Veeam Backup for Microsoft

Azure

Version 5.0
User Guide
April, 2023
© 2023 Veeam Software.

All rights reserved. All trademarks are the property of their respective owners.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or
translated into any language in any form by any means, without written permission from Veeam Software
(Veeam). The information contained in this document represents the current view of Veeam on the issue
discussed as of the date of publication and is subject to change without notice. Veeam shall not be liable for
technical or editorial errors or omissions contained herein. Veeam makes no warranties, express or implied, in
this document. Veeam may have patents, patent applications, trademark, copyright, or other intellectual
property rights covering the subject matter of this document. All other trademarks mentioned herein are the
property of their respective owners. Except as expressly provided in any written license agreement from Veeam,
the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.

NOTE
Read the End User Software License Agreement before using the accompanying software programs. Using
any part of the software indicates that you accept the terms of the End User Software License Agreement.

2 | V eeam Backup for Microsoft Azure | User Guide

Contents
CONTACTING VEEAM SOF TWARE ................................ ................................ ........................... 7
ABOUT THIS DOCUMENT ................................ ................................ ................................ ..... 8
WELCOME TO VEEAM BACKUP FOR MICROSOFT AZURE................................ ................................ . 9
INTEGRATION WITH VEEAM BACKUP & REPLICATION ................................ ................................ .. 10
PLANNING AND P REPARATION ................................ ................................ .............................. 11
Azure Account Permissions ................................................................................................................... 12
Azure Service Account Permissions ............................................................................................. 13
Azure Repository Account Permissions ........................................................................................18
Ports .................................................................................................................................................. 20
Azure Services .................................................................................................................................... 24
Azure Resource Providers .................................................................................................................... 25
Considerations a nd Limitations ............................................................................................................ 26
LICENSING ................................ ................................ ................................ ..................... 29
Installing and Removing License ........................................................................................................... 31
Viewing License Information ............................................................................................................... 33
Revoking License Units ....................................................................................................................... 34
ARCHITECTURE OVERVIEW ................................ ................................ ................................ . 35
DEPLOY MENT ................................ ................................ ................................ ................. 39
Installing Veeam Back up for Microsoft Azure .......................................................................................40
Step 1. La unch Create Virtual Machine Wizard..............................................................................41
Step 2. Configure Azure VM Properties ....................................................................................... 43
Step 3. Select OS Disk Type ....................................................................................................... 45
Step 4. Configure Network Settings ........................................................................................... 46
Step 5. Specify Management Options ......................................................................................... 48
Step 6. Begin Installation .......................................................................................................... 50
After You Install .................................................................................................................................. 51
Uninstalling Veeam Backup for Microsoft Azure ................................................................................... 52
Remove Backed-Up Data ........................................................................................................... 53
Remove IAM Roles and Azure AD Applications ............................................................................ 54
Remove Azure Resources .......................................................................................................... 55
ACCESSING VEEAM BACK UP FOR MICROSOFT AZURE................................ ................................ ...56
CONFIGURING VEE AM BACKUP FOR MICROSOFT AZURE ................................ ............................... 59
Managing Accounts ............................................................................................................................60
Managing Service Accounts ........................................................................................................61
Managing Repository Accounts .................................................................................................. 72
Managing SMTP and SQL Server Accounts ...................................................................................81

3 | V eeam Backup for Microsoft Azure | User Guide

 Managing User Accounts ..................................................................................................................... 86
Adding User Accounts ............................................................................................................... 88
Editing User Accounts ............................................................................................................... 89
Changing User Passwords ..........................................................................................................90
Changing Default Admin Password .............................................................................................91
Enabling Multi-Factor Authentication ........................................................................................ 92
Managing Backup Repositories ............................................................................................................ 93
Adding Backup Repositories ...................................................................................................... 94
Editing Backup Repositories .....................................................................................................107
Removing Back up Repositories ................................................................................................ 108
Managing Worker Instances ............................................................................................................... 109
Managing Worker Configurations .............................................................................................. 110
Managing Worker Profiles ........................................................................................................ 118
Removing Worker Instances...................................................................................................... 125
Configuring General Settings .............................................................................................................. 126
Configuring Global Retention Settings ...................................................................................... 127
Configuring Global Notification Settings ................................................................................... 129
Replacing Security Certificates .................................................................................................. 132
Changing Time Zone ................................................................................................................ 133
Configuring SSO Settings.......................................................................................................... 134
Performing Configuration Backup ....................................................................................................... 136
Performing Snapshot-Based Configuration Backup .................................................................... 137
Performing Configuration Backup and Restore ........................................................................... 139
VIEWING AVAILABLE RESOURCES ................................ ................................ ........................ 150
PERFORMING BACKUP ................................ ................................ ................................ ...... 151
How Backup W orks ............................................................................................................................ 152
VM Back up .............................................................................................................................. 153
SQL Back up ............................................................................................................................. 157
File Share Backup .................................................................................................................... 160
Retention Policy ...................................................................................................................... 162
Performing VM Backup ...................................................................................................................... 165
Creating VM Backup P olicies .....................................................................................................166
Creating VM Snapshots Manually ..............................................................................................199
Performing SQL Backup .....................................................................................................................201
Creating SQL Backup P olicies ................................................................................................... 202
Creating SQL Backups Manually ................................................................................................ 231
Performing File Share Back up .............................................................................................................233
Creating File Share Backup Policies .......................................................................................... 234
Creating File Share Snapshots Manually ....................................................................................253

4 | V eeam Backup for Microsoft A zure | User Guide

 Managing Backup P olicies ................................................................................................................. 254
Editing Backup P olicy Settings ..................................................................................................255
Setting Backup P olicy Priority .................................................................................................. 256
Enabling and Disabling Backup P olicies .....................................................................................257
Starting and Stopping Backup P olicies ...................................................................................... 258
Exporting and Importing Backup Policies .................................................................................. 259
MANAGING BACKED -UP DATA ................................ ................................ ............................ 261
Managing VM Data ........................................................................................................................... 262
Removing Back ups and Snapshots ........................................................................................... 264
Removing Azure VM Snapshots Created Manually ..................................................................... 265
Retrieving Data from Archive ................................................................................................... 266
Managing SQL Data .......................................................................................................................... 269
Removing Back ups .................................................................................................................. 270
Removing SQL Back ups Created Manually ................................................................................. 271
Retrieving Data from Archive ....................................................................................................272
Managing File Share Data ...................................................................................................................275
Removing Snapshots ................................................................................................................277
Removing File Share Snapshots Created Ma nually .................................................................... 278
PERFORMING RESTORE ................................ ................................ ................................ .... 279
Performing VM Restore ..................................................................................................................... 280
Performing E ntire VM Restore .................................................................................................. 281
Performing Disk Restore .......................................................................................................... 295
Performing File -Level Recovery ............................................................................................... 305
Performing SQL Restore ..................................................................................................................... 313
Step 1. La unch SQL Database Restore Wizard............................................................................. 315
Step 2. Select Restore P oint ..................................................................................................... 316
Step 3. Select Azure Account .................................................................................................... 317
Step 4. Choose Restore Mode ................................................................................................... 318
Step 5. Select Azure SQL Account ............................................................................................. 319
Step 6. Specify Retrieval Settings ............................................................................................ 320
Step 7. Configure Restore Settings ............................................................................................322
Step 8. Specify Restore Reason.................................................................................................323
Step 9. Finish W orking with Wizard .......................................................................................... 324
Performing File Share Restore ............................................................................................................325
Step 1. La unch Azure Files File-Level Recovery Wizard .............................................................. 326
Step 2. Select Azure Account ....................................................................................................327
Step 3. Choose Restore Mode .................................................................................................. 328
Step 4. Specify Restore Reason................................................................................................ 329
Step 5. Start Recovery Session ................................................................................................. 330

5 | V eeam Backup for Microsoft Azure | User Guide

 Step 6. Select Restore P oint ..................................................................................................... 331
Step 7. Choose Items to Recover ...............................................................................................332
Step 8. Stop Restore Session ....................................................................................................333
REVIEWING DASHBOARD ................................ ................................ ................................ .. 334
VIEWING SESSION STATISTICS ................................ ................................ ............................ 336
COLLECTING OBJECT PR OPERTIES ................................ ................................ ....................... 337
UPDATING VEEAM BACKUP FOR MICROSOFT AZURE ................................ ................................ . 338
Checking for Updates........................................................................................................................ 339
Installing Updates ............................................................................................................................ 340
Viewing Update History .................................................................................................................... 344
GETTING TECHNICAL SUPPOR T................................ ................................ ........................... 345
APPENDIX. W ORKING IN PRIVATE ENVIRONMENTS ................................ ................................ ... 347
Configuring Network Settings for Storage Accounts ........................................................................... 348
Configuring Firewall Settings................................................................................................... 349
Creating Private Endpoints ...................................................................................................... 350
Configuring Network Settings for SQL Server ..................................................................................... 358
Configuring Firewall Settings................................................................................................... 359
Creating Private Endpoints ...................................................................................................... 360
Configuring Network Settings for SQL Ma naged Instance .................................................................... 368

6 | V eeam Backup for Microsoft Azure | User Guide

Contacting Veeam Software
At Veeam Software we value feedback from our customers. It is important not only to help you quickly with your
technical issues, but it is our mission to listen to your input and build products that incorporate your
suggestions.

Customer Support
Should you have a technical concern, suggestion or question, visit the Veeam Customer Support Portal to open a
case, search our knowledge base, reference documentation, manage your license or obtain the latest product
release.

Company Contacts
For the most up-to-date information about company contacts and office locations, visit the Veeam Contacts
Webpage.

Online Support
If you have any questions about Veeam products, you can use the following resources:

• Full documentation set: veeam.com/documentation-guides-datasheets.html

• Veeam R&D Forums: forums.veeam.com

7 | V eeam Backup for Microsoft A zure | User Guide

About This Document
This guide is designed for IT professionals who plan to use Veeam Backup for Microsoft Azure. The guide
includes system requirements, licensing information and step -by-step deployment instructions. It also provides
a comprehensive set of features to ensure easy execution of protection and disaster recovery tasks in Microsoft
Azure environments.

8 | V eeam Backup for Microsoft A zure | User Guide

Welcome to Veeam Backup for Microsoft
Azure
Veeam Backup for Microsoft Azure is a solution developed for protection and disaster recovery tasks for
Microsoft Azure environments. With Veeam Backup for Microsoft Azure, you can perform the following
operations:

• Create image-level backups and cloud-native snapshots of Azure VMs.

• Create image-level backups of Azure SQL databases.

• Create cloud-native snapshots of Azure file shares.

• Keep the backed-up data in cost-effective, long-term Microsoft Azure storage accounts.

• Restore individual files of Azure file shares, specific Azure SQL databases, entire Azure VMs, individual
virtual disks, and guest OS files and folders.

9 | V eeam Backup for Microsoft Azure | User Guide

Integration with Veeam Backup &
Replication
Microsoft Azure Plug-in for Veeam Backup & Replication extends the Veeam Backup & Replication functionality
and allows you to add Veeam Backup for Microsoft Azure appliances to the backup infrastructure. W ith
Microsoft Azure Plug-in for Veeam Backup & Replication, you can manage data protection and disaster recovery
operations from the Veeam Backup & Replication console. For more information, see the Integration with Veeam
Backup & Replication Guide.

10 | V eeam Backup for Microsoft A zure | User Guide

Planning and Preparation
Before you start using Veeam Backup for Microsoft Azure, consider the following requirements:

• Permissions that must be assigned to a service or a repository account used to perform Veeam Backup for
Microsoft Azure operations.

• Network ports that must be open to ensure proper communication of Veeam Backup for Microsoft Azure
components.

• Azure services to which Veeam Backup for Microsoft Azure must have outbound internet access .

• Azure resource providers that must be registered in subscriptions.

• Considerations and limitations that should be kept in mind before you deploy Veeam Backup for Microsoft
Azure.

11 | V eeam Backup for Microsoft A zure | User Guide

Azure Account Permissions
To allow backup appliance to perform backup and restore operations, Azure accounts added to Veeam Backup
for Microsoft Azure must have the following permissions:

• Azure service account permissions

• Azure repository account permissions

12 | V eeam Backup for Microsoft Azure | User Guide

Azure Service Account Permissions
Veeam Backup for Microsoft Azure uses service accounts to perform the following operations:

• To enumerate resources added to backup policies.

• To create snapshots and backups of Azure resources protected by policies.

• To create and manage worker instances.

• To attach virtual disks to worker instances when performing image-level backup.

• To restore Azure VMs, virtual disks, and files and folders from cloud -native snapshots and image-level
backups.

• To restore Azure SQL databases from image-level backups.

• To restore files of Azure file shares from cloud-native snapshots.

• To create and manage backup repositories, and so on.

TIP

To manage backup repositories, you can use service accounts or create specific repository accounts. For
more information on permissions required for repository accounts, see Azure Repository Account
Permissions.

Service accounts must have either the Contributor and Key Vault Crypto Officer Azure built-in roles or a custom
role assigned permissions required to get access to Azure resources that you want to protect. To learn how to
create custom roles, see Microsoft Docs.

13 | V eeam Backup for Microsoft Azure | User Guide

The following permissions are required for Azure service accounts. The dataActions list of permissions is
required only if you plan to use service accounts to manage backup repositories, and to encrypt data stored in
backup repositories using the Azure Key Vault Service.

14 | V eeam Backup for Microsoft A zure | User Guide

 {
"permissions": [
{
"actions": [
"Microsoft.Authorization/locks/Read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Commerce/RateCard/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/diskAccesses/delete",
"Microsoft.Compute/diskAccesses/privateEndpointConnections/read"
,
"Microsoft.Compute/diskAccesses/privateEndpointConnections/write
",
"Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApprov
al/action",
"Microsoft.Compute/diskAccesses/read",
"Microsoft.Compute/diskAccesses/write",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/disks/beginGetAccess/action",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/disks/endGetAccess/action",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/extensions/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/runCommand/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.DevTestLab/Schedules/write",
"Microsoft.DevTestLab/Schedules/read",
"Microsoft.Insights/eventtypes/values/Read",
"Microsoft.Insights/MetricDefinitions/Read",
"Microsoft.Insights/Metrics/Read",
"Microsoft.KeyVault/vaults/deploy/action",
"Microsoft.KeyVault/vaults/keys/versions/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action
",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",

15 | V eeam Backup for Microsoft Azure | User Guide

 "Microsoft.Network/privateEndpoints/delete",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/privateEndpoints/write",
"Microsoft.Network/privateLinkServices/privateEndpointConnection
s/read",
"Microsoft.Network/privateLinkServices/privateEndpointConnection
s/write",
"Microsoft.Network/privateLinkServices/privateEndpointConnection
s/delete",
"Microsoft.Network/publicIPAddresses/delete",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/virtualNetworks/checkIpAddressAvailability/re
ad",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.Resources/subscriptions/resourceGroups/moveResources/
action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/validateMoveRe
sources/action",
"Microsoft.ServiceBus/namespaces/delete",
"Microsoft.ServiceBus/namespaces/networkrulesets/delete",
"Microsoft.ServiceBus/namespaces/networkrulesets/read",
"Microsoft.ServiceBus/namespaces/networkrulesets/write",
"Microsoft.ServiceBus/namespaces/operationresults/read",
"Microsoft.ServiceBus/namespaces/queues/authorizationRules/ListK
eys/action",
"Microsoft.ServiceBus/namespaces/queues/authorizationRules/read"
,
"Microsoft.ServiceBus/namespaces/queues/authorizationRules/write
",
"Microsoft.ServiceBus/namespaces/queues/delete",
"Microsoft.ServiceBus/namespaces/queues/read",
"Microsoft.ServiceBus/namespaces/queues/write",
"Microsoft.ServiceBus/namespaces/read",
"Microsoft.ServiceBus/namespaces/write",
"Microsoft.ServiceBus/register/action",
"Microsoft.Sql/locations/*",
"Microsoft.Sql/managedInstances/databases/delete",
"Microsoft.Sql/managedInstances/databases/read",
"Microsoft.Sql/managedInstances/databases/write",
"Microsoft.Sql/managedInstances/encryptionProtector/read",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/servers/databases/azureAsyncOperation/read",
"Microsoft.Sql/servers/databases/delete",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/syncGroups/read",

16 | V eeam Backup for Microsoft Azure | User Guide

 "Microsoft.Sql/servers/databases/transparentDataEncryption/read"
,
"Microsoft.Sql/servers/databases/usages/read",
"Microsoft.Sql/servers/databases/write",
"Microsoft.Sql/servers/elasticPools/read",
"Microsoft.Sql/servers/encryptionProtector/read",
"Microsoft.Sql/servers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read"
,
"Microsoft.Storage/storageAccounts/blobServices/containers/write
",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/managementPolicies/write",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/wr
ite",
"Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApp
roval/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/encrypt/action",
"Microsoft.KeyVault/vaults/keys/decrypt/action",
"Microsoft.KeyVault/vaults/keys/read"
],
"notDataActions": []
}
]
}

17 | V eeam Backup for Microsoft A zure | User Guide

Azure Repository Account Permissions
Repository accounts must have either the Contributor and Key Vault Crypto Officer Azure built-in roles or a
custom role assigned permissions required to manage backup repositories residing in Azure blob containers. To
learn how to create custom roles, see Microsoft Docs.

18 | V eeam Backup for Microsoft Azure | User Guide

The following permissions are required for Azure repository accounts. The dataActions list of permissions is
required only if you plan to encrypt data stored in a backup repository using the Azure Key Vault Service.

{
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Compute/diskAccesses/delete",
"Microsoft.Compute/diskAccesses/privateEndpointConnections/read"
,
"Microsoft.Compute/diskAccesses/privateEndpointConnections/write
",
"Microsoft.Compute/diskAccesses/PrivateEndpointConnectionsApprov
al/action",
"Microsoft.Compute/diskAccesses/read",
"Microsoft.Compute/diskAccesses/write",
"Microsoft.KeyVault/vaults/deploy/action",
"Microsoft.KeyVault/vaults/keys/versions/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.Network/privateEndpoints/delete",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/privateEndpoints/write",
"Microsoft.Network/privateLinkServices/privateEndpointConnection
s/read",
"Microsoft.Network/privateLinkServices/privateEndpointConnection
s/write",
"Microsoft.Network/privateLinkServices/privateEndpointConnection
s/delete",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read"
,
"Microsoft.Storage/storageAccounts/blobServices/containers/write
",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/wr
ite",
"Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApp
roval/action",
"Microsoft.Storage/storageAccounts/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/encrypt/action",
"Microsoft.KeyVault/vaults/keys/decrypt/action",
"Microsoft.KeyVault/vaults/keys/read"
],
"notDataActions": []
}
]
}

19 | V eeam Backup for Microsoft Azure | User Guide

Ports
The following network ports must be open to ensure proper communication of components in the Veeam
Backup for Microsoft Azure architecture.

From To P rotocol P ort Description

Workstation web Backup appliance TCP 443 Required to access the Web UI
browser component from a user
workstation.

Required to communicate with the

REST API service running on the
backup appliance.

Worker instance TCP 443 Required to access the Veeam File

Level Recovery browser running on
a worker instance during the file-
level recovery process.

Backup Veeam Update Notification TCP 443 Required to download information

appliance Server on available product updates.
(repository.veeam.com)

Ubuntu Security Update HTTP 80 Required to get OS security

repository updates.
(security.ubuntu.com)

Ubuntu NTP Server UDP 123 Required to run a time sync service
(ntp.ubuntu.com) for Linux VMs.

Note: This connection is required

only if you updated Veeam Backup
for Microsoft Azure from the Web
UI.

Ubuntu Archive repository HTTP 80 Required to get APT updates when

(azure.archive.ubuntu.com) updating the backup appliance
manually using the terminal.

APT repository of HTTP 80

PostgreSQL packages
(apt.postgresql.org)

DotNetCore Update TCP 443 Required to get .NET updates.

Repository
(packages.microsoft.com)

20 | V eeam Backup for Microsoft Azure | User Guide

 From To P rotocol P ort Description

SMTP server TCP 25 Required to send email

notifications.

Note: The TCP 25 port is the port

that is most commonly used by
SMTP servers.

Azure AD TCP 443 Required to add service and

repository accounts.

Azure Resource Manager TCP 443 Note: If you use Azure

Government, add a DNS name or an
IP address of Microsoft Graph API
(graph.microsoft.net) to the
security rule. Otherwise, Veeam
Backup for Microsoft Azure will not
be able to add service and
repository accounts.

Azure Storage TCP 443 Required to communicate with

Azure storage accounts.

ServiceBus service TCP 443 Required to communicate with user

workstations.

Azure Key Vault TCP 443 Required to encrypt backup

repositories using cryptographic
keys.

Azure Virtual Network HTTPS 443 Required to verify MD5 keys of

Volume Shadow Copy Service
binary files.

Note: This connection is required to

back up Azure resources that
operate in private environment
only.

Azure VMs Backup appliance TCP 443 Required to communicate with

Windows-based Azure VMs with
enabled guest processing option.
ServiceBus service TCP/AMQP 443 For more information, see
Performing Backup.
Azure Storage TCP 443

Worker instances Ubuntu Security Update HTTP 80 Required to get OS security

repository updates.
(security.ubuntu.com)

21 | V eeam Backup for Microsoft Azure | User Guide

 From To P rotocol P ort Description

Ubuntu Archive repository HTTP 80 Required to get APT updates.

(azure.archive.ubuntu.com)

ServiceBus service TCP/AMQP 443 Required to communicate with

Windows-based Azure VMs with
enabled guest processing option.
For more information, see
Performing Backup.

SQL Servers TCP 1433, Required to connect to SQL

11000- Servers.
11999
Note: The usage of the specified
TCP ports depends on the
networking settings of SQL
Servers. If the Red irect option is
selected, port 1433 is used to
establish only the first connection.
If the P roxy option is selected, port
1433 is used to establish all
connections by default. For more
information on networking settings
of SQL Servers, see Microsoft Docs.

Azure SQL Managed TCP 3342 Required to connect to Azure SQL

Instances Managed Instances using public
endpoints.

TCP 1433, Required to connect to Azure SQL

11000- Managed Instances using private
11999 endpoints.

Note: The usage of the specified

TCP ports depends on the
networking settings of SQL
Servers. If the Red irect option is
selected, port 1433 is used to
establish only the first connection.
If the P roxy option is selected, port
1433 is used to establish all
connections by default. For more
information on networking settings
of SQL Servers, see Microsoft Docs.

Azure Storage TCP 443 Required to download worker

binary files from Veeam storage
accounts.

22 | V eeam Backup for Microsoft A zure | User Guide

 From To P rotocol P ort Description

ServiceBus Worker instances TCP/AMQP 443 Required to perform image-level

service backup and restore operations.

Backup appliance TCP/AMQP 443 Required to communicate with

Windows-based Azure VMs with
enabled guest processing option.
For more information, see
Performing Backup.

23 | V eeam Backup for Microsoft A zure | User Guide

Azure Services
The backup appliance and worker instances must have outbound network access to the following Microsoft
Azure services.

NOTE

If you plan to back up Azure resources that operate in private environment, consider that the backup
appliance and worker instances must have access to all the listed services as well.

• Azure Active Directory

• Azure Resource Manager

• Azure Storage Accounts

• Azure Cost Management

• Azure Instance Metadata Service (AzurePlatformIMDS)

• Microsoft Identity Platform

• Azure Ubuntu Repository

• Azure Service Bus

• Azure Key Vault

• Azure Virtual Network (for Azure resources that operate in private environment only)

24 | V eeam Backup for Microsoft Azure | User Guide

Azure Resource Providers
To perform operations, Veeam Backup for Microsoft Azure requires the following providers to be registered in
your subscriptions:

• Microsoft.Authorization

• Microsoft.Commerce

• Microsoft.Compute

• Microsoft.DevTestLab

• Microsoft.KeyVault

• Microsoft.Network

• Microsoft.Resources

• Microsoft.ServiceBus

• Microsoft.Storage

• Microsoft.Sql

• Microsoft.ManagedServices

For more information on Azure resource providers, see Microsoft Docs.

25 | V eeam Backup for Microsoft A zure | User Guide

Considerations and Limitations
When you plan to deploy and configure Veeam Backup for Microsoft Azure, keep in mind the following
limitations and considerations.

Hardware

Comp onent Recommended Azure VM size

• Standard_B2s with 2 CPUs and 4 GB RAM

Backup appliance
• Standard_B2ms with 2 CPUs and 8 GB RAM

• Standard_F2s_v2 with 2 CPUs and 4 GB RAM for regular backup

Workers
• Standard_E2_v5 with 2 CPUs and 16 GB RAM for archived backup

For more information on Azure VM sizes, see Microsoft Docs.

Software
To access Veeam Backup for Microsoft Azure, use Microsoft Edge (latest version), Mozilla Firefox (latest version)
or Google Chrome (latest version). Internet Explorer is not supported.

Security Certificates
Veeam Backup for Microsoft Azure supports certificates in the formats .PFX and .P12.

Backup Repositories
Before you start managing backup repositories, consider the following:

• Veeam Backup for Microsoft Azure does not support creation of backup repositories in storage accounts
with the Azure Data Lake Storage Gen2 capabilities.

• Veeam Backup for Microsoft Azure does not support creation of backup repositories in stor age accounts
with the blob soft delete option enabled.

• Veeam Backup for Microsoft Azure does not support creation of archive repositories in storage accounts
with the Zone-redundant storage (ZRS), Geo-zone-redundant storage (GZRS) or Read-access geo-zone-
redundant storage (RA-GZRS) redundancy option enabled.

Network Settings for Worker Instances

Before you start adding worker configurations, consider the following:

• A service endpoint (routing) for the Microsoft.Storage service must be configured for virtual networks to
which workers will be connected. To learn how to configure virtual network service endpoints, see
Microsoft Docs.

• A subnet to which workers will be connected must have at least one free IP address in the subnet range —
Veeam Backup for Microsoft Azure will be able to launch and simultaneously run as many workers as many
free IP addresses there are in the subnet range.

26 | V eeam Backup for Microsoft Azure | User Guide

 • By default, workers use public endpoints to connect to Azure SQL Managed Instances through the port
3342. If a worker tries to connect to an Azure SQL Managed Instance and public endpoints are disabled for
this instance, the worker will use a private endpoint to connect to the instance through the port 1433
instead. However, for the worker to be able to establish the connection, virtual networks to which the
worker and the Azure SQL Managed Instance are connected must be peered in the Microsoft Azure portal.
To learn how to peer virtual networks, see Microsoft Docs.

For more information on worker configurations, see Configuring Workers.

Backup
Before you start protecting Azure resources, consider the following:

• Due to Microsoft Azure limitations, Veeam Backup for Microsoft Azure does not support backup of Azure
VMs with Azure ultra disks. For more information on Azure ultra disks, see Microsoft Docs.

• Veeam Backup for Microsoft Azure supports backup of Azure VMs with trusted launch enabled. However,
you will only be able to perform disk restore and file-level restore for this type of VMs. For more
information on trusted launch, see Microsoft Docs.

• Due to Microsoft Azure limitations, Veeam Backup for Microsoft Azure does not support backup of NFS
Azure file shares. For more information on Azure file share snapshots, see Microsoft Docs.

• When Veeam Backup for Microsoft Azure backs up Azure VMs with IPv6 addresses assigned, it does not
save the addresses. That is why if you plan to restore these VMs, you will have to assign IPv6 addresses to
the restored VMs manually in the Microsoft Azure portal after the restore process completes.

• Veeam Backup for Microsoft Azure does not support backup of databases hosted by Azure Arc -enabled
SQL Managed Instances and SQL Servers on Azure Arc-enabled servers.

• Veeam Backup for Microsoft Azure uses BACPAC files to back up SQL databases. BACPAC export of
databases with external references is not supported. That is why if a SQL database was migrated to an
Azure SQL Database Server or Azure SQL Managed Instance, make sure to clear legacy references,
orphaned database users and credentials set up with authentication types not supported by Azure SQL, to
avoid BACPAC export errors.

• If you delete a file share from Microsoft Azure, the snapshots of this file share will be deleted as well. To
protect your snapshots from accidental deletion, you can use the file share soft delete option. For more
information on the soft delete option for Azure file shares, see Microsoft Docs.

Restore
Before you start restoring Azure resources, consider the following:

• When restoring virtual disks of an Azure VM to a new location from a cloud-native snapshot or image-level
backup, Veeam Backup for Microsoft Azure does not attach the restored virtual disks to any Azure VM —
the disks are placed to the specified location as standalone virtual disks.

• Restore of files and folders is supported for the following file systems only: FAT, FAT32, NTFS, ext2, ext3,
ext4, XFS, Btrfs.

• Veeam Backup for Microsoft Azure supports file-level recovery for Microsoft Windows basic volumes only.
If you use Windows Storage Spaces to store data, restore an entire Azure VM to get access to your files
and folders. For more information on Storage Spaces, see Microsoft Docs.

• Veeam Backup for Microsoft Azure does not support entire VM restore of Azure VMs with trusted launch
enabled. For more information on trusted launch, see Microsoft Docs.

27 | V eeam Backup for Microsoft Azure | User Guide

Azure Disk Encryption
Azure Disk Encryption is supported with the following limitations:

• Backup and restore operations are supported within one Azure region only. If you choose to back up or
restore your data to another region, you must first migrate to the target region all Azure key vaults,
cryptographic keys and secrets used to encrypt the source Azure resources, as described in Microsoft Docs.

• File-level recovery is not supported for VMs whose virtual disks are encrypted using Azure Disk
Encryption.

For more information on Azure Disk Encryption, see Microsoft Docs.

28 | V eeam Backup for Microsoft Azure | User Guide

Licensing
Veeam Backup for Microsoft Azure is licensed per protected instance. An instance is defined as a single Azure
resource — an Azure VM, Azure SQL Server or Azure file share:

• An Azure VM is considered to be protected if it has a restore point (snapshot or backup) created by a

backup policy during the past 31 days.

• An Azure SQL Server is considered to be protected if at least one database located on the server has a
backup created by a backup policy during the past 31 days.

• An Azure file share is considered to be protected if it has a snapshot created by a backup policy during the
past 31 days.

Each protected instance consumes 1 license unit. However, if an instance has only manually created snapshots
or backups, it does not consume any license units.

NOTE

If an instance has not been backed up within the past 31 days, Veeam Backup for Microsoft Azure
automatically revokes the license unit from the instance. If you need to ma nually revoke a license unit,
follow the instructions provided in section Revoking License Units.

Product Editions
Veeam Backup for Microsoft Azure is available in 2 editions:

• Free

Veeam Backup for Microsoft Azure operating in the Free edition allows you to protect up to 10 instances
free of charge. Note that this edition does not support indexing of Azure file shares.

TIP

If you previously had the Free edition installed for evaluation and testing purposes and want to switch to
any of the commercial editions without reconfiguring the backup infrastructure, follow the steps described
in this Veeam KB article.

• BY OL (Bring Your Own License)

Veeam Backup for Microsoft Azure operating in the BYOL edition allows you to protect the number of
instances equivalent to the number of units specified in your license.

Veeam Backup for Microsoft Azure BYOL edition can be licensed using either the Veeam Universal License
(VUL) or a separate product license that can be obtained by contacting a Veeam sales representative at
Sales Inquiry.

When the license expires, Veeam Backup for Microsoft Azure offers a grace period to ensure a smooth
license update and to provide sufficient time to install a new license file. The duration of the grace period
is 31 days after the expiration of the license. During this period, you can perform all types of data
protection and disaster recovery operations. After the grace period is over, Veeam Backup for Microsoft
Azure stops processing all instances and disables all scheduled backup policies. You must update your
license before the end of the grace period.

For details on how to install the license on the backup appliance, see Installing and Removing License.

29 | V eeam Backup for Microsoft Azure | User Guide

 NOTE

Veeam Backup & Replication licensing is applied to Veeam Backup for Microsoft Azure appliances
managed by standalone Veeam Backup & Replication servers. For more information, see the Integration
with Veeam Backup & Replication Guide.

30 | V eeam Backup for Microsoft Azure | User Guide

Installing and Removing License
NOTE

This section applies only to the BYOL edition of Veeam Backup for Microsoft Azure.

Installing License
To install or update a license installed on the backup appliance, do the following:

1. Switch to the Configuration page.

2. Navigate to Licensing > License Info.

3. Click Install License.

4. In the Install License window, click Browse to browse to a license file, and then click Install.

IMP ORTANT

If your backup appliance is connected to a standalone Veeam Backup & Replication server, you can manage
the license only using the Veeam Backup & Replication console. For more information, see Integration with
Veeam Backup & Replication Guide.

Removing License
To remove a license installed on the backup appliance if you no longer need it, do the following:

1. Switch to the Configuration page.

2. Navigate to Licensing > License Info.

31 | V eeam Backup for Microsoft Azure | User Guide

 3. Click Remove License.

After you remove a license, Veeam Backup for Microsoft Azure will automatically switch back to the Free
edition. In this case, according to the FIFO (first-in first-out) queue, only the first 10 instances registered in the
configuration database will remain protected. You can revoke license units from these instances as described in
section Revoking License Units.

IMP ORTANT

If your backup appliance is connected to a standalone Veeam Backup & Replication server and has the
BYOL edition installed, you can remove the license and switch to the Free edition only using the
Veeam Backup & Replication console.

32 | V eeam Backup for Microsoft A zure | User Guide

Viewing License Information
To view details on the license that is currently installed on the backup appliance, do the following:

1. Switch to the Configuration page.

2. Navigate to Licensing > License Info.

The License Info tab provides general information on the Veeam Backup for Microsoft Azure license:

• Sta tus — the license status. The status depends on the license edition, the number of days remaining until
license expiration and the number of days remaining in the grace period (if any).

• E x piration Date — the date when the license will expire.

• Licensed to — the name of an organization to which the license was issued.

• Sup port ID — the unique identification number of the support contract (required for contacting the Veeam
Customer Support Team).

• Ty p e — the license edition ( Free, Subscription).

NOTE

Subscription is the name of the BYOL license in Veeam Backup for Microsoft Azure.

• Instances — the total number of license units included in the license file and the number of units
consumed by protected resources.

Each instance that has a restore point created in the past 31 days is considered to be protected and
consumes one license unit. To view the list of instances that consume license units, switch to the License
Usa ge tab.

33 | V eeam Backup for Microsoft A zure | User Guide

Revoking License Units
By default, Veeam Backup for Microsoft Azure automatically revokes a license unit from a protected instance if
no new restore points have been created by the backup policy during the past 31 days. However, you can
manually revoke license units from protected instances — this can be helpful, for example, if you remove a
number of instances from a backup policy and do not want to protect them anymore.

To revoke a license unit from an instance, do the following:

1. Switch to the Configuration page.

2. Navigate to Licensing > License Usage.

3. Select the instance that you no longer want to protect.

4. Click Revoke License.

34 | V eeam Backup for Microsoft Azure | User Guide

Architecture Overview
The Veeam Backup for Microsoft Azure architecture includes the following components:

• Backup appliance

• Backup repositories

• Worker instances

Backup Appliance
The backup appliance is a Linux-based Azure VM where Veeam Backup for Microsoft Azure is installed. The
backup appliance performs the following administrative activities:

• Manages architecture components.

• Coordinates snapshot creation, backup and recovery tasks.

• Controls backup policy scheduling.

• Generates daily reports and email notifications.

Backup Appliance Components

The backup appliance uses the following components:

• Ba ckup service — coordinates data protection and disaster recovery operations.

• Configuration database — stores data on the existing backup policies, worker instance configurations,
connected Microsoft Azure accounts and so on, as well as information on the available and protected
resources collected from Microsoft Azure.

• Configuration restore service — allows users to restore the configuration of the backup appliance and
migrate the Veeam Backup for Microsoft Azure configuration from one backup appliance to another
backup appliance in Microsoft Azure.

• W eb UI — provides a web interface that allows users to access the Veeam Backup for Microsoft Azure
functionality.

• Up dater service — allows Veeam Backup for Microsoft Azure to check and install product and package
updates.

• RE ST API service — allows users to perform operations with Veeam Backup for Microsoft Azure entities
using HTTP requests and standard HTTP methods. For details, see the Veeam Backup for Microsoft Azure
REST API Reference.

Backup Repositories
A backup repository is a folder in a blob container where Veeam Backup for Microsoft Azure stores image -level
backups of Azure VMs and backups of Azure SQL databases.

To communicate with a backup repository, Veeam Backup for Microsoft Azure uses Veeam Data Mover — the
service that runs on a worker instance and that is responsible for data processing and transfer. When a backup
policy addresses the backup repository, the Veeam Data Mover establishes a connection with the repository to
enable data transfer.

35 | V eeam Backup for Microsoft Azure | User Guide

 IMP ORTANT

Backups are stored in backup repositories in the native Veeam format and must be modified neither
manually nor by 3rd party tools. Otherwise, Veeam Backup for Microsoft Azure may fail to restore the
backed-up data.

Encryption on Repositories
For enhanced data security, Veeam Backup for Microsoft Azure allows you to enable encryption at the repository
level. Veeam Backup for Microsoft Azure uses the same encryption standards as Veeam Backup & Replication to
encrypt backups stored in backup repositories. To learn what encryption standards Veeam Backup & Replication
uses to encrypt its data, see the Encryption Standards section of the Veeam Backup & Replication User Guide.

To learn how to enable encryption at the repository level, configure the repository settings as described in
section Adding Backup Repositories, and choose whether you want to encrypt data using a password or using an
Azure Key Vault cryptographic key.

Limitations for Repositories

To use a blob container as a target location for backups, you must connect to an Azure storage account in which
this blob container resides, as described in section Adding Backup Repositories.

Veeam Backup for Microsoft Azure supports the following types of Azure storage accounts:

Storage Account Type Sup ported Performance Tiers Sup ported Access Tiers

General-purpose V2 Standard Hot, Cool, Archive

BlobStorage Standard Hot, Cool, Archive

IMP ORTANT

Consider the following limitations for storage accounts:

• Veeam Backup for Microsoft Azure does not support creation of backup repositories in storage
accounts with enabled blob soft delete option.
• Veeam Backup for Microsoft Azure does not support archive tiering of storage accounts with
enabled zone data redundancy (ZRS, GZRS, RA-GZRS) option.

Worker Instances
A worker instance is an auxiliary Linux-based virtual machine that is responsible for the interaction between the
backup appliance and other components of the Veeam Backup for Microsoft Azure architecture. Worker
instances process backup workload and distribute backup traffic when transferring data to backup repositories.

36 | V eeam Backup for Microsoft Azure | User Guide

Veeam Backup for Microsoft Azure automatically launches worker instances to process Azure VMs and Azure
SQL databases when performing a backup or restore operation, and keeps the instances running for the duration
of the operation. Veeam Backup for Microsoft Azure launches one worker instance per each Azure resource
specified in a backup policy or restore task. To minimize cross-region traffic charges and to speed up the data
transfer, depending on the performed operation, Veeam Backup for Microsoft Azure launches worker instances
in the following locations:

Op eration W orker Instance Location Default Worker Instance Size

Creating image-level Azure region in which a processed Azure Standard_F2s_v2, 2 CPU, 4 GB RAM
backups of Azure VMs VM resides

Creating backups of Azure region in which a SQL Server

Azure SQL databases hosting the processed database resides

Azure file share indexing Azure region in which a processed file

share resides

Creating archived image- Azure region in which an archive backup Standard_E2_v5, 2 CPU 16 GB RAM
level backups of Azure repository storing backed-up data resides
VMs

Creating archived image- Azure region in which an archive backup

level backups of Azure repository storing backed-up data resides
SQL databases

Performing health check Azure region in which a target backup Standard_F2s_v2, 2 CPU, 4 GB RAM
for created restore repository resides
points

Applying retention policy Azure region in which a backup repository

settings to created with backed-up data resides
restore points

Restoring Azure VMs and Azure region in which the restored Azure
Azure SQL databases VM or SQL Server hosting the restored
database resides

Restoring individual Azure region in which the restored virtual

virtual disks of Azure disk resides
VMs

File-level restore from Azure region in which a cloud-native

cloud-native snapshots snapshot resides

File-level restore from Azure region in which a backup repository

image-level backups storing backed-up data resides

37 | V eeam Backup for Microsoft Azure | User Guide

Worker instances are launched based on worker configurations and profiles. For more information, see Managing
Worker Instances.

Worker Instance Components

A worker instance uses the following services:

• Veeam Data Mover — the service that performs data processing tasks. During backup, the Veeam Data
Mover service retrieves source data to backup repositories. During restore, the Veeam Data Mover
transfers backed-up data from backup repositories to the target location.

• File-level recovery browser — the web service that allows you to find and save files and folders of a
backed-up Azure VM to a local machine. The File-level recovery browser is installed automatically on
every worker instance that is launched for file-level recovery.

For more information on recovering files of Azure VMs using the File-level recovery browser, see
Performing File-Level Recovery.

NOTE

By design, Veeam Backup for Microsoft Azure installs the unattended-upgrades package on every
launched worker instance. This package automatically sends requests to the Ubuntu Security Update
repository (security.ubuntu.com) to get and install security updates on the worker instance. To reconfigure
or disable these updates, open a support case.

Security Certificates for Worker Instances

Veeam Backup for Microsoft Azure uses self-signed TLS certificates to establish secure communication between
the web browser on a user workstation and the File-level recovery browser running on a worker instance during
the file-level recovery process. A self-signed certificate is generated automatically on the worker instance when
the recovery session starts.

Requirements for Worker Instances

By default, Veeam Backup for Microsoft Azure creates a new network configuration for each Azure region in
which it launches worker instances. However, you can add custom worker configurations to provide network
settings that will be used to launch worker instances in a specific reg ion. In this case, for every Azure region
where worker instances will be launched, you must specify a virtual network and a subnet to which the worker
instances must be connected. You can also specify a security group that will be associated with the specified
subnet. To learn how to configure network settings for worker instances, see Adding Worker Configuration.

