Considerations and Limitations

When you plan to deploy and configure Veeam Backup for Microsoft Azure, keep in mind the following limitations and considerations.

Hardware

Component	Recommended Azure VM size
Backup appliance	Standard_B2s with 2 CPUs and 4 GB RAM Standard_B2ms with 2 CPUs and 8 GB RAM
Worker instances	Standard_F2s_v2 with 2 CPUs and 4 GB RAM for regular backup Standard_E2_v5 with 2 CPUs and 16 GB RAM for archived backup

For more information on Azure VM sizes, see Microsoft Docs.

Software

To access Veeam Backup for Microsoft Azure, use Microsoft Edge (latest version), Mozilla Firefox (latest version) or Google Chrome (latest version). Internet Explorer is not supported.

Security Certificates

Veeam Backup for Microsoft Azure supports certificates in the formats .PFX and .P12.

Backup Repositories

Before you start managing backup repositories, consider the following:

Veeam Backup for Microsoft Azure does not support creation of backup repositories in storage accounts with the Azure Data Lake Storage Gen2 hierarchical namespace enabled.
Veeam Backup for Microsoft Azure does not support creation of backup repositories in storage accounts with the container soft delete option enabled.
Veeam Backup for Microsoft Azure does not support creation of backup repositories in storage accounts with the blob soft delete option enabled.
Due to Microsoft Azure limitations, Veeam Backup for Microsoft Azure does not support creation of archive repositories in storage accounts with the Zone-redundant storage (ZRS), Geo-zone-redundant storage (GZRS) or Read-access geo-zone-redundant storage (RA-GZRS) redundancy option enabled. For more information, see Microsoft Docs.
Veeam Backup for Microsoft Azure does not support copying backup data from one Azure blob container to another using Microsoft Azure tools and adding the new container as a repository.

One backup repository must not be managed by multiple backup appliances simultaneously. Retention sessions running on different backup appliances may corrupt backups stored in the repository, which may result in unpredictable data loss.
Since Veeam Backup for Microsoft Azure runs retention sessions at 12:15 AM according to the time zone set on the backup appliance, it is not recommended that you schedule backup policies to execute at 12:15 AM. Otherwise, Veeam Backup for Microsoft Azure will not be able to run retention sessions.

Network Settings for Worker Instances

Before you start adding worker configurations, consider the following:

A virtual network service endpoint (routing) for the Microsoft.Storage.Global service must be configured for virtual networks to which worker instances will be connected — you can either configure the endpoint manually in Microsoft Azure beforehand or let Veeam Backup for Microsoft Azure do it for you automatically while deploying the worker instances. To learn how to configure virtual network service endpoints manually, see Microsoft Docs.
A subnet to which worker instances will be connected must have at least one free IP address in the subnet range — Veeam Backup for Microsoft Azure will be able to launch and simultaneously run as many worker instances as many free IP addresses there are in the subnet range.
By default, worker instances use public endpoints to connect to Azure SQL Managed Instances through port 3342. If a worker tries to connect to an Azure SQL Managed Instance and public endpoints are disabled for this instance, the worker will use a private endpoint to connect to the instance through port 1433 instead. However, for the worker to be able to establish the connection, virtual networks to which the worker and the Azure SQL Managed Instance are connected must be peered in the Microsoft Azure portal. To learn how to peer virtual networks, see Microsoft Docs.

For more information on worker configurations, see Configuring Worker Instances.

Backup

Before you start protecting Azure resources, consider the following:

Health check cannot be performed for encrypted backups with missing metadata files, or for backups with corrupted metadata files.
Veeam Backup for Microsoft Azure does not support restore to the original location of locked Azure VMs and Azure virtual disks. For more information on the lock feature, see Microsoft Docs.
When Veeam Backup for Microsoft Azure backs up Azure VMs with IPv6 addresses assigned, it does not save the addresses. That is why if you plan to restore these VMs, you will have to assign IPv6 addresses to the restored VMs manually in the Microsoft Azure portal after the restore process completes.
Veeam Backup for Microsoft Azure does not support backup of databases hosted by Azure Arc-enabled SQL Managed Instances and SQL Servers on Azure Arc-enabled servers.
Veeam Backup for Microsoft Azure uses BACPAC files to back up SQL databases. BACPAC export of databases with external references is not supported. That is why if a SQL database was migrated to an Azure SQL Database Server or Azure SQL Managed Instance, make sure to clear legacy references, orphaned database users and credentials set up with authentication types not supported by Azure SQL, to avoid BACPAC export errors.
Veeam Backup for Microsoft Azure does not support adding of Azure SQL Server accounts using Azure Active Directory authentication. To add an Azure SQL Server account, you must specify credentials of a SQL Server Admin account.
Due to Microsoft Azure limitations, Veeam Backup for Microsoft Azure does not support backup of NFS Azure file shares. For more information on Azure file share snapshots, see Microsoft Docs.
If you delete a file share from Microsoft Azure, the snapshots of this file share will be deleted as well. To protect your snapshots from accidental deletion, you can use the file share soft delete option. For more information on the soft delete option for Azure file shares, see Microsoft Docs.
When performing indexing operations, Veeam Backup for Microsoft Azure uses the Server Message Block (SMB) 3.0 and New Technology LAN Manager (NTLM) v2 protocols to authenticate against the processed file shares. That is why authentication using these protocols must be enabled on the file shares that you plan to index. Otherwise, indexing of the file shares will fail. For more information on Azure Files identity-based authentication options for SMB access, see Microsoft Docs.
Veeam Backup Enterprise Manager does not support management of backup policies created in Veeam Backup for Microsoft Azure.
From backups stored in archive repositories, Veeam Backup for Microsoft Azure supports only entire VM restore to Microsoft Azure.

Restore

Before you start restoring Azure resources, consider the following:

When restoring virtual disks of an Azure VM to a new location from a cloud-native snapshot or image-level backup, Veeam Backup for Microsoft Azure does not attach the restored virtual disks to any Azure VM — the disks are placed to the specified location as standalone virtual disks.
Restore of files and folders is supported for the following file systems only: FAT, FAT32, NTFS, ext2, ext3, ext4, XFS, Btrfs.
Veeam Backup for Microsoft Azure supports file-level recovery for Microsoft Windows basic volumes only. If you use Windows Storage Spaces to store data, restore an entire Azure VM to get access to your files and folders. For more information on Storage Spaces, see Microsoft Docs.

Immutability

Consider that you cannot perform the following operations with image-level backups and archived backups stored in repositories with immutability enabled:

You cannot remove data manually using the Veeam Backup for Microsoft Azure Web UI, as described in sections Removing VM Backups and Snapshots and Removing SQL Backups.
You can neither remove data from Microsoft Azure using any cloud service provider tools nor request the technical support department to do it for you — none of the protected objects can be overwritten or deleted by any user, including the Global Administrator in your Azure Active Directory.

Azure Disk Encryption

Azure Disk Encryption is supported with the following limitations:

Backup and restore operations are supported within one Azure region only. If you choose to back up or restore your data to another region, you must first migrate to the target region all Azure key vaults, cryptographic keys and secrets used to encrypt the source Azure resources, as described in Microsoft Docs.
File-level recovery is not supported for VMs whose virtual disks are encrypted using Azure Disk Encryption. That is, you cannot restore and browse guest OS files on disks encrypted by BitLocker for Windows-based Azure VMs, by DM-Crypt for Linux-based Azure VMs, as well as by any custom disk encryption tools.

For more information on Azure Disk Encryption, see Microsoft Docs.