Veeam Backup for Microsoft Azure – Getting Started: Setting up the Infrastructure

In this blog post we will cover the following topics;

- What is Veeam Backup for Azure
- Getting Started
- - Architecture
- - Deploying from Azure Marketplace
- - Logging on for the first time
- - Connecting to your Microsoft Azure Subscriptions and Storage Accounts
- - Configuring a repository account
- Deploying worker VMs
- Monitoring
- Protecting your Veeam Backup for Azure Appliance
- Download Logs

The follow up blog posts are;

- Configuring your first Backup Policy
- - How a backup policy works 
- - Creating a Backup Policy 
- - Viewing and Running a Backup Policy
- Restoring a backup
- - Viewing protected data 
- - File Level Recovery 
- - Virtual Machine Disk Restore 
- - Full VM Restore
- Integrating with Veeam Backup and Replication
- - Adding your Azure Repository to Veeam Backup and Replication 
- - Viewing your protected data 
- - What can you do with your data? 
- - - Restore/Recover/Protect

What is Veeam Backup for Azure?

If we look at the Microsoft document “Shared responsibility in the cloud”, we can see the very open comment;

  • Regardless of the type of deployment, the following responsibilities are always retained by you:
    • Data
    • Endpoints
    • Account
    • Access management

So, if you are always responsible for your data, that means you are responsible for protecting it, from both a security and a backup point of view.

Veeam Backup for Azure is a turnkey backup solution, available within the Azure Marketplace itself, which can quickly and securely protect your data. It removes the need to spend hours designing a solution and configuring the software.

Architecture

There are three main components;

  • Controller Server

A Linux VM deployed into Azure, which runs the Veeam Backup for Azure software.

  • Backup Repositories

Azure blob storage accounts where your Azure VM backups will be saved. The following storage accounts are supported currently;


  • Workers

These are Azure VMs which are deployed automatically or manually by the Veeam Backup for Azure server and are used for backing up and restoring the data. There is the capability to scale up and scale down the number of workers as needed.

The Azure region that worker VMs are deployed to depends on the storage account they are linked to.

Each worker can process a single VM at a time. If a worker is idle for 10 minutes or more, it is decommissioned (when set up to auto scale). Worker VMs run the following services:

  • A Worker service, which is responsible for fetching data from Azure.
  • A File-level recovery service, used for mounting data from a backup to the worker VM to initiate file-level recovery.


Deploy Veeam Backup for Azure from the Azure Marketplace

The solution is driven via a web portal, and the options to access it are;

  • Direct via Public IP address
    • I recommend setting up firewall rules if you do this
  • Accessing the portal via a private IP address via the use of a VPN or Azure Express route.
    • If you need a VPN solution, check out VeeamPN.
    • This removes the need to publicly expose the solution.
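
To check the firewall recommendation above, the following added example (not part of the original post) audits a Network Security Group export for rules that leave the appliance reachable from any Internet host, evaluating rules in priority order as an NSG does. The rule names and sample data are constructed, and ports 443 (web portal) and 22 (SSH to the Linux VM) are assumptions; the keys follow the output of `az network nsg rule list -o json`.

```python
import ipaddress

# Assumptions: 443 serves the web portal, 22 is SSH to the Linux appliance.
SENSITIVE_PORTS = {443, 22}

# Constructed sample in the shape of `az network nsg rule list -o json`.
SAMPLE_RULES = [
    {"name": "allow-admin-portal", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "443"},
    {"name": "allow-ssh-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "8080"]},
    {"name": "deny-portal-internet", "priority": 300, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-web-any", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "400-500"},
]

def _any_source(rule):
    """True when the rule's source covers arbitrary Internet hosts."""
    prefixes = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or [])
    for prefix in filter(None, prefixes):
        if prefix.lower() in ("*", "internet"):
            return True
        try:
            if ipaddress.ip_network(prefix, strict=False).prefixlen == 0:
                return True
        except ValueError:
            pass  # other service tags (VirtualNetwork, ...) are not Internet-wide
    return False

def _covers(rule, port):
    """True when the rule's destination ports ('443', '400-500', '*') include port."""
    specs = [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges") or [])
    ranges = (("0-65535" if s == "*" else s).partition("-") for s in filter(None, specs))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def exposed_ports(rules, ports=SENSITIVE_PORTS):
    """Return {port: rule name} for ports any Internet host is allowed to reach."""
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"
                      and r.get("protocol", "*").lower() in ("tcp", "*")),
                     key=lambda r: r["priority"])
    findings = {}
    for port in sorted(ports):
        for rule in inbound:
            if _any_source(rule) and _covers(rule, port):
                if rule["access"].lower() == "allow":
                    findings[port] = rule["name"]
                break  # lowest priority number that matches decides
    return findings
```

On the sample, `exposed_ports(SAMPLE_RULES)` reports only port 22: the portal rule limited to one admin address is not flagged, and the broad `allow-web-any` rule is shadowed for 443 by the earlier deny.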

Logging into the Veeam Backup for Azure Console

On your first login, you’ll provide the username and password configured during the deployment from the marketplace.

In my example, I will be using the publicly assigned IP address to log into the Portal UI. Upon first logon you will need to accept the EULA.

The interface is heavily wizard driven, which makes it simple to use and consume as a solution. If you’ve used Veeam Availability Orchestrator in the past, you’ll recognise similarities with the interface.

Logging into the solution for the first time, you’ll see this getting started screen, which makes it easy to understand how to operationalise the solution and start protecting your data.

Connecting to your Microsoft Azure Subscriptions and Storage Accounts

From the getting started page, we’ll click the first task to connect our Veeam Backup for Azure solution to our Microsoft Azure platform, which takes us to the screen shown below.

Note: you can only connect your solution to a single Azure account, so make sure that account has the relevant permissions to your various subscriptions and resources. If you need to have separation of accounts, you can stand up multiple Veeam Solutions.

By clicking “Add”, we will find ourselves in the wizard;

  • Provide account Name and Description

  • Select the service account type to use

Here you can either let the solution create the necessary service accounts with the correct permissions, or configure this manually and provide the service account details.

The solution uses a service account for the following purposes:

- - To perform synchronization of your Microsoft Azure VMs and virtual disks with the configuration database that is located on the controller server.
- - To perform synchronization of your Azure storage accounts and subscriptions, including Azure LightHouse.
- - To access your Microsoft Azure VMs and virtual disks during a backup.
- - To access Microsoft Azure storage accounts that you want to use as backup repositories.
- - To create and remove snapshots of your Microsoft Azure VMs.
[Source]

If you want to perform this account creation manually, see this post for the steps and the permissions here.

One last comment: due to Microsoft Azure Active Directory limitations, a service account can only access resources linked to the default directory. If you need to access other subscriptions to back up the linked resources, the recommendation is to look at Azure Lighthouse.

  • Logon to Microsoft Azure

On the next screen, you will need to authenticate to Microsoft Azure. In my example I am choosing to allow the solution to create the necessary service account.

You will be asked to click a link to “https://microsoft.com/devicelogin” and paste the unique code to authenticate the solution against your Azure platform.

Then choose the correct account for the Azure subscriptions and resources.

Back on your Veeam Backup for Azure web portal, you will see the wizard polling for an update to the authorization status.

Below I took the screenshot just as the authentication had completed.

  • Service Provider

You would use this option if you are looking to provide access and authorisation via Azure Active Directory groups. Typically, this configuration will be used by Service Providers who are managing their customers’ environments that run in Azure.

  • Summary

Like all good wizards, we finish on a Summary page, which confirms that the service account created by the solution is linked to the three available subscriptions I have in Azure. (For testing, I added three pay as you go accounts).

Repository Accounts

Your Microsoft Azure account will automatically be used as the repository account; however, you can create a restricted account policy and have a separate account used for accessing your repositories.

Again, this is through a wizard found by going to;

Configuration (top right) > Accounts > Repository accounts > Add

The steps are pretty self-explanatory and mimic, in part, setting up a Microsoft Azure Account. So, I’ll just post the screenshots of the steps.

Adding a Repository

At this moment in time, only Blob storage is currently supported, either hot or cold access.

Deploying Worker VMs

To create a new worker VM deployment configuration (where you set how many worker VMs should be deployed for your backup policies), go to Configuration > Workers > Worker Configuration > Add.

This will set up a region-specific configuration for the deployment of Worker VMs.

  • Select your region configuration and VM sizing, and the minimum and maximum number of worker instances to be deployed during a backup run.

I really like that when selecting the VM size, you are given an estimated cost of running that instance size.

  • Specify the network settings that you want to deploy your VM to, if needed you can create a new network on the fly.

  • Finally, review your settings; clicking Finish will deploy the minimum number of worker VMs configured.

Below we can now see the status of the deployed worker configuration.

And here is a quick shot of the information shown when I click on the status.

Clicking the Instances tab under the Worker navigation page, we can see the status of our individual Worker VMs. Below you can see my single instance status updating to fully deployed.

Moving to my Microsoft Azure Portal, we can see the worker virtual machine and associated objects, which I’ve deployed to the same region and network as my Veeam Backup for Microsoft Azure deployment.

Monitoring

To monitor the actions and sessions inside of Veeam Backup for Azure, you have two options;

  • Visit the Monitoring > Overview page

This gives you a 24-hour snapshot of all sessions run, with high-level numbers on the configuration of your environment, such as virtual machines protected.

You can click to see further Item and Status level info for the sessions run over the past 24 hours.

  • Visit the Management > Sessions Log

This gives you access to all sessions run that are kept in the database, with a search function.

Protecting your Veeam Backup for Azure Appliance

You can protect your deployed appliance by going to;

  • Configuration view > Server Settings: Settings > System

Enabling the “Auto-Backup” setting will automatically create snapshots for your Veeam Backup for Azure appliance based on the settings you provide.

You can learn how to recover/restore the appliance on Veeam KB 3091.

Download Logs

To download the system and session logs for troubleshooting;

  • Configuration View > Server Settings: Support Information > Download Logs

Select your time period that you want the logs from, and you will be given a Zip file to download.

Summary

In this blog post, we looked at setting up Veeam Backup for Azure and the basic deployments of the components.

In the next blog posts we will go through;

- Configuring your first Backup Policy 
- - How a backup policy works 
- - Creating a Backup Policy 
- - Viewing and Running a Backup Policy 
- Restoring a backup 
- - Viewing protected data 
- - File Level Recovery 
- - Virtual Machine Disk Restore 
- - Full VM Restore 
- Integrating with Veeam Backup and Replication 
- - Adding your Azure Repository to Veeam Backup and Replication 
- - Viewing your protected data 
- - What can you do with your data? 
- - - Restore/Recover/Protect

Regards
