The best practice is to create a dedicated “backup” account and run the Veeam components there, so that a compromise of the production account does not affect the backups.
The core idea of the pod design is to create dedicated management infrastructure per customer.
A pod is a set of Veeam Backup for Public Cloud components deployed in a specific account to protect only that account's data. Pod components include:
- Veeam Backup for Public Cloud
- Set of workers
- Cloud storage
Although the service provider distributes the pods, all protected data is manageable through Veeam Backup and Replication.
All pods and protected data from the public cloud are visible within the Veeam Backup and Replication server. There is no real limit on the number of pods managed by a Veeam Backup and Replication server, and the number of pods does not affect license consumption; only protected workloads do.
This case applies if the data is located in the customer's or the service provider's infrastructure. The workloads to protect reside in the public cloud.
In pod designs, each VBR server is tied to multiple Veeam Backup for Public Cloud appliances. At the same time, pods and their components can be deployed in the service provider's or the customer's cloud subscription. If the customer is already using Veeam Backup and Replication for on-prem protection, the same VBR server can be reused, which reduces additional costs.
Note that, to simplify usage reporting, service providers may also deploy Veeam Backup and Replication on a per-tenant basis.
With the pod design, the service provider (SP) can provide self-service capabilities for tenants.
Since a dedicated Public Cloud Appliance is deployed for each tenant, the SP can provide access to the appliance using a dedicated URL.
However, the scope of permissions that can be assigned to the customer can be limited. From field experience, it's recommended to assign the Restore Operator role. More details on role-based access control for the Public Cloud Appliance are listed below:
- RBAC for Veeam Backup for AWS is described here
- RBAC for Veeam Backup for Azure is described here
- RBAC for Veeam Backup for GCP is described here
As part of self-service, tenants may attach the cloud storage as an external repository to a Veeam Backup and Replication server and perform recoveries from there.