
Build for Azure

Deployment

A Service Provider can deploy a new appliance directly from Veeam Backup and Replication or from the Azure Marketplace.

If the Veeam Backup for Azure appliance is deployed from Veeam Backup and Replication, there is no need to make an extra connection.
If an appliance already exists in Azure but is not connected to Veeam Backup and Replication, it can be added from the VBR UI.
There is no limit on the number of appliances deployed and connected.

Storage

See supported storage accounts and limitations of Cloud storage here.
A Service Provider may create backup copies from an Azure Blob storage container using Veeam Backup and Replication.

Note that backup copies can land on a regular VBR repository.

Pros:

  • Storage agnostic
  • Backups can be sent to a Repository in another Cloud or region
  • Enables Immutability options for copied backups

Cons:

  • Requires another repository
  • Egress cost for backup copy
  • Immutability is available only for a Veeam Hardened Repository or within a SOBR with an S3 attached Capacity Tier with Object Lock. All Veeam Ready vendors of S3 immutable storage are listed here.

An S3 bucket with Cloud backups can be attached as an External repository to any Veeam Backup and Replication, e.g. for DR purposes.

Licensing

Licensing for Service Providers is Rental (pay as you go), consumed from the pool of Veeam Backup and Replication licenses.
The number of deployed appliances doesn’t affect license consumption.

Veeam Service Provider Console, within the standard feature set, will transparently show workloads protected by Veeam Backup for Azure. The Pulse plugin will work for Cloud VMs.

Useful resources

See more details on deployment steps and sizing for Veeam Backup for Azure below:

  • Deployment steps for Veeam Backup for Azure are fully described in the deployment guide
  • Sizing of the Appliance is described in Best Practices for Public Cloud here
  • Sizing of workers is fully described in Best Practices for Public Cloud here
  • Repository sizing is described in Best Practices for Public Cloud here
  • Required account permissions are described here

Pod Architecture

The Pod design is a good choice when the requirement is to share full access to the appliance. However, make sure you separate the production subscription and the backup account, so that if one account is compromised, the other remains safe.
All Pods connected to Veeam Backup and Replication are visible there together with their protected data.

  • Deployment of new Appliance
    Since this is infrastructure dedicated to a specific tenant, you may run it under the tenant’s subscription.
  • Deployment of workers
    Workers that process the data are provisioned automatically, and the tenant may control the amount of resources available for data processing under their subscription. Costs will also be covered by that account.
  • Storage account in the Cloud
    Azure Storage containers can be deployed in any region under the subscription, and there is no limit on the number of buckets you’d like to keep the data in. Storage costs will also be covered by the tenant subscription.
  • Access to Appliance
    The appliance and its configuration are available via the web UI or from Veeam Backup and Replication. The Service Provider can share a dedicated URL for access to the appliance with its tenants. Access can be restricted with built-in RBAC when needed; MFA is supported.

Pod Design

The listed ports don’t include ports required for product updates and specific operations such as Application-Aware Processing for Azure VMs. Check the full port requirements here.


Shared Access Architecture

The Shared Access design fits well when the Service Provider builds services around its own Cloud subscription to cover all management operations for data protection.

When the Service Provider builds the service under its own subscription and performs all backup and restore operations, the Shared Access design is the best choice. Cloud costs for backup processing and storage will be borne by the Service Provider, which might be a part of the service.

  • Deployment of new Appliance
    Since this is infrastructure shared among a number of tenants, the Service Provider can deploy one Veeam Backup for Azure appliance without giving tenants access to it. Otherwise they might see each other’s data. Data access control in Azure is managed via Azure Service Bus and account permissions that will peer workers to Azure VMs and other workloads for processing.
  • Deployment of workers
    Workers that process the data are provisioned automatically under the Service Provider subscription with shared access to the client infrastructure. Workers can be deployed in the tenant’s region to reduce costs and increase the efficiency of backup operations.
  • Storage account in the Cloud
    In this scenario Azure Storage containers are managed by the Service Provider. It’s recommended to have at least one container per tenant. Storage costs will also be covered by the Service Provider under its subscription.
  • Access to Appliance
    The appliance and its configuration are available via the web UI or from Veeam Backup and Replication. In this scenario you won’t share access to the appliance with the tenant; otherwise they would be able to manage all data there, even with the lowest restore operator role, because there is no separation per data set.

Shared access Design

The listed ports don’t include ports required for product updates and specific operations such as Application-Aware Processing for Azure VMs. Check the full port requirements here.
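The isolation rules of the two designs can be checked against a provider's own appliance inventory. The script below is an added example, not Veeam code: the inventory format, field names and sample records are assumptions constructed for illustration, and the subscription/account separation is modelled as two distinct subscription IDs.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical record format, not a Veeam or Azure API).
INVENTORY = [
    {"appliance": "vba-pod-a", "design": "pod", "tenants": ["tenant-a"],
     "production_subscription": "sub-a-prod", "backup_subscription": "sub-a-backup"},
    {"appliance": "vba-pod-b", "design": "pod", "tenants": ["tenant-b"],
     "production_subscription": "sub-b", "backup_subscription": "sub-b"},
    {"appliance": "vba-shared", "design": "shared",
     "tenants": ["tenant-c", "tenant-d", "tenant-e"],
     "tenant_logins": ["tenant-c-restore-operator"],
     "containers": {"tenant-c": ["bkp-c"], "tenant-d": ["bkp-c"]}},
]

def audit(appliance):
    """Return a list of findings for one appliance record; an empty list means it passes."""
    name, tenants = appliance["appliance"], appliance["tenants"]
    findings = []
    if appliance["design"] == "pod":
        # A pod is dedicated to one tenant; production and backup must be separated.
        if len(tenants) != 1:
            findings.append(f"{name}: pod serves {len(tenants)} tenants, expected 1")
        prod, backup = appliance["production_subscription"], appliance["backup_subscription"]
        if prod == backup:
            findings.append(f"{name}: production and backup share subscription '{prod}'")
    elif appliance["design"] == "shared":
        # Any tenant login exposes all data sets, whatever its role.
        for login in appliance.get("tenant_logins", []):
            findings.append(f"{name}: tenant login '{login}' can reach other tenants' data")
        owners = defaultdict(set)
        for tenant in tenants:
            containers = appliance.get("containers", {}).get(tenant, [])
            if not containers:
                findings.append(f"{name}: {tenant} has no container of its own")
            for container in containers:
                owners[container].add(tenant)
        for container, who in sorted(owners.items()):
            if len(who) > 1:
                findings.append(f"{name}: container '{container}' shared by {', '.join(sorted(who))}")
    else:
        findings.append(f"{name}: unknown design '{appliance['design']}'")
    return findings

def audit_all(inventory):
    """Flatten the findings for every appliance in the inventory."""
    return [finding for appliance in inventory for finding in audit(appliance)]

if __name__ == "__main__":
    print("\n".join(audit_all(INVENTORY)) or "no findings")
```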



Copyright © 2019-2022 Solutions Architects, Veeam Software.