Agentless, cloud-native backup for Microsoft Azure
agrob
Expert
Posts: 217
Liked: 23 times
Joined: Sep 05, 2011 1:31 pm
Full Name: Andre

Veeam Backup for Azure deployment in a separate Tenant for Security

Post by agrob »

Good Day

Thinking about security. In my opinion it could be a good decision to create a separate tenant apart from the production tenant for backup purposes. If you have backup and prod in the same tenant and something happens to it (hacking, deleting or whatever) you lose everything in a worst-case scenario. Is there, from a technical point of view, any limitation if Veeam Backup for Azure is deployed in a different tenant? Can I back up VMs, or in the future also other Azure resources, if backup and prod are not in the same tenant? I can't think of any at the moment but...?


Thanks
Best Regards

nielsengelen
Veeam Software
Posts: 3418
Liked: 686 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: Veeam Backup for Azure deployment in a separate Tenant for Security

Post by nielsengelen »

Hi Andre, good suggestion. We will think about how we can maybe add this as a feature in the future. Keep the feedback coming! Thanks.
https://foonet.be


Re: Veeam Backup for Azure deployment in a separate Tenant for Security

Post by agrob »

Hello Niels

Thanks for your Feedback. So at the moment Veeam Backup for Azure must be deployed in the same Subscription? It is not possible to deploy it in a separate "Backup Subscription" and protect VMs in another "Production Subscription"?

Best Regards
André

Mike Resseler
Product Manager
Posts: 6122
Liked: 712 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium

Re: Veeam Backup for Azure deployment in a separate Tenant for Security

Post by Mike Resseler »

Hey @agrob

If you add your Azure account, the VBA server indeed needs to be deployed in the "default" subscription for that account. However, if that account also has access to different subscriptions, you can start protecting VMs from that other subscription.


Re: Veeam Backup for Azure deployment in a separate Tenant for Security

Post by agrob »

Thanks, I understand about subscriptions.
How about the tenants? Can I create a new tenant "Backup" and deploy the VBA there, then add a separate account to VBA which has rights on subscriptions in another tenant to back up VMs from there?


Re: Veeam Backup for Azure deployment in a separate Tenant for Security

Post by nielsengelen »

Andre, are you a service provider by any chance and looking at VB for Azure as a service? In v1, you can only add 1 Azure account to VB for Azure.
https://foonet.be


Re: Veeam Backup for Azure deployment in a separate Tenant for Security

Post by agrob »

Hi Niels, no, I'm not a service provider, but I'm looking into the best way to implement VBA in a one cloud "vendor" strategy. To be honest, I haven't looked too deep into the VBA config yet, just thinking about the best implementation regarding security. If you deploy VBA in your production tenant, even if it is in a separate subscription, in my opinion this is not the most secure way, because if someone can access the tenant with global admin rights, then I'm pretty sure he can delete the prod VMs and also the backup infrastructure. I know when all Global Admins are secured by MFA, this chance is little, but we do backups to be able to recover from such things.
Just thinking whether it would work if we have two tenants with two different Azure AD directories. One tenant is "prod", the other tenant is "backup". The Azure account from the backup service can be added as a guest account in the prod tenant with minimal permissions to back up the VMs. So if someone gets access to the prod tenant, he can in a worst-case scenario delete all prod resources, but as backup is in another tenant with another Azure AD, it won't be possible to delete the backup as well with the same account from the prod tenant...

The other thing is, we can copy the cloud backups with VBR to on-prem and offload them to tape, so they are completely offline. But maybe this is for many companies not the way to go if they decide to go to the cloud...
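
The two-tenant layout described in the post above can be checked from role-assignment exports; the following is an added example, not part of the original post and not Veeam code. It assumes records shaped like `az role assignment list --all -o json` output and the `#EXT#` marker Azure AD puts in guest user names; every tenant domain, account, subscription id and the custom role name is a constructed placeholder.

```python
# Added example: audit of the two-tenant layout over constructed data.
# Records mimic `az role assignment list --all -o json`; every name, domain
# and subscription id below is a made-up placeholder.

# Built-in roles that can delete resources or grant themselves that right.
DESTRUCTIVE_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Hypothetical custom role standing in for "minimal permissions to back up VMs";
# the permissions Veeam Backup for Azure really needs are not given in the thread.
ALLOWED_IN_PROD = {"VM Snapshot Backup (custom)"}

BACKUP_GUEST = "svc-backup_backup.example.com#EXT#@prod.example.onmicrosoft.com"
PROD_SUB = "/subscriptions/00000000-0000-0000-0000-00000000000a"
BACKUP_SUB = "/subscriptions/00000000-0000-0000-0000-00000000000b"

def rec(name, role, scope):
    return {"principalName": name, "principalType": "User",
            "roleDefinitionName": role, "scope": scope}

BACKUP_ASSIGNMENTS = [
    rec("backupadmin@backup.example.com", "Owner", BACKUP_SUB),
    rec("globaladmin_prod.example.com#EXT#@backup.example.onmicrosoft.com",
        "Contributor", BACKUP_SUB),
    rec("auditor_prod.example.com#EXT#@backup.example.onmicrosoft.com",
        "Reader", BACKUP_SUB),
]
PROD_ASSIGNMENTS = [
    rec("globaladmin@prod.example.com", "Owner", PROD_SUB),
    rec(BACKUP_GUEST, "VM Snapshot Backup (custom)", PROD_SUB),
    rec(BACKUP_GUEST, "User Access Administrator", PROD_SUB),
]

def foreign_admins(backup_assignments):
    """Guests from another directory who could delete backup resources."""
    return sorted((a["principalName"], a["roleDefinitionName"])
                  for a in backup_assignments
                  if "#EXT#" in a["principalName"]
                  and a["roleDefinitionName"] in DESTRUCTIVE_ROLES)

def excess_backup_rights(prod_assignments, backup_principal, allowed):
    """Roles the backup identity holds in prod beyond the allowed set."""
    return sorted(a["roleDefinitionName"] for a in prod_assignments
                  if a["principalName"].lower() == backup_principal.lower()
                  and a["roleDefinitionName"] not in allowed)

if __name__ == "__main__":
    for name, role in foreign_admins(BACKUP_ASSIGNMENTS):
        print(f"backup tenant: guest {name} holds {role}")
    for role in excess_backup_rights(PROD_ASSIGNMENTS, BACKUP_GUEST, ALLOWED_IN_PROD):
        print(f"prod tenant: backup identity also holds {role}")
```

Group assignments are not expanded here, so a guest who gets a destructive role through group membership would need a separate membership lookup.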

szwicker
Service Provider
Posts: 128
Liked: 1 time
Joined: Jan 08, 2010 5:15 pm
Full Name: Seth Zwicker

Re: Veeam Backup for Azure deployment in a separate Tenant for Security

Post by szwicker »

nielsengelen wrote: May 04, 2020 9:54 am
Andre, are you a service provider by any chance and looking at VB for Azure as a service? In v1, you can only add 1 Azure account to VB for Azure.

I *AM* a service provider and I would be very interested in learning if there's a way to manage all my client backups centrally.


Re: Veeam Backup for Azure deployment in a separate Tenant for Security

Post by Mike Resseler »

@szwicker With VB for Azure we do support Lighthouse so technically this is already possible. There is information in the helpcenter around this. However, we are looking for feedback on the subject so please try this out in POC mode first.
Thanks
Mike

PS: @agrob You can obviously do the same :-)


Re: Veeam Backup for Azure deployment in a separate Tenant for Security

Post by szwicker »

I haven't used Helpcenter. Can you please direct me to that?

Maxim Karganov
Veeam Software
Posts: 9
Liked: 4 times
Joined: Jun 08, 2020 9:18 am

Re: Veeam Backup for Azure deployment in a separate Tenant for Security

Post by Maxim Karganov » 1 person likes this post

Hello Szwicker,

Please refer to this KB article for more info. As for backup policy configuration, please refer here.

Do not hesitate to ask if you have additional questions.