38 | V eeam Backup for Microsoft Azure | User Guide

Deployment
Veeam Backup for Microsoft Azure comes as an image of a Linux-based VM that you can deploy from Microsoft
Azure Marketplace.

39 | V eeam Backup for Microsoft Azure | User Guide

Installing Veeam Backup for Microsoft
Azure
To install Veeam Backup for Microsoft Azure, do the following:

1. Launch the Create Virtual Machine wizard.

2. Configure properties of the Azure VM where Veeam Backup for Microsoft Azure will be installed .

3. Select the type of the OS disk that will be attached to the Azure VM.

4. Configure network settings for the backup appliance.

5. Specify management options for the appliance.

6. Start the installation process.

40 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Create Virtual Machine Wizard
To launch the Create a virtual machine wizard, do the following:

1. Sign in to the Microsoft Azure Marketplace portal using credentials of the Microsoft Azure account that
you plan to use to install Veeam Backup for Microsoft Azure.

2. In the Sea rch Marketplace field, enter Veeam Backup for Microsoft Azure and click the Sea rch icon.

3. In the list of search results, select the necessary product edition and click Get It Now.

For more information on product editions, see Licensing.

4. In the Create this app in Azure window, do the following:

a. Check the contact name, email and phone number of the person responsible for the account used to
log in to Microsoft Azure. You can add any missing information if required.

b. Click Continue.

41 | V eeam Backup for Microsoft A zure | User Guide

 5. Back to the Microsoft Azure portal, click Create.

42 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Configure Azure VM Properties
At the Ba sics step of the Create a virtual machine wizard, do the following:

1. From the Sub scription drop-down list, select a Microsoft Azure subscription that will be used to manage
costs of the backup appliance.

For a subscription to be displayed in the Sub scription list, it must be created and assigned to the tenant as
described in Microsoft Docs.

2. From the Resource group drop-down list, select a resource group that will hold resources related to the
backup appliance.

You can either use an existing resource group or create a new one. For more information on creating and
managing resource groups, see Microsoft Docs.

3. In the Virtual machine name field, enter a name for the backup appliance.

4. From the Reg ion drop-down list, select a Microsoft Azure region where the backup appliance will operate.

For more information on the Azure regions, see Microsoft Docs.

NOTE

Regardless of the region you select, you will be able to manage Azure VMs that operate in other Microsoft
Azure regions as well.

5. From the Ava ilability options drop-down list, choose whether you want to require any infrastructure
redundancy to achieve high availability:

o Select the Ava ilability set option to include the backup appliance in an availability set. You can either
use an existing availability set or create a new one.

Availability sets allow you to distribute VMs across multiple physical hardware resources.

o Select the Ava ilability zone option to place the backup appliance in an availability zone within the
selected Microsoft Azure region.

Availability zones allow you to distribute VMs across multiple unique physical locations and to protect
your data from datacenter failures. Each Microsoft Azure region contains 3 availability zones. If one or
more datacenters in one zone malfunctions, your Azure resources will become instantly available in
another zone.

For more information on availability options for VMs in Azure, see Microsoft Docs.

6. From the Image drop-down list, select Veeam Backup for Microsoft Azure .

7. Make sure the Azure Spot Instance option is disabled.

The Spot VMs functionality allows Azure to redistribute the currently unused storage capacity between
different Azure resources. It is not recommended that you set the Azure Spot Instance to Yes since this
may cause a performance malfunction of the backup appliance.

For more information on using Spot VMs in Azure, Microsoft Docs.

8. In the Size section, choose a size for the backup appliance. The recommended hardware minimum for an
Azure VM running Veeam Backup for Microsoft Azure is 2 vCPU and 4 GB RAM.

For more information on sizes for VMs in Azure, see Microsoft Docs.

43 | V eeam Backup for Microsoft Azure | User Guide

 9. In the Ad ministrator account section:

a. Set the Authentication type option to Password .

b. In the Username and P a ssword fields, specify credentials for the Default Admin account that you will
use for your first login to Veeam Backup for Microsoft Azure.

IMP ORTANT

Do not use veeamazure and veeamflr as the user name — otherwise, you will not be able to access the
backup appliance after installation. These names are reserved by Veeam Backup for Microsoft Azure.

10. Click Nex t : Disks >.

44 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Select OS Disk Type
At the Disks step of the Create a virtual machine wizard, do the following:

1. From the OS d isk type drop-down list, select a type of the Azure managed disk that will be attached to the
backup appliance.

It is recommended that you use Premium SSD to ensure better performance of the disk. For more
information on available Azure managed disk types, see Microsoft Docs.

2. From the E ncryption type drop-down list, choose whether you want to use a default platform-managed
key or a customer-managed key to encrypt Veeam Backup for Microsoft Azure data.

o Select the E ncryption on at-rest with a p latform-managed key option to use the default type of
encryption.

o Select the E ncryption on at-rest with a customer-managed key option to specify your own key. This
ensures better control of your keys and data, but has a number of restrictions. For a customer-
managed encryption key to be displayed in the Disk encryption set list, it must be created in the
Microsoft Azure portal as described in Microsoft Docs.

3. Other options on the Disks page are preconfigured by Veeam Backup for Microsoft Azure and cannot be
changed. Click Nex t : Networking >.

45 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Configure Network Settings
At the Networking step of the Create a virtual machine wizard, do the following:

1. From the Virtual network drop-down list, select a virtual network to which you want to connect the
backup appliance.

You can either use an existing virtual network or create a new one. For more information on building
networks in Microsoft Azure, see Microsoft Docs.

2. From the Sub net drop-down list, select a subnet to which you want to connect the backup appliance.

Subnets allow you to segment virtual networks and distribute the address space among Azure resources.
You can either use an existing subnet or add a new one. For more information on managing subnets in
Microsoft Azure, see Microsoft Docs.

3. From the P ub lic IP drop-down list, select a public IP address that will be associated with the backup
appliance.

Public IP addresses allows Azure VMs to communicate to the Internet and public-facing Azure services.
You can either use an existing public IP address or add a new one. For more information on assigning
public IP address to Azure resources, see Microsoft Docs.

4. From the Configure network security group drop-down list, select a security group that will be associated
with the specified subnet.
Security groups are used to filter network inbound traffic to and outbound traffic from Azure resources.
Each security group contains a set of rules that control the traffic. You can either use an existing security
group or create a new one. For more information on configuring security group rules, see Microsoft Docs.

IMP ORTANT

Consider that security rules configured in the selected network security group must allow direct network
traffic to Azure resources. Proxy redirect and setting a proxy in the Veeam Backup for Microsoft Azure
configuration are not supported.

5. Make sure that the P la ce this virtual machine behind an existing load balancing solution option is disabled.

Load balancers allow you to distribute traffic load among several VMs, but since there is only one VM
running Veeam Backup for Microsoft Azure, no load balancing is required. It is not recommended that you
set the P lace this virtual machine behind an existing load balancing solution option to Yes since this may
cause an unpredictable performance malfunction of the VM running Veeam Backup for Microsoft Azure.
For more information on using load balancers in Microsoft Azure, see Microsoft Docs.

46 | V eeam Backup for Microsoft Azure | User Guide

 6. Other options on the Networking page are preconfigured by Veeam Backup for Microsoft Azure and
cannot be changed. Click Review + create .

47 | V eeam Backup for Microsoft Azure | User Guide

Step 5. Specify Management Options
At the Ma nagement step of the Create a virtual machine wizard, do the following:

1. Use the Boot diagnostics option to choose whether you want to capture the console output and
screenshots of the backup appliance. This may help you troubleshoot server malfunction issues.

For more information on how to use boot diagnostics in Microsoft Azure, see Microsoft Docs.

2. Use the OS g uest diagnostics option to choose whether you want to collect capacity-related guest OS
metrics. This may also help you troubleshoot server malfunction issues.

3. From the Diagnostics storage account drop-down list, select a storage account that will be used to keep
the collected diagnostic information. You can either use an existing storage account or create a new one.

To learn how to create Azure storage accounts, see Microsoft Docs.

4. Use the Sy stem assigned managed identity option to choose whether you want to grant the identity
access to the backup appliance. Managed identities ensure protected access to Azure resources.

To learn how to use managed identities, see Microsoft Docs.

5. Make sure the E na ble auto-shutdown check box is not selected. If you enable the auto-shutdown setting,
this may cause an unpredictable performance malfunction of the backup appliance.

48 | V eeam Backup for Microsoft Azure | User Guide

 6. Click Review + create.

49 | V eeam Backup for Microsoft Azure | User Guide

Step 6. Begin Installation
At the Review + create step of the Create a virtual machine wizard, review summary information and click Create
to begin installation.

TIP

If you want to specify advanced configuration settings, deploy additional extensions, pass custom scripts
and assign tags to the backup appliance, navigate to the Ad vanced and Ta gs pages. Follow the instructions
provided in the wizard to configure the remaining options.

50 | V eeam Backup for Microsoft Azure | User Guide

After You Install
To start working with Veeam Backup for Microsoft Azure, you must perform the initial configuration of the
backup appliance:

1. In a web browser, navigate to the Veeam Backup for Microsoft Azure web address.

The address consists of a public IPv4 address or DNS hostname of the backup appliance. Note that the
website is available over HTTPS only.

IMP ORTANT

Internet Explorer is not supported. To access Veeam Backup for Microsoft Azure, use Microsoft Edge
(latest version), Mozilla Firefox (latest version) or Google Chrome (latest version).

2. In the Username and P a ssword fields, specify credentials of the Administrator account that was created
during product installation. In future, you can add other users to grant access to Veeam Backup for
Microsoft Azure. For more information, see Adding User Accounts.

3. Read and accept the Veeam license agreement, Veeam licensing policy, 3rd party components and
software license agreements. If you reject the agreements, you will not be able to continue installation.

NOTE

To increase the security of the Administrator account, it is recommended that you enable multi-factor
authentication (MFA) for the account after you first log in to Veeam Backup for Microsoft Azure. To learn
how to enable MFA, see Enabling Multi-Factor Authentication.

4. [Optional] Generate a new certificate for Veeam Backup for Microsoft Azure, as described in Replacing
Web Certificate.

Consider that after you complete the initial configuration, Veeam Backup for Microsoft Azure will automatically
check if any Veeam and Ubuntu updates are available and install these updates on the backup appliance.

51 | V eeam Backup for Microsoft Azure | User Guide

Uninstalling Veeam Backup for Microsoft
Azure
Veeam Backup for Microsoft Azure creates a number of resources while operating in Microsoft Azure, and these
resources are not removed from Microsoft Azure automatically when you uninstall the solution. That is why you
need to perform the following steps to uninstall Veeam Backup for Microsoft Azure:

1. Remove backed-up data.

2. Remove IAM roles and Azure AD applications used by Veeam Backup for Microsoft Azure to access Azure
resources.

3. Remove Microsoft Azure resources created by Veeam Backup for Microsoft Azure.

IMP ORTANT

Before you uninstall the solution, remove all worker instances and created worker configurations as
described in section Managing Worker Instances.

52 | V eeam Backup for Microsoft A zure | User Guide

Remove Backed-Up Data
When you remove the backup appliance and all resources associated with it, backups and snapshots created by
this backup appliance are not removed from your Azure account automatically. You can later import the created
image-level backups of Azure VMs and backups of Azure SQL databases to a new backup appliance as described
in section Adding Backup Repositories.

If you do not want to keep the backed-up data, remove it manually as described in section Managing Backed-Up
Data before you uninstall the solution. Alternatively, you can remove the data using the Microsoft Azure portal.

NOTE

Consider that snapshots of Azure file shares and Azure VMs with unmanaged disks created by the Veeam
backup service have no specific tags assigned. The snapshots cannot be distinguished from other snapshots
of Azure file shares and Azure VMs with unmanaged disks created in Microsoft Azure. That is why we
recommend to delete these snapshots from the Veeam Backup for Microsoft Azure Web UI before you
uninstall the solution.

To remove the backup data using the Microsoft Azure portal, do the following:

1. Sign in to the Microsoft Azure portal using credentials of the Microsoft Azure account that you used to
install Veeam Backup for Microsoft Azure.

2. Navigate to Resource groups and click the resource group to which the backed-up data belong.

3. Remove the backed-up data:

o To remove backups, click a storage account where the backup repository storing the backed -up data
resides. Navigate to Containers and select a container where the backups are stored. Select a check
box next to the Veeam folder and click Delete.

o To remove cloud-native snapshots, select check boxes next to the necessary snapshots. In the Delete
Resources window, type Yes to confirm the action and click Delete.

IMP ORTANT

If the Azure VM running Veeam Backup for Microsoft Azure resides in a resource group that contains more
than one backup appliance, it is recommended that you first remove snapshots and backups created by this
backup appliance, as described in section Managing Backed-Up Data. Otherwise, you will not be able to
identify snapshots created by the removed backup appliance.

53 | V eeam Backup for Microsoft Azure | User Guide

Remove IAM Roles and Azure AD Applications
IMP ORTANT

Do not remove IAM roles and Azure AD applications if they are still used by other backup appliances.

To remove IAM roles and Azure AD applications created by Veeam Backup for Microsoft Azure, do the following:

1. Sign in to the Microsoft Azure portal using credentials of the Microsoft Azure account that you us ed to
install Veeam Backup for Microsoft Azure.

2. Navigate to Azure Active Directory > Ap p registrations.

a. On the All applications tab, click Ap p lication (client) ID starts with and enter an application ID in the
search field.

TIP

If you do not know the ID of an AD application created by Veeam Backup for Microsoft Azure, navigate to
Accounts, switch to the Azure Accounts or Rep ository Accounts tab, select the necessary account and click
E d it. At the account type step of the opened wizard, select the Sp ecify existing account option and click
Nex t. Then, navigate to the Ap p lication ID field and copy the ID to the clipboard.

b. On the application page, click Delete.

In the Delete app registration window, click Delete to confirm the action.

3. Navigate to Sub scriptions and click the subscription that manages costs of the backup appliance.

On the subscription page, do the following:

a. Navigate to Access control (IAM) > Roles.

b. Select check boxes next to the Veeam Service Account and Veeam Repository Account roles and click
Remove.

54 | V eeam Backup for Microsoft Azure | User Guide

Remove Azure Resources
To remove the backup appliance and all resources created by Veeam Backup for Microsoft Azure, perform the
following steps:

1. Sign in to the Microsoft Azure portal using credentials of the Microsoft Azure account that you used to
install Veeam Backup for Microsoft Azure.

2. Navigate to Resource groups and click the resource group to which the backup appliance belongs. The
resource group page will open.

3. Remove the Azure VM running Veeam Backup for Microsoft Azure and all resources associated with this
Azure VM. To do that:

a. In the Resources section, enter the name of the backup appliance in the search field.

b. In the Resources list, select check boxes next to the resources of the Virtual machine, Network
interface, Public IP address and Disk types, and click Delete.
In the Delete Resources window, type Yes to confirm the action and click Delete.

4. Remove storage accounts and Service Bus namespaces created by Veeam Backup for Microsoft Azure. To
do that:

a. In the Resources section, enter veeam in the search field.

b. In the Resources list, select check boxes next to the resources of the Storage account and Service Bus
namespace types, and click Delete.
In the Delete Resources window, type Yes to confirm the action and click Delete.

TIP

You can filter resources by the Veeam backup appliance ID tag . To find all resources associated with the
backup appliance, navigate to the Overview page of the backup appliance and click the Veeam backup
appliance ID tag .

55 | V eeam Backup for Microsoft Azure | User Guide

Accessing Veeam Backup for Microsoft
Azure
To access Veeam Backup for Microsoft Azure, in a web browser, navigate to the Veeam Backup for Microsoft
Azure web address. The address consists of a public IPv4 address or DNS hostname of the backup appliance.
Note that the website is available over HTTPS only.

IMP ORTANT

Internet Explorer is not supported. To access Veeam Backup for Microsoft Azure, use Microsoft Edge
(latest version), Mozilla Firefox (latest version) or Google Chrome (latest version).

You can access Veeam Backup for Microsoft Azure using a local user account or a user account of an external
identity provider. To learn how to add user accounts to Veeam Backup for Microsoft Azure, see Managing User
Accounts.

NOTE

The web browser may display a warning notifying that the connection is untrusted. To eliminate the
warning, you can replace the TLS certificate that is currently used to secure traffic between the browser
and the backup appliance with a trusted TLS certificate. To learn how to replace certificates, see Working
with Certificates.

Logging In Using Local User Account

To log in using credentials of a Veeam Backup for Microsoft Azure user account, do the following:

1. In the Username and P a ssword fields, specify credentials of an authorized user account.
If you log in for the first time, use credentials of the Administrator account that was created during
product installation. In future, you can add other user accounts to grant access to Veeam Backup for
Microsoft Azure. For more information, see Managing User Accounts.

TIP

If you do not remember the password, you can reset it. To do that, click the Forgot password? link and
follow the instructions provided in the P a ssword Reset window.

2. Select the Rema in logged in check box to stay logged in for 24 hours. Otherwise, you will remain logged in
for 1 hour.

56 | V eeam Backup for Microsoft Azure | User Guide

 3. Click Log in.

If multi-factor authentication (MFA) is enabled for the user, Veeam Backup for Microsoft Azure will
prompt you to enter a code to verify the user identity. In the Verification code field, enter the temporary
six-digit code generated by the authentication application running on your trusted device. Then, click Log
in.

Logging In Using Identity Provider User Account

IMP ORTANT

To access Veeam Backup for Microsoft Azure under a user account of your identity provider, you must first
configure single sign-on settings and then add the identity provider user account to Veeam Backup for
Microsoft Azure.

To log in using an identity provider, do the following:

1. Click Log in with Single Sign-On. You will be redirected to your identity provider portal.

57 | V eeam Backup for Microsoft Azure | User Guide

 2. If you have not logged in yet, log in to the identity provider portal. You will be redirected to the Veeam
Ba ckup for Microsoft Azure Overview page as an authorized user.

Logging Out
To log out, at the top right corner of the Veeam Backup for Microsoft Azure window, click the user name and
then click Log Out.

58 | V eeam Backup for Microsoft Azure | User Guide

Configuring Veeam Backup for Microsoft
Azure
To start working with Veeam Backup for Microsoft Azure, perform a number of steps for its configuration:

1. Add Azure accounts to get access to Azure services and resources.

2. [Optional] Add user accounts to control access to Veeam Backup for Microsoft Azure.

3. [Optional] Add backup repositories.

4. [Optional] Create worker configurations.

5. [Optional] Configure global retention, email notification and single-sign-on settings.

NOTE

Even after you add accounts that manage your Azure resources and configure all the necessary settings,
Veeam Backup for Microsoft Azure will populate neither the list of Azure VMs nor the list of Azure SQL
databases nor the list of Azure file shares on the Resources tab — unless you create backup policies and
specify regions where the Azure resources belong, as described in section Performing Backup.

59 | V eeam Backup for Microsoft Azure | User Guide

Managing Accounts
To perform data protection and disaster recovery operations, and to add objects to Veeam Backup for Microsoft
Azure, you must first create the following types of accounts:

• Service accounts — to get access to Azure resources that you want to protect.

• Repository accounts — to manage backup repositories assigned to folders in blob containers.

• SMTP and SQL Server Accounts — to authenticate against SMTP and Azure SQL Servers.

60 | V eeam Backup for Microsoft Azure | User Guide

Managing Service Accounts
For each data protection and disaster recovery operation performed for an Azure resource, you must specify a
service account that has access to the resource and a set of permissions that determine what operations are
allowed for the resource.

Particularly, Veeam Backup for Microsoft Azure uses service accounts to perform the following tasks:

• To synchronize the Microsoft Azure environment data with the configuration data stored on the backup
appliance.

• To access blob containers used as target locations for backed-up data.

• To create and remove snapshots of Azure VM.

• To create and remove snapshots of Azure file shares.

Adding Azure Service Accounts

To add a new service account, do the following:

1. Launch the Add Azure Account wizard.

2. Specify an account name and description.

3. Select a service account type.

4. Select a service provider.

5. Finish working with the wizard.

61 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Add Azure Account Wizard
To launch the Ad d Azure Account wizard, do the following:

1. Switch to the Configuration page.

2. Navigate to Accounts > Azure Accounts.

3. Click Ad d .

62 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Specify Account Info
At the Account Info step of the wizard, use the Na me and Description fields to enter a name for the new account
and to provide a description for future reference. The maximum length of the name is 255 characters.

63 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Select Service Account Type
At the Service Account Type step of the wizard, choose whether you want to connect to Azure Active Directory
using an existing or a newly created service account.

Creating Service Account Automatically

[This step applies only if you have selected the Create service account automatically option at the Select Service
Account Type step of the wizard]

When you choose to create a service account automatically, Veeam Backup for Microsoft Azure creates a new
Azure AD application in your Microsoft Azure Active Directory. To create the Azure AD application, Veeam
Backup for Microsoft Azure uses the Microsoft Azure Cross-platform Command Line Interface (Azure CLI). To
authenticate to the Azure CLI, you must provide a single-use verification code.

64 | V eeam Backup for Microsoft Azure | User Guide

 IMP ORTANT

Consider the following:

• The Microsoft Azure account that you use to access the Azure CLI must have the
Microsoft.Authorization/*/Write permissions specified in the subscription associated with the backup
appliance. For more information on managing role permissions and security in Microsoft Azure, see
Microsoft Docs.
• If you have disabled the Users can register applications option in the Microsoft Azure portal, make
sure that the newly created Azure AD application has the Application Developer, Application
Administrator or Global Administrator role assigned. For more information on role permissions in
Azure Active Directory, see Microsoft Docs.
• When registering new Azure AD applications, Veeam Backup for Microsoft Azure also creates client
secrets that will be further used to authorize access to Microsoft Azure (one client secret for each
Azure AD application). The lifetime of a client secret is limited to one year. To view the expiration
date of a client secret, navigate to Azure Accounts. To renew a client secret that is about to expire,
follow the instructions provided in section Editing Azure Service Account.

At the Log on to Microsoft Azure step of the wizard, do the following:

1. Click Cop y code to clipboard.

2. Click https://microsoft.com/devicelogin.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t.

b. Select an account that will be used to access the Azure CLI. The account must be assigned either the
User Access Administrator or the Owner role.

IMP ORTANT

Using a personal Microsoft account is not recommended — use a work account instead.

65 | V eeam Backup for Microsoft Azure | User Guide

 4. Back to the Ad d Azure Account wizard, check whether any errors occurred during the authentication
process and click Nex t.

Specifying Existing Service Account

[This step applies only if you have selected the Sp ecify existing service account option at the Select Service
Account Type step of the wizard]

When you specify an existing service account, Veeam Backup for Microsoft Azure connects to an existing Azure
AD application that grants access to your Azure resources. For Veeam Backup for Microsoft Azure to be able to
connect to the Azure AD application, it must be created in Microsoft Azure as described in Microsoft Docs.

At the Service Account step of the wizard, specify an existing service account that grants access to your Azure
resources:

1. In the Ap p lication ID field, enter the application identifier. You can find the identifier in the application
settings of your Azure Active Directory. For more information, see Microsoft Docs.

The specified Azure AD application must have either a custom role or the Contributor and Key Vault
Crypto Officer Azure built-in roles assigned. If the AD application has a custom role assigned, make sure
the role is granted the permissions required to perform backup and restore operations. To learn how to
create custom roles, see Microsoft Docs.

TIP

If you have ever created a new service account using the Create service account automatically option, you
can also assign to the specified Azure AD application the Veeam Service Account role that has been created
in Microsoft Azure environment automatically by Veeam Backup for Microsoft Azure. To learn how to
assign Azure roles, see Microsoft Docs.

66 | V eeam Backup for Microsoft Azure | User Guide

 2. Select an application authentication type:

o Select the Client (application) secret option to use a client secret created in the specified Azure AD
application. In the Secret field, enter the value of the secret. To learn how to create client secrets, see
Microsoft Docs.

o Select the Certificate option to use a certificate uploaded to the specified Azure AD application. In the
Security certificate field, click Select File to locate the certificate. Then, provide a password used to
encrypt the certificate in the Certificate password field. To learn how to upload certificates to Azure
AD applications, see Microsoft Docs.

IMP ORTANT

Veeam Backup for Microsoft Azure supports certificates only in the formats .PFX and .P12.

3. In the Tena nt ID field, enter the tenant ID of the specified Azure AD application.

You can find the tenant ID in the application settings of your Azure Active Directory. For more information,
see Microsoft Docs.

67 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Select Active Directory Group
[This step applies only if you have selected the Creating service account automatically option at the Select
Service Account Type step of the wizard]

At the Active Directory step of the wizard, add your Azure AD application to an Azure Active Directory group to
be able to back up Azure resources as a group:

1. Select the Ad d specified application to this AD group check box.

2. From the list of available groups, select the necessary group.

For a group to be displayed in the list, it must be created in the Microsoft Azure portal as described in
Microsoft Docs.

NOTE

Adding service accounts to AD groups allows users to limit access of the service accounts only to specific
Azure subscriptions.

68 | V eeam Backup for Microsoft Azure | User Guide

Step 5. Finish Working with Wizard
At the Summary step of the wizard, review configuration information and click Finish.

Editing Azure Service Account

For each service account, you can modify settings configured while adding the account:

1. Switch to the Configuration page.

2. Navigate to Accounts > Azure Account.

3. Select the service account and click E d it.

4. Complete the E d it Azure Account wizard.

a. To provide a new name and description for the account, follow the instructions provided in section
Adding Azure Service Account (step 2).

b. To renew the client secret of the currently used Azure AD application or to connect to another service
principal, select either the Renew application or Sp ecify existing service account option at the Service
Account Type step of the wizard and follow the instructions provided in section Adding Azure Service
Account (step 3).

If you do not plan to change the settings of the Azure AD application, select the Don't change current
service account settings option.

c. [This step applies only if you have selected the Renew application or Sp ecify existing service account
option]. To add your Azure AD application to a Microsoft Azure Active Directory resource group,
follow the instructions provided in section Adding Azure Service Account (step 4).

69 | V eeam Backup for Microsoft Azure | User Guide

 d. At the Summary step of the wizard, review configuration information and click Finish.

Removing Azure Service Account

Veeam Backup for Microsoft Azure allows you to permanently remove a service account from the configuration
database if you no longer need it:

1. Switch to the Configuration page.

2. Navigate to Accounts > Azure Account.

3. Select the Azure service account and click Remove.

70 | V eeam Backup for Microsoft Azure | User Guide

 NOTE

You cannot remove a service account that is used by any backup policy, or if Veeam Backup for Microsoft
Azure still uses this account to access any of the existing backup repositories. Disable and remove all the
related policies, remove all the related backup repositories — and then try removing the account again.

71 | V eeam Backup for Microsoft A zure | User Guide

Managing Repository Accounts
Veeam Backup for Microsoft Azure allows you to configure repository accounts that will be used to manage
backup repositories. As opposed to Azure service accounts, repository accounts have granular permissions to
provide access to Azure blob containers.

TIP

You can use your service account to manage repositories. To do that, specify the necessary service account
as a repository one in the Add Repository wizard. However, service accounts are not displayed on the
Rep ository Accounts tab.

Adding Repository Accounts

To add a new repository account, do the following:

1. Launch the Add Repository Account wizard.

2. Specify an account name and description.

3. Select a repository account type.

4. Finish working with the wizard.

72 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Add Repository Account Wizard
To launch the Ad d Repository Account wizard, do the following:

1. Switch to the Configuration page.

2. Navigate to Accounts > Repository Accounts.

3. Click Ad d .

73 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Specify Account Info
At the Account Info step of the wizard, use the Na me and Description fields to enter a name for the new account
and to provide a description for future reference. The maximum length of the name is 255 characters.

74 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Select Repository Account Type
At the Rep ository Account Type step of the wizard, choose whether you want to connect to Azure Active
Directory using an existing or a newly created repository account.

Creating Repository Account Automatically

[This step applies only if you have selected the Create repository account automatically option at the Select
Rep ository Account Type step of the wizard]

When you choose to create a repository account automatically, Veeam Backup for Microsoft Azure creates a new
Azure AD application in your Microsoft Azure Active Directory. To create the Azure AD application, Veeam
Backup for Microsoft Azure uses the Microsoft Azure Cross-platform Command Line Interface (Azure CLI). To
authenticate to the Azure CLI, you must provide a single-use verification code.

IMP ORTANT
• The Microsoft azure account which you used to access the Azure CLI must have the
Microsoft.Authorization/*/Write permissions assigned in the subscription associated with the backup
appliance. For more information on managing role permissions and security in Microsoft Azure, see
Microsoft Docs.
• If you have disabled the Users can register applications option in the Microsoft Azure portal, make
sure that the service account has the Application Developer, Application Administrator or Global
Administrator role. For more information on role permissions in Azure Active Directory, see
Microsoft Docs.

75 | V eeam Backup for Microsoft Azure | User Guide

At the Log on to Microsoft Azure step of the wizard, do the following:

1. Click Cop y code to clipboard.

2. Click https://microsoft.com/devicelogin.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t.

b. Select an account that will be used to access the Azure CLI. The account must be assigned either the
User Access Administrator or the Owner role.

IMP ORTANT

Using a personal Microsoft account is not recommended — use a work account instead.

4. Back to the Ad d Azure Account wizard, check whether any errors occurred during the authentication
process.

Specifying Existing Repository Account

[This step applies only if you have selected the Sp ecify existing repository account option at the Select
Rep ository Account Type step of the wizard]

76 | V eeam Backup for Microsoft Azure | User Guide

When you specify an existing repository account, Veeam Backup for Microsoft Azure connects to an existing
Azure AD application that grants access to your Azure resources. For Veeam Backup for Microsoft Azure to be
able to connect to the Azure AD application, it must be created in the Microsoft Azure portal as described in
Microsoft Docs.

At the Service Account step of the wizard, specify an existing service account that grants access to your Azure
resources:

1. In the Ap p lication ID field, enter the application identifier. You can find the identifier in the application
settings of your Azure Active Directory. For more information, see Microsoft Docs.

The specified Azure AD application must have either a custom role or the Contributor and Key Vault
Crypto Officer Azure built-in roles assigned. If the AD application has a custom role assigned, make sure
the role is granted the permissions required to manage backup repositories. To learn how to create custom
roles, see Microsoft Docs.

TIP

If you have ever created a new service account using the Create repository account automatically option,
you can also assign to the specified Azure AD application the Veeam Repository Account role that has been
created in Microsoft Azure environment automatically by Veeam Backup for Microsoft Azure. To learn how
to assign Azure roles, see Microsoft Docs.

2. Select an application authentication type:

o Select the Client (application) secret option to use a client secret created in the specified Azure AD
application. In the Secret field, enter the value of the secret. To learn how to create client secrets, see
Microsoft Docs.

o Select the Certificate option to use a certificate uploaded to the specified Azure AD application. In the
Security certificate field, click Select File to locate the certificate. Then, provide a password used to
encrypt the certificate in the Certificate password field. To learn how to upload certificates to Azure
AD applications, see Microsoft Docs.

IMP ORTANT

Veeam Backup for Microsoft Azure supports certificates only in the formats .PFX and .P12.

77 | V eeam Backup for Microsoft Azure | User Guide

 3. In the Tena nt ID field, enter the tenant ID of the specified Azure AD application.

You can find the tenant ID in the application settings of your Azure Active Directory. For more information,
see Microsoft Docs.

78 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Finish Working with Wizard
At the Summary step of the wizard, review configuration information and click Finish.

Editing Repository Accounts

For each repository account, you can modify settings configured while adding the account:

1. Switch to the Configuration page.

2. Navigate to Accounts > Repository Accounts.

3. Select the repository account and click E d it.

4. Complete the E d it Repository Account wizard.

a. To provide a new name and description for the account, follow the instructions provided in section
Adding Repository Accounts (step 2).

b. To renew the current Azure AD application or to specify another existing repository account, follow
the instructions provided in section Adding Repository Accounts (step 3).

If you do not plan to update or change the Azure AD application, select the Don't change current
service account settings option.

79 | V eeam Backup for Microsoft Azure | User Guide

 c. At the Summary step of the wizard, review configuration information and click Finish to confirm the
changes.

Removing Repository Accounts

Veeam Backup for Microsoft Azure allows you to permanently remove a repository account from the
configuration database if you no longer need it:

1. Switch to the Configuration page.

2. Navigate to Accounts > Repository Accounts.

3. Select the repository account and click Remove.

NOTE

You cannot remove a repository account if Veeam Backup for Microsoft Azure still uses this account to
access any of the existing backup repositories. Remove all the related backup repositories and then try
removing the account again.

80 | V eeam Backup for Microsoft Azure | User Guide

Managing SMTP and SQL Server Accounts
To allow Veeam Backup for Microsoft Azure to authenticate against protected Azure SQL Servers and SMTP
servers used for sending email notifications, you must specify credentials that will be used to access t he servers.

Adding Accounts
To add an account that will be used to connect to an SMTP server or a SQL Server, do the following:

1. Launch the Add Account wizard.

2. Specify an account name and description.

3. Specify credentials and a type for the account.

4. Finish working with the wizard.

81 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Add Account Wizard
To launch the Ad d Account wizard, do the following:

1. Switch to the Configuration page.

2. Navigate to Accounts > Accounts.

3. Click Ad d .

82 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Specify Account Info
At the Account Info step of the wizard, use the Na me and Description fields to enter a name for the new account
and to provide a description for future reference. The maximum length of the name is 255 characters.

83 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Specify Credentials
At the Account step of the wizard, choose whether the account will be used to connect to an SMTP server or an
Azure SQL Server, and specify credentials of a user account that will be used to authenticate against the server.

IMP ORTANT

If you select the Azure SQL server account type, you must specify credentials of a SQL Server Admin
account. Azure Active Directory authentication is not supported.

84 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Finish Working with Wizard
At the Summary step of the wizard, review configuration information and click Finish.

Editing Accounts
For each SMTP and Azure SQL account, you can modify settings configured while creating the account:

1. Switch to the Configuration page.

2. Navigate to Accounts > Accounts.

3. Select the account and click E d it.

4. Complete the E d it Account wizard.

a. To provide a new name and description for the account, follow the instructions provided in section
Adding Accounts (step 2).

b. To provide a new user name and password for the account, follow the instructions provided in section
Adding Accounts (step 3).

c. At the Summary step of the wizard, review configuration information and click Finish.

85 | V eeam Backup for Microsoft Azure | User Guide

Managing User Accounts
Veeam Backup for Microsoft Azure controls access to its functionality with the help of user roles. A role defines
what operations users can perform and what range of data is available to them in the Veeam Backup for
Microsoft Azure UI.

There are 3 user roles that you can assign to users working with Veeam Backup for Microsof t Azure:

• P ortal Administrator — can perform all configuration actions, and can also act as a Portal Operator and
Restore Operator.

• P ortal Operator — can create, edit and start backup policies, manage the protected data, perform all
restore operations and view session statistics.

• Restore Operator — can only perform restore operations and view session statistics.

IMP ORTANT

The list of portal users may display user accounts with the Company Administrator role assigned — these
accounts are intended to be used for the integration of Veeam Backup for Microsoft Azure and Veeam
Service Provider Console, and are created using the Veeam Service Provider Console plug-in. It is not
recommended that you perform any actions with these users.

The following table describes the functionality available to users with different roles in the Veeam Backup for
Microsoft Azure UI.

P ortal
Ta b Functionality P ortal Operator Restore Operator
Ad ministrator

Overview Dashboard Full Full N/A

Resources Infrastructure Full Full N/A

P olicies Backup policies Full Full N/A

P rotected Restore Full Full Full

Da ta

File-level restore Full Full Full

Remove Full Full N/A

Session Log Session logs Full Full Full

Stop session execution Full Full Full

Configuration

86 | V eeam Backup for Microsoft Azure | User Guide

 P ortal
Ta b Functionality P ortal Operator Restore Operator
Ad ministrator

Accounts Azure service and repository Full N/A N/A

accounts, SQL Server and
SMTP accounts, portal users

Repositories Backup repositories Full N/A N/A

W orkers Worker instances Full N/A N/A

Settings General settings Full N/A N/A

Licensing Licensing Full N/A N/A

Sup port Updates and logs Full N/A N/A

Information

87 | V eeam Backup for Microsoft Azure | User Guide

Adding User Accounts
To manage access to Veeam Backup for Microsoft Azure, you can create local user accounts or add user accounts
of your identity provider. To be able to retrieve user identities from the identity provider, you must first
configure single sign-on settings.

To add a Veeam Backup for Microsoft Azure user account, do the following:

1. Switch to the Configuration page.

2. Navigate to Accounts > P ortal Users.

3. Click Ad d .

4. Complete the Ad d User wizard.

a. At the Ty p e step of the wizard, choose whether you want to create a new Veeam Backup for Microsoft
Azure user or to retrieve a user identity from your identity provider.

b. At the Na me step of the wizard, specify a name and description for the user account.

The maximum length of the account name is 32 characters. An account name can contain only
lowercase and uppercase Latin letters, numeric characters, underscores and dashes. A description can
contain only lowercase and uppercase Latin letters, numeric characters, dots, commas and spaces.

IMP ORTANT

If you have selected the Id entity Provider account option at step 4a, the name specified for a user account
must match the value of an attribute that the identity provider will send to Veeam Backup for Microsoft
Azure to authenticate the user. For more information, see Configuring SSO Settings.

c. At the Account Settings step of the wizard, select a role for the user account. For more information on
user roles, see Managing User Accounts.

If you have selected the Veeam Backup for Microsoft Azure account option at step 4a, specify a
password for the new Veeam Backup for Microsoft Azure user account.

d. At the Summary step of the wizard, review summary information and click Finish.

88 | V eeam Backup for Microsoft Azure | User Guide

Editing User Accounts
For each user account, you can modify settings configured while adding the account:

1. Switch to the Configuration page.

2. Navigate to Accounts > P ortal Users.

3. Select the account and click E d it.

4. Complete the E d it User wizard:

a. At the Na me step, provide a new description for the account.

b. At the Account Settings step, choose a new role for the account.

c. At the Summary step, review summary information and click Finish to confirm the changes.

89 | V eeam Backup for Microsoft Azure | User Guide

Changing User Passwords
For Veeam Backup for Microsoft Azure user accounts, you can change the password specified while creating the
account.

NOTE

Consider the following:

• The Cha nge Password option is disabled for the Default Admin account. To learn how to change the
password of this account, see Changing Default Admin Password.
• You cannot change passwords of user accounts whose user identities were obtained from an identity
provider.

To change the password, do the following:

1. Switch to the Configuration page.

2. Navigate to Accounts > P ortal Users.

3. Select the user account and click Cha nge Password.

4. In the Cha nge Password window, enter the currently used password, enter and confirm a new password,
and then click OK.

TIP

You can change a password of a user that is currently logged in as described in section Changing Default
Admin Password.

90 | V eeam Backup for Microsoft Azure | User Guide

Changing Default Admin Password
To change the password of the Default Admin account:

1. Log in to Veeam Backup for Microsoft Azure using credentials of the Default Admin account.

2. At the top right corner, click the user name and select Cha nge Password.

3. In the Cha nge Password window, enter the currently used password, enter and confirm a new password,
and click OK.

91 | V eeam Backup for Microsoft Azure | User Guide

Enabling Multi-Factor Authentication
Multi-factor authentication (MFA) in Veeam Backup for Microsoft Azure is based on the Time-based One-Time
Password (TOTP) method that requires the user to verify their identity by providing a temporary six -digit code
generated by an authentication application running on a trusted device.

IMP ORTANT

You cannot enable MFA for a user account whose user identity was obtained from an identity provider.

To enable MFA for a user account, do the following:

1. Switch to the Configuration page.

2. Navigate to Accounts > P ortal Users.

3. Select the account and click E na ble MFA.

4. Follow the instructions provided in the E na bling MFA window:

a. Install a supported authentication application on a trusted device. To view the list of authentication
applications supported by Veeam Backup for Microsoft Azure, click See a list of compatible
a p plications.

You can use any application that supports the TOTP protocol.

b. Scan the displayed QR code using the camera of the trusted device.

You can also provide a secret code that you can find in the Alternatively, type in the secret code field
if you do not want to scan the QR code.

c. Enter a verification code sent by the authentication application.

d. Click OK.

92 | V eeam Backup for Microsoft Azure | User Guide

Managing Backup Repositories
Veeam Backup for Microsoft Azure uses blob containers as target locations for image-level backups of Azure
VMs and Azure SQL databases. To store backups in blob containers, configure backup repositories. A repository
is a specific folder created by Veeam Backup for Microsoft Azure in a blob container .

IMP ORTANT

A backup repository must not be managed by multiple backup appliances simultaneously. Retention
sessions running on different backup appliances may corrupt backups stored in the repository, which may
result in unpredictable data loss.

93 | V eeam Backup for Microsoft Azure | User Guide

Adding Backup Repositories
To add a new backup repository, do the following:

1. Launch the Add Repository wizard.

2. Specify a repository name and description.

3. Configure repository settings.

4. Enable encryption for the backup repository.

5. Configure load options for the backup repository.

6. Finish working with the wizard.

94 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Add Repository Wizard
To launch the Ad d Repository wizard, do the following:

1. Switch to the Configuration page.

2. Navigate to Rep ositories.

3. Click Ad d .

95 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Specify Repository Name
At the Na me step of the wizard, use the Na me and Description fields to enter a name for the new backup
repository and to provide a description for future reference. The maximum length of the name is 125 characters.
The following characters are not supported: * : / \ ? " < > | ! @ # $ % ^ &.

96 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Configure Repository Settings
At the Container step of the wizard, select an Azure account that will be used to access the created repository,
specify a location where the repository will be created, and configure immutability settings for the repository.

