We are doing an implementation of Veeam Backup for Azure with a customer that is following the Azure Cloud adoption framework.
Their network is configured in a hub-spoke topology and their company policy prohibits public access for resources.
The resources are put in different subscriptions and different VNETs, all in the same region.
So Veeam needs to perform backups using disk access resources and private endpoints.
We follow the steps for a private deployment: https://helpcenter.veeam.com/docs/vbazu ... html?ver=8
When Veeam Backup for Azure takes a backup of a VM in the same subscription as the Veeam workers:
- Source VM disks are set to "disable public and private access"
- Veeam takes a snapshot of the VM disks
- Veeam sets the snapshot networking to "Disable public access and enable private access" with the Disk Access resource selected.
- Veeam is able to take a backup of the VM disk snapshot via the Disk Access resource.
When Veeam takes a backup of a VM that is NOT in the same subscription as the Veeam workers:
- Source VM disks are set to "disable public and private access"
- Veeam takes a snapshot of the VM disks
- The snapshot inherits the source VM disks network settings
- Veeam spits out an error and is unable to take a backup.
Error:
Failed to perform backup of "Source-VM" to "Azure Storage account". Access not permitted for resource "snapshot resource" because the network access policy is DenyAll.
With the help of Veeam support (case 07653003) we found the following solution to this problem:
- Manually create a disk access resource in the Source VM Subscription.
* For this Disk Access resource, we will need to manually add a private endpoint. This private endpoint should:
- Be in the subscription with the VB for Azure server and the resource group that is selected for worker deployment.
- Be created in the virtual network & subnet used by the worker network configuration in the region used for the protected VM.
- The private endpoint must be added to the blob private DNS zone
The Disk Access and the Private Endpoints must have the appliance tag: if you check the VB for Azure appliance VM, you can find the "Veeam backup appliance ID" tag.
Then we need to set the source VM disks networking setting from 'Disable public and private access' to 'Disable public access and enable private access' and select the created Disk Access resource.
This is too much of a hassle, we need to:
- Add all the Disk access resources with the correct private endpoints, tags, ...
- Change all the VM disks networking settings to allow private mode with the correct Disk access resource.
I would like to submit a feature request that Veeam does this automatically.
Because Veeam Backup for Azure can already do this for VMs in the same subscription/VNET. But apparently is unable to do this for the other subscriptions?
- Service Provider
- Posts: 1
- Liked: 2 times
- Joined: Apr 09, 2025 10:08 am
- Full Name: Mathias Verlinden
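The manual workaround from the post above, written out as Azure CLI commands. This is an added example, not code from the poster or from Veeam; all subscription IDs, resource names, the region and the tag value are constructed placeholders, and the blob private DNS zone is assumed to sit in the worker resource group.

```shell
#!/bin/sh
# Added example. Every name, ID and tag value below is a constructed placeholder.
SRC_SUB="00000000-0000-0000-0000-000000000001"    # subscription of the source VM
SRC_RG="rg-source-vm"
VEEAM_SUB="00000000-0000-0000-0000-000000000002"  # subscription of the VB for Azure server
WORKER_RG="rg-veeam-workers"                      # resource group selected for worker deployment
WORKER_VNET="vnet-veeam-workers"
WORKER_SUBNET="snet-workers"
REGION="westeurope"                               # region of the protected VM
DA_NAME="da-veeam-source"
PE_NAME="pe-da-veeam-source"
BLOB_ZONE="privatelink.blob.core.windows.net"     # assumed to exist in WORKER_RG
APPLIANCE_TAG="Veeam backup appliance ID=<value-from-appliance-VM>"
DA_ID="/subscriptions/$SRC_SUB/resourceGroups/$SRC_RG/providers/Microsoft.Compute/diskAccesses/$DA_NAME"

# Print each command unless DRY_RUN=0 is set explicitly.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Usage: apply_workaround DISK_NAME...
apply_workaround() {
  # 1. Disk Access resource in the source VM subscription, with the appliance tag.
  run az disk-access create --subscription "$SRC_SUB" -g "$SRC_RG" -n "$DA_NAME" \
    -l "$REGION" --tags "$APPLIANCE_TAG"
  # 2. Private endpoint in the worker subscription, resource group, VNet and subnet.
  run az network private-endpoint create --subscription "$VEEAM_SUB" -g "$WORKER_RG" \
    -n "$PE_NAME" -l "$REGION" --vnet-name "$WORKER_VNET" --subnet "$WORKER_SUBNET" \
    --private-connection-resource-id "$DA_ID" --group-id disks \
    --connection-name "$PE_NAME-conn" --tags "$APPLIANCE_TAG"
  # 3. Register the endpoint in the blob private DNS zone.
  run az network private-endpoint dns-zone-group create --subscription "$VEEAM_SUB" \
    -g "$WORKER_RG" --endpoint-name "$PE_NAME" -n default \
    --private-dns-zone "$BLOB_ZONE" --zone-name blob
  # 4. Move each source disk from DenyAll to private access via the Disk Access resource.
  for disk in "$@"; do
    run az disk update --subscription "$SRC_SUB" -g "$SRC_RG" -n "$disk" \
      --public-network-access Disabled --network-access-policy AllowPrivate \
      --disk-access "$DA_ID"
  done
}

apply_workaround source-vm-osdisk source-vm-datadisk0
```

By default the script only prints the commands for review; running it with `DRY_RUN=0` after `az login` executes them.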
- Veteran
- Posts: 317
- Liked: 32 times
- Joined: Mar 23, 2015 8:30 am
- Location: Switzerland
Re: [Feature/Product request] Automatic deployment of Disk access resources in private environments
+1 for this feature request.
We just implemented Veeam for Azure VMs currently only for one region, but we have different VNETs and in the future we will also have VMs in different regions to back up.
thx,
sandsturm