NDS for Azure - Installation and Management


Overview

Nasuni Data Service (NDS) provides access to data stored on Nasuni volumes via an Azure Blob Storage–compatible interface.

This guide explains how to:

  • Deploy UniFS as a Service (UaaS) in Microsoft Azure (NDS is a component of the UaaS platform).

  • Enable and configure NDS for one or more volumes.

  • Retrieve connection information.

  • Update an existing deployment.

Audience and Scope

This document is intended for administrators who manage Nasuni environments and Azure resources.

You should be comfortable with the following:

  • Nasuni Management Console (NMC).

  • Azure Resource Manager concepts.

  • PowerShell 7+.

Prerequisites

Ensure you have the following prerequisites before beginning.

Nasuni

  • UaaS serial number and authentication code.

    • Serial numbers and authentication codes are available in the Nasuni Portal.

      Note: NDS is available at no additional cost. Contact your Account Manager to request licensing for NDS.

  • NMC version 25.1 or higher.

  • Nasuni Edge Appliance (NEA) version 10.0.1 or higher.

  • The target volumes must be shared (Remote Access enabled) via the NMC.

  • Azure or AWS object storage for the target volumes.

    Important: Connecting to object storage in a different cloud provider or region than your NDS deployment generates cloud egress costs, billed to you by AWS or Azure. To avoid these charges, whenever possible, deploy NDS in the same provider and region as the object storage.

Software

  • PowerShell 7.0 or higher.

  • Azure PowerShell module (Az) version 14.0.0 or higher.

Azure subscription and permissions

  • An active Azure subscription.

  • Owner access at the scope of the resource group used for deployment.

    • Alternatively, create a custom Azure role with granular permissions. When creating the custom role, use the example JSON below, which lists the minimum required permissions.

      "permissions": [
                  {
                      "actions": [
                          "Microsoft.Authorization/roleAssignments/read",
                          "Microsoft.Authorization/roleAssignments/write",
                          "Microsoft.Authorization/roleAssignments/delete",
                          "Microsoft.Resources/subscriptions/resourceGroups/read",
                          "Microsoft.Resources/subscriptions/resourceGroups/write",
                          "Microsoft.Resources/subscriptions/resourceGroups/delete",
                          "Microsoft.Resources/deployments/read",
                          "Microsoft.Resources/deployments/write",
                          "Microsoft.Resources/deployments/delete",
                          "Microsoft.Resources/deployments/operationstatuses/read",
                          "Microsoft.Resources/deploymentScripts/read",
                          "Microsoft.Resources/deploymentScripts/write",
                          "Microsoft.Resources/deploymentScripts/delete",
                          "Microsoft.Resources/deploymentStacks/read",
                          "Microsoft.Resources/deploymentStacks/write",
                          "Microsoft.Resources/deploymentStacks/delete",
                          "Microsoft.Storage/storageAccounts/read",
                          "Microsoft.Storage/storageAccounts/write",
                          "Microsoft.Storage/storageAccounts/delete",
                          "Microsoft.Storage/storageAccounts/blobServices/read",
                          "Microsoft.Storage/storageAccounts/blobServices/write",
                          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                          "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                          "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
                          "Microsoft.Storage/storageAccounts/listKeys/action",
                          "Microsoft.Storage/storageAccounts/managementPolicies/read",
                          "Microsoft.Storage/storageAccounts/managementPolicies/write",
                          "Microsoft.Storage/storageAccounts/managementPolicies/delete",
                          "Microsoft.ServiceBus/namespaces/authorizationRules/read",
                          "Microsoft.ServiceBus/namespaces/authorizationRules/write",
                          "Microsoft.ServiceBus/namespaces/authorizationRules/delete",
                          "Microsoft.ServiceBus/namespaces/queues/read",
                          "Microsoft.ServiceBus/namespaces/queues/write",
                          "Microsoft.ServiceBus/namespaces/queues/delete",
                          "Microsoft.ServiceBus/namespaces/AuthorizationRules/listKeys/action",
                          "Microsoft.DocumentDB/databaseAccounts/read",
                          "Microsoft.DocumentDB/databaseAccounts/write",
                          "Microsoft.DocumentDB/databaseAccounts/delete",
                          "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
                          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write",
                          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/delete",
                          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/operationResults/read",
                          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write",
                          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/delete",
                          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/operationResults/read",
                          "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                          "Microsoft.ManagedIdentity/userAssignedIdentities/write",
                          "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
                          "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                          "Microsoft.ServiceBus/namespaces/read",
                          "Microsoft.ServiceBus/namespaces/write",
                          "Microsoft.ServiceBus/namespaces/delete",
                          "Microsoft.ContainerInstance/register/action",
                          "Microsoft.ContainerInstance/containerGroups/read",
                          "Microsoft.ContainerInstance/containerGroups/write",
                          "Microsoft.ContainerInstance/containerGroups/delete",
                          "Microsoft.OperationalInsights/workspaces/*",
                          "Microsoft.App/managedEnvironments/read",
                          "Microsoft.App/managedEnvironments/write",
                          "Microsoft.App/managedEnvironments/delete",
                          "Microsoft.App/jobs/read",
                          "Microsoft.App/jobs/write",
                          "Microsoft.App/jobs/delete",
                          "Microsoft.App/containerApps/read",
                          "Microsoft.App/containerApps/write",
                          "Microsoft.App/containerApps/delete",
                          "Microsoft.App/managedEnvironments/join/action",
                          "Microsoft.CustomProviders/*/read",
                          "Microsoft.CustomProviders/*/write",
                          "Microsoft.CustomProviders/*/delete",
                          "Microsoft.Portal/dashboards/write",
                          "Microsoft.Portal/dashboards/delete",
                          "Microsoft.StreamAnalytics/*/action",
                          "Microsoft.StreamAnalytics/streamingjobs/*/read",
                          "Microsoft.StreamAnalytics/streamingjobs/*/write",
                          "Microsoft.StreamAnalytics/streamingjobs/*/delete",
                          "Microsoft.EventHub/namespaces/read",
                          "Microsoft.EventHub/namespaces/write",
                          "Microsoft.EventHub/namespaces/delete",
                          "Microsoft.EventHub/namespaces/authorizationRules/read",
                          "Microsoft.EventHub/namespaces/authorizationRules/write",
                          "Microsoft.EventHub/namespaces/authorizationRules/delete",
                          "Microsoft.EventHub/namespaces/authorizationRules/listKeys/action",
                          "Microsoft.EventHub/namespaces/eventhubs/consumergroups/read",
                          "Microsoft.EventHub/namespaces/eventhubs/consumergroups/write",
                          "Microsoft.EventHub/namespaces/eventhubs/consumergroups/delete",
                          "Microsoft.EventHub/namespaces/eventhubs/read",
                          "Microsoft.EventHub/namespaces/eventhubs/write",
                          "Microsoft.EventHub/namespaces/eventhubs/delete",
                          "Microsoft.Insights/autoscalesettings/read",
                          "Microsoft.Insights/autoscalesettings/write",
                          "Microsoft.Insights/autoscalesettings/delete",
                          "Microsoft.Portal/dashboards/read",
                          "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action"
                      ],
                      "notActions": [],
                      "dataActions": [],
                      "notDataActions": []
                  }
              ]
  • Connectivity between resources. For more information, see NDS for Azure - Supported Parameters and Limits.
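
As an added example (not part of Nasuni's documentation or setup script), the PowerShell below wraps the permissions fragment above into the file format that New-AzRoleDefinition -InputFile accepts, limits AssignableScopes to the deployment resource group, and lists the actions that return keys, change role assignments, or use wildcards. The function name, role name, file paths, subscription ID and resource group name are assumptions.

```powershell
# Added example, not Nasuni's code.
function New-NdsRoleDefinitionFile {
    param(
        [Parameter(Mandatory)][string]$FragmentPath,    # file holding the "permissions": [ ... ] text
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [string]$RoleName = 'NDS Deployment Operator',  # hypothetical role name
        [string]$OutFile  = './nds-custom-role.json'    # hypothetical output path
    )

    # The page's snippet is a bare property, so wrap it in braces before parsing.
    $fragment = Get-Content -Raw -Path $FragmentPath
    $perm = ("{" + $fragment + "}" | ConvertFrom-Json).permissions[0]

    # Role definition in the shape used by New-AzRoleDefinition -InputFile,
    # assignable only at the deployment resource group.
    $definition = [ordered]@{
        Name             = $RoleName
        IsCustom         = $true
        Description      = 'Minimum permissions to deploy and update UaaS/NDS'
        Actions          = @($perm.actions)
        NotActions       = @($perm.notActions)
        DataActions      = @($perm.dataActions)
        NotDataActions   = @($perm.notDataActions)
        AssignableScopes = @("/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName")
    }
    $definition | ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding utf8

    # Flag actions that return secrets, change access, or use wildcards.
    $review = foreach ($action in $perm.actions) {
        $reason = switch -Regex ($action) {
            '/list(Keys|ConnectionStrings)/action$' { 'returns account keys or connection strings'; break }
            '^Microsoft\.Authorization/roleAssignments/(write|delete)$' { 'can change role assignments in scope'; break }
            '\*' { 'wildcard covers multiple operations'; break }
        }
        if ($reason) { [pscustomobject]@{ Action = $action; Reason = $reason } }
    }

    [pscustomobject]@{
        File   = $OutFile
        Scope  = $definition.AssignableScopes[0]
        Review = @($review)
    }
}

# Constructed sample: a few actions copied from the list above.
# In real use, save the complete fragment to the file instead.
$sample = @'
"permissions": [
  {
    "actions": [
      "Microsoft.Authorization/roleAssignments/write",
      "Microsoft.Storage/storageAccounts/listKeys/action",
      "Microsoft.Storage/storageAccounts/read",
      "Microsoft.OperationalInsights/workspaces/*",
      "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action"
    ],
    "notActions": [], "dataActions": [], "notDataActions": []
  }
]
'@
$tempDir  = [System.IO.Path]::GetTempPath()
$fragFile = Join-Path $tempDir 'nds-permissions.txt'
Set-Content -Path $fragFile -Value $sample

$result = New-NdsRoleDefinitionFile -FragmentPath $fragFile `
    -SubscriptionId '00000000-0000-0000-0000-000000000000' `
    -ResourceGroupName 'rg-nds-example' `
    -OutFile (Join-Path $tempDir 'nds-custom-role.json')
$result.Review | Format-Table -AutoSize

# To create the role from the generated file (requires Connect-AzAccount):
# New-AzRoleDefinition -InputFile $result.File
```

Because the role can write role assignments and list storage, Service Bus, Event Hubs and Cosmos DB keys, keeping AssignableScopes at the dedicated resource group limits what a holder of the role can reach.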

Downloading and verifying the NDS Setup Script

To download and verify the NDS setup script, follow these steps:

  1. Download the latest NDS Setup Script here: NDS-AZ-Setup.ps1

  2. In PowerShell, verify by printing the help text:

./NDS-AZ-Setup.ps1 -Help

Important: The script creates and maintains each deployment’s state in a file named {StackName}-state.json. Keep the script and the JSON file(s) together for future updates. The JSON file(s) must be located in the same directory as the script so it can reference them correctly.

Without the JSON file, future updates to the deployment are not possible. In that case, any updates require you to redeploy from scratch.


1.  New Deployment

Complete the following steps for a new deployment of UaaS/NDS in Azure.

1a. Collect inputs

Begin by collecting the following inputs:

Parameter                  Description
-ResourceGroupName <RG>    Dedicated Azure resource group for UaaS/NDS.
-SerialNumber <SN>         Available UaaS serial number from the Nasuni Portal.
-AuthCode <AC>             Matching authentication code for the serial number.
-Location <LOC>            Azure region (ideally co‑located with the Nasuni volumes’ object storage to avoid egress fees).

Tip: List Azure regions and their corresponding locations:
Get-AzLocation | select DisplayName,Location

1b. Start the deployment

Run the script in PowerShell:

./NDS-AZ-Setup.ps1 -Action New-Deployment -ResourceGroupName <RG> -SerialNumber <SN> -AuthCode <AC> -Location <LOC>

If you need help with syntax, run the following script in PowerShell:

./NDS-AZ-Setup.ps1 -Help

Note: It takes approximately ten minutes for the initial deployment to complete. The script displays the deployment status in Azure for you to follow.


After the deployment is complete, PowerShell displays a success message.

1c. Configure NDS in Nasuni Portal

With NDS deployed in Azure, the next step is to configure it in the Nasuni Portal.

  1. Log in to the Nasuni Portal: https://portal.nasuni.com/.

  2. Navigate to Cloud Services > UniFS as a Service, and click on your newly deployed stack to open it.

  3. In the left pane under Services, click Nasuni Data Service (NDS).

  4. Click Enable NDS on the right.

  5. After enabling NDS, you can see your Endpoint URL. Use this URL when connecting to NDS.

  6. Attach at least one volume, following the instructions in 3a. Attach a Volume below.

  7. (Optional) You can add rules to define path inclusions and exclusions for the volume. These rules determine which data is presented via NDS. The rules do not modify the volume (NDS is read-only). Exclude rules always take precedence over include rules. All paths are recursive and cover paths below the one that is specified in the rule. Follow the instructions in 3c. Configure Rules for Path Inclusions/Exclusions below if desired.

  8. After a new deployment of NDS for Azure, Access Keys must be generated. They can be subsequently regenerated as needed. Follow the instructions in 3e. Generate/Regenerate Access Keys below.

  9. (Optional) In addition to the two Access Keys, you can generate Shared Access Signature (SAS) Tokens as an authentication method. SAS Tokens benefit from an expiration date, providing greater control and security.
    For more information, see 3f. Generate Shared Access Signature (SAS) Tokens.


2. Update deployment

Use the NDS Setup script to update your existing UaaS/NDS deployment, preserving your configuration. Release notes are available here: UniFS™ as a Service (UaaS) Release Notes.

To check the version of your deployment, follow these steps:

  1. Log in to the Nasuni Portal: https://portal.nasuni.com/.

  2. Navigate to Cloud Services > UniFS as a Service.

  3. Locate your deployment and version or build number.

2a. Collect inputs

Collect the following inputs:

Parameter                  Description
-ResourceGroupName <RG>    Existing Azure resource group for your UaaS/NDS deployment. This is also the name of your UaaS stack in Nasuni Portal.

2b. Start the update

Run the script in PowerShell:

./NDS-AZ-Setup.ps1 -Action Update-Deployment -ResourceGroupName <RG>

If you need help with syntax, run the following script in PowerShell:

./NDS-AZ-Setup.ps1 -Help

Note: It takes approximately ten minutes for the update to complete. The script displays the deployment status in Azure for you to follow.


When the deployment is complete, PowerShell displays a success message.


3. Managing an existing NDS deployment

Complete the following steps to modify the volumes enabled for NDS, update their included and excluded path configurations, and generate Access Keys or SAS Tokens.

Access NDS Management

To complete all subsequent operations, first access NDS management in the Nasuni Portal:

  1. Log in to Nasuni Portal: https://portal.nasuni.com/.

  2. Navigate to Cloud Services > UniFS as a Service.

  3. Locate your deployment and click to open it.

  4. In the left pane under Services, click Nasuni Data Service (NDS).

Note: Allow up to 15 minutes for the operations below to take effect after being configured.

3a. Attaching a volume

To attach a volume, follow these steps:

  1. Click Attach new volume, then select a volume to present through NDS. Only volumes meeting the prerequisites noted above under Prerequisites - Nasuni can be selected.

    The volume appears in the Volumes list. The Container Name is used when connecting to NDS and accessing this volume.

  2. Follow NDS Volume Registration to complete the volume registration. This step must be completed for every volume attached to NDS.

    Note: This is a one-time step for each volume, unless you change or rotate your credentials for the object storage in AWS/Azure. In that case, you lose access to the volume via NDS until you complete this step again.

3b. Detaching a volume

To remove the volume from NDS, click Detach.

Note: This has no effect on the volume itself, and does not delete data.

3c. Configuring rules for path inclusions and exclusions

You can add rules to define path inclusions or exclusions for the volume. These rules determine the data presented via NDS and do not modify the volume (NDS is read-only).

  • Exclude rules always take precedence over include rules.

  • All paths are recursive and include all subpaths beneath the path specified in the rule.

  • Paths are defined relative to the volume’s root, using forward slashes (see example below).

  • The concept of shares and Edge Appliances is not a factor here. Paths are always defined from the volume's root, not in relation to an Edge Appliance or any share.

To configure rules for path inclusions and exclusions, follow these steps:

  1. Click Add Rule, and choose Exclude or Include. Enter the desired path relative to the volume's root, following the format shown in the example. Consider excluding /.nasuni, which is a system directory.

    Example: /topfolder/secondfolder

  2. Click Done.

  3. Click Save Changes.
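
The rule semantics above can be previewed locally before a rule set is saved. This added example is a model written for this page, not NDS's implementation; it assumes rules match whole path segments, compare case-sensitively, and that an empty include list presents everything that is not excluded. The function names and the sample rules and paths are constructed.

```powershell
# Added example, not NDS code: a local model of the documented rule semantics.

# True when $Path is the rule path itself or lies beneath it (recursive match).
function Test-NdsRuleMatch {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Rule
    )
    # Normalize both to "/a/b" form: leading slash, no trailing slash.
    $p = '/' + $Path.Trim('/')
    $r = '/' + $Rule.Trim('/')
    if ($r -eq '/') { return $true }   # a rule on the volume root covers everything
    # Compare on segment boundaries so /projects/hr does not match /projects/hr-archive.
    return ($p -ceq $r) -or $p.StartsWith("$r/", [System.StringComparison]::Ordinal)
}

# True when the path would be presented through NDS under the given rules.
function Test-NdsPathPresented {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @(),
        [string[]]$Exclude = @()
    )
    # Exclude rules always take precedence over include rules.
    foreach ($rule in $Exclude) {
        if (Test-NdsRuleMatch -Path $Path -Rule $rule) { return $false }
    }
    # Assumption: with no include rules, everything not excluded is presented.
    if ($Include.Count -eq 0) { return $true }
    foreach ($rule in $Include) {
        if (Test-NdsRuleMatch -Path $Path -Rule $rule) { return $true }
    }
    return $false
}

# Constructed rule set, relative to the volume root.
$include = '/topfolder/secondfolder', '/projects'
$exclude = '/.nasuni', '/projects/hr'

# Constructed paths to check against the rule set.
$paths = @(
    '/topfolder/secondfolder/report.docx'
    '/topfolder/other.txt'
    '/projects/plan.md'
    '/projects/hr/salaries.xlsx'
    '/projects/hr-archive/2019.zip'
    '/.nasuni/meta'
)

$paths | ForEach-Object {
    $presented = Test-NdsPathPresented -Path $_ -Include $include -Exclude $exclude
    [pscustomobject]@{ Path = $_; Presented = $presented }
} | Format-Table -AutoSize
```

Running a listing of sensitive directories through the model shows which ones still need an Exclude rule, since the Access Keys and SAS Tokens give read access to everything NDS presents.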

3d. Modifying a rule for path inclusions and exclusions

To modify a rule for path inclusions and exclusions, follow these steps:

  1. For the volume and rule you want to modify, click the ellipses (three dots) next to the existing rule.

  2. To modify the rule, click Edit Path and make any necessary changes.

  3. To delete the rule, click Delete Rule.

  4. Click Done.

  5. Click Save Changes.

3e. Generating or regenerating Access Keys

The Access Keys provide unrestricted read access to the Nasuni volumes (containers) via NDS.

  1. Click Access Keys, and then Regenerate Key 1 and Regenerate Key 2.

  2. The Access Keys can be used with an account name of nds and the Endpoint URL (from the Setup screen) to authenticate to NDS. The keys are interchangeable.
    For a simplified authentication process, use a Connection String. The Connection Strings are interchangeable.

3f. Generating Shared Access Signature (SAS) Tokens

In addition to the two Access Keys, you can optionally generate Shared Access Signature (SAS) Tokens as a method of authentication. SAS Tokens benefit from an expiration date, providing greater control and security. The SAS Token provides unrestricted read access to the Nasuni volumes (containers) via NDS.

SAS Tokens are signed by one of the two Access Keys. Regenerating Access Keys invalidates any SAS Tokens signed by them. Consider implementing SAS Tokens as the sole authentication method for your deployment.

  1. Click Shared Access Signature (SAS), and then on the date selector for Token Expiry. Select the validity date range for the SAS token. Note that the permissions are fixed and cannot be modified.

  2. Click Generate SAS Token and Connection String.

  3. Copy the SAS Token. You can use this SAS Token for authentication against NDS.

    Important: SAS tokens cannot be viewed after the initial generation. Store the token information in a secure location.
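
Because a SAS Token cannot be viewed again and stops working at its expiry or when its signing key is regenerated, it helps to track the expiry from the stored token itself. This added example (not Nasuni's code) assumes the token carries the standard Azure Storage SAS query fields st, se and sp; the function name and the sample token are constructed.

```powershell
# Added example, not Nasuni's code. Reports the lifetime of a stored SAS token
# without printing the signature. Assumes standard Azure Storage SAS fields:
# st (start), se (expiry), sp (permissions).
function Get-SasTokenLifetime {
    param(
        [Parameter(Mandatory)][string]$SasToken,
        [int]$WarnDays = 14,                                # renewal warning window
        [datetimeoffset]$Now = [datetimeoffset]::UtcNow     # overridable for testing
    )

    # Split the query string into name/value pairs.
    $fields = @{}
    foreach ($pair in $SasToken.TrimStart('?').Split('&')) {
        $name, $value = $pair -split '=', 2
        if ($name) { $fields[$name] = [uri]::UnescapeDataString([string]$value) }
    }
    if (-not $fields.ContainsKey('se')) {
        throw 'No se (expiry) field found in the token.'
    }

    # Treat timestamps without an offset as UTC.
    $expiry = [datetimeoffset]::Parse(
        $fields['se'],
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AssumeUniversal)
    $remaining = $expiry - $Now

    if ($remaining.TotalSeconds -le 0) {
        $status = 'Expired'
    } elseif ($remaining.TotalDays -le $WarnDays) {
        $status = 'RenewSoon'
    } else {
        $status = 'Valid'
    }

    # The sig field is deliberately left out of the result.
    [pscustomobject]@{
        Start       = $fields['st']
        Expiry      = $expiry.UtcDateTime
        Permissions = $fields['sp']
        DaysLeft    = [math]::Floor($remaining.TotalDays)
        Status      = $status
    }
}

# Constructed token; the signature is a placeholder, not a real value.
$token = 'sv=2022-11-02&sr=c&sp=rl&st=2025-01-01T00:00:00Z&se=2025-03-01T00:00:00Z&sig=CONSTRUCTED-PLACEHOLDER'

# A fixed "now" keeps the sample result reproducible.
Get-SasTokenLifetime -SasToken $token -Now ([datetimeoffset]'2025-02-20T00:00:00Z') | Format-List
```

In practice, read the token from the secure location where it is stored rather than placing it in a script, and plan Access Key regeneration around the tokens that key has signed.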


Legacy NDS Management - Versions 1.2.X and lower

Existing UaaS/NDS for Azure deployments with versions 1.2.X and lower are managed through the PowerShell script. Deployments with versions 1.2.X and higher are managed through the Nasuni Portal, as described above.

We strongly recommend updating to the latest version of UaaS/NDS, following the steps in section 2 for Update Deployment.

Legacy step 1. Update volumes (add, remove, change inclusions and exclusions)

Use the script to modify the volumes enabled for NDS and update their included and excluded path configurations.

Legacy step 1a. Collect inputs

Collect the following inputs:

Parameter                  Description
-ResourceGroupName         Existing Azure resource group for your UaaS/NDS instance.

Legacy step 1b. Run the script

Run the following script in PowerShell:

./NDS-AZ-Setup.ps1 -Action Update-Volumes -ResourceGroupName <RG>

Running this action does the following:

  1. Updates the UaaS/NDS instance.

  2. Shows progress in the terminal. You can also monitor progress in the Azure Portal via the link provided.

Legacy step 1c. Register volumes in the NMC

Follow NDS Volume Registration.

Legacy step 1d. Enable volumes and define inclusions and exclusions

To enable volumes and define exclusions, follow these steps:

  1. Navigate to the terminal window and press Enter to continue.

  2. For each discovered volume, type “Y” to enable it for NDS.

  3. (Optional) Provide path prefixes that are included or excluded from NDS. Wildcards are not supported. Excluded paths take precedence over included paths; if a path appears in both lists, it is excluded.

    1. Provide a comma-separated list of absolute paths from the root to include. By default, everything is included.

       For example: /visible_dir1/,/visible_dir2/

    2. Provide a comma-separated list of absolute paths from the root to exclude. By default, nothing is excluded.

       For example: /.nasuni/,/excluded_dir1/,/excluded_dir2/subdir/

       Consider excluding /.nasuni, which is a system directory.

Legacy step 1e. Save configuration to Cosmos DB

To save the configuration to Cosmos DB, follow these steps:

  1. Confirm that the script displays a JSON snippet and copies it to your clipboard. For example, this is what is copied from the screenshot below:

{
  "id": "UAAS-STACK-CONFIG",
  "nds": {
    "blob_keys": [
      "dQefmwQfGame66pUH8q33cjkIelgH0WhyMHa2LEliERyeaibQ+Msgw1lP4Djjr3TUqWHl0W9w==",
      "o89XFVlkpT8ggB4W7GGA/qwFUsNnKtOZCVL8J70WKituOmdGfUCGzqiwd2xanwwCVZ1t+PFbvFw=="
    ],
    "blob_endpoint_volumes": [
      "9f58311a-3b21-4ae6-8bb6-600_0"
    ],
    "blob_storage_endpoint_enabled": true,
    "included_paths": {
      "9f58311a-3b21-4ae6-8bb6-600_0": "/"
    },
    "excluded_paths": {
      "9f58311a-3b21-4ae6-8bb6-600_0": "/.nasuni"
    }
  },
  "type": "CONFIG"
}


  1. The script attempts to open the Azure Cosmos DB in your web browser; if it does not, open the link manually.

  2. In the Azure Cosmos DB, navigate to Data Explorer > ControlData > Items.

  3. Click New Item.

  4. In the right pane, replace the template with the JSON. Ensure it starts and ends with the brackets { }, as shown in the screenshot below. Click Save.

  5. Return to the terminal, enter continue, and press Enter.

Legacy step 1f. Generate SAS Tokens and connection strings

To generate SAS tokens and connection strings, follow these steps:

  1. (Optional) If you decide to generate SAS tokens, type Y. Otherwise, type N and continue to step 3.

  2. Provide start and end dates for the SAS tokens. The tokens are only valid during this time period. You can accept the defaults by pressing Enter for each, or modify them according to the format shown.

  3. There are two sets of keys, tokens, and connection strings that produce the same results. Store this information securely. The keys and SAS tokens provide unrestricted read access to the Nasuni volumes (containers).


Legacy step 2. Updating Access Keys

Use the script to manage previously generated access keys. This process allows you to rotate individual keys for enhanced security while maintaining access to NDS.

Legacy step 2a. Collect inputs

Collect the following inputs:

Parameter                  Description
-ResourceGroupName         Existing Azure resource group for your UaaS/NDS instance.

Legacy step 2b. Run the script

Run the following script in PowerShell:

./NDS-AZ-Setup.ps1 -Action Update-Key -ResourceGroupName <RG>

Legacy step 2c. Regenerate keys

For each of the two keys, choose Y to regenerate or N to keep the existing value.

Note: If you answer Yes, the key regenerates with a new value, and any existing clients using the previous value need to be reconfigured in order to authenticate again.
Regenerating a key invalidates any SAS tokens that are signed by it.

Legacy step 2d. Save configuration to Cosmos DB

Follow Legacy step 1e. Save configuration to Cosmos DB above.


Legacy step 3. Get connection information

Use this action to retrieve all the information needed to connect applications or tools to your NDS Blob Storage endpoint.

This includes the following:

  • Endpoint URLs.

  • Account names.

  • Access keys.

  • Connection strings.

  • SAS tokens (with the option to regenerate them).

  • Available containers (Nasuni Volumes).

Legacy step 3a. Collect inputs

Collect the following inputs:

Parameter                  Description
-ResourceGroupName         Existing Azure resource group for your UaaS/NDS instance.

Legacy step 3b. Run the script

Run the following script in PowerShell:

./NDS-AZ-Setup.ps1 -Action Get-ConnectionInfo -ResourceGroupName <RG>

You are given the option to regenerate the SAS tokens. If desired, follow Step 1e from the New Deployment section.

The script displays the connection information.

Important: Store this information securely. The keys and SAS tokens provide unrestricted read access to the Nasuni volumes (containers).


Legacy step 4. Check versions

Use this action to retrieve the following information:

Legacy step 4a. Collect inputs

Collect the following inputs:

Parameter                  Description
-ResourceGroupName         Existing Azure resource group for your UaaS/NDS instance.

Legacy step 4b. Run the script

Run the following script in PowerShell:

./NDS-AZ-Setup.ps1 -Version -ResourceGroupName <RG>