Restore backup to Azure
Veeam PN for Azure
Veeam PN is a free solution from Veeam. I use Veeam PN for more security, but it is not mandatory to restore VMs in Azure. It brings new features to the Veeam solution by allowing restoration in Azure or creation of a VPN connection. It can be used for the following purposes:
- Create a site-to-site VPN between the company office and Microsoft Azure to connect to VMs restored in Azure
- Create a point-to-site VPN between remote computers and Microsoft Azure to connect to VMs restored in Azure
- Allow a remote user to connect to the corporate network via Microsoft Azure
Veeam PN uses OpenVPN technology to connect the Azure network and the company network.
Site-to-Site VPN
A site-to-site VPN establishes a connection between the private network and the Azure network. It is therefore easier to position internal resources in Azure and make them available to the users. Traffic destined for the remote network is routed through a secure channel. The VPN is organized around a network hub, which is the core of the VPN infrastructure. It is responsible for traffic routing, encryption, authentication, … Veeam PN allows two deployment scenarios:
- Deployment of the network hub in Azure
- Deployment of the network hub on-premises
The network hub is one endpoint of the VPN tunnel; the other endpoint must also be created. To do this, a gateway must be deployed. This gateway is an appliance whose function is to establish a secure connection with the network hub.
Point-to-Site VPN
With this scenario, you can establish a secure connection between a computer and Azure. It is therefore possible to allow the connection of a single computer rather than an entire network. In this scenario, OpenVPN must be configured on the user's workstation.
System Requirements
If the network hub is installed in Azure, it requires an Azure VM:
- A1 minimum – 1 core, 1.75 GB of RAM and 70 GB of disk space.
If you choose to install it on-premises, you need a VMware vSphere ESXi host 5.0 or later. It requires:
- 1 GB of RAM, 3.9 GB of disk space for a thin-provisioned disk or 16 GB of disk space for a thick-provisioned disk.
You need to allow the following ports in your firewall:
- TCP/UDP 1194, from site gateways to the network hub. Allows the network hub to listen for connections from the site gateways.
- TCP/UDP 6179, from standalone computers to the network hub. Allows the network hub to listen for connections from standalone computers.
- HTTPS 443, from the browser to the network hub or site gateway. Used to communicate with the network hub or site gateway portal.
- SSH 22, from the client machine to the network hub or site gateway. Used as a control channel.
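The port list above can be checked against the inbound rules actually placed in front of the network hub. The following is an added example, not part of the original article or of Veeam's tooling; the rule dictionaries follow the shape of Azure NSG rule JSON (an assumption), and the sample rules and addresses are constructed.

```python
# Added example: audit inbound allow rules in front of the network hub against
# the port list in this article. Sample rules and addresses are constructed.
# Simplification: rule priority and Deny rules are not evaluated.

# port -> protocols listed in the article; one matching protocol counts as
# covered (assumption, since the article writes "TCP/UDP").
PORTS = {1194: {"Tcp", "Udp"}, 6179: {"Tcp", "Udp"}, 443: {"Tcp"}, 22: {"Tcp"}}
MGMT_PORTS = {22, 443}                      # portal and SSH control channel
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

def covers(port_range, port):
    """True if an NSG port spec ('*', '443' or '1000-2000') includes port."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def audit(rules):
    """Return a list of (finding, port, rule_name) tuples."""
    allow = [r for r in rules
             if r["direction"] == "Inbound" and r["access"] == "Allow"]
    findings = []
    for port, protos in sorted(PORTS.items()):
        hits = [r for r in allow
                if covers(r["destinationPortRange"], port)
                and (r["protocol"] == "*" or r["protocol"] in protos)]
        if not hits:
            findings.append(("missing", port, None))
        for r in hits:
            if port in MGMT_PORTS and r["sourceAddressPrefix"] in ANY_SOURCE:
                findings.append(("mgmt-open-to-any", port, r["name"]))
    for r in allow:  # allowed ports the article does not call for
        if not any(covers(r["destinationPortRange"], p) for p in PORTS):
            findings.append(("not-in-article", r["destinationPortRange"], r["name"]))
    return findings

def rule(name, proto, port, src):
    return {"name": name, "direction": "Inbound", "access": "Allow",
            "protocol": proto, "destinationPortRange": port,
            "sourceAddressPrefix": src}

SAMPLE = [rule("vpn-site", "Udp", "1194", "203.0.113.10"),
          rule("portal", "Tcp", "443", "*"),
          rule("ssh", "Tcp", "22", "203.0.113.10"),
          rule("rdp", "Tcp", "3389", "*")]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

When the point-to-site options are disabled, as in the Services step of this article, the missing 6179 finding is expected.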
Deploy Network hub
We will first deploy the network hub. The hub is the component that provides VPN connections. All traffic in the VPN is routed through the network hub. The network hub is deployed in Microsoft Azure. From the Azure portal, click on Create a resource.
Search for Veeam PN and click on the result.
Click on Create to create the resource.
Select the desired resource group or create a new one. If you select an existing resource group, this resource group must be empty. Select the Azure region and enter the name of the virtual machine. Configure the username and password and click on Next.
You can change the size of the VM and select the storage account. If you want, you can create a new one. Enter the desired domain name and click on Next.
Select the desired encryption key size then configure all information for the VPN. Click on Review + Create then on Create.
Deployment is in progress…
Configure Network Hub Settings
From the Azure portal, click on Virtual Machines, then on your virtual appliance.
Copy the public IP address of your VM. Open a browser on your computer and enter https://IPAdress to access the configuration page. Enter the username and password configured when you created the appliance.
A wizard appears; click on Next. You need to authenticate to Microsoft Azure Active Directory. To do this, click on the link (shown in the Azure Setup window) and enter the authentication code.
Click on Next then on Finish.
Configure Veeam PN Services
On the configuration portal, click on Settings, then on Services. Disable the point-to-site options.
Click on the VPN tab; all settings are already configured. Don't change anything.
With the Alerts tab, you can configure the desired alerts.
Click on the System tab, where you can start or stop the SSH service, configure autostart or back up the configuration.
Add new client
From the menu, click on Clients then on Add.
Select Entire site, then click on Next. All of my servers can use Veeam PN. I can filter and select only one computer.
Enter the desired name and the network address.
Click on Download Veeam PN open virtual appliance (OVA), then click on Finish.
A Veeam web site appears; click on the link to download the OVA file.
Import the OVA file on the ESXi host. Start the VM and copy its IP address.
Open a web browser and enter the address http://adresseIP. Replace adresseIP with the IP address of the appliance.
Enter the default credentials (root / VeeamPN) and click on Login. Enter the old password and the new password, then click on Change.
On the Initial Configuration window, select Site Gateway and click on Next.
From the appliance in Azure, click on Download. The configuration file is used to configure the client.
From the appliance on the local network (the client), click on Browse and select the file previously downloaded. Click on Finish.
The server has been connected.
On my desktop, I modify the IP configuration and enter the IP address of the Veeam PN client (the appliance on the local network) as the gateway. Now I can ping my Veeam PN server on Azure.
Add Microsoft Azure Accounts
If you use the protected mode on Internet Explorer, you need to add the following URLs.
- https://login.live.com
- https://login.microsoftonline.com
- https://secure.aadcdn.microsoftonline-p.com
- https://auth.gfx.ms
- about:security_veeam.backup.shell.exe
From the Veeam console, click on menu then on Manage Cloud Credentials.
A new window appears; click on Add, then on Microsoft Azure compute account.
A wizard appears; click on Next.
Select Microsoft Azure and the desired Region.
Select Use the existing account then click on Add.
You can use a user with minimal privileges; use this link to create the Azure AD role. Assign the role to the desired user.
Enter username and password of the Azure account previously created.
If you need to restore Linux machines, tick Enable direct restore of Linux-based computers. A helper appliance is added if you tick this option. I need to restore Linux, so I enable this option.
Click on Add to configure new helper appliances.
Choose the configuration of the appliance and click on OK.
Click on Apply. The deployment begins.
When it's finished, click on Next, then on Finish.
What is Azure Proxy?
Uploading the machine disks of a VM (restore VM to Linux with VBR) can take a very long time, especially if your internet connection is very slow. To improve the restoration time of these VMs, you can deploy an Azure proxy in your backup infrastructure.
This deployment consists of adding a small virtual machine in Microsoft Azure. Through this VM, Veeam Backup & Replication transports the VM disk data to Azure (blob storage). The Veeam components installed on the Azure virtual machine (the Azure proxy) compress and deduplicate the restored disks, so network traffic is reduced and the restore process takes less time.
The deployment of this virtual machine is performed by Veeam Backup & Replication. It deploys a virtual machine with the Windows Server 2012 R2 operating system.
Add Azure Proxy on Veeam
From the Veeam console, select the Backup Infrastructure view and click on Backup Proxies. On the ribbon, click on Add Proxy then on
Enter the desired name for the proxy then configure Max concurrent tasks.
Add credentials for the Azure proxy, then click on Next.
Select the location for the VM and click on Next.
Select the desired size for the VM and the storage account. Click on Next.
You can create a new resource group or select an existing one.
Configure virtual network and click on Apply.
Deployment is starting… Click on Finish.
Restore to Azure
Virtual machines can be restored to Azure. From the Veeam console, click on the Home view, then on Disk. Right-click on the desired machine and click on Restore to Microsoft Azure.
Select the location for the VM and the Azure Proxy.
Click on Edit, for each VM select the size and the storage type.
Repeat the same operation for the Name, the Resource group and the Network.
It's possible to scan the VM. If malware is detected, the restore can be aborted or allowed to proceed.
Click on Finish to start recovery.
If you get error 409 (conflict), verify the selected size. It does not exist in the Azure region. You can also use Azure Monitor to get more detail about the error.
All VMs have been restored. You can use the VPN connection established with Veeam PN to connect to the VMs.