Creating a Commvault Cloud Library for Azure with Powershell
The primary two components necessary to configuring Commvault in Azure are Blob storage and/or a Virtual Machine. Below is Powershell that accomplishes both. All commands are specific to creating new entities but at the bottom is a command to update the Network Security Group. The variables should be modified as appropriate. Each section is discussed inline.
The new Az module replaces AzureRM. From what I can tell, the commands and options are similar if not exactly the same. It has specific minimum requirements. More information: Overview of Azure PowerShell
- If not already installed, then install Azure module
Install-Module -Name Az -AllowClobber
- The following command will bring up a GUI login prompt. Make sure the account you specify has sufficient privileges. Connect to Azure with enough priviledges if not already connected.
Connect-AzAccount
- All the following command does is bring up a GUI login prompt to store username and password values securely. This will be used later for the admin account to login to the new VM created. From my testing the username needed to have at least 5 characters and could not be admin nor administrator. Input new credentials for VM Admin User. Only necessary if creating VM. This will prompt to create via login UI.
$credential = Get-Credential
- The following provide the name to be used for the new Resource Group and Virtual Network. It also specifies the region. All of the these values should be specific to your environment. Make sure the region is correct. Provide a name and location for the new resource group and virtual network.
$resourceGroupName = "CVTestLabWest01" $location = "westus" $vnetname = "CVTestLabWestVirtualNetwork"
- The following will be how the new Azure VM will be configured. This will determine the size, name, and operating system of the new server. To determine the appropriate size naming, the following link is helpful: Azure Windows VM sizes - General purpose
To determine the specific OS of choice the following link is helpful: Select Windows VM images in Azure. Below are Virtual Machine Variables
$ma = "CVMA01" $vmSize = "Standard_B2ms" $publisherName = "MicrosoftWindowsServer" $offer = "WindowsServer" $skus = "2016-Datacenter"
- Below are customer specific storage name information. Both new values must be globally unique and all lowercase. Provide names for storage account and container.
$storageaccountName = "cvtestlabweststorage01" $container = "cvtestlabwestcontainer01"
- The base component necessary for all of the other components is the Resource Group. If you do not already have this or want everything for Commvault in a new dedicated Resource Group then it can be expected that all of the following steps will be necessary depending on what is required. Create New Resource Group
New-AzResourceGroup -Name $resourceGroupName -Location $location
- After the Resource Group is created the next component required whether creating a cloud library and/or configuring a new Azure VM for Commvault is a Storage Account. The storage kind and sku will vary depending on requirements. The following link may be of some help with determining the storage to specify: link. Create Storage Account.
$storageaccount = New-AzStorageAccount -ResourceGroupName $resourcegroupName -Name $storageaccountName -Location $location -Kind "StorageV2" -SkuName "Standard_LRS"
- Once the storage account is created then create a new container for the Commvault cloud library. Create a new storage container
$ctx = $storageaccount.Context New-AzStorageContainer -Name $container -Context $ctx -Permission Off
- Now that we have created a Storage Account and Container we have the necessary values the Commvault Cloud Library wizard will ask for when configuring an Azure Cloud Library. We will need three values for later use including the storage account name, container name, and access key. Let’s store them in a text file for later use. Get details for cloud lib creation and export out to file for reference use later in Commvault cloud library creation
$storageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $resourcegroupName -Name $storageAccountName).Value[0] "StorageAccountName: $storageaccountName, ContainerName: $container, Access Key: $storageAccountKey" | Out-File -FilePath c:\cloudlib_details.txt
- If we are to configure an Azure VM then it will need a network to function in. If you don’t have the network infrastructure, then the following commands create a new network and associated subnet. Create a virtual network for use by Commvault infrastructure in Azure.
$virtualNetwork = New-AzVirtualNetwork -ResourceGroupName $resourceGroupName -Location $location -Name $vnetname -AddressPrefix 10.0.0.0/16 $subnetConfig = Add-AzVirtualNetworkSubnetConfig -Name default -AddressPrefix 10.0.0.0/24 -VirtualNetwork $virtualNetwork $virtualNetwork | Set-AzVirtualNetwork
- Out-of-the-box the VM will be almost completely restricted. It is necessary to open ports to access the server and for Commvault communication. In the following example, incoming traffic is allowed for RDP and Commvault traffic but the source is limited to (1) one IP address, but this will vary. A rule is added to allow all outbound traffic or else tunneling back in a one-way firewall configuration will fail. So for example, if your testing this at home the source IP would be your router public IP. The one-way firewall would then be set as blocked incoming to your home lab CommServe and restricted on 8403 to the Azure VM. Only the CommServe can initiate communication in this configuration. Configure network to allow certain network traffic including Commvault and RDP
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description "Allow RDP" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix 239.2.2.5 -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 $rule2 = New-AzNetworkSecurityRuleConfig -Name 'Allow-CV' -Description "Allow Commvault" -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 -SourceAddressPrefix 239.2.2.5 -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 8400-8403 $rule3 = New-AzNetworkSecurityRuleConfig -Name 'Allow-Outbound-All' -Description "Allow All Outbound" -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange * $cvnsg = New-AzNetworkSecurityGroup -ResourceGroupName $resourceGroupName -Location $location -Name "CvNsg-Incoming" -SecurityRules $rule1,$rule2,$rule3 Set-AzVirtualNetworkSubnetConfig -Name "default" -VirtualNetwork $virtualNetwork -AddressPrefix "10.0.0.0/24" -NetworkSecurityGroup $cvnsg $virtualNetwork | Set-AzVirtualNetwork
- Once the network is in place we can create a NIC to be used by the VM. Configure networking for new VM
$vnet = Get-AzVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName $mypubIP = New-AzPublicIpAddress -Name myVMPublicIP -ResourceGroupName $ResourceGroupName -AllocationMethod static -Location $location $NIC = New-AzNetworkInterface -Name "basic-NIC" -ResourceGroupName $ResourceGroupName -Location $location -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $mypubIP.Id
- Configure and then create your new VM. This process takes ~5 minutes. Configure VM Settings
$VirtualMachine = New-AzVMConfig -VMName $ma -VMSize $vmSize $VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $ma -Credential $Credential -ProvisionVMAgent -EnableAutoUpdate $VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id $VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName $publisherName -Offer $offer -Skus $skus -Version latest
- Create new VM with settings
New-AzVM -ResourceGroupName $ResourceGroupName -Location $location -VM $VirtualMachine
You made it all the way down here. Well, good on ya! Now, relax and enjoy a coffee.
Extra
It may be the case, that you already have everything in place and you just need to open ports to an existing NSG (Network Security Group). The following command can be used for this. If need to add more open ports the following command can be used to add more. Just modify as necessary
Get-AzNetworkSecurityGroup -Name "CvNsg-Incoming" -ResourceGroupName $ResourceGroupName | Add-AzNetworkSecurityRuleConfig -Name "Test-Rule" -Description "Allow Outbound All Test" -Access "Allow" -Protocol "Tcp" -Direction "Outbound" -Priority 200 -SourceAddressPrefix "*" -SourcePortRange "*" -DestinationAddressPrefix "*" -DestinationPortRange "*" | Set-AzNetworkSecurityGroup