Hi, I have created one snapshot from azure managed disk with network connectivity as " Disable public access and enable private access ". Specifically, I have created disk access in which I have created private endpoint with private DNS Zone. Now, I ran following command to obtain shared access signature az snapshot grant-access --resource-group resource-group-name --name snapshot-name duration-in-seconds 3600 --query [accessSas] -o tsv After getting that SAS, I ran following command to export snapshot to storage account az storage blob copy start --destination-blob blob_name --destination-container container_name --account-name storageaccountname --account-key key --source-uri $sas-retrieved-from-above-command The command throws this error, Could not verify copy source. ErrorCode:CannotVerifyCopySource After reading this article, I tried to modiy the SAS and then error slightly changed to this Could not verify the copy source within the specified time. ErrorCode:CannotVerifyCopySource Is there something that I am doing wrong here? how can I resolve this error? Thanks

Hi @Gaurav Chawda , I understand that you want to copy a disk snapshot (access via private endpoint) to a storage blob. The command "az storage blob copy start" is telling the storage blob to copy an object from an URI. Azure Storage Blob will try to reach the object from public endpoint, which will fail because you've disabled public access for your managed disk and snapshot. Azure Storage Blob will not have access to the private endpoint. The only way you access the snapshot is from an Azure VM that has network connectivity to the private endpoint of your snapshot, then use azcopy or Storage Explorer from the VM to access the snapshot and copy it into the Storage Blob. azcopy copy <SAS for snapshot> <SAS for Storage Blob> The Storage Blob can either use private endpoint or public endpoint. Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how .

Hi Gaurav Chawda , just checking in to see if the above provided answers helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know. Please let us know if you have any further queries. I’m happy to assist you further.

Can't export managed disk snapshot with private endpoint through disk access

Accepted answer

Silvia Wibowo 3,411 Reputation points Microsoft Employee

2024-01-10T05:05:36.08+00:00

Hi @Gaurav Chawda , I understand that you want to copy a disk snapshot (access via private endpoint) to a storage blob.

The command "az storage blob copy start" is telling the storage blob to copy an object from an URI. Azure Storage Blob will try to reach the object from public endpoint, which will fail because you've disabled public access for your managed disk and snapshot. Azure Storage Blob will not have access to the private endpoint. The only way you access the snapshot is from an Azure VM that has network connectivity to the private endpoint of your snapshot, then use azcopy or Storage Explorer from the VM to access the snapshot and copy it into the Storage Blob.

azcopy copy <SAS for snapshot> <SAS for Storage Blob>

The Storage Blob can either use private endpoint or public endpoint.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Please sign in to rate this answer.
Gaurav Chawda 20 Reputation points

2024-01-10T17:29:33.5333333+00:00

I tried using azcopy but it is failing with this error.

409 Source blob of a copy operation cannot be non-snapshot incremental copy blob

Additionally, if I configure storage account on different tenant, I am getting "CannotVerifyCopySource" error, is there any work around for it?

Silvia Wibowo 3,411 Reputation points Microsoft Employee

2024-01-10T22:35:09.2766667+00:00

-deleted- duplicated entry because of server error.

Silvia Wibowo 3,411 Reputation points Microsoft Employee

2024-01-10T22:38:33.8266667+00:00

Hi @Gaurav Chawda , let's keep this thread for 1 issue: copying from blob to another blob within the same tenant. You can open another question for different tenant. As error message mentioned: Source blob of a copy operation cannot be non-snapshot incremental copy blob. Have you tried copying a full snapshot?

Gaurav Chawda 20 Reputation points

2024-01-11T05:29:18.8133333+00:00

Yes, copying of full snapshot is working.
How can I accomplish the same for incremental snapshot?

Silvia Wibowo 3,411 Reputation points Microsoft Employee

2024-01-11T23:10:20.5566667+00:00

It's incremental snapshot, useless without the full snapshot (can't recover based on incremental snapshot only), which is why there's no point of copying it elsewhere.

Gaurav Chawda 20 Reputation points

2024-01-12T04:43:29.7633333+00:00

But when I was trying this with public snapshots, following command (Azure CLI) worked even with incremental snapshots.

az storage blob copy start --destination-blob blob_name --destination-container container_name --account-name storageaccountname --account-key key --source-uri $sas

In documentation, it is mentioned that it can be copied.
I don't understand we can copy public incremental snapshots but cannot copy private incremental snapshots to storage account.

