Hi everyone!!  In the previous 2 posts I’ve explained in detail how to configure Veeam Backup for Azure and all related components to enable a Private Network Deployment.  In Veeam Backup for Azure, the private network deployment feature allows you to increase the security of your environment by retaining network traffic within a private network.

Now in this post we will describe in depth how the Azure VM Backup works when using Veeam Backup for Azure in a Private Network Deployment.

 

Pre-Requisites

NOTE: All pre-requisites have been enabled and configured in previous post.

In the region where the processed Azure VM resides, Veeam Backup for Azure checks whether there is a VNET configured for worker instances, and whether there is a storage account assigned the Veeam backup appliance ID tag.  We have described in the previous post how this Storage Account is created when enabling and configuring Private Network Deployment.

Veeam Backup for Azure also checks whether the following private endpoints are configured for the Veeam storage account:

  • One endpoint for Azure Blob Storage
  • One endpoint for Azure Queue Storage.

 

Azure VM Snapshot

Veeam Backup for Microsoft Azure creates snapshots of virtual disks that are attached to the processed Azure VM.

Disk snapshots are assigned Azure tags upon creation.  Please consider that the values of these Azure tags contain encrypted metadata that helps Veeam Backup for Azure identify the related disk snapshots and treat them as a single unit. For this reason, you must not delete any Azure tags whose names start with the word veeam.

Worker Deployment

Veeam Backup for Azure launches the worker instance in the Azure region where the processed Azure VM resides in the following way (check the diagram below):

  1. Veeam Backup appliance uploads worker binary files to the Veeam storage account using a shared access signature (SAS) URI (orange lines in diagram below)
    • The communications between the Veeam Backup appliance and the Storage Account go through a VNET Peering in case the Veeam appliance and the Veeam Worker are in different regions.
    • Then, a Private Endpoint is used in the same VNET where the worker is located, to keep the communication private and local to the Azure backbone network.
    • NOTE: In every Azure Region where you need to deploy a Veeam Worker, a new Storage Account will be created automatically by Veeam, and then a Private Endpoint should be created to communicate with that Storage Account from the VNET where the Worker will be located in that region.
  2. Veeam Backup Appliance deploys an Azure VM running Ubuntu 22.04 LTS in the required region and VNET.
  3. Then, the Veeam Backup Appliance sends a Run Command to the deployed Azure VM to download the worker binary files from the Veeam storage account using a SAS URI (Purple lines in diagram below). These files are then used to install software components required for the worker instance to perform backup and restore operations.
  4. Veeam creates an Azure Queue in the Azure region where the Worker resides. Veeam then uses the Azure Queue Storage messaging service to communicate with the worker instance (Blue lines in diagram below).

 

Azure VM Backup

Once the Veeam Worker is deployed in the right region and VNET, the Worker can process the Azure VM Backup:

  1. In the region where the worker instance is launched, Veeam checks whether sufficient disk access resources for the backup operation have been created for the Azure subscription associated with the backup appliance.  These Disk Access resources are created when enabling Private Network Deployment, as explained in the previous post.  If the disk access resources are insufficient, Veeam creates additional ones and associates them with the Azure VM snapshot created before.
  2. Veeam Backup for Azure reads data from the Azure VM snapshot using SAS URIs (green lines in the diagram below), compresses the data and transfers it to the target backup repository, and stores it in the native Veeam format.
    • To keep the communications private, a Private Endpoint for the Disk Access resource is used by the worker to get the data from the Azure VM Snapshot, as you can see in the diagram below.  This Private Endpoint should be created in the Azure region and VNET where the Worker is located.
    • In the same way, a Private Endpoint for Azure Blob will be used by the worker to send the backup data to the Backup Repository (Azure Blob), keeping the communications private and without leaving the Azure backbone network.
    • Changed block tracking (CBT) is used to reduce the amount of data read from snapshots during incremental backup sessions.
  3. When the backup is completed, Veeam Backup for Azure removes the SAS URIs, and then deallocates the worker instance to prevent using Azure resources and reduce overall costs.
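The worker deployment and backup steps above rely on three private endpoints existing in the worker's subnet: blob and queue on the Veeam storage account, and disks on the Disk Access resource. The following is an added example (not Veeam's code) that checks this offline against records in the shape returned by `az network private-endpoint list -o json`; every resource ID and endpoint name below is a constructed placeholder.

```python
# Added example, not part of Veeam Backup for Azure. Checks that the private
# endpoints required by the Worker Deployment (blob, queue) and Azure VM Backup
# (disks) steps exist, are approved and sit in the worker subnet. The input has
# the shape of `az network private-endpoint list -o json`; all IDs are constructed.
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-veeam/providers"
STORAGE_ID = SUB + "/Microsoft.Storage/storageAccounts/stveeamworkerwe"        # placeholder
DISK_ACCESS_ID = SUB + "/Microsoft.Compute/diskAccesses/da-veeam-we"           # placeholder
WORKER_SUBNET_ID = SUB + "/Microsoft.Network/virtualNetworks/vnet-worker-we/subnets/snet-worker"

def make_pe(name, target_id, group_id, subnet_id=WORKER_SUBNET_ID, status="Approved"):
    """Build one private-endpoint record in the az output shape (constructed sample data)."""
    return {"name": name, "subnet": {"id": subnet_id},
            "privateLinkServiceConnections": [{
                "privateLinkServiceId": target_id, "groupIds": [group_id],
                "privateLinkServiceConnectionState": {"status": status}}]}

# Constructed sample: the three endpoints the post describes, all in the worker subnet.
GOOD_SAMPLE = json.dumps([make_pe("pe-blob", STORAGE_ID, "blob"),
                          make_pe("pe-queue", STORAGE_ID, "queue"),
                          make_pe("pe-disks", DISK_ACCESS_ID, "disks")])

def check_private_endpoints(endpoints, storage_id=STORAGE_ID,
                            disk_access_id=DISK_ACCESS_ID, subnet_id=WORKER_SUBNET_ID):
    """Return {target_id: sorted missing group IDs}; an empty dict means all present.

    Only approved endpoints in the worker subnet count: an endpoint in another
    VNET, or one still pending approval, leaves the worker unable to reach the
    storage account or the snapshot data through the Disk Access resource."""
    records = json.loads(endpoints) if isinstance(endpoints, str) else endpoints
    required = {storage_id.lower(): {"blob", "queue"},   # Worker Deployment step 1 and 4
                disk_access_id.lower(): {"disks"}}       # Azure VM Backup step 2
    found = {target: set() for target in required}
    for pe in records:
        if (pe.get("subnet") or {}).get("id", "").lower() != subnet_id.lower():
            continue  # Azure resource IDs are case-insensitive, so compare lowercased
        for conn in pe.get("privateLinkServiceConnections", []):
            state = conn.get("privateLinkServiceConnectionState") or {}
            target = conn.get("privateLinkServiceId", "").lower()
            if target in found and state.get("status") == "Approved":
                found[target].update(g.lower() for g in conn.get("groupIds", []))
    return {t: sorted(required[t] - found[t]) for t in required if required[t] - found[t]}

if __name__ == "__main__":
    print(check_private_endpoints(GOOD_SAMPLE) or "all required private endpoints present")
```

Feed the function the real `az network private-endpoint list -o json` output for the worker's resource group, together with the IDs of the Veeam storage account, Disk Access resource and worker subnet for that region, and a non-empty result names the endpoint still to be created.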


That would be all the steps followed by Veeam Backup for Azure to protect Azure VMs in a secure manner, keeping all communications private, and without using public IP addresses or internet access for the backup data transfer.  See you next time!!