Specifying Azure Account

In the Account section, select an Azure account whose permissions Veeam Backup for Microsoft Azure will use
to create the new repository in the target Azure blob container and further to access the repository when
performing data protection and recovery tasks. It is recommended that you check whether the selected Azure
account has all the required permissions to perform the operation. For more information on permissions
required for the Azure account, see Azure Account Permissions.

For an account to be displayed in the Account list, it must be added to Veeam Backup for Microsoft Azure as
described in section Adding Azure Service Account or Adding Repository Accounts. If you have not added the
necessary repository account to Veeam Backup for Microsoft Azure beforehand, you can do it without closing
the Ad d Repository wizard. To add an account, click Ad d and complete the Ad d Repository Account wizard.

Choosing Repository Location

In the Loca tion section, do the following:

1. Specify a storage account where the target blob container resides. To do that, click Sp ecify storage
a ccount and select the necessary storage account in the Select storage account window. Veeam Backup
for Microsoft Azure will use the account to access the backup repository.

For a storage account to be displayed in the list of available accounts, it must be created in the Microsoft
Azure portal as described in Microsoft Docs.

IMP ORTANT

Consider the following:

• Veeam Backup for Microsoft Azure does not support creation of backup repositories in storage
accounts with the blob soft delete option enabled.
• Veeam Backup for Microsoft Azure does not support creation of backup repositories in storage
accounts with the Geo-zone-redundant storage (GZRS) or Read-access geo-zone-redundant storage
(RA-GZRS) redundancy option enabled.
• Veeam Backup for Microsoft Azure does not support creation of archive repositories in storage
accounts with the Zone-redundant storage (ZRS) redundancy option enabled.

2. Choose a blob container that will be used as a target location for backups of Azure resources. To do that,
click Not specified and select the necessary blob container in the Select container window.

For a container to be displayed in the Container list, it must be created for the selected storage account in
the Microsoft Azure portal as described in Microsoft Docs.

3. Choose whether you want to use an existing folder inside the selected blob container or to create a new
one to group backup files stored in the container.

o To create a new folder, select the Create new folder option and specify a name for the folder. The
maximum length of the name is 256 characters; the slash (/) and backslash ( \) characters are not
supported.

97 | V eeam Backup for Microsoft Azure | User Guide

 o To use an existing folder, select the Use existing folder option and click Select folder. In the Select
folder window, select the necessary folder and click Ap p ly.

For a folder to be displayed in the Fold er list, it must be created by any backup appliance as a
repository (either existing or already removed from the backup infrastructure) in the selected blob
container.

IMP ORTANT

If you select an existing folder for storing backup files, consider the following:

• The created backup repository will have the storage tier that has been specified when creating the
folder. You cannot change the storage tier for the repository.
• If encryption is enabled for the selected folder at the repository level, you must provide a password
or an encryption key for this folder at step 4 of the wizard.
• If the selected folder already contains backups created by the Veeam backup service, Veeam Backup
for Microsoft Azure will import the backup data to the configuration database. You can use this data
to perform all disaster recovery operations described in section Performing Restore.
By default, Veeam Backup for Microsoft Azure applies retention settings saved in the backup
metadata to the imported backups. However, if the selected folder contains backups of resources
that you plan to protect by a backup policy with the created repository specified as a backup target,
Veeam Backup for Microsoft Azure will rewrite the saved retention settings and will apply to the
imported backups new retention settings configured for that backup policy.

4. [This step applies only if you have selected the Create new folder option] In the Storage class section,
choose whether you want to specify a tier for the repository manually, or to instruct Veeam Backup for
Microsoft Azure to create 3 separate repositories for the Hot, Cool and Archive access tiers automatically.

If you select the Choose your tier option, you must specify the access tier type that will be used to manage
the costs of storing backed-up data.

o Select the Hot tier if you plan to access the backed-up data frequently.

o Select the Cool tier if you plan to store the backed-up data for at least 30 days and do not plan to
access it frequently.

o Select the Archive tier if you plan to store the backed-up data for at least 180 days.

Note that to restore data from an archive, you will first need to retrieve data from it. For more
information on how to retrieve the data, see Retrieving Data from Archive.

o Select the Inferred tier if you plan to use the same access tier as specified for the storage account
where the selected repository resides.

For more information on access tiers for blob storage accounts, see Microsoft Docs.

IMP ORTANT

If you select the Archive tier for a backup repository, consider the following:

• Veeam Backup for Microsoft Azure supports only the following storage account data redundancy
options: locally redundant storage (LRS), geo-redundant storage (GRS), read-access geo-redundant
storage (RA-GRS).
• The archive tier is not available in specific Azure regions. For more information, see Microsoft Docs.

98 | V eeam Backup for Microsoft Azure | User Guide

Reviewing Immutability Settings
Veeam Backup for Microsoft Azure allows you to protect backups stored in the repository from being lost as a
result of malware, ransomware or any other malicious actions. To do that, you can create repositories with
immutability enabled. For more information on immutability, see How Immutability Works.

If you plan to enable immutability settings for the created repository, make sure that:

• Either version-level immutability support or blob versioning is enabled for the specified storage account,
and the default time-based retention policy is not configured for the account.

• Version-level immutability support is enabled for the specified blob container.

NOTE

For security reasons, it is recommended that you have a dedicated Microsoft Azure subscription that will
manage Azure storage accounts in which immutable backup files will be stored. To do that, specify an
Azure account associated with the necessary subscription as described in section Specifying Azure Account,
and then choose an Azure storage account and Azure blob container that meet the immutability
requirements.

As soon as you select a blob container, Veeam Backup for Microsoft Azure verifies the settings configured for
the storage account and blob container, and displays the following information in the Immutability section:

• If the storage account and the container meet the immutability requirements, Veeam Backup for Microsoft
Azure automatically selects the Ba ckups stored in this repository will be immutable check box. In this
case, the repository will be created with immutability enabled.

99 | V eeam Backup for Microsoft Azure | User Guide

 • If the storage account or the container does not meet the immutability requirements, Veeam Backup for
Microsoft Azure automatically clears the Ba ckups stored in this repository will be immutable check box. In
this case, the repository will be created with immutability disabled.

How Immutability Works

Veeam Backup for Microsoft Azure allows you to protect data stored in backup repositories from deletion by
making the data temporarily immutable. To do that, Veeam Backup for Microsoft Azure uses Immutable storage
for Azure Blob Storage — once imposed, Immutable storage prevents objects from being deleted or overwritten
for a specific immutability period. The immutability period is set based on the retention policy configured in the
backup policy settings.

Considerations and Limitations

Consider that you cannot perform the following operations with image-level backups and archived backups
stored in repositories with immutability enabled:

• You cannot remove data manually using the Veeam Backup for Microsoft Azure Web UI, as described in
sections Removing VM Backups and Snapshots and Removing SQL Backups.

• You can neither remove data from Microsoft Azure using any cloud service provider tools nor request the
technical support department to do it for you — none of the protected objects can be overwritten or
deleted by any user, including the Global Administrator in your Azure Active Directory.

100 | V eeam Backup for Microsoft Azure | User Guide

Block Generation
If you choose a repository with immutability settings enabled as the target location for image -level backups,
Veeam Backup for Microsoft Azure creates an immutable backup chain in the repository instead of a regular
backup chain. Immutable backup chains are built the same way as standard and archive backup chains, which
means that each immutability chain is composed of a set of backups produced during a sequence of backup
sessions, and that the same retention policies apply to these chains. The only difference is that files in
immutable backup chains can be neither removed nor modified until the immutability period is over. Therefore,
every time Veeam Backup for Microsoft Azure creates a new incremental backup containing modified data
blocks, the retention period of the dependent unchanged data blocks (in the preceding incremental and full
backups) is supposed to be extended. This can cause a substantial increase in I/O operations and associated
costs incurred by Microsoft Azure.

To reduce the number of requests to the repository, thus to save traffic and to reduce transaction costs, Veeam
Backup for Microsoft Azure leverages the Block Generation mechanism. A generation is a period of up to 10 da ys
that extends the retention period configured for backups in the immutable backup chain. This means that the
retention period is not explicitly extended for each dependent data block every time Veeam Backup for
Microsoft Azure creates a new incremental backup in the chain within one generation (during these 10 days).

Block Generation works in the following way:

1. During the first backup session, Veeam Backup for Microsoft Azure creates a full backup in a backup
repository and adds 10 days to its retention period. The full backup becomes a starting point in the first
generation of the immutable backup chain.

2. During subsequent backup sessions, Veeam Backup for Microsoft Azure copies only those data blocks that
have changed since the previous backup session, and stores these data blocks to incremental backups in
the backup repository. The content of each incremental backup depends on the content of the full backup
and the preceding incremental backups in the immutable backup chain. Veeam Backup for Microsoft Azure
adds <10 - N> days to the retention period of these backups, where N is the number of days since the first
backup in the generation was created.

As a result, all backups within one generation will have the same retention date, and will not be removed
by the retention policy before this date.

3. On the 11th day a new block generation period is initiated. Veeam Backup for Microsoft Azure creates a
new incremental backup and adds 10 days to its retention period. This backup becomes a starting point in
the second generation of the immutable backup chain. The new generation is automatically applied to all
dependent data blocks from the preceding backups.

4. Veeam Backup for Microsoft Azure repeats step 2 for the second generation.

5. Veeam Backup for Microsoft Azure continues keeping dependent data blocks immutable by applying new
generations to these blocks, thus continuously extending their retention period.

Consider the following example. You want a backup policy to create image-level backups of your critical
workloads once a day starting from March 1, and to keep the backed -up data immutable for 5 days. In this case,
you do the following:

1. In the policy target settings, you set the E na ble backups toggle to On, and select a backup repository with
immutability enabled as the target location for the created backups.

2. In the daily scheduling settings, you select an hour when backups will be created (for example, 7:00 AM),
and specify the number of days for which Veeam Backup for Microsoft Azure will retain the created
backups ( 5 days).

101 | V eeam Backup for Microsoft Azure | User Guide

According to the specified scheduling settings, Veeam Backup for Microsoft Azure will create image -level
backups in the following way:

1. On March 1, a backup session will start at 7:00 AM to create the full backup in the immutable backup
chain. Veeam Backup for Microsoft Azure will add 10 days to the retention period specified in the backup
policy settings. Thus, the retention period of the backup will be prolonged to 15 days, and the expiration
date will become March 16.

2. On March 2, Veeam Backup for Microsoft Azure will create a new incremental backup at 7:00 AM and add
9 days to the retention period specified in the backup policy settings. Thus, the retention period of the
incremental backup will be prolonged to 14 days, and the retention date will become March 16.

3. On March 3-10, Veeam Backup for Microsoft Azure will continue creating incremental backups and
extending their retention period so that the retention date will still remain March 16.

4. On March 11, Veeam Backup for Microsoft Azure will create a new backup at 7:00 AM. During the backup
session, Veeam Backup for Microsoft Azure will initiate a new block generation period, and apply the new
generation to the newly created backup and all dependent data blocks . The retention period of this
backup will be prolonged to 15 days, and the immutability expiration date will become March 26.

Then, all data blocks of the preceding backups whose retention period has not been extended will be
removed by a retention session due to the immutability period expiration.

102 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Enable Data Encryption
At the E ncryption step of the wizard, choose whether you want to encrypt backups stored in the selected blob
container.

NOTE

If you have selected an existing folder at the Container step of the wizard, you cannot change the
encryption settings while adding the repository. If encryption is enabled for this folder at the repository
level, you must provide the currently used password or an encryption key to let Veeam Backup for
Microsoft Azure access this folder and add it as a backup repository. You will be able to edit the repository
settings later as described in section Editing Backup Repositories.

To enable encryption for the backup repository, do the following:

1. Click E d it Encryption Settings.

2. In the E ncryption settings window, set the E na ble encryption toggle to On.

IMP ORTANT

After you create a repository with encryption enabled, you will not be able to disable encryption for this
repository. However, you will still be able to change the encryption settings as described in section Editing
Backup Repositories.

3. Choose whether you want to use a password or an Azure Key Vault cryptographic key to encrypt the
backed-up data.

o To use password encryption, select the Use password encryption option and specify a password that
will be used to encrypt data.

o To encrypt data using an Azure Key Vault cryptographic key, select the Use Azure Key Vault
encryption key option, choose an Azure Key Vault where the cryptographic key is stored, and then
choose the necessary key.

For an Azure vault to be displayed in the list of available vaults, it must be created in Microsoft Azure
as described in Microsoft Docs. For a cryptographic key to be displayed in the list of available
encryption keys, it must be created in Microsoft Azure as described in Microsoft Docs.

103 | V eeam Backup for Microsoft Azure | User Guide

 IMP ORTANT

If you want to use an Azure Key Vault cryptographic key for encryption at the repository level, consider the
following:

• Do not disable cryptographic keys specified in the repository settings. Otherwise, Veeam Backup for
Microsoft Azure will not be able to encrypt data, and backup policies that store backups in these
repositories will fail to complete successfully.
• Do not delete cryptographic keys specified in the repository settings. Otherwise, Veeam Backup for
Microsoft Azure will not be able to decrypt data stored in these repositories.
If a cryptographic key is scheduled for deletion, it will acquire the Pending deletion state. In this
case, Veeam Backup for Microsoft Azure will raise a warning, and, during the following 7 days, you
must either change the encryption settings for the backup repository in Veeam Backup for Microsoft
Azure or cancel the key deletion.

104 | V eeam Backup for Microsoft Azure | User Guide

Step 5. Configure Load Options
While backing up Azure resources, Veeam Backup for Microsoft Azure launches worker instances responsible for
processing and transfer of backed-up data to backup repositories. When a backup policy addresses a backup
repository, worker instances establish connections with the repository to retrieve data. To learn how Veeam
Backup for Microsoft Azure performs backup operations, see How Backup Works.

Too many connections to a repository at a time may cause performance issues due to Microsoft Azure ingress
limits for storage accounts. To avoid these issues, you can limit the numb er of concurrent connections of worker
instances at the Op tions step of the wizard. To do that, select the Limit concurrent backup tasks to check box
and specify the maximum number of tasks that can be simultaneously processed when addressing the
repository.

The number of concurrent tasks limits connections to the backup repository and, therefore, defines how many
workers can be launched to process Azure resources whose backups will be stored in this repository. Consider
that if the number of concurrent tasks is less than the maximum number of workers that Veeam Backup for
Microsoft Azure is allowed to launch and use simultaneously to process Azure resources during backup
operations, Veeam Backup for Microsoft Azure will only launch as many worker instances as many concurrent
tasks are specified. To learn how to set the maximum number of worker instances, see Adding Worker Profiles.

NOTE

Veeam Backup for Microsoft Azure also launches worker instances during retention and restore operations.
However, the specified limit of concurrent tasks does not apply to these operations.

105 | V eeam Backup for Microsoft Azure | User Guide

Step 6. Finish Working with Wizard
At the Summary step of the wizard, review summary information, choose whether you want to proceed to the
Session Log tab to track the progress of repository creation, and click Finish.

106 | V eeam Backup for Microsoft Azure | User Guide

Editing Backup Repositories
For each backup repository, you can modify settings specified while adding the repository to Veeam Backup for
Microsoft Azure:

1. Switch to the Configuration page.

2. Navigate to Rep ositories.

3. Select the repository and click E d it.

4. Complete the E d it Repository wizard.

a. To provide a new name and description for the repository, follow the instructions provided in section
Adding Backup Repositories (step 2).

b. To enable data encryption or change the configured encryption settings, follow the instructions
provided in section Adding Backup Repositories (step 4).

c. To change the configured load settings for the repository, follow the instructions provided in section
Adding Backup Repositories (step 5).

d. At the Summary step of the wizard, review summary information, choose whether you want to
proceed to the Session Log tab to track the progress of modifying the backup repository settings, and
click Finish to confirm the changes.

107 | V eeam Backup for Microsoft Azure | User Guide

Removing Backup Repositories
Veeam Backup for Microsoft Azure allows you to permanently remove backup repositories if you no longer need
them. When you remove a backup repository, Veeam Backup for Microsoft Azure unassigns the repository from
the folder in the target blob container so that the folder is no longer used as a repositor y.

NOTE

Even though the folder is no longer used as a repository, Veeam Backup for Microsoft Azure preserves all
backups previously stored in the repository and keeps these backups in Microsoft Azure. You can assign the
folder to a new backup repository so that Veeam Backup for Microsoft Azure imports the backed-up data to
the configuration database. In this case, you will be able to perform all disaster recovery operations
described in section Performing Restore.

If you no longer need the backed-up data, you can remove it as described in section Managing Backed-Up
Data.

To remove a backup repository from Veeam Backup for Microsoft Azure, do the following:

1. Switch to the Configuration page.

2. Navigate to Rep ositories.

3. Select the repository and click Remove.

NOTE

You cannot remove a backup repository that is used by any backup policy or by a scheduled configuration
backup. Modify the settings of all the related policies to remove references to the repository, and then try
removing the repository again.

108 | V eeam Backup for Microsoft Azure | User Guide

Managing Worker Instances
To perform most data protection and disaster recovery operations (such as creating image -level backups in
backup repositories and restoring backed-up data), Veeam Backup for Microsoft Azure uses worker instances.

Each worker instance is launched in a specific Azure region and keeps running for the duration of the backup or
restore process. For more information on regions in which Veeam Backup for Microsoft Azure launches worker
instances, see Architecture Overview.

109 | V eeam Backup for Microsoft Azure | User Guide

Managing Worker Configurations
A configuration is a group of network settings that Veeam Backup for Microsoft Azure uses to launch worker
instances in a specific Azure region to perform data protection and disaster recovery operations. Veeam Backup
for Microsoft Azure launches one worker instance per each Azure resource added to a backup policy or restore
task.

By default, Veeam Backup for Microsoft Azure creates a new network configuration for each Azure region in
which it launches worker instances. However, you can add custom worker configurations to provide network
settings that will be used to launch worker instances in a specific region.

IMP ORTANT

By default, all worker instances launched by Veeam Backup for Microsoft Azure access protected Azure
resources through public virtual networks. If you want worker instances to process resources that reside in
private virtual networks, set the P rivate network deployment toggle to On. Veeam Backup for Microsoft
Azure will automatically configure worker settings to allow private network access; however, you will also
need to perform a number of configuration steps manually as described in section Working in Private
Environment.

Consider that to let Veeam Backup for Microsoft Azure perform tasks in private environments, Azure
Service Bus must be upgraded to the Premium tier. For more information on Azure Service Bus tiers, see
Microsoft Docs.

NOTE

You can tell worker instances from other Azure VMs running in your environment — all worker instances
launched by Veeam Backup for Microsoft Azure will have the word VBA and a GUID in their names, and the
Veeam backup appliance ID tag.

Adding Worker Configurations

To add a new worker configuration, do the following:

1. Launch the Add Worker Network Configuration wizard.

2. Specify general settings for the worker configuration.

3. Specify network settings for the worker configuration.

4. Finish working with the wizard.

110 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Add Worker Network Configuration Wizard
To launch the Ad d Worker Network Configuration wizard, do the following:

1. Switch to the Configuration page.

2. Navigate to W ork ers > Network.

3. Click Ad d .

111 | V eeam Backup for Microsoft A zure | User Guide

Step 2. Specify General Settings
At the General step of the wizard, select an Azure region where new worker instances will operate. For more
information on Azure regions in which Veeam Backup for Microsoft Azure launches worker instances to perform
operations, see Architecture Overview.

112 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Specify Network Settings
At the Network step of the wizard, do the following:

1. Select a network and subnet to which you want to connect worker instances created based on the new
worker configuration. You can either use an existing virtual network or create a new one.

To create a new network:

a. Click Ad d .

b. In the Create Network window, specify names and ranges of IP addresses for the new virtual network
and the new subnet, and click OK.

To specify IP address ranges, use the CIDR (Classless Inter-Domain Routing) notation. For more
information on building networks in Microsoft Azure, see Microsoft Docs.

IMP ORTANT
• The specified subnet address range must have at least one free IP address — Veeam Backup for
Microsoft Azure will launch and simultaneously run as many worker instances as many free IP
addresses there are in the subnet range.
• It is recommended to configure a service endpoint (routing) to the Microsoft.Storage service. The
virtual network settings can be specified in the Microsoft Azure portal. For more information on
virtual network service endpoints, see Microsoft Docs.

2. Select a security group that will be associated with the specified subnet.

For a group to be displayed in the Network Security Group list, it must be created beforehand as described
in Microsoft Docs.

IMP ORTANT

If you want worker instances created based on the new worker configuration to process resources that
reside in private virtual networks, the selected security group must allow access to storage accounts and
Service Bus namespaces created by Veeam Backup for Microsoft Azure. You can tell these resources from
other Azure resources by the word veeam and the GUID of the backup appliance in their names.

3. Choose whether you want Veeam Backup for Microsoft Azure to assign public IP addresses to workers
used for file-level recovery operations.

113 | V eeam Backup for Microsoft Azure | User Guide

114 | V eeam Backup for Microsoft Azure | User Guide
Step 4. Finish Working with Wizard
At the Summary step of the wizard, review summary information and click Finish.

Editing Worker Configurations

For each worker configuration, you can modify settings specified while adding the worker configuration to
Veeam Backup for Microsoft Azure:

1. Switch to the Configuration page.

2. Navigate to W ork ers > Network.

3. Select the worker configuration and click E d it.

4. Complete the E d it W orker Network Configuration wizard:

a. To modify the virtual network and subnet to which the related worker instances are connected, and to
change the security group associated with the specified subnet, follow the instructions provided in
section Adding Worker Configurations (step 3).

b. At the Summary step of the wizard, review configuration information and click Finish to confirm the
changes.

115 | V eeam Backup for Microsoft Azure | User Guide

 NOTE

If there are any worker instances created based on the selected configuration that are currently involved in
a backup or restore process, the changes will be applied only when the process completes.

Removing Worker Configurations

Veeam Backup for Microsoft Azure allows you to permanently remove worker configurations if you no longer
need them. When you remove a worker configuration, Veeam Backup for Microsoft Azure does not remove
currently running worker instances that have been created based on this configuration — these instances are
removed only when the related operations complete.

To remove a worker configuration from Veeam Backup for Microsoft Azure, do the following:

1. Switch to the Configuration page.

2. Navigate to W ork ers > Network.

3. Select the worker configuration and click Remove.

116 | V eeam Backup for Microsoft Azure | User Guide

 NOTE

If there are any worker instances created based on the selected configuration that are currently involved in
a backup or restore process, these instances will be removed only when the process completes.

117 | V eeam Backup for Microsoft Azure | User Guide

Managing Worker Profiles
A profile is the VM size of a worker instance that Veeam Backup for Microsoft Azure launches in a specific Azure
region to perform a backup, restore, health check, indexing or archive operation. Veeam Backup for Microsoft
Azure launches one worker instance per each Azure resource added to a backup policy or restore task. The
profile of each launched worker instance is selected based on the performed operation and either the total size
of virtual disks attached to the processed Azure VM or the total size of the processed Azure SQL database.

There are 4 types of worker profiles in Veeam Backup for Microsoft Azure:

• Sma ll — a profile that Veeam Backup for Microsoft Azure uses for creating image-level backups and
restoring data if the total disk size of the processed Azure VM or the total size of the processed Azure SQL
database is less than 100 GB. This profile is also used to launch worker instances for file-level recovery,
backup retention, file share indexing and health check operations.

• Med ium — a profile that Veeam Backup for Microsoft Azure uses for creating image-level backups and
restoring data if the total disk size of the processed Azure VM or the total size of the processed Azure SQL
database is more than 100 GB but less than 1 TB.

• La rge — a profile that Veeam Backup for Microsoft Azure uses for creating image-level backups and
restoring data if the total disk size of the processed Azure VM or the total size of the processed Azure SQL
database is more than 1 TB.

• Archiving — a profile that Veeam Backup for Microsoft Azure uses for creating archived backups.

Out of the box, Veeam Backup for Microsoft Azure comes with the default set of worker profiles where the small
profile is Standard_F2s_v2, the medium profile is Standard_F4s_v2, the large profile is Standard_F8s_v2, and the
archiving profile is Standard_E2_v5. However, to boost operational performance, you can add custom sets of
worker profiles to specify VM sizes of worker instances that will operate in different regions.

NOTE

If the worker configuration was created automatically by Veeam Backup for Microsoft Azure, the default
profile for all operations is Standard_F2s_v2.

Adding Worker Profiles

To add a new custom set of worker profiles for one or more regions, do the following:

1. Launch the Add Worker Profiles wizard.

2. Choose the necessary regions.

3. Choose the profiles for worker instances in these regions.

4. Finish working with the wizard.

118 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Add Worker Profiles Wizard
To launch the Ad d Worker Profiles wizard, do the following:

1. Switch to the Configuration page.

2. Navigate to W ork ers > P rofile.

3. Click Ad d .

119 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Choose Regions
At the Reg ions step of the wizard, select regions for which you want to specify worker profiles.

120 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Choose Worker Profiles
By default, Veeam Backup for Microsoft Azure launches minimum 1 and maximum 5 worker instances depending
on the number of Azure resources processed while performing a backup or restore operation. Each worker
instance can process only one Azure VM or SQL database at a time. If the number of VMs and databases that
must be processed exceeds the maximum number of worker instances specified in the worker configuration, the
VMs and databases exceeding this limit are queued.

At the W ork er Profiles step of the wizard, you can modify the default number of worker instances to reduce the
amount of processing time, and choose profiles that will be used to launch worker instances in the selected
regions to boost operational performance.

1. In the Ba ckup operations section, click E d it Settings.

2. In the Choose worker configuration window, do the following:

a. In the Minimum workers field, specify the number of workers that Veeam Backup for Microsoft Azure
will launch in the selected regions after you finish working with the wizard.

b. In the Ma x imum workers field, specify the maximum number of workers that Veeam Backup for
Microsoft Azure can launch and use simultaneously to process Azure resources in the selected regions
during backup and restore operations.

TIP

After a backup or restore operation completes, Veeam Backup for Microsoft Azure keeps the minimum
number of worker instances running for 10 minutes and then deallocates them; the other instances are
automatically removed from the backup infrastructure. To optimize infrastructure costs, set the minimum
number of worker instances to 0.

c. Use the Simple configuration and Ad vanced configuration options to choose whether you want to use
one single VM size for all worker instances that will be launched in the s elected regions to perform
backup and restore operations, or to specify a small, medium and large profile for the instances.

To help you choose VM sizes, tables in the Select Virtual Machine Size windows will provide
information on the number of vCPU cores and the amount of system RAM for each available VM size.
For the full description of Azure VM sizes, see Microsoft Docs.

d. To save changes made to the worker profiles, click Ap p ly.

121 | V eeam Backup for Microsoft Azure | User Guide

 3. In the Archive operations section, click the link in the Default profile field to specify a VM size for worker
instances that will be launched in the selected regions to perform archive operations.

To help you choose the VM size, the table in the Select Virtual Machine Size window will provide
information on the number of vCPU cores and the amount of system RAM for each available VM size. For
the full description of Azure VM sizes, see Microsoft Docs.

122 | V eeam Backup for Microsoft A zure | User Guide

Step 4. Finish Working with Wizard
At the Summary step of the wizard, review summary information and click Finish.

As soon as you click Finish, Veeam Backup for Microsoft Azure will create a separate set of worker profiles for
each of the selected regions.

Editing Worker Profiles

For each set of worker profiles created for an Azure region, you can modify settings specified while creating the
profile set:

1. Switch to the Configuration page.

2. Navigate to W ork ers > P rofile.

3. Select the profile set and click E d it.

4. Complete the E d it W orker Profiles wizard:

a. To change profiles that will be used to launch workers in the selected region, follow the instructions
provided in section Adding Worker Profiles (step 3).

b. At the Summary step of the wizard, review configuration information and click Finish to confirm the
changes.

123 | V eeam Backup for Microsoft A zure | User Guide

 NOTE

If there are any worker instances that are currently involved in a backup, restore or archive process in the
selected region, the changes will be applied only when the process completes.

Removing Worker Profiles

Veeam Backup for Microsoft Azure allows you to permanently remove sets of worker profiles if you no longer
need them. When you remove a profile set, Veeam Backup for Microsoft Azure does not remove currently
running worker instances that have been created based on this set — these instances are removed only when the
related operations complete.

To remove a profile set from Veeam Backup for Microsoft Azure, do the following:

1. Switch to the Configuration page.

2. Navigate to W ork ers > P rofile.

3. Select the profile set and click Remove.

124 | V eeam Backup for Microsoft Azure | User Guide

Removing Worker Instances
Veeam Backup for Microsoft Azure allows you to permanently remove worker instances created based on worker
configurations and profiles if you no longer need them.

To remove a worker instance from Veeam Backup for Microsoft Azure, do the following:

1. Switch to the Configuration page.

2. Navigate to W ork ers > Instances.

3. Select the worker instance and click Remove.

NOTE

If the selected worker instance is currently involved in a backup or restore process, it will be removed only
when the process completes.

125 | V eeam Backup for Microsoft A zure | User Guide

Configuring General Settings
Veeam Backup for Microsoft Azure allows you to configure general settings that are applied to all performed
operations and deployed architecture components:

• Define for how long obsolete snapshots and session records will be retained .

• Configure notification settings for automated delivery of reports.

• Provide certificates to secure connections between Veeam Backup for Microsoft Azure architecture
components.

• Change the time zone set on the backup appliance.

• Configure single sign-on settings to retrieve user identities from an identity provider.

126 | V eeam Backup for Microsoft A zure | User Guide

Configuring Global Retention Settings
You can configure global retention settings to specify for how long the following data will be retained in the
configuration database:

• Obsolete snapshots and replicas

• Session records

Configuring Retention Settings for Obsolete Snapshots

If an Azure resource (whether it is an Azure VM or an Azure file share) is no longer processed by a backup policy
(for example, it was removed from the backup policy or the backup policy no longer exists), its cloud -native
snapshots become obsolete. Retention policy settings configured when creating backup policies do not apply to
obsolete snapshots — these snapshots are removed from the configuration database according to their own
retention settings.

NOTE

Global retention settings apply to all cloud-native snapshots created by the Veeam backup service. If an
Azure resource is still processed by a backup policy, but some of its cloud-native snapshots are older than
the number of days (or months) specified in the global retention settings, these cloud -native snapshots
will be removed from the configuration database.

To configure retention settings for obsolete snapshots, do the following:

1. Switch to the Configuration page.

2. Navigate to Settings > Retention.

3. In the Ob solete snapshots retention section, select either of the following options:

o Select the Never option if you do not want Veeam Backup for Microsoft Azure to remove obsolete
snapshots.

o Select the After option if you want to specify the number of days, months or years during which
Veeam Backup for Microsoft Azure will keep obsolete snapshots in the configuration database.The
number must be between 90 and 36135 for days, between 3 and 1188 for months and between 3 and
99 for years.

If you select this option, Veeam Backup for Microsoft Azure will remove obsolete instance snapshots
from the configuration database as soon as the specified period of time is over.

4. Click Sa ve.

NOTE

When Veeam Backup for Microsoft Azure removes an obsolete snapshot from the configuration database, it
also removes the snapshot from Microsoft Azure Storage.

127 | V eeam Backup for Microsoft Azure | User Guide

Configuring Retention Settings for Session Records
Veeam Backup for Microsoft Azure stores records for the login activity and all sessions of performed data
protection and disaster recovery operations in the configuration database on the additional data disk attached
to the backup appliance. The default retention period for the login activity records equals 3 months and cannot
be modified. The session records are removed from the configuration database according to specific retention
settings.

To configure retention settings for session records, do the following:

1. In the Session retention section, select either of the following options:

o Select the Keep a ll sessions option if you do not want Veeam Backup for Microsoft Azure to remove
session records.

o Select the Keep only last option if you want to specify the number of days, months or years during
which Veeam Backup for Microsoft Azure will keep session records in the configuration database.

If you select this option, Veeam Backup for Microsoft Azure will remove all session records that are
older than the specified time limit.

2. Click Sa ve.

IMP ORTANT

Retaining all session records in the configuration database may overload the data disk. By default, the disk
comes with 32 GB of storage capacity. If you choose not to remove sessions records at all, consider
increasing the disk space to avoid runtime problems.

128 | V eeam Backup for Microsoft A zure | User Guide

Configuring Global Notification Settings
You can specify email notification settings for automated delivery of backup policy results and daily reports.
Every daily report contains cumulative statistics for all backup policy and snapshot retention sessions run within
the past 24-hour period.

To connect a mail server that will be used for sending email notifications, do the following:

1. Switch to the Configuration page.

2. Navigate to Settings > Email.

3. Select the E na ble email notifications check box.

4. Click the link in the E ma il server field and configure mail server settings.

5. In the From field, enter an email address of the notification sender. This email address will b e displayed in
the From field of notifications.

6. In the To field, enter an email address of a recipient. Use a semicolon to separate multiple recipient
addresses. Do not use spaces after semicolons between the specified email addresses.

For each particular policy, you can configure specific notification settings. For more information on backup
policies, see Performing Backup.

NOTE

If you specify the same email recipient in both backup policy notification and global notification settings,
Veeam Backup for Microsoft Azure will override the configured global notification settings and will send
each notification to this recipient only once to avoid notification duplicates.

7. In the Sub ject field, specify a subject for notifications. You can use the following runtime variables:

o %JobName% — a backup policy name.

o %JobResult% — a backup policy result.

o %ObjectCount% — the number of Azure resources in a backup policy.

o %Issues% — the number of Azure resources in a backup policy that encountered any issues (errors and
warnings) while being processed.

The default subject for email notifications is: [%JobResult%] %JobName% (%ObjectCount% instances)
%Issues%.

8. In the Notify me immediately about section, choose whether you want to receive email notifications in
case backup policies complete successfully, complete with warnings or complete with errors.

9. To receive daily reports, select the Send daily report at check box and specify the exact time when the
reports will be sent.

10. Click Sa ve.

TIP

Veeam Backup for Microsoft Azure allows you to send a test message to check whether you have
configured all settings correctly. To do that, click Send Test E-mail. A test message will be sent to the
specified email address.

129 | V eeam Backup for Microsoft A zure | User Guide

Configuring Mail Server Settings
To configure mail server settings, choose whether you want to employ Basic (SMTP) or Modern (OAuth 2.0)
authentication for your mail server.

Using Basic Authentication

To employ the Basic authentication to connect to your mail server, in the E ma il Server Settings window:

1. From the Authentication drop-down list, select Basic.

2. In the Ma il server name or address field, enter a DNS name or an IP address of the SMTP server. All email
notifications (including test messages) will be sent by this SMTP server.

3. In the P ort field, specify a communication port for SMTP traffic. The default SMTP port is 25.

4. In the Timeout field, specify a connection timeout for responses from the SMTP server.

5. For an SMTP server with SSL/TLS support, select the Connect using SSL check box to enable SSL data
encryption.

6. If your SMTP server requires authentication, select the This server requires a uthentication check box and
choose an account that will be used when authenticating against the SMTP server from the Connect as
drop-down list.

For an account to be displayed in the list of available accounts, it must b e added to Veeam Backup for
Microsoft Azure as described in section Adding Accounts. If you have not added an account beforehand,
click Ad d and complete the Ad d Account wizard.

7. Click Sa ve.

Using Modern Authentication

To employ the Modern authentication to connect to your mail server:

1. In E ma il Server Settings window, copy the URL from the Red irect URL field.

2. For Veeam Backup for Microsoft Azure to be able to use OAuth 2.0 to access Google Cloud or Microsoft
Azure APIs, register a new client application either in the Google Cloud Console or in the Microsoft Azure
portal.

When registering the application, make sure that the redirect URI specified for the application matches the
URL copied from the Veeam Backup for Microsoft Azure Web UI.

3. Back to the Veeam Backup for Microsoft Azure Web UI, do the following in the E mail Server Settings
window:

a. From the Authentication drop-down list, select Modern.

b. Use the Ma il server drop-down list to choose whether the server that you want to use to send email
notifications is a Google or Microsoft mail server.

c. In the Ap p lication client ID and Client secret fields, provide the Client ID and Client secret created for
the application as described in Google Cloud documentation or Microsoft Docs.

d. [Applies only if you have selected the Microsoft option] In the Tena nt ID field, provide the ID of an
Azure AD tenant in which the application has been registered.

130 | V eeam Backup for Microsoft Azure | User Guide

 e. Click Authorize. You will be redirected to the authorization page. Sign in using a Google or Microsoft
Azure account to validate the configured settings.

131 | V eeam Backup for Microsoft Azure | User Guide

Replacing Security Certificates
To establish secure data communications between the backup appliance and web browsers running on user
workstations, Veeam Backup for Microsoft Azure uses Transport Layer Security (TLS) certificates.

When you install Veeam Backup for Microsoft Azure, it automatically generates a default self -signed certificate.
You can replace this default certificate with your own self-signed certificate or with a certificate obtained from a
Certificate Authority (CA). To replace the currently used TLS certificate, do the following:

1. Switch to the Configuration page.

2. Navigate to Settings > Certificates.

3. Click Rep lace Web Certificate.

4. Complete the New W eb Server Certificate (HTTPS) wizard:

a. At the Certificate type step of the wizard, do the following:

▪ Select the Create a new certificate automatically option if you want to replace the existing
certificate with a new self-signed certificate automatically generated by Veeam Backup for
Microsoft Azure.

▪ Select the Up load certificate option if you want to upload a certificate that you obtained from a
CA or generated using a 3rd party tool.

b. [This step applies only if you have selected the Up load certificate option] At the Up load certificate
step of the wizard, browse to the certificate that you want to install, and provide a password for the
certificate file if required.

NOTE

Only .PFX and .P12 files are supported.

c. At the Summary step of the wizard, review summary information and click Finish.

132 | V eeam Backup for Microsoft A zure | User Guide

Changing Time Zone
Veeam Backup for Microsoft Azure runs daily reports and performs all data protection and disaster recovery
operations according to the time zone set on the backup appliance.

IMP ORTANT

If Daylight Saving Time (DST) is used in the time zone set on the backup appliance, consider the following:

• When DST starts (clocks are set one hour forward), all policy sessions scheduled to launch at the
skipped hour on this day do not run. You can run the policies manually as described in Starting and
Stopping Backup Policies.
• When DST ends (clocks are set one hour back), all policy sessions scheduled to launch at the
duplicated hour on this day run only once.

Since the backup appliance is deployed on an Azure VM in Microsoft Azure, the time zone is set to Coordinated
Universal Time (UTC) by default. However, you can change the time zone if required. For example, you may
want the time on the backup appliance to match the time on the workstation from which you access Veeam
Backup for Microsoft Azure.

To change the time zone set on the backup appliance:

1. Switch to the Configuration page.

2. Navigate to Settings > Time Zone.

3. Select the necessary time zone from the Time zone drop-down list.

4. Click Sa ve.

NOTE

It is not recommended that you change the time zone if any backup policy is currently running. Wait for all
the running policies to complete or stop them manually — and then try changing the time zone again.

133 | V eeam Backup for Microsoft A zure | User Guide

Configuring SSO Settings
Veeam Backup for Microsoft Azure supports single sign-on (SSO) authentication based on the SAML 2.0
protocol. SSO authentication scheme allows a user to log in to different software systems with the same
credentials using the identity provider service.

To configure SSO settings for Veeam Backup for Microsoft Azure, complete the following steps:

1. Switch to the Configuration page.

2. Navigate to Settings > Identity Provider.

3. In the Id entity provider configuration section, import identity provider settings from a file obtained from
your identity provider:

a. Click Up load Metadata.

b. In the Up load Identity Provider Configuration window, click Browse to locate the file with the identity
provider settings.

c. Click Up load.

4. Forward the service provider authentication settings to the identity provider — to obtain the settings, click
Download in the Ap p lication configuration section. Veeam Backup for Microsoft Azure will download a
metadata file with the service provider authentication settings to your local machine.

Alternatively, you can copy the service provider settings manually:

a. Click Cop y Link in the SP entity ID / issuer field.

b. Click Cop y Link in the Assertion consumer URL field.

TIP

If you want to sign and encrypt authentication requests sent from Veeam Backup for Microsoft Azure to the
identity provider, select a certificate with a private key that will be used to sign and encrypt the requests:

1. In the Ap p lication configuration section, click Select in the Certificate field.

2. In the Up load Security Certificate window, click Browse to locate the certificate file. In the P a ssword
field, specify a password used to open the file.
3. Click Up load.

After you configure SSO settings, you can add user accounts that will be able to log in to Veeam Backup for
Microsoft Azure using single sign-on. For more information, see Adding User Accounts.

134 | V eeam Backup for Microsoft Azure | User Guide

 IMP ORTANT

To authenticate a user whose identity has been received from the identity provider, Veeam Backup for
Microsoft Azure redirects the user to the identity provider portal. After the user logs in to the portal, the
identity provider sends a SAML authentication response to Veeam Backup for Microsoft Azure. The SAML
response must contain an attribute whose value will be used by Veeam Backup for Microsoft Azure to
identify the user. The attribute value must match the user name that you specify when creating the user
account.

For the identity provider to send the required attribute in the SAML authentication response, you must
create a claim rule on the identity provider side and specify username as the outgoing claim type (if you
use Active Directory Federation Service) or the option claim name (if you use Azure Active Directory).

135 | V eeam Backup for Microsoft A zure | User Guide

Performing Configuration Backup
You can back up the entire backup appliance using the snapshot-based configuration backup functionality and
back up the configuration database using the inbuilt configuration backup functionality.

It is recommended that you regularly perform configuration backup for every backup appliance present in
Microsoft Azure. Periodic configuration backups reduce the risk of data loss and minimize the administrative
overhead costs in case any problems with the backup appliances occur.

