Instant Recovery to Azure: Building a Real Cleanroom
- Brad Linch
- May 28
The same three problems come up in almost every cloud conversation I have: meeting RTOs in a cyber event when cloud is the DR location, a need to reduce cloud spend, and identifying a clean restore confidently. This might come as a surprise but Veeam has the answer to all three with the underlying technology that instant restore to Azure provides, yet it is one of the most underutilized capabilities in the Veeam platform.
Instant Recovery to Azure is very similar to instant restore to VMware for folks that are familiar. During recovery the VM is live and accessible in Azure before the full data migration to native Azure Managed Disks completes. What makes this unique is that it works for more than just native Azure VMs. Backup files from multiple workloads support instant restore to Azure including:
- Hypervisors: VMware, AHV, Hyper-V, Proxmox, and HPE Morpheus
- Public Cloud: EC2, Azure, and GCP
- Physical Servers: Windows and Linux

A key architectural improvement an everyday Veeam user might notice is the Helper Appliance Templates stored in the Azure Compute Gallery. Previously, every restore required spinning up a helper appliance from scratch. Now, OS-specific templates, both Windows and Linux, are pre-published in the Compute Gallery for your target region. The result is a meaningful reduction in time-to-first-boot.
What this solves
This is great and all Brad but what business problem(s) are we actually solving here? Executives aren't buying 'instant restore.' They're buying confidence. Confidence that the business keeps running, that the breach doesn't make headlines, that the CFO doesn't have to explain a seven-figure cloud bill that grew because nobody right-sized the DR strategy. Let's walk through each of the 3 use-cases.
Cyber and Disaster Recovery to Azure: Veeam Vault as a Cleanroom
Ransomware recovery is not about 'do we have a backup?' The questions are: Is the restore point clean? Can we validate before restoring to production? Can we stand up a Minimum Viable Business (MVB) fast enough? Do we know the workloads that bring back our MVB?
Veeam Vault is not only an immutable, offsite, logically air-gapped, encrypted copy of your data; it is also the environment where you identify a clean restore point. It's important to note that tight alignment with your security team is non-negotiable here. They own the forensic timeline and the blast radius analysis. Without that, you are guessing at a clean restore point, and that guess has consequences. Veeam does have the Cyber Resilience capabilities below to assist the security team:
- Veeam's Breach Impact Analysis builds a graph of data accessed and regulations violated per region
- Recon for Forensic Triage in Incident Response maps common indicators of compromise to the MITRE ATT&CK framework
- Veeam Threat Hunter and YARA rules scan backups in Vault to validate that they are free of malware indicators

The isolation is architectural, not procedural. The restored VMs boot into a VNet with no routes to production. That's the full cleanroom chain: Vault for immutable storage and clean-point identification, isolated Azure VNet for live forensic validation, and instant restore as the mechanism that makes it fast enough to actually meet business RTOs under a real cyber event.
Protecting native Azure VMs
If your workloads already live natively in Azure, you may assume you're covered by Azure Backup. You are partially right, and that partial coverage is exactly where the risk and costs hide. Native Azure backups only restore the full VM, which requires organizations to store snapshots for a longer retention period to achieve better RTOs. It is also worth mentioning that native Azure Backup has no dedupe or compression and therefore requires 2-3x more storage than Veeam. This workaround is costly to the business. You can calculate the cost for yourself here with Microsoft's backup calculator, as finding all the different variables in billing is difficult.
With Veeam, those image-level backups target Vault for immutable, WORM-protected, logically air-gapped copies. Even if every snapshot in Azure is deleted, the Vault copy is intact. And critically, you can instant-restore those native Azure VMs back to Azure as native VMs in minutes, with Threat Hunter scanning the backup before it boots.
Reducing cloud and day 2 spend
The total cost of protection is something most vendors hope you do not calculate. In particular, the cost to recover. Compute costs during backup and recovery add up fast, and they don't show up on a data protection vendor quote. They show up on the cloud bill.
Architecturally, several vendors have to run their storage on a compute layer. This is far more expensive than storing data on Blob or Vault type media. In addition, vendors that can't restore natively to Azure VMs force customers into one of two expensive paths: restore through an appliance (adding significant compute cost on top of storage), or restore into Azure VMware Solution (AVS) or Nutanix Cloud Clusters (NC2), which are dedicated bare-metal infrastructure that carries a premium price tag and operational overhead to match. Neither path recovers you to a native Azure VM efficiently.
Veeam restores directly from Vault, which uses Azure Blob storage, with minimal compute. The workload boots from the backup data and migrates to native Azure managed disks in the background. No intermediary appliance running up a compute bill.
Good-to-knows when doing this at home
- Deploy Helper Appliance Templates before you need them. If your first instant restore attempt is during a live incident and you have not pre-deployed the Compute Gallery templates for that region, you are adding significant time to your RTO while under maximum pressure. This is a quarterly drill item.
- The isolated recovery VNet is not optional for cyber recovery. I have seen organizations boot a potentially compromised VM into a production Azure VNet to verify it works first. The result is always the same: it made things worse. Build the isolated network. It takes 15 minutes to create. Use it every time.
- Azure API throttling kills mass restores. Use existing resource groups, NSGs, and storage accounts.
- Restore point selection is a security decision, not a backup decision. Your security team drives the pre-compromise window using Recon Scanner and forensic analysis. The data protection team executes. These are two different conversations, and they should happen before the incident, not during it.
- Test quarterly, not annually. Azure changes. Your workloads change. Execute the full recovery test quarterly. Recovery muscle is built through repetition, not documentation.
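The cleanroom section says the recovery VNet has no routes to production, and the good-to-knows insist on building it before an incident. As an added example (not Veeam or Microsoft code), the sketch below audits a recovery VNet description for paths back to production: peerings, gateways, user-defined routes and the first-match outcome of outbound NSG rules. The dictionary schema, names and address ranges are hypothetical and constructed for illustration; the "None" next hop and lowest-priority-number-first evaluation follow Azure's documented behaviour.

```python
import ipaddress

# Constructed sample data: hypothetical names, address ranges and a simplified
# schema, not the exact JSON that Azure tooling returns. IPv4 only.
PRODUCTION = ["10.0.0.0/16", "10.20.0.0/16"]
CLEANROOM = {"peerings": [], "gateways": [], "subnets": [{
    "name": "forensics", "routes": [{"prefix": "10.0.0.0/8", "next_hop": "None"}],
    "nsg_rules": [{"priority": 100, "direction": "Outbound", "access": "Deny", "destination": "*"}]}]}
LEAKY = {"peerings": ["to-prod-hub"], "gateways": [], "subnets": [{
    "name": "restore", "routes": [{"prefix": "10.20.0.0/16", "next_hop": "VirtualAppliance"}],
    "nsg_rules": [
        {"priority": 100, "direction": "Outbound", "access": "Allow", "destination": "10.0.5.0/24"},
        {"priority": 200, "direction": "Outbound", "access": "Deny", "destination": "*"}]}]}

def first_outbound_verdict(rules, prod):
    """Access of the first outbound rule (lowest priority number wins) that decides traffic to prod."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Outbound":
            continue
        dest, access = rule["destination"], rule["access"]
        if dest == "*":
            return access
        try:
            dest_net = ipaddress.ip_network(dest)
        except ValueError:              # service tag: assume an Allow could reach production
            if access == "Allow":
                return access
            continue
        # A Deny only counts if it covers the whole range; an Allow counts on any overlap.
        if (access == "Deny" and prod.subnet_of(dest_net)) or (access == "Allow" and prod.overlaps(dest_net)):
            return access
    return None                         # nothing explicit: the platform default rules decide

def audit_cleanroom(vnet, production_ranges):
    """Return a list of findings; an empty list means no path to production was found."""
    prod_nets = [ipaddress.ip_network(p) for p in production_ranges]
    findings = [f"peering present: {p}" for p in vnet["peerings"]]
    findings += [f"gateway present: {g}" for g in vnet["gateways"]]
    for subnet in vnet["subnets"]:
        for route in subnet["routes"]:
            net = ipaddress.ip_network(route["prefix"])
            if route["next_hop"] != "None" and any(net.overlaps(p) for p in prod_nets):
                findings.append(f"{subnet['name']}: route {route['prefix']} forwards toward production")
        for prod in prod_nets:
            verdict = first_outbound_verdict(subnet["nsg_rules"], prod)
            if verdict != "Deny":
                findings.append(f"{subnet['name']}: outbound to {prod} is {verdict or 'left to default rules'}")
    return findings

if __name__ == "__main__":
    for name, vnet in (("cleanroom", CLEANROOM), ("leaky", LEAKY)):
        print(name, audit_cleanroom(vnet, PRODUCTION) or "isolated")
```

Running a check like this as part of the quarterly drill catches a peering or allow rule that crept into the recovery network between tests.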
Conclusion
The organizations that recover fastest, whether from natural disasters or cyber events, treat recovery as a first-class engineering discipline, not an afterthought. Veeam's instant recovery to Azure, combined with Vault as a cleanroom, provides a recovery chain that is faster, cheaper, and more secure than anything built on native snapshots or competitor appliance models. Define your Minimum Viable Business. Know which workloads land in Azure first. Then practice until the answer to 'can we recover?' is 'we already have.'
