Storage Account and Azure NetApp Files backup

[DomAl]

Can we use Veeam Backup & R. to backup an Azure Storage Account and Azure NetApp Files volume?

Please share any useful documentation.

Thanks

[nielsengelen]

Hi, you can use the NAS backup feature in VBR v10 to backup Azure NetApp Files.

[DomAl]

Many thanks,

is this feature present in VBR v9.5?

[nielsengelen]

This is a v10 feature.

[DomAl]

Many thanks,

Can we use Nas Backup with the VBR v9.5?

I am asking because seems a separate product, with free eligibility https://www.veeam.com/nas-cloud-backup-solution.html

[nielsengelen]

As it states on the promo page, this is a v10 feature, not a separate product. Please contact your local sales for more information and around the promo.

[jveerd1]

Is it be possible to add Azure NetApp Files as a NAS Filer in v11?

[Asahi]

Hi,

I have a question about Veeam NAS backup feature.
I believe that even in the case of cloud services such as Azure NetApp Files or Cloud volumes ONTAP, if they can communicate using SMB/CIFS/NFS protocols, file backup and restore can be done using Veeam NAS backup feature.

Are there any specific considerations when protecting the above cloud services with the Veeam NAS Backup feature?

Kind Regards,
Asahi,
Climb Inc.

[david.domask]

Hi @Asahi,

I've merged your topic with an existing one. Indeed, if you can present the source file share as SMB (CIFS) or NFS, you can protect it with Unstructured Backup jobs.

As for considerations, likely you will want to have a proxy as close to the source share as possible (meaning in Azure) to avoid the proxy having to work over WAN connection. This is not a requirement, but likely you will see more stable performance.

But in short, it likely will work. I'm not aware of any limitations that need special attention.

[sumeet]

Hello,

Veeam backup of Azure File share - is by only creating native Azure snapshots
https://helpcenter.veeam.com/docs/vbazu ... tml?ver=70

But we require the backup of this file share data out of Azure. So we cannot use the above option.

If we use VBR's SMB File share backup --
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
And then create a file share backup job -- https://helpcenter.veeam.com/docs/backu ... ml?ver=120

We will make sure appropriate FW rules and access is available to allow these Azure File shares to be accessible to VBR server installed at on-prem.
Is there a concern or issue with this process?

And if no concerns, then will the default port required for SMB backup TCP/445 be sufficient (https://helpcenter.veeam.com/docs/backu ... onnections)
And if the account/user-credentials has read/write permissions -- https://helpcenter.veeam.com/docs/backu ... ml?ver=120
These two should be sufficient, is this correct?

[Mildur]

Hello Sumeet

I moved your question to an existing topic.
In theory, as long a file backup proxy can access the SMB endpoint, backup and restore will work. We have no software limitations regarding Azure File Shares.

If you want to use our File Backup Jobs, I suggest to deploy a File Backup proxy and cache repository in Azure.

Best,
Fabian

[sumeet]

Hello Fabian,

Thanks for the update.
We got FW rules implemented and verified using tnc that port 445 is accessible to the file share (which is Azure file share).
But unable to configure the backup job. The error is similar to what is discussed in KB -- file-shares-and-object-storage-f57/fail ... 65394.html
We tried the creds with domain\username and username@domain format. But no success.

The client says that he is able to access the shares with the same credentials, but the difference is that their servers from where they can access the file share, are in the same domain, where as the VBR server is external and not in the customer domain. The VBR server is not in our domain too, it is in Workgroup.

The only port allowed for access is 445 and that is what your documentation says. Is any other port required for SMB file share backup that requires access credentials?

Case #07573342

Does VBR require to be able to communicate with clients AD to validate the creds?

-Sumeet.

[Mildur]

Hi Sumeet

Can you access the share from the File backup Proxy with Windows Explorer? The File backup proxy is the one connecting to the Azure File share through SMB.

According to Microsoft, only port 445 is required for accessing Azure File Share through SMB:

Prerequisites
Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open. Connections will fail if port 445 is blocked. You can check if your firewall or ISP is blocking port 445 by using the Test-NetConnection cmdlet. See Port 445 is blocked.

I suggest tracing the firewall connections while you try to configure the file share. Monitor all connections from the backup server & file backup proxy towards the internet. There is also a troubleshooting page from Microsoft: Troubleshoot Azure Files connectivity and access issues (SMB)

Best,
Fabian

[sumeet]

Hi Fabian,

We are unable to access the file share using windows explorer.

https://learn.microsoft.com/en-us/azure ... -ad-domain

Since the VBR server is at our DC, which ofcourse is out of our clients domain, so based on the above article, we have to allow FW/connectivity from the VBR server to the clients AD domain controller. For now, it seems there is no need to join the domain, but the ports are to be allowed. This can be a security concern, but we are checking with our network/security team.
We do not want to add VBR server to any domain for security concerns.

That's exactly what I asked in my post above.
But when we use Microsoft network monitor or wireshark to see the ports being accessed, we did not see any access or entry showing the VBR server (source) trying to reach a AD.
Maybe it does not reach out directly to AD.

As service providers, I was hoping others to have faced similar scenario.

-Sumeet.

[sumeet]

Hi Fabian,

Unfortunately, with some testing, we observe that a workgroup server, which has access to AD is unable to access the shares with the AD creds.

I want to understand, if we can use a proxy that is within our clients domain and can access the Azure file shares.
From what I know, we have never done this before and not sure what security concerns can this raise (if someone gets access to this proxy, what all can they get access to on the VBR server)?

I checked your doco -- https://helpcenter.veeam.com/docs/backu ... ml?ver=120
For general purpose proxy - how does the data traffic flow if a proxy can be used in my scenario.
Does the proxy send the backup data to the VBR server and then VBR server writes the data to backup repository (which is S3 compatible) or does the proxy have access to the backup repository. This will have firwall and security implications if proxy requires access direct access to the backup repository.

