Question

using custom domain name with Azure Blob Storage account

  • 28 November 2023

Userlevel 1

By default, when you create an Azure Blob Storage repository inside of VEEAM you are only required to enter the Blob Storage account name and key.
Somehow VEEAM knows how to connect to Azure Blob and I assume it then relates to the actual Blob Account’s URL, e.g. https://myblobaccount.blob.core.windows.net/


We have multiple sites and have set up multiple Azure Blob accounts (1 for each site).
We also have a distributed firewall system whereby each site has its own set of firewall rules.

To date we have been setting firewall allow rules to allow VEEAM to access AZURE Blob storage site-by-site, meaning X sites == X firewall rules.

We are trying to move to a single wildcard-based rule which can be applied in a consistent manner to all edge firewalls; however, in our testing we were unable to get this to work.

Using MS Azure Custom Domain to access blob data (see excerpt at bottom of this post), we created a CNAME like below:

myblobaccount.myinternalstorage.mycompanydomain.com CNAME  myblobaccount.blob.core.windows.net

then deployed a single firewall rule like
ALLOW:   *.myinternalstorage.mycompanydomain.com

We have confirmed that the CNAME resolves both internally and externally to our network.


So the question is:
Is there a way in VEEAM (VBR12) to configure the URL that is associated with the Azure Blob account such that I can override the (‘Default’) myblobaccount.blob.core.windows.net references and use my custom domain name?

---excerpt from MS Blob Account - Custom Domain ----
From MS Blob Account page - Networking - Custom Domain

Configure a custom domain for accessing blob data in your Azure storage account, like www.contoso.com. There are two methods you can use to set up a custom domain.

  1. Create a CNAME record with your DNS provider that points from your domain (like www.contoso.com) to myblobaccount.blob.core.windows.net or myblobaccount.z8.web.core.windows.net then enter your domain below. This method is simpler, but results in a brief downtime while Azure verifies the domain registration.
  2. Create a CNAME record with your DNS provider that points from the "asverify" subdomain (like asverify.www.contoso.com) to asverify.myblobaccount.blob.core.windows.net or asverify.myblobaccount.z8.web.core.windows.net. After this step completes, enter your domain below (exclude the 'asverify' subdomain). This method does not incur any downtime. To use this method, select the 'Use indirect CNAME validation' checkbox.


5 comments

Userlevel 1

Wildcarding blob.core.windows.net is not an option due to security constraints/policies.

Userlevel 7

Based on the excerpt from the MS Blob account page for custom domains, you need to update your DNS as stated and then in Veeam you can use the URL that you create for the CNAME record to point to. It should be that easy.

Userlevel 7

Hi,

The steps you’ve provided are the ones necessary for HTTP, but there are additional steps for HTTPS; utilising Azure Front Door or Azure CDN will incur additional costs.

In short, I don’t know if Veeam support this. I would strongly suggest raising the question via Veeam Support, as it might be an XML file change or registry key change, for example, to amend the domain suffix.


What is the core problem you’re trying to solve here, administrative headaches for firewall rules?
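
The HTTP versus HTTPS point above and the wildcard firewall rule from the question, worked through as an added example that is not part of the original thread and is not Veeam or Microsoft code. It assumes the firewall matches its FQDN rule against the hostname the client requests, and that the certificate presented by the blob endpoint covers only `*.blob.core.windows.net`; hostnames are the poster's placeholders.

```python
# Added example: label-wise wildcard matching, as used for TLS certificate
# names and assumed here for the firewall FQDN allow rule as well.

def wildcard_match(pattern: str, hostname: str) -> bool:
    """True if hostname matches pattern. '*' is honoured only as the whole
    leftmost label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

# Rule from the question (placeholder domain chosen by the poster).
FIREWALL_ALLOW = ["*.myinternalstorage.mycompanydomain.com"]
# Assumption: names on the certificate served by the storage endpoint.
CERT_NAMES = ["*.blob.core.windows.net"]

def assess(requested_host: str) -> dict:
    """Evaluate one client-requested hostname against both checks."""
    return {
        "host": requested_host,
        "firewall_allows": any(wildcard_match(r, requested_host)
                               for r in FIREWALL_ALLOW),
        "tls_name_ok": any(wildcard_match(n, requested_host)
                           for n in CERT_NAMES),
    }

if __name__ == "__main__":
    for host in (
        "myblobaccount.blob.core.windows.net",                  # default endpoint
        "myblobaccount.myinternalstorage.mycompanydomain.com",  # CNAME alias
    ):
        print(assess(host))
```

Under these assumptions, a client that requests the default endpoint name is not covered by the custom-domain allow rule, and a client that requests the alias over HTTPS gets a certificate whose name does not match it.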

Userlevel 1

@MicoolPaul - we are trying to solve both security and admin headaches.
I’m going to raise a support case.
Thanks to those who responded, and I will post back what comes of it.

Userlevel 7

Hi @DMOZDFE -

I’m just following up on your post here...were you able to contact Support, and were they able to answer your question about Azure supportability for what you’re wanting to do? If so, do you mind sharing what they suggested so others with a similar question who come across your post may benefit?

Thank you.
