
69
## Copy blobs between storage accounts in a Hub-spoke architecture using private endpoints
70
-
A 403 Error occurs when using AzCopy to copy blobs between Storage accounts connected to private endpoints in different Spoke VNets from a VM in a Hub VNet. You can find a "403 This request is not authorized to perform this operation - CannotVerfiyCopySource" error in the AzCopy logs or in the Azure Storage logs. The following architecture diagram shows the scenario in which the error occurs.
70
+
A 403 Error occurs when using AzCopy to copy blobs between Storage accounts connected to private endpoints in different Spoke VNets from a VM in a Hub VNet. You can find a "403 This request is not authorized to perform this operation - CannotVerifyCopySource" error in the AzCopy logs or in the Azure Storage logs. The following architecture diagram shows the scenario in which the error occurs.
71
71
72
72
:::image type="content" source="media/copy-blobs-between-storage-accounts-network-restriction/hub-spoke-network-topology-architecture.png" alt-text="Diagram that shows the 403 error of copying blobs between storage accounts in a Hub & Spoke architecture using Private Endpoints.":::
73
73
74
74
### Workaround 1: Create a private endpoint for the destination storage account in the source VNet
75
-
A Possible workaround is to create a private endpoint for the destination storage account in the source VNet. This configuration allows the VM to successfully copy the blobs between the storage accounts by using AzCopy. The following architecture diagram shows the process of copying blobs between storage accounts in the Workaround 1.
75
+
A possible workaround is to create a private endpoint for the destination storage account in the source VNet. This configuration allows the VM to successfully copy the blobs between the storage accounts by using AzCopy. The following architecture diagram shows the process of copying blobs between storage accounts in Workaround 1.
76
76
77
77
:::image type="content" source="media/copy-blobs-between-storage-accounts-network-restriction/hub-spoke-network-topology-architecture-mitigation-1.png" alt-text="Diagram that shows the process of copying blobs between storage accounts in Workaround 1.":::
78
78
79
-
### Workaround 2: Place the VM in the same VNet as the source storage account and peer the VNet with the destination VNet
80
-
Another option is to place the VM within the same VNet as the source storage account. Then, establish peering between this VNet and the destination VNet. The following architecture diagram shows the process of copying blobs between storage accounts in Workaround 2.
79
+
### Workaround 2: Place the VM in the same VNet as the source storage account and configure VNet peering between the source and destination VNets
80
+
Another option is to place the VM within the same VNet as the source storage account and set up [virtual network peering](/azure/virtual-network/virtual-network-peering-overview) between this VNet and the destination VNet. This peering needs to be directly between the two VNets and cannot be done through the hub VNet. The following architecture diagram shows the process of copying blobs between storage accounts in Workaround 2.
81
81
82
82
:::image type="content" source="media/copy-blobs-between-storage-accounts-network-restriction/hub-spoke-network-topology-architecture-mitigation-2.png" alt-text="Diagram that shows the process of copying blobs between storage accounts in Workaround 2.":::
83
83
84
+
More information, see [Virtual network peering FAQ](/azure/virtual-network/virtual-networks-faq#virtual-network-peering).
85
+
84
86
### Workaround 3: Use a temporary staging account to copy the data
85
87
If you're unable to implement the previously mentioned workarounds or are restricted from changing the existing network configuration of the storage account or VNet, you can use a temporary staging account to copy the data:
0 commit comments