How to Offload Backup Files to Capacity and Archive Tiers via Azure Blob Private Endpoints

KB ID: 4373
Product: Veeam Backup & Replication | 11
Published: 2023-01-10
Last Modified: 2023-01-10
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Purpose

This article documents how to configure Veeam Backup & Replication to use Azure Blob Storage Account private endpoints for object storage offload.

To access Azure Blob private endpoints, you must configure networking using Azure VPN or Azure ExpressRoute.

Solution

Prepare the Environment

  1. (If using ExpressRoute, skip to Step 2.) For Azure Blob Private Endpoint support, configure a site-to-site or point-to-site Azure VPN connection to the virtual network required.
    1. For VPN support, create a virtual network gateway, of type VPN. Give it an instance name and region to match the virtual network you plan to use for the storage account, public IP address name, and the availability zone. It is assumed if you're using Azure ExpressRoute that you have configured this prior.
    2. Under ↔ Point-to-site configuration, select Configure now. You'll need to generate a certificate using PowerShell for your connection. Specify an address pool, select IKEv2 and OpenVPN (SSL) as your tunnel type, and for authentication type, choose Azure certificate, uploading the root certificate contents.
    3. ↓ Download VPN client and install this and the corresponding client certificate on the backup repository gateway servers that will be communicating with Azure Blob. If you have not specified a gateway server, all scale-out backup repository extents must have access.
  2. Create a storage account with a private endpoint. Make sure you use supported options and create a container to use.
    1. To disable public access for an existing storage account, select Networking > Firewall and virtual networks and ensure public network access is disabled. If you need to access Azure Blob from another resource without using a private endpoint, for example, to see container contents in the Azure Portal you will need to choose enabled for selected virtual networks and IP addresses instead.
    2. Under Networking > Private endpoint connections, click add a + Private endpoint.
      • Under Basics, enter a name and network interface name.
      • For Resource, target sub-resource select blob.
      • For Virtual Network, select the virtual network you want to associate. You can statically or dynamically allocate an IP address. In these instructions, we’ll be using a static IP address.
      • For DNS, make sure you’ve selected ◉ Yes to integrate with DNS zone.
  1. Ensure your backup repository gateway servers can resolve the private endpoint via DNS or add the IP address to your hosts file. If you go to the private endpoint in Azure under DNS configuration, you should be able to see a private link entry that points to the specific IP address. This is required to support Azure Archive Tier as Veeam Backup & Replication Azure Proxy Appliances are deployed dynamically.
  1. If you are Adding Azure Archive Storage to Veeam Backup & Replication, and want to ensure that the Archive Appliance communicates via a private IP address, add the following registry value on the Veeam Backup & Replication server:

    Key Location: HKLM\Software\Veeam\Veeam Backup and Replication
    Value Name: ArchiveFreezingUsePrivateIpForAzureAppliance
    Value Type: DWORD (32-Bit) Value
    Value Data: 1

    1 = Enable using Private IP | 0 = Disable

    PowerShell cmdlet to create  the registry value and enable the setting:
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'ArchiveFreezingUsePrivateIpForAzureAppliance' -Value "1" -PropertyType DWORD -Force

Add Object Storage Repository

With the host file modified, Veeam Backup & Replication will connect to the storage account's private endpoint.

Add your Azure object storage account to Veeam Backup & Replication.

  1. Under credentials, add the account and shared key, select Azure Global, and click next.
  2. Select or create a folder under an existing container and click next.
  3. All traffic to this Azure storage account should flow via your private endpoint.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.