136 | V eeam Backup for Microsoft A zure | User Guide

Performing Snapshot-Based Configuration
Backup
You can instruct Veeam Backup for Microsoft Azure to automatically create snapshots of the backup appliance .
You can then use these snapshots to restore the entire backup appliance to another Azure VM, as described in
this Veeam KB article.

To configure the auto-backup settings, do the following:

1. Switch to the Configuration page.

2. Navigate to Settings > Configuration Backup.

3. Switch to the Sna p shot-Based tab.

4. Set the E na ble snapshot backup toggle to On.

5. In the Configure the snapshot settings and schedule section, do the following:

a. In the Restore points to keep field, specify the number of snapshots that you want to keep in the
snapshot chain.

If the snapshot limit is exceeded, Veeam Backup for Microsoft Azure removes the earliest snapshot
from the chain. For more information, see Retention Policy for Snapshots.

b. In the Schedule section, choose whether you want to create snapshots daily, monthly or periodically:

▪ Select the Da ily at this time option if you want Veeam Backup for Microsoft Azure to create
snapshots once a day on defined days. You can choose whether snapshots must be created every
day, on weekdays (Monday through Friday) or on specific days.

▪ Select the Monthly at this time option if you want Veeam Backup for Microsoft Azure to create
snapshots once a month on a defined day.

▪ Select the P eriodically every option if you want Veeam Backup for Microsoft Azure to create
snapshots repeatedly throughout a day with a specific time interval. You can choose whether
snapshots must be created every several hours or minutes. You can also instruct Veeam Backup
for Microsoft Azure to create snapshots continuously, one after another.

TIP

If you choose to create snapshots once every several hours, you can also specify a time shift to postpone
the snapshot creation by a defined amount of time (in minutes) in the specified interval. To do that, use the
Sta rt time within an hour field.

137 | V eeam Backup for Microsoft Azure | User Guide

 6. Click Sa ve.

138 | V eeam Backup for Microsoft Azure | User Guide

Performing Configuration Backup and Restore
You can back up the configuration database that stores data collected from Veeam Backup for Microsoft Azure
for the existing backup policies, protected Azure resources, launched worker instances, logge d session records
and so on. If the backup appliance goes down for some reason, you can reinstall it and quickly restore its
configuration from a configuration backup. You can also use a configuration backup to migrate the configuration
of one backup appliance to another backup appliance in Microsoft Azure.

You can run configuration backup manually on demand, or instruct Veeam Backup for Microsoft Azure to do it
automatically on a regular basis.

Performing Manual Configuration Backup

While performing configuration backup, Veeam Backup for Microsoft Azure exports data from the configuration
database and saves it to a backup file in a backup repository. To back up the configuration database of the
backup appliance manually, do the following:

1. Switch to the Configuration page.

2. Navigate to Settings > Configuration Backup.

3. In the Overview section, click Ta k e Backup Now.

4. In the Create Manual Backup window, select a repository where the configuration backup will be stored,
and click Create.

For a backup repository to be displayed in the Rep ository list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Backup Repositories. The Rep ository list shows only
backup repositories that have encryption enabled and immutability disabled.

As soon as you click Create, Veeam Backup for Microsoft Azure will start creating a new backup in the selected
repository. To track the progress, click Go to Sessions in the Session Info window to proceed to the Session Log
tab.

139 | V eeam Backup for Microsoft A zure | User Guide

Performing Scheduled Configuration Backup
While performing configuration backup, Veeam Backup for Microsoft Azure exports data from the configuration
database and saves it to a backup file in a backup repository. To instruct Veeam Backup for Microsoft Azure to
back up the configuration database of the backup appliance automatically by schedule, do the following:

1. Switch to the Configuration page.

2. Navigate to Settings > Configuration Backup.

3. In the Ba ckup schedule section, set the E na ble scheduling toggle to On.

4. Click Choose in the Rep ository field, and use the list of available repositories in the Choose Repository
window to select a repository where configuration backups will be stored.

For a backup repository to be displayed in the list of available repositories, it must be added to Veeam
Backup for Microsoft Azure as described in section Adding Backup Repositories. The list shows only
backup repositories that have encryption enabled and immutability disabled.

5. In the Keep restore points for field, specify the number of days for which you want to keep restore points
in a backup chain in the selected backup repository.

If a restore point is older than the specified time limit, Veeam Backup for Microsoft Azure removes the
restore point from the chain. For more information, see Retention Policy for Backups.

6. In the Create daily backup at field, choose whether configuration backups will be created every day, on
weekdays (Monday through Friday), or on specific days.

7. Click Sa ve.

140 | V eeam Backup for Microsoft Azure | User Guide

Exporting Configuration Backup Data
Once Veeam Backup for Microsoft Azure creates a successful configuration backup, you can export the
configuration backup file and use it to restore configuration data on another backup appliance.

To export the configuration backup file, do the following:

1. Switch to the Configuration page.

2. Navigate to Settings > Configuration Backup.

3. Use either of the following options:

o To export the last successful configuration backup:

i. In the Overview section, click E x p ort Last Backup.

ii. In the E x port Last Backup window, specify a password that will be used to encrypt the exported
file, provide a hint for the specified password, and click E x port.

o To export a specific configuration backup file:

i. In the Configuration restore section, click Ava ilable Restore Points.

ii. In the Ava ilable Restore P oints window, select the necessary backup and click E x p ort Backup.

iii. In the E x port Backup window, specify a password that will be used to encrypt the exported file,
provide a hint for the specified password, and click E x p ort.

As soon as you click E x port, Veeam Backup for Microsoft Azure will save the exported backup file to the default
download directory on the local machine.

141 | V eeam Backup for Microsoft Azure | User Guide

Restoring Configuration Data
Veeam Backup for Microsoft Azure offers restore of the configuration database that can be helpful in the
following situations:

• The configuration database got corrupted, and you want to recover data from a configuration backup.

• You want to roll back the configuration database to a specific point in time.

• The backup appliance got corrupted, and you want to recover its configuration from a configuration
backup.

• The backup appliance went down, and you want to apply its configuration to a new backup appliance.

IMP ORTANT

Before you start the restore process, stop all policies that are currently running.

To restore the configuration database, do the following:

1. Launch the Configuration Restore wizard.

2. Choose a backup file.

3. Review the backup file info.

4. Choose restore options.

5. Track the restore progress.

6. View the results of verification steps.

7. Finish working with the wizard.

NOTE

After Veeam Backup for Microsoft Azure performs configuration restore, it rescans the whole infrastructure
to detect obsolete snapshots. These snapshots are then removed from the configuration database
according to the specified global retention settings.

142 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Configuration Restore Wizard
To launch the Configuration Restore wizard, do the following:

1. Switch to the Configuration page.

2. Navigate to Settings > Configuration Backup.

3. In the Configuration restore section, click Restore.

143 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Choose Backup File
At the Ba ckup File step of the wizard, choose whether you want to use an exported backup file or a backup file
stored in a backup repository:

• If you want to use a file stored in a backup repository, select the Use backup file from repository option
and do the following:

a. Click Choose in the Rep ository field, and use the list of available repositories in the Choose repository
window to select the repository where the necessary configuration backup file is stored.

For a backup repository to be displayed in the Rep ository list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Backup Repositories. The list shows only backup
repositories that have encryption enabled and immutability disabled.

b. Click Choose in the Ba ckup file field, and select the necessary file in the Choose backup file window.

• If you want to use a file that was exported from this or another backup appliance, select the Use imported
b a ckup file option and do the following:

a. Click Choose in the Ba ckup file field.

b. In the Imp ort backup file window, browse to the necessary backup file, provide the password that was
used to encrypt the file, and click Import.

IMP ORTANT

The size of an uploaded backup file must not exceed 10 GB. To upload a file of a bigger size, open a
support case.

144 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Review Backup File Info
Veeam Backup for Microsoft Azure will analyze the content of the selected b ackup file and display the following
information:

• File information — the date and time when the backup file was created.

• Product information — the version of Veeam Backup for Microsoft Azure that was installed on the initial
backup appliance and the version of the File-level recovery service that was running on the appliance.

IMP ORTANT

Consider that if the current version of Veeam Backup for Microsoft Azure installed on the backup appliance
is later than the version saved in the configuration backup file, the configuration restore operation will not
downgrade the backup appliance version.

• Product configuration — configuration data saved in the file (such as the number of configured backup
policies, added user accounts, created backup repositories, logged session records and so on).

At the File Content step of the wizard, review the provided information and click Nex t to confirm that you want
to use the selected file to restore the configuration data.

145 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Choose Restore Options
By default, Veeam Backup for Microsoft Azure restores only configuration data for the existing architecture
components, created backup policies and configured global settings. At the Restore Options step of the wizard,
you can choose whether you want to restore session logs and user accounts of the initial backup appliance as
well.

IMP ORTANT

After you click Restore, the restore process will start. You will not be able to halt the process or edit the
restore settings.

146 | V eeam Backup for Microsoft Azure | User Guide

Step 5. Track Restore Progress
Veeam Backup for Microsoft Azure will display the results of every step performed while executing the
configuration restore. At the Restore step of the wizard, wait for the restore process to complete and click Nex t.

147 | V eeam Backup for Microsoft Azure | User Guide

Step 6. View Configuration Check Results
After the restore process is over, Veeam Backup for Microsoft Azure will run a number of verification checks to
confirm that the configuration data has been restored successfully. At the Configuration Check step of the
wizard, wait for the verification checks to complete and click Nex t.

TIP

If Veeam Backup for Microsoft Azure encounters an issue while performing a verification check, the Result
column will display a description of the issue, and the Action column will provide instructions on how to
resolve it. After you resolve the issue, click Recheck to ensure the backup appliance is now fully functional.

148 | V eeam Backup for Microsoft Azure | User Guide

Step 7. Finish Working with Wizard
At the Restore Result step of the wizard, click Finish to finalize the process of configuration data restore.

149 | V eeam Backup for Microsoft Azure | User Guide

Viewing Available Resources
After you create a backup policy to protect a specific type of Azure resources (Azure VMs, Azure SQL databases
or Azure file shares), Veeam Backup for Microsoft Azure rescans Azure regions specified in the policy settings
and populates the resource list on the Resources tab with all resources of that type residing in these regions. If a
region is no longer specified in any backup policy, Veeam Backup for Microsoft Azure removes res ources residing
in the region from the list of available resources.

The Resources tab displays Azure resources that can be protected by Veeam Backup for Microsoft Azure. Each
resource is represented with a set of properties, such as:

• Virtual Machine or Azure SQL or File Share — the name of the resource.

• P olicy — the name of the backup policy that protects the resource (if any).

• Reg ion — the region in which the resource resides.

• Restore Points — the number of restore points created for the resource (if any).

• La st Backup — the date and time of the most recent backup policy (if any).

On the Resources tab, you can also perform the following actions:

• Manually create image-level backups of Azure SQL databases. For more information, see Performing SQL
Backup.

• Manually create cloud-native snapshots of Azure VMs and Azure file shares. For more information, see
sections Performing VM Backup and Performing File Share Backup.

150 | V eeam Backup for Microsoft Azure | User Guide

Performing Backup
With Veeam Backup for Microsoft Azure, you can protect data in the following ways:

• Create cloud-native snapshots of Azure VMs

A cloud-native snapshot includes point-in-time snapshots of virtual disks attached to the processed Azure
VM. Snapshots of virtual disks are taken using native Microsoft Azure capabilities.

• Create image-level backups of Azure VMs

In addition to cloud-native snapshots, you can protect your Azure VMs with image-level backups. An
image-level backup captures the whole image of the processed Azure VM (including OS data, application
data and so on) at a specific point in time. The backup is saved as multiple files to a backup repository in
the native Veeam format.

• Create image-level backups of Azure SQL databases

An image-level backup of an Azure SQL database captures the whole image of the processed database
(including tables, constraints, indexes and actual data) at a specific point of time. The backup is saved as
multiple files to a backup repository in the native Veeam format.

• Create cloud-native snapshots of Azure file shares

A cloud-native snapshot includes point-in-time snapshots of base files, metadata and files in the system
properties of the processed Azure file share. Snapshots of these files are taken using native Microsoft
Azure capabilities.

NOTE

Consider that if you delete a file share from Microsoft Azure, the snapshots of this file share will be deleted
as well. To protect your snapshots from accidental deletion, you can use the file share soft delete option.
For more information on the soft delete option for Azure file shares, see Microsoft Docs.

To schedule data protection tasks to run automatically, create backup policies. For Azure VMs and Azure file
shares residing in any of the regions added to the backup policies, you can also take cloud -native snapshots
manually when needed — for more information, see Creating VM Snapshots Manually and Creating File Share
Snapshots Manually. For Azure SQL databases, you can also perform backups manually when needed — for more
information, see Creating SQL Backups Manually.

151 | V eeam Backup for Microsoft Azure | User Guide

How Backup Works
Veeam Backup for Microsoft Azure does not install agent software inside instances to retrieve data. To back up
resource data, Veeam Backup for Microsoft Azure uses native Microsoft Azure capabilities. During every backup
session, Veeam Backup for Microsoft Azure creates a cloud-native snapshot (for an Azure VM or an Azure file
share) or a BACPAC file (for an Azure SQL database) for each Azure resource added to a backup policy. The
cloud-native snapshot is further used to create an image-level backup of the Azure VM, and the BACPAC file is
used to create an image-level backup of the Azure SQL database.

152 | V eeam Backup for Microsoft A zure | User Guide

VM Backup
Veeam Backup for Microsoft Azure performs VM backup in the following way:

1. Veeam Backup for Microsoft Azure creates snapshots of virtual disks that are attached to the processed
Azure VM.

Disk snapshots are assigned Azure tags upon creation. Keys and values of Azure tags contain encrypted
metadata that helps Veeam Backup for Microsoft Azure identify the related disk snapshots and treat them
as a single unit — a cloud-native snapshot.

2. If you enable image-level backup for the backup policy, Veeam Backup for Microsoft Azure performs the
following operations:

a. Launches a worker instance in an Azure region in which a processed Azure VM resides.

By default, Veeam Backup for Microsoft Azure launches worker instances using automatically created
virtual network. However, you can add specific worker configurations. For more information, see
Managing Worker Instances.

b. Reads data from a cloud-native snapshot, transfers the data to a backup repository and stores it in the
native Veeam format.

To reduce the amount of data read from snapshot, Veeam Backup for Microsoft Azure uses the
changed block tracking (CBT) mechanism: during incremental backup sessions, Veeam Backup for
Microsoft Azure compares the new cloud-native snapshot with the previous one and reads only those
data blocks that have changed since the previous backup session. For more information, see Changed
Block Tracking.

NOTE

Veeam Backup for Microsoft Azure encrypts and compresses data saved to backup repositories. For more
information on data encryption, see Architecture Overview.

c. Deallocates the worker instance when the backup session completes.

3. If you enable the backup archiving mechanism, Veeam Backup for Microsoft Azure performs the following
operations:

a. Launches a worker instance in an Azure region in which a backup repository storing backed-up data
resides.

b. Retrieves data from the backup repository and transfers it to the target archive repository.

c. Deallocates the worker instance when the archive session completes.

Veeam Backup for Microsoft Azure stores the backed-up data depending on the type of the virtual disk attached
to the protected Azure VM:

• Snapshots created for managed virtual disks are saved to the resource group to which the Azure VM
belongs.

• Snapshots created for unmanaged virtual disks are saved to the Azure storage account where the Azure
VM resides.

• Backups created for managed and unmanaged virtual disks are saved to the target repository.

For more information on Azure virtual disk types, see Microsoft Docs.

153 | V eeam Backup for Microsoft A zure | User Guide

Snapshot Chain
During every backup session, Veeam Backup for Microsoft Azure creates a cloud -native snapshot of each Azure
VM added to a backup policy. The cloud-native snapshot itself is a collection of point-in-time snapshots of
virtual disks that Veeam Backup for Microsoft Azure creates using native Microsoft Azure capabilities.

A sequence of cloud-native snapshots created during a set of backup sessions makes up a snapshot chain.
Veeam Backup for Microsoft Azure builds the snapshot chain in the following way:

1. During the first backup session, Veeam Backup for Microsoft Azure creates a snapshot of all Azure VM data
and saves it in the Azure region where the processed Azure VM resides. This snapshot becomes a starting
point in the snapshot chain.

The creation of the first snapshot may take significant time to complete since Veeam Backup for Microsoft
Azure copies the whole image of the Azure VM.

2. During subsequent backup sessions, Veeam Backup for Microsoft Azure creates snapshots with only those
data blocks that have changed since the previous backup session.

The creation of subsequent snapshots typically takes less time to complete, compared to the first
snapshot in the chain. Note, however, that the completion time still depends on the amount of processed
data.

For more information on how incremental snapshots work, see Microsoft Docs.

Each cloud-native snapshot in the snapshot chain contains metadata. Metadata includes information about the
protected Azure VM, the backup policy that created the snapshot, and the number of snapshots in the chain.
Veeam Backup for Microsoft Azure uses metadata to identify outdated snapshots, to load the conf iguration of
source Azure VMs during recovery operations, and so on.

Cloud-native snapshots act as independent restore points for backed -up Azure VMs. If you remove any
snapshot, it will not break the snapshot chain — you will still be able to roll back your data to any existing
restore point.

The number of cloud-native snapshots kept in the snapshot chain is defined by retention policy settings. For
more information, see Retention Policy for Snapshots.

Backup Chain
If you enable image-level backups for a backup policy, Veeam Backup for Microsoft Azure creates a new backup
in a backup repository during every backup session. A sequence of backups created during a set of backup
sessions makes up a backup chain.

The backup chain includes backups of the following types:

• Full — a full backup stores a copy of the full Azure VM image.

• Incremental — incremental backups store incremental changes of the Azure VM image.

To create a backup chain for an Azure VM protected by a backup policy, Veeam Backup for Microsoft Azure
implements the forever forward incremental backup method:

1. During the first backup session, Veeam Backup for Microsoft Azure copies the full Azure VM image and
creates a full backup in a backup repository. The full backup becomes a starting point in the backup chain.

154 | V eeam Backup for Microsoft Azure | User Guide

 2. During subsequent backup sessions, Veeam Backup for Microsoft Azure copies only those data blocks that
have changed since the previous backup session, and stores these data blocks to incremental backups in
the backup repository. The content of each incremental backup depends on the content of the full backup
and the preceding incremental backups in the backup chain.

Full and incremental backups act as restore points for backed -up Azure VMs that let you roll back your data to
the necessary state. To recover an Azure VM to a specific point in time, the chain of backups created for the VM
must contain a full backup and a set of incremental backups dependent on the full backup.

If some backup in the backup chain is missing, you will not be able to roll back to the necessary state. For this
reason, you must not delete individual backups from the backup repository manually. Instead, you must specify
retention policy settings that will let you maintain the necessary number of backups in the backup repository.
For more information, see Retention Policy for Backups.

Changed Block Tracking

The changed block tracking (CBT) mechanism allows Veeam Backup for Microsoft Azure to red uce the amount of
data read from processed virtual disks, and to increase the speed and efficiency of incremental backups:

• During a full backup session, Veeam Backup for Microsoft Azure reads only written data blocks, while
unallocated data blocks are filtered out.

• During an incremental backup session, Veeam Backup for Microsoft Azure reads only those data blocks
that have changed since the previous backup session.

To detect unallocated and changed data blocks, CBT relies on Azure Compute APIs.

• During the first (full) backup session, Veeam Backup for Microsoft Azure creates a cloud -native snapshot
of an Azure VM. To do that, Veeam Backup for Microsoft Azure sends API requests to access the content of
the snapshot and to detect unallocated data blocks.

• During subsequent sessions, new cloud-native snapshots are created. Veeam Backup for Microsoft Azure
sends API requests to access and to compare the content of the snapshot created during the previous
backup session and the snapshot created during the current backup session. This allows Veeam Backup for
Microsoft Azure to detect data blocks that have changed since the previous backup session.

To allow the CBT mechanism to be used when processing Azure VM data by a backup policy, the number of
snapshots to keep in a snapshot chain must be enough to ensure that the cloud -native snapshot created during
the previous backup session has not been removed from the chain by the retention policy before the next
backup session runs. For more information on configuring snapshot retention settings, see Creating Backup
Policies.

155 | V eeam Backup for Microsoft A zure | User Guide

Consider the following example. You want a backup policy to daily create both image-level backups and cloud-
native snapshots: cloud-native snapshots must be created at 7:00 AM, 9:00 AM, 11:00 AM 1:00 PM, 3:00 PM
and 5:00 PM; image-level backups must be created at 7:00 AM and 5:00 PM. In this case, you mus t set the
Sna pshots to k eep value to 5. Veeam Backup for Microsoft Azure will run the backup policy the following way:

1. At 7:00 AM, a backup session will create a cloud-native snapshot, and then use this snapshot to create a
full image-level backup.

2. From 9:00 AM to 3:00 PM, backup sessions will create only cloud -native snapshots.

3. After a backup session runs at 5:00 PM, the first cloud-native snapshot will be still present in the
snapshot chain and can be further used to create an incremental backup.

Archive Backup Chain

If you enable backup archiving for a backup policy, Veeam Backup for Microsoft Azure creates a new backup in
an archive repository during every archive session. A sequence of backups created during a set of archive
sessions makes up an archive backup chain.

The archive backup chain includes backups of the following types:

• Full — a full archive backup stores a copy of the full Azure VM image.

• Incremental — incremental archive backups store incremental changes of the Azure VM image.

To create an archive backup chain for an Azure VM protected by a backup policy, Veeam Backup for Microsoft
Azure implements the forever forward incremental backup method:

1. During the first archive session, Veeam Backup for Microsoft Azure detects backed -up data that is stored
in the full backup and all incremental backups existing in the backup chain, creates a full archive backup
with all the data, and copies this backup to the archive repository. The full archive backup becomes a
starting point in the archive chain.

2. During subsequent archive sessions, Veeam Backup for Microsoft Azure checks the backup chain to detect
data blocks that have changed since the previous archive session, creates incremental archive backups
with only those changed blocks, and copies these backups to the archive repository. The content of each
incremental archive backup depends on the content of the full archive back up and the preceding
incremental archive backups in the archive backup chain.

Full and incremental archive backups act as restore points for backed -up Azure VMs that let you roll back your
data to the necessary state. To recover an Azure VM to a specific point in time, the chain of backups created for
the VM must contain a full archive backup and a set of incremental archive backups.

If some backup in the archive backup chain is missing, you will not be able to roll back to the necessary state.
For this reason, you must not delete individual backups from the archive repository manually. Instead, you must
specify retention policy settings that will let you maintain the necessary number of backups in the archive
repository. For more information, see Retention Policy for Archived Backups.

156 | V eeam Backup for Microsoft A zure | User Guide

SQL Backup
When processing an Azure SQL database added to a backup policy, Veeam Backup for Microsoft Azure can create
a restore point of the database and transfer the point directly to a backup repository, or Veeam Backup for
Microsoft Azure can copy the database to a staging server first, create a restore point and then transfer it to a
repository. In the latter case, Veeam Backup for Microsoft Azure also processes all transaction logs of the c opied
database to create a transactionally consistent backup. This guarantees the consistency of the database state
during recovery but can increase costs associated with cross-region data transfer.

Veeam Backup for Microsoft Azure performs SQL backup in the following way:

1. [Applies when performing backup using a staging server] Depending on the type of the processed Azure
SQL database, Veeam Backup for Microsoft Azure does the following:

o For an Azure SQL Database residing on a SQL Server — creates a copy of the source database on the
staging server using the Azure REST API.

o For a database residing on an Azure SQL Managed Instance — creates a copy of the source database on
the staging server using point-in-time restore (PITR) from the point made 10 minutes ago. For more
information on Azure point-in-time restore, see Microsoft Docs.

For more information on the Azure SQL family of SQL Server database engine products, see Microsoft
Docs.

2. Launches a worker instance in an Azure region where the staging server or the source database is located.

By default, Veeam Backup for Microsoft Azure launches worker instances with the same network
configurations as those specified for the processed Azure SQL databases. However, you can add specific
worker configurations. For more information, see Managing Worker Instances.

3. Exports the database schema, indexes and constraints to a BACPAC file. For more information on BACPAC
files, see Microsoft Docs.

IMP ORTANT

BACPAC export of databases with external references is not supported. If a SQL database was migrated to
an Azure SQL Database Server or Azure SQL Managed Instance, make sure to clear legacy references,
orphaned database users and credentials set up with authentication types not supported by Azure SQL, to
avoid BACPAC export errors.

4. Reads data from the exported BACPAC file on the worker instance, transfers the data to a backup
repository and stores it in the native Veeam format.

5. [Applies when performing backup using a staging server] Removes the copy of the source database from
the staging server.

6. Deallocates the worker instance when the backup session completes.

7. If you enable the backup archiving mechanism, Veeam Backup for Microsoft Azure performs the following
operations:

a. Launches a worker instance in an Azure region in which a backup repository storing backed -up data
resides.

b. Retrieves data from the backup repository and transfers it to the target archive r epository.

c. Deallocates the worker instance when the archive session completes.

157 | V eeam Backup for Microsoft Azure | User Guide

Backup Chain
During every backup session, Veeam Backup for Microsoft Azure creates a new backup for each Azure SQL
database added to a backup policy. A sequence of backups created during a set of backup sessions makes up a
backup chain.

The backup chain includes backups of the following types:

• Full — a full backup stores a copy of the full Azure SQL database image.

• Incremental — incremental backups store incremental changes of the Azure SQL database images.

To create a backup chain for an Azure SQL database protected by a backup policy, Veeam Backup for Microsoft
Azure implements the forever forward incremental backup method:

1. During the first backup session, Veeam Backup for Microsoft Azure copies the full Azure SQL database
image and creates a full backup in a backup repository. The full backup becomes a starting point in the
backup chain.

2. During subsequent backup sessions, Veeam Backup for Microsoft Azure copies only those data blocks that
have changed since the previous backup session and stores these data blocks to incremental backups in
the backup repository. The content of each incremental backup depends on the content of the full backup
and the preceding incremental backups in the backup chain.

Full and incremental backups act as restore points for backed -up Azure SQL databases that let you roll back
your data to the necessary state. To recover an Azure SQL database to a specific point in time, the chain of
backups created for the database must contain a full backup and a set of incremental backups dependent on the
full backup.

If some backup in the backup chain is missing, you will not be able to roll back to the necessary state. For this
reason, you must not delete individual backups from the backup repository manually. Instead, you must specify
retention policy settings that will let you maintain the necessary number of backups in the backup repository.
For more information, see Retention Policy for Backups.

Archive Backup Chain

If you enable backup archiving for a backup policy, Veeam Backup for Microsoft Azure creates a new backup in
an archive repository during every archive session. A sequence of backups created during a se t of archive
sessions makes up an archive backup chain.

The archive backup chain includes backups of the following types:

• Full — a full archive backup stores a copy of the full Azure SQL database image.

• Incremental — incremental archive backups store incremental changes of the Azure SQL database image.

158 | V eeam Backup for Microsoft Azure | User Guide

To create an archive backup chain for an Azure SQL database protected by a backup policy, Veeam Backup for
Microsoft Azure implements the forever forward incremental backup method:

1. During the first archive session, Veeam Backup for Microsoft Azure detects backed -up data that is stored
in the full backup and all incremental backups existing in the backup chain, creates a full archive backup
with all the data, and copies this backup to the archive repository. The full archive backup becomes a
starting point in the archive chain.

2. During subsequent archive sessions, Veeam Backup for Microsoft Azure checks the backup chain to detect
data blocks that have changed since the previous archive session, creates incremental archive backups
with only those changed blocks, and copies these backups to the archive repository. The content of each
incremental archive backup depends on the content of the full archive backup and the preceding
incremental archive backups in the archive backup chain.

Full and incremental archive backups act as restore points for backed -up Azure SQL databases that let you roll
back your data to the necessary state. To recover an Azure SQL database to a specific point in time, the chain of
backups created for the database must contain a full archive backup and a set of incremental archive backups.

If some backup in the archive backup chain is missing, you will not be able to roll back to the necessary state.
For this reason, you must not delete individual backups from the archive repository manually. Instead, you must
specify retention policy settings that will let you maintain the necessary number of backups in the archive
repository. For more information, see Retention Policy for Archived Backups.

159 | V eeam Backup for Microsoft A zure | User Guide

File Share Backup
Veeam Backup for Microsoft Azure performs file share backup in the following way:

1. Creates a share snapshot of the processed Azure file share using Microsoft Azure native capabilities.

NOTE

Due to Microsoft Azure limitations, the maximum number of snapshots to keep for one file share is 200.

2. If you enable file share indexing, Veeam Backup for Microsoft Azure performs the following operations:

a. Launches a worker instance in an Azure region in which the processed file share resides.

b. Re-creates the file share from the share snapshot created at step 1 and mounts the share to the
worker instance.

c. Reads data from the file share on the worker instance, creates a catalog of files and folders (that is,
the index) of the share, and saves the index to the configuration database on the backup appliance.

d. Associates the created index with the share snapshot created at step 1.

The creation of the index may take significant time to complete. If a new backup policy session starts
and the previous indexing session is still running, a new indexing session will not be launched.

e. Deallocates the worker instance when the indexing session completes.

Snapshot Chain
During every backup session, Veeam Backup for Microsoft Azure creates a cloud -native snapshot of each Azure
file share added to a backup policy. The cloud-native snapshot itself is a collection of point-in-time snapshots of
share files that Veeam Backup for Microsoft Azure takes using native Microsoft Azure capabilities.

A sequence of cloud-native snapshots created during a set of backup sessions makes up a snapshot chain.
Veeam Backup for Microsoft Azure creates the snapshot chain in the following way:

1. During the first backup session, Veeam Backup for Microsoft Azure creates a snapshot of all Azure file
share data and saves it in the Azure region where the processed file share resides. This snapshot becomes
a starting point in the snapshot chain.

2. During subsequent backup sessions, Veeam Backup for Microsoft Azure creates snapshots with only those
files and directories that have changed since the previous backup session.

For more information on how snapshots work, see Microsoft Docs.

Each cloud-native snapshot in the snapshot chain contains metadata. Metadata includes information about the
processed Azure file share, the backup policy that created the snapshot, and a number of snapshots in the chain.
Veeam Backup for Microsoft Azure uses metadata to identify outdated snapshots, to load the configuration of a
source Azure file shares during recovery operations, and so on.

160 | V eeam Backup for Microsoft Azure | User Guide

Cloud-native snapshots act as independent restore points for backed -up Azure file shares. If you remove any
snapshot, it will not break the snapshot chain — you will still be able to roll back your data to any existing
restore point.

The number of cloud-native snapshots kept in the snapshot chain is defined by retention policy settings. For
more information, see Retention Policy for Snapshots.

161 | V eeam Backup for Microsoft Azure | User Guide

Retention Policy
Cloud-native snapshots and image-level backups are not kept forever — they are removed according to
retention policy settings specified in the backup schedule settings while creating a backup policy.

Depending on the data protection scenario, retention policy can be specified:

• In restore p oints — for cloud-native snapshots.

The snapshot chain can contain only the allowed number of restore points. If the number of allowed
restore points is exceeded, Veeam Backup for Microsoft Azure removes the earliest restore point from the
snapshot chain. For more information, see Retention Policy for Snapshots.

• In d ays/months/years — for image-level backups and archives.

Restore points in the backup chain can be stored only for the allowed period of time. If a restore point is
older than the specified limit, Veeam Backup for Microsoft Azure removes it from the backup chain. For
more information, see sections Retention Policy for Backups and Retention Policy for Archived Backups.

You can also specify retention settings for snapshots that become obsolete. For more information, see
Configuring Global Retention Settings.

Retention Policy for Snapshots

For cloud-native snapshots, Veeam Backup for Microsoft Azure retains the number of latest restore points
defined in backup scheduling settings.

During every successful backup session, Veeam Backup for Microsoft Azure creates a new restore point. If
Veeam Backup for Microsoft Azure detects that the number of restore points in the snapshot chain exceeds the
retention limit, it removes the earliest restore point from the chain. For more information on the snapshot
deletion process, see Microsoft Docs.

NOTE

Consider that Veeam Backup for Microsoft Azure does not apply retention policy settings to cloud -native
snapshots created manually. To learn how to remove these snapshots, see sections Managing VM Data and
Managing File Share Data.

Retention Policy for Backups

For image-level backups, Veeam Backup for Microsoft Azure retains restore points for the number of days
defined in backup scheduling settings.

162 | V eeam Backup for Microsoft A zure | User Guide

To track and remove outdated restore points from a backup chain, Veeam Backup for Microsoft Azure performs
the following actions once a day.

1. Veeam Backup for Microsoft Azure checks the configuration database to detect blob containers that
contain outdated restore points.

2. If an outdated restore point exists in a blob container, Veeam Backup for Microsoft Azure deploys a worker
instance in an Azure region in which the container with backed -up data resides.

3. Veeam Backup for Microsoft Azure transforms the backup chain in the following way:

a. Veeam Backup for Microsoft Azure rebuilds the full backup to include data of the incremental backup
that follows the full backup. To do that, Veeam Backup for Microsoft Azure injects into the full
backup data blocks from the earliest incremental backup in the chain. This way, the full backup
‘moves’ forward in the backup chain.

b. Veeam Backup for Microsoft Azure removes the earliest incremental backup from the chain as
redundant — this data has already been injected into the full backup.

3. Veeam Backup for Microsoft Azure repeats step 2 for all other outdated restore points found in the backup
chain until all the restore points are removed. As data from multiple restore points is injected into the
rebuilt full backup, Veeam Backup for Microsoft Azure ensures that the backup chain is not broken and
that you will be able to recover your data when needed.

Retention Policy for Archived Backups

For archived backups, Veeam Backup for Microsoft Azure retains restore points for the number of days defined
in backup scheduling settings.

To track and remove outdated restore points from an archive backup chain, Veeam Backup for Microsoft Azure
performs the following actions once a day:

1. Veeam Backup for Microsoft Azure checks the configuration database to detect archive backup
repositories that contain outdated restore points.

163 | V eeam Backup for Microsoft A zure | User Guide

 2. If an outdated restore point exists in a repository, Veeam Backup for Microsoft Azure transforms the
archive backup chain in the following way:

a. Veeam Backup for Microsoft Azure rebuilds the full archive backup to include in it data of the
incremental archive backup that follows the full archive backup. To do that, Veeam Backup for
Microsoft Azure injects into the full archive backup data blocks from the earliest incremental archive
backup in the chain. This way, the full archive backup ‘moves’ forward in the archive backup chain.

b. Veeam Backup for Microsoft Azure removes the earliest incremental archive backup from the chain as
redundant — this data has already been injected into the full archive backup.

3. Veeam Backup for Microsoft Azure repeats step 2 for all other outdated restore points found in the archive
backup chain until all the restore points are removed. As data from multiple restore points is injected into
the rebuilt full archive backup, Veeam Backup for Microsoft Azure ensures that the archive backup chain is
not broken and that you will be able to recover your data when needed.

164 | V eeam Backup for Microsoft Azure | User Guide

Performing VM Backup
To produce cloud-native snapshots and image-level backups of Azure VMs, Veeam Backup for Microsoft Azure
runs backup policies. A backup policy is a collection of settings that define the way backup operations are
performed: what data to back up, where to store backups, when to start the backup process, and so on.

One backup policy can be used to process multiple Azure VMs within different regions, but you can back up each
Azure VM with one backup policy at a time. If an Azure VM is added to more than one backup policy, it will be
processed only by a backup policy that has the highest priority. Other backup policies will skip this Azure VM
from processing. For information on how to set a priority for a backup policy, see Setting Backup Policy Priority.

To schedule data protection tasks to run automatically, create backup policies. For each protected Azure VM,
you can also take a cloud-native snapshot manually when needed.

165 | V eeam Backup for Microsoft A zure | User Guide

Creating VM Backup Policies
To create a backup policy, do the following:

1. Launch the Add VM Policy wizard.

2. Specify a backup policy name and description.

3. Configure backup source settings.

4. Configure guest processing options.

5. Configure backup target settings.

6. Create a schedule for the backup policy.

7. Specify automatic retry, health check and notification settings for the backup policy.

8. Review the estimated cost of protecting the selected Azure VMs.

9. Finish working with the wizard.

166 | V eeam Backup for Microsoft A zure | User Guide

Step 1. Launch Add VM Policy Wizard
To launch the Ad d VM Policy wizard, do the following:

1. Navigate to P olicies > Virtual Machines.

2. Click Ad d .

167 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Specify Backup Policy Name
At the P olicy Info step of the wizard, use the Na me and Description fields to enter a name for the new backup
policy and to provide a description for future reference. The maximum length of the name is 255 characters. The
following characters are not supported: * : / \ ? " < > | ! @ # $ % ^ & ,.

168 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Configure Backup Source Settings
At the Sources step of the wizard, specify backup source settings:

1. Select the Azure Active Directory where Azure VMs that you plan to back up reside .

2. Choose regions where Azure VMs that you want to back up reside.

3. Select resources to back up.

169 | V eeam Backup for Microsoft A zure | User Guide

Step 3a. Select Azure Account
In the Source section of the Sources step of the wizard, specify an Azure account whose permissions will be used
to access Azure services and resources, and to create cloud-native snapshots of Azure VMs.

1. Click Select Azure Active Directory.

2. In the Choose a n Azure account from the available list window, select the necessary Azure account from
the available accounts list. The specified Azure account must belong to a tenant that manages the Azure
VMs that you want to protect, and must be assigned permissions listed in section Azure Account
Permissions.

For an Azure account to be displayed in the list of available accounts, it must be added to Veeam Backup
for Microsoft Azure as described in section Adding Azure Service Accounts. If you have not added the
necessary Azure account to Veeam Backup for Microsoft Azure b eforehand, you can do it without closing
the Ad d VM P olicy wizard. To add an Azure account, click Ad d and complete the Ad d Azure account
wizard.

3. To save changes made to the backup policy settings, click Ap p ly.

170 | V eeam Backup for Microsoft Azure | User Guide

Step 3b. Select Regions
In the Reg ion section of the Sources step of the wizard, select regions where Azure resources that you want to
back up reside:

1. Click Choose regions.

2. In the Choose regions window, select the necessary regions from the Ava ilable regions list, and then click
Ad d .

3. To save changes made to the backup policy settings, click Ap p ly.

171 | V eeam Backup for Microsoft Azure | User Guide

Step 3c. Select Resources
In the Resources section of the Sources step of the wizard, select resources that you want to back up or to
exclude from the policy:

1. Click Select resources to protect.

2. In the Choose resource protection options window, choose whether you want to back up all Azure
resources from the regions selected at step 3b, or only specific resources.

If you select the All resources option, Veeam Backup for Microsoft Azure will regularly check for new
Azure VMs launched in the selected regions and automatically update the backup policy settings to
include these VMs in the backup scope.

If you select the P rotect the following resources option, you must also specify the resources explicitly:

a. From the Resource type drop-down list, select either of the following options:

▪ Subscription — to back up Azure VMs that belong to specific subscriptions.

▪ Resource group — to back up Azure VMs that belong to specific resource groups.

▪ Tag — to back up Azure VMs that have specific tags assigned.

▪ Virtual machine — to back up only specific Azure VMs.

b. Use the search field to the right of the Resource type list to find the necessary resource, and then
click P rotect to add the resource to the backup scope.

For a resource to be displayed in the list of available resources, it must reside in an Azure region that
has ever been specified in any backup policy. Otherwise, the only option to discover available
resources is to click Browse to select specific source from the global list and wait for Veeam Backup
for Microsoft Azure to populate the resource list.

TI P

You can simultaneously add multiple resources to the backup scope. To do that, click Browse to select
sp ecific source from the global list , select check boxes next to the necessary items in the list of available
resources, and then click P rotect.

If the list does not show the resources that you want to back up, click Rescan to launch the data collection
process. As soon as the process is over, Veeam Backup for Microsoft Azure will update the resource list.

If you still cannot find the necessary resources in the list, make sure that the Microsoft.ManagedServices
provider is registered in the subscription to which the resources belong, return to step 3a and click Rescan
in the Choose an Azure account from the available list window. To learn how to register a resource
provider, see Microsoft Docs.

IMP ORTANT

For the list of resources to be displayed correctly, make sure that your web browser zoom does not exceed
135%.

If you add a tag to the backup scope, Veeam Backup for Microsoft Azure will regularly check for new Azure
VMs assigned the added tag and automatically update the backup policy settings to include these VMs in
the scope. However, this applies only to Azure VMs from the regions selected at step 3b. If you select a
tag assigned to Azure VMs from other regions, these VMs will not be protected by the backup policy. To
work around the issue, either go back to step 3b and add the missing regions, or create a new backup
policy.

172 | V eeam Backup for Microsoft Azure | User Guide

 4. To save changes made to the backup policy settings, click Ap p ly.

TIP

As an alternative to selecting the P rotect the following resources option and specifying the resources
explicitly, you can select the All resources option and exclude a number of resources from the backup
scope. To do that, click Select resources to exclude and specify Azure VMs that you do not want to back up
— the procedure is the same as described for including resources in the backup scope.

Consider that if a resource appears both in the list of included and excluded resources, Veeam Backup for
Microsoft Azure will still not process the resource because the list of excluded resources has a higher
priority.

173 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Specify Guest Processing Settings
If you want to back up Azure VMs that are currently running, you can configure guest processing settings at the
Guest Processing step of the wizard. These settings allow you to specify what actions Veeam Backup for
Microsoft Azure will perform when communicating with the guest OSes.

Particularly, you can specify the following guest processing settings:

• Application-aware processing. For Windows-based Azure VMs running VSS-aware applications, you can
enable application-aware processing to ensure that the applications will be able to recover successfully,
without data loss.

Application-aware processing is the Veeam technology based on Microsoft VSS. This option can be applied
only to the Windows-based Azure VMs that support Microsoft VSS. For more information on Microsoft
VSS, see Microsoft Docs.

