#1 Global Leader in Data Protection & Ransomware Recovery

How to Connect to an Object Storage Repository via Azure Blob Private Endpoints

KB ID: 4373
Product: Veeam Backup & Replication | 11 | 12 | 12.1
Published: 2023-01-10
Last Modified: 2024-05-09
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Purpose

This article documents how to configure Veeam Backup & Replication to use Azure Blob Storage Account private endpoints (via Azure VPN or Azure ExpressRoute) for Scale-Out Backup Repository offload to Capacity Tier or Archive Tier or to connect to an Object Storage Repository in Veeam Backup & Replication 12 or newer.

Solution

The Veeam Backup Server and the Archiver Appliance must have access to CRLs used by Azure over port 80.

Prepare the Azure Environment

  1. (If using ExpressRoute, skip to Step 2.) For Azure Blob Private Endpoint support, configure a site-to-site or point-to-site Azure VPN connection to the virtual network required.
    1. For VPN support, create a virtual network gateway, of type VPN. Give it an instance name and region to match the virtual network you plan to use for the storage account, public IP address name, and the availability zone. It is assumed if you're using Azure ExpressRoute that you have configured this prior.
    2. Under ↔ Point-to-site configuration, select Configure now. You'll need to generate a certificate using PowerShell for your connection. Specify an address pool, select IKEv2 and OpenVPN (SSL) as your tunnel type, and for authentication type, choose Azure certificate, uploading the root certificate contents.
    3. ↓ Download VPN client and install this and the corresponding client certificate on the backup repository gateway servers that will be communicating with Azure Blob. If you have not specified a gateway server, all scale-out backup repository extents must have access.
  2. Create a storage account with a private endpoint. Make sure you use supported options and create a container to use.
    1. To disable public access for an existing storage account, select Networking > Firewall and virtual networks and ensure public network access is disabled. If you need to access Azure Blob from another resource without using a private endpoint, for example, to see container contents in the Azure Portal you will need to choose enabled for selected virtual networks and IP addresses instead.
    2. Under Networking > Private endpoint connections, click add a + Private endpoint.
      • Under Basics, enter a name and network interface name.
      • For Resource, target sub-resource select blob.
      • For Virtual Network, select the virtual network you want to associate. You can statically or dynamically allocate an IP address. In these instructions, we’ll be using a static IP address.
      • For DNS, make sure you’ve selected ◉ Yes to integrate with DNS zone.
  1. Ensure your backup repository gateway servers can resolve the private endpoint via DNS or add the IP address to your hosts file. If you go to the private endpoint in Azure under DNS configuration, you should be able to see a private link entry that points to the specific IP address. This is required to support Azure Archive Tier as Veeam Backup & Replication Azure Proxy Appliances are deployed dynamically.

Prepare the Veeam Backup & Replication Environment

  1. If the Object Storage Repoistory you are adding will be used as an Archive Tier for Scale-Out Backup Repository, and want to ensure that the Archive Appliance communicates via a private IP address, add the following registry value on the Veeam Backup & Replication server:

    Key Location: HKLM\Software\Veeam\Veeam Backup and Replication
    Value Name: ArchiveFreezingUsePrivateIpForAzureAppliance
    Value Type: DWORD (32-Bit) Value
    Value Data: 1

    1 = Enable using Private IP | 0 = Disable

    PowerShell cmdlet to create  the registry value and enable the setting:
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'ArchiveFreezingUsePrivateIpForAzureAppliance' -Value "1" -PropertyType DWORD -Force
  1. To configure the Helper Appliance used for Object Storage Repository Health Checks to use the private IP address, add the following registry value on the Veeam Backup Server:

    Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication
    Value Name: ArchiveUsePrivateIpForAzureHelperAppliance
    Value Type: DWORD (32-Bit) Value
    Value Data: 1

    1 = Enable Archive Appliance use Private IP | 0 = Disable (Default)

    PowerShell cmdlet to create the registry value and enable the setting:
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'ArchiveUsePrivateIpForAzureHelperAppliance ' -Value "1" -PropertyType DWORD -Force
  1. (Optional - Limited Network Access Only)
    If the Gateway server does not have access to the internet to perform certificate revocation checks, disable them by creating the following setting on the machine that is assigned as the Gateway server within the Object Storage Repository settings:
    • For Windows-based Gateway servers, create the following registry value:

      Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
      Value Name: ObjectStorageTlsRevocationCheck
      Value Type: DWORD (32-Bit) Value
      Value Data: 0
    • For Linux-based Gateway servers, add the following entry to the /etc/VeeamAgentConfigIf the /etc/VeeamAgentConfig file is not present, it must be created. file:
      ObjectStorageTlsRevocationCheck=0
      

Add Object Storage Repository

Add your Azure object storage account to Veeam Backup & Replication.

  1. Under credentials, add the account and shared key, select Azure Global, and click next.
  2. Select or create a folder under an existing container and click next.
  3. All traffic to this Azure storage account should flow via your private endpoint.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.