Hi everyone! Today I’ll start a new topic on this blog: how to protect Azure workloads using Veeam Backup for Azure in a Private Network Deployment.
In Veeam Backup for Azure, the private deployment feature increases the security of your environment by keeping network traffic within a private network. When using a private environment, the Veeam Backup appliance is not assigned any public IPv4 address, so you have to perform a number of additional configuration actions to allow private network access.
If you want to know all the steps Veeam Backup for Azure performs when running a Virtual Machine backup in a Private Deployment, check the following link from the official documentation: https://helpcenter.veeam.com/docs/vbazure/guide/vm_backup_pne.html?ver=8.
Now, let’s discuss how to configure Veeam and the Azure components to work in a Private Network Deployment.
Deploying Veeam Backup for Azure
Before configuring anything, we of course need to deploy Veeam Backup for Azure. Starting from V7, Veeam Backup for Azure can be deployed ONLY from the Veeam Backup & Replication console, which means we need to have a Veeam Backup Server up and running before deploying Veeam for Azure.
To get details about how to deploy the Veeam Backup for Azure appliance, please check the following link: https://helpcenter.veeam.com/docs/vbazure/guide/deploying_appliance.html?ver=8
IMPORTANT: During the deployment of Veeam Backup for Azure, you can choose to use a private IP address for the appliance: https://helpcenter.veeam.com/docs/vbazure/guide/deploying_appliance_connection_type.html?ver=8
So, at minimum we need to have a Veeam Backup Server and a Veeam Backup for Azure appliance running. The Veeam Backup Server could be running in Azure, or on-premises using a VPN or ExpressRoute to get a private connection to the Veeam Backup for Azure appliance. In this blog, we will assume both are running in Azure.
As a best practice, Veeam recommends deploying the Veeam components in a dedicated Resource Group in Azure. You can also create a dedicated VNET for the Veeam components, as you can see in the following image.
VNET Peering
The next step would be to set up a VNET Peering between the VNet to which the backup appliance is connected and the VNet to which the worker instances are connected.
In our example we will deploy the workers in the same VNET as the appliance, so we don’t need a VNET Peering for this. However, if we are planning to back up VMs located in different regions, then we need to deploy workers in VNETs located in those regions too. In that case, we need to configure a VNET Peering to those VNETs in the remote regions.
In addition, if we are planning to use application-aware processing for VM backups, or file-level recovery to the original location, then we need to set up a VNET Peering between the VNet to which the backup appliance is connected and the VNet to which the protected VM is connected.
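The peering described above, as an added infrastructure-as-code example (this is not Veeam’s code or documentation): a Bicep template that peers the VNet hosting the appliance with a VNet in another region used by the workers (or the VNet of a protected VM). The VNet names are assumptions, and both VNets are assumed to live in the resource group the template is deployed to. Peering is directional, so the template creates one peering object under each VNet; gateway transit and forwarded traffic are left off because the appliance/worker traffic only needs plain VNet-to-VNet reachability.

```bicep
// Added example, not part of the original post. All names are assumptions.
targetScope = 'resourceGroup'

@description('VNet the Veeam Backup for Azure appliance is connected to (assumed name)')
param applianceVnetName string = 'vnet-veeam'

@description('VNet in the remote region where workers run, or the VNet of a protected VM (assumed name)')
param remoteVnetName string = 'vnet-workers-westeurope'

resource applianceVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: applianceVnetName
}

resource remoteVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: remoteVnetName
}

// Appliance VNet -> remote VNet. Global peering works across regions.
resource toRemote 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: applianceVnet
  name: 'peer-to-${remoteVnetName}'
  properties: {
    remoteVirtualNetwork: { id: remoteVnet.id }
    allowVirtualNetworkAccess: true // appliance <-> worker/VM traffic stays inside Azure
    allowForwardedTraffic: false    // no transit through NVAs needed for this use case
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}

// Remote VNet -> appliance VNet. Without this second leg the peering stays "Initiated".
resource toAppliance 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: remoteVnet
  name: 'peer-to-${applianceVnetName}'
  properties: {
    remoteVirtualNetwork: { id: applianceVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}

output peeringState string = toRemote.properties.peeringState
```

Deploy it with `az deployment group create --resource-group <rg> --template-file peering.bicep` (resource group name is yours). The `peeringState` output should read `Connected` once both legs exist; if the two VNets sit in different resource groups or subscriptions, split the template into two deployments scoped to each side.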
Backup Repository
The next step will be to create and configure a Backup Repository using Azure Blob.
For this we need an Azure Storage Account ready to be used as a repository. You can find the requirements and limitations in the official documentation.
Then, we need to make sure the communication between the Veeam components and Azure Blob is private, without using any public endpoint, which would mean the traffic leaves the Azure network.
To make sure the communication with Azure Blob is private, the next step will be to configure an Azure Private Endpoint. You must create a separate Private Endpoint for every VNet to which the backup appliance or worker instances are connected, as you can see in the following image.
If you want to know how to create this Private Endpoint, you can follow the instructions from official documentation: https://helpcenter.veeam.com/docs/vbazure/guide/app_pne_storage_endpoints.html?ver=8
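As an added example (not Veeam’s code, and not a substitute for the documentation linked above), here is a Bicep template for the repository storage account together with a Private Endpoint on its Blob sub-resource and the matching private DNS zone. The storage account name, VNet name and subnet name are assumptions. The security-relevant settings are `publicNetworkAccess: 'Disabled'` and `networkAcls.defaultAction: 'Deny'`, which make the Blob endpoint unreachable from anywhere except the private endpoint; the DNS zone link is what makes `<account>.blob.core.windows.net` resolve to the private IP from inside the VNet, so the appliance and workers do not silently fall back to the public address.

```bicep
// Added example, not part of the original post. Names and address spaces are assumptions.
targetScope = 'resourceGroup'

@description('Region of the VNet hosting the appliance or this region\'s workers')
param location string = resourceGroup().location

@description('Existing VNet the backup appliance (or the workers of this region) is connected to (assumed name)')
param vnetName string = 'vnet-veeam'

@description('Subnet in that VNet where the private endpoint NIC is placed (assumed name)')
param peSubnetName string = 'snet-private-endpoints'

@description('Globally unique storage account name used as the Veeam backup repository (assumed name)')
param storageAccountName string = 'stveeamrepo001'

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

resource peSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: peSubnetName
}

// Repository storage account: public network access off, so Blob is only reachable
// through the private endpoint below.
resource repo 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false      // no anonymous container/blob access
    publicNetworkAccess: 'Disabled'   // the public endpoint is switched off entirely
    networkAcls: {
      defaultAction: 'Deny'           // deny-by-default even if public access is re-enabled later
      bypass: 'AzureServices'
    }
  }
}

// One private endpoint per VNet: repeat this resource (with the subnet of that VNet)
// for every VNet to which the appliance or a worker configuration is connected.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: { id: peSubnet.id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: repo.id
          groupIds: [ 'blob' ]         // only the Blob sub-resource is exposed privately
        }
      }
    ]
  }
}

// Private DNS zone so that <account>.blob.core.windows.net resolves to the
// private endpoint IP for clients inside the linked VNet.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// Registers the endpoint's A record in the zone automatically.
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: blobZone.id }
      }
    ]
  }
}

output privateEndpointId string = pe.id
```

After deployment, a quick check from the appliance VNet is `nslookup <account>.blob.core.windows.net`: it should return an address from the private endpoint subnet, not a public IP. If it still returns a public address, the VNet is not linked to the private DNS zone (or a custom DNS server is in the path and does not forward the `privatelink` zone).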
Now you can add the Backup Repository to Veeam Backup for Azure following the instructions described in the official documentation: https://helpcenter.veeam.com/docs/vbazure/guide/repository_add_ui.html?ver=8
Workers
This is almost the last step of this first blog post: now we need to add the Workers to the Veeam Backup for Azure configuration. We need to add a Worker configuration for every region where we have Virtual Machines or Azure SQL instances we want to protect.
You can add the Worker configuration following the instructions described in the official documentation: https://helpcenter.veeam.com/docs/vbazure/guide/worker_configuration_add.html?ver=8.
NOTE: I’ll explain how Workers are deployed in a Private Network Deployment in the next part of this series.
Enabling Private Network Deployment
Now we have to enable the Private Network Deployment mode in the Veeam Backup for Azure appliance. In order to do this, we need to:
- Switch to the Configuration page, navigate to General > Deployment Mode and set the Private network deployment toggle to On.
- Set the Create service endpoints toggle to On, so Veeam Backup for Azure will create the required Service Endpoint.
- Click Save.
Veeam Backup for Azure will automatically configure some of the network settings required to allow secure communication between the backup appliance and the storage accounts where Veeam applications and scripts are stored (Veeam Backup for Azure creates these Storage Accounts in the Azure regions where worker instances are launched and where protected VMs with VSS agents reside). Also, Veeam for Azure will make sure the Azure Queue Storage messaging service is in place to transfer data between services in private virtual networks.
I hope this has been interesting, and we will continue this series in the next post!!!