Nehruji R 4,126 Reputation points Microsoft Vendor

2024-01-15T06:21:24.1566667+00:00

Hello Gaurav Chawda,

Incremental snapshots are point-in-time backups for managed disks that, when taken, consist only of the changes since the last snapshot. The first incremental snapshot is a full copy of the disk. The subsequent incremental snapshots occupy only delta changes to disks since the last snapshot.

To create incremental snapshots with private access in Azure, you can follow similar steps as you did for the original snapshot, ensuring that you maintain the private access and private endpoint configuration.

Please refer - https://video2.skills-academy.com/en-us/azure/virtual-machines/disks-incremental-snapshots?tabs=azure-clifor creating a incremental snapshot which describes briefly on how to create in Azure Portal, Azure CLI, ARM or Azure PowerShell.

Ensure that the incremental snapshot creation process is similar to how you created the original snapshot and with the same private endpoint and private DNS zone configurations.

After creating the incremental snapshot, verify that the private access settings are maintained. Check the "Disable public access and enable private access" configuration for the managed disk.

Ensure that the private endpoint connection is established for the incremental snapshot. If it's not, you may need to create a new private endpoint connection.

Review the network policies and configurations for the private endpoint, ensuring that it allows the necessary traffic.

Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.

Gaurav Chawda 20 Reputation points

2024-01-16T04:59:46.15+00:00

@Nehruji R @Silvia Wibowo
I have created one managed disk incremental snapshot with private access and one managed disk incremental snapshot with public access.
As per your suggestion, I have created a VM on same VNET as my private endpoint and used Azcopy to first transfer snapshot with private access where I am getting the following error.

409 Source blob of a copy operation cannot be non-snapshot incremental copy blob

Now when I try to use same command to copy snapshot with public access it gets copied successfully without any errors.

I wanted to understand why we can copy public incremental snapshots but cannot copy private incremental snapshots to storage account?

Silvia Wibowo 3,411 Reputation points Microsoft Employee

2024-01-16T07:24:03.7466667+00:00

Hi @Gaurav Chawda, let's go back to what matters: what is your use case? What's the goal of copying snapshot to another storage blob?

Gaurav Chawda 20 Reputation points

2024-01-16T07:52:59.2066667+00:00

@Silvia Wibowo I wanted to perform certain operation on files of that disk without affecting performance of vm and disk. That's why will create snapshot, copy that snapshot to storage account in different region and create disk from that VHD file in storage account and attach it to the different vm for that operation.

Silvia Wibowo 3,411 Reputation points Microsoft Employee

2024-01-17T23:01:28.1733333+00:00

Hi @Gaurav Chawda, I think you need to copy a full snapshot of the disk. I don't think you can create a disk based on an incremental snapshot. However, I'm happy to be proven wrong. If your goal is to create another copy of the disk, you can do it in the same region, which means you don't have to copy the snapshot across, simpler, isn't it? Unless there's another reason to use another region.

Gaurav Chawda 20 Reputation points

2024-01-18T05:41:57.72+00:00

Hi @Silvia Wibowo
I have tested snapshot export and disk creation on public incremental snapshot, and it is working without any errors and I can see all the data on disk.
I am not understanding why it is not working with private access incremental snapshot.
In this documentation, it is mentioned that the system reconstructs full disk at the time of restore. I think this is happening even when you are exporting snapshot to storage account.
For organizational reasons, I cannot create temporary disk in that same region that's why I have to copy the snapshot to another region.

Silvia Wibowo 3,411 Reputation points Microsoft Employee

2024-01-18T05:58:23.0766667+00:00

Hi @Gaurav Chawda, incremental snapshots will have a reference/pointer to the last snapshot and the full snapshot, to be able to reconstruct the whole disk when restoring. I suspect the reference uses public endpoint, which will explain the behaviour you observed: it works with public endpoint, not with private endpoint. I suggest you create a support request so support engineer can confirm/dispel my suspicion or suggest a better way. They have access to logs and PG (Product Group). Thank you.
Sign in to comment

Share via

Can't export managed disk snapshot with private endpoint through disk access

1 additional answer