10 reasons to choose Veeam Cloud Connect as BaaS


Userlevel 7
Badge +11

Why should a customer choose VEEAM Cloud Connect as BaaS with a service provider?

10 reasons why it’s such an asset to put a backup copy to a service provider using Veeam Cloud Connect

 

1 – Offsite backup copy

You all are familiar with the 3-2-1-1-0 golden rule (see my post at 3-2-1-1-0 Golden Backup Rule | Veeam Community Resource Hub), there should always be a backup copy available at an offsite location. Not all customers have the luxury having multiple sites with IT infrastructure available. In that case syncing a backup copy to a Veeam Service Provider is a perfect option having an offsite backup copy available.

 

2 – Secure end-to-end encryption

Be assured that all data is encrypted at the source (before it leaves the network of the customer), in transit and in storage at the service provider. This without affecting the data reduction ratios of built-in compression. When using a small bandwidth in comparison with the volume of data, a WAN Accelerator is a possible option to use.

 

3 – Protection against ransomware

Ransomware is very active these days. Ransomware encrypts your important and valuable data. More and more ransomware first encrypts your backups and then it encrypts your data. Therefore it’s very important to protect your backups as much as possible. Ransomware is especially infecting local drives and shares. A solution is again a copy to VCC, it’s using an SSL-connection to the service provider, therefore an extra protection to your backups.

 

4 – Protection against hackers

If a hacker hacks your IT-infrastructure and can get administrator permissions on your backup-server, than this hacker can of course delete all the backups… even the backups available at the service provider using the VBR-console or Powershell commands. This is by design.

But Veeam has created a solution for that!

If the service provider has enabled the feature Insider Protection for the tenant, than the deleted backups at VCC will first being put at a seperate folder (‘recycle bin‘) where it stays for a number of days set by the SP. This folder is not visible or accessible for the tenant (or in this case the hacker), but only for the service provider.

Be aware that scheduled GFS backup(s) are needed. This has no impact on the customer, only at the service provider because of using synthetic full backups.

In case of such a disaster, the service provider is able to copy those backup files to external media or public shared storage to put it available for the customer to restore the necessary data.

 

5 – Proximity

In most cases the service provider has implemented the VCC environment on-premises or in a datacenter in the same region. This gives the advantage of having a greater ‘trust’ than having its data somewhere in the public cloud. It has also the advantage of having the data sooner available in case of a disaster as mentioned in topic 4.

 

6 – Managed and monitored by service provider

In normal behaviour of BaaS the service provider will manage and monitor your backups at the VCC environment. This gives you as a customer more peace of mind.

Recommended is that the service provider organizes also scheduled restore-tests at their side using the backups of the customer to be sure that a good valuable copy is available at the SP.

A handy way of doing that is using the feature Direct Restore to Azure or AWS if the SP has not enough resources available. The SP only needs temporarely resources at the public cloud.

 

7 – Protection against disaster

If a real disaster happens at the customer’s site (earthquake, flood, …), backups are perfectly available at the service provider. Several options are possible then : copy the backup-files to external media and give them to the customer, direct restore the VMs to the public cloud or if the customer has ICT hardware available : just install VBR, add the service provider credentials and restore the backups over the secure SSL-connection to the available hardware.

 

8 – Backup copy in secure location

As already mentioned in topic 5, most of the service providers have implemented their VCC environment in a secured datacenter. This has the advantage that a datacenter is a secure location : only allowed people are having access to the building, the servers are running in ideal circumstances (temperature, dust, electricity flow, …)

 

9 – Possible alternative for tapes

A lot of customers are using tape-devices for having an airgapped backup copy. The disadvantage of that is : there is always manual handling needed (the tapes must be transported to an offsite location to follow the 3-2-1-1-0 rule) and tape-devices are mechanical devices, therefore sensitive for technical failures. An alternative is VCC : full automatic, no manual handling needed. Ok, it’s not a real airgapped solution, but when the feature ‘insider protection’ as mentioned in topic 4 is enabled, in my opinion it’s a worthy alternative for an airgapped backup with less handling.

 

10 – No extra licensed needed

Is using VCC, no extra licenses are needed. The customer only needs to use a paid license of Veeam Backup & Replication or Veeam Agent.

The customer only needs to pay the costs mentioned in the BaaS agreement of the service provider. In many cases this is : pay-as-you-grow. The more storage is needed, the more you pay.


14 comments

Userlevel 7
Badge +20

Great post! One minor point I’d like to highlight is that VCC for Enterprise requires no extra licensing but VCC for Service Provider can require differences in licensing. Was discussing this a few months ago with my Veeam Account Manager. Haven’t got any documents to hand that spell this out though. Will try and dig something out in the week!

Userlevel 7
Badge +17

To reason 10 there are additional costs for the WAN connection.

Otherwise the VCC is a great feature...

Userlevel 7
Badge +12

Great post! One minor point I’d like to highlight is that VCC for Enterprise requires no extra licensing but VCC for Service Provider can require differences in licensing. Was discussing this a few months ago with my Veeam Account Manager. Haven’t got any documents to hand that spell this out though. Will try and dig something out in the week!

Service Provider need a Cloud Connect enabled Server License. This doesn‘t cost you anything. The only requirement, you have to be a registered service provider.

And for each copied vm or agent to the Cloud Repo, service provider have to pay a monthly usage fee :-) 

if the Tenant uses a rental license, then the service fee for cloud connect is included in the rental license.

Userlevel 7
Badge +20

Great post! One minor point I’d like to highlight is that VCC for Enterprise requires no extra licensing but VCC for Service Provider can require differences in licensing. Was discussing this a few months ago with my Veeam Account Manager. Haven’t got any documents to hand that spell this out though. Will try and dig something out in the week!

