I want to deploy VBAZ as a private network deployment. This also means that I do not have access to Azure resources which are only publicly available. Our VBAZ server sits behind an Azure firewall and we are not allowed to make connections from this server to public endpoints like Azure resources. We need to configure at least a web proxy in between due to our security guidelines. But I read somewhere in the Veeam Help Center that no proxy can be configured for the VBAZ appliance (I probably need these connections for the workers as well?). Is there a way to access Azure resources via an "internal" way, not traversing the "public" way via the internet, or how can I solve this? Setting a proxy would help as well.
I'm aware of the chapter you mentioned in the Veeam Help Center. But I'm currently struggling at the step just after the initial deployment of the appliance, where I have to add an Azure service account https://helpcenter.veeam.com/docs/vbazu ... tml?ver=5a . When I try to create a new service account I get the error: "Unable to obtain device code for Azure CLI authentication. Ensure that outbound communication is not blocked for port 443." At this point, the VBAZ appliance wants to connect to a public Azure resource in my opinion, and that is not possible in our environment. If I chose "use existing service account" instead of "create a new service account", I would probably run into the same issue and this wouldn't help anyway, or am I wrong?
I'm afraid the "private deployment" refers only to our own components like workers without public IP and storage accounts with private endpoints, but to do the authentication you will need to allow the above-mentioned outbound connection. We will highlight it in our documentation.
I can't believe that this is an issue only for our company? Do all the other companies have access from the VBAZ server to the internet without security measures like a firewall or a web proxy? If we don't have a chance to set the VBAZ server into a private environment without a connection to the internet, we can't deploy it.
From a strategic point of view, this is a great pity. We want to use the same vendor/solution to back up all our environments (on-prem and cloud). In this case I have to use Azure Backup with its limited possibilities or search for another third-party solution.
Yes, on-prem and cloud are different worlds and, unfortunately, cannot be compared/mirrored.
When private deployment was introduced it resolved the specific use cases:
1. No public IP must be assigned
2. Storage account must be accessible via private endpoints
3. Outbound connection to the Internet might still be required (for example, to update the VB since we are reaching out to external repositories).
Also, I need to double-check with the RnD team if the above resources can be accessed at all via private network or not. If not, then the only option would be a firewall or a web proxy.
Vitaly, thanks a lot for your fast replies!
If we are able to configure a web proxy on the VBAZ I'm totally fine, but this is not supported currently. So, maybe you are able to push your RnD team to implement the possibility to use a web proxy?
Yes, web proxy is something we would like to support in our next updates. If there are any changes in the upcoming release regarding account registration, we will also let you know. Double-checking with the RnD team now.
I know that timelines are always difficult to communicate... is there an approximate date when you see the update with the proxy option being available? We started to deploy our first Azure VMs and really need a backup solution as fast as possible. And I really prefer Veeam over other options, but if I can't see an approximate date when I can use it, I need to go with an alternative solution...
Since the new version is coming shortly (without web proxy), the next release could be somewhere in 2024. We usually do 2 releases per year, so you can understand the approximate schedule.