• Guest scripting. You can instruct Veeam Backup for Microsoft Azure to run custom scripts on the
processed Azure VM before and after the backup operation. For example, Veeam Backup for Microsoft
Azure can execute a pre-snapshot script on the VM to quiesce these applications. This will allow Veeam
Backup for Microsoft Azure to create a transactionally consistent snapshot while no write operations occur
on the virtual disks. After the snapshot is created, a post-snapshot script can start the applications again.

Limitations and Requirements

When creating transactionally consistent backups, Veeam Backup for Microsoft Azure uses the Azure Service Bus
service to stop and start applications running on the processed Windows-based Azure VMs. To ensure proper
communication of the backup appliance and the guest OSes, all Windows-based Azure VMs for which you plan
to enable guest processing must have the 443 network port opened.

In case firewall rules configured for the Azure VMs do not allow inbound and outbound access using the 443
port, you must allow HTTPS traffic over 443 port for <FQDN>.servicebus.windows.net, where <FQDN> is
the name of the Service Bus namespace used by the Veeam backup service.

To find the Service Bus namespace name, do the following:

1. Log in to the Microsoft Azure portal.

2. Select the Azure service where the backup appliance belongs.

3. Choose the resource group associated with the backup appliance.

4. On the Resources tab of the Overview page, type type==Service Bus Namespace in the search field and
press [ENTER] on the keyboard.

The Service Bus namespace name will be displayed in the Na me column of the resource table.

Enabling Application-Aware Processing

To enable application-aware processing, in the Ap p lication Processing section of the Guest Processing step of
the wizard, set the E na ble application aware snapshots toggle to On.

174 | V eeam Backup for Microsoft Azure | User Guide

 IMP ORTANT

While creating application-aware snapshots, VSS Guest Agent uses the VSS Copy Backup type to create
snapshots of the processed Azure VMs during the backup policy session. This type of VSS backup does not
support truncation of transaction log. For more information on VSS Backup types, see Microsoft Docs.

Limitation and Considerations

To enable application-aware processing, VSS agents must be installed on source Azure VMs. To install VSS
agents, Veeam Backup for Microsoft Azure runs a specific PowerShell script on the source Azure VMs. That is
why if you use PowerShell execution policies to control the conditions under which PowerShell loads
configuration files and runs scripts on your source VMs, make sure that the Loca lMachine scope is set to the
RemoteSigned value. Otherwise, Veeam Backup for Microsoft Azure will not be able to run the script and
application-aware processing will fail.

Enabling Guest Scripting

To enable guest scripting, at the Guest Processing step of the wizard, do the following:

• For Azure VMs running Linux OS, set the Scripting for Linux instances toggle to On.

The Sp ecify scripting settings for Linux instances window will open.

• For Azure VMs running Microsoft Windows OS, set the Scripting for Microsoft Windows instances toggle to
On.
The Sp ecify scripting settings for W indows instances window will open.

IMP ORTANT

Supported script formats:

• For Windows-based Azure VMs Veeam Backup for Microsoft Azure supports the EXE, BAT, CMD,
WSF, JS, VBS and PS1 file formats.
• For Linux-based Azure VMs Veeam Backup for Microsoft Azure supports the SH file format.

175 | V eeam Backup for Microsoft Azure | User Guide

In the opened window, specify pre-snapshot and post-snapshot scripts that must be executed before and after
the backup operation:

1. In the P re-snapshot script section, do the following:

a. In the P a th in guest field, specify a path to the directory on an Azure VM where the pre-snapshot
script file resides.

b. In the Arg uments field, specify additional arguments that must be passed to the script when the script
is executed.

You can use runtime variables as arguments for the script. To see the list of available variables, click
P a rameters.

IMP ORTANT

Veeam Backup for Microsoft Azure will try to run a script residing in the specified directory for all Azure
VMs added to the backup policy. If you want to execute different scripts for different Azure VMs, ensure
that script files uploaded to these VMs have the same path and name.

2. Repeat step 1 for the post-snapshot scripts in the P ost-snapshot script section.

3. In the Ad d itional Options section, choose whether you want to run scripts only while creating repository
snapshots, to proceed with snapshot creation even though scripts are missing on some of the processed
instances, and to ignore exit codes returned while executing the scripts.

4. Click Ap p ly.

176 | V eeam Backup for Microsoft Azure | User Guide

Step 5. Configure Backup Target Settings
By default, backup policies create only cloud-native snapshots of processed Azure VMs. At the Ta rgets step of
the wizard, you can enable the following additional data protection scenarios:

• In the Sna pshot section, you can assign tags to cloud-native snapshots of the selected Azure VMs:

a. Click Ta g s from source volumes will not be copied and custom tags will not be applied .

b. In the Ta g s configurations window, choose whether you want to assign tags to the created snapshots.

▪ To assign already existing tags from the source virtual disks, select the Cop y Tags from source
volume check box.

▪ To assign your own custom tags, set the Ad d custom tags to created snapshots toggle to On,
and specify the tags explicitly. Click Ap p ly. Note that you cannot add more than 5 custom tags.

• In the Ba ckups section, set the E na ble backups toggle to On to instruct Veeam Backup for Microsoft Azure
to create image-level backups.

177 | V eeam Backup for Microsoft Azure | User Guide

Step 6. Specify Policy Scheduling Options
You can instruct Veeam Backup for Microsoft Azure to start the backup policy automatically according to a
specific backup schedule. The backup schedule defines how often data of the Azure VMs added to the backup
policy will be backed up.

To help you implement a comprehensive backup strategy, Veeam Backup for Microsoft Azure allows you to
create schedules of the following types:

• Daily — the backup policy will create restore points repeatedly throughout a day on specific days.

• Weekly — the backup policy will create restore points once a day on specific days.

• Monthly — the backup policy will create restore points once a month on a specific day.

• Yearly — the backup policy will create restore points once a year on a specific day.

Combining multiple schedule types together allows you to retain restore points for longer periods of time — for
more information, see Enabling Harmonized Scheduling. Combining multiple schedule types together also
allows you to archive backups — for more information, see Enabling Backup Archiving.

Specifying Daily Schedule

To create a daily schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the Da ily retention toggle to On and click E d it Daily Settings.

2. In the Da ily schedule window, select hours when the backup policy will create cloud -native snapshots and
image-level backups. Use the Run a t drop-down list to choose whether you want the backup policy to run
every day, on weekdays (Monday through Friday) or on specific days.

If you want to protect Azure VM data more frequently, you can instruct the backup policy to create
multiple cloud-native snapshots per hour. To do that, click the link to the right of the Sna pshots hour
selection area, and specify the number of cloud-native snapshots that the backup policy will create within
an hour.

NOTE

Veeam Backup for Microsoft Azure does not create image-level backups independently from cloud-native
snapshots. That is why when you select hours for image-level backups, the same hours are automatically
selected for cloud-native snapshots. To learn how Veeam Backup for Microsoft Azure performs backup, see
How Backup Works.

3. In the Da ily retention section, configure retention policy settings for the daily schedule:

o For cloud-native snapshots, specify the number of restore points that you want to keep in a snapshot
chain.

If the restore point limit is exceeded, Veeam Backup for Microsoft Azure removes the earliest restore
point from the chain. For more information, see Retention Policy for Snapshots.

IMP ORTANT

To allow the CBT mechanism to be used when processing Azure VM data, you must keep at least one
snapshot in the snapshot chain. However, by design, Veeam Backup for Microsoft Azure permanently
retains 2 cloud-native snapshots in the chain due to the CBT mechanism limitations. To learn how the CBT
mechanism works, see Changed Block Tracking.

178 | V eeam Backup for Microsoft Azure | User Guide

 o For image-level backups, specify the number of days (or months) for which you want to keep restore
points in a backup chain.

If a restore point is older than the specified time limit, Veeam Backup for Microsoft Azure removes the
restore point from the chain. For more information, see Retention Policy for Backups.

5. In the Rep ository section, select a backup repository where the created image-level backups will be
stored.

For a backup repository to be displayed in the Rep ository list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Backup Repositories.

6. To save changes made to the backup policy settings, click Ap p ly.

Specifying Weekly Schedule

To create a weekly schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the W eekly retention toggle to On and click E d it W eekly Settings.

2. In the W eekly schedule window, select days of the week when the backup policy will create cloud -native
snapshots and image-level backups. Use the Create restore points at drop-down list to schedule a specific
time for the backup policy to run.

NOTE

Veeam Backup for Microsoft Azure does not create image-level backups independently from cloud-native
snapshots. That is why when you select days for image-level backups, the same days are automatically
selected for cloud-native snapshots. To learn how Veeam Backup for Microsoft Azure performs backup, see
How Backup Works.

179 | V eeam Backup for Microsoft Azure | User Guide

 4. In the W eekly retention section, configure retention policy settings for the weekly schedule:

o For cloud-native snapshots, specify the number of restore points that you want to keep in a snapshot
chain.

If the restore point limit is exceeded, Veeam Backup for Microsoft Azure removes the earliest restore
point from the chain. For more information, see Retention Policy for Snapshots.

IMP ORTANT

To allow the CBT mechanism to be used when processing Azure VM data, you must keep at least one
snapshot in the snapshot chain. However, by design, Veeam Backup for Microsoft Azure permanently
retains 2 cloud-native snapshots in the chain due to the CBT mechanism limitations. To learn how the CBT
mechanism works, see Changed Block Tracking.

o For image-level backups, specify the number of days (or months) for which you want to kee p restore
points in a backup chain.

If a restore point is older than the specified time limit, Veeam Backup for Microsoft Azure removes the
restore point from the chain. For more information, see Retention Policy for Backups.

5. In the Rep ository section, select a backup repository where the created image-level backups will be
stored.

For a backup repository to be displayed in the Rep ository list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Backup Repositories.

6. To save changes made to the backup policy settings, click Ap p ly.

180 | V eeam Backup for Microsoft Azure | User Guide

Specifying Monthly Schedule
To create a monthly schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the Monthly retention toggle to On and click E d it Monthly Settings.

2. In the Monthly schedule window, select months when the backup policy will create cloud -native
snapshots and image-level backups. Use the Create restore points at and Run on drop-down lists to
schedule a specific time and day for the backup policy to run.

NOTE

Veeam Backup for Microsoft Azure does not create image-level backups independently from cloud-native
snapshots. That is why when you select months for image-level backups, the same months are
automatically selected for cloud-native snapshots. To learn how Veeam Backup for Microsoft Azure
performs backup, see How Backup Works.

3. In the Monthly retention section, configure retention policy settings for the monthly schedule:

o For cloud-native snapshots, specify the number of restore points that you want to keep in a snapshot
chain.

If the restore point limit is exceeded, Veeam Backup for Microsoft Azure removes the earliest restore
point from the chain. For more information, see Retention Policy for Snapshots.

IMP ORTANT

To allow the CBT mechanism to be used when processing Azure VM data, you must keep at least one
snapshot in the snapshot chain. However, by design, Veeam Backup for Microsoft Azure permanently
retains 2 cloud-native snapshots in the chain due to the CBT mechanism limitations. To learn how the CBT
mechanism works, see Changed Block Tracking.

o For image-level backups, specify the number of days (or months) for which you want to keep restore
points in a backup chain.

If a restore point is older than the specified time limit, Veeam Backup for Microsoft Azure removes the
restore point from the chain. For more information, see Retention Policy for Backups.

5. In the Rep ository section, select a backup repository where the created image-level backups will be
stored.

For a backup repository to be displayed in the Rep ository list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Backup Repositories.

181 | V eeam Backup for Microsoft Azure | User Guide

 6. To save changes made to the backup policy settings, click Ap p ly.

Specifying Yearly Schedule

[This step applies only if you have instructed Veeam Backup for Microsoft Azure to create image -level backups
at the Ta rgets step of the wizard]

To create a yearly schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the Y ea rly retention toggle to On and click E d it Yearly Settings.

2. In the Y early schedule window, specify a day, month and time when the backup policy will create image-
level backups.

3. In the Keep backups for field, specify the number of years for which you want to keep restore points in a
backup chain.

If a restore point is older than the specified time limit, Veeam Backup for Microsoft Azure removes the
restore point from the chain. For more information, see Retention Policy for Backups.

4. In the Rep ository section, select a backup repository where the created image-level backups will be
stored.

For a backup repository to be displayed in the Rep ository list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Backup Repositories.

182 | V eeam Backup for Microsoft A zure | User Guide

 5. To save changes made to the backup policy settings, click Ap p ly.

Enabling Harmonized Scheduling

When you combine multiple types of schedules, Veeam Backup for Microsoft Azure applies the harmonization
mechanism that allows you to leverage restore points for long -term retentions instead of taking a new restore
point every time. The mechanism simplifies the backup schedule, optimizes the backup performance and
reduces the cost of storing restore points.

With harmonized scheduling, Veeam Backup for Microsoft Azure can keep restore points created according to a
daily, weekly or monthly schedule for longer periods of time:

• Cloud-native snapshots can be kept for weeks and months.

• Image-level backups can be kept for weeks, months and years.

For Veeam Backup for Microsoft Azure to use the harmonization mechanism, there must be specified at least 2
different schedules: one schedule will control the regular creation of restore points, while another schedule will
control the process of retaining restore points. In terms of harmonized scheduling, Veeam Backup for Microsoft
Azure re-uses restore points created according to a more-frequent schedule (daily, weekly or monthly) to
achieve the desired retention for less-frequent schedules (weekly, monthly and yearly). Each restore point is
marked with a flag of the related schedule type: the (D) flag is used to mark restore points created daily, (W) —
weekly, (M) — monthly, and (Y) — yearly. Veeam Backup for Microsoft Azure uses these flags to control the
retention period for the created restore points. Once a flag of a less-frequent schedule is assigned to a restore
point, this restore point can no longer be removed — it is kept for the period defined in the retention settings.
When the specified retention period is over, the flag is unassigned from the restore point. If the restore point
does not have any other flags assigned, it is removed according to the retention settings of a more -frequent
schedule.

183 | V eeam Backup for Microsoft Azure | User Guide

 NOTE

Restore points created according to a more-frequent schedule and less-frequent schedules and stores in
the same backup repository, compose a single backup or snapshot chain and uses the same backup
repository. This means that regardless of flags assigned to restore points, Veeam Backup for Microsoft
Azure adds the restore points to the chain as described in sections Backup Chain and Snapshot Chain.

Consider the following example. You want a backup policy to create cloud-native snapshots of your critical
workloads 3 times a day, to keep 3 daily snapshots in the snapshot chain, and also to retain one of the created
snapshots for 2 weeks. In this case, you create 2 schedules when configuring the backup policy settings — daily
and weekly:

1. In the daily scheduling settings, you select hours and days when snapshots will be created (for example,
7:00 AM, 9:00 AM, and 11:00 AM; Working Days ), and specify the number of daily restore points to retain
(for example, 3).

Veeam Backup for Microsoft Azure will propagate these settings to the schedule with a lower frequency
(which is the weekly schedule in our example).

184 | V eeam Backup for Microsoft Azure | User Guide

 2. In the weekly scheduling settings, you specify which one of the snapshots created by the daily schedule
will be kept, and choose for how long you want to keep the selected snapshot.

For example, if you want to keep the daily restore point created at 7:00 AM on Monday for 2 weeks, you
select 7:00 AM, Monday and specify 2 restore points to retain in the weekly schedule settings.

According to the specified scheduling settings, Veeam Backup for Microsoft Azure will create cloud -native
snapshots in the following way:

1. On the first work day (Monday), a backup session will start at 7:00 AM to create the first restore point.
The restore point will be marked with the (D) flag as it was created according to the daily schedule.

Since 7:00 AM, Monday is specified in the weekly scheduling settings, Veeam Backup for Microsoft Azure
will assign the (W) flag to this restore point.

2. On the same day (Monday), after backup sessions run at 9:00 AM and 11:00 AM, the created restore
points will be marked with the (D) flag.

185 | V eeam Backup for Microsoft Azure | User Guide

 3. On the next work day (Tuesday), after a backup session runs a t 7:00 AM, the created restore point will be
marked with the (D) flag.

At the moment the backup session completes, the number of restore points with the (D) flag will exceed
the retention limit specified in the daily scheduling settings. However, Veeam Backup for Microsoft Azure
will not remove the earliest restore point ( 7:00 AM, Monday ) with the (D) flag from the snapshot chain as
this restore point is also marked with a flag of a less-frequent schedule. Instead, Veeam Backup for
Microsoft Azure will unassign the (D) flag from the restore point. This restore point will be kept for the
retention period specified in the weekly scheduling settings (that is, for 2 weeks).

4. On the same day (Tuesday), after a backup session runs at 9:00 AM, the number of res tore points with the
(D) flag will exceed the retention limit once again. Veeam Backup for Microsoft Azure will remove from
the snapshot chain the restore point created at 9:00 AM on Monday as no flags of a less -frequent
schedule are assigned to this restore point.

5. Veeam Backup for Microsoft Azure will continue creating restore points for the next week in the same way
as described in steps 1–4.

6. On week 3, after a backup session runs at 7:00 AM on Monday, the number of kept restore points will
exceed the retention limit. Veeam Backup for Microsoft Azure will unassign the (W) flag from the earliest
kept restore point. Since no other flags are assigned to this restore point, Veeam Backup for Microsoft
Azure will remove this restore point from the snapshot chain.

Enabling Backup Archiving

When you combine multiple types of schedules, you can enable the archiving mechanism to instruct Veeam
Backup for Microsoft Azure to store backed-up data in the low-cost, long-term Archive access tier. The
mechanism is the most useful in the following cases:

• Your data retention policy requires that you keep rarely accessed data in an archive.

186 | V eeam Backup for Microsoft Azure | User Guide

 • You want to reduce data-at-rest costs and to save space in the high-cost, short-term Hot and Cool access
tiers.

NOTE

Restoring from an archived backup is longer and more expensive than restoring from a regular backup as it
is required to retrieve data from the archive repository. For more information, see Retrieving Data From
Archive.

With backup archiving, Veeam Backup for Microsoft Azure can retain backups created according to a daily,
weekly or monthly schedule for longer periods of time:

• To enable monthly archiving, you must configure a daily or a weekly schedule (or both).

• To enable yearly archiving, you must configure a daily, a weekly or a monthly schedule (or all three).

For Veeam Backup for Microsoft Azure to use the archiving mechanism, there must be specified at least 2
different schedules: one schedule will control the regular creation of backups, while another schedule will
control the process of copying backups to an archive repository. Backup chains created according to these two
schedules will be completely different — for more information, see Backup Chain and Archive Backup Chain.

Consider the following example. You want a backup policy to create image-level backups of your critical
workloads once a week, to keep the backed-up data in a backup repository for 3 weeks, and also to keep
backups created once in 2 months in an archive repository for a year. In this case, you create 2 schedules when
configuring the backup policy settings — weekly and monthly:

1. In the weekly scheduling settings, you do the following:

a. Specify hours and days when backups will be created (for example, 7:00 AM, Monday ), and specify
the number of days for which Veeam Backup for Microsoft Azure will retain backups (for example, 21
days).

187 | V eeam Backup for Microsoft Azure | User Guide

 b. Select a repository with the Hot or Cool access tier that will store regular backups.

Veeam Backup for Microsoft Azure will propagate these settings to the archive schedule (which is the
monthly schedule in our example).

2. In the monthly scheduling settings, you do the following:

a. Specify when Veeam Backup for Microsoft Azure will create archive backups, and choose for how long
you want to retain the created backups (for example, January, March, May, July, September,
November, 12 months and First Monday ).

b. Enable the archiving mechanism by selecting a repository with the Archive access tier that will store
archive backups.

188 | V eeam Backup for Microsoft Azure | User Guide

 IMP ORTANT
• When you enable backup archiving, you become no longer able to create a schedule of the same
frequency for regular backups. By design, these two functionalities are mutually exclusive.
• If you enable backup archiving, it is recommended that you set the Sna pshots to keep value to 0, to
reduce unexpected snapshot charges.
• If you enable backup archiving, it is recommended that you set the Keep backups for value to at
least 6 months (or 180 days ), since the minimum storage duration of the Archive access tier is 180
days.
• If you select the On Da y option, harmonized scheduling cannot be guaranteed. Plus, to support the
On Da y option, Veeam Backup for Microsoft Azure will require to create an additional temporary
restore point if there are no other schedules planned to run on that day. However, the temporary
restore point will be removed during the Backup Retention process from Microsoft Azure Storage in
approximately 24 hours, to reduce unexpected infrastructure charges.

According to the specified scheduling settings, Veeam Backup for Microsoft Azure will create image -level
backups in the following way:

1. On the first Monday of February, a backup session will start at 7:00 AM to create the first restore point in
the regular backup chain. Veeam Backup for Microsoft Azure will store this restore point as a full backup in
the backup repository.

189 | V eeam Backup for Microsoft Azure | User Guide

 2. On the second and third Mondays of February, Veeam Backup for Microsoft Azure will create restore
points at 7:00 AM and add them to the regular backup chain as incremental backups in the backup
repository.

3. On the fourth Monday of February, Veeam Backup for Microsoft Azure will create a new restore point at
7:00 AM. By the moment the backup session completes, the earliest restore point in the regular backup
chain will get older than the specified retention limit. That is why Veeam Backup for Microsoft Azure will
rebuild the full backup and remove from the chain the restore point created on the first Monday.

For more information on how Veeam Backup for Microsoft Azure transforms regular backup chains, see
Retention Policy for Backups.

190 | V eeam Backup for Microsoft Azure | User Guide

 4. On the first Monday of March, a backup session will start at 7:00 AM to create another restore point in the
regular backup chain. At the same time, the earliest restore point in the regular backup chain will get older
than the specified retention limit again. That is why Veeam Backup for Microsoft Azure will rebuild the full
backup again and remove from the chain the restore point created on the second Monday.

After the backup session completes, an archive session will create a restore point with all data from the
regular backup chain. Veeam Backup for Microsoft Azure will copy this restore point as a full archive
backup to the archive repository.

5. Up to May, Veeam Backup for Microsoft Azure will continue adding new restore points to the regular
backup chain and deleting outdated backups from the backup repository, according to the specified
weekly scheduling settings.

On the first Monday of May, an archive session will create a restore point with only that data that has
changed since the previous archive session in March. Veeam Backup for Microsoft Azure will copy this
restore point as an incremental archive backup to the archive repository.

191 | V eeam Backup for Microsoft Azure | User Guide

 6. Up to the first Monday of February of the next year, Veeam Backup for Microsoft Azure will continue
adding new restore points to the regular backup chain and deleting outdated backups from the backup
repository, according to the specified weekly scheduling settings. Veeam Backup for Microsoft Azure wil l
also continue adding new restore points to the archive backup chain, according to the specified monthly
settings.

By the moment the archive session completes, the earliest restore point in the archive backup chain will
get older than the specified retention limit. That is why Veeam Backup for Microsoft Azure will rebuild the
full archive backup and remove from the chain the restore point created on the first Monday of March of
the previous year.

For more information on how Veeam Backup for Microsoft Azure transforms archive backup chains, see
Retention Policy for Archived Backups.

192 | V eeam Backup for Microsoft A zure | User Guide

Step 7. Configure General Settings
At the Settings step of the wizard, you can enable automatic retries, schedule health checks and specify
notification settings for the backup policy.

Automatic Retry Settings

To instruct Veeam Backup for Microsoft Azure to run the backup policy again if it fails on the first try, do the
following:

1. In the Schedule section of the step, select the Automatic retry failed policy check box.

2. In the field to the right of the check box, specify the maximum number of attempts to run the backup
policy. The time interval between retries is 600 seconds.

When retrying backup policies, Veeam Backup for Microsoft Azure processes only those Azure VMs that failed to
be backed up during the previous attempt.

NOTE

The automatic retry settings apply only to backup policies that run according to specific schedules — these
settings do not apply to policies started manually.

Health Check Settings

If you have enabled creation of image-level backups at step 5, you can instruct Veeam Backup for Microsoft
Azure to periodically perform a health check for backup restore points created by the backup policy. During the
health check, Veeam Backup for Microsoft Azure performs an availability check for data blocks in the whole
regular backup chain, and a cyclic redundancy check (CRC) for metadata to verify its integrity. The health check
helps you ensure that the restore points are consistent and that you will be able to restore data using these
restore points. For more information on the health check, see How Health Check Works.

NOTE

During a health check, Veeam Backup for Microsoft Azure does not verify archived restore points created
by the policy.

To instruct Veeam Backup for Microsoft Azure to perform a monthly health check, do the following:

1. In the Hea lth check section of the step, set the E na ble health check toggle to On.

2. Use the Run on drop-down lists to schedule a specific day for the health check to run.

NOTE

Veeam Backup for Microsoft Azure performs the health check during the last policy session that runs on
the day when the health check is scheduled. If another backup policy session runs on the same day, Veeam
Backup for Microsoft Azure will not perform the health check during that session. For example, if the
backup policy is scheduled to run multiple times on Saturday, and the health check is also scheduled to run
on Saturday, the health check will only be performed during the last policy session on Saturday.

193 | V eeam Backup for Microsoft A zure | User Guide

Notification Settings
To instruct Veeam Backup for Microsoft Azure to send email notifications for the backup policy, do the
following:

1. In the Notifications section of the step, set the E nabled toggle On.

If you set the toggle to Off, Veeam Backup for Microsoft Azure will send notifications according to the
configured global notification settings.

2. In the E ma il field, specify an email address of a recipient. Use a semicolon to separate multiple recipient
addresses. Do not use spaces after semicolons between the specified email addresses.

3. Use the Notify on list to choose whether you want Veeam Backup for Microsoft Azure to send email
notifications in case the backup policy completes successfully, completes with warnings or completes with
errors.

How Health Check Works

When Veeam Backup for Microsoft Azure saves a new backup restore point to a b ackup repository, it calculates
CRC values for metadata in the backup chain and saves these values to the chain metadata, together with the
instance data. When performing a health check, Veeam Backup for Microsoft Azure verifies the availability of
data blocks and uses the saved values to ensure that the restore points being verified are consistent.

194 | V eeam Backup for Microsoft Azure | User Guide

If you have enabled monthly health checks for the backup policy, Veeam Backup for Microsoft Azure performs
the following operations at the day scheduled for a health check to run:

1. As soon as a backup policy session completes successfully, Veeam Backup for Microsoft Azure starts the
health check as a new session. For each restore point in the standard backup chain, Veeam Backup for
Microsoft Azure calculates CRC values for backup metadata and compares them to the CRC values that
were previously saved to the restore point. Veeam Backup for Microsoft Azure also checks whether data
blocks that are required to rebuild the restore point are available.

If the backup policy session completes with an error, Veeam Backup for Microsoft Azure tries to run the
backup policy again, taking into account the maximum number of retries specified in the automatic retry
settings. After the first successful retry (or after the last one out of the maximum number of retries),
Veeam Backup for Microsoft Azure starts the health check.

2. If Veeam Backup for Microsoft Azure does not detect data inconsistency, the health check session
completes successfully. Otherwise, the session completes with an error.

Depending on the detected data inconsistency, Veeam Backup for Microsoft Azure performs the following
operations:

o If the health check detects corrupted metadata in a full or incremental restore point, Veeam Backup
for Microsoft Azure marks the backup chain as corrupted in the configuration database. During the
next backup policy session, Veeam Backup for Microsoft Azure copies the full instance image, creates
a full restore point in the backup repository and starts a new backup chain in the backup repository.

NOTE

Veeam Backup for Microsoft Azure does not support metadata check for encrypted backup chains.

o If the health check detects corrupted disk blocks in a full or an incremental restore point, Veeam
Backup for Microsoft Azure marks the restore point that includes the corrupted data blocks and all
subsequent incremental restore points as incomplete in the configuration database. During the next
backup policy session, Veeam Backup for Microsoft Azure copies not only those data blocks that have
changed since the previous backup session but also data blocks that have been corrupted, and saves
these data blocks to the latest restore point that has been created during the current session.

195 | V eeam Backup for Microsoft A zure | User Guide

Step 8. Review Estimated Cost
[This step applies only if you have created a schedule for the backup policy at the Schedule step of the wizard]

At the Cost Estimation step of the wizard, review the approximate monthly cost of Azure services that Veeam
Backup for Microsoft Azure will require to protect the Azure VMs added to the backup policy. The total
estimated cost includes the following:

• The cost of creating and maintaining snapshots of the Azure VMs.

For each Azure VM included in the backup policy, Veeam Backup for Microsoft Azure takes into account
the total size of virtual disks attached, the number of restore points to be kept in the snapshot chain, and
the configured scheduling settings.

• The cost of creating and maintaining image-level backups of the Azure VMs.
For each Azure VM included in the backup policy, Veeam Backup for Microsoft Azure takes into account
the total size of virtual disks attached, the number of restore points to be kept in the backup chain, and
the configured scheduling settings.

• The cost of transferring Azure VM data between Azure regions during data protection operations (for
example, if a protected Azure VM and the target storage a ccount reside in different regions).

If you get a warning message regarding additional costs associated with cross -region data transfer, you
can click View details to see available cost-effective options.

• The cost of making API requests to Microsoft Azure during data protection operations.

The estimated cost may occur to be significantly higher due to the backup frequency, cross -region data transfer
and snapshot charges. To reduce the cost, you can try the following workarounds:

• To avoid additional costs related to cross-region data transfer, select a backup repository that resides in
the same region as Azure VMs that you plan to back up.

• To reduce high snapshot charges, adjust the snapshot retention settings to keep less restore points in the
snapshot chain.

• To optimize the cost of storing backups, modify the scheduling settings to run the backup policy less
frequently, or specify an archive repository for long -term retention of restore points.

196 | V eeam Backup for Microsoft A zure | User Guide

197 | V eeam Backup for Microsoft Azure | User Guide
Step 9. Finish Working with Wizard
At the Summary step of the wizard, review summary information and click Finish.

198 | V eeam Backup for Microsoft Azure | User Guide

Creating VM Snapshots Manually
Veeam Backup for Microsoft Azure allows you to manually create snapshots of Azure VMs. Each snapshot is
saved to the same Azure region in which the protected Azure VM resides.

NOTE

Veeam Backup for Microsoft Azure does not include snapshots created manually in the snapshot chain and
does not apply the configured retention policy settings to these snapshots. This means that the snapshots
are kept in your Microsoft Azure environment unless you remove them manually, as described in section
Managing VM Data.

To manually create a cloud-native snapshot of an Azure VM, do the following:

1. Navigate to Resources > Virtual Machines.

2. Select the check box next to the necessary Azure VM and click Ta k e Snapshot Now .

For an Azure VM to be displayed in the list of available resources, it must reside in any of the regions
included in a backup policy as described in section Creating Backup Policies (step 3c).

3. Complete the Ta k e Manual Snapshot wizard:

a. At the Account step of the wizard, select an Azure account whose permissions Veeam Backup for
Microsoft Azure will use to create a snapshot.

For an account to be displayed in the Azure Account list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Azure Service Account or Adding Repository Accounts.

b. At the Op tions step of the wizard, click Ta g s from source volumes will not be copied a nd custom tags
will not be applied to assign tags to cloud-native snapshots.

c. In the Ta g s configurations window, choose whether you want to assign tags to the created snapshot.

▪ To assign already existing tags from the source virtual disks, select the Cop y Tags from source
volume check box.

▪ To assign your own custom tags, set the Ad d custom tags to created snapshots toggle to On,
and specify the tags explicitly. To do that, use the Key and Va lue fields to specify a key and a
value for the new custom tag, and then click Ap p ly.

199 | V eeam Backup for Microsoft A zure | User Guide

 d. At the Summary step of the wizard, review configuration information, choose whether you want to
proceed to the Session Log tab to track the progress of snapshot creation, and click Finish.

200 | V eeam Backup for Microsoft A zure | User Guide

Performing SQL Backup
To produce backups of Azure SQL databases, Veeam Backup for Microsoft Azure runs backup policies. A backup
policy is a collection of settings that define the way backup operations are performed: what data to back up,
where to store backups, when to start the backup process, and so on.

One backup policy can be used to process multiple Azure SQL databases within different regions, but you can
back up each Azure SQL database with one backup policy at a time. If an Azure SQL database is added to more
than one backup policy, it will be processed only by a backup policy that has the highest priority. Other backup
policies will skip this Azure SQL database from processing. For information on how to set a prior ity for a backup
policy, see Setting Backup Policy Priority.

To schedule data protection tasks to run automatically, create backup policies. For each protected Azure SQL
database, you can also create an image-level backup manually when needed.

IMP ORTANT

Veeam Backup for Microsoft Azure does not support back up of databases hosted by Azure Arc -enabled
SQL Managed Instances and SQL Servers on Azure Arc-enabled servers.

201 | V eeam Backup for Microsoft Azure | User Guide

Creating SQL Backup Policies
IMP ORTANT

SQL backup policies can protect only Azure SQL databases running on SQL Servers and databases located
on SQL Managed Instances. If you want to protect a database hosted by a SQL Server on Azure VM, create a
VM backup policy. Note that in this case, you will not be able to restore a single database without restoring
the entire VM.

To create a backup policy, do the following:

1. Launch the Add Azure SQL Policy wizard.

2. Specify a backup policy name and description.

3. Configure backup source settings.

4. Configure processing options.

5. Create a schedule for the backup policy.

6. Specify automatic retry, health check and notification settings for the backup policy .

7. Review the estimated cost of protecting the selected Azure SQL databases.

8. Finish working with the wizard.

202 | V eeam Backup for Microsoft A zure | User Guide

Step 1. Launch Add Azure SQL Policy Wizard
To launch the Ad d Azure SQL Policy wizard, do the following:

1. Navigate to P olicies > Azure SQL.

2. Click Ad d .

203 | V eeam Backup for Microsoft A zure | User Guide

Step 2. Specify Backup Policy Name
At the P olicy Info step of the wizard, use the Na me and Description fields to enter a name for the new backup
policy and to provide a description for future reference. The maximum length of the name is 255 characters. The
following characters are not supported: * : / \ ? " < > | ! @ # $ % ^ & ,.

204 | V eeam Backup for Microsoft A zure | User Guide

Step 3. Configure Backup Source Settings
At the Sources step of the wizard, specify backup source settings:

1. Select an Azure Active Directory where SQL Servers and databases that you plan to back up reside.

2. Choose regions where Azure SQL Servers and databases that you want to back up reside .

3. Select resources to back up.

205 | V eeam Backup for Microsoft A zure | User Guide

Step 3a. Select Azure Account
In the Source section of the Sources step of the wizard, specify an Azure account whose permissions will be used
to access Azure services and resources, and to create backups of Azure SQL Servers and databases.

1. Click Select Azure Active Directory.

2. In the Choose a n Azure account from the available list window, select the necessary Azure account from
the available accounts list. The specified Azure account must belong to a tenant that manages the Azure
VMs that you want to protect, and must be assigned permissions listed in section Azure Account
Permissions.

For an Azure account to be displayed in the list of available accounts, it must be added to Veeam Backup
for Microsoft Azure as described in section Adding Azure Service Accounts. If you have not added the
necessary Azure account to Veeam Backup for Microsoft Azure beforehand, you can do it without closing
the Ad d Azure SQL Policy wizard. To add an Azure account, click Ad d and complete the Ad d Azure account
wizard.

3. Click Ap p ly.

206 | V eeam Backup for Microsoft A zure | User Guide

Step 3b. Select Regions
In the Reg ion section of the Sources step of the wizard, select regions where Azure resources that you want to
back up reside.

1. Click Choose regions.

2. In the Choose regions window, select the necessary regions from the Ava ilable regions list, and then click
Ad d .

3. Click Ap p ly.

207 | V eeam Backup for Microsoft A zure | User Guide

Step 3c. Select Resources
In the Resources section of the Sources step of the wizard, select resources that you want to back up.

1. Click Select resources to protect.

2. In the Choose resource protection options window, choose whether you want to back up all Azure
resources from the regions selected at step 3b, or only specific resources.

If you select the All resources option, Veeam Backup for Microsoft Azure will regularly check for new
Azure SQL databases created in the selected regions and automatically update the backup policy settings
to include these databases in the backup scope.

If you select the P rotect the following resources option, you must also specify the resources explicitly:

a. From the Resource type drop-down list, select either of the following options:

▪ Database — to back up only specific Azure SQL databases.

▪ SQL server — to back up all Azure SQL databases that are located on a specific SQL Server.

b. Use the search field to the right of the Resource type list to find the necessary resource, and then
click P rotect to add the resource to the backup scope.

For a resource to be displayed in the list of available resources, it must reside in an Azure region that
has ever been specified in any backup policy. Otherwise, the only option to discover available
resources is to click Browse to select specific source from the global list and wait for Veeam Backup
for Microsoft Azure to populate the resource list.

TIP

You can simultaneously add multiple resources to the backup scope. To do that, click Browse to select
sp ecific source from the global list , select check boxes next to the necessary items in the list of available
resources, and then click P rotect.

If the list does not show the resources that you want to back up, click Rescan to launch the data collection
process. As soon as the process is over, Veeam Backup for Microsoft Azure will update the resource list.

If you still cannot find the necessary resources in the list, make sure that the Microsoft.ManagedServices
provider is registered in the subscription to which the resources belong, return to the step 3a and click
Rescan in the Choose an Azure account from the available list window. To learn how to register a resource
provider, see Microsoft Docs.

IMP ORTANT

For the list of resources to be displayed correctly, make sure that your web browser zoom does not exceed
135%.

4. To save changes made to the backup policy settings, click Ap p ly.

208 | V eeam Backup for Microsoft A zure | User Guide

 TIP

As an alternative to selecting the P rotect the following resources option and specifying the resources
explicitly, you can select the All resources option and exclude a number of resources from the backup
scope. To do that, click Select resources to exclude and specify the Azure SQL databases that you do not
want to back up — the procedure is the same as described for including resources in the backup scope.

Consider that if a resource appears both in the list of included and excluded resources, Veeam Backup for
Microsoft Azure will still not process the resource because the list of excluded resources has a higher
priority.

209 | V eeam Backup for Microsoft A zure | User Guide

Step 4. Configure Processing Options
At the P rocessing Options step of the wizard, choose whether you want to use a staging server to perform
backup. To learn how Veeam Backup for Microsoft Azure uses staging servers to protect Azure SQL databases,
see How Backup Works.

Protecting Databases Without Staging Server

To back up the selected databases without a staging server, do the following:

1. Select the P rocess databases using the production server option.

2. Click Configure Credentials.

3. In the Choose a SQL account window:

a. For each SQL Server added to the policy, specify an Azure SQL account whose permissions Veeam
Backup for Microsoft Azure will use to authenticate against the server. To do that, select the server
and click E d it. Then, in the E d it Account window, select the necessary account and click Sa ve.

For an account to be displayed in the Account list, it must be added to Veeam Backup for Microsoft
Azure as described in section Adding Accounts. If you have not added the necessary Azure SQL
account to Veeam Backup for Microsoft Azure beforehand, you can do it without closing the Ad d
P olicy wizard. To add an account, click Ad d and complete the Add Account wizard.

b. Click Ap p ly.

Protecting Databases Using Staging Server

To back up the selected databases using a staging server, do the following:

1. Select the Use staging servers option.

2. Click Choose server.

210 | V eeam Backup for Microsoft Azure | User Guide

 3. In the Choose staging server window:

a. From the Staging server drop-down list, select a SQL Server that will be used to copy the databases. If
you plan to back up a database located on an Azure SQL Managed Instance, you must specify the
source SQL Server as a staging server.

For a server to be displayed in the Sta ging server list, it must be added to the Microsoft Azure
environment as described in Microsoft Docs.

IMP ORTANT

If you use custom Transparent Data Encryption (TDE) to protect SQL Server data, consider that the same
Azure Key Vault cryptographic key must be used to encrypt the source and the staging SQL Servers to
allow Veeam Backup for Microsoft Azure to perform backup using the Use staging servers option.

b. From the SQL account drop-down list, select an Azure SQL account whose permissions Veeam Backup
for Microsoft Azure will use to authenticate against the staging server.

For an account to be displayed in the Account list, it must be added to Veeam Backup for Microsoft
Azure as described in section Adding Accounts. If you have not added the necessary Azure SQL
account to Veeam Backup for Microsoft Azure beforehand, you can do it without closing the Ad d
P olicy wizard. To add an account, click Ad d and complete the Add Account wizard.

NOTE

To perform backup with a staging server, Veeam Backup for Microsoft Azure uses the default Azure service
account to send REST API requests to the SQL Servers processed by the backup policy. That is why there is
no need to specify credentials for each SQL Server.

c. Click Ap p ly.

211 | V eeam Backup for Microsoft Azure | User Guide

Step 5. Specify Policy Scheduling Options
You can instruct Veeam Backup for Microsoft Azure to start the backup policy automatically according to a
specific backup schedule. The backup schedule defines how often data of the Azure SQL databases added to the
backup policy will be backed up.

To help you implement a comprehensive backup strategy, Veeam Backup for Microsoft Azure allows you to
create schedules of the following types:

• Daily — the backup policy will create restore points repeatedly throughout a day on specific days.

• Weekly — the backup policy will create restore points once a day on specific days.

• Monthly — the backup policy will create restore points once a month on a specific day.

• Yearly — the backup policy will create restore points once a year on a specific day.

Combining multiple schedule types together allows you to retain restore points for longer periods of time — for
more information, see Enabling Harmonized Scheduling. Combining multiple schedule types together also
allows you to archive backups — for more information, see Enabling Backup Archiving.

Specifying Daily Schedule

To create a daily schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the Da ily retention toggle to On and click E d it Daily Settings.

2. In the Da ily schedule window, select hours when the backup policy will create backups.

3. Use the Run a t drop-down list to choose whether you want the backup policy to run every day, on
weekdays (Monday through Friday) or on specific days.

4. In the Da ily retention section, specify the number of days (or months) for which you want to keep restore
points in a backup chain.

