Cross-Region Storage Access
During DR recovery, the secondary cluster must read the global snapshot from the primary cluster's Azure Blob Storage container.
Requirements:
- Network-level access - Storage firewall IP rules allowing the secondary's NAT Gateway IP
- Authentication - Storage account key (AZURE_RECOVER_FROM_ACCOUNTKEY)
- (Optional) RBAC - Storage Blob Data Reader role on primary storage account
Cross-Region Storage Architecture
Data Flow Summary
| Direction | Data Exchanged | Purpose |
|---|---|---|
| Primary → Secondary | storage_account_id | Target for firewall update |
| Primary → Secondary | storage_encryption_key | Decrypt global snapshot |
| Primary → Secondary | storage_account_key | Authenticate to primary storage |
| Primary → Secondary | storage_account_name, storage_container_name | Locate primary bucket |
| Primary → Secondary | storage_ip_rules | Existing IP rules to merge |
| Primary → Secondary | storage_vnet_rules | Existing VNet rules to merge |
| Secondary → Primary | NAT Gateway IP | Merged into storage firewall |
| Secondary → Primary | Subnet IDs | Merged into VNet rules |
Verification
```shell
# Check primary storage account firewall IP rules
az storage account show \
  --name <primary-storage-account> \
  --resource-group <primary-rg> \
  --query "networkRuleSet.ipRules" -o table

# Get secondary NAT Gateway IP for comparison
terraform workspace select secondary
terraform output nat_gw_public_ip

# Test connectivity from secondary LogScale pod
kubectl exec -n logging -it <humio-pod> --context aks-secondary -- \
  curl -s -o /dev/null -w "%{http_code}" \
  "https://<primary-storage-account>.blob.core.windows.net/<container>?restype=container"
```
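The comparison between the firewall IP rules and the NAT Gateway IP can be scripted rather than checked by eye. This is an added example, not part of the original page: it reports whether the secondary's NAT Gateway IP is covered by the primary's IP rules (exact addresses or CIDR ranges) and flags a default action other than Deny. The function names and sample addresses are constructed, and the live commands in the comments assume the az CLI's `networkRuleSet.defaultAction` and `ipRules[].ipAddressOrRange` output fields.

```shell
#!/bin/sh
# Live inputs (not run here; placeholders as in the commands above):
#   action=$(az storage account show --name <primary-storage-account> \
#     --resource-group <primary-rg> --query "networkRuleSet.defaultAction" -o tsv)
#   rules=$(az storage account show --name <primary-storage-account> \
#     --resource-group <primary-rg> \
#     --query "networkRuleSet.ipRules[].ipAddressOrRange" -o tsv)
#   nat_ip=$(terraform output -raw nat_gw_public_ip)

# Pack a dotted-quad IPv4 address into a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_in_rules <ip> <rules>: succeed if <ip> equals a listed address or
# falls inside a listed CIDR range (rules separated by whitespace/newlines).
ip_in_rules() {
  ip=$(ip_to_int "$1")
  for rule in $2; do
    case $rule in
      */*) net=${rule%/*}; bits=${rule#*/} ;;
      *)   net=$rule; bits=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    if [ $(( ip & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
      return 0
    fi
  done
  return 1
}

# dr_firewall_status <defaultAction> <nat-ip> <rules>
#   open    - default action is not Deny, so the IP rules restrict nothing
#   allowed - NAT Gateway IP is covered by an IP rule
#   missing - NAT Gateway IP is absent; recovery reads will be refused
dr_firewall_status() {
  if [ "$1" != "Deny" ]; then echo "open"; return 0; fi
  if ip_in_rules "$2" "$3"; then echo "allowed"; else echo "missing"; fi
}

# Constructed sample data (documentation address ranges, not real rules).
SAMPLE_RULES="198.51.100.7
203.0.113.0/24"
dr_firewall_status Deny 203.0.113.42 "$SAMPLE_RULES"
```

A result of `open` deserves attention before a DR drill as much as `missing` does: the storage account is then reachable from any network and only the account key protects the snapshot.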