How to Connect to an Object Storage Repository via Google Cloud Private Access
Purpose
This article documents how to configure Veeam Backup & Replication to use Google Cloud Private Access to connect to a GCS bucket instead of the public IPs for Scale-Out Backup Repository offload to Capacity Tier or Archive Tier or to connect to an Object Storage Repository in Veeam Backup & Replication 12 or newer.
Connectivity from on-premises to private access can be accomplished via Cloud VPN or Direct/Partner Interconnects to Google Cloud, and Private Access enabled on the VPC Subnet.
Note: Backup repository servers located in GCE need to be on a VPC Subnet where Private Access is enabled.
Solution
Prepare the Google Cloud Environment
- Make sure the VPC Subnet(s) that traffic will traverse have Private Google Access enabled:
Prepare the On-Prem DNS
- On the DNS server(s) used by the repository server(s), create a new Primary Forward Lookup Zone named 'googleapis.com'.
- Set up a CNAME record for *.googleapis.com to point to private.googleapis.com.
- Create DNS A Records for private.googleapis.com pointing to:
- 199.36.153.8
- 199.36.153.9
- 199.36.153.10
- 199.36.153.11.
- Create a blank DNS A Record to point googleapis.com to 199.36.153.8.
Value in name column will appear as (same as parent folder).
- For repository server and gateway servers on-premises, ensure the CloudVPN or Cloud Interconnect uses dynamic routes or has a static route for the 199.36.153.8/30 pointing to the VPC subnet with Private Google Access enabled, and that the subnet is configured to send this traffic to the default internet gateway.
Prepare the Veeam Backup & Replication Environment
- To configure the Helper Appliance used for Object Storage Repository Health Checks to use the private IP address, add the following registry value on the Veeam Backup Server:
Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication
Value Name: ArchiveUsePrivateIpForGoogleHelperAppliance
Value Type: DWORD (32-Bit) Value
Value Data: 1
1 = Enable Archive Appliance use Private IP | 0 = Disable (Default)
Add Object Storage Repository
Add the Google Cloud Oject Storage to Veeam Backup & Replication.
More Information
If the Gateway server assigned with the Object Storage Repository settings has a restricted internet connection, that machine cannot perform Certificate Renovation List (CRL) checks. In such a scenario, disable certificate revocation checks by creating the following setting on the machine assigned as the Gateway server within the Object Storage Repository settings.
Note: This setting will disable TLS revocation checks for all interactions with Object Storage performed by the machine where the registry value is created.
- For Windows-based Gateway servers, create the following registry value:
Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
Value Name: ObjectStorageTlsRevocationCheck
Value Type: DWORD (32-Bit) Value
Value Data: 0 - For Linux-based Gateway servers, add the following entry to the /etc/VeeamAgentConfigIf the /etc/VeeamAgentConfig file is not present, it must be created. file:
ObjectStorageTlsRevocationCheck=0
If this KB article did not resolve your issue or you need further assistance with Veeam software, please create a Veeam Support Case.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Spelling error in text
Thank you!
Your feedback has been received and will be reviewed.
KB Feedback/Suggestion
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Thank you!
Your feedback has been received and will be reviewed.
Oops! Something went wrong.
Please, try again later.