-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Veeam Backup for Azure deployment in a separate Tenant for Security
Good Day
Thinking about security. In my opinion it could be a good decision to create a separate tenant apart from the production tenant for backup purposes. If you have backup and prod in the same tenant and something happens to it (hacking, deleting or whatever) you lose everything in a worst case scenario. Is there, from a technical point of view, any limitation if the Veeam Backup for Azure is deployed in a different tenant? Can I backup VMs or in the future also other Azure Resources if backup and prod is not in the same tenant? I can't think of any at the moment but...?
Thanks
Best Regards
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Hi Andre, good suggestion. We will think about how we can maybe add this as a feature in the future. Keep the feedback coming! Thanks.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Hello Niels
Thanks for your Feedback. So at the moment Veeam Backup for Azure must be deployed in the same Subscription? It is not possible to deploy it in a separate "Backup Subscription" and protect VMs in another "Production Subscription"?
Best Regards
André
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Hey @agrob
If you add your Azure account, the VBA server indeed needs to be deployed in the "default" subscription for that account. However, if that account also has access to different subscriptions, you can start protecting VMs from that other subscription.
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Thanks, I understand about subscriptions.
How about the Tenants? Can I create a new Tenant "Backup" and deploy the VBA there? Then add a separate Account to VBA which has rights on Subscriptions in another Tenant to Backup VMs from there?
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Andre, are you a service provider by any chance and looking at VB for Azure as a service? In v1, you can only add 1 Azure account to VB for Azure.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Hi Niels, no I'm not a service provider but I'm looking into the best way to implement VBA in a one cloud "vendor" strategy. To be honest I haven't looked too deep into the VBA config yet, just thinking about the best implementation regarding security. If you deploy VBA in your production tenant, even if it is a separate subscription, in my opinion this is not the most secure way, because if someone can access the tenant with global admin rights, then I'm pretty sure he can delete the prod VMs and also the backup infrastructure. I know when all Global Admins are secured by MFA, this chance is little, but we do backups to be able to recover from such things..
Just thinking if it would work if we have two tenants with two different Azure AD directories. One tenant is "prod", the other tenant is "backup". The Azure Account from the Backup Service can be added as a guest account in the prod tenant with minimal permissions to backup the VMs. So if someone gets access to the prod tenant, he can in a worst case scenario delete all prod resources, but as backup is in another tenant with another Azure AD, it won't be possible to delete backup as well with the same account from the prod tenant...
The other thing is, we can copy the cloud backups with VBR to on prem and offload it to tape, so it is completely offline. But maybe this is for many companies not the way to go if they decide to go to the cloud...
-
- Service Provider
- Posts: 137
- Liked: 1 time
- Joined: Jan 08, 2010 5:15 pm
- Full Name: Seth Zwicker
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
nielsengelen wrote: May 04, 2020 9:54 am
Andre, are you a service provider by any chance and looking at VB for Azure as a service? In v1, you can only add 1 Azure account to VB for Azure.
I *AM* a service provider and I would be very interested in learning if there's a way to manage all my client backups centrally.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
@szwicker With VB for Azure we do support Lighthouse so technically this is already possible. There is information in the helpcenter around this. However, we are looking for feedback on the subject so please try this out in POC mode first.
Thanks
Mike
PS: @agrob You can obviously do the same
-
- Service Provider
- Posts: 137
- Liked: 1 time
- Joined: Jan 08, 2010 5:15 pm
- Full Name: Seth Zwicker
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
I haven't used Helpcenter. Can you please direct me to that?
-
- Influencer
- Posts: 22
- Liked: 6 times
- Joined: Jun 08, 2020 9:18 am
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Hello Szwicker,
Please refer to this KB article for more info. As for backup policy configuration, please refer here.
Do not hesitate to ask if you have additional questions.
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
I have a question about Lighthouse and permissions on the Source Tenant. In kb3154, permissions are listed which are required apart from the default Tenant where VBA was deployed.
The idea was to create a custom role on the source Tenant with the permissions described in KB3154 to give the "VBA Application" the least privilege needed. But Azure Lighthouse does not support custom Roles. So I can't assign a Custom Role on the source Tenant for VBA access. What is the recommendation here? Configure "Contributor" rights? (which are actually way too much rights for VBA, but I guess as long as Lighthouse does not support custom Roles, we have no other option)
Thanks
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Nov 03, 2020 6:50 am
- Full Name: Alex
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Are you a service provider by any chance and looking at VB for Azure as a service?
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Hey @agrob ,
For some reason it seems that the information around lighthouse is gone missing. Not sure why that is. I will try to figure this out. With lighthouse, a Tenant will need to delegate access to the service provider. There is a procedure for it. But it seems we have removed it from our helpcenter. There is no need for a custom role I believe, but again, let me find out.
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Hi Mike
Thanks for your reply. Not sure if I get you right, but yes, there is no need for a custom role, BUT we would like to have a custom role for it.
At the moment, it is like this:
Backup Tenant
If you have a dedicated tenant for backup, where you deploy VBA, then the VBA Setup creates an Azure AD App as service principal. Now on the Backup Tenant we created an Azure AD Group. In this Group, we added the Azure AD App service principal as a Member of this group. So far so good.
Productive Tenant
The VMs from the prod tenant, we want to backup with VBA from the Backup Tenant. To achieve this, we need Azure Lighthouse and give the AD Group from the Backup Tenant the needed rights on our Production site. To do this, we configured Lighthouse and added the AD Group from the Backup Tenant to the Prod Resources. But, we can only delegate Roles from Microsoft. So we need to give the AD Group "Contributor" rights on the prod tenant resources. This is not very good. We wanted to configure a Custom Role which has only the needed rights from the Veeam KB (least privilege). But those Custom Roles can not be used with Azure Lighthouse... I guess this is an Azure limitation, nothing to do with Veeam
Thanks
Regards
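The two-tenant delegation described in the post above, as an added example that is not part of this thread or of Veeam's documentation: an Azure Lighthouse delegation template deployed into the production subscription, which grants the backup tenant's Azure AD group (the group containing the VBA service principal) the built-in Contributor role, since Lighthouse only accepts built-in role definition IDs in its authorizations. The backup tenant ID and the group object ID are placeholders to be supplied as parameters; the Contributor role definition ID is Azure's built-in one.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": {
      "type": "string",
      "defaultValue": "Backup tenant - Veeam Backup for Azure",
      "metadata": { "description": "Display name of the delegation shown in the prod tenant" }
    },
    "managedByTenantId": {
      "type": "string",
      "metadata": { "description": "PLACEHOLDER: Azure AD tenant ID of the BACKUP tenant (the managing tenant)" }
    },
    "backupGroupObjectId": {
      "type": "string",
      "metadata": { "description": "PLACEHOLDER: object ID of the Azure AD group in the BACKUP tenant that contains the VBA service principal" }
    }
  },
  "variables": {
    "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
    "mspAssignmentName": "[guid(parameters('mspOfferName'))]",
    "contributorRoleId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-06-01",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "Delegates the production subscription to the backup tenant for VBA. Only built-in roles are accepted here; a custom least-privilege role cannot be used.",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": [
          {
            "principalId": "[parameters('backupGroupObjectId')]",
            "principalIdDisplayName": "VBA backup group (backup tenant)",
            "roleDefinitionId": "[variables('contributorRoleId')]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-06-01",
      "name": "[variables('mspAssignmentName')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
      ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
      }
    }
  ]
}
```

The template is deployed at subscription scope in the production tenant by a user with Owner rights there; afterwards the delegation, its principal and its role are visible under "Service providers" in the prod tenant and can be revoked from there without involving the backup tenant.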
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Ah, my apologies. I misunderstood the actual question...
Correct, at this point in time, Lighthouse has its limitations when it comes to custom roles. We expect that this is on MSFT's roadmap, but obviously I cannot give you any ETA on it. Lighthouse was developed for MSP's, and in most cases the MSP manages a full service on the resources, hence the needed rights. Again, it will come at a certain point in time but for now...
That said, question, if (no promises) we would allow multiple service accounts to be added to the VBA, from different subscriptions, would that work as well for you? The downside would be that all of the security and networking and so on need to get arranged by yourself.
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Hi Mike, No Problems
Hmm, not sure to be honest. As VBA is in a different Tenant, not just different Subscriptions, I'm not sure if this works?
What if we add the VBA Service Account from the Backup tenant as guest in the Prod Tenant and then assign this guest account the custom role? (not with Lighthouse) Not sure if this works with service principals, but should at least work with "normal" service accounts (Azure users). Is it that what you mean?
Well, if MS introduce custom roles for Lighthouse in the near future, this would be the most convenient way. Maybe we should all vote here:
https://feedback.azure.com/forums/92275 ... stom-roles
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Feel free to vote.
I do my best to push this to the LightHouse team, but today lighthouse is a v1 and I already have a few requests running, and obviously they need to make decisions on what to implement first
-
- Veteran
- Posts: 389
- Liked: 54 times
- Joined: Sep 05, 2011 1:31 pm
- Full Name: Andre
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Thanks Mike, appreciate your effort!
-
- Novice
- Posts: 3
- Liked: never
- Joined: Feb 21, 2023 5:04 pm
- Full Name: Rakesh Keshaw
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Hi
We want to use Veeam Backup for Azure as a Service Provider and use an Azure VM in our tenant to backup a server in our customer's tenant. Is this at all possible and are there any setup guides that can assist with this?
We have deployed VBAz version 4 and also want to integrate it in our VBR11a - we do have the documentation for this.
Thanks in advance
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
You can add multiple service accounts to Veeam Backup for Azure that can cover this scenario.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Novice
- Posts: 3
- Liked: never
- Joined: Feb 21, 2023 5:04 pm
- Full Name: Rakesh Keshaw
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
Hi Nielsengelen
Is there any documentation available on how to set this scenario up?
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
- Contact:
Re: Veeam Backup for Azure deployment in a separate Tenant for Security
You can find more details about requirements and how to leverage service accounts in the user guide.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen