User Profile
Shabazdarr
Copper Contributor
Joined 6 years ago
User Widgets
Recent Discussions
Veeam Cloud Connect in Azure
This post is aimed at helping anyone looking at utilizing Veeam Cloud Connect from the Azure Market Place. This service is more applicable if you are a Managed Service Provider (MSP) as it allows you to host your customers backups on a multi-tenanted platform, offsite into the public cloud. Most IT professionals will have heard of Veeam and its range of products as they are one of leading vendors when it comes to data backup and replication. The above diagram shows an overview of how the Veeam Cloud Connect service looks. As you can see you have multiple customers backing data over an SSL connection to cloud repositories in Azure. To be in a position to use this service, the end user/customer needs to meet the following prerequisites: A Veeam Backup & Replication server is deployed and functioning in their on-premises infrastructure The infrastructure is running on Microsoft Hyper-V or VMware (Veeam Agent for Windows is also supported for physical Windows servers) The Veeam Backup & Replication Server has an Internet Connection or a Managed Service Provider to be able to offer this service they must meet the following prerequisites: A current Azure tenant subscription Is a Veeam Cloud Service Provider and has signed a rental agreement Before going into the steps required to configure this service lets go through some of the key roles and concepts: Roles and Concepts:The communication in Azure is between two parties, the Service Provider and the tenant. The Service Provider is the organization that provides the cloud infrastructure (mainly the repository) to the tenants, and the tenant is the customers who send data off site and stores their backups in the cloud infrastructure. In Azure, the Service Provider needs to perform the following tasks: Configure the Veeam Cloud Connect Infrastructure Create the relevant backup repositories Setup SSL certificates to allow for data encryption in transit Create Cloud Gateways Create and document the tenant user accounts The customer (or in this case ‘tenants’) need to perform the following tasks: Connect to the Azure hosted Veeam Cloud Connect platform from their on-premises Infrastructure. Configure backup jobs targeted at the Veeam Cloud Connect repository To get started with the Veeam Cloud Connect service in Azure you need to provision the virtual machine first via the ‘Azure Marketplace’. Now you have two options and it all depends on your requirement. If you are an Enterprise level company wanting to extend your backups offsite into Azure then ‘VCC for the Enterprise’ is the correct choice. For Managed Service Providers (MSP) who wish to run a multi tenanted solution in which they can send multiple customers backups into Azure then ‘VCC for Service Providers’ is what they require and that is what I went for. One thing to note is the current version in the bottom left. As of the time of me writing this post. You will need to make sure you are good with your patching and your on premises Veeam services are at the latest version otherwise you will need to update the version in Azure once the virtual machine is provisioned. When you click on ‘Create’ it then takes you to create a virtual machines where you can select the relevant configuration including: Virtual Machine name Azure Region Resource Group Size Administrator username and Password Once this process is completed you need to ensure the version of Veeam Backup & Replication installed on premises matches the version installed in Azure, and as I mentioned the version currently available within Azure is 9.5 update 3 which is not the latest version. After upgrading Veeam, we are ready to start configuring the Veeam Cloud Connect Service Provider platform. When you initially login to the Azure virtual instance the Veeam Cloud Connect Wizard will automatically start. To proceed any further you will need your Service Provider license which you should be sent once you have registered with Veeam for the Service Provider rental agreement. The rest of the wizard then takes you through the steps you need to follow in the Veeam Backup & Replication software both on-premises and Azure. The steps include the following: Configure Cloud Gateway in Azure:Customers, or ‘tenants’ do not communicate with the repositories in Azure like they do when dealing with an on premises Veeam server. Instead the Cloud Gateway is used to mask the repositories so they make a connection (by default over port 6180) to the service provider cloud gateway. You will need to ensure you configure a DNS name on the Azure virtual machine before you can do this. Configure Cloud Repository on the Azure Virtual Machine:This needs to be a location on an attached disk where you will store all your tenants backups. You may need to create some storage within the Azure platform and attach it to the virtual machine before you can do this. Configure Tenants in Azure:You will need to configure a tenant username, password and repository within your main backup location for each customer. Most important part of this is ensuring you document credentials for each tenant as these are needed when configuring the backup job on