1. Introduction

In 2014, with the release of Veeam® Backup & Replication™ v8, Veeam introduced a new technology — named Veeam Cloud Connect — developed specifically for service providers to create and serve remote backup repositories.

In 2016, Veeam Backup & Replication v9 added replication functionality to Veeam Cloud Connect.

At the end of 2016, Veeam Backup & Replication v9.5 was released.

In 2018, Veeam released Veeam Backup & Replication v9.5 Update 3a, with even more capabilities available to service providers running Cloud Connect.

In January 2019, Veeam Backup & Replication 9.5 Update 4 was released, with additional features for Cloud Connect such as Cloud Tier and support for VMware vCloud Director.

Service providers who are part of the Veeam Cloud & Service Provider (VCSP) program can use Veeam Cloud Connect to offer customers Backup as a Service (BaaS) and Disaster Recovery as a Service (DRaaS). Every Veeam Backup & Replication v8, v9 or v9.5 customer can then consume these services from their service provider of choice to send backups off site or to replicate (v9.x and newer users only) virtual machines (VMs).

With Veeam Cloud Connect, service providers can build their own Veeam-powered services offering, leveraging a technology built from the ground up to be multi-tenant and scalable.

Veeam Cloud Connect removes the main hurdles that such services faced in the past by implementing different design concepts in its architecture.

No VPN tunnels

It is not easy to configure a VPN automatically, and it usually requires interaction between the service provider and the customer. Even when it is properly configured, it requires ongoing monitoring and management to guarantee it is always up and running. Otherwise, customers cannot consume the service offered via VPN.

With Veeam Cloud Connect, every connection happens directly over the internet using a single TCP/UDP port protected by SSL/TLS encryption. This is possible thanks to a new and dedicated Veeam component called a cloud gateway. A cloud gateway is responsible for the transfer of all backup and replication traffic over the single port connection. The connection uses the public internet and guarantees complete confidentiality of the data traversing the connection.

1.1: General overview of Veeam Cloud Connect Backup


The second design principle is complete support for multi-tenancy. Service providers create competitive services by sharing their resources among their customers. This allows for price reduction but cannot happen at the expense of security. Each tenant needs to be completely isolated from everyone else and in total control of his or her slice of the environment, just like in a dedicated environment. This is possible in Veeam Cloud Connect thanks to two different components: a cloud repository and a cloud host. For backups, service providers expose a cloud repository to customers. The cloud repository creates an abstraction layer over an existing backup repository so multiple customers can store backups inside the same shared repository with the same level of confidentiality they have with a dedicated repository.

For replicas, service providers can offer a cloud host. A cloud host is an abstracted view of the virtualized environment — either VMware vSphere or Microsoft Hyper-V — confined by a hardware plan that sets limits on CPU, memory, storage and networking that the customer can consume.

Another component, called a network extension appliance (NEA), stretches the network connections between the customer and the service provider sites and guarantees complete isolation of customer networks at the service provider site. Multi-tenancy is built into Veeam Cloud Connect and doesn’t require additional components.


A service exposed via public internet connection and shared between multiple tenants cannot ignore security. Veeam Cloud Connect offers different levels of security:

  • At source: By leveraging the encryption capability first introduced in Veeam Backup & Replication v8, data is immediately encrypted by Veeam components on the customer side using industry-standard AES 256-bit encryption and encryption keys generated by the customer. Customers can choose encryption, but service providers can make it mandatory in the software.
  • In flight: The connection between a tenant and the cloud gateway(s) is encrypted using SSL certificates (technically, it’s TLS 1.2). This way, no man-in-the-middle attack will happen unnoticed, and even unencrypted data can traverse the public internet securely.
  • At rest: Backup files are stored in an encrypted format at the service provider using customer keys. There is no possibility for the service provider to read the content of a customer’s backups if the customer doesn’t share the passwords with the provider. This guarantees complete confidentiality to customers and removes any liability issue from service providers.

NOTE: Neither Veeam native encryption nor vSphere 6.5 encryption is available for replicated VMs.

Even when encryption is enabled, it doesn’t affect the data reduction ratios of Veeam’s built-in WAN acceleration, as is the case with general-purpose WAN acceleration. In fact, Veeam specifically designed its purpose-built WAN acceleration to work in conjunction with encryption. For more information, see Appendix B.
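Why the order of encryption and data reduction matters for the claim above, as an added example that is not from the original page and is not Veeam's implementation: it contrasts compressing ciphertext (what a general-purpose WAN accelerator sees) with compressing before encrypting. The SHA-256 counter-mode keystream is a toy stand-in for AES-256, and the sample data, key and function names are constructed for illustration.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for AES-256.

    Illustration only: its output is high-entropy like real ciphertext,
    which is all this comparison needs. Do not use it to protect data.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_then_reduce(key: bytes, data: bytes) -> bytes:
    """General-purpose accelerator: only ever sees ciphertext to compress."""
    return zlib.compress(keystream_xor(key, data), 9)


def reduce_then_encrypt(key: bytes, data: bytes) -> bytes:
    """Encryption-aware pipeline: reduce the plaintext, then encrypt it."""
    return keystream_xor(key, zlib.compress(data, 9))


def restore(key: bytes, wire: bytes) -> bytes:
    """Receiving side of reduce_then_encrypt: decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, wire))


def reduction_ratio(original: bytes, wire: bytes) -> float:
    """Original size divided by the bytes that actually cross the WAN."""
    return len(original) / len(wire)


# Constructed sample: repetitive "disk blocks", as backup data often is.
SAMPLE = b"".join(b"disk-block-%04d: " % (i % 16) + b"\x00" * 48
                  for i in range(2000))
KEY = hashlib.sha256(b"constructed customer passphrase").digest()


def compare() -> dict:
    """Reduction ratio achieved by each ordering on the same input."""
    return {
        "encrypt_then_reduce": reduction_ratio(SAMPLE, encrypt_then_reduce(KEY, SAMPLE)),
        "reduce_then_encrypt": reduction_ratio(SAMPLE, reduce_then_encrypt(KEY, SAMPLE)),
    }


if __name__ == "__main__":
    print(compare())
```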


Veeam Backup & Replication has always been renowned for its simple and powerful graphical interface. However, when service providers need to manage their environments at scale, no one can avoid looking into automation. Veeam Cloud Connect can be managed in all its aspects and automated with PowerShell or integrated in an existing customer portal, thanks to a RESTful API.


The two abstracted components Veeam Cloud Connect creates appear in the customer’s local Veeam installation like local resources. This guarantees a consistent user experience and greatly improves ease of use. Customers do not have to learn new tools or processes to consume the resources exposed via Veeam Cloud Connect; they can simply configure backup copy jobs (toward a cloud repository) or replication jobs (toward a cloud host) as before. The ease of use and complete integration make Veeam Cloud Connect an easy-to-onboard and easy-to-consume solution for service providers.

Any customer with a paid license of Veeam Backup & Replication v8 (for off-site backups) or v9.x (for off-site backups and replicas) will have the client component of Veeam Cloud Connect available in the same user interface. Directly inside the Veeam backup console, customers can find a service provider who offers Veeam Cloud Connect and select the desired service provider by country and other parameters. Once the customer subscribes to the service the service provider offers, the customer will receive the parameters needed to activate the Veeam Cloud Connect service.

Veeam Backup & Replication installed at the customer site will connect via the cloud gateway(s) at the service provider; the service provider authenticates the customer, and the subscribed resources are then enumerated and exposed as if they were local.

Once the new resources are added to the console, customers can start using them just like regular local resources: they can make them targets for any backup, backup copy or replica job, directly within the user interface.
