Azure Backup Options: afi.ai, Cohesity, Rubrik, Veeam

All of the four vendors in this comparison can run the management service as vendor-hosted SaaS, with afi.ai and Rubrik offering only this deployment option.

Veeam offers two deployment options: VBAz, where the customer runs the orchestrator as a Linux Azure VM in their Azure subscription, and Veeam Data Cloud (VDC), where Veeam itself runs the orchestrator stack in their Azure tenant. VDC was originally developed by a cloud provider (CT4) as a frontend layered on top of Veeam's backup software. Veeam acquired CT4 in 2023 and later rebranded the service to VDC.

In addition to the vendor-hosted option, Cohesity also offers a self-managed Cloud Edition (CE) deployment, in which the full software stack (management UI, data movers, and backup repository) runs in the customer Azure subscription. CE is based on the on-prem DataProtect codebase, repackaged to run on cloud Azure VMs in 2017.

All the products authenticate via an Entra ID application (service principal) with a custom role at subscription or management-group scope. However, the products take very different paths on whether they place an orchestrator, data movers, and other artefifacts inside the customer's Azure subscription. The persistent footprint ranges from zero (afi.ai) through small-and-variable (Rubrik) to always-on (Veeam and Cohesity).

afi.ai deploys nothing into the customer's Azure subscription for VM, Azure SQL, or Azure Database for PostgreSQL workloads. Data movement is driven from afi.ai's service over Azure REST APIs using the service principal. For AKS workloads only, afi.ai installs an in-cluster Kubernetes data-mover agent that calls the Azure managed-disk snapshot API directly.

Cohesity DPaaS deploys persistent Linux storage-proxy VMs (Standard_D8s_v3 closed appliance images) into a customer-specified VNet, subnet, and resource group, in every Azure region under protection. Sizing guidance is one proxy per 160 VMs or 16 TB of source data. The proxies run continuously regardless of job state.

Cohesity Cloud Edition is an alternative deployment model where the customer runs a cluster of Linux Azure VMs (minimum three VMs, each with 16vCPU) running Cohesity's software. The VM cluster acts as orchestrator, data mover, and backup store/cache in one. Backups are stored on its locally attached managed disks. Storage capacity scales by adding nodes (current version 7.2.2 is rated at up to 200 TB usable per node). Backups can be written to a customer-owned Azure Blob storage account, with metadata, indexes and a hot cache on managed disks attached to the cluster VMs.

Rubrik RSC has no orchestrator in Azure. Data movers run as pods on an Azure Kubernetes Service (AKS) cluster that Rubrik provisions inside the customer Azure subscription. The cluster is configured as an AKS private cluster (API server bound to a customer VNet, no public endpoint). The customer can configure a hard ceiling for node count (buckets of 32, 64, 128, or 256 nodes) and the AKS cluster autoscaler grows the nodepool between 1 and that ceiling on demand.

Veeam VBAz continuously runs the orchestrator VM inside customer Azure subscription. A single VM can protect multiple Azure subscriptions across multiple Entra tenants by attaching additional service accounts (Veeam recommends 1 appliance per Azure region for cross-region scenarios). At job start the orchestrator launches one ephemeral Linux data-mover VM per protected resource and destroys it on completion. The data mover count scales with concurrent job count.

Veeam VDC moves the orchestrator out of the customer Azure subscription, as Veeam runs it in its own Azure tenant. Ephemeral Linux data-mover VMs are still launched into the customer subscription, identical to VBAz.

afi.ai and Cohesity DPaaS store the master backup copy outside Azure, in vendor-managed object storage. Cohesity Cloud Edition, Rubrik, and Veeam keep the master backup copy inside the customer's Azure tenancy. All the products use TLS in transit and support customer-managed encryption keys.

The four solutions use two different Azure primitives to perform backups. Veeam, Rubrik, and Cohesity create per-disk incremental managed-disk snapshots; Afi creates VM Restore Points (a newer Azure primitive that captures all of a VM's disks atomically and integrates with VSS for application consistency without the vendor needing an in-guest agent).

In both cases Azure stores only the delta versus the previous restore point/snapshot of the same disk. Each vendor then either calls BeginGrantAccess/BeginGetAccess to obtain a SAS URI on the disk-level artifact and reads only the changed byte ranges via the page-blob Get Page Ranges Diff REST operation (afi.ai, Veeam) or creates a temporary managed disk from the snapshot and attaches it as a block device to a worker (Cohesity DPaaS, Rubrik). Compression and encryption happen at the data mover (or, for afi.ai, at the afi.ai backend) before data is written to the backup repository.

