Azure CVO HA deployment fails in non-region pair with error "This request is not authorized to perform this operation"
Applies to
- Azure CVO HA deployment
- Azure CVO and Connector in different region pairs
- Azure Private Link disabled or not working
- Azure Storage Account creation
- BlueXP 3.9.25+
Issue
- Azure CVO HA deployment fails with the error below when Azure CVO and CM are not in Azure region pairs and Azure Private Link to the Storage Accounts is disabled or not working.
- Error can be seen in the BlueXP timeline:
This request is not authorized to perform this operation
onCreate Container task
Create Container (6)
Failed
{
  "storageAccountName": "rootsaxxxx",
  "containerName": "blobcontainer",
  "requestContext": "Create Azure Ha Working Environment",
  "useProxy": true,
  "_failure": "This request is not authorized to perform this operation. ",
  "_resourceGroup": "CVO-RG"
}
Update Storage Account Network Rules
Failed
{
  "storageAccount": "rootsaxxxxx",
  "defaultAction": "Deny",
  "networkRules": [
    {
      "action": "Allow",
      "id": "/subscriptions/79f9c07a-xxxxx-yyyy-a761-84c910955d4a/resourceGroups/CVO-RG/providers/Microsoft.Network/virtualNetworks/CVO-vNET/subnets/CVO-SUBNET"
    },
    {
      "action": "Allow",
      "id": "/subscriptions/3efcd6c9-zzzz-uuuu-a431-0971b4fd6c2c/resourceGroups/CM-RG/providers/Microsoft.Network/virtualNetworks/CM-VNET/subnets/CM-SUBNET"
    }
  ],
  "_failure": "Validation of network acls failure: ResourceBeingAcledHasWrongLocation:Microsoft.Storage resources in System.Linq.Enumerable+<ExceptIterator>d__73`1[System.String] cannot be ACL-ed to virtual network /subscriptions/79f9c07a-xxxxx-yyyy-a761-84c910955d4a/resourceGroups/CVO-RG/providers/Microsoft.Network/virtualNetworks/CVO-vNET in uksouth. Only resources in uksouth, ukwest can be ACL-ed to virtual networks in uksouth.. Code: NetworkAclsValidationFailure ",
  "_resourceGroup": "RNB-P-NetAppCvo-NA20-RGRP2"
}
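
The following triage helper is an added example, not NetApp or BlueXP code. It parses a failed "Update Storage Account Network Rules" task like the one above and reports the VNet region, the regions Azure lists as allowed, and which requested rules point at that VNet. The function names and the sample task (placeholder IDs, `rootsaexample`, `<location>`) are assumptions constructed for illustration.

```python
import re

# Wording of the region-pair rejection, taken from the "_failure" text above.
ACL_RE = re.compile(
    r"cannot be ACL-ed to virtual network (?P<vnet>\S+) in (?P<region>[a-z0-9]+)\. "
    r"Only resources in (?P<allowed>[a-z0-9, ]+?) can be ACL-ed"
)

def triage_network_rule_failure(task):
    """Return region details for a failed network-rules task, or None if unrelated."""
    failure = task.get("_failure", "")
    match = ACL_RE.search(failure)
    if "NetworkAclsValidationFailure" not in failure or match is None:
        return None
    vnet = match.group("vnet")
    prefix = vnet.lower() + "/subnets/"
    return {
        "storage_account": task.get("storageAccount"),
        "vnet_id": vnet,
        "vnet_region": match.group("region"),
        "allowed_regions": [r.strip() for r in match.group("allowed").split(",")],
        # Rules in the request that point at subnets of the VNet named in the error.
        "rejected_rules": [r["id"] for r in task.get("networkRules", [])
                           if r.get("id", "").lower().startswith(prefix)],
    }

def storage_region_ok(finding, storage_region):
    """True if storage_region is in the list the error message gives as allowed."""
    return storage_region.lower() in finding["allowed_regions"]

# Constructed sample modelled on the payload above; every ID and name is a placeholder.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
CVO_VNET = RG + "/CVO-RG/providers/Microsoft.Network/virtualNetworks/CVO-vNET"
CM_VNET = RG + "/CM-RG/providers/Microsoft.Network/virtualNetworks/CM-VNET"
SAMPLE_TASK = {
    "storageAccount": "rootsaexample",
    "defaultAction": "Deny",
    "networkRules": [
        {"action": "Allow", "id": CVO_VNET + "/subnets/CVO-SUBNET"},
        {"action": "Allow", "id": CM_VNET + "/subnets/CM-SUBNET"},
    ],
    "_failure": "Validation of network acls failure: ResourceBeingAcledHasWrongLocation:"
                "Microsoft.Storage resources in <location> cannot be ACL-ed to virtual "
                "network " + CVO_VNET + " in uksouth. Only resources in uksouth, ukwest "
                "can be ACL-ed to virtual networks in uksouth.. Code: "
                "NetworkAclsValidationFailure ",
}

if __name__ == "__main__":
    print(triage_network_rule_failure(SAMPLE_TASK))
```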