If you read the Cost Analysis tutorial, then you're familiar with manually downloading your Cost Management data. However, you can create a recurring task that automatically exports your Cost Management data to Azure storage on a daily, weekly, or monthly basis. Exported data is in CSV format and it contains all the information that's collected by Cost Management. You can then use the exported data in Azure storage with external systems and combine it with your own custom data. And you can use your exported data in an external system like a dashboard or other financial system.
17
+
If you read the Cost Analysis tutorial, then you're familiar with manually downloading your Cost Management data. However, you can create a recurring task that automatically exports your Cost Management data to Azure storage on a daily, weekly, or monthly basis. Exported data is in CSV format and it contains all the information thatCost Management collects. You can then use the exported data in Azure storage with external systems and combine it with your own custom data. And you can use your exported data in an external system like a dashboard or other financial system.
18
18
19
19
Watch the [How to schedule exports to storage with Cost Management](https://www.youtube.com/watch?v=rWa_xI1aRzo) video about creating a scheduled export of your Azure cost data to Azure Storage. To watch other videos, visit the [Cost Management YouTube channel](https://www.youtube.com/c/AzureCostManagement).
20
20
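Review bot: The reworded sentence in the added paragraph loses a space, "all the information thatCost Management collects". It should read "all the information that Cost Management collects". Nothing else in the paragraph changes, so this looks like an edit slip.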
@@ -40,8 +40,15 @@ Data export is available for various Azure account types, including [Enterprise
40
40
For Azure Storage accounts:
41
41
- Write permissions are required to change the configured storage account, independent of permissions on the export.
42
42
- Your Azure storage account must be configured for blob or file storage.
43
-
- The storage account must not have a firewall configured.
44
-
- The storage account configuration must have the **Permitted scope for copy operations (preview)** option set to **From any storage account**.
43
+
- To export to storage accounts with configured firewalls, you need other privileges on the storage account. The other privileges are only required during export creation or modification. They are:
44
+
- Owner role on the storage account.
45
+
Or
46
+
- Any custom role with `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/permissions/read` permissions.
47
+
Additionally, ensure that you enable [Allow trusted Azure service access](../../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services) to the storage account when you configure the firewall.
48
+
- The storage account configuration must have the **Permitted scope for copy operations (preview)** option set to **From any storage account**.
49
+
>[!NOTE]
50
+
> Export to storage accounts behind firewall is in preview. Enable the preview feature in Cost Management labs by selecting **Export behind firewall**. For more information, see [Explore preview features](enable-preview-features-cost-management-labs.md#explore-preview-features).
51
+
45
52
:::image type="content" source="./media/tutorial-export-acm-data/permitted-scope-copy-operations.png" alt-text="Screenshot showing the From any storage account option set." lightbox="./media/tutorial-export-acm-data/permitted-scope-copy-operations.png" :::
46
53
47
54
If you have a new subscription, you can't immediately use Cost Management features. It might take up to 48 hours before you can use all Cost Management features.
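Review bot: The added firewall prerequisite lists Owner "on the storage account" but gives no scope for the custom-role alternative, and it omits a permission the same change relies on later. `Microsoft.Authorization/roleAssignments/write` lets the holder grant any role at the scope where it is held, so say explicitly that the custom role only needs to be assigned at the storage account. The new "Configure exports for storage accounts with a firewall" section also says `roleAssignments/delete` is needed for the role assignment to be removed automatically when an export is updated or deleted. Either list it here or link to that note, so readers building a custom role from this list don't end up with orphaned role assignments. Minor: "you need other privileges" reads better as "additional privileges", and the stand-alone "Or" between the two sub-bullets is easy to miss when rendered.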
### Configure exports for storage accounts with a firewall
252
+
253
+
If you need to export to a storage account behind the firewall for security and compliance requirements, ensure that you have all [prerequisites](#prerequisites) met.
254
+
255
+
Enable **Allow trusted Azure services access** on the storage account from the Exports page. Here's a screenshot showing the page.
A system-assigned managed identity is created for a new job export when it's created or modified. You must have permissions because Cost Management uses the privilege to assign the *StorageBlobDataContributor* role to the managed identity. The permission is restricted to the storage account container scope. After the export job is created or updated, the user doesn't require Owner permissions for regular runtime operations.
260
+
261
+
> [!NOTE]
262
+
> - When a user updates destination details or deletes an export, the *StorageBlobDataContributor* role assigned to the managed identity is automatically removed. To enable the system to remove the role assignment, the user must have `microsoft.Authorization/roleAssignments/delete` permissions. If the permissions aren't available, the user needs to manually remove the role assignment on the managed identity.
263
+
> - Currently, firewalls are supported for storage accounts in the same tenant. However, firewalls on storage accounts aren't supported for cross-tenant exports.
264
+
265
+
Add exports to the list of trusted services. For more information, see [Trusted access based on a managed identity](../../storage/common/storage-network-security.md#trusted-access-based-on-a-managed-identity).
266
+
244
267
### Export schedule
245
268
246
269
Scheduled exports are affected by the time and day of week of when you initially create the export. When you create a scheduled export, the export runs at the same frequency for each export that runs later. For example, for a daily export of month-to-date costs export set at a daily frequency, the export runs during once each UTC day. Similarly for a weekly export, the export runs every week on the same UTC day as it is scheduled. Individual export runs can occur at different times throughout the day. So, avoid taking a firm dependency on the exact time of the export runs. Run timing depends on the active load present in Azure during a given UTC day. When an export run begins, your data should be available within 4 hours.
247
270
248
271
Exports are scheduled using Coordinated Universal Time (UTC). The Exports API always uses and displays UTC.
249
272
250
273
- When you create an export using the [Exports API](/rest/api/cost-management/exports/create-or-update?tabs=HTTP), specify the `recurrencePeriod` in UTC time. The API doesn’t convert your local time to UTC.
251
-
- Example - A weekly export is scheduled on Friday, August 19 with `recurrencePeriod` set to 2:00 PM. The API receives the input as 2:00 PM UTC, Friday, August 19. The weekly export will be scheduled to run every Friday.
274
+
- Example - A weekly export is scheduled on Friday, August 19 with `recurrencePeriod` set to 2:00 PM. The API receives the input as 2:00 PM UTC, Friday, August 19. The weekly export is scheduled to run every Friday.
252
275
- When you create an export in the Azure portal, its start date time is automatically converted to the equivalent UTC time.
253
-
- Example - A weekly export is scheduled on Friday, August 19 with the local time of 2:00 AM IST (UTC+5:30) from the Azure portal. The API receives the input as 8:30 PM, Thursday, August 18. The weekly export will be scheduled to run every Thursday.
276
+
- Example - A weekly export is scheduled on Friday, August 19 with the local time of 2:00 AM IST (UTC+5:30) from the Azure portal. The API receives the input as 8:30 PM, Thursday, August 18. The weekly export is scheduled to run every Thursday.
254
277
255
278
Each export creates a new file, so older exports aren't overwritten.
256
279
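Review bot: In the new "Configure exports for storage accounts with a firewall" section, the permission in the note is written `microsoft.Authorization/roleAssignments/delete` with a lowercase provider namespace, while the prerequisites in this same file use `Microsoft.Authorization/...`. Use the same casing in both places. In the paragraph above the note, "You must have permissions because Cost Management uses the privilege to assign..." does not say which permissions. Name them (Owner, or a custom role with `roleAssignments/write`) or link back to the prerequisites. The role is written *StorageBlobDataContributor*, but the built-in role's display name is Storage Blob Data Contributor, which is what readers will search for when they have to remove the assignment manually. Finally, the closing line "Add exports to the list of trusted services" does not say where this is done or how it differs from the earlier step of enabling **Allow trusted Azure services access**. Clarify whether it is a separate action.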
@@ -272,7 +295,7 @@ If you have a Microsoft Customer Agreement, Microsoft Partner Agreement, or Ente
If you don't have a Microsoft Customer Agreement, Microsoft Partner Agreement, or Enterprise Agreement, then you won't see the **File Partitioning** option.
298
+
If you don't have a Microsoft Customer Agreement, Microsoft Partner Agreement, or Enterprise Agreement, then you don't see the **File Partitioning** option.
276
299
277
300
Partitioning isn't currently supported for resource groups or management group scopes.
278
301
@@ -348,13 +371,13 @@ You can view the run history of your scheduled export by selecting an individual
348
371
349
372
:::image type="content" source="./media/tutorial-export-acm-data/run-history.png" alt-text="Screenshot shows the Exports pane.":::
350
373
351
-
Select an export to view its run history.
374
+
Select an export to view the run history.
352
375
353
376
:::image type="content" source="./media/tutorial-export-acm-data/single-export-run-history.png" alt-text="Screenshot shows the run history of an export.":::
354
377
355
378
### Export runs twice a day for the first five days of the month
356
379
357
-
If you've created a daily export, you'll have two runs per day for the first five days of each month. One run executes and creates a file with the current month’s cost data. It's the run that's available for you to see in the run history. A second run also executes to create a file with all the costs from the prior month. The second run isn't currently visible in the run history. Azure executes the second run to ensure that your latest file for the past month contains all charges exactly as seen on your invoice. It runs because there are cases where latent usage and charges are included in the invoice up to 72 hours after the calendar month has closed. To learn more about Cost Management usage data updates, see [Cost and usage data updates and retention](understand-cost-mgt-data.md#cost-and-usage-data-updates-and-retention).
380
+
If you've created a daily export, you have two runs per day for the first five days of each month. One run executes and creates a file with the current month’s cost data. It's the run that's available for you to see in the run history. A second run also executes to create a file with all the costs from the prior month. The second run isn't currently visible in the run history. Azure executes the second run to ensure that your latest file for the past month contains all charges exactly as seen on your invoice. It runs because there are cases where latent usage and charges are included in the invoice up to 72 hours after the calendar month has closed. To learn more about Cost Management usage data updates, see [Cost and usage data updates and retention](understand-cost-mgt-data.md#cost-and-usage-data-updates-and-retention).
articles/storage/common/storage-network-security.md
+2 -1 Lines changed: 2 additions & 1 deletion
@@ -546,6 +546,7 @@ The following table lists services that can access your storage account data if
546
546
| Azure Cognitive Search |`Microsoft.Search/searchServices`| Enables access to storage accounts for indexing, processing, and querying. |
547
547
| Azure AI services |`Microsoft.CognitiveService/accounts`| Enables access to storage accounts. [Learn more](../..//cognitive-services/cognitive-services-virtual-networks.md).|
548
548
| Azure Container Registry |`Microsoft.ContainerRegistry/registries`| Through the ACR Tasks suite of features, enables access to storage accounts when you're building container images. |
549
+
| Microsoft Cost Management |`Microsoft.CostManagementExports`| Enables export to storage accounts behind a firewall. [Learn more](../../cost-management-billing/costs/tutorial-export-acm-data.md).|
549
550
| Azure Databricks |`Microsoft.Databricks/accessConnectors`| Enables access to storage accounts. |
550
551
| Azure Data Factory |`Microsoft.DataFactory/factories`| Enables access to storage accounts through the Data Factory runtime. |
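Review bot: The resource type in the added Microsoft Cost Management row, `Microsoft.CostManagementExports`, has no `/type` segment, unlike every neighbouring row (`Microsoft.Search/searchServices`, `Microsoft.ContainerRegistry/registries`, `Microsoft.Databricks/accessConnectors`). Please confirm this is the exact string shown for the service. If a segment is missing, add it, because this column is what readers match against when reviewing which trusted services can reach a firewalled account. The description could also state that access is through the export's system-assigned managed identity, as the linked tutorial describes, so the scope of the exception is clear from the table alone.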