If a restore point is older than the specified time limit, Veeam Backup for Micr osoft Azure removes the
restore point from the chain. For more information, see Retention Policy for Backups.

5. In the Rep ository section, select a backup repository where the created backups will be stored.

For a backup repository to be displayed in the Rep ository list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Backup Repositories.

212 | V eeam Backup for Microsoft A zure | User Guide

 6. To save changes made to the backup policy settings, click Ap p ly.

Specifying Weekly Schedule

To create a weekly schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the W eekly retention toggle to On and click E d it W eekly Settings.

2. In the W eekly schedule window, select days of the week when the backup policy will create backups.

3. Use the Create restore points at drop-down list to schedule a specific time for the backup policy to run.

4. In the W eekly retention section, specify the number of days (or months) for which you want to keep
restore points in a backup chain.

If a restore point is older than the specified time limit, Veeam Backup for Microsoft Azure removes the
restore point from the chain. For more information, see Retention Policy for Backups.

5. In the Rep ository section, select a backup repository where the created backups will be stored.

For a backup repository to be displayed in the Rep ository list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Backup Repositories.

213 | V eeam Backup for Microsoft A zure | User Guide

 6. To save changes made to the backup policy settings, click Ap p ly.

Specifying Monthly Schedule

To create a monthly schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the Monthly retention toggle to On and click E d it Monthly Settings.

2. In the Monthly schedule window, select months when the backup policy will create backups.

3. Use the Create restore points at and Run on drop-down lists to schedule a specific time and day for the
backup policy to run.

4. In the Monthly retention section, specify the number of days (or months) for which you want to keep
restore points in a backup chain.

If a restore point is older than the specified time limit, Veeam Backup for Microsoft Azure removes the
restore point from the chain. For more information, see Retention Policy for Backups.

5. In the Rep ository section, select a backup repository where the created backups will be stored.

For a backup repository to be displayed in the Rep ository list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Backup Repositories.

214 | V eeam Backup for Microsoft Azure | User Guide

 6. To save changes made to the backup policy settings, click Ap p ly.

Specifying Yearly Schedule

[This step applies only if you have instructed Veeam Backup for Microsoft Azure to create image -level backups
at the Ta rgets step of the wizard]

To create a yearly schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the Y ea rly retention toggle to On and click E d it Yearly Settings.

2. In the Y early schedule window, specify a day, month and time when the backup policy will create backups.

3. In the Keep backups for field, specify the number of years for which you want to keep restore points in a
backup chain.

If a restore point is older than the specified time limit, Veeam Backup for Microsoft Azure removes the
restore point from the chain. For more information, see Retention Policy for Backups.

4. In the Rep ository section, select a backup repository where the created backups will be stored.

For a backup repository to be displayed in the Rep ository list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Backup Repositories.

215 | V eeam Backup for Microsoft A zure | User Guide

 5. To save changes made to the backup policy settings, click Ap p ly.

Enabling Harmonized Scheduling

When you combine multiple types of schedules, Veeam Backup for Microsoft Azure applies the harmonization
mechanism that allows you to leverage restore points for long -term retentions instead of taking a new restore
point every time. The mechanism simplifies the backup schedule, optimizes the backup perform ance and
reduces the cost of storing restore points in backup repositories.

With harmonized scheduling, Veeam Backup for Microsoft Azure can keep restore points created according to a
daily, weekly or monthly schedule for longer periods of time (for weeks, months and years).

For Veeam Backup for Microsoft Azure to use the harmonization mechanism, there must be specified at least 2
different schedules: one schedule will control the regular creation of restore points, while another schedule will
control the process of retaining restore points. In terms of harmonized scheduling, Veeam Backup for Microsoft
Azure re-uses restore points created according to a more-frequent schedule (daily, weekly or monthly) to
achieve the desired retention for less-frequent schedules (weekly, monthly and yearly). Each restore point is
marked with a flag of the related schedule type: the (Daily) flag is used to mark restore points created daily,
(Weekly) — weekly, (Monthly) — monthly, and (Yearly) — yearly. Veeam Backup for Microsoft Azure uses these
flags to control the retention period for the created restore points. Once a flag of a less -frequent schedule is
assigned to a restore point, this restore point can no longer be removed — it is kept for the period defined in the
retention settings. When the specified retention period is over, the flag is unassigned from the restore point. If
the restore point does not have any other flags assigned, it is removed according to the retention settings of a
more-frequent schedule.

216 | V eeam Backup for Microsoft A zure | User Guide

Consider the following example. You want a backup policy to create backups of your critical workloads once a
day, to keep 3 daily backups in the backup chain, and also to keep one of the created backups for 2 weeks. In
this case, you create 2 schedules when configuring the backup policy settings — daily and weekly:

1. In the daily scheduling settings, you select hours and days when backups will be created (for example,
7:00 AM; Working Days ), and specify the number of days for which you want to retain daily restore p oints
in a backup chain (for example, 3).

Veeam Backup for Microsoft Azure will propagate these settings to the schedule with a lower frequency
(which is the weekly schedule in our example).

217 | V eeam Backup for Microsoft Azure | User Guide

 2. In the weekly scheduling settings, you specify which one of the backups created by the daily schedule will
be retained for a longer period, and choose for how long you want to keep the selected backup.

For example, if you want to keep the daily restore point created on Monday for 2 weeks, you select 7:00
AM, Monday and specify 14 days in the weekly schedule settings.

According to the specified scheduling settings, Veeam Backup for Microsoft Azure will create image -level
backups in the following way:

1. On the first work day (Monday), a backup session will start at 7:00 AM to create the first restore point.
The restore point will be marked with the (D) flag as it was created according to the daily schedule.

Since 7:00 AM, Monday is specified in weekly schedule settings, Veeam Backup for Microsoft Azure will
assign the (W) flag to this restore point.

2. On the same week, after backup sessions run on Tuesday and Wednesday, the created restore points will
be marked with the (D) flag.

218 | V eeam Backup for Microsoft A zure | User Guide

 3. On the fourth work day (Thursday), after a backup session runs at 7:00 AM, the created restore point will
be marked with the (D) flag.

By this moment, the earliest restore point in the backup chain will get older than the specified retention
limit. However, Veeam Backup for Microsoft Azure will not remove the earliest restore point ( 7:00 AM,
Monday ) with the (D) flag from the backup chain as this restore point is also marked with a flag of a less -
frequent schedule. Instead, Veeam Backup for Microsoft Azure will unassign the (D) flag from the restore
point. This restore point will be kept for the retention period specified in the weekly scheduling settings
(that is, for 2 weeks).

4. On the fifth working day (Friday), after a backup session runs at 7:00 AM, the created restore point will be
marked with the (D) flag.

By this moment, the restore point created on Tuesday with the (D) flag will get older than the specified
retention limit. Veeam Backup for Microsoft Azure will remove from the backup chain the restore point
created at 7:00 AM on Tuesday as no flags of a less-frequent schedule are assigned to this restore point.

5. Veeam Backup for Microsoft Azure will continue creating restore points for the next week in the same way
as described in steps 1–4.

6. On week 3, after a backup session runs at 7:00 AM on Monday, the earliest week ly restore point in the
backup chain will get older than the specified retention limit. Veeam Backup for Microsoft Azure will
unassign the (W) flag from the earliest weekly restore point. Since no other flags are assigned to this
restore point, Veeam Backup for Microsoft Azure will remove this restore point from the backup chain.

NOTE

This section does not explain how Veeam Backup for Microsoft Azure rebuilds the backup chain when
applying the configured retention policy settings — it focuses on the harmonization mechanism itself only.
To learn what types of backups Veeam Backup for Microsoft Azure includes in the backup chain and how it
transforms the chain when removing outdated restore points, see sections Backup Chain and Retention
Policy for Backups.

219 | V eeam Backup for Microsoft A zure | User Guide

Enabling Backup Archiving
When you combine multiple types of schedules, you can enable the archiving mechanism to instruct Veeam
Backup for Microsoft Azure to store backed-up data in the low-cost, long-term Archive access tier. The
mechanism is the most useful in the following cases:

• Your data retention policy requires that you keep rarely accessed data in an archive.

• You want to reduce data-at-rest costs and to save space in the high-cost, short-term Hot and Cool access
tiers.

NOTE

Restoring from an archived backup is longer and more expensive than restoring from a regular backup as it
is required to retrieve data from the archive repository. For more information, see Retrieving Data From
Archive.

With backup archiving, Veeam Backup for Microsoft Azure can retain backups created according to a daily,
weekly or monthly schedule for longer periods of time:

• To enable monthly archiving, you must configure a daily or a weekly schedule (or both).

• To enable yearly archiving, you must configure a daily, a weekly or a monthly schedule (or all three).

For Veeam Backup for Microsoft Azure to use the archiving mechanism, there must be specified at least 2
different schedules: one schedule will control the regular creation of backups, while another sche dule will
control the process of copying backups to an archive repository. Backup chains created according to these two
schedules will be completely different — for more information, see Backup Chain and Archive Backup Chain.

Consider the following example. You want a backup policy to create backups of your critical workloads once a
week, to keep the backed-up data in a backup repository for 3 weeks, and also to keep backups created once in
2 months in an archive repository for a year. In this case, you create 2 schedules when configuring the backup
policy settings — weekly and monthly:

1. In the weekly scheduling settings, you do the following:

a. Specify hours and days when backups will be created (for example, 7:00 AM, Monday ), and specify
the number of days for which Veeam Backup for Microsoft Azure will retain backups (for example, 21
days).

220 | V eeam Backup for Microsoft A zure | User Guide

 b. Select a repository with the Hot or Cool access tier that will store regular backups.

Veeam Backup for Microsoft Azure will propagate these settings to the archive schedule (which is the
monthly schedule in our example).

2. In the monthly scheduling settings, you do the following:

a. Specify when Veeam Backup for Microsoft Azure will create archive backups, and choose for how long
you want to retain the created backups (for example, January, March, May, July, September,
November, 12 months and First Monday ).

b. Enable the archiving mechanism by selecting a repository with the Archive access tier that will store
archived data.

221 | V eeam Backup for Microsoft A zure | User Guide

 IMP ORTANT
• When you enable backup archiving, you become no longer able to create a schedule of the same
frequency for regular backups. By design, these two functionalities are mutually exclusive.
• If you enable backup archiving, it is recommended that you set the Keep backups for value to at
least 6 months (or 180 days ), since the minimum storage duration of the Archive access tier is 180
days.
• If you select the On Da y option, harmonized scheduling cannot be guaranteed. Plus, to support the
On Da y option, Veeam Backup for Microsoft Azure will require to create an additional temporary
restore point if there are no other schedules planned to run on that day. However, the temporary
restore point will be removed during the Backup Retention process from Microsoft Azure Storage in
approximately 24 hours, to reduce unexpected infrastructure charges.

According to the specified scheduling settings, Veeam Backup for Microsoft Azure will create image-level
backups in the following way:

1. On the first Monday of February, a backup session will start at 7:00 AM to create the first restore point in
the regular backup chain. Veeam Backup for Microsoft Azure will store this restore point as a full backup in
the backup repository.

222 | V eeam Backup for Microsoft Azure | User Guide

 2. On the second and third Mondays of February, Veeam Backup for Microsoft Azure will create restore
points at 7:00 AM and add them to the regular backup chain as incremental backups in the backup
repository.

3. On the fourth Monday of February, Veeam Backup for Microsoft Azure will create a new restore point at
7:00 AM. By the moment the backup session completes, the earliest restore point in the regular backup
chain will get older than the specified retention limit. That is why Veeam Backup for Microsoft Azure will
rebuild the full backup and remove from the chain the restore point created on the first Monday.

For more information on how Veeam Backup for Microsoft Azure transforms regular backup chains, see
Retention Policy for Backups.

223 | V eeam Backup for Microsoft Azure | User Guide

 4. On the first Monday of March, a backup session will start at 7:00 AM to create another restore point in the
regular backup chain. At the same time, the earliest restore point in the regular backup chain will get older
than the specified retention limit again. That is why Veeam Backup for Microsoft Azure will rebuild the full
backup again and remove from the chain the restore point created on the second Monday.

After the backup session completes, an archive session will create a restore point with all data from the
regular backup chain. Veeam Backup for Microsoft Azure will copy this restore point as a full archive
backup to the archive repository.

5. Up to May, Veeam Backup for Microsoft Azure will continue adding new restore points to the regular
backup chain and deleting outdated backups from the backup repository, according to the specified
weekly scheduling settings.

On the first Monday of May, an archive session will create a restore point with only that data that has
changed since the previous archive session in March. Veeam Backup for Microsoft Azure will copy this
restore point as an incremental archive backup to the archive repository.

224 | V eeam Backup for Microsoft A zure | User Guide

 6. Up to the first Monday of February of the next year, Veeam Backup for Microsoft Azure will continue
adding new restore points to the regular backup chain and deleting outdated backups from the backup
repository, according to the specified weekly scheduling settings. Veeam Backup for Microsoft Azure wil l
also continue adding new restore points to the archive backup chain, according to the specified monthly
settings.

By the moment the archive session completes, the earliest restore point in the archive backup chain will
get older than the specified retention limit. That is why Veeam Backup for Microsoft Azure will rebuild the
full archive backup and remove from the chain the restore point created on the first Monday of March of
the previous year.

For more information on how Veeam Backup for Microsoft Azure transforms archive backup chains, see
Retention Policy for Archived Backups.

225 | V eeam Backup for Microsoft Azure | User Guide

Step 6. Configure General Settings
At the Settings step of the wizard, you can enable automatic retries, schedule health checks and specify
notification settings for the backup policy.

Automatic Retry Settings

To instruct Veeam Backup for Microsoft Azure to run the backup policy again if it fails on the f irst try, do the
following:

1. In the Schedule section of the step, select the Automatic retry failed policy check box.

2. In the field to the right of the check box, specify the maximum number of attempts to run the backup
policy. The time interval between retries is 600 seconds.

When retrying backup policies, Veeam Backup for Microsoft Azure processes only those Azure SQL databases
that failed to be backed up during the previous attempt.

NOTE

The automatic retry settings apply only to backup policies that run according to specific schedules — these
settings do not apply to policies started manually.

Health Check Settings

Veeam Backup for Microsoft Azure can periodically perform a health check for all restore points cre ated by the
backup policy. During the health check, Veeam Backup for Microsoft Azure performs an availability check for
data blocks in the whole regular backup chain, and a cyclic redundancy check (CRC) for metadata to verify its
integrity. The health check helps you ensure that the restore points are consistent and that you will be able to
restore data using these restore points. For more information on the health check, see How Health Check Works.

NOTE

During a health check, Veeam Backup for Microsoft Azure does not verify archived restore points created
by the policy.

To instruct Veeam Backup for Microsoft Azure to perform a monthly health check, do the following:

1. In the Hea lth check section of the step, set the E na ble health check toggle to On.

2. Use the Run on drop-down lists to schedule a specific day for the health check to run.

NOTE

Veeam Backup for Microsoft Azure performs the health check during the last policy session that runs on
the day when the health check is scheduled. If another backup policy session runs on the same day, Veeam
Backup for Microsoft Azure will not perform the health check during that session. For example, if the
backup policy is scheduled to run multiple times on Saturday, and the health check is also scheduled to run
on Saturday, the health check will only be performed during the last policy session on Saturday.

226 | V eeam Backup for Microsoft Azure | User Guide

Notification Settings
To instruct Veeam Backup for Microsoft Azure to send email notifications for the backup policy, do the
following:

1. In the Notifications section of the step, set the E nabled toggle On.

If you set the toggle to Off, Veeam Backup for Microsoft Azure will send notifications according to the
configured global notification settings.

2. In the E ma il field, specify an email address of a recipient. Use a semicolon to separate multiple recipient
addresses. Do not use spaces after semicolons between the specified email addresses.

3. Use the Notify on list to choose whether you want Veeam Backup for Microsoft Azure to send email
notifications in case the backup policy completes successfully, completes with warnings or completes with
errors.

How Health Check Works

When Veeam Backup for Microsoft Azure saves a new backup restore point to a backup repository, it calculates
CRC values for metadata in the backup chain and saves these values to the chain metadata, together with the
instance data. When performing a health check, Veeam Backup for Microsoft Azure verifies the availability of
data blocks and uses the saved values to ensure that the restore points being verified are consistent.

227 | V eeam Backup for Microsoft A zure | User Guide

If you have enabled monthly health checks for the backup policy, Veeam Backup for Microsoft Azure performs
the following operations at the day scheduled for a hea lth check to run:

1. As soon as a backup policy session completes successfully, Veeam Backup for Microsoft Azure starts the
health check as a new session. For each restore point in the standard backup chain, Veeam Backup for
Microsoft Azure calculates CRC values for backup metadata and compares them to the CRC values that
were previously saved to the restore point. Veeam Backup for Microsoft Azure also checks whether data
blocks that are required to rebuild the restore point are available.

If the backup policy session completes with an error, Veeam Backup for Microsoft Azure tries to run the
backup policy again, taking into account the maximum number of retries specified in the automatic retry
settings. After the first successful retry (or after the last one out of the maximum number of retries),
Veeam Backup for Microsoft Azure starts the health check.

2. If Veeam Backup for Microsoft Azure does not detect data inconsistency, the health check session
completes successfully. Otherwise, the session completes with an error.

Depending on the detected data inconsistency, Veeam Backup for Microsoft Azure performs the following
operations:

o If the health check detects corrupted metadata in a full or incremental restore point, Ve eam Backup
for Microsoft Azure marks the backup chain as corrupted in the configuration database. During the
next backup policy session, Veeam Backup for Microsoft Azure copies the full instance image, creates
a full restore point in the backup repository and starts a new backup chain in the backup repository.

NOTE

Veeam Backup for Microsoft Azure does not support metadata check for encrypted backup chains.

o If the health check detects corrupted disk blocks in a full or an incremental restore point, Veeam
Backup for Microsoft Azure marks the restore point that includes the corrupted data blocks and all
subsequent incremental restore points as incomplete in the configuration database. During the next
backup policy session, Veeam Backup for Microsoft Azure copies not only those data blocks that have
changed since the previous backup session but also data blocks that have been corrupted, and saves
these data blocks to the latest restore point that has been created during the current session.

228 | V eeam Backup for Microsoft Azure | User Guide

Step 7. Review Estimated Cost
[This step applies only if you have created a schedule for the backup policy at the Schedule step of the wizard]

At the Cost Estimation step of the wizard, review the approximate monthly cost of Azure services that Veeam
Backup for Microsoft Azure will require to protect the Azure SQL databases added to the backup policy. The
total estimated cost includes the following:

• The cost of creating and maintaining backups of the Azure SQL databases.
For each Azure SQL database included in the backup policy, Veeam Backup for Microsoft Azure takes into
account the size of the database and the configured scheduling settings.

• The cost of transferring Azure SQL database data between Azure regions during data protection
operations (for example, if a protected Azure SQL database and the target storage account reside in
different regions).

If you get a warning message regarding additional costs associated with cross -region data transfer, you
can click View details to see available cost-effective options.

• The cost of making API requests to Microsoft Azure during data protection operations.

The estimated cost may occur to be significantly higher due to the backup frequency and cross -region data
transfer. To reduce the cost, you can try the following worka rounds:

• To avoid additional costs related to cross-region data transfer, select a backup repository that resides in
the same region as Azure SQL databases that you plan to back up.

• To optimize the cost of storing backups, modify the scheduling settings to run the backup policy less
frequently, or specify an archive repository for long -term retention of restore points.

229 | V eeam Backup for Microsoft Azure | User Guide

Step 8. Finish Working with Wizard
At the Summary step of the wizard, it is recommended that you run the backup policy configuration check
before you click Finish.

The configuration check will verify whether the specified accounts have all the required permissions, and
networks settings are configured properly to launch worker instances. To run the configuration check, click Test
Configuration. Veeam Backup for Microsoft Azure will display the P olicy configuration test window where you
can view the progress and results of the performed check. If the account permissions are insufficient or worker
instance settings are not configured properly, the check will complete with errors.

If the configuration check discovers that network settings are not configured properly, Veeam Backup for
Microsoft Azure will not be able to launch worker instances and thus perform the backup. To fix the network
issues, do the following:

1. Close the P olicy configuration test window, and then click Finish to close the Ad d Policy wizard.

Veeam Backup for Microsoft Azure will save the configured backup policy.

2. To prevent the backup policy from failing, disable it as described in section Disabling and Enabling Backup
Policies.

3. Depending on the error message received during the configuration check, do the following:

o Make sure that network settings are configured for each Azure reg ion selected at step 3b. For
information on how to configure network settings for Azure regions, see Managing Worker Instances.

o Make sure that the virtual networks specified in the network settings for the Azure regions have
access to the required Azure services. For more information on the required Azure services, see
System Requirements.

4. After the network issues are fixed, you can enable the backup policy as described in section Disabling and
Enabling Backup Policies.

230 | V eeam Backup for Microsoft A zure | User Guide

Creating SQL Backups Manually
Veeam Backup for Microsoft Azure allows you to manually create backups of Azure SQL databases.

NOTE

Veeam Backup for Microsoft Azure does not include backups of Azure SQL databases created manually in
the backup chain and does not apply the configured retention policy settings to these backups. This means
that the backups are kept in the backup repository unless you remove them manually, as described in
section Managing SQL Data.

To manually create a backup of an Azure SQL database, do the following:

1. Navigate to Resources > Azure SQL.

2. Select the check box next to the necessary Azure SQL database and click Ta k e Backup Now.

For an Azure SQL database to be displayed in the list of available resources, it must reside in any region
included in a backup policy as described in section Creating Backup Policies (step 3c).

3. Complete the Ta k e Manual Backup wizard:

a. At the Account step of the wizard, select an Azure Active Directory whose permissions Veeam Backup
for Microsoft Azure will use to create a backup.

For an Azure Active Directory to be displayed in the list of available directories, it must be created in
the Microsoft Azure portal as described in Microsoft Docs.

b. At the Op tions step of the wizard, do the following:

i. In the Ba ckup target section, click Choose backup repository.

In the Sp ecify the backup repository window, select a backup repository where the created
backup will be stored. For a backup repository to be displayed in the Rep ository list, it must be
added to Veeam Backup for Microsoft Azure as described in section Adding Backup Repositories.

NOTE

You can select only a backup repository with the Hot or Cool access tier.

ii. In the Sp ecify database processing settings section, choose whether you want to use a staging
server to perform backup. For more information, see Configure Processing Options.

231 | V eeam Backup for Microsoft A zure | User Guide

 c. At the Summary step of the wizard, review configuration information, choose whether you wa nt to
proceed to the Session Log tab to track the progress of backup creation, and click Finish.

232 | V eeam Backup for Microsoft Azure | User Guide

Performing File Share Backup
To produce snapshots of Azure file shares, Veeam Backup for Microsoft Azure runs backup policies. A backup
policy is a collection of settings that define the way snapshots are created: what data to protect, when to start
the snapshot creation process, and so on.

One backup policy can be used to process multiple Azure file shares within different regions, but you can back
up each Azure file share with one backup policy at a time. If an Azure file share is added to more than one
backup policy, it will be processed only by a backup policy that has the highest priority. Other backup policies
will skip this Azure file share from processing. For information on how to set a priority for a backup policy, see
Setting Backup Policy Priority.

To schedule data protection tasks to run automatically, create backup policies. For each protected Azure file
share, you can also take a cloud-native snapshot manually when needed.

233 | V eeam Backup for Microsoft Azure | User Guide

Creating File Share Backup Policies
To create a backup policy, do the following:

1. Launch the Add Azure Files Policy wizard.

2. Specify a backup policy name and description.

3. Configure backup source settings.

4. Create a schedule for the backup policy.

5. Specify automatic retry settings and notification settings for the backup policy .

6. Review the estimated cost of protecting the selected Azure file shares.

7. Finish working with the wizard.

234 | V eeam Backup for Microsoft A zure | User Guide

Step 1. Launch Add Azure Files Policy Wizard
To launch the Ad d Azure Files P olicy wizard, do the following:

1. Navigate to P olicies > Azure Files.

2. Click Ad d .

235 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Specify Backup Policy Name
At the Info step of the wizard, use the Na me and Description fields to enter a name for the new backup policy
and to provide a description for future reference. The maximum length of the name is 255 characters. The
following characters are not supported: * : / \ ? " < > | .

236 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Configure Backup Source Settings
At the Sources step of the wizard, specify backup source settings:

1. Select an Azure Active Directory where Azure file shares that you plan to protect reside .

2. Choose regions where Azure file shares that you want to protect reside.

3. Select resources to protect.

4. Enable Azure file share indexing.

237 | V eeam Backup for Microsoft A zure | User Guide

Step 3a. Select Azure Account
In the Account section of the Sources step of the wizard, specify an Azure account whose permissions will be
used to access Azure services and resources, and to create cloud -native snapshots of Azure file shares.

1. Click Configure account.

2. In the Choose a n Azure account from the available list window, select the necessary Azure account from
the available accounts list. The specified Azure account must belong to a tenant that manages the Azure
VMs that you want to protect, and must be assigned permissions listed in section Azure Account
Permissions.

For an Azure account to be displayed in the list of available accounts, it must be added to Veeam Backup
for Microsoft Azure as described in section Adding Azure Service Accounts. If you have not added the
necessary Azure account to Veeam Backup for Microsoft Azure beforehand, you can do it without closing
the Ad d Azure Files Policy wizard. To add an Azure account, click Ad d and complete the Ad d Azure
a ccount wizard..

3. Click Ap p ly.

238 | V eeam Backup for Microsoft Azure | User Guide

Step 3b. Select Regions
In the Reg ion section of the Sources step of the wizard, select regions where Azure resources that you want to
protect reside.

1. Click Choose regions.

2. In the Choose regions window, select the necessary regions from the Ava ilable regions list, and then click
Ad d .

3. Click Ap p ly.

239 | V eeam Backup for Microsoft Azure | User Guide

Step 3c. Select Resources
In the Resources section of the Sources step of the wizard, select resources that you want to protect.

1. Click Select resources to protect.

2. In the Choose resource protection options window, choose whether you want to protect all Azure
resources from the regions selected at step 3b, or only specific resources.

If you select the All resources option, Veeam Backup for Microsoft Azure will regularly check for new
Azure file shares created in the selected regions and automatically update the backup policy settings to
include these file shares in the backup scope.

If you select the P rotect the following resources option, you must also specify the resources explicitly:

a. From the Resource type drop-down list, select either of the following options:

▪ Resource group — to protect Azure file shares that belong to specific resource group s.

▪ File Share — to protect only specific Azure file shares.

▪ Storage account — to protect Azure file shares that reside in specific storage accounts.

b. Use the search field to the right of the Resource type list to find the necessary resource, and then
click P rotect to add the resource to the backup scope.

For a resource to be displayed in the list of available resources, it must reside in an Azure region that
has ever been specified in any backup policy. Otherwise, the only option to discover available
resources is to click Browse to select specific source from the global list and wait for Veeam Backup
for Microsoft Azure to populate the resource list.

TIP

You can simultaneously add multiple resources to the backup scope. To do that, click Browse to select
sp ecific source from the global list , select check boxes next to the necessary items in the list of available
resources, and then click P rotect.

If the list does not show the resources that you want to protect, click Rescan to launch the data collection
process. As soon as the process is over, Veeam Backup for Microsoft Azure will update the resource list.

If you still cannot find the necessary resources in the list, make sure that the Microsoft.ManagedServices
provider is registered in the subscription to which the resources belong, return to step 3a and click Rescan
in the Choose an Azure account from the available list window. To learn how to register a resource
provider, see Microsoft Docs.

IMP ORTANT

For the list of resources to be displayed correctly, make sure that your web browser zoom does not exceed
135%.

4. To save changes made to the backup policy settings, click Ap p ly.

240 | V eeam Backup for Microsoft A zure | User Guide

 TIP

As an alternative to selecting the P rotect the following resources option and specifying the resources
explicitly, you can select the All resources option and exclude a number of resources from the backup
scope. To do that, click Select resources to exclude and specify Azure file shares that you do not want to
protect — the procedure is the same as described for including resources in the backup scop e.

Consider that if a resource appears both in the list of included and excluded resources, Veeam Backup for
Microsoft Azure will still not process the resource because the list of excluded resources has a higher
priority.

241 | V eeam Backup for Microsoft Azure | User Guide

Step 3d. Enable File Share Indexing
While performing Azure file share indexing for a file system, Veeam Backup for Microsoft Azure creates a
catalog of all files and directories (that is, the index) and saves the index to the configuration database on the
backup appliance. This index is further used to reproduce the file system structure and to enable browsing and
searching for specific files across multiple restore points. To learn how indexing works, see File Share Backup.

IMP ORTANT

When performing indexing operations, Veeam Backup for Microsoft Azure uses the Server Message Block
(SMB) 3 and New Technology LAN Manager (NTLM) v2 protocols to authenticate against the processed file
shares. That is why authentication using these protocols must be enabled on the file shares that you plan
to index. Otherwise, indexing of the file shares will fail.

For more information on Azure Files identity-based authentication options for SMB access, see Microsoft
Docs.

In the Ind exing section of the Sources step of the wizard, you can instruct Veeam Backup for Microsoft Azure to
perform indexing of the processed Azure file shares. To do that, set the E na ble indexing toggle to On.

NOTE

Azure file share indexing is not supported in the Free edition of Veeam Backup for Microsoft Azure. For
more information on license editions, see Licensing.

242 | V eeam Backup for Microsoft A zure | User Guide

Step 4. Specify Policy Scheduling Options
You can instruct Veeam Backup for Microsoft Azure to start the backup policy automatically according to a
specific backup schedule. The backup schedule defines how often data stored in file systems added to the
backup policy will be backed up.

To help you implement a comprehensive backup strategy, Veeam Backup for Microsoft Azure allows you to
create schedules of the following types:

• Daily — the backup policy will create restore points repeatedly throughout a day on specific days.

• Weekly — the backup policy will create restore points once a day on specific days.

• Monthly — the backup policy will create restore points once a month on a specific day.

Combining multiple schedule types together allows you to keep restore points for longer periods of time. For
more information, see Enabling Harmonized Scheduling.

Specifying Daily Schedule

To create a daily schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the Da ily retention toggle to On and click E d it Daily Settings.

2. In the Create daily schedule window, select hours when Veeam Backup for Microsoft Azure will create
snapshots.

3. Use the Run a t drop-down list to choose whether you want the backup policy to run everyday, on
weekdays (Monday through Friday) or on specific days.

4. In the Da ily retention section, specify the number of restore points that you want to keep in a snapshot
chain.

If the restore point limit is exceeded, Veeam Backup for Microsoft Azure removes the earliest restore point
from the chain. For more information, see Retention Policy for Snapshots.

5. To save changes made to the backup policy settings, click Ap p ly.

243 | V eeam Backup for Microsoft A zure | User Guide

Specifying Weekly Schedule
To create a weekly schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the W eekly retention toggle to On and click E d it W eekly Settings.

2. In the Create weekly schedule window, select days of the week when Veeam Backup for Microsoft Azure
will create snapshots.

3. Use the Create restore points at drop-down list to schedule a specific time for the backup policy to run.

4. In the W eekly retention section, specify the number of restore points that you want to keep in a snapshot
chain.

If the restore point limit is exceeded, Veeam Backup for Microsoft Azure removes the earliest restore point
from the chain. For more information, see Retention Policy for Snapshots.

5. To save changes made to the backup policy settings, click Ap p ly.

Specifying Monthly Schedule

To create a monthly schedule for the backup policy, at the Schedule step of the wizard, do the following:

1. Set the Monthly retention toggle to On and click E d it Monthly Settings.

2. In the Create monthly schedule window, select months when the backup policy will create snapshots.

3. Use the Create restore points at and Run on drop-down lists to schedule a specific time and day for the
backup policy to run.

4. In the Monthly retention section, specify the number of restore points that you want to keep in a snapshot
chain.

If the restore point limit is exceeded, Veeam Backup for Microsoft Azure removes the earliest restore point
from the chain. For more information, see Retention Policy for Snapshots.

244 | V eeam Backup for Microsoft A zure | User Guide

 5. To save changes made to the backup policy settings, click Ap p ly.

Enabling Harmonized Scheduling

When you combine multiple types of schedules, Veeam Backup for Microsoft Azure applies the harmonization
mechanism that allows you to leverage restore points for long-term retentions instead of taking a new restore
point every time. The mechanism simplifies the backup schedule, optimizes the backup performance and
reduces the cost of storing restore points in backup repositories.

With harmonized scheduling, Veeam Backup for Microsoft Azure can keep restore points created according to a
daily or weekly schedule for longer periods of time (for weeks and months).

For Veeam Backup for Microsoft Azure to use the harmonization mechanism, there must b e specified at least 2
different schedules: one schedule will control the regular creation of restore points, while another schedule will
control the process of retaining restore points. In terms of harmonized scheduling, Veeam Backup for Microsoft
Azure re-uses restore points created according to a more-frequent schedule (daily or weekly) to achieve the
desired retention for less-frequent schedules (weekly and monthly). Each restore point is marked with a flag of
the related schedule type: the (Daily) flag is used to mark restore points created daily, (Weekly) — weekly, and
(Monthly) — monthly. Veeam Backup for Microsoft Azure uses these flags to control the retention period for the
created restore points. Once a flag of a less-frequent schedule is assigned to a restore point, this restore point
can no longer be removed — it is kept for the period defined in the retention settings. When the specified
retention period is over, the flag is unassigned from the restore point. If the restore point does not have a ny
other flags assigned, it is removed according to the retention settings of a more-frequent schedule.

245 | V eeam Backup for Microsoft A zure | User Guide

Consider the following example. You want a backup policy to create cloud -native snapshots of your critical
workloads 3 times a day, to keep 3 daily snapshots in the snapshot chain, and also to retain one of the created
snapshots for 2 weeks. In this case, you create 2 schedules when configuring the backup policy settings — daily
and weekly:

1. In the daily scheduling settings, you select hours and days when snapshots will be created (for example,
7:00 AM, 9:00 AM, and 11:00 AM; Working Days ), and specify the number of daily restore points to retain
(for example, 3).

Veeam Backup for Microsoft Azure will propagate these settings to the schedule with a lowe r frequency
(which is the weekly schedule in our example).

246 | V eeam Backup for Microsoft A zure | User Guide

 2. In the weekly scheduling settings, you specify which one of the snapshots created by the daily schedule
will be kept, and choose for how long you want to keep the selected snapshot.

For example, if you want to keep the daily restore point created at 7:00 AM on Monday for 2 weeks, you
select 7:00 AM, Monday and specify 2 restore points to retain in the weekly schedule settings.

According to the specified scheduling settings, Veeam Ba ckup for Microsoft Azure will create cloud-native
snapshots in the following way:

1. On the first work day (Monday), a backup session will start at 7:00 AM to create the first restore point.
The restore point will be marked with the (D) flag as it was created according to the daily schedule.

Since 7:00 AM, Monday is specified in the weekly scheduling settings, Veeam Backup for Microsoft Azure
will assign the (W) flag to this restore point.

2. On the same day (Monday), after backup sessions run at 9:00 AM and 11:00 AM, the created restore
points will be marked with the (D) flag.

247 | V eeam Backup for Microsoft A zure | User Guide

 3. On the next work day (Tuesday), after a backup session runs at 7:00 AM, the created restore point will be
marked with the (D) flag.

At the moment the backup session completes, the number of restore points with the (D) flag will exceed
the retention limit specified in the daily scheduling settings. However, Veeam Backup for Microsoft Azure
will not remove the earliest restore point ( 7:00 AM, Monday ) with the (D) flag from the snapshot chain as
this restore point is also marked with a flag of a less-frequent schedule. Instead, Veeam Backup for
Microsoft Azure will unassign the (D) flag from the restore point. This restore point will be kept for the
retention period specified in the weekly scheduling settings (that is, for 2 weeks).

4. On the same day (Tuesday), after a backup session runs at 9:00 AM, the number of restore points with the
(D) flag will exceed the retention limit once again. Veeam Backup for Microsoft Azure will r emove from
the snapshot chain the restore point created at 9:00 AM on Monday as no flags of a less -frequent
schedule are assigned to this restore point.

5. Veeam Backup for Microsoft Azure will continue creating restore points for the next week in the sa me way
as described in steps 1–4.

6. On week 3, after a backup session runs at 7:00 AM on Monday, the number of kept restore points will
exceed the retention limit. Veeam Backup for Microsoft Azure will unassign the (W) flag from the earliest
kept restore point. Since no other flags are assigned to this restore point, Veeam Backup for Microsoft
Azure will remove this restore point from the snapshot chain.

248 | V eeam Backup for Microsoft A zure | User Guide

Step 5. Configure General Settings
At the Settings step of the wizard, you can enable automatic retries and specify notification settings for the
backup policy.

Automatic Retry Settings

To instruct Veeam Backup for Microsoft Azure to run the backup policy again if it fails on the first try, do the
following:

1. In the Schedule section of the step, select the Automatic retry failed policy check box.

2. In the field to the right of the check box, specify the maximum number of attempts to run the backup
policy. The time interval between retries is 600 seconds.

When retrying backup policies, Veeam Backup for Microsoft Azure processes only those Azure file shares that
failed to be protected during the previous attempt.

NOTE

The automatic retry settings apply only to backup policies that run according to specific schedules — these
settings do not apply to policies started manually.

Notification Settings
To instruct Veeam Backup for Microsoft Azure to send email notifications for the backup policy, do the
following:

1. In the Notifications section of the step, set the E nabled toggle On.

If you set the toggle to Off, Veeam Backup for Microsoft Azure will send notifications according to the
configured global notification settings.

2. In the E ma il field, specify an email address of a recipient. Use a semicolon to separate multiple recipient
addresses. Do not use spaces after semicolons between the specified email addresses.

249 | V eeam Backup for Microsoft A zure | User Guide

 3. Use the Notify on list to choose whether you want Veeam Backup for Microsoft Azure to send email
notifications in case the backup policy completes successfully, completes with warnings or completes with
errors.

250 | V eeam Backup for Microsoft A zure | User Guide

Step 6. Review Estimated Cost
[This step applies only if you have created a schedule for the backup policy at the Schedule step of the wizard]

At the Cost Estimation step of the wizard, review the approximate monthly cost of Azure services that Veeam
Backup for Microsoft Azure will require to protect the Azure file shares added to the backup policy. The total
estimated cost includes the following:

• The cost of creating and maintaining snapshots of the Azure file shares.
For each Azure file share included in the backup policy, Veeam Backup for Microsoft Azure takes into
account the number of restore points to be kept in the snapshot chain and the configured scheduling
settings.

• The cost of making API requests to Microsoft Azure during data protection operations.

The estimated cost may occur to be significantly higher due to the backup frequency and snapshot charges. To
reduce high snapshot charges, adjust the snapshot retention settings to keep less restore points in the snapshot
chain.

251 | V eeam Backup for Microsoft A zure | User Guide

Step 7. Finish Working with Wizard
At the Summary step of the wizard, review summary information and click Finish.

252 | V eeam Backup for Microsoft Azure | User Guide

Creating File Share Snapshots Manually
Veeam Backup for Microsoft Azure allows you to manually create snapshots of Azure file shares. Each snapshot
is saved to the same Azure region in which the protected Azure file share resides.

NOTE

Veeam Backup for Microsoft Azure does not include snapshots created manually in the snapshot chain and
does not apply the configured retention policy settings to these snapshots. This means that the snapshots
are kept in your Microsoft Azure environment unless you remove them manually, as described in section
Managing File Share Data.

To manually create a cloud-native snapshot of an Azure file share, do the following:

1. Navigate to Resources > Azure Files.

2. Select the check box next to the necessary Azure file share and click Ta k e Snapshot Now .

For an Azure file share to be displayed in the list of available resources, it must reside in any region
included in a backup policy as described in section Creating Backup Policies (step 3c).

3. Complete the Ta k e Manual Snapshot wizard:

a. At the Account step of the wizard, select an Azure account whose permissions Veeam Backup for
Microsoft Azure will use to create a snapshot.

For an account to be displayed in the Azure Account list, it must be added to Veeam Backup for
Microsoft Azure as described in section Adding Azure Service Account or Adding Repository Accounts.

b. At the Summary step of the wizard, review configuration information, choose whether you want to
proceed to the Session Log tab to track the progress of snapshot creation, and click Finish.

253 | V eeam Backup for Microsoft Azure | User Guide

Managing Backup Policies
After you create backup policies, you can edit, enable and run them, and also view the details of each backup
policy in Veeam Backup for Microsoft Azure. You can also remove backup policies that you do not use anymore,
export settings of the existing policies and import new ones.

254 | V eeam Backup for Microsoft A zure | User Guide

Editing Backup Policy Settings
For each backup policy, you can modify settings configured while creating the policy:

1. Navigate to P olicies.

2. Switch to the necessary tab and select the backup policy.

3. Click E d it.

4. Edit the backup policy settings as described in section Performing VM Backup, Performing SQL Backup or
Performing File Share Backup.

255 | V eeam Backup for Microsoft Azure | User Guide

Setting Backup Policy Priority
By default, Veeam Backup for Microsoft Azure runs backup policies in the order you create them. However, you
can set the backup policy priority manually.

1. Navigate to P olicies.

2. Switch to the necessary tab and click P olicy Priority.

3. In the P riority Order window, use the Up and Down arrows to set the priority order for backup policies, and
the Top and Bottom arrows to immediately set the highest or the lowest priority for a policy. Click Ap p ly
to save the settings.

The first backup policy in the list will have the highest priority.

NOTE

If an Azure resource is included into multiple backup policies, it will be processed only by the backup policy
that has the highest priority.

