Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide
  3. Section II. NetBackup Snapshot Manager for Cloud maintenance
  4. Troubleshooting NetBackup Snapshot Manager for Cloud
  5. Troubleshooting automatic protection of managed disks with network policy set to DENY_ALL
NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Troubleshooting automatic protection of managed disks with network policy set to DENY_ALL

Private endpoint connection approval fails

The private endpoint connection approval operation fails with the following error:

ERROR: Failed to approve private endpoint connection
HttpResponseError: 403 Forbidden

The service principal or managed identity used by NetBackup Snapshot Manager does not have the following required permission to approve private endpoint connections for disk access objects:

Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action

Workaround:

Verify that the required permission is included in the custom role assigned to the service principal or managed identity.

  1. Check whether the following permission exists in the role definition:

    az role definition list \
    --name "<role-name>" \
    --query "[].permissions[].actions" \
    --output tsv
  2. If the permission is missing, add the permission to the custom role:

    az role definition update \
    --name "<role-name>" \
    --add-operation "Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApproval/action"

Private endpoint creation fails due to subnet policy

Private endpoint creation fails with the following error:

ERROR: Failed to create private endpoint
Subnet has private endpoint network policies enabled

The subnet in which NetBackup Snapshot Manager is deployed has private endpoint network policies enabled. Azure requires these policies to be disabled on the subnet where private endpoints are created.

Workaround:

Disable private endpoint network policies on the NetBackup Snapshot Manager subnet:

az network vnet subnet update \
--resource-group <nbsm-rg> \
--vnet-name <vnet-name> \
--name <subnet-name> \
--disable-private-endpoint-network-policies true

Private DNS zone configuration missing

Snapshot or backup operations fail with the following error:

ERROR: Private DNS zone resource ID is not configured in flexsnap.conf.

The private_dns_zone_id parameter is not configured in the Azure section of the flexsnap.conf file.

Workaround:

Add the private DNS zone resource ID to the [azure] section of the flexsnap.conf file:

private_dns_zone_id = /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/
privateDnsZones/privatelink.blob.core.windows.net

After updating the configuration file, restart the NetBackup Snapshot Manager services and retry the operation.

Updating an existing private DNS zone configuration fails

Updating the private DNS zone associated with an existing private endpoint fails with the following error:

ERROR: UpdatingPrivateDnsZoneIdOnPrivateDnsZoneConfigNotAllowed.
Message: Updating private dns zone id from/subscriptions/<subscription-id-1>/resourceGroups/
<RG-1>/providers/ Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.netto/subscriptions/<subscription-id-2>/resourceGroups/
<RG-2>/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.neton private dns zone config/subscriptions/<subscription-id-1>/resourceGroups/
<RG-3>/providers/Microsoft.Network/privateEndpoints/<nbsm-pe-id>/privateDnsZoneGroups/default/privateDnsZoneConfigs/<nbsm-pe-id>-dns-zone-confignot allowed. 
Error code: 400

A private DNS zone configuration already exists for the private endpoint. Azure does not allow updating the DNS zone ID for an existing private DNS zone configuration with the same name.

Workaround:

Manually delete the existing private DNS zone configuration associated with the private endpoint, and then allow NetBackup Snapshot Manager to recreate it with the updated configuration.

Too many active SAS URIs for disk access object

Snapshot or backup operations fail with the following error:

ERROR: DiskAccessObjectHasTooManyActiveSASes

The disk access object has reached the maximum allowed number of concurrent SAS URIs due to multiple snapshot or backup operations running at the same time.

Workaround:

Avoid running multiple snapshot or backup jobs at the same time on disks that share the same disk access object.

Backup job failures for VMs with DENY_ALL disk access policy after enabling the feature

Backup jobs for virtual machines that use a DENY_ALL disk access policy may fail even after enabling the required feature.

The manage_private_disk_access feature is not enabled correctly, or the VM association with the policy is outdated.

Workaround:

Perform the following steps to resolve the issue:

  1. Verify feature enablement:

    • Ensure that the manage_private_disk_access feature is enabled in your environment.

    • Confirm that all prerequisite requirements are met.

  2. Reassign the VM to the policy:

    • Remove the VM from the existing policy.

    • Reassign the VM to the same policy.

  3. Verify backup execution:

    • Wait for the next scheduled backup run.

    • Confirm that the backup job completes successfully.

Feedback

Was this page helpful?
Previous

(For AWS) Crash-consistent snapshot created instead of filesystem-consistent snapshot

Next

Introduction

Feedback

Was this page helpful?