VBAZ Plugin; required connections to Azure

[sandsturm]

I found the required firewallports that needs to be opened for the VBAZ plugin on this page: https://helpcenter.veeam.com/docs/vbazu ... tml?ver=60
One of the required rules is therefore:

From: Microsoft Azure Plug-in for Veeam Backup & Replication
To: Backup appliance, Azure services
Port: https

I found a list of IP address behind the "Azure services" here: https://www.microsoft.com/en-us/downloa ... x?id=56519

that is a huge amount of ip address behind these "Azure Services". Our VBR Server, where the plugin will run is installed in a "secure" networkzone with very limited access to internet resources. Our security department will probably kill me, if I tell them that they have to allow the communication from the VBR server to this huge range of endpoints for these Azure services. Therefore my question: Are all these Azure services really required as a destination for the VBAZ plugin? It's clear for me, that this range needs to be opened from the VBAZ appliance itself. But is it really required from the VBAZ plugin as well or is it possible to decrease the amount of endpoints which needs to be reachable for the VBAZ plugin?

thx,
sandsturm

[lyudmila.ezerskaya]

Hi! We'll check the list of services required from the plug-in side and get back to you as soon as possible.

[lyudmila.ezerskaya]

The User Guide now contains the updated list of Microsoft Azure services and ports required for the Microsoft Azure Plug-in for Veeam Backup & Replication. Please, check it out and let us know if you have any questions.

[sandsturm]

thanks a lot, I'll test that as soon as possible

[sandsturm]

Update from my side: your mentioned connections work for me now. But I'm just struggling with the next problem. During the process of creating the first repository, the workers will be installed/configured as well. I saw that one of the requirements is, that workers and VBAZ appliance need access to ubuntu repositories for example. I hoped to be able to install all components without opening this connection, but the worker deployment relies on that connection. I hoped that the initial installation will work and just future updates will not work without this connection. Our internal company security guidelines do not allow us to have connections to the internet without having at least a httpproxy in between. I learned that it's not possible to configure a httpproxy for VBAZ (currently). Is there another way of deploying workers without having a connection to the internet? I cannot believe that other (larger) companies can open such connections without problems?

thx,
sandsturm

[lyudmila.ezerskaya]

Hi! Connection to security.ubuntu.com and azure.archive.ubuntu.com is required from workers to get OS updates. You can disable auto-updates using a configuration key. For the config key, please contact our support team.