PRA with Azure

Veeam PN for Azure

Veeam PN is a free solution from Veeam. I use Veeam PN for more security, but it is not mandatory to restore VMs in Azure. It brings new features to the Veeam solution by allowing restoration in Azure or creation of a VPN connection. It can be used for the following purposes:

  • Create a site-to-site VPN between the company office and Microsoft Azure to connect to VMs restored in Azure
  • Create a point-to-site VPN between remote computers and Microsoft Azure to connect to VMs restored in Azure
  • Allow a remote user to connect to the corporate network via Microsoft Azure

Azure PN uses OpenVPN technology to connect the Azure network and the company network.

Site-to-Site VPN

A site-to-site VPN establishes a connection between a private network and the Azure network. It is therefore easier to position internal resources in Azure and make them available to users. Traffic destined for the remote network is routed through a secure channel. The VPN is organized around a network hub, which is the core of the VPN infrastructure: it is responsible for traffic routing, encryption, authentication, and so on. Veeam PN allows two deployment scenarios:

  • Deployment of the network hub in Azure
  • Deployment of the network hub on premise

The network hub is one endpoint of the VPN tunnel; the other endpoint must also be created. To do this, a gateway must be deployed. This gateway is an appliance whose function is to establish a secure connection with the network hub.

Point-to-Site VPN

With this scenario, you can establish a secure connection between a single computer and Azure. It is therefore possible to connect one computer only rather than an entire network. In this scenario, OpenVPN must be configured on the user's workstation.

System Requirements

If the network hub is installed in Azure, it requires an Azure VM:

  • A1 minimum: 1 core, 1.75 GB of RAM and 70 GB of disk space.

If you choose to install it on-premises, you need a VMware vSphere ESXi host 5.0 or later. It requires:

  • 1 GB of RAM, and 3.9 GB of disk space for a thin-provisioned disk or 16 GB of disk space for a thick-provisioned disk.

You need to allow the following ports through your firewall:

  • TCP/UDP 1194, from site gateways to the network hub. Allows the network hub to listen for connections from the site gateways.
  • TCP/UDP 6179, from standalone computers to the network hub. Allows the network hub to listen for connections from standalone computers.
  • HTTPS 443, from a browser to the network hub or site gateway. Used to communicate with the network hub or site gateway portal.
  • SSH 22, from a client machine to the network hub or site gateway. Used as a control channel.
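
As an added example (not from the original post or from Veeam), the following Python script audits inbound firewall rules against the port list above and flags rules that are broader than the list requires. The rule field names are assumed to follow the JSON shape of Azure network security group rules, and the sample rules are constructed.

```python
# Port matrix from the firewall list above: port -> protocols in use.
VEEAM_PN_PORTS = {
    1194: {"Tcp", "Udp"},  # site gateway -> network hub
    6179: {"Tcp", "Udp"},  # standalone computer -> network hub (point-to-site)
    443: {"Tcp"},          # browser -> hub or gateway portal
    22: {"Tcp"},           # client machine -> SSH control channel
}
MANAGEMENT_PORTS = {443, 22}
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}


def audit(rules, point_to_site_enabled):
    """Return (rule name, finding) pairs for inbound allow rules that are too broad."""
    findings = []
    for r in rules:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        name, port = r["name"], r["destinationPortRange"]
        if not port.isdigit() or int(port) not in VEEAM_PN_PORTS:
            findings.append((name, f"port {port} is not in the Veeam PN port list"))
            continue
        port = int(port)
        if r["protocol"] != "*" and r["protocol"] not in VEEAM_PN_PORTS[port]:
            findings.append((name, f"{r['protocol']} is not used on port {port}"))
        if port == 6179 and not point_to_site_enabled:
            findings.append((name, "port 6179 is open but point-to-site is disabled"))
        elif port in MANAGEMENT_PORTS and r["sourceAddressPrefix"] in ANY_SOURCE:
            findings.append((name, f"management port {port} accepts any source"))
    return findings


def make_rule(name, protocol, source, port, access="Allow"):
    """Build an inbound rule dict using the assumed field names (constructed data)."""
    return {"name": name, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source,
            "destinationPortRange": port}


# Constructed sample rule set; the addresses are documentation ranges.
SAMPLE_RULES = [
    make_rule("vpn-site", "Udp", "203.0.113.10/32", "1194"),
    make_rule("vpn-p2s", "Udp", "*", "6179"),
    make_rule("portal", "Tcp", "*", "443"),
    make_rule("ssh", "Tcp", "198.51.100.7/32", "22"),
    make_rule("rdp", "Tcp", "*", "3389"),
    make_rule("deny-all", "*", "*", "*", access="Deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES, point_to_site_enabled=False):
        print(f"{name}: {finding}")
```

Pass `point_to_site_enabled=False` when the point-to-site service is turned off on the hub, as it is later in this walkthrough, so that an open port 6179 is reported.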

Deploy Network hub

We will first deploy the network hub. The hub is the component that provides VPN connections. All traffic in the VPN is routed through the network hub. The network hub is deployed in Microsoft Azure. From the Azure portal, click on Create a resource.

Create resource on Azure

Search Veeam PN and click on the result.

PRA with Azure - install Veeam PN

Click on Create to create the resource.

Create resource for Veeam PN

Select the desired resource group or create a new one. If you select an existing resource group, it must be empty. Select the Azure region and enter the name of the virtual machine. Configure the username and password and click on Next.

configure vm configuration

You can change the size of the VM and select the storage account, or create a new one if you want. Enter the desired domain name and click on Next.

Configure vpn settings

Select the desired encryption key size then configure all information for the VPN. Click on Review + Create then on Create.

Select the key size
Configure VPN information

Deployment is in progress…

Deployment is in progress

Configure Network Hub Settings

From the Azure portal, click on Virtual Machines then on your virtual Appliance.

access to your virtual appliance

Copy the public IP address of your VM. Open a browser on your computer and enter https://IPAdress to access the configuration page. Enter the username and password configured when you created the appliance.

Connect to Veeam PN
access to Veeam pn

A wizard appears; click on Next. You need to authenticate to Microsoft Azure Active Directory. To do so, click on the link (shown in the Azure Setup window) and enter the authentication code.

authentication with veeam pn
authentication with Azure AD

Click on Next then on Finish.

Configure authentication

Configure Veeam PN Services

On the configuration portal, click on Settings then on Services. Disable the point-to-site options.

disable Point to site

Click on the VPN tab; all settings are already configured. Don’t change anything.

view configuration of the vpn

With the Alerts tab, you can configure the desired alerts.

Configure alerts
Configure action

Click on the System tab: you can start or stop the SSH service, configure autostart, or back up the configuration.

Configure System tab

Add new client

From the menu, click on Clients then on Add.

add new client on veeam pn

Select Entire site, then click on Next. All of my servers can use Veeam PN. I can filter and select only one computer.

Select Entire site

Enter the desired name and the network address.

Configure site

Click on Download Veeam PN open virtual appliance (OVA), then click on Finish.

Download OVA

A Veeam web site appears; click on the link to download the OVA file.

Download ova file

Import the OVA file on the ESXi host. Start the VM and copy its IP address.

Import ova file

Open a web browser and enter the address http://adresseIP. Replace adresseIP with the IP address of the appliance.

Connect it to Veeam PN

Enter the default credentials (root / VeeamPN) and click on Login. Enter the old password and the new password, then click on Change.

Connect to Veeam PN

On the Initial Configuration window, select Site Gateway and click on Next.

Select Site gateway

From the appliance in Azure, click on Download. The configuration file is used to configure the client.

Download configuration file

From the appliance on the local network (the client), click on Browse and select the file previously downloaded. Click on Finish.

Select the configuration file

The server has been connected.

server has been connected

On my desktop, I modify the IP configuration and enter the IP address of the Veeam PN client (the appliance on the local network) as the gateway. Now I can ping my Veeam PN server in Azure.

Configure vpn

Add Microsoft Azure Accounts

If you use Protected Mode in Internet Explorer, you need to add the following URLs.

  • https://login.live.com
  • https://login.microsoftonline.com
  • https://secure.aadcdn.microsoftonline-p.com
  • https://auth.gfx.ms
  • about:security_veeam.backup.shell.exe

From the Veeam console, click on menu then on Manage Cloud Credentials.

Add Manage Cloud Credentials

A new window appears; click on Add, then on Microsoft Azure compute account.

Create Microsoft Azure Account

A wizard appears; click on Next.

A wizard appears

Select Microsoft Azure and the desired region.

Select the desired region

Select Use the existing account then click on Add.

Add new azure Ad account

You can use a user with minimal privileges: use this link to create the Azure AD role, then assign the role to the desired user.

Enter the username and password of the Azure account previously created.

Enter account username

If you need to restore Linux machines, tick Enable direct restore of Linux-based computers. A helper appliance is added if you tick this option. I need to restore Linux machines, so I enable this option.

Enable option for linux support

Click on Add to configure new helper appliances.

Add new Helper Appliance

Choose the configuration of the appliance and click on OK.

Configuration of the appliance

Click on Apply. The deployment begins.

Deploy appliance

When it is finished, click on Next, then on Finish.

Deployment is finished

What is Azure Proxy?

Uploading the machine disks of the VM (restore VM to Linux with VBR) can take a very long time, especially if your internet connection is very slow. To improve the restore time of these VMs, you can deploy an Azure proxy in your backup infrastructure.

This deployment consists of adding a small virtual machine in Microsoft Azure. Through this VM, Veeam Backup & Replication transports the VM disk data to Azure (blob storage). The Veeam components installed on the Azure virtual machine (the Azure proxy) compress and deduplicate the restored disk data, so network traffic is reduced and the restore process takes less time.

This virtual machine is deployed by Veeam Backup & Replication, which deploys a virtual machine running the Windows Server 2012 R2 operating system.

Add Azure Proxy on Veeam

From the Veeam console, select the Backup Infrastructure view and click on Backup Proxies. On the ribbon, click on Add Proxy then on

Add Azure Proxy

Enter the desired name for the proxy then configure Max concurrent tasks.

Azure proxy for veeam

Add credentials for the Azure proxy, then click on Next.

Credential for azure proxy vm

Select the location for the VM and click on Next.

Select location for the vm

Select the desired size for the VM and the storage account. Click on Next.

Select the size of the vm

You can create a new resource group or select an existing one.

Select the resource group

Configure virtual network and click on Apply.

Configure virtual network

The deployment starts. Click on Finish.

VM is deployed

Restore to Azure

Virtual machines can be restored to Azure. From the Veeam console, click on the Home view, then on Disk. Right-click on the desired machine and click on Restore to Microsoft Azure.

Restore to Azure

Select the location for the VM and the Azure Proxy.

Select the location and the azure proxy

Click on Edit, for each VM select the size and the storage type.

Select the size and storage type

Repeat the same operation for the name, the resource group and the network.

Configure name and storage type
Configure network

It is possible to scan the VM for malware. If malware is detected, the restore can be aborted or allowed to proceed.

Scan anti malware

Click on Finish to start recovery.

Click on Finish to start recovery
Recover is in progress

If you get error 409 (Conflict), verify the selected size: it does not exist in the Azure region. You can also use Azure Monitor to get more detail about the error.

All VMs have been restored. You can use the VPN connection established with Veeam PN to connect to the VMs.

Restore VM with Veeam
