9.5 Advanced Registry settings
Veeam® Cloud Connect has many features and options that are available in the Graphical Interface. Service providers can configure and tune the software via the interface, or by using PowerShell or restful API as needed.
But, for even more special configurations, additional registry keys are available in the software.
WARNING: Default parameters are configured in the software because those are considered the best value for any given option, according to Veeam’s tests and field experience. Please change these values carefully, and always take your time to evaluate the effect any single change may have. If not sure, please involve Veeam Support to assist you.
Also note, unless stated differently, all registry keys need to be created in:
HKLM\SOFTWARE\Veeam\Veeam Backup and Replication
Finally, the Veeam Cloud Connect Service frequently rescans the registry, so it is not usually necessary to restart it to apply registry changes.
CloudIgnoreInaccessibleKey:DWORD = 1
When assigning a certificate to Cloud Connect Service, it tries to get the private key of the certificate, in order to check if it's accessible. If not, an error will show up in the GUI preventing the wizard from proceeding. This is a proactive way to handle situations when the certificate is imported — for example — under a wrong user account or due to another reason leading Cloud Service to be unable to access the private key. Without this verification, the provider will pass all the wizard steps, but all the tenants’ jobs will fail. For newer cryptographic providers — such as Microsoft Software Key Storage Provider or Let's Encrypt — there might be a situation when the said pre-check fails permanently, but after that, all the actual usage of the certificate via API goes well. So, we still don’t want to disable the check for all providers permanently, but those having “modern” certificates do need to set this registry key as a workaround.
CloudConnectEnhancedSecurityMode:DWORD = 1
This key has to be set on the tenant’s side. When enabled, a strict match of cloud gateway FQDN against the Cloud Service certificate is required for every cloud connection in order for jobs not to fail. Otherwise, (default value is 0) the certificate is checked against the provider’s FQDN upon initial connection only, and any mismatched names of the certificate and the Gateway Name/IP are ignored. This setting is needed for those providers who have a certificate issued by trusted CA, but have specified gateway IP instead of FQDN in the Gateway wizard. In this case, the tenant’s Veeam Backup & Replication cannot validate a certificate against a gateway name, as it only knows the gateway IP to connect to (not FQDN).
CloudReplicaNoStaticIpSDetectedWarning:DWORD = 1
It removes the warning when a Linux VM is replicated, stating that the IP address is not identified: "Static IP address not found".
CloudConnectionTimeoutSeconds:DWORD = 15
It only works on V220.127.116.111+, do not apply on any older version. Key to extend SSL Connection attempt, if connection attempt times out after 15 seconds. This is a Tenant Side key.
DisableVpnServerFirewall:DWORD = 0
Set value to 1 to disable Firewall on Service Provider NEA. By default, only IP addresses fetched from CloudGateway servers are allowed to connect to the NEA during a partial failover.
Specifies the local time (in HH:MM 24h format) when the daily Cloud Connect e-mail report is to be sent.
Disables sending the daily Cloud Connect e-mail report if all tenants’ jobs have a result of “success.” The report will be sent only if at least one error or warning is present.
Anti DDoS prevention
The cloud gateways have dedicated configurations to prevent DDoS (Distributed Denial of Service) attacks.
PeerCloudConnectionsLimit:DWORD = 64
Allowance for number of tenant connections to a gateway. The key goes on gateway servers only. The default value was 16 (v8), then increased to 64 (v9).
MaxSimultaneousCloudConnections:DWORD = 1024
Sets the number of concurrent streams to a gateway (regardless of tenant count). The key goes on the gateway servers only. The default value was 256 (v8), then increased to 1024 (v9).
These keys should be specified on a cloud gateway in:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Veeam\Veeam Gate Service
EncryptedTenantBackupsOnly:DWORD = 1
This key forced every incoming tenant to send only encrypted backups to Veeam Cloud Connect backup. Note: This option is enforced for every tenant; it's not possible to set this option per single tenant.
NOTE: please always refer to the dedicated thread in the private VCSP forums for updated versions of this section.
For service providers running over 300 concurrent tasks, we recommend to apply the settings listed in the forum post https://forums.veeam.com/veeam-cloud-service-providers-forum-f34/9-5-update-2-scalability-tweaks-t42630.html (the page is reachable only by registered Veeam service providers).