Architecture Overview

In this article

    The backup infrastructure of Veeam Backup for Microsoft Azure includes the following components:

    Backup Appliance

    The backup appliance is a Linux-based Azure VM where Veeam Backup for Microsoft Azure is installed. The backup appliance performs the following administrative activities:

    The backup appliance also maintains the configuration database that stores data collected from Veeam Backup for Microsoft Azure for existing backup policies, protected Azure VMs, deployed worker instances, connected Microsoft Azure accounts and so on.

    Backup Repositories

    A backup repository is a folder in a blob container where Veeam Backup for Microsoft Azure stores backups of Azure VMs.

    Backup Appliance Components

    The backup appliance uses the following components:

    To access Microsoft Azure services and resources, the backup appliance uses Azure REST API.

    Encryption on Repositories

    For enhanced data security, Veeam Backup for Microsoft Azure allows you to enable encryption at the repository level. Veeam Backup for Microsoft Azure uses the same encryption standards as Veeam Backup & Replication to encrypt backup files stored in backup repositories. For more information on Veeam Backup & Replication encryption standards, see the Encryption Standards section of the Veeam Backup & Replication User Guide.

    To learn how to enable encryption at the repository level, see Adding Backup Repositories.

    Limitations for Repositories

    To use a blob container as a target location for Azure VM backups, you must connect to an Azure storage account in which this blob container resides, as described in section Adding Backup Repositories.

    Veeam Backup for Microsoft Azure supports the following types of Azure storage accounts:

    Storage Account Type

    Supported Performance Tiers

    Supported Access Tiers

    General-purpose V2


    Hot, Cool



    Hot, Cool

    Worker Instances

    A worker instance is an auxiliary Linux-based virtual machine that is responsible for the interaction between the backup appliance and other components of the Veeam Backup for Microsoft Azure infrastructure. Worker instances process the backup workload and distribute backup traffic when transferring data to backup repositories.

    Veeam Backup for Microsoft Azure automatically deploys a worker instance to every processed Azure VM and keeps the instance running for the duration of the backup or restore process. Workers are deployed based on worker configurations that can be created either automatically by Veeam Backup for Microsoft Azure, or manually by the user as described in Adding Worker Configuration.

    A worker instance uses the following services:

    • Veeam Data Mover — the service that performs data processing tasks. During backup, the Veeam Data Mover service retrieves data from snapshots and stores the retrieved data to backup repositories. During restore, the Veeam Data Mover transfers backed-up data from backup repositories to the target location.
    • File Level Recovery for Veeam Backup Browser — the web service that allows you to find and save files and folders of a backed-up Azure VM to a local machine. The File Level Recovery for Veeam Backup browser is installed automatically on every worker instance that is launched for file-level recovery.

    For more information on recovering files of Azure VMs using the File Level Recovery for Veeam Backup browser, see Performing File-Level Recovery.


    By design, Veeam Backup for Microsoft Azure installs the unattended-upgrades package on every deployed worker instance. This package automatically sends requests to the Ubuntu Security Update repository ( to get and install security updates on the worker instance. Due to technical limitations, you can neither configure nor disable these updates in the current version of Veeam Backup for Microsoft Azure.

    Security Certificates for Worker Instances

    Veeam Backup for Microsoft Azure uses self-signed TLS certificates to establish secure communication between the web browser on a local machine and the File Level Recovery for Veeam Backup browser running on a worker instance during the file-level recovery process. A self-signed certificate is generated automatically on the worker instance when the recovery session starts.

    Requirements for Worker Instances

    For every Azure region where worker instances will be launched, you must specify a virtual network, subnet and a security group to which the worker instances must be connected. Otherwise, Veeam Backup for Microsoft Azure will be able neither to launch worker instances nor to perform the required data protection and disaster recovery operations.

    To learn how to configure network settings for worker instances, see Adding Worker Configuration.