Please, any assistance will be helpful.

Thanks,
-Sumeet.

[Mildur]

Hi Sumeet

I will review your questions and try to get an answer.

Best,
Fabian

[sumeet]

Hi Fabian,

Thanks for assisting with this.

Current update -- Our client worked with Microsoft and were able to map the file share on a non-domain server.
The below ports had to be opened to get this to work as network map in windows.

But we have not yet tried this on the VBR server which is at our site and nor has this been tested yet using VBR.
Security team is not comfortable opening these ports to their Domain controller (AD) for an external server (which is at our site)

non-domain server --> Azure file share private end point TCP/445
non-domain server --> Domain controller TCP/88
non-domain server <-> Domain controller TCP/135 (bi-directional)
non-domain server --> Domain controller TCP/53

Will be great if we can get an update on other aternative options to solve this (my above question on Feb 04)

I have asked these questions to our local Veeam account team and they are aware of my questions posted here in R&D forum too.

Thanks,
-Sumeet.

[Mildur]

Hi Sumeet,

Using a proxy in the customer's environment may be possible, but as you mentioned, it introduces additional security considerations.

In the case of object storage repository, the file proxy can communicate directly or through a gateway server with the S3 endpoint to store the backup data.
However, the File Backup Cache will still need to be stored on a non-object storage repository, which will require you to open ports 2500 to 3300 to the backup repository holding the cache data.

I want to understand, if we can use a proxy that is within our clients domain and can access the Azure file shares.
From what I know, we have never done this before and not sure what security concerns can this raise (if someone gets access to this proxy, what all can they get access to on the VBR server)?

In theory, no attacker can leverage this ports to gain administrative access to the backup server. It would only be possible if security vulnerabilities are detected in Services using these ports. Which we are trying our best to not have them in the first place (e.g. by investing in our security team).
As an example regarding Veeam components in customer facing subnets, many service providers with hosting services are already deploying our guest interaction proxy in their tenants' subnets, which allows guest processing without opening ports like 445.

Best,
Fabian

[sumeet]

Hi Fabian,

Thanks for the details.

I do not understand this - However, the File Backup Cache will still need to be stored on a non-object storage repository, which will require you to open ports 2500 to 3300 to the backup repository holding the cache data.
Please provide reference to some documentation.

I should be testing this end-to-end (from file share backup using a proxy that is part of a domain, while VBR server isn't part of domain, and then writing to tapes from the VBR server), but due to time constraints, i'm asking these questions here.

So if I do the following,

1. Deploy a windows servers in clients azure subscription. Then add this server to clients domain.
2. This server should be able to access Azure file shares using AD user creds, which are read-only (for restores, this has to change to rw)
3. Open ports for backup proxy from VBR server (backup server) to this server in Azure subscription - https://helpcenter.veeam.com/docs/backu ... ckup-proxy
a. This goes through multiple firewalls (one at our site), the other at our client. Similar to the ports that we currently have working for Veeam backup for Azure on this same VBR server
4. Add this proxy server to VBR server - the user account has to be part of Local administrator group - https://helpcenter.veeam.com/docs/backu ... -and-hosts
5. Add SMB file share. At this step -- https://helpcenter.veeam.com/docs/backu ... ml?ver=120
a. Specify the backup proxy added in #4 above
6. Create file backup job
a. At step 4 (https://helpcenter.veeam.com/docs/backu ... ml?ver=120) I use the existing S3 backup repository that exists on this server, on which we are already doing backup copy jobs for Azure VMs backup
7. We do not need archive and secondary repository settings
8. And then finally be able to write this out to tape


I'm asking a lot, but does the above steps look fine for implementation? Or is anything missing?

Thanks,
-Sumeet.

[Mildur]

Hi Sumeet

However, the File Backup Cache will still need to be stored on a non-object storage repository, which will require you to open ports 2500 to 3300 to the backup repository holding the cache data.
Please provide reference to some documentation.

In a file backup job, the cache tracks the changes between two backup sessions and allow us to run faster incremental sessions. We recommend to put the cache as near as possible to the proxy server. Or on the same machine used as the proxy.
This cache repository is configured for each repository in the data source properties. This cache cannot reside on object storage:


Port requirement between File Proxy and Backup Repository used for the Cache is documented in our help center.

I should be testing this end-to-end (from file share backup using a proxy that is part of a domain, while VBR server isn't part of domain, and then writing to tapes from the VBR server), but due to time constraints, i'm asking these questions here.

I'm currently on business travel and won't be able to access my lab for further testing. I can run a test myself earliest next week.
But from a high level, these steps looks ok to me. But consider the cache location in step 5 (Add SMB file share). I suggest to add the proxy machine as a repository and use that repository for the cache.

Best,
Fabian

[sumeet]

Hi Fabian,

Thanks for the details. This is very helpful.
I will setup the cache repository on the same proxy. I just need to find the steps on how to create the cache repository, as I cannot find them in the documentation? Please point it out to me.

We have got the ports opened, but currently having issues with adding the server as proxy. I have highlighted that in -- vmware-vsphere-f24/manual-proxy-install-t67154.html

Regards,
-Sumeet.

[sumeet]

Hi Fabian,

We got this to work.

A proxy which is in our clients env, and which is added to their domain, so that it can access the fileshares using AD creds worked.
We setup a backup/cache respoistory on this same server and are able to write the data to backup repository (object storage) on the VBR server which is at our site.

Appreciate your help and assistance.
This is a good learning for me and going forward for new customers which require backup for Azure or other public clouds, we can have multiple options to get it to work depending on the security design.

-Sumeet.