Multi-disk consistency.

As a result of relying on per-disk snapshots (one snapshot per attached disk), multi-disk consistency is best-effort in case of Cohesity, Rubrik, and Veeam. The snapshots are issued in quick succession but are not atomic across disks. Veeam reconciles the per-disk snapshots into a logical group by tagging them with shared metadata.

Application consistency.

afi.ai gets application consistency directly from the Restore Point's applicationConsistent mode, with no separate vendor agent. Cohesity, Rubrik, and Veeam either rely on crash consistency (the snapshot taken on a running VM is recoverable like a power-cut state) or require an in-guest agent to coordinate VSS on Windows or pre/post scripts on Linux.

The vendor-specific data flow

The afi.ai backend calls ARM to create an Azure VM Restore Point in a Restore Point Collection in the source subscription (first one is full, subsequent ones are incremental). It then enumerates the per-disk Disk Restore Points inside the VM Restore Point, generates SAS URIs, and reads changed page ranges directly from Azure Storage to the afi.ai backend over HTTPS, with no in-Azure data mover. The Restore Point Collection is retained in the customer subscription for 7 days; older recovery points exist only in afi.ai's object store.

The Cohesity DPaaS cloud management service calls ARM to create per-disk incremental snapshots. The storage-proxy VM in the customer VNet attaches each snapshot via a SAS URI (private-endpoint paths supported, with a 32 TB per-disk cap when used), reads the changed page ranges, deduplicates and compresses the stream, encrypts it, and pushes it over an outbound TLS-encrypted gRPC tunnel (port 443) to the Cohesity data-plane endpoint in the customer-selected Cohesity region. The per-disk snapshot is removed at job end.

The Cohesity Cloud Edition cluster running in customer Azure VMs is both orchestrator and data mover. It calls ARM for per-disk incremental snapshots and pulls changed page ranges via SAS URI into its own clustered storage on the cluster's locally attached managed disks, with opt-in tiering to Azure Blob.

The Rubrik SaaS console invokes ARM to snapshot the disks. The AKS data-mover cluster scales up; for the changed-block read to the customer's archive Blob storage account, a pod streams blocks from the snapshot via a SAS URI over HTTPS (routed through Azure private endpoints if the snapshot's network policy is private-only), with no temporary disk created in this path. For file indexing and file-level recovery, a separate pod creates a temporary managed disk from the snapshot, attaches it, and walks the filesystem. Only the index (not file contents) is sent to the SaaS console. For application-consistent in-guest backups, an AKS pod coordinates with an in-guest Rubrik agent installed on the VM. AKS nodes scale back down when idle.

The Veeam orchestrator VM calls ARM to create per-disk incremental snapshots, tagging each with metadata so the orchestrator can treat the per-disk snapshots of one VM as one logical unit. It launches one Linux data-mover VM per protected VM in the same region/subnet. The data mover reads changed page ranges from snapshot SAS URIs, compresses and encrypts the stream into Veeam-native backup files, and writes to the target Blob container. The data-mover VM is destroyed at job end. To enable the page-range diff against the next backup, VBAz permanently retains the two most recent per-disk snapshots in the source resource group; older snapshots are purged per policy. Orchestrator-to-mover control messaging uses Azure Queue Storage which avoids the need for VNet peering or public IPs between the orchestrator VM and movers.

Recovery follows the inverse of the backup path. afi.ai and Cohesity DPaaS must rehydrate from vendor-hosted storage for any point older than the local snapshot/restore-point retention window.

Cohesity Cloud Edition rehydrates from its in-cluster managed disks. Rubrik and Veeam can restore from the per-disk snapshots they keep in the source resource group when the recovery point is within the snapshot-retention window, skipping rehydration; older points are read back from the Blob repository.

File-level recovery is implemented as:

• direct streaming from the vendor backup copy via the SaaS UI in afi.ai and Cohesity DPaaS;
• reading from local cluster storage in Cohesity Cloud Edition;
• an AKS pod in Rubrik that creates a disk from the snapshot, mounts it, and stages requested files into a customer Storage account;
• a worker VM in Veeam (with a dedicated file-level recovery web service).

Coverage of basic Azure VM and Azure SQL Database is universal. Differences appear at Azure SQL Managed Instance, PostgreSQL, Cosmos DB, Azure Files, Azure Blob Storage, AKS, and VMware on Azure (Azure VMware Solution). The vendors with an in-tenant cluster option (Cohesity Cloud Edition, Rubrik with its Linux-VM cluster build) cover the widest set.

