Architecture
Two applications will be used to meet the requirements laid out above: Veeam Backup for Office 365 and Veeam Backup and Replication. To provide end-user self-service, Veeam Backup and Replication will be installed using a rental license, which allows the Cloud Connect feature to be enabled. Cloud Connect is the service by which Tenants are authenticated for self-service restore. By combining the Cloud Connect service from Veeam Backup and Replication with Veeam Backup for Office 365, consumers of a VCSP’s offerings can perform self-service restore operations through Veeam Explorers.
Veeam Cloud Connect Documentation:
https://helpcenter.veeam.com/docs/backup/cloud/cloud_overview.html?ver=100
Veeam Backup for Office 365 Documentation:
https://helpcenter.veeam.com/docs/vbo365/guide/vbo_introduction.html?ver=40
Veeam Explorers Overview:
https://helpcenter.veeam.com/docs/backup/explorers/explorers_introduction.html?ver=100
Use of Virtual Machines
It is recommended that all systems deployed are virtual machines for ease of installation and flexibility for scale. It is up to the VCSP to decide on the most appropriate platform and location taking into consideration the following: HA capabilities, storage durability, and operational costs.
Backup and Replication (Cloud Connect)
An independent installation of Backup and Replication is recommended in order to prevent any outside Veeam Cloud Connect Backup or Replication workload from impacting this Backup for Office 365 platform. This applies to both performance-related and non-performance-related troubleshooting scenarios. Once a Cloud Connect (VCSP) license has been installed on this Backup and Replication server, it will be referred to as a Veeam Cloud Connect Server (VCC).
Provisioned by the Cloud Connect server, the Cloud Gateway (CGW in Diagram #1) will provide an ingress point during Tenant self-service restore operations. The Cloud Connect server authenticates Tenant Backup and Replication servers & Explorers (Exchange, SharePoint, OneDrive) when performing restore activities. The connection between Tenant Explorers and Cloud Connect is also used to provide restored data in some restore scenarios.
The Day 1 deployment section provides a walkthrough of installing Veeam Backup and Replication, installing a Cloud Connect license, and configuration of the Cloud Gateway.
Diagram #1 (Cloud Connect)
Backup for Office 365
Veeam Backup for Office 365 will be installed on the Backup and Replication server created above. This combination provides secure multi-tenant self-service restore capabilities.
The “work” configured by the Backup for Office 365 server will be performed by a separate system, a Backup for Office 365 proxy. One or more proxies will act as multi-tenant workers that service multiple jobs and organizations. Separate repositories and object storage repositories will be used to store our tenant data.
For maximum performance, scalability, and separation of system roles, the Backup and Replication/Backup for Office 365 server should *not* be used as a Backup for Office 365 Proxy. There are some scenarios in which a VBO Server might be utilized for the Proxy role, such as Public Cloud deployments, where the financial impact is largely the justification for combining roles. However, because the purpose of this blueprint is to maximize performance, scalability, etc., we will not utilize the VBO Server as a Proxy for backup jobs.
The Day 1 deployment section provides a walkthrough of installing Backup for Office 365. Following the sizing in the Day 1 deployment guide provides both an efficient design and a straightforward path to scale with future demand.
Diagram #2 (VBO Core components)
Modern Authentication
Interacting with Office 365 requires authenticating as a legitimate user or application. Microsoft provides important functionality for Office 365 users who have enabled, or been forced to use, Modern Authentication.
Modern Authentication is defined here: https://docs.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worldwide#what-is-modern-authentication.
“Modern Authentication enables Active Directory Authentication Library (ADAL)-based sign-in for Office client apps across different platforms. This enables sign-in features such as Multi-Factor Authentication (MFA), smart card, and certificate-based authentication.”
Support for certificate-based authentication was included in Backup for Office 365 v4c, and it is the suggested method for configuring Organizations in this blueprint.
Active Directory
Veeam Backup for Office 365 v4c requires Active Directory, and requires that the VBO server and the Proxies/Repositories be in the same or a trusted Domain. Additional Active Directory considerations are detailed here: https://helpcenter.veeam.com/docs/vbo365/guide/vbo_considerations.html?ver=40
Backup Storage
The Veeam Backup for O365 software supports the use of two different storage types. In this blueprint we recommend using both Block and Object Storage.
Storage Type | Use case | Reasoning |
---|---|---|
Block | O365 Local Cache / Metadata | Local cache increases search speed and reduces API calls from Object (reducing data egress charges if applicable) |
Object Storage | O365 Tenant protected data | Unlimited storage/expansion. Bucket per Tenant |
Block Storage
When combined with Object Storage, Veeam Backup for Microsoft Office 365 uses a cache on Block Storage from which it retrieves the structure of the backed-up objects of your organizations. This cache is stored and maintained in JetBlue DB format on Block Storage attached to the VBO Proxies. Granular detail for the Object Storage Cache can be found here: https://helpcenter.veeam.com/docs/vbo365/guide/understanding_cache.html?ver=40.
An Object Storage platform is used in this blueprint to hold backed-up O365 data.
Object Storage
Object Storage is a foundational concept for this blueprint. For a production installation, we recommend using a platform with software/hardware support. There are many vendors with Object Storage platforms suitable for use. The Veeam Ready program provides verified compatibility with Object Storage providers. See the Veeam Ready Object section here: https://www.veeam.com/ready.html. Object Storage, when used by Veeam Backup for Office 365, provides the following benefits utilized in this blueprint:
- Encryption at rest for Backup for Office 365 Backup files
- Data reduction of 40 - 55% (depending on Exchange, SharePoint, OneDrive ratio)
- Allows for maximum scalability. Jet DBs, on Block Storage, are used for system configuration and cache repositories when combined with Object Storage.
- Purpose-built Veeam backup format
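The placement rules this blueprint sets out (the VBO server is not used as a Proxy, Proxies sit in the same or a trusted Domain, one bucket per Tenant, Organizations use certificate-based Modern Authentication) can be checked against a deployment inventory before onboarding. The following is an added example, not Veeam code or part of the original blueprint; the inventory layout, field names, host names and rule labels are all hypothetical and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample inventory; every field name and value here is hypothetical.
INVENTORY = {
    "vbo_server": {"host": "vbo01", "domain": "sp.example"},
    "trusted_domains": {"sp.example", "infra.example"},
    "proxies": [
        {"host": "vboproxy01", "domain": "sp.example"},
        {"host": "vbo01", "domain": "sp.example"},        # server doubling as proxy
        {"host": "vboproxy02", "domain": "lab.example"},  # domain without a trust
    ],
    "tenants": [
        {"name": "tenant-a", "bucket": "vbo-tenant-a", "auth": "modern-certificate"},
        {"name": "tenant-b", "bucket": "vbo-tenant-a", "auth": "modern-certificate"},
        {"name": "tenant-c", "bucket": "vbo-tenant-c", "auth": "basic"},
    ],
}


def check_blueprint(inv):
    """Return a sorted list of (rule, subject) findings for one deployment."""
    findings = []
    server = inv["vbo_server"]
    allowed = {d.lower() for d in inv["trusted_domains"]} | {server["domain"].lower()}

    for proxy in inv["proxies"]:
        # Role separation: the VBO server should not also act as a Proxy.
        if proxy["host"].lower() == server["host"].lower():
            findings.append(("server-is-proxy", proxy["host"]))
        # Active Directory: Proxies must be in the same or a trusted Domain.
        if proxy["domain"].lower() not in allowed:
            findings.append(("untrusted-domain", proxy["host"]))

    # Bucket per Tenant: no bucket may hold more than one Tenant's data.
    by_bucket = defaultdict(list)
    for tenant in inv["tenants"]:
        by_bucket[tenant["bucket"].lower()].append(tenant["name"])
        # Organizations are expected to use certificate-based Modern Authentication.
        if tenant["auth"] != "modern-certificate":
            findings.append(("non-certificate-auth", tenant["name"]))
    for bucket, names in by_bucket.items():
        if len(names) > 1:
            findings.append(("shared-bucket", f"{bucket}: {', '.join(sorted(names))}"))

    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in check_blueprint(INVENTORY):
        print(f"{rule:22} {subject}")
```

An empty result means the inventory satisfies all four rules; a shared bucket is the finding to treat as blocking, since it breaks the per-Tenant separation of protected data.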