tm67
Service Provider
Posts: 128
Liked: 39 times
Joined: Feb 21, 2023 4:44 pm
Full Name: Timo Marfurt

Network access restriction

Post by tm67 »

Hi
In VDC M365, I can configure Settings -> Access -> Networking -> Restrict Veeam Data Cloud access to specific IP ranges.
Is this only available for M365? What about other SaaS services like Azure backup?
Does this mean that if I enable this option, I cannot connect to VDC M365 but I can connect to VDC Azure?
In my opinion, it would make sense to move this function outside of VDC M365 into VDC "global settings".
And there I should be able to set what service I want to restrict access to.

And what about self-service restore capabilities? Are those restricted as well, or can this be configured so that restores are available from other network sources as well?
Or is this setting only for self-service restore?
The documentation screenshots are not up to date with the "new GUI", but I am referring to this screen (but I am on the new UI): https://helpcenter.veeam.com/docs/vdcm3 ... range.html
Thanks
Timo
micoolpaul
VeeaMVP
Posts: 418
Liked: 169 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul

Re: Network access restriction

Post by micoolpaul »

Hi Timo,

I believe you're using a stale weblink; that is indeed the legacy portal. If you go to https://helpcenter.veeam.com and navigate to VDC, this defaults to the new UI.

https://helpcenter.veeam.com/docs/vdc/u ... twork.html is the equivalent link for the new UI.

At present the IP address restriction here is for VDC M365, including self-service.
To apply an IP address restriction consistently across VDC access, you'd apply this at the IdP level, so with Entra ID SSO you can define your policy there.

I don't have timescales for when/if this will move out of VDCM365 specifically to the core VDC platform level, as each tenant within a VDC organisation could have independent IP address restriction requirements.

Thanks,
Michael
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
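To make the "apply it at the IdP level" suggestion concrete, here is an added example of what that Entra ID policy looks like as a Conditional Access policy created through the Microsoft Graph PowerShell SDK. This is not code from the thread or from Veeam; the app ID of the Veeam Data Cloud enterprise application, the break-glass account object ID and the CIDR ranges are placeholders (the ranges are constructed from RFC 5737 documentation space) that you must replace with your own values.

```powershell
# Added example, not from the forum thread or Veeam documentation.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
# Scopes: Policy.ReadWrite.ConditionalAccess is needed to create policies and named locations.

# --- Assumptions / placeholders: replace before running ---
$VdcAppId      = "00000000-0000-0000-0000-000000000000"   # placeholder: app ID of the VDC enterprise app in your tenant
$TrustedCidrs  = @("203.0.113.0/24", "198.51.100.10/32")   # constructed example ranges (RFC 5737), not real egress IPs
$BreakGlassIds = @("11111111-1111-1111-1111-111111111111") # placeholder: object IDs of emergency-access accounts

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. A named location containing the network ranges admins are allowed to come from.
$ipRanges = @($TrustedCidrs | ForEach-Object {
    @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $_ }
})

$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "VDC trusted egress ranges"
    isTrusted     = $false   # keep $false: "trusted" locations also relax MFA prompts elsewhere, which is not the goal here
    ipRanges      = $ipRanges
}

# 2. Block sign-in to the VDC application from every location except that one.
#    Start in report-only mode and review the sign-in logs before enforcing, so a
#    wrong CIDR does not lock the whole team out of the backup portal.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block Veeam Data Cloud outside trusted networks"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" once the logs look right
    conditions  = @{
        applications   = @{ includeApplications = @($VdcAppId) }
        users          = @{ includeUsers = @("All"); excludeUsers = $BreakGlassIds }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# 3. Confirm what was created.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State
```

Two caveats worth keeping in mind. First, the policy only governs sign-ins that go through Entra ID SSO; accounts using Veeam Authentication never hit the IdP, so they are not covered by it, which is the gap the later posts in this thread discuss. Second, a location-only block is the weakest form of this control, since source IP is easy to share through a VPN or proxy; if the IdP is already in the picture, pairing the block with a `compliantDevice` or `mfa` grant control on the allow side is the more robust version of the same idea.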
tm67
Service Provider
Posts: 128
Liked: 39 times
Joined: Feb 21, 2023 4:44 pm
Full Name: Timo Marfurt

Re: Network access restriction

Post by tm67 »

Hi Michael
Thanks, I see that it's on a per-tenant basis. But it would be nice to see some kind of possible restriction not only on VDC M365.
About the restrictions on the IdP level: this can make sense for restore account purposes.
But for admin accounts, not so. I think I do not want to add a user with admin privileges from my IdP to VDC as a VDC admin, because this is the tenant that I am trying to protect.
The same principle as "do not add your backup server to your production domain": if my tenant is attacked, the admin account that can configure VDC M365 is also at risk.

Timo
micoolpaul
VeeaMVP
Posts: 418
Liked: 169 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul

Re: Network access restriction

Post by micoolpaul »

Hi Timo,

I'm not sure I understand your point here, sorry. You don't have to use a production identity for the IdP integration (which aligns with your statement of "do not add your backup server to your production domain"). Are you using Veeam Authentication exclusively, or are you using Entra ID SSO?

Thanks,
Michael
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
tm67
Service Provider
Posts: 128
Liked: 39 times
Joined: Feb 21, 2023 4:44 pm
Full Name: Timo Marfurt

Re: Network access restriction

Post by tm67 »

Hi Michael
You mean that I add a second IdP (another Entra ID tenant)? This could be an option, but realistically not all customers have a management Entra ID tenant.
The same as not every customer has an on-prem management Active Directory domain.
So for all customers that do not have a management tenant, it would be nice to have some restriction configuration available directly within VDC for accounts with Veeam Authentication.
Timo
micoolpaul
VeeaMVP
Posts: 418
Liked: 169 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul

Re: Network access restriction

Post by micoolpaul »

Hi,

No, you would use one IdP, but it does not have to be a production/protected tenant that you use as the IdP. You would use one IdP because this ensures a consistent security profile, such as Conditional Access Policies and Intune compliance, for anyone that can access the platform.

Your feedback has been logged regarding this feature request, by the way.
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID