When Veeam released Veeam FastSCP for Microsoft Azure a couple of months ago, we still deployed our VMs (virtual machines) in the classic ASM (Azure Service Management) model. Microsoft recently released a new model called ARM (Azure Resource Manager). I’m not going into depth about the differences between the two models, but I did want to point out that a VM deployed in the ASM model is deployed differently in the ARM model.

Microsoft views the ARM model as the future to deploy new compute resources. Unfortunately, because of the differences in deployment, Veeam FastSCP for Microsoft Azure doesn’t work anymore out-of-the-box. For this reason, you’ll need to make some changes inside the VM to get it working again.

Here is the procedure to take advantage of Veeam FastSCP for Microsoft Azure with Microsoft ARM-deployed VMs.

Create firewall rules

In the classic model, firewall rules were called endpoints, and they needed to be created per VM. In the ARM model, you can create a security group that you can use to create firewall rules for all VMs in that resource group.

In my example, I have a resource group called Veeam-VMBP and I created a network security group with the exact same name. Here, you’ll want to add an inbound rule to make sure that your traffic is from the computer where you are running FastSCP to the VM on port 5986 (default HTTPS Windows Remote Management).

Veeam VMBP - network security group

As an example, see the below rule that I created:

Add inbound security rule

Install or create a (self-signed) certificate and enable PowerShell remoting

In the classic model, when you deploy a VM, PowerShell remoting is configured for you. In the new model it is not, so you will need to do it yourself.

NOTE: This process will vary, depending on whether you use a publicly signed o self-signed certificate. Since most cases are with a self-signed certificate, I will discuss this variation. When you want to use a publicly signed certificate, the process is much easier because you only need Set-WSManQuickConfig –UseSSL to get things working.

Below you will see the PowerShell one-liners I used to configure my deployed Windows Server 2012 R2:

  • $Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "FastSCP-Server"
  • Export-Certificate -Cert $Cert -FilePath C:\temp\cert
  • Enable-PSRemoting -SkipNetworkProfileCheck –Force
  • New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint –Force
  • New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP

Some explanation:

  • The first line creates a self-signed certificate with the DNS name of my server (in this case, FastSCP-Server). It then stores it in the certificate store.

NOTE: Add the certificate details to a variable called $Cert to use it further.

  • The second line exports the certificate to a location (in this case C:\temp\). If you have an error on this line, note that the directory has to exist upfront, it will not be created.
  • Third line will enable PowerShell remoting. I used the -Force to skip the user prompts and -SkipNetworkProfileCheck to ensure that PowerShell doesn’t complain when your network connection type is public (which it probably will be)
  • The fourth line creates the HTTPS listener, which won’t be created automatically, only the HTTP listener and connects the certificate to it
  • Finally, the fifth line creates a new Windows Firewall rule that opens Windows Remote Management over HTTPS

And Poof! You can once again use Veeam FastSCP for Microsoft Azure.

Connecting to the server

Below you can see that I can connect to my server again and I have access to the data on my VM.

Veeam FastSCP for Microsoft Azure


Veeam FastSCP for Microsoft Azure works out-of-the-box when used with a Microsoft Azure VM deployed in the classic model. However, when you deploy a VM in the Azure Resource Manager model, things are a bit different and Remote PowerShell is not configured anymore. To be able to take advantage of Veeam’s solution, you will first need to take a few quick steps to manually enable it.

GD Star Rating
Using Veeam FastSCP for Microsoft Azure with Azure Resource Manager, 4.4 out of 5 based on 5 ratings

View posts related to category:

    Veeam Availability Suite — Download free 30-day trial

    • Amie Colbert

      Valuable post . my business this month located to import pdf ! It’s relatively straightforward to use and it’s practically peanuts . I heard they have a 30 day promotion currently

      GD Star Rating
    • lakshantha peiris

      Hi Mike,

      I’m in the process of setting and test environment and following your documentation,
      under Create Firewall Rules section, when setting up the network security group it requires associating it with a Resource Group ( I’m lost there)

      Do i create a new Resource Group (if so what steps) or Associate it with a existing one?

      Appreciate your help on this.


      GD Star Rating
      • http://www.veeam.com/ Mike Resseler

        You can create a network security group and associate that with the same resource group where your VM is running. A resource group “groups” all the different building blocks together. So a VM is a building block, an external IP, a network security group and so on… So best would be to associate it with the same resource group that holds your VM
        Hope it helps

        GD Star Rating
    Mike Resseler
    Author: Mike Resseler
    Mike Resseler is a Product Strategy Specialist for Veeam. Mike is focused on technologies around Hyper-V and System Center. With years of experience in the field he presents on many occasions on large events such as MMS, TechEd and TechDays. Mike has... 

    Published: February 22, 2016