=============== LIBRARY RULES =============== From library maintainers: - This is unofficial documentation - always verify against official Veeam Help Center # Veeam Backup for Microsoft Azure Veeam Backup for Microsoft Azure is an enterprise data protection solution that enables comprehensive backup and recovery of Azure resources including virtual machines, Azure SQL databases, Cosmos DB accounts, Azure file shares, and virtual network configurations. The solution integrates with Veeam Backup & Replication through a dedicated plug-in and deploys backup appliances directly within Azure subscriptions to perform cloud-native data protection operations with minimal cross-region data transfer. The architecture consists of a backup server running Veeam Backup & Replication, backup appliances deployed as Azure VMs, worker instances for data processing, and backup repositories stored in Azure Blob Storage. Service accounts with appropriate Azure permissions enable the solution to enumerate resources, create snapshots and backups, manage worker instances, and perform restore operations across subscriptions and regions. ## Deploying Backup Appliance Deploy a Veeam Backup for Microsoft Azure appliance from the Veeam Backup & Replication console to enable Azure resource protection. The deployment creates an Azure VM with all required components. ```bash # Deployment process overview (performed via VBR console wizard): # 1. Launch New Veeam Backup for Microsoft Azure appliance wizard # 2. Choose deployment mode (Standard or Custom) # 3. Specify service account settings with Azure credentials # 4. Select Azure subscription for appliance deployment # 5. Configure VM name, size, and resource group # 6. Select connection type (Public IP or Private) # 7. Configure network settings (VNet, subnet, NSG) # 8. Set admin credentials for the appliance # The wizard deploys: # - Ubuntu 22.04 LTS Azure VM # - Veeam Backup for Microsoft Azure software # - Default service account with required permissions # - Network configuration for data transfer # Access the deployed appliance Web UI: # https:// # or via VBR console: Home > Backup Infrastructure > Managed Servers ``` ## Adding Service Accounts Service accounts authenticate Veeam Backup for Microsoft Azure to Azure resources and define operational permissions for backup and restore tasks. ```bash # Service Account Configuration (via Web UI): # Navigate to: Configuration > Accounts > Add # Account Types: # 1. Automatic - Veeam creates and manages Microsoft Entra application # 2. Existing Application - Use pre-configured Microsoft Entra app # Required Azure Permissions for service accounts: # - Microsoft.Compute/virtualMachines/* (VM operations) # - Microsoft.Compute/disks/* (disk management) # - Microsoft.Compute/snapshots/* (snapshot operations) # - Microsoft.Storage/storageAccounts/* (repository access) # - Microsoft.Network/* (network configuration) # - Microsoft.Sql/* (SQL database operations) # - Microsoft.DocumentDB/* (Cosmos DB operations) # Assign operational roles: # - Azure VMs Snapshot and Backup # - Azure SQL Backup # - Cosmos DB Backup # - Azure Files Backup # - Repository Management # - Worker Management # Verify permissions after adding: # Configuration > Accounts > Select account > Check Permissions ``` ## Creating VM Backup Policies Backup policies define automated schedules, retention settings, and target resources for Azure VM protection using cloud-native snapshots and image-level backups. ```bash # Create VM Backup Policy (via Web UI): # Navigate to: Policies > Add > Virtual Machines # Step 1: Policy Info # Name: "Production-VMs-Daily" # Description: "Daily backup of production workloads" # Step 2: Sources Configuration # Account: Select service account with VM permissions # Regions: ["East US", "West US 2"] # Resources: # - All resources (auto-discover new VMs) # - OR specific: Subscription, Resource Group, Tag, or VM # Step 3: Schedule Types # Daily Schedule: # Run every: 4 hours # Start time: 00:00 # Days: All days # Retention: 7 restore points # Weekly Schedule: # Run on: Sunday at 23:00 # Retention: 4 restore points # Monthly