The best practice is to create a dedicated “backup” account and run the Veeam components there, so that a compromise of the production account does not also compromise the backups.
High level idea
The core idea of the Shared design is to provide a fully managed backup service for customers. The Service Provider hosts and manages the Veeam Backup infrastructure for the customers’ cloud workloads, so backup and recovery operations run in the Service Provider’s subscription.
Source of data:
Production data is located in the tenant’s public cloud account.
The Service Provider will host:
- Veeam Backup for Public Cloud Appliance
  A service account and a set of permissions must be configured between the Veeam Backup for Public Cloud appliance and the customer’s subscription for backup and restore operations.
- Worker instances per tenant
  Workers should be placed as close as possible to the production infrastructure, at least in the same region, to reduce the cost of backup and restore processing.
- Storage Accounts per tenant
  You may attach the cloud storage to Veeam Backup and Replication and perform recoveries from there without exposing third parties’ data.
The Service Provider manages the data from the UI of the Public Cloud appliance or of the Veeam Backup and Replication server.
Self-service is possible if the Service Provider shares access to the Veeam Backup for Public Cloud appliance with the tenant.
Keep in mind that if customer workloads are located in a shared account of the Service Provider, the Service and Repository Accounts must be given permissions scoped to that customer’s resources only. Otherwise the customer will have access to third parties’ data. The appliance’s RBAC does not solve this, since its roles only limit what a user can do across the entire protected scope of the appliance; they do not restrict which tenant’s resources the Service and Repository Accounts can reach.
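The isolation check behind that warning can be automated: dump the role assignments of every Service and Repository Account in the shared subscription and verify that each one is scoped to its own tenant’s storage, never to another tenant’s storage and never to a resource group or the whole subscription. The script below is an added example and not Veeam’s code; its records are constructed to resemble Azure role-assignment entries (principal object ID, role name, scope resource ID), and the tenant names, principal IDs, resource groups and storage-account names are hypothetical.

```python
"""Audit role assignments for tenant isolation in a shared Service Provider subscription.

Added example, not Veeam's code. The records are constructed to resemble Azure
role-assignment entries (principal object ID, role name, scope resource ID);
tenant names, principal IDs, resource groups and storage-account names are
hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # object ID of a Service or Repository account
    role: str
    scope: str      # resource ID the role is granted on


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # hypothetical SP subscription
STA = "/providers/Microsoft.Storage/storageAccounts/"

# Constructed: the principals and storage accounts that belong to each tenant.
TENANTS = {
    "tenant-a": {
        "principals": {"svc-a", "repo-a"},
        "storage": {SUB + "/resourceGroups/rg-a" + STA + "stbackupa"},
    },
    "tenant-b": {
        "principals": {"svc-b", "repo-b"},
        "storage": {SUB + "/resourceGroups/rg-b" + STA + "stbackupb"},
    },
}

# Constructed role assignments: the first three respect isolation, the last two do not.
ASSIGNMENTS = [
    RoleAssignment("svc-a", "Storage Blob Data Contributor",
                   SUB + "/resourceGroups/rg-a" + STA + "stbackupa"),
    RoleAssignment("repo-a", "Storage Blob Data Contributor",
                   SUB + "/resourceGroups/rg-a" + STA + "stbackupa/blobServices/default"),
    RoleAssignment("svc-b", "Storage Blob Data Contributor",
                   SUB + "/resourceGroups/rg-b" + STA + "stbackupb"),
    # Granted on the whole subscription: reaches every tenant's storage.
    RoleAssignment("repo-b", "Storage Blob Data Contributor", SUB),
    # Granted on tenant-b's storage to a tenant-a principal.
    RoleAssignment("svc-a", "Reader", SUB + "/resourceGroups/rg-b" + STA + "stbackupb"),
]


def owner_of(principal, tenants):
    """Return the tenant a principal belongs to, or None if it is unmapped."""
    for name, tenant in tenants.items():
        if principal in tenant["principals"]:
            return name
    return None


def within(scope, resource):
    """True if `scope` is `resource` itself or a child resource of it."""
    return scope == resource or scope.startswith(resource + "/")


def audit(assignments, tenants):
    """Return (principal, scope, reason) for every assignment that breaks tenant isolation."""
    findings = []
    storage = {name: tenant["storage"] for name, tenant in tenants.items()}
    for a in assignments:
        owner = owner_of(a.principal, tenants)
        if owner is None:
            findings.append((a.principal, a.scope, "principal not mapped to any tenant"))
            continue
        if any(within(a.scope, r) for r in storage[owner]):
            continue  # scoped to the tenant's own storage account (or a child of it)
        # Scope is a parent of some tenant storage account (resource group or subscription).
        if any(r.startswith(a.scope + "/") for rs in storage.values() for r in rs):
            reason = "scope broader than one storage account; covers other tenants' data"
        elif any(within(a.scope, r)
                 for name, rs in storage.items() if name != owner for r in rs):
            reason = "scope is another tenant's storage account"
        else:
            reason = "scope outside any known tenant storage"
        findings.append((a.principal, a.scope, reason))
    return findings


if __name__ == "__main__":
    for principal, scope, reason in audit(ASSIGNMENTS, TENANTS):
        print(f"{principal}: {reason} ({scope})")
```

In a real run, replace the constructed `ASSIGNMENTS` with the exported role assignments of each tenant’s Service and Repository Account and `TENANTS` with your own mapping; any finding means that account can read data it should not, regardless of what role is configured for the tenant’s user inside the appliance.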
As part of self-service, tenants may attach the cloud storage as an External Repository to a Veeam Backup and Replication server and perform recoveries from there without exposing third parties’ data.
Note that in this scenario the costs of backup and recovery operations and of storage are charged to the Service Provider’s account.