256 | V eeam Backup for Microsoft Azure | User Guide

Enabling and Disabling Backup Policies
By default, Veeam Backup for Microsoft Azure runs all created backup policies according to the specified
schedules. However, you can temporarily disable a backup policy so that Veeam Backup for Microsoft Azure
does not run the backup policy automatically. You will still be able to manually start or enable the disabled
backup policy at any time you need.

To enable or disable a backup policy, do the following:

1. Navigate to P olicies.

2. Switch to the necessary tab and select the backup policy.

3. Click E nable or Disable.

257 | V eeam Backup for Microsoft A zure | User Guide

Starting and Stopping Backup Policies
You can start a backup policy manually, for example, if you want to create an additional restore point in the
snapshot or backup chain and do not want to modify the configured backup policy schedule. You can also stop a
backup policy if processing of an Azure resource is about to take too long, and you do not w ant the policy to
have an impact on the production environment during business hours.

To start or stop a backup policy, do the following:

1. Navigate to P olicies.

2. Switch to the necessary tab and select the backup policy.

3. Click Sta rt or Stop.

258 | V eeam Backup for Microsoft Azure | User Guide

Exporting and Importing Backup Policies
Veeam Backup for Microsoft Azure allows you to use settings of an existing backup policy as a template for
creating other backup policies. You can export a backup policy to a .JSON file, modify the necessary settings in
the file, and then import the policy to the same or a different backup appliance.

Exporting Backup Policies

To export a backup policy to a .JSON file, do the following:

1. Navigate to P olicies.

2. Switch to the necessary tab and select the backup policy.

3. Click Ad vanced > E xport Policy.

Veeam Backup for Microsoft Azure will save the backup policy settings as a single .JSON file to the default
download directory on the local machine.

Importing Backup Policies

To import a backup policy from a .JSON file, do the following:

1. Click Ad vanced > Import Policy.

259 | V eeam Backup for Microsoft Azure | User Guide

 2. In the Imp ort Policy window, specify a name for the imported backup policy, paste the content of the
necessary .JSON file, and click Imp ort.

260 | V eeam Backup for Microsoft A zure | User Guide

Managing Backed-Up Data
Veeam Backup for Microsoft Azure stores information on all protected Azure resources in the configuration
database. Even if a resource is no longer protected by any configured backup policy and even if the resource is
no longer exists in Microsoft Azure, information on the backed-up data will not be deleted from the database
until Veeam Backup for Microsoft Azure automatically removes all restore points associated with this resource
according to the retention settings saved in the backup metadata. You can a lso remove the restore points
manually on the P rotected Data tab.

NOTE

Veeam Backup for Microsoft Azure does not include restore points created manually in backup and
snapshot chains, and does not apply the configured retention policy settings to these re store points. This
means that the restore points are kept in your Microsoft Azure environment unless you remove them
manually, as described in sections Removing VM Backups and Snapshots, Removing SQL Backups and
Removing File Share Snapshots.

261 | V eeam Backup for Microsoft A zure | User Guide

Managing VM Data
After a backup policy successfully creates a restore point of an Azure VM according to the specified schedule, or
after you create a snapshot of a VM manually, Veeam Backup for Microsoft Azure adds the VM to the resource
list on the P rotected Data tab.

The P rotected Data tab displays Azure resources that are already protected by Veeam Backup for Microsoft
Azure. Each resource is represented with a set of properties, such as:

• Virtual Machine — the name of the Azure VM.

• P olicy — the name of the backup policy that protects the Azure VM.

• Restore Points — the number of restore points created for the Azure VM.

• La st Backup — the date and time of the most recent restore point created for the Azure VM.

• Reg ion — the region in which the Azure VM resides.

• VM Size — the VM size of the Azure VM.

• Resource Group — the resource group that stores resources related to the Azure VM.

• Op erating System — the operating system running on the Azure VM.

• File-level Recovery URL — a link to the File-level recovery browser.

The link appears when Veeam Backup for Microsoft Azure starts a restore session to perform file-level
recovery. The link contains a public DNS name of the worker instance hosting the File-level recovery
browser and authentication information used to access this worker instance.

• Tena nt ID — the unique identification number of the Azure tenant to which the Azure VM belongs.

• Sub scription ID — the unique identification number of the Microsoft Azure subscription that is used to
manage costs of the Azure VM.

On the P rotected Data tab, you can also perform the following actions:

• Remove restore points if you no longer need them. For more information, see Removing Backups and
Snapshots.

262 | V eeam Backup for Microsoft Azure | User Guide

 • Restore data of backed-up Azure VMs. For more information, see Performing VM Restore.

263 | V eeam Backup for Microsoft Azure | User Guide

Removing Backups and Snapshots
Veeam Backup for Microsoft Azure applies the configured retention policy settings to automatically remove
cloud-native snapshots and image-level backups created for Azure VMs by backup policies. If necessary, you can
also remove the backed-up data manually.

IMP ORTANT

Do not delete backups from Microsoft Azure storage accounts in the Microsoft Azure portal. If some
backup in a backup chain is missing, you will not be able to roll back Azure VM data to the necessary state.

To remove backed-up data manually, do the following:

1. Navigate to P rotected Data > Virtual Machines.

2. Select Azure VMs whose data you want to remove.

3. Click Remove and select either of the following options:

o Sna pshots > All — to remove all cloud-native snapshots created for the selected Azure VMs both by
backup policies and manually.

o Sna pshots > Local — to remove all cloud-native snapshots created for the selected Azure VMs by
backup policies.

o Sna pshots > Ma nual — to remove all cloud-native snapshots created for the selected Azure VMs
manually.

o Ba ckups > All — to remove all image-level backups created for the selected Azure VMs.

o Ba ckups > Ba ckup — to remove all image-level backups created in backup repositories for the selected
Azure VMs.

o Ba ckups > Archive — to remove all image-level backups created in archive repositories for the
selected Azure VMs.

o Sna pshots and Backups — to remove both cloud-native snapshots and image-level backups created
for the selected Azure VMs.

264 | V eeam Backup for Microsoft A zure | User Guide

Removing Azure VM Snapshots Created
Manually
To remove all cloud-native snapshots created for an Azure VM manually, follow the instructions provided in the
Removing Backups and Snapshots section. If you want to remove a specific cloud-native snapshot created
manually, do the following:

1. Navigate to P rotected Data.

2. Select the check box next to the necessary Azure VM, and click the link in the Restore P oints column.

3. In the Ava ilable Restore P oints window, select the necessary snapshot and click Remove Manual Snapshot.

265 | V eeam Backup for Microsoft Azure | User Guide

Retrieving Data from Archive
Backups stored in archive repositories are not immediately accessible. If you want to restore an Azure VM from a
backup that is stored in a repository with the Archive access tier, you must first retrieve the archived data.
During the data retrieval process, a temporary copy of the archived data is created in an Azure blob container
where the repository is located. This copy is stored in the Hot access tier for a period of time that you specify
when launching the data retrieval process. If the time period expires while a restore operation is still running,
Veeam Backup for Microsoft Azure automatically extends the period to keep the retrieved data available for one
more hour. You can also extend the availability period manually.

To retrieve archived data, you can launch the data retrieval process either from the Data Retrieval wizard before
you begin a restore operation, or directly from the Restore Virtual Machines and Restore Disks wizards. When
you retrieve archived data, you can choose one of the following priority options:

• Sta ndard Priority — the default priority option. The retrieved data will be available within 15 hours.

• Hig h Priority — the fastest but more expensive priority option. The retrieved data will be available within
one hour if the size of the backup is less than 10 GB.

For more information on priority options, see Microsoft Docs

Retrieving Data Manually

To retrieve archived data of an Azure VM, do the following:

1. Navigate to P rotected Data > Virtual Machines.

2. Select the necessary Azure VM.

3. Click the link in the Restore Points column.

4. In the Ava ilable Restore P oints window, select a restore point that contains archived data you want to
retrieve, and click Retrieve Backup. The Da ta Retrieval wizard will open.

266 | V eeam Backup for Microsoft Azure | User Guide

 5. At the Da ta Retrieval step of the wizard, specify the following settings:

a. In the Retrieval mode section, select the retrieval option that Veeam Backup for Microsoft Azure will
use to retrieve the data.

b. In the Ava ilability period section, specify the number of days for which you want to keep the data
available for restore operations.

You will be able to manually extend data availability later if required.

TIP

If you want to receive an email notification when the data availability period is about to expire, select the
Send notification email check box, and specify the number of hours before the expiration time when the
notification will be sent.

6. At the Summary step of the Da ta Retrieval wizard, review configuration information and click Retrieve.

267 | V eeam Backup for Microsoft A zure | User Guide

Extending Data Availability
To extend time for which you want to keep retrieved data available for restore operations:

1. Select the Azure VM for which you want to extend availability of the retrieved data.

2. Click E x tend Availability.

Alternatively, click the link in the Restore Points column. In the Da ta Retrieval window, select the restore
point that contains the retrieved data, and click E x tend Availability.

3. In the E x tend Data Availability P eriod window, specify the number of days for which you want to keep the
data available for restore operations, and click E x tend.

268 | V eeam Backup for Microsoft Azure | User Guide

Managing SQL Data
After a backup policy successfully creates a restore point of an Azure SQL database according to the specified
schedule, or after you create a backup of a database manually, Veeam Backup for Microsoft Azure adds the
database to the resource list on the P rotected Data tab.

The P rotected Data tab displays Azure resources that are already protected by Veeam Backup for Microsoft
Azure. Each resource is represented with a set of properties, such as:

• Da tabase — the name of the Azure SQL database.

• Server Name — the name of the SQL Server where the protected Azure SQL database is located.

• P olicy — the name of the backup policy that protects the Azure SQL database.

• Restore Points — the number of restore points created for the Azure SQL database.

• La st Backup — the date and time of the most recent restore point created for the Azure SQL database.

• Resource Group — the resource group that stores resources related to the Azure SQL database.

• Reg ion — the region in which the Azure SQL database resides.

• SQL E lastic P ool — the name of the elastic pool to which the Azure SQL database is added.

• Tena nt ID — the unique identification number of the Azure tenant where the Azure SQL database belongs.

• Sub scription ID — the unique identification number of the Microsoft Azure subscription that is used to
manage costs of the Azure SQL database.

On the P rotected Data tab, you can also perform the following actions:

• Remove restore points if you no longer need them. For more information, see Removing Backups.

• Restore data of backed-up Azure SQL databases. For more information, see Performing SQL Restore.

269 | V eeam Backup for Microsoft Azure | User Guide

Removing Backups
Veeam Backup for Microsoft Azure applies the configured retention policy settings to automatically remove
image-level backups created for SQL databases by backup policies. If necessary, you can also remove the
backed-up data manually.

IMP ORTANT

Do not delete backups from Microsoft Azure storage accounts in the Microsoft Azure portal. If some
backup in a backup chain is missing, you will not be able to roll back Azure SQL database data to the
necessary state.

To remove backed-up data manually, do the following:

1. Navigate to P rotected Data > Azure SQL.

1. Select Azure SQL databases whose data you want to remove.

3. Click Remove and select either of the following options:

o All — to remove all image-level backups created for the selected Azure SQL databases both by backup
policies and manually.

o Ba ckups — to remove all image-level backups created in backup repositories for the selected Azure
SQL databases.

o Archive — to remove all image-level backups created in archive repositories for the selected Azure
SQL databases.

o Ma nual — to remove all image-level backups created for the selected Azure SQL databases manually.

270 | V eeam Backup for Microsoft A zure | User Guide

Removing SQL Backups Created Manually
To remove all image-level backups created for a SQL database manually, follow the instructions provided in the
Removing Backups section. If you want to remove a specific image-level backup created manually, do the
following:

1. Navigate to P rotected Data > Azure SQL.

2. Select the check box next to the necessary Azure SQL database, and click the link in the Restore P oints
column.

3. In the Ava ilable Restore P oints window, select the necessary restore point and click Remove.

271 | V eeam Backup for Microsoft Azure | User Guide

Retrieving Data from Archive
Backups stored in archive repositories are not immediately accessible. If you want to restore an Azure SQL
database from a backup that is stored in a repository with the Archive access tier, you must first retrieve the
archived data. During the data retrieval process, a temporary copy of the archived data is created in an Azure
blob container where the repository is located. This copy is stored in the Hot access tier for a period of time that
you specify when launching the data retrieval process. If the time period expires while a restore operation is still
running, Veeam Backup for Microsoft Azure automatically extends the period to kee p the retrieved data
available for one more hour. You can also extend the availability period manually.

To retrieve archived data, you can launch the data retrieval process either from the Data Retrieval wizard before
you begin a restore operation, or directly from the SQL Database Restore wizard. When you retrieve archived
data, you can choose one of the following priority options:

• Sta ndard Priority — the default priority option. The retrieved data will be available within 15 hours.

• Hig h Priority — the fastest but more expensive priority option. The retrieved data will be available within
one hour if the size of the backup is less than 10 GB.

For more information on priority options, see Microsoft Docs

Retrieving Data Manually

To retrieve archived data of an Azure SQL database, do the following:

1. Navigate to P rotected Data > Azure SQL.

2. Select the necessary Azure SQL database.

3. Click the link in the Restore Points column.

4. In the Ava ilable Restore P oints window, select a restore point that contains archived data you want to
retrieve, and click Retrieve Backup. The Da ta Retrieval wizard will open.

272 | V eeam Backup for Microsoft A zure | User Guide

 5. At the Da ta Retrieval step of the wizard, specify the following settings:

a. In the Retrieval mode section, select the retrieval option that Veeam Backup for Microsoft Azure will
use to retrieve the data.

b. In the Ava ilability period section, specify the number of days for which you want to keep the data
available for restore operations.

You will be able to manually extend data availability later if required.

TIP

If you want to receive an email notification when data availability period is about to expire, select the Send
notification email check box and choose when you want to be notified (that is, the number of hours
remaining until data expiration).

6. At the Summary step of the Da ta Retrieval wizard, review configuration information and click Retrieve.

273 | V eeam Backup for Microsoft A zure | User Guide

Extending Data Availability
To extend time for which you want to keep retrieved data available for restore operations:

1. Select the Azure SQL database for which you want to extend availability of the retrieved data.

2. Click E x tend Availability.

Alternatively, click the link in the Restore Points column. In the Da ta Retrieval window, select the restore
point that contains the retrieved data, and click E x tend Availability.

3. In the E x tend Data Availability P eriod window, specify the number of days for which you want to keep the
data available for restore operations, and click E x tend.

274 | V eeam Backup for Microsoft A zure | User Guide

Managing File Share Data
After a backup policy successfully creates a restore point of an Azure file share according to the specified
schedule, or after you create a snapshot of a file share manually, Veeam Backup for Microsoft Azure adds the
file share to the resource list on the P rotected Data tab.

The P rotected Data tab displays Azure resources that are already protected by Veeam Backup for Microsoft
Azure. Each resource is represented with a set of properties, such as:

• File Share — the name of the Azure file share.

• P olicy — the name of the backup policy that protects the Azure file share.

• Restore Points — the number of restore points created for the Azure file share.

NOTE

Veeam Backup for Microsoft Azure displays all existing snapshots of Azure file share resources, not only
snapshots created by the Veeam backup service. Azure file share snapshots created in Microsoft Azure
Storage have the E x ternal snapshot type and cannot be deleted from the Veeam Backup for Microsoft
Azure Web UI.

• La st Backup — the date and time of the most recent restore point created for the Azure file share.

• Resource Group — the resource group that stores resources related to the Azure file share.

• Reg ion — the region in which the Azure file share resides.

• File-level Recovery URL — a link to the File-level recovery browser.

The link appears when Veeam Backup for Microsoft Azure starts a restore session to perform file-level
recovery.

• Tena nt ID — the unique identification number of the Azure tenant where the Azure file share belongs.

• Sub scription ID — the unique identification number of the Microsoft Azure subscription that is used to
manage costs of the Azure file share.

On the P rotected Data tab, you can also perform the following actions:

• Remove restore points if you no longer need them. For more information, see Removing Backups.

• Restore data of backed-up Azure file shares. For more information, see Performing File Share Restore.

NOTE

Consider that if you delete a file share from Microsoft Azure, the snapshots of this file share will be deleted
as well. To protect your snapshots from accidental deletion, you can use the file share soft delete option.
For more information on the soft delete option for Azure file shares, see Microsoft Docs.

275 | V eeam Backup for Microsoft A zure | User Guide

276 | V eeam Backup for Microsoft A zure | User Guide
Removing Snapshots
Veeam Backup for Microsoft Azure applies the configured retention policy settings to automatically remove
cloud-native snapshots created by backup policies. If necessary, you can also remove the backed -up data
manually.

NOTE

In Veeam Backup for Microsoft Azure, you can remove only snapshots created by the Veeam backup
service. To delete E x ternal snapshots, use Microsoft Azure portal as described in Microsoft Docs.

To remove backed-up data manually, do the following:

1. Navigate to P rotected Data > Azure Files.

2. Select Azure file shares whose data you want to remove.

3. Click Remove and select either of the following options:

o All — to remove all cloud-native snapshots created for the selected Azure file shares both by backup
policies and manually.

o P olicy Snapshots — to remove all cloud-native snapshots created for the selected Azure file shares by
backup policies.

o Ma nual Snapshots — to remove all cloud-native snapshots created for the selected Azure file shares
manually.

277 | V eeam Backup for Microsoft A zure | User Guide

Removing File Share Snapshots Created
Manually
To remove all cloud-native snapshots created for a file share manually, follow the instructions provided in the
Removing Snapshots section. If you want to remove a specific cloud-native snapshot created manually, do the
following:

1. Navigate to P rotected Data > Azure Files.

2. Select the check box next to the necessary file share, and click the link in the Restore Points column.

3. In the Ava ilable Restore P oints window, select the necessary snapshot and click Remove Manual Snapshot.

278 | V eeam Backup for Microsoft A zure | User Guide

Performing Restore
In various disaster recovery scenarios, Veeam Backup for Microsoft Azure allows you to perform the following
restore operations using backed-up data:

• Restore of Azure VMs — restores Azure VMs from cloud-native snapshot or image-level backups to the
original location or to a new location.

• Restore of Azure SQL databases — restores Azure SQL databases from image-level backups to the original
or to a new location.

• Restore of Azure file shares — restore files of Azure file shares from cloud-native snapshots to the original
location or to a new location.

279 | V eeam Backup for Microsoft A zure | User Guide

Performing VM Restore
Veeam Backup for Microsoft Azure offers the following restore options:

• VM Restore — restores an entire Azure VM.

• Disk Restore — restores virtual disks attached to an Azure VM.

• File-level Restore — restores individual files and folders of an Azure VM.

You can restore Azure VM data to the most recent state or to any available restore point.

280 | V eeam Backup for Microsoft A zure | User Guide

Performing Entire VM Restore
In case a disaster strikes, you can restore an entire Azure VM from a cloud -native snapshot or image-level
backup. Veeam Backup for Microsoft Azure allows you to restore one or more Azure VMs at a time, to the
original location or to a new location.

How VM Restore Works

To restore an Azure VM from a cloud-native snapshot, Veeam Backup for Microsoft Azure uses native Microsoft
Azure capabilities. To restore an Azure VM from an image-level backup, Veeam Backup for Microsoft Azure
performs the following steps:

1. [This step applies only if you perform restore from an archived backup] Retrieves data from the archived
restore point.

2. [This step applies only if you perform restore to the original location] Creates a staging resource group in
which virtual disks of the restored Azure VM will be created, and assigns the Veeam backup appliance ID
tag to the group. The tag value is the ID of Azure VM running the backup applia nce.

3. Creates empty virtual disks. The number of empty virtual disks equals the number of virtual disks attached
to the source Azure VM.

4. Launches a worker instance in the Azure region where the restored Azure VM will reside, and then
attaches empty virtual disks to the worker instance.

5. Restores backed-up data to the empty virtual disks on the worker instance.

6. Detaches the virtual disks with the restored data from the worker instance.

7. Deallocates the worker instance.

8. [This step applies only if you perform restore to the original location] Removes the source Azure VM and
the source disks from Microsoft Azure.

9. [This step applies only if you perform restore to the original location] Moves the virtual disks from the
staging resource group to the original resource group of the source Azure VM.

10. Creates an Azure VM in the specified location.

11. Attaches the created virtual disks with the restored data to the Azure VM.

12. [This step applies only if you perform restore to the original location] Removes the staging resource
group.

Before You Begin

To restore an Azure VM from a backup that is stored in an archive repository, you must retrieve the archived
data first. You can either retrieve the archived data manually before you begin the restore operation, or launch
the data retrieval process right from the restore wizard. To learn how to retrieve data manually, see Retrieving
Data From Archive.

How to Perform VM Restore

To restore an Azure VM, do the following:

1. Launch the Restore Virtual Machines wizard.

281 | V eeam Backup for Microsoft A zure | User Guide

 2. Select a restore point.

3. Select an Azure account.

4. Choose a restore mode.

5. Specify data retrieval settings.

6. Specify Azure VM settings.

7. Specify disk names.

8. Configure network settings.

9. Specify a restore reason.

10. Finish working with the wizard.

282 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Restore Virtual Machines Wizard
To launch the Restore Virtual Machines wizard, do the following:

1. Navigate to P rotected Data > Virtual Machines.

2. Select the check box next to the necessary Azure VM.

3. Click Restore > VM Restore.

Alternatively, click the link in the Restore Points column. Then, in the Ava ilable Restore Points window,
select the necessary restore point and click Restore > VM Restore.

283 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Select Restore Point
At the Virtual Machines step of the wizard, select a restore point that will be used to restore the selected Azure
VM. By default, Veeam Backup for Microsoft Azure uses the most recent valid restore point. However, you can
restore the Azure VM data to an earlier state.

IMP ORTANT

If you select a restore point stored in an archive repository and the same restore point is also available in a
regular repository, Veeam Backup for Microsoft Azure will display the confirmation window where you
must choose whether you want to use the archived or regular restore point to perform the restore
operation.

To select a restore point, do the following:

1. Select the Azure VM.

2. Click Restore Point.

3. In the Sp ecify restore point window, select the necessary restore point and click Ap p ly.

To help you choose a restore point, Veeam Backup for Microsoft Azure provides the following information
on each available restore point:

o Created — the date when the restore point was created.

o Ba ckup Destination — the type of the restore point:

▪ <Repository Name> — an image-level backup created by a backup policy.

▪ Snapshot — a cloud-native snapshot created by a backup policy.

▪ Manual Snapshot — a cloud-native snapshot created manually.

284 | V eeam Backup for Microsoft A zure | User Guide

Step 3. Select Azure Account
At the Account step of the wizard, select an Azure account whose permissions Veeam Backup for Microsoft
Azure will use to perform the restore operation.

1. Click Select a ccount.

2. In the Choose a n Azure account window, select the necessary account and click Ap p ly.

For an Azure account to be displayed in the list of available accounts, it must be added to Veeam Backup
for Microsoft Azure as described in section Adding Azure Service Accounts. If you have not added the
necessary Azure account to Veeam Backup for Microsoft Azure beforehand, you can do it without closing
the Ad d VM P olicy wizard. To add an Azure account, click Ad d and complete the Ad d Azure account
wizard.

285 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Choose Restore Mode
At the Restore Mode step of the wizard, choose whether you want to restore the selected Azure VM to the
original or to a custom location.

If you select the Restore to a new location, or with different settings option, you must also select a Microsoft
Azure subscription and an Azure region in which the restored Azure VM will reside:

1. Click the link in the Sub scription field. Then, select the necessary subscription in the Choose subscription
window.

For a subscription to be displayed in the list of available subscriptions, it must be associated or added to
an Azure Active Directory tenant to which the Azure account selected at step 3 of the wizard belongs. To
learn how to associate or add Azure subscriptions to Azure Active Directory tenants, see Microsoft Docs.

2. Click the link in the Reg ion field. Then, select the necessary Azure region in the Choose region window.

NOTE

Data transfer to a new location may require additional costs and may take more time to complete.

286 | V eeam Backup for Microsoft Azure | User Guide

Step 5. Specify Retrieval Settings
[This step applies only if you have selected a restore point stored in an archive repository at the Virtual
Ma chines step of the wizard]

At the Da ta retrieval step of the wizard, choose a retrieval mode and specify a period for which you want to keep
the data available.

1. Click the link in the Retrieval mode section.

a. In the Retrieval settings window, for each processed Azure VM, do the following:

i. Select an Azure VM and click E d it.

ii. In the E d it Retrieval Mode window, select the retrieval mode that Veeam Backup for Microsoft
Azure will use to retrieve the archived data, and click Sa ve. For more information on data
retrieval modes, see Retrieving Data From Archive.

b. To save changes made to the data retrieval settings, click Ap p ly.

2. Click E d it Availability Period in the Ava ilability period section.

a. In the Ava ilability period window, specify the number of days for which you want to keep the data
available for restore operations. You can manually extend the availability period later if required.

TIP

If you want to receive an email notification when data availability period is about to expire, select the Send
notification email check box and choose when you want to be notified (that is, the number of hours
remaining until data expiration).

287 | V eeam Backup for Microsoft A zure | User Guide

 b. To save changes made to the availability period settings, click Ap p ly.

288 | V eeam Backup for Microsoft A zure | User Guide

Step 6. Specify Instance Settings
[This step applies only if you have selected the Restore to a new location, or different settings option at the
Restore Mode step of the wizard]

At the Settings step of the wizard, do the following:

1. Select an Azure VM.

2. If you want to specify a name for the restored Azure VM, click Rena me.

In the Virtual machine name window, specify a new name and click Ap p ly.

3. If you want to change the Azure VM settings, click E d it.

In the Virtual machine settings window, do the following:

a. From the Virtual machine size drop-down list, select a VM size for the restored Azure VM. For more
information on VM sizes, see Microsoft Docs.

IMP ORTANT

If the VM size of the original Azure VM differs from the size of the restored VM, Microsoft Azure may apply
additional charges for maintaining the restored VM.

b. From the Resource g roup drop-down list, select a resource group to which the restored Azure VM will
belong.

For a resource group to be displayed in the Resource group list, it must be created in the Microsoft
Azure portal as described in Microsoft Docs.

c. From the Disk type drop-down list, select a type of virtual disks that will be attached to the restored
Azure VM. For more information on disk types, see Microsoft Docs.

d. Use the Ava ilability type drop-down list to choose whether you want to include the restored Azure
VM in an availability set or to place the VM in an availability zone.

Availability sets allow you to distribute VMs across multiple physical hardware resources. Availability
zones allow you to distribute VMs across multiple unique physical locations and to protect your data
from datacenter failures. For more information on availability options for virtual machines in Azure,
see Microsoft Docs.

289 | V eeam Backup for Microsoft Azure | User Guide

 e. To save changes made to the Azure VM settings, click Ap p ly.

290 | V eeam Backup for Microsoft A zure | User Guide

Step 7. Specify Disk Names
[This step applies only if you have selected the Restore to a new location, or different settings option at the
Restore Mode step of the wizard]

At the Disks step of the wizard, you can specify a new name for each restored virtual disk:

1. Select a virtual disk that you want to rename, and click Rename.

2. In the E d it Disk Name window, specify a name that you want to use for the selected virtual disk, and click
Ap p ly.

291 | V eeam Backup for Microsoft A zure | User Guide

Step 8. Configure Network Settings
[This step applies only if you have selected the Restore to a new location, or different settings option at the
Restore Mode step of the wizard]

At the Network step of the wizard, do the following:

1. Select the Azure VM.

2. Click E d it.

3. In the Network settings window, select a virtual network and a subnet to which you want to connect the
restored Azure VM. For a virtual network to be displayed in the Virtual network list, it must be created in
the Microsoft Azure portal as described in Microsoft Docs. For a subnet to be displayed in the Sub net list,
it must be created within the selected virtual network as described in Microsoft Docs.

You can also specify a security group (virtual firewall) that will be associated with the restored VM.
Security groups are used to filter network inbound traffic to and outbound traffic from Azure resources.
Each security group contains a set of rules that control the traffic. For a network security group to be
displayed in the Security group list, it must be created in the Microsoft Azure portal as described in
Microsoft Docs.

292 | V eeam Backup for Microsoft Azure | User Guide

Step 9. Specify Restore Reason
At the Rea son step of the wizard, specify a reason for restoring the Azure VM. This information will be saved to
the session history, and you will be able to reference it later.

293 | V eeam Backup for Microsoft Azure | User Guide

Step 10. Finish Working with Wizard
At the Summary step of the wizard, review summary information and click Restore.

TIP

If you want to start the restored Azure VM as soon as the restore process completes, select the P ower on
ta rget instance after restoring check box.

294 | V eeam Backup for Microsoft A zure | User Guide

Performing Disk Restore
In case a disaster strikes, you can restore corrupted virtual disks of an Azure VM from a cloud -native snapshot or
image-level backup. Veeam Backup for Microsoft Azure allows you to restore virtual disks to the original
location or to a new location.

How Disk Restore Works

To restore virtual disks from a cloud-native snapshot, Veeam Backup for Microsoft Azure uses native Microsoft
Azure capabilities. To restore virtual disks from an image-level backup, Veeam Backup for Microsoft Azure
performs the following steps:

1. [This step applies only if you perform restore from an archived backup] Retrieves data from the archived
restore point.

2. [This step applies only if you perform restore to the original location] Creates a staging resource group in
which virtual disks of the restored Azure VM will be created, and assigns the Veeam backup appliance ID
tag to the group. The tag value is the ID of Azure VM running the backup appliance.

3. Creates empty virtual disks. The number of empty virtual disks equals the number of disks you want to
restore.

4. Launches a worker instance in the Azure region where the restored virtual disks will reside, and attaches
the empty virtual disks to the worker instance.

5. Restores backed-up data to the empty virtual disks on the worker instance.

6. Detaches the virtual disks with the restored data from the worker instance.

7. Deallocates the worker instance.

8. [This step applies only if you perform restore to the original location] Removes the source virtual disks
from Microsoft Azure.

9. [This step applies only if you perform restore to the original location] Moves the virtual disks from the
staging resource group to the original resource group.

10. [This step applies only if you perform restore to the original location] Attaches the created virtual disks
with the restored data to the Azure VM.

11. [This step applies only if you perform restore to the original location] Removes the staging re source
group.

NOTE

When restoring to a new location, Veeam Backup for Microsoft Azure does not attach the restored virtual
disks to any Azure VM — the disks are placed to the specified location as standalone virtual disks.

Before You Begin

To restore a virtual disk from a backup that is stored in an archive repository, you must retrieve the archived
data first. You can either retrieve the archived data manually before you begin the restore operation, or launch
the data retrieval process right from the restore wizard. To learn how to retrieve data manually, see Retrieving
Data From Archive.

295 | V eeam Backup for Microsoft Azure | User Guide

How to Perform Disk Restore
To restore virtual disks attached to a protected Azure VMs, do the following:

1. Launch the Restore Disks wizard.

2. Select a restore point.

3. Select an Azure account.

4. Choose a restore mode.

5. Specify data retrieval settings.

6. Specify disk settings.

7. Specify a restore reason.

8. Finish working with the wizard.

296 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Restore Disks Wizard
To launch the Restore Disks wizard, do the following:

1. Navigate to P rotected Data > Virtual Machines.

2. Select the check box next to the Azure VM whose virtual disks you want to restore.

3. Click Restore > Disk Restore.

You can also click the link in the Restore Points column. Then, in the Restore Points window, select the
necessary restore point and click Restore > Disk Restore.

297 | V eeam Backup for Microsoft A zure | User Guide

Step 2. Select Restore Point
At the Restore P oint step of the wizard, select a restore point that will be used to restore virtual disks of the
selected Azure VM. By default, Veeam Backup for Microsoft Azure uses the most recent valid restore point.
However, you can restore the disks to an earlier state.

IMP ORTANT

If you select a restore point stored in an archive repository and the same restore point is also available in a
regular repository, Veeam Backup for Microsoft Azure will display the confirmation window where you
must choose whether you want to use the archived or regular restore point to perform the restore
operation.

To select a restore point, do the following:

1. Select the Azure VM.

2. Click Cha nge Restore Point.

3. In the Sp ecify restore point window, select the necessary restore point and click Ap p ly.

To help you choose a restore point, Veeam Backup for Microsoft Azure provides the following information
on each available restore point:

o Created — the date when the restore point was created.

o Ba ckup Destination — the type of the restore point:

▪ <Repository Name> — an image-level backup created by a backup policy.

▪ Snapshot — a cloud-native snapshot created by a backup policy.

▪ Manual Snapshot — a cloud-native snapshot created manually.

TIP

If you want to restore only specific virtual disks of the selected Azure VM, you can exclude the unnecessary
disks from the restore process. To do that, click E x clusions to open the Select exclusions window, select
check boxes next to the disks that you do not want to restore, and click Ap p ly.

298 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Select Azure Account
At the Account step of the wizard, select an Azure account whose permissions Veeam Backup for Microsoft
Azure will use to perform the restore operation.

1. Click Select a ccount.

2. In the Choose a n Azure account window, select the necessary account and click Ap p ly.

For an Azure account to be displayed in the list of available accounts, it must be added to Veeam Backup
for Microsoft Azure as described in section Adding Azure Service Accounts. If you have not added the
necessary Azure account to Veeam Backup for Microsoft Azure beforehand, you can do it without closing
the Ad d VM P olicy wizard. To add an Azure account, click Ad d and complete the Ad d Azure account
wizard.

299 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Choose Restore Mode
At the Restore Mode step of the wizard, choose whether you want to restore the selected virtual disks to the
original or to a custom location.

If you select the Restore to a new location, or with different settings option, you must also select a Microsoft
Azure subscription and an Azure region in which the restored virtual disks will reside:

1. Click the link in the Sub scription field. Then, select the necessary subscription in the Choose subscription
window.

For a subscription to be displayed in the list of available subscriptions, it must be associated or added to
an Azure Active Directory tenant to which the Azure account selected at step 3 of the wizard belongs. To
learn how to associate or add Azure subscriptions to Azure Active Directory tenants, see Microsoft Docs.

2. Click the link in the Reg ion field. Then, select the necessary Azure region in the Choose region window.

NOTE

Data transfer to a new location may require additional costs and may take more time to complete.

300 | V eeam Backup for Microsoft A zure | User Guide

Step 5. Specify Retrieval Settings
[This step applies only if you have selected a restore point stored in an archive repository at the Restore Point
step of the wizard]

At the Da ta retrieval step of the wizard, choose a retrieval mode and specify a period for which you want to keep
the data available.

1. In the Retrieval Mode section, select the retrieval mode that Veeam Backup for Microsoft Azure will use to
retrieve the archived data. For more information on data retrieval modes, see Retrieving Data From
Archive.

2. In the Ava ilability Period section, specify the number of days for which you want to keep the data
available for restore operations. You can manually extend the availability period later if required.

TIP

If you want to receive an email notification when data availability period is about to expire, select the Send
notification email check box and choose when you want to be notified (that is, the number of hours
remaining until data expiration).

301 | V eeam Backup for Microsoft Azure | User Guide

Step 6. Specify Disk Settings
[This step applies only if you have selected the Restore to a new location, or different s ettings option at the
Restore Mode step of the wizard]

At the Disks step of the wizard, you can configure disk properties for each restored virtual disk:

1. Select the necessary disk.

2. Click E d it.

3. In the Disk properties window, do the following:

a. In the Disk name field, specify a new name for the restored virtual disk.

b. From the Resource group drop-down list, select a resource group where the restored virtual disk will
belong.

For a resource group to be displayed in the list of available resource groups, it must be created in the
Microsoft Azure portal as described in Microsoft Docs.

b. From the Disk type drop-down list, select a type for the restored virtual disk. For more information on
disk types, see Microsoft Docs.

NOTE

You cannot convert managed virtual disks into unmanaged, but you can convert unmanaged virtual disks
into managed.

c. [Applies only to unmanaged disks] From the Storage account drop-down list, select an Azure storage
account to which you want to restore the selected virtual disk.

For a storage account to be displayed in the Storage account list, it must be created in the Microsoft
Azure portal as described in Microsoft Docs.

d. [Applies only to managed disks] From the Ava ilability zone drop-down list, select an availability zone
to which you want to place the restored virtual disk.

e. To save changes made to the virtual disk settings, click Ap p ly.

302 | V eeam Backup for Microsoft A zure | User Guide

Step 7. Specify Restore Reason
At the Rea son step of the wizard, specify a reason for restoring the virtual disks. This information will be saved
to the session history, and you will be able to reference it later.

303 | V eeam Backup for Microsoft A zure | User Guide

Step 8. Finish Working with Wizard
At the Summary step of the wizard, review summary information and click Restore.

304 | V eeam Backup for Microsoft A zure | User Guide

Performing File-Level Recovery
In case a disaster strikes, you can recover corrupted or missing files of an Azure VM from a cloud -native
snapshot or image-level backup. Veeam Backup for Microsoft Azure allows you to download the necessary files
and folders to a local machine using the File-level recovery browser.

IMP ORTANT

If Azure Disk Encryption is enabled for virtual disks attached to the selected Azure VM, Veeam Backup for
Microsoft Azure will not be able to perform the file-level recovery operation. File-level recovery for Azure
VMs with the Azure Disk Encryption option enabled is not supported in the current Veeam Backup for
Microsoft Azure version. For more information on Azure Disk Encryption, see Microsoft Docs.

You can recover files and folders from the following file systems only:

• Microsoft Windows systems — FAT, FAT32, NTFS.

• Linux systems — ext2, ext3, ext4, XFS, Btrfs.

Veeam Backup for Microsoft Azure supports file-level recovery only for Microsoft Windows basic volumes.

TIP

If you want to recover files from file systems that are not supported by Veeam Backup for Microsoft Azure,
you can add a backup repository that contains backups of Azure VMs to the backup infrastructure as an
external repository, and perform the file-level recovery operation as described in the Veeam Backup &
Replication User Guide.

How File-Level Recovery Works

To recover files and folders of a backed-up Azure VM, Veeam Backup for Microsoft Azure performs the following
steps:

1. Launches a worker instance in either of the following Azure regions:

o To recover files and folders from a cloud-native snapshot, the worker instance is launched in the
region where the cloud-native snapshot resides.

o To recover files and folders from an image-level backup, the worker instance is launched in the region
where the backup repository storing backed-up data resides.

2. Attaches virtual disks of the Azure VM to the worker instance.

The disks are not physically extracted from the backup — Veeam Backup for Microsoft Azure emulates
their presence on the worker instance. The source backup itself remains in the read -only state.

3. Launches the File-level recovery browser.

The File-level recovery browser displays the file system tree of the backed -up Azure VM. In the browser,
you select the necessary files and folders to recover.

4. Saves the selected files and folders to the local machine.

5. Detaches the virtual disks from the worker instance.

6. Deallocates the worker instance.

305 | V eeam Backup for Microsoft A zure | User Guide

Before You Begin
To recover files and folders of an Azure VM from a backup that is stored in an archive backup repository, you
must retrieve the archived data manually before you begin the file-level recovery operation. To learn how to do
that, see Retrieving Data from Archive.

How to Perform File-Level Recovery

To recover files and folders of a protected Azure VM, do the following:

1. Launch the File-Level Recovery wizard.

2. Select a restore point.

3. Specify a restore reason.

4. Finish working with the wizard — start a recovery session.

5. Choose files and folders to recover.

6. Stop the recovery session.

306 | V eeam Backup for Microsoft A zure | User Guide

Step 1. Launch File-Level Recovery Wizard
To launch the File-level Recovery wizard, do the following:

1. Navigate to P rotected Data > Virtual Machines.

2. Select the check box next to the necessary Azure VM.

3. Click Restore > File-Level Recovery.

You can also click the link in the Restore Points column. Then, in the Ava ilable Restore Points window,
select the necessary restore point and click Restore > File-Level Recovery.

307 | V eeam Backup for Microsoft A zure | User Guide

Step 2. Select Restore Point
At the Virtual Machine step of the wizard, select a restore point that will be used to recover files and folders of
the selected Azure VM. By default, Veeam Backup for Microsoft Azure uses the most recent valid restore point.
However, you can restore the Azure VM data to an earlier state.

To select a restore point, do the following:

1. Select the Azure VM.

2. Click Cha nge Restore Point.

3. In the Sp ecify restore point window, select the necessary restore point and click Ap p ly.

To help you choose a restore point, Veeam Backup for Microsoft Azure provides the following information
on each available restore point:

o Created — the date when the restore point was created.

o Ba ckup Destination — the type of the restore point:

▪ <Repository Name> — an image-level backup created by a backup policy.

▪ Snapshot — a cloud-native snapshot created by a backup policy.

▪ Manual Snapshot — a cloud-native snapshot created manually.

IMP ORTANT

If you select a restore point stored in an archive repository, you will be redirected to the Data Retrieval
wizard. Complete the Da ta Retrieval wizard, wait until the retrieval operation completes and then launch
the File-level Recovery wizard again.

308 | V eeam Backup for Microsoft A zure | User Guide

Step 3. Specify Recovery Reason
At the Rea son step of the wizard, specify a reason for recovering files and folders. This information will be sav ed
to the session history, and you will be able to reference it later.

309 | V eeam Backup for Microsoft A zure | User Guide

Step 4. Start Recovery Session
At the Summary step of the wizard, review summary information and click Sta rt.

As soon as you click Sta rt, Veeam Backup for Microsoft Azure will close the Azure Files File-level Recovery
wizard and start a restore session. You can track the progress of the restore session in the File-level Recovery
window. To open the File-level Recovery window, navigate to P rotected Data and click the link in the File-level
Recovery URL column. During the recovery session, Veeam Backup for Microsoft Azure will launch a worker
instance and attach virtual disks of the processed Azure VM to it.

In the URL column of the window, Veeam Backup for Microsoft Azure will display a link to the File-level
recovery browser. You can use the link in either of the following ways:

• Click the link to open the File-level recovery browser on your local machine while the recovery session is
running.

• Copy the link, close the File-level Recovery window and open the File-level recovery browser on another
machine.

