- Encrypt email in Outlook with Microsoft 365 - Tue, Dec 6 2022
- Restricting registration to Azure AD MFA from trusted locations with Conditional Access policy - Thu, Nov 24 2022
- Azure AD MFA with number matching and temporary access passes - Tue, Nov 22 2022
We wanted to host our own CSP infrastructure, and choosing Azure as our platform fitted in nicely with the rest of our offerings. As it happens, Veeam has put a virtual machine (VM) template into the Azure marketplace preconfigured with the CSP components.
You will need Veeam CSP licensing from your rep before you can configure the VM.
To follow me through this article, I am assuming you already have an active Azure subscription. If not, you will need to sign up for one.
From the Azure portal, go to All Resources and search for Veeam. Find Veeam Cloud Connect for Service Providers and then click on Create.
You will need to specify some settings for your VM:
- A resource group
- VM name
In addition, you'll need an:
- Administrator username
- Administrator password
On the next page, you will add your disks. I am adding a 1 TB standard HDD managed disk.
On the next page, you can add a network interface. You can leave this on the defaults for now.
Click Next to configure Management, setting Auto-Shutdown to Off.
On Guest config, I am leaving everything on default.
On the Tags page, I am adding a tag called Service and using it to tag all created resources as Veeam. This helps identify the created resources for billing.
On the summary page, you will need to enter some contact details, and then you can click on Create to begin deploying your VM.
Once the deployment is complete, click on Go to resource, and it will take you to your VM. If you click on Connect, you can start a Remote Desktop Connection to the VM.
Once logged into your VM, you need to format your data disk.
Open Disk Management, mark the disk as online, and then initialize the disk. When formatting the partition, I chose the ReFS file system and 64k clusters instead of the default.
You will notice the Welcome to Veeam Cloud Connect dialog box. This is where we need to enter our CSP license file. If you still don't have one, you can click the box to say you don't have one, and then click Next and follow the links to request one.
If you do have one, Browse to your license file and click Next.
Review the license agreement and click Next if you agree.
The Before You Start page gives you some instructions. You can familiarize yourself with these, but the deployment wizard has already completed some of them.
Open Veeam Backup & Replication. In the main window, click Backup Repositories. In the ribbon, click Add Repository.
I am naming it after the data disk logical unit number (LUN) connection it is attached to the VM on, selecting Windows Server on the next page. On the following page, we can choose the path to store our repository on. If you click Populate, it will show the disks available. Click Next.
Enter the path to your repository. I created a folder on F: to match the name of the repository I am adding.
You can accept the defaults for the rest of the wizard, including for vPower Network File System (NFS).
On the summary page, click Apply.
Now switch to the Cloud Connect section of Veeam in the menu bar on the left.
By default it installs a self-signed certificate on the cloud gateway, as your tenant computer will need to trust your Veeam CSP. I am replacing this with a certificate I have purchased.
Click on Manage Certificates.
Click on Import certificate from a file and then click on Yes in the message box about gateways.
Browse for your .pfx file and enter the password to complete the installation.
Next, we will add a tenant.
Under Tenants, on the ribbon click Add Tenant.
Enter a username for the tenant and a password, or click Generate New to have Veeam create a password for you.
On the next page, we can set how many tasks they can run concurrently and limit their bandwidth if we want to.
On the next page, we can link the tenant to a repository. Click Add to create a new cloud repository.
We can give the cloud repository a friendly name and a quota. We can also set deleted item retention on this repository. Use the drop-down list to link this to the backup repository we created earlier.
Click on Apply and Finish.
Go to Cloud Gateways and go to the properties of your Veeam CSP cloud gateway. Here you can adjust the external port, and on the networking page, you can adjust the public DNS name. This should match the name of the certificate we installed earlier.
This is enough to get us up and running and receiving backups from our tenant.
My tenant is running a single Hyper-V server with three guest machines.
Inside the Veeam console, go to Backup Infrastructure and Service Providers.
On the ribbon, click Add Service Provider.
Enter the public DNS name of your Veeam CSP. Click Next.
Enter the credentials we created for our tenant.
Review the summary information and follow the prompts to complete the Service Provider wizard.
We can now adjust our existing backup jobs to send backups to our CSP or create new jobs to go to the CSP. Take care to consider how backing up to the CSP may affect your recovery time objective (RTO) or recovery point objective (RPO).
You should protect backups sent to the CSP with an encryption password set in the advanced settings of your backup job on the Storage tab.
At this point, you have a working CSP, but of course there is much to do to take this from a proof-of-concept system running on a basic Azure VM to being able to support your client base or own internal servers in production or booting replica VMs in Azure.
For example, you can use your Azure network security group to lock down Remote Desktop Protocol (RDP) Access and limit access to port 6080 for only tenant connections. You can also set up redundancy for your VM and storage in Azure.
Subscribe to 4sysops newsletter!
You can read more about the Veeam Cloud Connect Infrastructure in the Veeam Help Center.