Considerations and Limitations

When you plan to deploy and configure Veeam Backup for Microsoft Azure, keep in mind the following limitations and considerations.

Hardware

Component

Recommended Azure VM size

Backup appliance

  • Standard_B2s with 2 CPUs and 4 GB RAM
  • Standard_B2ms with 2 CPUs and 8 GB RAM

Worker instances

  • Standard_F2s_v2 with 2 CPUs and 4 GB RAM for regular backup
  • Standard_E2_v5 with 2 CPUs and 16 GB RAM for archived backup

For more information on Azure VM sizes, see Microsoft Docs.

Software

To access Veeam Backup for Microsoft Azure, use Microsoft Edge (latest version), Mozilla Firefox (latest version) or Google Chrome (latest version). Internet Explorer is not supported.

Security Certificates

Veeam Backup for Microsoft Azure supports certificates in the formats .PFX and .P12.

Backup Appliances

Before you start deploying backup appliances, consider the following:

  • Microsoft Azure Plug-in for Veeam Backup & Replication does not support deployment of backup appliances using Microsoft Azure compute accounts registered in China. For more information, see Microsoft Docs.

Backup Repositories

Before you start managing backup repositories, consider the following:

  • Veeam Backup for Microsoft Azure does not support creation of backup repositories in storage accounts with the Azure Data Lake Storage Gen2 hierarchical namespace enabled.
  • Veeam Backup for Microsoft Azure does not support creation of backup repositories in storage accounts with the container soft delete option enabled.
  • Veeam Backup for Microsoft Azure does not support creation of backup repositories in storage accounts with the blob soft delete option enabled.
  • Due to Microsoft Azure limitations, Veeam Backup for Microsoft Azure does not support creation of archive repositories in storage accounts with the Zone-redundant storage (ZRS), Geo-zone-redundant storage (GZRS) or Read-access geo-zone-redundant storage (RA-GZRS) redundancy option enabled. For more information, see Microsoft Docs.
  • Veeam Backup for Microsoft Azure does not support copying backup data from one Azure blob container to another using Microsoft Azure tools and adding the new container as a repository.
  • One backup repository must not be managed by multiple backup appliances simultaneously. Retention sessions running on different backup appliances may corrupt backups stored in the repository, which may result in unpredictable data loss.
  • It is recommended that you use a dedicated storage account for backup repositories where Veeam Backup for Microsoft Azure will store backed-up data. Otherwise, Veeam Backup for Microsoft Azure may fail to recover the data due to folder synchronization issues.
  • Since Veeam Backup for Microsoft Azure runs retention sessions at 12:15 AM according to the time zone set on the backup appliance, it is not recommended that you schedule backup policies to execute at 12:15 AM. Otherwise, Veeam Backup for Microsoft Azure will not be able to run retention sessions.

Network Settings for Worker Instances

Before you start adding worker configurations, consider the following:

  • A virtual network service endpoint (routing) for the Microsoft.Storage.Global service must be configured for virtual networks to which worker instances will be connected — you can either configure the endpoint manually in Microsoft Azure beforehand or let Veeam Backup for Microsoft Azure do it for you automatically while deploying the worker instances. To learn how to configure virtual network service endpoints manually, see Microsoft Docs.
  • A subnet to which worker instances will be connected must have at least one free IP address in the subnet range — Veeam Backup for Microsoft Azure will be able to launch and simultaneously run as many worker instances as many free IP addresses there are in the subnet range.
  • By default, worker instances use public endpoints to connect to Azure SQL Managed Instances through port 3342. If a worker tries to connect to an Azure SQL Managed Instance and public endpoints are disabled for this instance, the worker will use a private endpoint to connect to the instance through port 1433 instead. However, for the worker to be able to establish the connection, virtual networks to which the worker and the Azure SQL Managed Instance are connected must be peered in the Microsoft Azure portal. To learn how to peer virtual networks, see Microsoft Docs.
  • For each automatically created worker configuration, Veeam Backup for Microsoft Azure creates a virtual network, a subnet and a network security group.
  • It is not recommended that you manually change settings of automatically created configurations. If you want to use a specific worker configuration, add it manually as described in section Adding Worker Configurations.

For more information on worker configurations, see Managing Worker Instances.