IMP ORTANT

When you click Cop y URL, Veeam Backup for Microsoft Azure copies the following information to the
clipboard:

• A link to the File-level recovery browser that includes a public DNS name of the worker instance
hosting the browser and authentication information used to access the browser.
• A thumbprint of a TLS certificate installed on the worker instance hosting the File-level recovery
browser.

To avoid a man-in-the-middle attack, before you start recovering files and folders, check that the
certificate thumbprint displayed in the web browser from which you access the File-level recovery browser
matches the provided certificate thumbprint.

310 | V eeam Backup for Microsoft Azure | User Guide

Step 5. Download Recovered Files and Folders
In the File-level recovery browser, you can find and recover items (files and folders) of the selected Azure VM.
All recovered items will be saved in a single .ZIP archive to the default download directory on a machine from
which you access the File-level recovery browser.

1. In the File-level recovery browser, navigate to a folder that contains the necessary files.

2. In the working area, select check boxes next to the files and click Ad d to Restore List.

3. Repeat steps 1-2 for all other folders whose files you want to recover.

4. Switch to the Restore List tab.

5. On the Restore List tab, review the list of items to recover, select check boxes next to the items, and click
Download.

311 | V eeam Backup for Microsoft Azure | User Guide

Step 6. Stop Recovery Session
After you finish working with the File-level recovery browser, it is recommended that you stop the recovery
session so that Veeam Backup for Microsoft Azure can unmount and detach virtual disks of the processed Azure
VM from the worker instance and deallocate the worker instance.

To stop the recovery session, click Stop in the File-level Recovery window. If you do not perform any actions in
the File-level recovery browser for 30 minutes, Veeam Backup for Microsoft Azure will stop the recovery session
automatically.

TIP

If you accidentally close the File-level Recovery window, navigate to P rotected Data and click the link in
the File-level Recovery URL column to open the window again.

312 | V eeam Backup for Microsoft A zure | User Guide

Performing SQL Restore
In case a disaster strikes, you can restore an entire Azure SQL datab ase from an image-level backup. Veeam
Backup for Microsoft Azure allows you to restore one or more databases at a time, to the original location or to a
new location.

IMP ORTANT

Within one restore session, you can restore only those Azure SQL databases that belong to the same SQL
Server.

How SQL Restore Works

To restore an Azure SQL database from an image-level backup, Veeam Backup for Microsoft Azure performs the
following steps:

1. [This step applies only if you perform restore from an archived backup ] Retrieves data from the archived
restore point.

2. Launches a worker instance in the Azure region where the SQL Server that will host the restored database
resides.

3. Creates an empty database on the target SQL Server using the Azure REST API.

4. Restores backed-up data to a BACPAC file on the worker instance.

5. Imports data from the BACPAC file to the created database.

6. Performs consistency checks for the restored database.

7. Deallocates the worker instance.

6. [This step applies only if you perform restore to the original location and if the source database is still
present in the location] Renames the restored database and then removes the source database from the
SQL Server.

Before You Begin

To restore an Azure SQL database from a backup that is stored in an archive repository, you must retrieve the
archived data first. You can either retrieve the archived data manually before you begin the restore operation, or
launch the data retrieval process right from the restore wizard. To learn how to retrieve data manually, see
Retrieving Data From Archive.

How to Perform SQL Restore

To restore Azure SQL database, do the following:

1. Launch the SQL Database restore wizard.

2. Select a restore point.

3. Select an Azure account.

4. Choose a restore mode.

5. Select an Azure SQL account.

313 | V eeam Backup for Microsoft A zure | User Guide

 6. Specify data retrieval settings.

7. Configure restore settings.

8. Specify a restore reason.

9. Review summary information.

314 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch SQL Database Restore Wizard
To launch the SQL Database Restore wizard, do the following:

1. Navigate to P rotected Data > Azure SQL.

2. Select the check box next to the necessary Azure SQL Database.

3. Click Restore Database.

Alternatively, click the link in the Restore Points column. Then, in the Ava ilable Restore Points window,
select the necessary restore point and click Restore Database.

315 | V eeam Backup for Microsoft A zure | User Guide

Step 2. Select Restore Point
At the Da tabases step of the wizard, select a restore point that will be used to restore the selected Azure SQL
database. By default, Veeam Backup for Microsoft Azure uses the most recent valid restore point. However, you
can restore the database data to an earlier state.

IMP ORTANT

If you select a restore point stored in an archive repository and the same restore point is also available in a
regular repository, Veeam Backup for Microsoft Azure will display the confirmation window where you
must choose whether you want to use the archived or regular restore point to perform the restore
operation.

To select a restore point, do the following:

1. Select the Azure SQL database.

2. Click Restore Point.

3. In the Sp ecify restore point window, select the necessary restore point and click Ap p ly.

To help you choose a restore point, Veeam Backup for Microsoft Azure provides the following information
on each available restore point:

o Da te — the date when the restore point was created.

o Access Tier — the storage tier of a backup repository where the restore point is stored.

316 | V eeam Backup for Microsoft A zure | User Guide

Step 3. Select Azure Account
At the Account step of the wizard, select an Azure account whose permissions Veeam Backup for Microsoft
Azure will use to perform the restore operation.

1. Click Select a ccount.

2. In the Choose a n Azure account window, select the necessary account and click Ap p ly.

For an Azure account to be displayed in the list of available accounts, it must be added to Veeam Backup
for Microsoft Azure as described in section Adding Azure Service Accounts. If you have not added the
necessary Azure account to Veeam Backup for Microsoft Azure beforehand, you can do it without closing
the Ad d VM P olicy wizard. To add an Azure account, click Ad d and complete the Ad d Azure account
wizard.

317 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Choose Restore Mode
At the Restore Mode step of the wizard, choose whether you want to restore the Azure SQL database to the
original or to a custom location.

318 | V eeam Backup for Microsoft Azure | User Guide

Step 5. Select Azure SQL Account
[This step applies only if you have selected the Restore to the original location option at the Restore Mode step
of the wizard]

At the SQL a ccount step of the wizard, select an Azure SQL Server account that will be used to authenticate
against the SQL Server that will host the restored database.

1. Click Instance.

2. In the Choose a SQL server account to use window, select the necessary Azure SQL Server account and
click Ap p ly.

For an Azure SQL Server account to be displayed in the list of available accounts, it must be added to
Veeam Backup for Microsoft Azure as described in section Adding Accounts.

IMP ORTANT

Portal Operators and Restore Operators can use only those Azure SQL Server accounts that have been
specified for the SQL Server in settings of any backup policy created by a Portal Administrator.

319 | V eeam Backup for Microsoft A zure | User Guide

Step 6. Specify Retrieval Settings
[This step applies only if you have selected a restore point stored in an archive repository at the Da tabases step
of the wizard]

At the Da ta retrieval step of the wizard, choose a retrieval mode and specify a period for which you want to keep
the data available.

1. Click the link in the Retrieval mode section.

a. In the Retrieval settings window, for each processed Azure SQL database, do the following:

i. Select an Azure SQL database and click E d it.

ii. In the E d it Retrieval Mode window, select the retrieval mode that Veeam Backup for Microsoft
Azure will use to retrieve the archived data, and click Sa ve. For more information on data
retrieval modes, see Retrieving Data From Archive.

b. To save changes made to the data retrieval settings, click Ap p ly.

2. Click E d it Availability Period in the Ava ilability period section.

a. In the Ava ilability period window, specify the number of days for which you want to keep the data
available for restore operations. You can manually extend the availability period later if required.

TIP

If you want to receive an email notification when data availability period is about to expire, select the Send
notification email check box and choose when you want to be notified (that is, the number of hours
remaining until data expiration).

320 | V eeam Backup for Microsoft A zure | User Guide

 b. To save changes made to the availability period settings, click Ap p ly.

321 | V eeam Backup for Microsoft A zure | User Guide

Step 7. Configure Restore Settings
[This step applies only if you have selected the Restore to a new location, or with different settings option at
the Restore Mode step of the wizard]

At the Settings step of the wizard, specify a SQL Server that will host the restored databases:

1. Click E d it Server Settings in the Server Settings section.

2. In the Server settings window, do the following:

a. From the Reg ion drop-down list, select an Azure region where the SQL Server that will host the
restored database resides.

b. From the SQL server drop-down list, select the target SQL Server.

c. From the E lastic pool drop-down list, select an elastic pool to which the restored database will be
added.

For an elastic pool to be displayed in the list of available pools, it must be created in the Micr osoft
Azure portal as described in Microsoft Docs.

d. From the SQL account drop-down list, choose an Azure SQL Server account that will be used to
authenticate against the target SQL Server.

For an Azure SQL Server account to be displayed in the list of available accounts, it must be added to
Veeam Backup for Microsoft Azure as described in section Adding Account.

e. To save changes made to the server settings, click Ap p ly.

3. Use the Da tabase settings section to specify a new name for the restored database. To do that, select the
database and click Rena me.

322 | V eeam Backup for Microsoft Azure | User Guide

Step 8. Specify Restore Reason
At the Rea son step of the wizard, specify a reason for restoring the Azure SQL database. This information will be
saved to the session history, and you will be able to reference it later.

323 | V eeam Backup for Microsoft Azure | User Guide

Step 9. Finish Working with Wizard
At the Summary step of the wizard, review summary information and click Res tore.

TIP

It is recommended that you check the network connection status of the target SQL Server to verify
whether Veeam Backup for Microsoft Azure will be able to connect to the server to perform the restore
operation. To run the connection check, click Test Connection. Veeam Backup for Microsoft Azure will
display the Test connection window where you can view the progress and results of the performed check.

Fixing Network Issues

If the backup policy check reveals that network settings are not configured properly, Veeam Backup for
Microsoft Azure will not be able to launch worker instances and thus perform the operation.

To fix network issues:

1. Close the Test connection window, and then click Ca ncel to close the SQL Database Restore wizard.

2. Depending on the error message received after the backup policy check, do the following:

o Make sure that network settings are configured for each Azure region selected at step 7. For
information on how to configure network settings for Azure regions, see Managing Worker Instances.

o Make sure that virtual networks specified in network settings for Azure regions have access to the
required Azure services. The required Azure services are listed in the System Requirements section.

3. After network issues are fixed, you can start the SQL Database Restore wizard again.

324 | V eeam Backup for Microsoft A zure | User Guide

Performing File Share Restore
In case a disaster strikes, you can recover corrupted or missing files of an Azure file share from a cloud -native
snapshot. Veeam Backup for Microsoft Azure allows you to restore files and folders to the original file share or
to another file share.

How File Share Restore Works

To restore files and folders of an Azure file share, Veeam Backup for Microsoft Azure performs the following
steps:

1. On the backup appliance, restores the file share tree.

2. Launches the File-level recovery browser.

The File-level recovery browser displays the file tree of the backed-up file share. In the browser, you can
specify the necessary restore point, and select files and folders that will be restored.

3. Restores the specified backed-up files and folders from the restore point to the selected file sha re.

How to Perform File Share Restore

To restore files and folders of a protected Azure file share, do the following:

1. Launch Azure Files File-Level Recovery wizard.

2. Select an Azure account.

3. Choose a restore mode.

4. Specify a restore reason.

5. Finish working with the wizard — start a recovery session.

6. Select a restore point.

7. Choose files and folders to restore.

8. Stop the restore session.

325 | V eeam Backup for Microsoft Azure | User Guide

Step 1. Launch Azure Files File-Level Recovery
Wizard
To launch the Azure Files File-Level Recovery wizard, do the following:

1. Navigate to P rotected Data > Azure Files.

2. Select the check box next to the necessary Azure file share.

3. Click Restore > File-Level Restore.

Alternatively, click the link in the Restore Points column. Then, in the Ava ilable Restore Points window,
select the necessary restore point and click File-Level Restore.

326 | V eeam Backup for Microsoft Azure | User Guide

Step 2. Select Azure Account
At the Account step of the wizard, select an Azure account whose permissions Veeam Backup for Microsoft
Azure will use to perform the restore operation.

1. Click Select a ccount.

2. In the Choose a n Azure account window, select the necessary account and click Ap p ly.

For an Azure Active Directory to be displayed in the list of available directories, it must be created in the
Microsoft Azure portal as described in Microsoft Docs.

327 | V eeam Backup for Microsoft A zure | User Guide

Step 3. Choose Restore Mode
At the Restore Mode step of the wizard, choose whether you want to restore files of the file share to the original
or to a custom location.

If you select the Restore to a new location, or with different settings option, you must also specify the file share
that will host the restored files, and select a Microsoft Azure subscription and an Azure region in which the
target file share resides:

1. Click the link in the Sub scription field. Then, select the necessary subscription in the Choose subscription
window.

For a subscription to be displayed in the list of available subscriptions, it must be associated or added to
an Azure Active Directory tenant to which the Azure account selected at step 3 of the wizard belongs. To
learn how to associate or add Azure subscriptions to Azure Active Directory tenants, see Microsoft Docs.

2. Click the link in the Reg ion field. Then, select the necessary Azure region in the Choose region window.

3. Click the link in the File Share field. Then, select the necessary file share in the Choose target file share
window.

For a file share to be displayed in the list of available shares, it must be deployed under the selected
subscription in the Microsoft Azure portal, as described in Microsoft Docs.

NOTE

Data transfer to a new location may require additional costs and may take more time to complete.

328 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Specify Restore Reason
At the Rea son step of the wizard, specify a reason for restoring files and folders. This information will be saved
to the session history, and you will be able to reference it later.

329 | V eeam Backup for Microsoft Azure | User Guide

Step 5. Start Recovery Session
At the Summary step of the wizard, review summary information and click Sta rt.

As soon as you click Sta rt, Veeam Backup for Microsoft Azure will close the Azure Files File-level Recovery
wizard and start a restore session. You can track the progress of the restore session in the File-level Recovery
window. To open the File-level Recovery window, navigate to P rotected Data and click the link in the File-level
Recovery URL column.

In the URL column of the window, Veeam Backup for Microsoft Azure will display a link to the File -level
recovery browser. You can use the link in either of the following ways:

• Click the link to open the File-level recovery browser on your local machine while the restore session is
running.

• Copy the link, close the File-level Recovery window and open the File-level recovery browser on another
machine.

330 | V eeam Backup for Microsoft A zure | User Guide

Step 6. Select Restore Point
By default, Veeam Backup for Microsoft Azure uses the most recent valid restore point. However, you can
restore files and folders to an earlier state.

To select a restore point in the file-level recovery browser, do the following:

1. On the Browse tab, click the link in the Restore P oint field.

2. In the Select Restore Point window, choose a date when the restore point was created, select the
necessary restore point from the Restore P oints list and click Ap p ly.

331 | V eeam Backup for Microsoft A zure | User Guide

Step 7. Choose Items to Recover
In the File-level recovery browser, you can find and restore items (files and folders) of the s elected Azure file
share. All restored items will be saved to the specified file share.

1. On the Browse tab, navigate to a folder that contains the necessary files.

2. In the working area, select check boxes next to the files and click Ad d to Restore List.

3. Repeat steps 1-2 for all other folders whose files you want to restore.

4. Switch to the Restore List tab, review the list of files and folders, select check boxes next to the items that
you want to recover and do the following:

o To restore copies of the selected files and folders to the target file share, click Restore > Keep.

If files and folders with the same names exist on the target file share, Veeam Backup for Microsoft
Azure will save the selected files to this file share with the following names — <file_name>-
Copy<ordinal_number>. Otherwise, Veeam Backup for Microsoft Azure will save the selected files
to this file share with the original names.

o To restore the selected files and folders to the target file share, click Restore > Overwrite.

If files and folders with the same names exist on the target file share, Veeam Backup for Microsoft
Azure will overwrite these files. Otherwise, Veeam Backup for Microsoft Azure will save the selected
files to this file share.

As soon as you click Restore, Veeam Backup for Microsoft Azure will recover the selected files. You can
track the progress and view the results of the restore operation in the Session Log section of the Restore
List tab.

332 | V eeam Backup for Microsoft Azure | User Guide

Step 8. Stop Restore Session
After you finish working with the File-level recovery browser, it is recommended that you stop the restore
session. To do that, click Stop in the File-level Recovery window. If you do not perform any actions in the File-
level recovery browser for 30 minutes, Veeam Backup for Microsoft Azure will stop the restore session
automatically.

TIP

If you accidentally close the File-level Recovery window, navigate to P rotected Data and click the link in
the File-level Recovery URL column to open the window again.

333 | V eeam Backup for Microsoft Azure | User Guide

Reviewing Dashboard
Veeam Backup for Microsoft Azure comes with an Overview dashboard that provides at-a-glance real-time
overview of the protected Azure resources and allows you to estimate the overall backup performance. The
dashboard includes the following widgets:

• Sessions in Last 24 Hours — displays the number of all sessions started for data protection and disaster
recovery operations (including system sessions) that completed successfully during the past 24 hours, the
number of sessions that completed with warnings, the number of sessions that completed with errors, and
the number of sessions that are currently running.

To get more information on the sessions, click either View Session Logs or any of the widget rows. In the
latter case, the Session Log tab will show only those sessions that have the same status as that clicked in
the widget.

For more information on the Session Log tab, see Viewing Session Statistics.

• Successful Policy Tasks — displays the number of snapshots, backups and archived backups successfully
created by backup policies during a specific time period (the past 24 hours by default), and the number of
attempts that were made to create these restore points.

To specify the time period, click the link next to the Schedule icon. To get more information on the
created snapshots, backups or archived backups, click any of the widget rows. In the latter case, the
Session Log tab will show only those sessions during which Veeam Backup for Microsoft Azure created the
same items as that clicked in the widget.

For more information on the Session Log tab, see Viewing Session Statistics.

• Top P olicies — shows top 8 backup policies for fluctuations in execution time (including retries). For each
policy, the widget calculates the growth rate to detect whether it took less or more time for the policy to
complete in comparison with the previous policy run.

• P rotected Workloads — displays the number of available Azure resources tha t got protected by Veeam
Backup for Microsoft Azure during a specific time period (the past 24 hours by default).
To specify the time period, click the link next to the Schedule icon. To get more information on the
protected resources, click any of the widget rows.

For more information on the available resources, their properties and the actions you can perform for the
resources, see Viewing Available Resources.

• Storage Usage — displays the amount of storage space that is currently consumed by backups and
archived backups created by Veeam Backup for Microsoft Azure in blob containers, and the number of
snapshots created for the protected resources. The widget also calculates the ratio of the total amount of
storage space used in the Standard Storage class to the total amount of storage space used in the Cool,
Hot and Archive access tiers.

• Bottlenecks Overview — is designed to help you avoid possible backup bottlenecks.

The widget analyzes the total amount of time waited to launch worker instances during data protection
operations in different Azure regions, and displays the most problematic region (if any).

The widget also analyzes the amount of CPU quota across all regions to detect whether the quota has
already been reached in any of the regions, and whether Veeam Backup for Microsoft Azure failed to
launch a worker instance in that region during a backup or restore process. For more information on VM
sizes of Azure VMs that operate as worker instances, see Managing Worker Instances.

The widget also analyzes the number of management operations performed in Azure storage accounts
where Veeam Backup for Microsoft Azure writes data to backup repositories, and displays a warning if the
storage throttling limit for any of these accounts has been breached.

334 | V eeam Backup for Microsoft A zure | User Guide

 To learn how to resolve a bottleneck, click the How to resolve? link in the widget row.

335 | V eeam Backup for Microsoft Azure | User Guide

Viewing Session Statistics
For each performed data protection or disaster recovery operation, Veeam Backup for Microsoft Azure starts a
new session and stores its records in the configuration database. You can track real -time statistics of all running
and completed operations on the Session Log tab.

To view the full list of tasks executed during an operation, click the link in the Sta tus column. To view the full
list of Azure resources processed during an operation, click the link in the Items column.

TIP

If you want to specify the time period during which Veeam Backup for Microsoft Azure will keep session
records in the configuration database, follow the instructions provided in section Configuring Global
Retention Settings.

336 | V eeam Backup for Microsoft Azure | User Guide

Collecting Object Properties
You can export properties of objects managed by Veeam Backup for Microsoft Azure as a single .CSV or .XML
file. To do that, navigate to the necessary tab and click E x port. Veeam Backup for Microsoft Azure will save the
file with the exported data to the default download directory on the local machine.

NOTE

Even if you try to export properties of a specific object, Veeam Backup for Microsoft Azure will still export
all properties of all objects present on the currently opened tab.

337 | V eeam Backup for Microsoft A zure | User Guide

Updating Veeam Backup for Microsoft
Azure
Veeam Backup for Microsoft Azure allows you to check for new product versions and available package updates,
download and install them right from the Web UI.

NOTE

If the backup appliance is managed by a Veeam Backup & Replication server, you will not be able to update
Veeam Backup for Microsoft Azure from the Web UI. To learn how to install updates on backup appliances
added to the backup infrastructure, see the Integration with Veeam Backup & Replication Guide, section
Upgrading Appliances.

It is recommended that you timely install available updates to avoid performance issues while working with the
product. For example, timely installed security updates may help you prevent potential security issues and
reduce the risk of compromising sensitive data.

338 | V eeam Backup for Microsoft Azure | User Guide

Checking for Updates
Veeam Backup for Microsoft Azure automatically notifies you about newly released product versions and
package updates available for the operating system running on the backup appliance. However, you can check
for the available updates manually if required:

1. Switch to the Configuration page.

2. Navigate to Sup p ort Information.

3. Switch to the Up d ates tab.

4. Click Check and View Updates.

If new updates are available, Veeam Backup for Microsoft Azure will display them on the Up dates tab of the
Veeam Updater page. To view detailed information on an update, select the check box next to the update and
click W ha t's new?

339 | V eeam Backup for Microsoft Azure | User Guide

Installing Updates
To download and install new product versions and available package updates, you can use either of the
following options:

• Install updates immediately

• Schedule update installation

You can also set a reminder to send update notifications.

IMP ORTANT

Consider the following:

• You can update the standalone backup appliance using the Veeam updater service only. Updating of
the backup appliance manually is not supported.
• You can update the backup appliance managed by a Veeam Backup & Replication server from the
Veeam Backup & Replication console as described in the Integration with Veeam Backup &
Replication Guide, section Upgrading Appliances. Updating managed backup appliances using the
Veeam updater service is not supported.

Installing Updates
IMP ORTANT

Before you install a product update, make sure all backup policies are disabled and restore tasks are
finished. Otherwise, the update process will interrupt running activities, which may result in data loss.

To download and install available product and package updates:

1. Open the Veea m Updater page:

a. Switch to the Configuration page.

b. Navigate to Sup p ort Information.

c. Switch to the Up d ates tab.

d. Click Check and View Updates.

2. On the Veeam Updater page, do the following:

a. In the Up dates are available for this system section, select check boxes next to the necessary updates.

b. In the Choose a ction section, select the Install updates now option, select the Reb oot automatically
a fter install if required check box to allow Veeam Backup for Microsoft Azure to reboot the backup
appliance if needed, and then click Install Updates Now.

340 | V eeam Backup for Microsoft A zure | User Guide

 NOTE

The updater may require you to read and accept the Veeam license agreement and the 3rd party
components license agreement. If you reject the agreements, you will not be able to continue installation.

Veeam Backup for Microsoft Azure will download and install the updates; the results of the installation process
will be displayed on the History tab. Keep in mind that it may take several minutes for the installation process to
complete.

NOTE

When installing product updates, Veeam Backup for Microsoft Azure restarts all services running on the
backup appliance, including the Web UI service. That is why Veeam Backup for Microsoft Azure may log you
out when the update process completes.

Scheduling Update Installation

You can instruct Veeam Backup for Microsoft Azure to automatically download and install available product
versions and package updates on a specific date at a specific time:

1. On the Veeam Updater page, in the Up d ates are available for this system section, select check boxes next
to the necessary updates.

2. In the Choose a ction section, do the following:

a. Select the Schedule updates installation option and configure the necessary schedule.

IMP ORTANT

When selecting a date and time when updates must be installed, make sure no backup policies are
scheduled to run at the selected time. Otherwise, the update process will interrupt the running activities,
which may result in data loss.

b. Select the Reb oot automatically after install if required check box to allow Veeam Backup for
Microsoft Azure to reboot the backup appliance if needed.

341 | V eeam Backup for Microsoft Azure | User Guide

 c. Click Schedule Updates.

Veeam Backup for Microsoft Azure will automatically download and install the updates on the selected date at
the selected time; the results of the installation process will be displayed on the History tab.

Setting Update Reminder

If you have not decided when to install available product versions and package updates, you can set an update
reminder — instruct Veeam Backup for Microsoft Azure to send an update notification later.

To do that, on the Veeam Updater page, in the Choose action section, do the following:

1. Select the Remind me later option and choose when you want to receive the reminder.

If you select the Nex t Week option, Veeam Backup for Microsoft Azure will send the reminder on the
following Monday.

342 | V eeam Backup for Microsoft A zure | User Guide

 2. Click Remind me later.

343 | V eeam Backup for Microsoft A zure | User Guide

Viewing Update History
To see the results of the update installation performed on the backup appliance, do the following:

1. Switch to the Configuration page.

2. Navigate to Sup p ort Information.

3. Switch to the Up d ates tab.

4. Click Check and View Updates.

5. On the Veeam Updater page, switch to the History tab.

For each date when an update was installed, the Veeam Updater page will display the name of the update and
its status (whether the installation process completed successfully, completed with warnings or failed to
complete).

To download logs for the installed updates, select the necessary date in the Da te section, and click View Full
Log . Veeam Backup for Microsoft Azure will save the logs as a single file to the default download directory on
the local machine.

344 | V eeam Backup for Microsoft Azure | User Guide

Getting Technical Support
If you have any questions or issues with Veeam Backup for Microsoft Azure, you can search for a resolution on
Veeam R&D Forums or submit a support case in the Veeam Customer Support Portal.

When you submit a support case, it is recommended that you provide the Veeam Customer Support Team with
the following information:

• Version information for the product and its components

• The error message or an accurate description of the problem you are facing

• Log files

Viewing Product Details

To view the product details, do the following:

1. Switch to the Configuration page.

2. Navigate to Sup p ort Information > Updates.

The Ab out section of the Up dates page displays the following information:

• Server version — the currently installed version of Veeam Backup for Microsoft Azure.

• W orker version — the version of worker instances launched by Veeam Backup for Microsoft Azure.

• FLR service version — the version of the File-level recovery service currently running on the backup
appliance.

• Microsoft Azure Tenant ID — the unique identification number of the Azure tenant to which the backup
appliance belongs.

• Sup port Code — the unique identification number of the Veeam support contract.

345 | V eeam Backup for Microsoft A zure | User Guide

 TIP

You can click the link in the Up dates section to check for, download and install new product versions and
available package updates. For more information, see Updating Veeam Backup for Microsoft Azure.

Downloading Logs
To download the product logs, do the following:

1. Switch to the Download Logs tab.

2. Click Download Logs.

3. In the Download Logs window, specify a time interval for which the logs will be collected:

o Select the La st option if you want to collect data for a specific number of days in the past.

o Select the P eriod option if you want to collect data for a specific period of time in the past.

After you click Download, the logs will be saved locally in the default download folder as a single .ZIP
archive.

346 | V eeam Backup for Microsoft A zure | User Guide

Appendix. Working in Private
Environments
For Veeam Backup for Microsoft Azure to be able to work with Azure resources that operate in private
environment, there is a list of configuration actions that must be performed both on the Veeam Backup for
Azure and the client side.

Actions Performed by Veeam Backup for Microsoft Azure

Veeam Backup for Microsoft Azure will automatically configure network settings required:

• To allow secure communication between the backup appliance and storage accounts where Veeam
applications and scripts are stored.

Veeam Backup for Microsoft Azure creates these accounts in Azure regions where workers are launched
and protected VMs with VSS agents reside.

• To allow Azure Service Bus to transfer data between services in private virtual networks.

IMP ORTANT

To let Veeam Backup for Microsoft Azure perform tasks in private environments, Azure Service Bus must be
upgraded to the Premium tier. For more information on Azure Service Bus tiers, see Microsoft Docs.

Actions Performed by Client

To back up and restore Azure resources operating within private virtual networks (VNets), you must grant
Veeam Backup for Microsoft Azure access to these resources. To do that, configure specific network settings to
allow traffic from VNets to which the backup appliance and workers are connected to reach your resources.
Depending on the Azure resource to which you want to grant access, do either of the following:

• Configure network settings for a storage account.

• Configure network settings for a SQL Server.

• Configure network settings for a SQL Managed Instance.

347 | V eeam Backup for Microsoft A zure | User Guide

Configuring Network Settings for Storage
Accounts
To allow Veeam Backup for Microsoft Azure to create and manage backup repositories, and to back up
unmanaged Azure VMs and file shares, in a storage account where your resources reside, you can either add
firewall rules that will grant access to specific VNets, or create private endpoints that will be used to connect to
the resources.

IMP ORTANT

Firewall rules are applied only for VNets that are created in the same region or in paired regions. That is
why if the backup appliance and the storage account are residing in different regions that are not paired,
you must create private endpoints to securely connect to resources that you want to protect. For more
information on paired Azure regions, see Microsoft Docs.

348 | V eeam Backup for Microsoft A zure | User Guide

Configuring Firewall Settings
To configure firewall rules for a storage account in which Azure resources that you want to protect reside, do
the following:

1. Log in to the Microsoft Azure portal.

2. Click More services and select Resource groups on the All services page.

3. On the Resource groups page, select the resource group to which the necessary storage account belongs.
The resource group page will open.

4. In the Resource list, locate and click the storage account. The Storage account page will open.

5. Navigate to Security + networking > Networking.

6. On the Firewalls and virtual networks tab, choose the Selected networks option and click Ad d existing
virtual network.

7. In the Ad d networks window:

a. From the Sub scription drop-down list, select a Microsoft Azure subscription to which Azure VM
hosting Veeam Backup for Microsoft Azure belongs.

b. From the Virtual networks drop-down list, select check boxes next to necessary virtual networks:

▪ To allow Veeam Backup for Microsoft Azure to manage backup repositories and to back up Azure
VMs, select VNets to which the backup appliance and workers are connected.

▪ To allow Veeam Backup for Microsoft Azure to back up Azure file shares, select the VNet to
which the backup appliance is connected.

c. From the Sub nets drop-down list, select check boxes next to subnets to which the backup appliance
or workers are connected.

NOTE

To allow access from virtual networks to storage accounts, Microsoft Azure uses service endpoints. If any
of the selected networks do not have service endpoints enabled for Microsoft.Storage, Microsoft Azure will
raise a warning. In this case, click E nable and wait for the process to complete. For more information on
service endpoints, see Microsoft Docs.

d. Click Ad d .

8. Click Sa ve.

349 | V eeam Backup for Microsoft A zure | User Guide

Creating Private Endpoints
If the backup appliance resides in another region than the resources that you want to back up, or you do not
want to add firewall rules, you can create private endpoints for your storage account to allow Veeam Backup for
Microsoft Azure access to the resources. Private endpoints are network interfaces that use private IP addresses
from your virtual network. For more information on private endpoints, see Microsoft Docs.

You must create a separate private endpoint for every VNet to which the backup appliance or workers are
connected. To create a private endpoint, complete the following steps:

1. Launch the Create a private endpoint wizard.

2. Configure private endpoint settings.

3. Specify resource settings.

4. Specify virtual network settings.

5. Specify DNS settings.

6. Assign tags.

7. Finish working with the wizard.

350 | V eeam Backup for Microsoft A zure | User Guide

Step 1. Launch Create a Private Endpoint Wizard
To launch the Create a private endpoint wizard for a storage account in which you want to create a private
endpoint, do the following:

1. Log in to the Microsoft Azure portal.

2. Click More services and select Resource groups on the All services page.

3. On the Resource groups page, select the resource group to which the necessary storage account belongs.
The resource group page will open.

4. In the Resources list, select the storage account. The Storage account page will open.

5. Navigate to Security + networking > Networking.

6. Switch to the P rivate endpoint connections tab and click P rivate endpoint to launch the wizard Create a
p rivate endpoint wizard.

351 | V eeam Backup for Microsoft A zure | User Guide

Step 2. Configure Private Endpoint Settings
At the Ba sics step of the Create a private endpoint wizard, do the following:

1. From the Sub scription drop-down list, select a Microsoft Azure subscription to which your virtual network
belongs.

2. From the Resource group drop-down list, select a resource group to which your newly created private
endpoint will belong. You can either use an existing resource group or create a new one. For more
information on creating and managing resource groups, see Microsoft Docs.

3. In the Na me field, enter a name for the private endpoint.

4. From the Reg ion drop-down list, select an Azure region of the virtual network to which the backup
appliance or workers are connected.

For more information on the Azure regions, see Microsoft Docs.

5. Click Nex t: Resource >.

352 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Specify Resource Settings
At the Resource step of the Create a private endpoint wizard, do the following:

1. From the Ta rget sub-resource drop-down list, select the type of the resource:

o Select blob if you are creating a private endpoint to allow Veeam Backup for Microsoft Azure to
manage backup repositories or back up Azure VMs.

o Select file if you are creating a private endpoint to allow Veeam Backup for Microsoft Azure to back up
Azure file shares.

2. Click Nex t: Configuration >.

353 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Specify Virtual Network Settings
At the Virtual Network step of the Create a private endpoint wizard, do the following:

1. From the Virtual network drop-down list, select a virtual network to which the backup appliance or
workers are connected.

2. From the Sub net drop-down list, select a subnet to which the backup appliance or workers are connected.
For a subnet to be displayed in the list, it must be created within the selected virtual network as described
in Microsoft Docs.

3. Click Nex t: DNS >.

354 | V eeam Backup for Microsoft A zure | User Guide

Step 5. Specify DNS Settings
At the DNS step of the Create a private endpoint wizard, do the following:

1. In the P rivate DNS integration section, create a new DNS zone to override the DNS resolution from a
public to private endpoint:

a. To the right of the Integrate with private DNS zone field, click Y es .

b. From the Sub scription drop-down list, select a subscription to which the DNS zone will belong.

c. From the Resource group drop-down list, select the resource group to which the DNS zone will
belong.

2. Click Nex t: Tags > .

355 | V eeam Backup for Microsoft Azure | User Guide

Step 6. Assign Tags
At the Ta rgets step of the Create a private endpoint wizard, you can assign tags to the newly created private
endpoint and private DNS zone if needed.

356 | V eeam Backup for Microsoft Azure | User Guide

Step 7. Finish Working with Wizard
At the Review + create step of the Create a private endpoint wizard, review configured settings and click Create.

357 | V eeam Backup for Microsoft A zure | User Guide

Configuring Network Settings for SQL
Server
To allow Veeam Backup for Microsoft Azure to back up SQL Servers operating in private environment, you can
either add firewall rules that will grant access to specific VNets, or create private endpoints that will be used to
connect to the resources.

IMP ORTANT

Firewall rules are applied only for VNets that are created in the same region or in paired regions. That is
why if the backup appliance and the SQL Server are residing in different regions that are not paired, you
must create private endpoints to securely connect to resources that you want to protect. For more
information on paired Azure regions, see Microsoft Docs.

358 | V eeam Backup for Microsoft Azure | User Guide

Configuring Firewall Settings
To configure firewall rules for a SQL Server, do the following:

1. Log in to the Microsoft Azure portal.

2. Click More services and select Resource groups on the All services page.

3. On the Resource groups page, select the resource group to which the necessary SQL Server belongs. The
resource group page will open.

4. In the Resource list, locate and click the SQL Server that you want to protect. The SQL server page will
open.

IMP ORTANT

If you plan to back up SQL databases using a staging server, you must select the SQL Server that will be
used as a staging one. To learn how to use staging servers, see Performing Backup.

5. Navigate to Security > Firewalls and virtual networks.

6. On the Firewalls and virtual networks tab, click Ad d existing virtual network.

7. In the Create/Update virtual network rule window, create a new firewall rule:

a. In the Na me field specify a name for the rule.

b. From the Sub scription drop-down list, select a Microsoft Azure subscription to which Azure VM
hosting Veeam Backup for Microsoft Azure belongs.

c. From the Virtual networks drop-down list, select check boxes next to virtual networks to which
workers are connected.

d. From the Sub nets drop-down list, select check boxes next to subnets to which workers are connected.

NOTE

To allow access from virtual networks to SQL Servers, Microsoft Azure uses service endpoints. If any of the
selected networks do not have service endpoints enabled for Microsoft.Sql, Microsoft Azure will raise a
warning. In this case, click E na ble and wait for the process to complete. For more information on service
endpoints, see Microsoft Docs.

359 | V eeam Backup for Microsoft Azure | User Guide

Creating Private Endpoints
If the backup appliance resides in another region than the SQL Server that you want to protect, or you do not
want to add firewall rules, you can create private endpoints for your SQL Server to allow Veeam Backup for
Microsoft Azure access to the databases. Private endpoints a re network interfaces that use private IP addresses
from your virtual network. For more information on private endpoints, see Microsoft Docs.

You must create a separate private endpoint for every VNet to which workers are connected. To create a private
endpoint, complete the following steps:

1. Launch the Create a private endpoint wizard.

2. Configure private endpoint settings.

3. Specify resource settings.

4. Specify configuration settings.

5. Assign tags.

6. Finish working with the wizard.

360 | V eeam Backup for Microsoft A zure | User Guide

Step 1. Launch Create a Private Endpoint Wizard
To launch the Create a private endpoint wizard for a SQL Server for which you want to create a private endpoint,
do the following:

1. Log in to the Microsoft Azure portal.

2. Click More services and select Resource groups on the All services page.

3. On the Resource groups page, select the resource group to which the necessary SQL Server belongs. The
resource group page will open.

4. In the Resource list, locate and click the SQL Server that you want to protect. The SQL server page will
open.

5. Navigate to Security > Networking.

6. Switch to the P rivate access tab and click Create a private endpoint to launch the wizard Create a private
end point wizard.

361 | V eeam Backup for Microsoft A zure | User Guide

Step 2. Configure Private Endpoint Settings
At the Ba sics step of the Create a private endpoint wizard, do the following:

1. From the Sub scription drop-down list, select a Microsoft Azure subscription to which Azure VM hosting
Veeam Backup for Microsoft Azure belongs.

2. From the Resource group drop-down list, select a resource group to which your newly created private
endpoint will belong. You can either use an existing resource group or create a new one. For more
information on creating and managing resource groups, see Microsoft Docs.

3. In the Na me field, enter a name for the private endpoint.

4. From the Reg ion drop-down list, select an Azure region of the virtual network to which workers are
connected.

For more information on the Azure regions, see Microsoft Docs.

5. Click Nex t: Resource >.

362 | V eeam Backup for Microsoft Azure | User Guide

Step 3. Specify Resource Settings
At the Resource step of the Create a private endpoint wizard, do the following:

1. From the Sub scription drop-down list, select a Microsoft Azure subscription to which a SQL Server that
you want to protect belongs.

2. From the Resource type drop-down list, select the Microsoft.Sql/servers type.

3. From the Resource drop-down list, select the SQL Server that you want to protect.

IMP ORTANT

If you plan to back up SQL databases using a staging server, you must select the SQL Server that will be
used as a staging one. To learn how to use staging servers, see Performing Backup.

4. From the Ta rget sub-resource drop-down list, select sqlServer.

5. Click Nex t: Configuration >.

363 | V eeam Backup for Microsoft Azure | User Guide

Step 4. Specify Virtual Network Settings
At the Virtual Network step of the Create a private endpoint wizard, do the following:

1. From the Virtual network drop-down list, select a virtual network to which workers are connected.

2. From the Sub net drop-down list, select a subnet to which workers are connected. For a subnet to be
displayed in the list, it must be created within the selected virtual network as described in Microsoft Docs.

3. Click Nex t: DNS >.

364 | V eeam Backup for Microsoft A zure | User Guide

Step 5. Specify DNS Settings
At the DNS step of the Create a private endpoint wizard, do the following:

1. In the P rivate DNS integration section, create a new DNS zone to override the DNS resolution from a
public to private endpoint:

a. To the right of the Integrate with private DNS zone field, click Y es .

a. From the Sub scription drop-down list, select a subscription to which the DNS zone will belong.

b. From the Resource group drop-down list, select the resource group to which the DNS zone will
belong.

2. Click Nex t: Tags > .

365 | V eeam Backup for Microsoft Azure | User Guide

Step 6. Assign Tags
At the Ta rgets step of the Create a private endpoint wizard, you can assign tags to the newly created private
endpoint and private DNS zone if needed.

366 | V eeam Backup for Microsoft Azure | User Guide

Step 7. Finish Working with Wizard
At the Review + create step of the Create a private endpoint wizard, review configured settings and click Create.

367 | V eeam Backup for Microsoft A zure | User Guide

Configuring Network Settings for SQL
Managed Instance
To allow Veeam Backup for Microsoft Azure to back up a SQL Managed Instance, you must configure the peering
connection between the VNet to which workers are connected and the VNet to which a SQL Managed Instance is
connected. To do that, perform the following steps:

1. Log in to the Microsoft Azure portal.

2. Open the Resource group page.

3. In the Resource list, locate and click a virtual network to which the SQL Managed Instance is connected.
The Virtual network page will open.

4. Navigate to Settings > P eering.

5. Click Ad d to open the Ad d peering page.

6. On the Ad d peering page, specify the following settings:

a. In the This virtual network section, specify a name for the peering link that will be added to the VNet
to which the SQL Managed Instance is connected. Leave the default settings for the other options in
this section.

b. In the Remote virtual network section, specify a name for the peering link that will be added to the
VNet to which workers are connected. Leave the default settings for the other options in this section.

c. From the Sub scription drop-down list, select a Microsoft Azure subscription to which workers belong.

d. From the Virtual networks drop-down list, select the virtual network to which workers are connected.

e. Click Ad d .

368 | V eeam Backup for Microsoft A zure | User Guide