We have a customer running the latest version of Veeam Backup for Azure. Their Azure tenant has a top-level Deny policy that requires 11 mandatory tags on every resource at creation time. If a resource is created without all 11 required tags, Azure denies the create operation outright.
The "Custom tags" setting in VBA snapshot rules is currently limited to 5 tags. This means VBA cannot supply all 11 tags that the customers Deny policy mandates. As a result, when VBA attempts to create a snapshot, the Azure Deny policy blocks the create operation because the required tags are missing, and the snapshot (and therefore the backup) fails. We temporary exempt RG from policy, but security guys are not happy :/
Is there any chance to expanding that limitation from 5 to greater number?
I selected that option to copy tags from the source disk to the snapshot, but it doesn't seem to work, or I didn't need to enable "Add custom tags to created snapshots" as well. In any case, we hit a policy block when running the backup/snapshot creation job. I'm not entirely clear on the mechanics behind this in Veeam. When I check the resources created by Veeam in Azure, I see my 5 custom tags and a few Veeam-bound tags: Veeam backup appliance ID, veeam01, and veeam02.
Disregard my last post, you're right. The Azure team later came back with info that the machine disks were missing tags. However, we still have legacy machines with only 4 tags, from before this policy was enforced. If I add them to backup, the backup fails because of the mandatory tags policy (11 tags required), and I could easily work around this if the Veeam console allowed more than 5 tags.