Schedule: # Run on: First Sunday at 23:00 # Retention: 12 restore points # Step 4: Targets # Snapshots: Enable (stored in same region as VM) # Backups: Enable # Repository: "prod-backup-repo" # Copy to archive: After 30 days # Step 5: Guest Processing (optional) # Application-aware processing: Enable for SQL/Exchange VMs # Guest OS credentials: Specify for file indexing # Enable policy after creation ``` ## Configuring Backup Repositories Backup repositories store image-level backups in Azure Blob Storage containers with support for encryption, immutability, and tiered storage. ```bash # Add Backup Repository (via Web UI): # Navigate to: Configuration > Repositories > Add # Step 1: Repository Settings # Name: "prod-backup-repo" # Description: "Production VM backups" # Step 2: Container Configuration # Service Account: Select account with Repository Management role # Storage Account: "vaboreprodeastus" # Container: "veeam-backups" # Folder: Create new "production-vms" # Step 3: Storage Tier Selection # Hot: Frequent access, higher cost # Cool: 30+ day retention, lower cost # Archive: 180+ day retention, lowest cost (retrieval required) # Inferred: Use storage account default tier # Step 4: Encryption (optional) # Enable encryption: Yes # Password: # Key derivation: AES-256 # Step 5: Immutability Settings # Enable immutability: Yes (requires blob versioning enabled) # Retention period: 30 days minimum # Supported Storage Account Types: # - General-purpose V2 (Standard): Hot, Cool, Archive # - BlobStorage (Standard): Hot, Cool, Archive # Note: Blob soft delete must be DISABLED for Veeam repositories ``` ## Creating Manual VM Snapshots Create on-demand cloud-native snapshots of Azure VMs outside of scheduled backup policies for immediate protection. ```bash # Manual Snapshot Creation (via Web UI): # Navigate to: Resources > Virtual Machines # Step 1: Select VM # Check box next to target VM(s) # Click: Take Snapshot Now # Step 2: Service Account # Select account with snapshot permissions for the VM's subscription # Step 3: Snapshot Options # Tags Configuration: # Copy tags from source volumes: Enable/Disable # Add custom tags: # Key: "backup-type", Value: "manual" # Key: "created-by", Value: "admin" # Step 4: Summary # Review configuration # Option: "Open Session Log after wizard closes" # Click: Finish # Snapshots are stored in the same Azure region as the source VM # Manual snapshots are NOT included in policy retention chains # Must be removed manually via: Resources > Virtual Machines > Manage Snapshots ``` ## Restoring Entire VMs Restore complete Azure VMs from cloud-native snapshots or image-level backups to original or new locations. ```bash # VM Restore Wizard (via Web UI): # Navigate to: Protected Data > Virtual Machines > Select VM > Restore > Entire VM # Step 1: Restore Point Selection # Choose from available restore points: # - Snapshot (fastest, regional) # - Backup (cross-region capable) # - Archive (requires data retrieval first) # Step 2: Service Account # Select account with restore permissions in target subscription # Step 3: Restore Mode # - Restore to original location (overwrites existing) # - Restore to new location (specify new settings) # Step 4: VM Settings (for new location) # Subscription: "Production-Subscription" # Resource Group: "restored-vms-rg" # VM Name: "web-server-restored" # VM Size: "Standard_D4s_v3" # Availability: Zone 1 / Availability Set / None # Step 5: Disk Configuration # OS Disk: "web-server-restored-osdisk" # Data Disks: Rename as needed # Storage Type: Premium SSD / Standard SSD / Standard HDD # Step 6: Network Settings # Virtual Network: "prod-vnet" # Subnet: "web-tier-subnet" # Public IP: Create new / Use existing / None # Network Security Group: "web-nsg" # Step 7: Restore Reason # Reason: "DR test - quarterly validation" # Click: Finish to start restore # Monitor: Session Logs for progress ``` ## Performing File-Level Recovery Recover individual files and folders from VM backups using the browser-based file-level recovery interface. ```bash # File-Level Recovery (via Web UI): # Navigate to: Protected Data > Virtual Machines > Select VM > Restore > File-Level Recovery # Step 1: Restore Point Selection # Select snapshot or backup restore point # Note: Archive backups must be retrieved first # Step 2: Recovery Settings # Worker Instance Region: Auto-select or specify # Worker Configuration: Default or custom profile # Step 3: Start Recovery Session # Click: Start Session # Wait for worker instance deployment (2-5 minutes) # Step 4: File Browser Interface # Browser opens automatically to file recovery portal # Navigate directory structure: # /C:/Users/admin/Documents/ # /D:/Data/Application/ # Recovery Options: # - Download: Save files to local machine # - Restore to Original: Write back to source VM (Windows 2016+, Linux with systemd) # Supported File Systems: # FAT, FAT32, NTFS, ext2, ext3, ext4, XFS, Btrfs # Step 5: Stop Recovery Session # Important: Stop session when complete to release worker instance # Navigate to: Sessions > Active Sessions > Stop ``` ## Restoring Azure SQL Databases Restore Azure SQL databases from backups to original SQL servers or new locations with point-in-time recovery options. ```bash # SQL Database Restore (via Web UI): # Navigate to: Protected Data > Azure SQL > Select Database > Restore # Via VBR Console: # Home > Backups > External Repository > Expand Policy > Select DB # Right-click > Restore to Microsoft Azure SQL # Step 1: Database Selection # Source Database: "production-db" # Restore Point: Select from available backups # Step 2: Restore Mode # - Restore to original location # - Restore to new location # Step 3: Target Configuration (new location) # Subscription: "Production-Subscription" # SQL Server: "sql-server-prod.database.windows.net" # Database Name: "production-db-restored" # Service Tier: S3 Standard / P1 Premium / etc. # Step 4: Elastic Pool (optional) # Add to elastic pool: Yes/No # Pool: "prod-elastic-pool" # Step 5: Restore Reason # Reason: "Data corruption recovery" # Click: Restore to initiate # Monitor progress in Session Logs # Supported SQL Database Types: # - Azure SQL Database (Single Database) # - Azure SQL Managed Instance ``` ## Configuring Worker Instances Worker instances are temporary Azure VMs that process backup and restore workloads, automatically deployed based on configurations. ```bash # Worker Configuration (via Web UI): # Navigate to: Configuration > Workers > Configurations > Add # Network Configuration: # Region: "East US" # Virtual Network: "backup-vnet" # Subnet: "worker-subnet" # Network Security Group: "worker-nsg" (optional) # Worker Profile Settings: # Navigate to: Configuration > Workers > Profiles > Add # Profile Configuration: # Name: "high-performance" # VM Size: "Standard_E4_v5" (4 vCPU, 32 GB RAM) # Use for: Large VM backups, archive operations # Default Worker Sizes by Operation: # Image-level backup: Standard_F2s_v2 (2 vCPU, 4 GB) # Archive operations: Standard_E2_v5 (2 vCPU, 16 GB) # File indexing: Standard_F2s_v2 (2 vCPU, 4 GB) # Worker Lifecycle: # - Auto-deployed when backup/restore starts # - Runs for duration of operation # - Auto-terminated when complete # - One worker per resource being processed ``` ## Backing Up Virtual Network Configurations Protect Azure virtual network configurations including VNets, subnets, NSGs, route tables, and peering connections. ```bash # VNet Backup Policy (via Web UI): # Navigate to: Policies > Add > Virtual Networks # Step 1: Policy Info # Name: "network-config-backup" # Description: "Weekly network configuration backup" # Step 2: Sources # Service Account: Select with VNet permissions # Subscriptions: Select subscriptions to protect # Protected Components: # - Virtual Networks # - Subnets # - IP Configurations # - Network Security Groups # - Route Tables # - Network Interfaces # - Virtual Network Peerings # Step 3: Schedule # Run: Weekly on Sunday at 02:00 # Retention: 12 restore points # VNet backups stored in Veeam appliance database # Use for DR scenarios requiring network rebuild ``` ## Restoring Virtual Network Configurations Restore entire virtual network configurations or individual components from VNet backups. ```bash # VNet Restore (via Web UI): # Navigate to: Protected Data > Virtual Networks > Select Configuration > Restore # Restore Types: # 1. Entire Virtual Network Restore # - Restores complete VNet with all components # - Original or new location # 2. Granular Component Restore # - Select specific NSGs, route tables, subnets # - Apply to existing or new VNets # Restore Wizard Steps: # Step 1: Select restore point # Step 2: Choose service account # Step 3: Select restore mode # - Original location (update existing) # - New location (create new resources) # Step 4: Zone mapping (if cross-region) # Step 5: Specify restore reason # Step 6: Review and execute # Compare Configurations: # Navigate to: Protected Data > Virtual Networks > Compare # Select two restore points to view differences ``` ## Managing Backup Policy Operations Control backup policy execution with start, stop, enable, and disable operations. ```bash # Policy Management (via Web UI): # Navigate to: Policies > Select Policy # Start Policy Manually: # Click: Start # Options: Run all schedules / Run specific schedule # Stop Running Policy: # Click: Stop # Confirm termination of active sessions # Enable/Disable Policy: # Right-click > Enable/Disable # Disabled policies retain configuration but don't run # Edit Policy: # Click: Edit # Modify sources, schedules, targets, settings # Save changes # Delete Policy: # Right-click > Delete # Warning: Does not delete existing backups # Export/Import Policies: # Export: Policies > Select > Export (JSON format) # Import: Policies > Import > Select JSON file # Via VBR Console: # Home > Jobs > Backup > Select Azure Policy # Right-click for Start/Stop/Enable/Disable options ``` ## Cosmos DB Backup and Restore Protect Cosmos DB accounts using native Azure continuous backup or Veeam repository backups for PostgreSQL and MongoDB APIs. ```bash # Cosmos DB Backup Policy (via Web UI): # Navigate to: Policies > Add > Cosmos DB # Backup Methods: # 1. Point-in-time Restore (Native Azure) # - Uses Azure continuous backup feature # - 7-30 day retention (Azure-managed) # - Granular timestamp recovery # 2. Repository Backup (Veeam) # - Cosmos DB for PostgreSQL # - Cosmos DB for MongoDB # - Stored as dump files in Veeam format # Policy Configuration: # Name: "cosmosdb-backup-policy" # Service Account: Account with Cosmos DB permissions # Accounts: Select Cosmos DB accounts by region/tag # Schedule: Daily at 01:00 # Retention: 14 restore points # Cosmos DB Restore (via Web UI): # Navigate to: Protected Data > Cosmos DB > Select Account > Restore # Restore Options: # - Point-in-time restore (from Azure continuous backup) # - Repository restore (from Veeam backup) # - Original or new account ``` ## Summary Veeam Backup for Microsoft Azure provides enterprise-grade data protection for Azure workloads through a unified management interface accessible via the Veeam Backup & Replication console or the backup appliance Web UI. The solution supports comprehensive backup scenarios including VM image-level backups with application-aware processing, Azure SQL database protection, Cosmos DB account backup, file share snapshots, and virtual network configuration preservation. Key capabilities include tiered storage with automatic archiving, backup encryption with immutability for ransomware protection, and flexible restore options ranging from full VM recovery to granular file-level restoration. Integration patterns center on deploying backup appliances within target Azure subscriptions, configuring service accounts with appropriate Azure RBAC permissions, and establishing backup repositories in Azure Blob Storage. Organizations typically implement backup policies aligned with RPO/RTO requirements using daily, weekly, monthly, and yearly schedules with corresponding retention periods. Cross-region disaster recovery is supported through repository-based backups, while instant recovery enables rapid restoration to on-premises VMware, Hyper-V, or Nutanix environments. The worker instance architecture ensures efficient data transfer by processing workloads in the same Azure region as source resources, minimizing egress costs and maximizing backup performance.