How to Connect to an Object Storage Repository via Azure Blob Private Endpoints

Purpose

This article documents how to configure Veeam Backup & Replication to use Azure Blob Storage Account private endpoints (via Azure VPN or Azure ExpressRoute) for Scale-Out Backup Repository offload to Capacity Tier or Archive Tier or to connect to an Object Storage Repository in Veeam Backup & Replication 12 or newer.

Solution

---

The Veeam Backup Server and the Archiver Appliance must have access to CRLs used by Azure over port 80.

Prepare the Azure Environment

1. (If using ExpressRoute, skip to Step 2.) For Azure Blob Private Endpoint support, configure a site-to-site or point-to-site Azure VPN connection to the virtual network required.
   1. For VPN support, create a virtual network gateway, of type VPN. Give it an instance name and region to match the virtual network you plan to use for the storage account, public IP address name, and the availability zone. It is assumed if you’re using Azure ExpressRoute that you have configured this prior.

2. Under **↔ Point-to-site configuration**, select `Configure now`. You'll need to [generate a certificate using PowerShell](<https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site>) for your connection. Specify an address pool, select `IKEv2` and `OpenVPN (SSL)` as your tunnel type, and for authentication type, choose `Azure certificate`, uploading the root certificate contents.
3. **↓ Download VPN client** and install this and the corresponding client certificate on the backup repository [gateway servers](<https://helpcenter.veeam.com/docs/backup/vsphere/azure_repository_account.html>) that will be communicating with Azure Blob. If you have not specified a gateway server, all scale-out backup repository extents must have access.

2. Create a storage account with a private endpoint. Make sure you use supported options and create a container to use.

1. To disable public access for an existing storage account, select **Networking** >**Firewall and virtual networks** and ensure `public network access` is disabled. If you need to access Azure Blob from another resource without using a private endpoint, for example, to see container contents in the Azure Portal you will need to choose `enabled for selected virtual networks and IP addresses` instead.  

2. Under **Networking > Private endpoint connections**, click add a**\+ Private endpoint**. 
  * Under **Basics,** enter a `name` and `network interface name.`
  * For **Resource**, target sub-resource select `blob.`
  * For **Virtual Network,** select the virtual network you want to associate. You can statically or dynamically allocate an IP address. In these instructions, we'll be using a static IP address.
  * For **DNS,** make sure you've selected ◉ Yes to `integrate with DNS zone`.

3. Ensure your backup repository gateway servers can resolve the private endpoint via DNS or add the IP address to your hosts file. If you go to the private endpoint in Azure under DNS configuration, you should be able to see a private link entry that points to the specific IP address. This is required to support Azure Archive Tier as Veeam Backup & Replication Azure Proxy Appliances are deployed dynamically.

Note: The Veeam Backup Server must be able to resolve_ .blob.core.windows.net_ to the private link you created. This means the Azure DNS private link needs to resolve correctly on the Veeam Backup Server. This may require modifying DNS or modifying the Veeam Backup Server’s hosts file to point _.blob.core.windows.net_ to the relevant *.privatelink.blob.core.windows.net endpoint.

Prepare the Veeam Backup & Replication Environment

4. If the Object Storage Repoistory you are adding will be used as an Archive Tier for Scale-Out Backup Repository, and want to ensure that the Archive Appliance communicates via a private IP address, add the following registry value on the Veeam Backup & Replication server:

**Key Location:**HKLM\Software\Veeam\Veeam Backup and Replication
**Value Name:**ArchiveFreezingUsePrivateIpForAzureAppliance
Value Type: DWORD (32-Bit) Value **Value Data: **1

1 = Enable using Private IP | 0 = Disable

PowerShell cmdlet to create the registry value and enable the setting:

New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'ArchiveFreezingUsePrivateIpForAzureAppliance' -Value "1" -PropertyType DWORD -Force

Copy

5. To configure the Helper Appliance used for Object Storage Repository Health Checks to use the private IP address, add the following registry value on the Veeam Backup Server:

Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication **Value Name:**ArchiveUsePrivateIpForAzureHelperAppliance **Value Type: **DWORD (32-Bit) Value Value Data: 1

1 = Enable Archive Appliance use Private IP | 0 = Disable (Default)

PowerShell cmdlet to create the registry value and enable the setting:

New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'ArchiveUsePrivateIpForAzureHelperAppliance ' -Value "1" -PropertyType DWORD -Force

Copy

6. (Optional - Limited Network Access Only)
   If the Gateway server does not have access to the internet to perform certificate revocation checks, disable them by creating the following setting on the machine that is assigned as the Gateway server within the Object Storage Repository settings:
   * For Windows-based Gateway servers, create the following registry value:** **
   **Key Location:**HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
   **Value Name:**ObjectStorageTlsRevocationCheck
   **Value Type:**DWORD (32-Bit) Value
   **Value Data:**0

* For Linux-based Gateway servers, add the following entry to the ****/etc/VeeamAgentConfig**If the /etc/VeeamAgentConfig file is not present, it must be created.****** file:  

    
            ObjectStorageTlsRevocationCheck=0

Add Object Storage Repository

Add your Azure object storage account to Veeam Backup & Replication.

1. Under credentials, add the account and shared key, select Azure Global, and click next.
2. Select or create a folder under an existing container and click next.
3. All traffic to this Azure storage account should flow via your private endpoint.

More Information

Related Articles

• __Using Object Storage with Veeam Products
• __Using Restore to Microsoft Azure with ExpressRoute or site-to-site VPN connectivity to Azure

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.