Service Provider need a Cloud Connect enabled Server License. This doesn‘t cost you anything. The only requirement, you have to be a registered service provider.

And for each copied vm or agent to the Cloud Repo, service provider have to pay a monthly usage fee :-) 

if the Tenant uses a rental license, then the service fee for cloud connect is included in the rental license.

Thanks for expanding on this, saves me going off to get the documentation!

Userlevel 7
Badge +8

To reason 10 there are additional costs for the WAN connection.

Otherwise the VCC is a great feature...


Exactly my first though hehe

Userlevel 7
Badge +11

Thanks for this rich post @Nico Losschaert!

 

Userlevel 7
Badge +11

Thx all for the feedback!

Hello Nico, great posts to Orbid365!! It’s nice when someone can eloquently describe everything in detail and not have an agenda to hide imperfect solutions. I wanted to introduce myself to you as the SVP of a service provider that has created a storage repository for Veeam Cloud Connect, but also solved the one piece of the puzzle that no one wants to talk about, which you correctly alluded to, which is enabling “Insider Protection” as not really providing the actual airgapped, immutable solution that is really desired. Our service, Isolated Data Tier (IDT) uses VCC as the transport platform to send data offsite to our high-security data facility, then we automatically create a copy of that data which is then completely removed from any network or access to the internet, or even the client or their admins. We feel our solution is so innovative, and supported by Veeam, which we absolutely love. And after reading your two very well-written articles, we’d like to speak to you more about our service… and hopefully you recognize the difference in what we provide and will be willing to share that with your audience. This is the ultimate in ransomware, offsite/offline Veeam protection. Please contact me at mike@perpetualstorage.com. Thanks so much!!

Userlevel 7
Badge +20

Great post @Nico Losschaert one thing to expand on with WAN Accelerators is that they are required at both ends - Tenant & Cloud Provider.  Enabling it on the Cloud Provider end when a Tenant does not have it installed can actually hurt the performance of the Veeam server for all Tenants.  We determined this and actually used a script to turn WAN Acceleration off for all Tenants which improved performance.

Just something to think about on top of all this great stuff. :thumbsup_tone2:

Userlevel 7
Badge +11

@Chris.Childerhose , what do you mean exactly by this? WAN Acceleration can be enabled on the cloud provider and of course in the copy-job of the tenant itself. When both are enabled WAN Acceleration is being used. In my VCC setup, we enable always WAN Acceleration for all tenants, but only 25% of all our tenants are using WAN Acceleration in their copy-job to the VCC. Of course if you use WAN Acceleration no multiple tasks can be used concurrently while this is possible at direct transport. If you set the max. concurrent tasks for a tenant higher than 1 direct transport can be faster than using WAN Acceleration is some scenarios. What do you mean exactly in hurting the performance? What is slow? Alle transport of all tenants??? So non of your tenants are using WAN Acceleration?

Userlevel 7
Badge +20

@Nico Losschaert - When no tenant has a WAN Accelerator installed and you turn it on on the CP side it hurts all tenant performance in our case especially when there are Agent backups coming to the VCC.

When we turned off WAN Acceleration from all tenants in VCC the performance was much improved for all Tenants sending jobs no matter what kind including Agents.

We do have Tenants that use WAN Acceleration but this is something we ask and ensure they have deployed before just randomly turning it on for all which as stated hinders performance.  If a Tenant has deployed a WAN Accelerator then we be sure to turn it on for them on our side.

Most of our tenants have very good internet connections so don’t really require it, but that is one of our scoping questions when setting up new Tenants or when existing ones have issues.

I am not saying this works for everyone but in our case having it turned off for all and only enabling when needed or the tenant has WAN installed was the best way for us to have the best performance.

Userlevel 7
Badge +11

@Chris.Childerhose , thx for your explanation. So if I understand correctly. When you were setting up the CP side and turning on WAN Acceleration for all tenants but no single one tenant is using WAN Acceleration the performance for all tenants is not good? At this moment you have a combination of tenants using WAN Acceleration and tenants not using WAN Acceleration. If they are not using WAN then you are not enabling it on the CP side for this tenant. I understand that and think that’s a good idea. I will probably do that also. But at this moment when using a combination, you don’t have performance issues except perhaps if you are enabling WAN at the CP side and the tenant is not using it. We also are having tenants with agents, WAN is also enabled at the CP side. Never heard of that issue. Did you mention this to VEEAM Support? With what version of VBR at the CP side did this occur?

Userlevel 7
Badge +20

@Nico Losschaert -- no problem.  We have spoken to Veeam Support and were told the best thing is to leave it off for all especially when no Tenant uses it.

This was in Veeam v10a and we are just starting to upgrade to v11 now so will see how things behave after the upgrade.

Seems like it would not make sense but in our case performance was an issue when it was enabled on all Tenants then when turned off things got much much better.  :smiley:

Userlevel 7
Badge +11

@Chris.Childerhose, thx for sharing this. Nice to know. I’m using VCC already from version 9.0, always upgrading one of the first so our customers can also upgrade (otherwise breaking) and are using now version 11 without a problem. But I keep this in mind and will also turn off WAN Accelerator for the tenants not using this. Success with the upgrade! I also suggest to restart all components (cloud gateways, WAN Accelerators) after upgrading before putting out of maintenance even it is not required. I had also something like that : cloud gateways not running smoothly after upgarde, no restart of the cloud gateways because not necessary, but after reboot things begun running smoothly...

Comment