premises. Add the Service Provider on-premises:In Veeam Backup & Replication you need the customer to add you as a service provider. You will need to give them your Cloud Gateway FQDN and the port (6180) and they will need to ensure that this port is allowed outbound to ensure Veeam can communicate with Cloud Connect platform in Azure. At this point the majority of the configuration is completed, however we are still not ready to send data into the Azure platform. Before we can do this we need to ensure the transfer of data is secure, which is done by installing and configuring an SSL certificate which will allow you to encrypt data in transit so customers data is secure whilst being backed up. The final part is to setup the backup jobs so the customer can start backing up data to the Veeam Cloud Connect service hosted in Azure. With the backup configuration you have the exact same features you would with an on premises backup job, including the notification features as well as scheduling. The main benefit of the Azure offering of the Veeam Cloud Connect service is that not all Managed Service Providers have the luxury of being able to host a private data center where they can house the amount of Infrastructure required for a good size Veeam Cloud Connect Service. The Azure offering takes care of that issue and more, as with most private cloud services you get the added redundancy, durability and availability of the Microsoft Azure Data Center. Also Azure have added disk sizes that makes it a much more scalable cloud provider offering. Please feel to drop me a reply if you have any questionsAzure Identity Management
I have done a lot of work with customers over the last 6 months around starting there journey into cloud and I feel one of the foundations of that is Identity Management. The following is some information i hope proves useful to anyone wanting to understand the difference between the various aspects of Identity Management in Azure and in what type of Scenario to use them In my experience there are three main services with Azure Identity Management: Azure Active Directory (Azure AD) Hybrid AD Azure Active Directory Domain Services (Azure AD DS) I will discuss how each works, in what scenarios you can make best use of them and finally some pros and cons for each one. Azure Active Directory Azure Active Directory is Microsoft’s cloud-based identity management service which integrates with Exchange Online, SharePoint Online and Microsoft Teams to name a few of the services. Like most Azure Cloud services, Azure Active Directory (or Azure AD for short) has different levels of features, all dependent on the subscription you assign the user. The four main levels are: Azure Active Directory free Azure Active Directory Premium P1 Azure Active Directory Premium P2 Pay as you go feature licenses Azure Active Directory freeprovides user and group management, self-service password change for cloud users and SSO capabilities in Azure, Office 365 and certain 3rd party SaaS apps. You can also have integration with on-premises Active Directory but this will be discussed further in the Hybrid section Azure Active Directory Premium P1has all the same features and capabilities as the free version but has more support with hybrid users, advanced administration including dynamic groups and cloud password write back capabilities. Azure Active Directory Premium P2has all the same features and capabilities as Premium P1 but also, P2 offers Active Directory Identity Protection to help provide risk based conditional access to your applications and critical company data. Pay as you go feature license:These are additional feature licenses, such as Active Directory Business-to-Customer (B2C). B2C can help provide identity and access management solutions for your customer-facing applications Azure AD can be used in a few different scenarios, for example: If your Infrastructure is fully Microsoft 365 and you are using Azure AD to manage user accounts and groups, Exchange Online for email, SharePoint online for Document management, Teams for collaboration and telephony and Intune to manage Windows 10 device and security. Another scenario you can use Azure AD is in a Hybrid environment, where you need to Synchronize Active Directory on-premises users and groups with Microsoft 365. This will be discussed further in the Hybrid Section Pros of Azure ADinclude: Centralized administration of users through different locations Comprehensive Organizational Unit management via a single interface Microsoft Integrated Security Cons of Azure ADinclude: No integration with on premises applications unless they support SAML or requires further configuration and resources (Hybrid) Has a massive reliance on Microsoft 365 so any outage can cause a lot of issues Azure Hybrid Identity Azure Hybrid identity requires both Azure AD and Active Directory on-premises. To achieve Hybrid Identity with Azure AD, one of three authentication methods can be used: Password hash Synchronization (PHS) Pass-through authentication (PTA) Federated (AD FS) These authentication methods also provide single-sign on (SSO) capabilities which allows to automatically sign in to apps on corporate devices which are connected to your corporate network. Password