KB ID: 4190
Product: Veeam Backup for Microsoft Azure
Challenge
- To back up a database, workers must be able to connect to the source SQL server.
  For a consistent backup (using a staging server), the workers must connect to the staging server. Connection to the source server is not required because Microsoft Azure performs the copy from the source to the staging server.
- To restore a database, workers must be able to connect to the target SQL server.
Cause
An error is reported when workers cannot reach SQL Servers. There can be different causes of such errors, for example:
- Incorrect credentials used to log in to the server
- Workers cannot reach the server due to networking issues
Solution
Incorrect credentials used to log in to the server
Because the backup process is based on BACPAC export, workers must connect with a SQL account to access the database. Any SQL account can be used.
- For backup operations, the selected account must have access to all protected databases.
- For restore operations, the account must have full access to the newly created (restored) databases.
Workers cannot reach the server due to networking issues
The virtual network where all Veeam Backup for Azure workers are running must be enabled in the SQL server firewall.
For SQL Managed Instances, enable the public endpoint in the instance networking options and then configure the security group of the network to which the SQL Managed Instance is connected.
If there are any other firewalls between Veeam Backup for Azure and the SQL Servers or SQL Managed Instances, they must be configured as well.
- Connections to SQL Servers use port 1433.
- Connections to SQL Managed Instances use port 3342.
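To tell the two causes apart, the following added example (not Veeam code) probes the ports listed above and classifies the result. It assumes it is run from a VM in the same virtual network as the workers, and the host names are placeholders.

```python
import socket

# Ports stated in the article above.
PORTS = {"sql-server": 1433, "managed-instance": 3342}

def probe(host, port, timeout=5.0):
    """Try a TCP connection and classify the result as (status, hint)."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns-failure", f"cannot resolve {host}: {exc}"
    result = ("unreachable", "no address could be tried")
    for family, socktype, proto, _, sockaddr in addrs:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(sockaddr)
                return "open", "TCP path works; if the job still fails, check the SQL account"
            except socket.timeout:
                result = ("filtered", "no reply; a firewall or security group is probably dropping the traffic")
            except ConnectionRefusedError:
                result = ("refused", "host answers but nothing listens on this port")
            except OSError as exc:
                result = ("unreachable", f"network error: {exc}")
    return result

def check_targets(targets, timeout=5.0):
    """targets: list of (kind, host) where kind is a key of PORTS."""
    return [(kind, host, PORTS[kind]) + probe(host, PORTS[kind], timeout)
            for kind, host in targets]

if __name__ == "__main__":
    # Placeholder host names (assumptions); replace with your own servers.
    targets = [
        ("sql-server", "example-server.database.windows.net"),
        ("managed-instance", "example-mi.public.example-zone.database.windows.net"),
    ]
    for kind, host, port, status, hint in check_targets(targets):
        print(f"{kind:17} {host}:{port} -> {status}: {hint}")
```

A status of "open" rules out the networking cause and points to the credentials section; "filtered" points to the SQL server firewall, the security group, or an intermediate firewall.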
More information
- Playbook for addressing common security requirements with Azure SQL Database and Azure SQL Managed Instance
- Security Overview - Azure SQL Database & Azure SQL Managed Instance
- Configure public endpoint - Azure SQL Managed Instance
- Secure a database - Azure SQL Database
- Create a server-level firewall rule - Azure SQL Database
- Verify port security in the built-in firewall - Azure SQL Managed Instance
- IP firewall rules - Azure SQL Database and Azure Synapse Analytics