TomWolverson-5201 asked TomWolverson-5201 commented

Can I run the APIM backup operation to a blob container with a time-based immutability policy set?

I am designing a backup and restore process for API Management. I was hoping to use immutability policy as an extra level of security over the backup files, ensuring that it is impossible to accidentally or intentionally tamper with or delete backups. Backup works fine without, but when I set the policy the following error message is emitted on backup:

 2021-09-22T16:47:54.4076381Z ERROR: InvalidParameters: Invalid parameter: This operation is not permitted as the blob is immutable due to a policy.

I can see the operation writes the first 22 bytes, and I assume expects to be able to update the blob with more data, which counts as modifying an existing blob and is not permitted.

Allowing appends doesn't make any difference, presumably because the operation doesn't create an append blob but a block blob. This is not that surprising, but I'd like to know whether I should expect this to be possible, or whether there is any prospect of the product being updated to support this. Backups do seem to be a good use case for the immutability feature so I'd like it to be supported.

Tags: azure-blob-storage, azure-api-management

1 Answer

Sumarigo-MSFT answered TomWolverson-5201 commented

@TomWolverson-5201 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

If the backup solution modifies the blob multiple times (either with PutBlob, PutBlockList, or another mutation), it will be blocked by design. You don’t want a malicious actor or a user accidentally overwriting their backup with encrypted or empty data.

For block blobs, it typically isn’t necessary to do partial commits with PutBlockList, as the temporary block list will last 7 days from the last block written. Some apps still do call PutBlockList with partial data uploaded, but it usually isn’t necessary. The backup app should just put all of the blocks and call PutBlockList once.

Please let us know if you have any further queries. I’m happy to assist you further.



Thanks @Sumarigo-MSFT - that's what I assumed. To be clear, this is using the API Management backup and restore commands that are supplied as part of the platform, not something I have built myself, so I don't have a means to change it. I was not aware of PutBlock/PutBlockList as a pattern; is it right that potentially if the API Management team are aware of this, it might provide an avenue to making the backup operation respect atomicity of blobs as an enhancement and therefore permit backing up to an immutable container?
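
The PutBlock/PutBlockList pattern discussed in the answer and the comment above, as an added example that is not part of the original thread and is not API Management's code. `ImmutableContainerStub` and the two `backup_*` functions are hypothetical names, and the stub is a constructed, simplified model of the policy; `stage_block` and `commit_block_list` mirror the `BlobClient` methods in the `azure-storage-blob` Python SDK.

```python
import io

class ImmutableContainerStub:
    """Constructed, simplified model of one blob path under a time-based
    retention policy: the blob can be created once, never rewritten.
    Method names mirror azure-storage-blob's BlobClient."""
    def __init__(self):
        self.staged = {}       # uncommitted blocks, not yet part of the blob
        self.committed = None  # blob content after the first commit

    def stage_block(self, block_id, data):
        self.staged[block_id] = bytes(data)

    def commit_block_list(self, block_list):
        if self.committed is not None:
            raise PermissionError("This operation is not permitted as the "
                                  "blob is immutable due to a policy.")
        self.committed = b"".join(self.staged[b] for b in block_list)

def _chunks(stream, size):
    return enumerate(iter(lambda: stream.read(size), b""))

def backup_with_partial_commits(blob, stream, chunk_size):
    """Commits after each block; the second commit mutates an existing blob."""
    ids = []
    for i, chunk in _chunks(stream, chunk_size):
        ids.append(f"{i:08d}")
        blob.stage_block(ids[-1], chunk)
        blob.commit_block_list(list(ids))
    return len(ids)

def backup_with_single_commit(blob, stream, chunk_size, wrap=lambda b: b):
    """Stages every block, then creates the blob with one commit.
    Against the real SDK, pass wrap=azure.storage.blob.BlobBlock."""
    ids = []
    for i, chunk in _chunks(stream, chunk_size):
        ids.append(f"{i:08d}")  # block IDs must be equal length within a blob
        blob.stage_block(ids[-1], chunk)
    blob.commit_block_list([wrap(b) for b in ids])
    return len(ids)

if __name__ == "__main__":
    payload = b"constructed backup payload " * 10
    ok = ImmutableContainerStub()
    print(backup_with_single_commit(ok, io.BytesIO(payload), 64), "blocks, one commit")
    try:
        backup_with_partial_commits(ImmutableContainerStub(), io.BytesIO(payload), 64)
    except PermissionError as err:
        print("partial commits blocked:", err)
```

The partial-commit variant leaves only its first chunk in the blob before the policy rejects the next write, which matches the truncated blob described in the question.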
