How to Connect to an Object Storage Repository via Azure Blob Private Endpoints

Prepare the Azure Environment

1. (If using ExpressRoute, skip to Step 2.) For Azure Blob Private Endpoint support, configure a site-to-site or point-to-site Azure VPN connection to the virtual network required.
   1. For VPN support, create a virtual network gateway, of type VPN. Give it an instance name and region to match the virtual network you plan to use for the storage account, public IP address name, and the availability zone. It is assumed if you're using Azure ExpressRoute that you have configured this prior.
      
   2. Under ↔ Point-to-site configuration, select Configure now. You'll need to generate a certificate using PowerShell for your connection. Specify an address pool, select IKEv2 and OpenVPN (SSL) as your tunnel type, and for authentication type, choose Azure certificate, uploading the root certificate contents.
   3. ↓ Download VPN client and install this and the corresponding client certificate on the backup repository gateway servers that will be communicating with Azure Blob. If you have not specified a gateway server, all scale-out backup repository extents must have access.
2. Create a storage account with a private endpoint. Make sure you use supported options and create a container to use.
   
   1. To disable public access for an existing storage account, select Networking > Firewall and virtual networks and ensure public network access is disabled. If you need to access Azure Blob from another resource without using a private endpoint, for example, to see container contents in the Azure Portal you will need to choose enabled for selected virtual networks and IP addresses instead.
      
   2. Under Networking > Private endpoint connections, click add a + Private endpoint.
      • Under Basics, enter a name and network interface name.
      • For Resource, target sub-resource select blob.
      • For Virtual Network, select the virtual network you want to associate. You can statically or dynamically allocate an IP address. In these instructions, we’ll be using a static IP address.
      • For DNS, make sure you’ve selected ◉ Yes to integrate with DNS zone.

3. Ensure your backup repository gateway servers can resolve the private endpoint via DNS or add the IP address to your hosts file. If you go to the private endpoint in Azure under DNS configuration, you should be able to see a private link entry that points to the specific IP address. This is required to support Azure Archive Tier as Veeam Backup & Replication Azure Proxy Appliances are deployed dynamically.
   
   Note: The Veeam Backup Server must be able to resolve *.blob.core.windows.net to the private link you created. This means the Azure DNS private link needs to resolve correctly on the Veeam Backup Server. This may require modifying DNS or modifying the Veeam Backup Server's hosts file to point *.blob.core.windows.net to the relevant *.privatelink.blob.core.windows.net endpoint.