Veeam Support Knowledge Base
How to Offload Backup Files to Capacity Tier via Google Cloud Private Access

How to Offload Backup Files to Capacity Tier via Google Cloud Private Access

KB ID:	4324
Product:	Veeam Backup & Replication \| 12
Published:	2022-06-14
Last Modified:	2023-10-24

By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

Oops! Something went wrong.

Please try again later.

Purpose

This article documents configuring an environment so Veeam Backup & Replication Object Repository will use Google Cloud Private Access to connect to a GCS bucket instead of the public IPs.

Connectivity from on-premises to private access can be accomplished via Cloud VPN or Direct/Partner Interconnects to Google Cloud, and Private Access enabled on the VPC Subnet.

Note: Backup repository servers located in GCE need to be on a VPC Subnet where Private Access is enabled.

Solution

Preparing the Environment (link)

Make sure the VPC Subnet(s) that traffic will traverse have Private Google Access enabled:

Configure DNS
1. Configure DNS servers used by repository servers to have a zone for googleapis.com.
2. Create DNS A Records for private.googleapis.com pointing to 199.36.153.8, 199.36.153.9, 199.36.153.10, 199.36.153.11.
3. Set up a CNAME record for *.googleapis.com to point to private.googleapis.com.

For repository servers on-premises, ensure the CloudVPN or Cloud Interconnect uses dynamic routes or has a static route for the 199.36.153.8/30 pointing to the VPC subnet with Private Google Access enabled, and that the subnet is configured to send this traffic to the default internet gateway.

More Information

If the Gateway server assigned with the Object Storage Repository settings has a restricted internet connection, that machine cannot perform Certificate Renovation List (CRL) checks. In such a scenario, disable certificate revocation checks by creating the following setting on the machine assigned as the Gateway server within the Object Storage Repository settings.

Note: This setting will disable TLS revocation checks for all interactions with Object Storage performed by the machine where the registry value is created.

For Windows-based Gateway servers, create the following registry value:

Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
Value Name: ObjectStorageTlsRevocationCheck
Value Type: DWORD (32-Bit) Value
Value Data: 0
For Linux-based Gateway servers, add the following entry to the /etc/VeeamAgentConfigIf the /etc/VeeamAgentConfig file is not present, it must be created. file:
```
ObjectStorageTlsRevocationCheck=0
```

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

Product

Topic

Description

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Verify your email to continue your product download

We've sent a verification code to:

An email with a verification code was just sent to

Didn't receive the code? Click to resend in sec

Didn't receive the code? Click to resend

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.