The solutions' footprints range from no in-tenant infrastructure (afi.ai) to the full stack running in the customer's Azure subscription (Veeam and Cohesity CE).

afi.ai's strength is operational simplicity, as it requires service-principal registration only, with nothing to size, patch, or scale. Cohesity DPaaS keeps the orchestrator and storage outside of Azure but still requires always-on proxy VMs in every protected region.

Veeam and Cohesity CE have the heaviest in-tenant footprint and the most self-contained as the customer owns and operates everything and backup data never leaves the tenancy, but patching and Azure VM/disk costs have to be managed by the customer.

Rubrik offers the middle ground, with SaaS console and on-demand AKS for the data path, so customer-side compute scales to near-zero between jobs while data stays in the customer's Blob storage.

The architectural differences track closely with when each product was first built for Azure and which Azure primitives existed at that time.

Azure Managed Disks reached GA in February 2017 and incremental managed-disk snapshots with changed-block tracking landed in April 2020. The multi-disk, application/crash-consistent VM Restore Points API was introduced as API version 2021-03-01 (application-consistent) and 2021-07-01 (crash-consistent). Azure-native vaulted backup for PostgreSQL Flexible Server reached GA in February 2025.

Cohesity DataPlatform Cloud Edition for Azure first shipped on May 25, 2017, predating every modern Azure backup primitive. Veeam Backup for Microsoft Azure 1.0 reached GA on April 28, 2020, roughly contemporaneously with incremental disk snapshots and a year before the VM Restore Points API. Rubrik first announced Polaris-driven Azure VM protection in October 2019, with Azure SQL Database SaaS support added in December 2021. Cohesity DataProtect-as-a-Service launched as a BaaS offering in December 2020, with Azure VM and Azure SQL support added in 2023. Afi's Azure VM/SQL/PostgreSQL service appeared on the Azure Marketplace in February 2025.

This timing explains most of the architectural differences:

• Customer-hosted vs. SaaS control plane is a vendor heritage. Cohesity Cloud Edition is the on-prem 2015-era clustered DataPlatform ported onto Azure VMs in 2017; the cluster has always been the management plane, and Cohesity later added a separate SaaS console (originally called Helios, now part of Data Cloud) that CE clusters can register with. Veeam VBAz inherits the same on-prem-first design philosophy as Veeam Backup & Replication (first shipped 2008): customer owns the management server, the configuration database, and the repository. The newer entrants (Rubrik for Azure in 2019, Cohesity DPaaS in 2020, afi.ai in 2025) were designed cloud-first and put the control plane in vendor SaaS from day one.
• Data-mover compute primitive correlates with launch date. afi.ai (2025) is the only product that builds on the VM Restore Points API as its primary primitive; that API simply did not exist for the others when they were designed. Veeam (2020) and Rubrik for Azure (2019/2020) both predate the VM Restore Points API and so build directly on managed-disk snapshots plus the Disk SDK; Veeam launches a fresh Linux VM per job because that was the cleanest way to scale Disk-SDK readers in early-2020 Azure. Rubrik chose AKS because, by the time it was built, AKS had matured (GA June 2018) and offered cheaper idle scaling than always-on VMs. Cohesity DPaaS for Azure VM (2023) reuses the same persistent-proxy pattern Cohesity already used for AWS and on-prem VMware.
• Where the backup data is stored reflects both product heritage and positioning. Veeam, Rubrik, and Cohesity Cloud Edition keep the master copy in the customer's Azure subscription - a model rooted in their on-prem heritage of customer-owned repositories, and the only practical option before Azure's managed-disk incremental snapshot differential-read API went GA in April 2020, which made efficient out-of-Azure incremental egress feasible at scale. Cohesity DPaaS and Afi take the opposite stance, deliberately shipping the master copy out of Azure to vendor-managed object storage for SaaS-native sovereignty and air-gap.

The two older Azure-native products (Veeam VBAz 2020, Cohesity CE 2017) carry forward on-prem architectural assumptions; the three SaaS-first products (Rubrik for Azure 2019, Cohesity DPaaS 2023, afi.ai 2025) reflect successively newer Azure primitives and architecture, including AKS for Rubrik, out-of-tenant SaaS storage for Cohesity DPaaS, and the VM Restore Points API for afi.ai.

All product names are trademarks or registered trademarks of their respective holders; use of them does not imply any affiliation with or endorsement by them.