This is an archive version of the document. To get the most up-to-date information, see the current version.

Architecture Overview

The backup infrastructure of Veeam Backup for Microsoft Azure includes the following components:

Backup Appliance

The backup appliance is a Linux-based Azure VM where Veeam Backup for Microsoft Azure is installed. The backup appliance performs the following administrative activities:

The backup appliance also maintains the configuration database that stores data collected from Veeam Backup for Microsoft Azure for existing backup policies, protected Azure resources, deployed worker instances, connected Microsoft Azure accounts and so on.

Backup Appliance Components

The backup appliance uses the following components:

To access Microsoft Azure services and resources, the backup appliance uses Azure REST API.

Backup Repositories

A backup repository is a folder in a blob container where Veeam Backup for Microsoft Azure stores backups of Azure VMs.

Important

Backup files are stored in backup repositories in the native Veeam format and must not be modified, either manually or by third-party tools. Otherwise, Veeam Backup for Microsoft Azure may fail to restore the backed-up data.

Encryption on Repositories

For enhanced data security, Veeam Backup for Microsoft Azure allows you to enable encryption at the repository level. Veeam Backup for Microsoft Azure uses the same encryption standards as Veeam Backup & Replication to encrypt backup files stored in backup repositories. For more information on Veeam Backup & Replication encryption standards, see the Encryption Standards section of the Veeam Backup & Replication User Guide.

To enable encryption for a backup repository added to the Veeam Backup for Microsoft Azure infrastructure, configure the repository settings as described in section Adding Backup Repositories and choose whether you want to encrypt data using a password or using an Azure Key Vault cryptographic key.

Limitations for Repositories

To use a blob container as a target location for Azure VM and Azure SQL backups, you must connect to an Azure storage account in which this blob container resides, as described in section Adding Backup Repositories.

Veeam Backup for Microsoft Azure supports the following types of Azure storage accounts:

| Storage Account Type | Supported Performance Tiers | Supported Access Tiers |
| --- | --- | --- |
| General-purpose V2 | Standard | Hot, Cool, Archive |
| BlobStorage | Standard | Hot, Cool, Archive |

Important

Consider the following limitations for storage accounts:

  • Veeam Backup for Microsoft Azure does not support creating backup repositories in storage accounts that have the blob soft delete option enabled.
  • Veeam Backup for Microsoft Azure does not support archive tiering for storage accounts that have a data redundancy option (ZRS, GZRS, RA-GZRS) enabled.
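
The storage account rules above can be checked before a repository is added. The following is an added example, not part of the Veeam documentation or product: it evaluates the JSON returned by `az storage account show` and `az storage account blob-service-properties show` against the supported types and limitations listed in this section. The function name, the sample accounts and the mapping of ZRS, GZRS and RA-GZRS to the SKU names `Standard_ZRS`, `Standard_GZRS` and `Standard_RAGZRS` are assumptions of the example.

```python
# Added example: checks Azure CLI JSON against the repository limits on this page.
# Account kinds for the two supported types (General-purpose V2, BlobStorage).
SUPPORTED_KINDS = {"StorageV2", "BlobStorage"}
# Assumed SKU names for the redundancy options that block archive tiering.
NO_ARCHIVE_SKUS = {"Standard_ZRS", "Standard_GZRS", "Standard_RAGZRS"}


def check_repository_account(account, blob_props, want_archive=False):
    """Return a list of problems; an empty list means the account passes.

    account    -- dict parsed from `az storage account show`
    blob_props -- dict parsed from
                  `az storage account blob-service-properties show`
    """
    problems = []
    kind = account.get("kind")
    sku = account.get("sku") or {}
    if kind not in SUPPORTED_KINDS:
        problems.append(f"unsupported storage account type: {kind}")
    if sku.get("tier") != "Standard":
        problems.append(f"unsupported performance tier: {sku.get('tier')}")
    # Blob soft delete is reported as deleteRetentionPolicy.enabled.
    if (blob_props.get("deleteRetentionPolicy") or {}).get("enabled"):
        problems.append("blob soft delete is enabled")
    # The redundancy limit only matters when archive tiering is wanted.
    if want_archive and sku.get("name") in NO_ARCHIVE_SKUS:
        problems.append(f"archive tiering not supported with {sku.get('name')}")
    return problems


# Constructed sample data (not real accounts).
GOOD = {"name": "examplebackup01", "kind": "StorageV2",
        "sku": {"name": "Standard_LRS", "tier": "Standard"}}
ZONAL = {"name": "examplebackup02", "kind": "StorageV2",
         "sku": {"name": "Standard_ZRS", "tier": "Standard"}}
PREMIUM = {"name": "examplebackup03", "kind": "BlockBlobStorage",
           "sku": {"name": "Premium_LRS", "tier": "Premium"}}
SOFT_DELETE_ON = {"deleteRetentionPolicy": {"enabled": True, "days": 7}}
SOFT_DELETE_OFF = {"deleteRetentionPolicy": {"enabled": False}}

if __name__ == "__main__":
    cases = [(GOOD, SOFT_DELETE_OFF, True), (ZONAL, SOFT_DELETE_OFF, True),
             (GOOD, SOFT_DELETE_ON, False), (PREMIUM, SOFT_DELETE_OFF, False)]
    for acct, props, archive in cases:
        result = check_repository_account(acct, props, archive)
        print(acct["name"], "OK" if not result else result)
```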

Worker Instances

A worker instance is an auxiliary Linux-based virtual machine that is responsible for the interaction between the backup appliance and other components of the Veeam Backup for Microsoft Azure infrastructure. Worker instances process the backup workload and distribute backup traffic when transferring data to backup repositories.

Veeam Backup for Microsoft Azure automatically deploys worker instances to process Azure VMs and Azure SQL databases, and keeps the instances running for the duration of the backup or restore process. Workers are deployed based on worker configurations that can be created either automatically by Veeam Backup for Microsoft Azure, or manually by the user as described in Managing Workers. Veeam Backup for Microsoft Azure launches one worker instance for each Azure VM and Azure SQL database specified in a backup policy or restore task. Each worker can process data of only one Azure VM or SQL database at a time. If the number of VMs and databases that must be processed exceeds the maximum number of workers specified in the worker configuration, the VMs and databases exceeding this limit will be queued.

To minimize cross-region traffic charges, Veeam Backup for Microsoft Azure launches worker instances in a location that depends on the data protection or disaster recovery operation:

| Operation | Worker Instance Location | Default Worker Instance Size |
| --- | --- | --- |
| Creating backups of Azure VMs | Azure region in which a backup repository storing backed-up data resides | Standard_F2s_v2, 2 CPU, 4 GB RAM |
| Creating backups of SQL databases | Azure region in which a SQL Server hosting the processed database resides | |
| Creating archived backups of Azure VMs | Azure region in which an archive backup repository storing backed-up data resides | Standard_E2_v4, 2 CPU, 16 GB RAM |
| Creating archived backups of SQL databases | Azure region in which a SQL Server hosting the processed database resides | |
| Azure VM and SQL database restore | Azure region where the restored Azure VM or SQL server hosting the restored database resides | Standard_F2s_v2, 2 CPU, 4 GB RAM |
| Volume-level restore | Azure region where the restored virtual disk resides | |
| File-level restore from cloud-native snapshots | Azure region in which a cloud-native snapshot resides | |
| File-level restore from image-level backups | Azure region in which a backup repository storing backed-up data resides | |

A worker instance uses the following services:

For more information on recovering files of Azure VMs using the File Level Recovery for Veeam Backup browser, see Performing File-Level Recovery.

Note

By design, Veeam Backup for Microsoft Azure installs the unattended-upgrades package on every deployed worker instance. This package automatically sends requests to the Ubuntu Security Update repository (security.ubuntu.com) to get and install security updates on the worker instance. Due to technical limitations, you can neither configure nor disable these updates in the current version of Veeam Backup for Microsoft Azure.

Security Certificates for Worker Instances

Veeam Backup for Microsoft Azure uses self-signed TLS certificates to establish secure communication between the web browser on a local machine and the File Level Recovery for Veeam Backup browser running on a worker instance during the file-level recovery process. A self-signed certificate is generated automatically on the worker instance when the recovery session starts.

Requirements for Worker Instances

For every Azure region where worker instances will be launched, you must specify a virtual network, a subnet and a security group to which the worker instances must be connected. Otherwise, Veeam Backup for Microsoft Azure will not be able to launch worker instances or perform the required data protection and disaster recovery operations.

To learn how to configure network settings for worker instances, see Adding Worker Configuration.