Backup

Before you start protecting Azure resources, consider the following:

  • Health check cannot be performed for encrypted backups with missing metadata files, or for backups with corrupted metadata files.
  • Veeam Backup for Microsoft Azure does not support restore to the original location of locked Azure VMs and Azure virtual disks. For more information on the lock feature, see Microsoft Docs.
  • When Veeam Backup for Microsoft Azure backs up Azure VMs with IPv6 addresses assigned, it does not save the addresses. That is why if you plan to restore these VMs, you will have to assign IPv6 addresses to the restored VMs manually in the Microsoft Azure portal after the restore process completes.
  • From backups stored in archive repositories, Veeam Backup for Microsoft Azure supports only entire VM restore to Microsoft Azure.
  • Due to Microsoft Azure limitations, you can apply up to 50 tags directly to a subscription. That is why Veeam Backup for Microsoft Azure is able to create a snapshot only if the tag limit is not reached for the subscription to which the processed Azure VM belongs. If the limit is reached, the operation will fail with a serialization error. For more information on subscription limits, see Microsoft Docs.
  • Veeam Backup for Microsoft Azure does not support backup of databases hosted by Azure Arc-enabled SQL Managed Instances and SQL Servers on Azure Arc-enabled servers.
  • Veeam Backup for Microsoft Azure uses BACPAC files to back up SQL databases. BACPAC export of databases with external references is not supported. That is why if a SQL database was migrated to an Azure SQL Database Server or Azure SQL Managed Instance, make sure to clear legacy references, orphaned database users and credentials set up with authentication types not supported by Azure SQL, to avoid BACPAC export errors.
  • Veeam Backup for Microsoft Azure does not support adding of Azure SQL Server accounts using Microsoft Entra ID authentication. To add an Azure SQL Server account, you must specify credentials of a SQL Server Admin account.
  • Veeam Backup for Microsoft Azure allows you to protect only Cosmos DB accounts created using the following APIs: NoSQL, MongoDB RU-based, Apache Gremlin, Table and PostgreSQL.
  • Veeam Backup for Microsoft Azure does not support backup of Cosmos DB accounts that have periodic backup or multi-region writes enabled.
  • Due to Microsoft Azure limitations, Veeam Backup for Microsoft Azure does not support restore of Cosmos DB accounts encrypted using customer-managed keys. For more information, see Microsoft Docs.
  • Due to Microsoft Azure limitations, Veeam Backup for Microsoft Azure does not support backup of NFS Azure file shares. For more information on Azure file share snapshots, see Microsoft Docs.
  • If you delete a file share from Microsoft Azure, the snapshots of this file share will be deleted as well. To protect your snapshots from accidental deletion, you can use the file share soft delete option. For more information on the soft delete option for Azure file shares, see Microsoft Docs.
  • When performing indexing operations, Veeam Backup for Microsoft Azure uses the Server Message Block (SMB) 3.0 and New Technology LAN Manager (NTLM) v2 protocols to authenticate against the processed file shares. That is why authentication using these protocols must be enabled on the file shares that you plan to index. Otherwise, indexing of the file shares will fail. For more information on Azure Files identity-based authentication options for SMB access, see Microsoft Docs.
  • Veeam Backup Enterprise Manager does not support management of backup policies created in Veeam Backup for Microsoft Azure.
  • If you choose to back up Azure resources that are managed by specific subscriptions, belong to specific resource groups or have specific tags assigned, it may take up to 24 hours for Veeam Backup for Microsoft Azure to detect resources that either are newly deployed in the specified subscriptions and resource groups or recently have the specified tags assigned. To speed up this process and update the backup scope list, rescan the resources as described in section Performing Backup.

Restore

Before you start restoring Azure resources, consider the following:

  • When restoring virtual disks of an Azure VM to a new location from a cloud-native snapshot or image-level backup, Veeam Backup for Microsoft Azure does not attach the restored virtual disks to any Azure VM — the disks are placed to the specified location as standalone virtual disks.
  • Restore of files and folders is supported for the following file systems only: FAT, FAT32, NTFS, ext2, ext3, ext4, XFS, Btrfs.
  • Veeam Backup for Microsoft Azure supports file-level recovery for Microsoft Windows basic volumes only. If you use Windows Storage Spaces to store data, restore an entire Azure VM to get access to your files and folders. For more information on Storage Spaces, see Microsoft Docs.

Immutability

Consider that you cannot perform the following operations with image-level backups and archived backups stored in repositories with immutability enabled:

Azure Disk Encryption

Azure Disk Encryption is supported with the following limitations:

  • Backup and restore operations are supported within one Azure region only. If you choose to back up or restore your data to another region, you must first migrate to the target region all Azure key vaults, cryptographic keys and secrets used to encrypt the source Azure resources, as described in Microsoft Docs.
  • File-level recovery is not supported for VMs whose virtual disks are encrypted using Azure Disk Encryption. That is, you cannot restore and browse guest OS files on disks encrypted by BitLocker for Windows-based Azure VMs, by DM-Crypt for Linux-based Azure VMs, as well as by any custom disk encryption tools.

For more information on Azure Disk Encryption, see Microsoft Docs.