For a customer project I was working on a couple of issues came up with how to do backup of IaaS in Azure. First of was how we were to handle Disaster Recovery both on a Storage level and on Virtual Infrastructure secondly how to handle backup of virtual machines in Azure. Now my first response on the second part has always been Azure Backup. Now in this particular case we had a challenge, the customer had applications which required a low RPO, which was max 4 hours.The second part was providing a low RPO for Linux based workloads as well and also how to ensure that someone with access rights in Azure was not able to delete files from Azure Backup?
So first of let’s discuss Azure Backup. Azure Backup providing different options for doing backup, first of is the native Azure Backup feature which provides IaaS level based backup and runs directly as a service in Azure. The second part is Azure Backup using the Mars agent which runs as a agent on the server which can provide lower RPO which lacks native integration with the Azure Portal to do restore and such. Regardless much of the other features are the same. The backup data is stored within a recovery vault which compresses the data but does not provide deduplication of data. The backup data is stored within a regular Storage Blob which does not support tiering nor reserved capacity.
Azure Backup also provides a solution called soft delete, which ensures that data is always available 14 days after someone deletes it. However someone can disable this feature trough the Portal (https://docs.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud#disabling-soft-delete)
So instead of using these services, what if I used a Veeam agent based backup instead? Essentially setting up a Veeam VBR solution in Azure using Agents which point directly to an Azure Storage Blob?
NOTE: There is a new solution from Veeam coming soon, which provides native backup of Azure VM’s –> https://www.veeam.com/backup-azure.html which will allow this to be even easier since it will be copying backup data directly into a storage blob.
Veeam in its current form as the support for using Azure Storage Blob as a scale-out repository option, essentially you can use it to offload old data to Azure Blob Storage as part of a scale out repository. This means that backup data from agents would first need to hit a regular disk based VBR before being pushed out to a Azure Blob Storage. Secondly to ensure that no one was able to accidently delete the data from this backup solution using the VDC (Virtual Datacenter model) This solution would be added as another spoke using VNET Peering which would be pushing backup data over a VNET Peering.
So for this example we could setup Veeam agents on our virtual machines running in Azure do to backup to a centralized Veeam B&R solution, which could then offload those backup’s to a Azure Storage Blob, where data is hitting a cold based blob storage. I would still need local disk on the Azure IaaS backup repositories to handle the first 7 days of data before it could be offloaded to Cold Storage.
Now looking at this from a price perspective, what would it cost if I where to use regular Azure Backup IaaS for this solution?
1: Azure Backup – 100 VM’s x 120 GB of Data with 5% change rate (Retention is based upon 30 days, 5 weeks, 12 months, 5 years)
The cost would be using the Azure Price Calculator about USD 2 663,87 per month. So what if we were to setup a Veeam solution with local disks to handle the first full week of backup and then moving the backup data to Blob Storage Cold Tier?
This requires a bit more, since it is not a service (Veeam licenses, IaaS to handle backup proxy and repository, Managed disks to handle scale local disk for first week, then cold storage for the remaining data) Then also bandwidth cost as part of the VNET Peering for all the data that would be pushed from the agent to the central repository. Total cost for the Veeam Solution would be about USD 3200,96 per month for the Azure Cost and 715$ for the Veeam Backup Agents cost (based upon https://www.veeam.com/pricing-calculator?ad=vul-pricing-calc-up) another aspect here is that using Storage Accounts outside of Azure Backup also supports reserved capacity, that only applies if you use more then 100 TB of data stored within an storage account.
Now of course this would cost more, but this would provide a lower RPO, provide a backup solution disconnected from the rest of our workloads using VNET Peering in another subscription to ensure that no one with certain access could delete backup data within the current subscription. Of course there are other certain cost aspects with this as well such as operator cost,
Of course this would be a bit tricky to handle at scale since you would need to understand the limitations that IaaS has in Azure, but can certainly be done if you require a low RPO for virtual machines in Azure and is the only solution that Veeam has until they release Veeam for Azure.