Agentless, cloud-native backup for Microsoft Azure
Lewpy
Enthusiast
Posts: 80
Liked: 17 times
Joined: Nov 27, 2012 1:00 pm
Full Name: Lewis Berrie
Location: Southern England

Backing up virtual appliance attached to a public Azure Load Balancer

Post by Lewpy »

When we attempt to back up a FortiGate virtual appliance in Azure IaaS sandwiched between Azure Load Balancers (part of an HA pair), we get this error:
The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Network/loadBalancers/read' over scope '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Network/loadBalancers/xxx-publicLoadBalancer' or the scope is invalid
I can see that we could add the required permission to the Veeam Azure Service Account (it is not part of the set of permissions that Veeam automatically grants it), but would this be an "okay" thing to do and not cause problems?
I get the feeling that restoration of the virtual appliance may be problematic at best anyway, with the Azure Load Balancers thrown in the mix, and normal configuration backups within the virtual appliance's interface are best maintained (Azure's own backup doesn't let you back the VMs up).

Thanks,
Lewis.
HannesK
Product Manager
Posts: 14449
Liked: 2919 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Backing up virtual appliance attached to a public Azure Load Balancer

Post by HannesK »

Hello,
To me it sounds like deploying a fresh appliance and restoring the configuration backup is the way it is designed.

I would stick to the vendor's (Fortinet) recommendations. What does Fortinet say about backup & restore?

Best regards,
Hannes
nielsengelen
Product Manager
Posts: 5667
Liked: 1190 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen

Re: Backing up virtual appliance attached to a public Azure Load Balancer

Post by nielsengelen »

Agree with Hannes. While we may be able to back it up, there is no direct integration with the solution and knowing the importance of these - it may be required.

Does Fortinet provide any guidance in this case as we may be able to look into this for enhancements within VBA?

I can see statements from 2020 that it was not supported at all to back it up and customers who use SCP to back up the config.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
Lewpy
Enthusiast
Posts: 80
Liked: 17 times
Joined: Nov 27, 2012 1:00 pm
Full Name: Lewis Berrie
Location: Southern England

Re: Backing up virtual appliance attached to a public Azure Load Balancer

Post by Lewpy »

Hi Hannes/Niels,

Thank you for your replies :D
The FortiGate firewall appliance supports backing up the configuration to local disk via the management GUI, so there is an inbuilt backup process (the same as their physical firewalls).
Due to the "complexities" of the Azure configuration, which mixes appliance VMs with Azure Load Balancers, I question the "value" of a VM-level backup, to be honest.
It was more a case of "We can pick it for backup in the GUI, let's back it up".
I guess the ability to restore the entire VM back quickly (from snapshot or storage) could be useful if someone does something drastic to the virtual appliance, such that gaining access to the management console is no longer possible, so a configuration backup can't be restored. Although this will be against the manufacturer's (FortiNet) advice, I suspect.
Redeploying the entire appliance from scratch is do-able, just highly complex, and would take down Internet access for the whole vNet while happening (the FortiGates act as the Internet firewall), not to mention having to be very careful to keep any Public IPs allocated and migrated, otherwise all site-to-site VPNs, DNS records, etc. will need changed.

I am guessing this permission error isn't something that has been seen before then? :)
Perhaps blocking the VM from being selected for backup in the console is the "correct" enhancement :lol:

Thanks,
Lewis.