Architecture Overview
The backup infrastructure of Veeam Backup for Microsoft Azure includes the following components:
The backup appliance is a Linux-based Azure VM where Veeam Backup for Microsoft Azure is installed. The backup appliance performs the following administrative activities:
- Manages infrastructure components.
- Coordinates snapshot creation, backup and recovery tasks.
- Controls backup policy scheduling.
The backup appliance also maintains the configuration database that stores data collected from Veeam Backup for Microsoft Azure for existing backup policies, protected Azure resources, deployed worker instances, connected Microsoft Azure accounts and so on.
Backup Appliance Components
The backup appliance uses the following components:
- Backup service — coordinates data protection and disaster recovery operations.
- Configuration database — stores data collected for the Veeam Backup for Microsoft Azure infrastructure, backup policies, sessions and so on.
- Web UI — provides a web interface that allows user access to the Veeam Backup for Microsoft Azure functionality.
- Updater service — allows to check, view and install product and package updates.
- REST API service — allows to perform operations with Veeam Backup for Microsoft Azure entities using HTTP requests and standard HTTP methods. For details, see the Veeam Backup for Microsoft Azure REST API Reference.
To access Microsoft Azure services and resources, the backup appliance uses Azure REST API.
A backup repository is a folder in a blob container where Veeam Backup for Microsoft Azure stores backups of Azure VMs.
Important |
Backup files are stored in backup repositories in the native Veeam format and must be modified neither manually nor by 3rd party tools. Otherwise, Veeam Backup for Microsoft Azure may fail to restore the backed-up data. |
Encryption on Repositories
For enhanced data security, Veeam Backup for Microsoft Azure allows you to enable encryption at the repository level. Veeam Backup for Microsoft Azure uses the same encryption standards as Veeam Backup & Replication to encrypt backup files stored in backup repositories. For more information on Veeam Backup & Replication encryption standards, see the Encryption Standards section of the Veeam Backup & Replication User Guide.
To enable encryption for a backup repository added to the Veeam Backup for Microsoft Azure infrastructure, configure the repository settings as described in section Adding Backup Repositories and choose whether you want to encrypt data using a password or using an Azure Key Vault cryptographic key.
Limitations for Repositories
To use a blob container as a target location for Azure VM and Azure SQL backups, you must connect to an Azure storage account in which this blob container resides, as described in section Adding Backup Repositories.
Veeam Backup for Microsoft Azure supports the following types of Azure storage accounts:
Storage Account Type | Supported Performance Tiers | Supported Access Tiers |
---|---|---|
General-purpose V2 | Standard | Hot, Cool, Archive |
BlobStorage | Standard | Hot, Cool, Archive |
Important |
Consider the following limitations for storage accounts:
|
A worker instance is an auxiliary Linux-based virtual machine that is responsible for the interaction between the backup appliance and other components of the Veeam Backup for Microsoft Azure infrastructure. Worker instances process the backup workload and distribute backup traffic when transferring data to backup repositories.
Veeam Backup for Microsoft Azure automatically deploys worker instances to process Azure VMs and Azure SQL databases, and keeps the instances running for the duration of the backup or restore process. Workers are deployed based on worker configurations that can be created either automatically by Veeam Backup for Microsoft Azure, or manually by the user as described in Managing Workers. Veeam Backup for Microsoft Azure launches one worker instance per each Azure VM and Azure SQL database specified in a backup policy or restore task. Each worker can process data of only one Azure VM or SQL database at a time. If the number of VMs and databases that must be processed exceeds the maximum number of workers specified in the worker configuration, the VMs and databases exceeding this limit will be queued.
To minimize cross-region traffic charges, depending on the data protection and disaster recovery operation, Veeam Backup for Microsoft Azure launches a worker instance in the following location:
Operation | Worker Instance Location | Default Worker Instance Size |
---|---|---|
Creating backups of Azure VMs | Azure region in which a backup repository storing backed-up data resides | Standard_F2s_v2, 2 CPU, 4 GB RAM |
Creating backups of SQL databases | Azure region in which a SQL Server hosting the processed database resides | |
Creating archived backups of Azure VMs | Azure region in which an archive backup repository storing backed-up data resides | Standard_E2_v4, 2 CPU 16 GB RAM |
Creating archived backups of SQL databases | Azure region in which a SQL Server hosting the processed database resides | |
Azure VM and SQL database restore | Azure region where the restored Azure VM or SQL server hosting the restored database resides | Standard_F2s_v2, 2 CPU, 4 GB RAM |
Volume-level restore | Azure region where the restored virtual disk resides | |
File-level restore from cloud-native snapshots | Azure region in which а cloud-native snapshot resides | |
File-level restore from image-level backups | Azure region in which a backup repository storing backed-up data resides |
A worker instance uses the following services:
- Veeam Data Mover — the service that performs data processing tasks. During backup, the Veeam Data Mover service retrieves data from snapshots and stores the retrieved data to backup repositories. During restore, the Veeam Data Mover transfers backed-up data from backup repositories to the target location.
- File Level Recovery for Veeam Backup Browser — the web service that allows you to find and save files and folders of a backed-up Azure VM to a local machine. The File Level Recovery for Veeam Backup browser is installed automatically on every worker instance that is launched for file-level recovery.
For more information on recovering files of Azure VMs using the File Level Recovery for Veeam Backup browser, see Performing File-Level Recovery.
Note |
By design, Veeam Backup for Microsoft Azure installs the unattended-upgrades package on every deployed worker instance. This package automatically sends requests to the Ubuntu Security Update repository (security.ubuntu.com) to get and install security updates on the worker instance. Due to technical limitations, you can neither configure nor disable these updates in the current version of Veeam Backup for Microsoft Azure. |
Security Certificates for Worker Instances
Veeam Backup for Microsoft Azure uses self-signed TLS certificates to establish secure communication between the web browser on a local machine and the File Level Recovery for Veeam Backup browser running on a worker instance during the file-level recovery process. A self-signed certificate is generated automatically on the worker instance when the recovery session starts.
Requirements for Worker Instances
For every Azure region where worker instances will be launched, you must specify a virtual network, subnet and a security group to which the worker instances must be connected. Otherwise, Veeam Backup for Microsoft Azure will be able neither to launch worker instances nor to perform the required data protection and disaster recovery operations.
To learn how to configure network settings for worker instances, see Adding Worker Configuration.