none
How to connect to -secondary storage container ?

    Question

  • I have storage account stacc with type Read-access geo-redundant storage (RA-GRS) in West Europe Region (North Europe is a pair)

    I backup my db to atacc/container: 

    BACKUP DATABASE [fb] TO  URL = N'https://stacc.blob.core.windows.net/container/fb_backup.bak'  WITH CREDENTIAL = 'Credl', COMPRESSION

    and I need restore it on Pair region (North Europe):

    RESTORE DATABASE fb_new FROM URL = 'https://stacc-secondary.blob.core.windows.net/container/fb_backup.bak'
    WITH CREDENTIAL = 'Credl', MOVE 'fb' to 'F:\AL-Data\fb_new.mdf', MOVE 'fb_log' to 'F:\AL-Data\fb_new.ldf', NORECOVERY

    and get ERROR:

    Msg 3271, Level 16, State 1, Line 23
    A nonrecoverable I/O error occurred on file "https://stacc-secondary.blob.core.windows.net/container/fb_backup.bak:" Backup to URL received an exception from the remote endpoint. Exception Message: The remote server returned an error: (403) Forbidden..
    Msg 3013, Level 16, State 1, Line 23
    RESTORE DATABASE is terminating abnormally.

    Why? How I can restore backup from secondary region ?

    Restore from primary(https://stacc.blob.core.windows.net/container/fb_backup.bak) region work well


    • Edited by HELLOWORD1 Tuesday, March 28, 2017 11:13 AM
    Monday, March 27, 2017 2:31 PM

All replies

  • The storage account "stacc" does not have RA-GRS enabled and it is not in west Europe. Did you provide the wrong account name?
    Tuesday, March 28, 2017 4:50 PM
  • This is a fictional account, just for forum sample
    Wednesday, March 29, 2017 6:04 AM
  • Can you verify that you can access the secondary via .NET/Client Library or copy the backup directly to the VM via AzCopy?

    Are you defining credentials for the secondary replica of the storage account by referencing the name of the secondary storage account?

    hth
    Marcin

    Wednesday, March 29, 2017 12:00 PM
  • Can you verify that you can access the secondary via .NET/Client Library or copy the backup directly to the VM via AzCopy?

    I test it. but not access. 403 Forbiden

    string StorageAccount = "stacc";
                string StorageKey = "KEY_1";

                CloudStorageAccount storageAccount = new CloudStorageAccount(new StorageCredentials(StorageAccount, StorageKey), true);

                var blobClient = storageAccount.CreateCloudBlobClient();
                var container = blobClient.GetContainerReference("container");


                var blobDirectory = container.GetDirectoryReference("");
                var list = blobDirectory.ListBlobs().ToList();

    in list all files in container. but if a add suffix (-secondary) to account name (first line):

    string StorageAccount = "stacc-secondary";

    I get Exception 403 Forbiden

    Are you defining credentials for the secondary replica of the storage account by referencing the name of the secondary storage account?

    RA-GRS - It is written that for-secondary suffixes do not need additional keys, or am I wrong?


    • Edited by HELLOWORD1 Thursday, March 30, 2017 2:56 PM
    Thursday, March 30, 2017 2:14 PM
  • That's correct - the secondary replicas are using the same keys - but obviously the storage account name is different (so effectively you would need a separate credential when running the restore).

    CREATE CREDENTIAL [<mycredentialname>] WITH IDENTITY = '<mystorageaccountname>
    ,SECRET = '<mystorageaccountaccesskey>'; 

    hth
    Marcin

    Thursday, March 30, 2017 3:05 PM
  • The storage account does not have a different name on the secondary. It is the same storage account, but you access it using a different URL. So appending -secondary to the name is not correct. To access secondary, send your request to the secondary endpoint. No other changes to the request are needed or permitted. Specifically, sending "account-secondary" in the Authorization header will cause the request to fail. Use the account name without the -secondary suffix instead.
    • Proposed as answer by Md Shihab Thursday, March 30, 2017 5:33 PM
    Thursday, March 30, 2017 3:29 PM
  • , send your request to the secondary endpoint

    In restore cmd I using URL with secondary endpoint. and  CREDENTIAL = 'Credl' - it registered with stacc and key

    RESTORE DATABASE fb_new FROM URL = 'https://stacc-secondary.blob.core.windows.net/container/fb_backup.bak'
    WITH CREDENTIAL = 'Credl', MOVE 'fb' to 'F:\AL-Data\fb_new.mdf', MOVE 'fb_log' to 'F:\AL-Data\fb_new.ldf', NORECOVERY

    Friday, March 31, 2017 9:33 AM
  • In your .NET code, don't set the storage account name to "account-secondary". Instead set LocationMode.SecondaryOnly in the request options.

    Also, if you provide a request ID of a failing request (returned in the x-ms-request-id header) then I can check it for you.

    Friday, March 31, 2017 3:32 PM
  • Yjw can i use LocationMode Enumeration ?

    My Code:

    var blobContainer = GetBlobContainer(containerName);
                    var blobDirectory = blobContainer.GetDirectoryReference(directoryName);
                    var blobInfos = new List<BlobFileInfo>();
                    var blobs = blobDirectory.ListBlobs().ToList();

    blobs  - list my backup files.

    foreach (var blob in blobs) ->

    CloudPageBlob b = blob as CloudPageBlob;
    Console.WriteLine(string.Format("Name: {0}", b.Name));
    Console.WriteLine(string.Format("PrimaryUri: {0}", b.StorageUri.PrimaryUri));
    Console.WriteLine(string.Format("SecondaryUri: {0}", b.StorageUri.SecondaryUri));

    How I can download it (b) from -secondary location?

    I test it:

    var bl = new CloudPageBlob(b.StorageUri.SecondaryUri, storageAccount.Credentials);
    Console.WriteLine("----- SECONDARY -----");
    watch = Stopwatch.StartNew();
    bl.DownloadToFile("c:\\temp\\SECONDARY_" + bl.Name, FileMode.CreateNew);
    watch.Stop();

    If I run code on primary location. download take time longer.

    Correctly  I do ? Or there is another way, more elegant ?

    Saturday, April 1, 2017 12:06 PM
  • I think your code should work, or you can add this line:

    blobContainer.ServiceClient.DefaultRequestOptions.LocationMode = LocationMode.SecondaryOnly;
    Sunday, April 2, 2017 5:03 PM
  • Yes LocationMode work in .NET. I view request in Fiddler to -secondary!

    But. How to correctly execute the RESTORE statement from the secondary ?

    If I use C #. Then first I need to download the file and only then perform the RESTORE operation.
    I would like to do a RESTORE directly from the cloud, from the secondary region, the virtual machine of the reserve is located in the secondary region.

    Monday, April 3, 2017 8:56 AM
  • Can you get a fiddler capture of the RESTORE command to see what it is doing and where it is going wrong?
    Monday, April 3, 2017 11:09 PM