Hello guys,
It is very common today to see a requirement that Veeam Backup for Azure use a Private Network Deployment.
As this has MANY steps that involve not only Veeam Backup for Azure but also Azure knowledge, I decided to write this guide with all the necessary steps.
So, let’s move on! 😊
This guide was created based on Veeam Backup for Azure v7.
This guide assumes the following:
- The Veeam Backup for Azure is deployed and integrated with Veeam Backup & Replication using Private IP (Deploying Backup Appliance - Veeam Backup for Microsoft Azure Guide)
- The basic configuration is already done (Service Account, Repository and Worker settings)
- A private Virtual Network exists on Azure (this means a Virtual Network with no direct access to the internet and no public IP)
- An internet connection is necessary during the deployment in the Virtual Network to create the Default Service Account and update the appliance.
- In my lab, I used a NAT Gateway to provide internet access to the private Virtual Network/Subnet.
- To simplify the guide, I’m using just one Virtual Network and 2 Subnets (1 for the appliance and 1 for the Workers). If you use more than one Virtual Network, be aware that a Virtual Network Peering will be needed for the Virtual Networks to communicate with each other.
I used the steps described in the User Guide:
- Configuring Deployment Mode - Veeam Backup for Microsoft Azure Guide
- Private Network Deployment - Veeam Backup for Microsoft Azure Guide
- Working in Private Environments - Veeam Backup for Microsoft Azure Guide
The first thing to do is enable Private Network Deployment; then we will cover all the configuration that needs to be done on the Azure side.

Configuring Private DNS
As the communication is all private, we need to create the private DNS zone to be able to resolve the FQDN of all resources.
In this example I will use the Private DNS from Azure.
Create the Private DNS Zones for blob and queue:

In the end, we'll have both zones created:

Now that we have the Private DNS Zones, we need to associate the Virtual Networks used by the appliance and the Workers.
We need the full Resource ID of the Virtual Network to associate it with the zones. To get the ID, open the Virtual Network and click on JSON View:

Copy the Resource ID:

Go back to the Private DNS Zone, go to Virtual Network Links:

Choose a name for the link, select the option "I know the resource ID of virtual network" and paste the Resource ID:

Do the same for the other Private DNS Zone, and add a link for each additional Virtual Network if you use more than one.
After the registration, it should look like this:

If you are using application-aware processing in the policies, the Virtual Network used by the VMs must also be linked to the Private DNS Zones so the VMs can resolve the storage account FQDN. Here's an example:

Configuring Storage Account for Repository
Now let's configure the storage account used for the repository to use Private Endpoints.
Make sure the Public network access is disabled in the storage account:

Go to Private endpoint connections and create a new one:

Choose a name and the region:

Choose blob as the resource because this private endpoint is for the repository:

Choose the Virtual Network that will be used by the appliance. In my case I'm using the Worker subnet and the Virtual Network is the same for the appliance/worker.

Make sure the option to integrate with a private DNS zone is selected. As we already created the internal DNS, we don't need to change anything:

Make sure an A record was created in the private zone, like the example below:

Also, if the Private Endpoint was created in a different Virtual Network, make sure a Peering between the Virtual Network the Veeam Backup for Azure appliance is using and the Virtual Network used by the Private Endpoint is created. You can find the steps here: Configure Private Endpoint Network Settings - Veeam Backup for Microsoft Azure Guide
Testing a VM Backup Policy (FIRST TRY)
Now we must create a policy to back up a VM to the repository. The policy will fail, but this will automatically create the necessary Private Endpoints for the Service Storage Accounts.
The policy should fail with the error below:

Back to Azure Portal, filter the resources for storage account to find the Service Storage Accounts created:

Open the Private Endpoints section for each storage account and find the private endpoints created:

Check the sub-resource of the private endpoint to determine which Private DNS Zone we need to use:

Go to DNS Configuration and click "Add Configuration":

Choose the zone related to the sub-resource:

The DNS integration with the Private Zone will be created:

Repeat the steps for all the Private Endpoints created.
Testing a VM Backup Policy (SECOND TRY)
Let's go back to the policy and run it again.
This time it will fail because the Private Endpoint for Disk Access is not integrated with the private DNS zone, but it was created when we ran the policy.

Go back to Azure Portal and go to Disk Access.
Find the new Disk Access automatically created by Veeam Backup for Azure:

Go to Private Endpoint connections and check that a new Private Endpoint was created:

The sub-resource for this Private Endpoint will be disks:

We need to integrate with the blob private zone:

Testing a VM Backup Policy (LAST TIME)
Let's run the policy one more time. If everything was configured correctly, the policy should work this time.

Now all the communication needed to run backups and restores goes through private endpoints, and no internet connection is needed. :)
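
To confirm the result of the DNS steps above, the following added example (not part of the original guide or of Veeam's tooling) resolves each storage account or disk access FQDN and checks that every answer falls inside the Virtual Network address space. It is meant to be run from a machine in the appliance or Worker subnet; the function names, the script name and the CIDR/FQDN arguments are assumptions chosen for illustration.

```python
import ipaddress
import socket
import sys


def resolve_ipv4(fqdn):
    """Resolve fqdn with the system resolver and return its IPv4 addresses."""
    infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_endpoint(fqdn, vnet_cidrs, resolver=resolve_ipv4):
    """Return (status, addresses) for one storage or disk access FQDN.

    private    - every address is inside the given Virtual Network ranges
    outside    - the name resolves, but to an address outside the VNet
                 (for example the public endpoint): the private endpoint is
                 not being used from this network
    unresolved - no answer; a typical cause is a linked Private DNS Zone
                 that has no A record for this endpoint yet
    """
    networks = [ipaddress.ip_network(c) for c in vnet_cidrs]
    try:
        addresses = resolver(fqdn)
    except socket.gaierror:
        addresses = []
    if not addresses:
        return "unresolved", []
    inside = all(any(ipaddress.ip_address(a) in n for n in networks)
                 for a in addresses)
    return ("private" if inside else "outside"), addresses


def audit(fqdns, vnet_cidrs, resolver=resolve_ipv4):
    """Check every FQDN and return {fqdn: (status, addresses)}."""
    return {f: check_endpoint(f, vnet_cidrs, resolver) for f in fqdns}


def main(argv):
    if len(argv) < 3:
        print("usage: check_private_dns.py <vnet-cidr[,cidr...]> <fqdn> [<fqdn> ...]")
        return 2
    results = audit(argv[2:], argv[1].split(","))
    for fqdn, (status, addrs) in results.items():
        print(f"{status:10} {fqdn} {' '.join(addrs)}")
    # Non-zero exit code if any endpoint is not served from the private range
    return 0 if all(s == "private" for s, _ in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the Virtual Network address space first, then the FQDNs of the repository storage account, the Service Storage Accounts and the disk access endpoint; anything reported as `outside` or `unresolved` points at a Private Endpoint whose DNS configuration still needs to be added.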