Architecture Overview
The Veeam Backup for Microsoft Azure architecture includes the following components:
- Manages architecture components.
- Coordinates snapshot creation, backup and recovery tasks.
- Controls backup policy scheduling.
- Generates daily reports and email notifications.
The backup appliance uses the following components:
- Configuration database — stores data on the existing backup policies, worker instance configurations, connected Microsoft Azure accounts and so on, as well as information on the available and protected resources collected from Microsoft Azure.
- Configuration restore service — allows users to restore the configuration of the backup appliance and migrate the Veeam Backup for Microsoft Azure configuration from one backup appliance to another backup appliance in Microsoft Azure.
- Web UI — provides a web interface that allows users to access the Veeam Backup for Microsoft Azure functionality.
- Updater service — allows Veeam Backup for Microsoft Azure to check and install product and package updates.
- REST API service — allows users to perform operations with Veeam Backup for Microsoft Azure entities using HTTP requests and standard HTTP methods. For details, see the Veeam Backup for Microsoft Azure REST API Reference.
To communicate with a backup repository, Veeam Backup for Microsoft Azure uses Veeam Data Mover — the service that runs on a worker instance and that is responsible for data processing and transfer. When a backup policy addresses the backup repository, the Veeam Data Mover establishes a connection with the repository to enable data transfer.
Important: Backups are stored in backup repositories in the native Veeam format and must not be modified either manually or with third-party tools. Otherwise, Veeam Backup for Microsoft Azure may fail to restore the backed-up data.
For enhanced data security, Veeam Backup for Microsoft Azure allows you to enable encryption at the repository level. Veeam Backup for Microsoft Azure uses the same encryption standards as Veeam Backup & Replication to encrypt backups stored in backup repositories. To learn what encryption standards Veeam Backup & Replication uses to encrypt its data, see the Encryption Standards section of the Veeam Backup & Replication User Guide.
To enable encryption at the repository level, configure the repository settings as described in section Adding Backup Repositories, and choose whether to encrypt data using a password or an Azure Key Vault cryptographic key.
Limitations for Repositories
To use a blob container as a target location for backups, you must connect to an Azure storage account in which this blob container resides, as described in section Adding Backup Repositories.
Veeam Backup for Microsoft Azure supports the following types of Azure storage accounts:
Storage Account Type | Supported Performance Tiers | Supported Access Tiers |
---|---|---|
General-purpose V2 | Standard | Hot, Cool, Archive |
BlobStorage | Standard | Hot, Cool, Archive |
Important: Consider the following limitations for storage accounts:
Veeam Backup for Microsoft Azure automatically launches worker instances to process Azure VMs and Azure SQL databases when performing a backup or restore operation, and keeps the instances running for the duration of the operation. Veeam Backup for Microsoft Azure launches one worker instance for each Azure resource specified in a backup policy or restore task. To minimize cross-region traffic charges and to speed up data transfer, Veeam Backup for Microsoft Azure launches worker instances in the following locations, depending on the operation performed:
Operation | Worker Instance Location | Default Worker Instance Size |
---|---|---|
Creating image-level backups of Azure VMs | Azure region in which a processed Azure VM resides | Standard_F2s_v2, 2 CPU, 4 GB RAM |
Creating backups of Azure SQL databases | Azure region in which a SQL Server hosting the processed database resides | |
Azure file share indexing | Azure region in which a processed file share resides | |
Creating archived image-level backups of Azure VMs | Azure region in which an archive backup repository storing backed-up data resides | Standard_E2_v5, 2 CPU, 16 GB RAM |
Creating archived image-level backups of Azure SQL databases | Azure region in which an archive backup repository storing backed-up data resides | |
Performing health check for created restore points | Azure region in which a target backup repository resides | Standard_F2s_v2, 2 CPU, 4 GB RAM |
Applying retention policy settings to created restore points | Azure region in which a backup repository with backed-up data resides | |
Restoring Azure VMs and Azure SQL databases | Azure region in which the restored Azure VM or SQL Server hosting the restored database resides | |
Restoring individual virtual disks of Azure VMs | Azure region in which the restored virtual disk resides | |
File-level restore from cloud-native snapshots | Azure region in which a cloud-native snapshot resides | |
File-level restore from image-level backups | Azure region in which a backup repository storing backed-up data resides | |
Worker instances are launched based on worker configurations and profiles. For more information, see Managing Worker Instances.
Worker Instance Components
A worker instance uses the following services:
- Veeam Data Mover — the service that performs data processing tasks. During backup, the Veeam Data Mover retrieves source data and transfers it to backup repositories. During restore, the Veeam Data Mover transfers backed-up data from backup repositories to the target location.
- File-level recovery browser — the web service that allows you to find and save files and folders of a backed-up Azure VM to a local machine. The File-level recovery browser is installed automatically on every worker instance that is launched for file-level recovery.
For more information on recovering files of Azure VMs using the File-level recovery browser, see Performing File-Level Recovery.
Note: By design, Veeam Backup for Microsoft Azure installs the unattended-upgrades package on every launched worker instance. This package automatically sends requests to the Ubuntu Security Update repository (security.ubuntu.com) to get and install security updates on the worker instance. To reconfigure or disable these updates, open a support case.
Security Certificates for Worker Instances
Veeam Backup for Microsoft Azure uses self-signed TLS certificates to establish secure communication between the web browser on a user workstation and the File-level recovery browser running on a worker instance during the file-level recovery process. A self-signed certificate is generated automatically on the worker instance when the recovery session starts.
Requirements for Worker Instances
By default, Veeam Backup for Microsoft Azure creates a new network configuration for each Azure region in which it launches worker instances. However, you can add custom worker configurations to provide network settings that will be used to launch worker instances in a specific region. In this case, for every Azure region where worker instances will be launched, you must specify a virtual network and a subnet to which the worker instances must be connected. You can also specify a security group that will be associated with the specified subnet. To learn how to configure network settings for worker instances, see Adding Worker Configuration.
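The worker location table and the custom worker configuration requirement above can be combined into a planning check. This is an added example, not Veeam code; the operation names, record fields and sample data are constructed for illustration. It derives the region in which each job launches its worker and lists the regions that have no worker configuration with both a virtual network and a subnet.

```python
# Added example, not Veeam code. Operation names and record fields are constructed.
# Which region of a job decides where its worker is launched (per the table above).
WORKER_REGION_SOURCE = {
    "vm_backup": "source",            # region of the processed Azure VM
    "sql_backup": "source",           # region of the SQL Server hosting the database
    "file_share_indexing": "source",  # region of the processed file share
    "vm_archive": "repository",       # region of the archive backup repository
    "sql_archive": "repository",
    "health_check": "repository",     # region of the target backup repository
    "retention": "repository",
    "restore": "target",              # region of the restored VM or SQL Server
    "disk_restore": "target",         # region of the restored virtual disk
    "flr_from_snapshot": "source",    # region of the cloud-native snapshot
    "flr_from_backup": "repository",
}

def worker_region(job):
    """Return the Azure region in which the worker for this job is launched."""
    kind = WORKER_REGION_SOURCE.get(job["operation"])
    if kind is None:
        raise ValueError(f"unknown operation: {job['operation']}")
    region = job.get(kind)
    if not region:
        raise ValueError(f"{job['operation']} needs a '{kind}' region")
    return region.lower()

def missing_worker_configs(jobs, worker_configs):
    """Map each uncovered worker region to the operations that launch workers there."""
    covered = {c["region"].lower() for c in worker_configs
               if c.get("vnet") and c.get("subnet")}
    needed = {}
    for job in jobs:
        needed.setdefault(worker_region(job), []).append(job["operation"])
    return {r: sorted(set(ops)) for r, ops in needed.items() if r not in covered}

# Constructed sample data.
JOBS = [
    {"operation": "vm_backup", "source": "westeurope", "repository": "northeurope"},
    {"operation": "vm_archive", "source": "westeurope", "repository": "northeurope"},
    {"operation": "restore", "repository": "northeurope", "target": "eastus"},
]
CONFIGS = [
    {"region": "westeurope", "vnet": "vnet-weu", "subnet": "workers"},
    {"region": "northeurope", "vnet": "vnet-neu", "subnet": None},  # incomplete
]

if __name__ == "__main__":
    for region, ops in sorted(missing_worker_configs(JOBS, CONFIGS).items()):
        print(f"{region}: no complete worker configuration for {ops}")
```

With the sample data, the archive job needs a worker network in the repository's region rather than the VM's region, which is the case most easily missed when only source regions are planned for.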