Does repositories in Azure get created for workers and log

[sumeet]

Hi Team,

Hope you are well.
We have a Veeam backup for Azure appliance deployment, which we use for Azure VMs backup.
The backups are working fine to the local repository and backup copy too.

What we have observed is that two additional storage accounts, whose name start with veeam<characters> exists on the setup.
From the events logs, it looks like these two repositories are being used by veeam backup for Azure appliance for workers and log.
Is this correct? I need help with following questions:

1. Are these two additional storage accounts created by VBAz appliance?
2. Is it correct that this is used for workers deployment and log?
3. How does VBAz appliance access these storage accounts? Does it use secret keys?
4. What if we want to rotate the storage keys? Will this break VBAz? If yes, what is the correct process to rotate the storage/secret keys (this is a requirement from security team)
5. Any documentation that can help with additional details?
6. If this is incorrect that these storage accounts are not used/created by VBAz and no such storage account is required for workers or logs - please confirm. Then can these SAs be disabled? Will this impact the backup or appliance functionality.

Thanks.

[nielsengelen]

Hi,

1. Yes, we make those. These should be temporary normally.
2. They are used for both.
3 and 4. Let me verify the latest logic.
5. I’ll see if we can add a section to the user guide.

[sumeet]

Hi Niels,

Hope you are well and had a good weekend.
Thanks for assisting with this query.
Please let me know if you have an update for #3 and #4?

-Sumeet.

[nielsengelen]

Hi Sumeet,

Sorry I haven't received an update yet. Let me try to resolve it.

[sumeet]

Hi Niels,

Thanks. Appreciate your help.
Will be great if I can get an update by tomorrow end.

[nielsengelen]

Hi,

We do use secret keys for this, you should be able to rotate them manually if required using the Azure portal. It will deploy a new worker as a result and continue processing data as usual.

[sumeet]

Hi Niels,

Thanks for the confirmation. We will try this.
Appreciate your help.

[sumeet]

Hi Niels,

Hope you are well.
I need help for these two storage accounts that I have listed in my first message.
These storage account have public network access enabled. Is this required? If yes, what is the purpose for this public network access?
What is the impact or issues if this public network access is disabled.

Also, as informed earlier, will be helpful to get additional details of the purpose and usage of these storage accounts.

[nielsengelen]

Hi,

You can enable private deployment mode to ensure nothing has public network access. Have you considered this setup?

As mentioned, we use these for workers and log storage as well as communication with VMs when enabling appliation-aware processing or in-guest scripting.

[sumeet]

Hi Niels,

We did not enable private deployment mode. We were under the assumption that the network that we connect the appliance and the storage account used as repository is private, so that should be taken care off.
Were not aware of these additional storage account will get created and their requirement to connect to public network access.

I'm not sure what will happen if we enable the private deployment mode at this stage, where-in we have everything working fine.
We do not use application-aware processing or in-guest scripting. So is it ok to disable this public network access for these storage account?