Hash Synchronizationcan be configured (as with all three methods) using Azure AD connect utility. Azure AD connect synchronizes a hash, of the hash, of a users password from an on-premises Active Directory instance to a cloud-based Azure AD instance. Active Directory on premises stores password in the form of a hash value representation, of the actual user password. To Synchronize your password, Azure AD connect sync extracts your password hash from the on-premises Active Directory instance. Extra security processing is applied to the password hash before it is synchronized to the Azure Active Directory authentication service. Passwords are synchronized on a per-user basis and in chronological order. Pass-through authenticationallows users to sign in to both on-premises and cloud-based applications using the same password. This feature is an alternative to Password Hash Synchronization , which provide the same benefit of cloud authentication. You can combine pass-through authentication with Single-sign on features so when users are accessing applications on their corporate machines inside the network they do not need to type in their passwords. Federated (AD FS)is a collection of domains that have established a trust. The level of trust may vary however, but typically includes authentication and almost always includes authorization. You can federate your on-premises environment with azure AD and use this federation for authentication and authorization. This sign-in method ensures that all users authentication occurs on-premises. This method allows administrators to implement more rigorous levels of access control. There is much more to Federation but that is for another discussion. These three different methods of Hybrid authentication all have various scenarios which they support. Password Hash Synchronization is ideal for if you have an on-premises Infrastructure but have recently started your journey into Microsoft 365 with a few services like Exchange Online and SharePoint Online. Password Hash Synchronization will allow users to have a single password and also have single-sign on when on the corporate network. Pass-through authentication is ideal for businesses wanting to enforce their on-premises Active Directory security and password policies into the Cloud identity. Active Directory Federation can provide additional advanced authentication required for smart-card based authentication or third-party MFA. Password Hash Pros: Cloud scale/resilience since this all native Azure AD with no other reliance during authentication Provides breach replay protection and reports of leaked credentials since the stored hash can be used t compare against credentials found on the dark web Password Hash Cons: If the Active Directory Account has been locked, restricted hours set or password expired it will not impact the ability to logon via azure AD Pass-through authentication (PTA) Pros: This is lighter than using federation and establishes an inbound 443 connection to Azure AD not requirement any inbound port exceptions Any Active Directory account restrictions like hours, account lockout, password expired would be enforced Pass-through authentication (PTA) Cons: Legacy authentication (Pre 2013 Office clients) may not work with PTA Federation Pros: Supports 3rd party MFA and custom policies/claims rules Certification based authentication Federation Cons: Large amount of Infrastructure required Firewall exceptions needed with the ADFS Proxy Can limit scale/availability Azure Active Directory Domain Services Azure Active Directory Domain Services (Azure AD DS for short) provides managed domain services such as: Domain Join Group Policy Lightweight directory access Protocol (LDAP) Kerboros/NTLM authentication You use these domain services without the need to headaches of having to manage, deploy and patch a domain controller in the cloud. Azure AD DS integrates with your existing AD tenant which makes it possible for users to sign in using their existing credentials. You can also use existing groups, and users accounts to secure access to resources which provides a smoother ‘lift-and-shift’ of on-premises resources to Azure. Azure AD DS replicates identity information from Azure AD, so works with Azure AD tenants that are cloud-only, or synchronized with an on-premises Active Directory Domain Services (AD DS) environment. The same set of Azure AD DS features exist for both environments. Azure AD DS offers alternatives to the need to create a VPN connection back to an on-premises AD DS environment or run and manage VMs in Azure to provide identity services. The following feature of Azure AD DS simplify deployment and management operations: Simplified Deployment experience:Azure AD DS is enabled for your Azure AD tenant using a single wizard Integrated with Azure AD:User accounts, group membership and credentials are automatically available from your Azure AD tenant. NTLM and Kerboros Authentication:With support for NTLM and Kerboros authentication, you can deploy applications that rely on Windows-integrated authentication Much like Azure AD, Azure AD DS can be used in a Hybrid environment to include integration with on-premises applications I hope you find this useful, please ask any questions!
