Achieving 3-2-1-1-0 Protection for Cloud Native Workloads

Userlevel 7
Badge +20

Today’s topic will be regarding Cloud Native workloads within Azure & AWS and how best to adhere to Veeam’s 3-2-1-1-0 best practices and how concepts can differ from traditional on-premises data protection. Remember the 3-2-1-1-0 best practice is a minimum desired standard and going above and beyond these minimums will help your data availability and recoverability objectives.

The public cloud has provided a huge transformation opportunity for organisations, the pay as you go model enables organisations to deploy quickly and without the overheads of infrastructure management. But these platforms are still part of a shared-responsibility model, with a key risk that you retain being, the protection of your data.

3 - Copies of Your Data

Lets start with the easiest one. Three copies of your data, including your production data. Public cloud services such as Azure will inform you that they retain three synchronous copies of your data as a minimum via their “Locally Redundant Storage” offering, or using “Zone-Redundant Storage” to keep three copies of your data synchronised across three availability zones within the primary region. This shouldn’t be recognised as any more than a single copy of data, due to the synchronised state. Any damage or deletion of data will impact all copies simultaneously.

Instead use the native Veeam Backup offering for the public cloud of your choice to create backups of your data, this will enable you to create copies of data that are independent to the state of the production data. We’ll touch on what type of backups we can use to meet this criteria shortly.


2 - Media Types

The goal of copying your data onto multiple media types, is to prevent encountering an issue impacting all your recoverability scenarios. For example, if you stored all of your data within AWS S3 buckets, but you lost access to your AWS tenant, you’ve lost access to all copies of your data.

So how can we escape our Azure/AWS storage offerings? The best way is by utilising a Veeam Backup & Replication server, either on-premises or within another datacentre that is isolated from your public cloud. Deploy the Veeam Backup for Microsoft Azure / Veeam Backup for AWS plugin and create a backup copy job. This will enable you to take copies from the cloud to your own environment, and by extension, your own storage media of choice.


1 - Offsite Copy

This one is more simple, if your data is backed up within a particular public cloud region, make sure at least one of your backups isn’t within that same region. If you were using Azure’s North Europe as your primary production and primary backup region, then a regional failure would impact both copies of data. To counter this you could copy to another public cloud region such as West Europe or outside of the public cloud to your own infrastructure using the guidance discussed in the previous point above.


1 - Immutable Backup

Depending on your public cloud vendor, you may or may not already have an option available. AWS supports immutability on S3 storage, whilst Microsoft don’t have a publicly available immutable storage option yet. Have no fear as these aren’t the only options. By leveraging the Veeam Backup & Replication plugin it is still possible to perform backup copy jobs to the following immutable locations:

  • Rotated USB Drives
  • Tape
  • Veeam Cloud Connect for Service Providers
  • S3 Compatible storage with Object Lock (Immutability)

There are multiple considerations when deciding which option suits your business best, my default recommendation is for Veeam Cloud Connect due to the true isolation it provides, as you and your team have no management capabilities over a service provider’s infrastructure, it eliminates the insider threat, nobody can steal a tape or USB drive or gain physical access to destroy them. Whilst the availability of all backup copies via the internet provides for much faster recovery as opposed to Tape or USB on average. Why do I recommend Veeam Cloud Connect over an S3 vendor? Typically the IT administrator who has established the account with the S3 storage provider has far more control over the data. But by leveraging Veeam Cloud Connect instead we can ensure a level of independence to the copy of data.


0 - Backup Recovery Errors

Normally if this was an on-premises deployment I would be recommending the configuration of SureBackup/SureReplica, however these technologies don’t currently exist within the public cloud space sadly. However it is still possible to restore copies of VMs within the public cloud and use functionality such as Instant VM recovery to manually test backups from the public cloud within your own infrastructure, or use the restore to AWS/Azure mechanisms to launch them from an entirely different public cloud.

The lack of SureBackup doesn’t mean this process has to become manual, it is entirely possible via the Veeam PowerShell module to create your own customised testing of your backups automatically via scripting. It’s well worth a read of what you can do with Veeam and PowerShell (a LOT).


Closing Comments


Hopefully through this post you’ve compared to your current data protection and found ways of making it more robust.

Make sure when designing a data protection strategy to consider not just the technical obstacles that could necessitate data recovery, but also environmental and commercial. If a billing issue with a public cloud vendor could shut down your environment and leave your backups inaccessible, you’ve allowed your data to be held to ransom from the provider.

Likewise if you choose to have off-site copies, increasing the distance between them will help protect further from environmental issues. If you used both AWS and Azure within London, a disaster within this city could cause an incident that impacts both copies of data, but using London and Berlin would dramatically decrease the chances of a simultaneous disaster.


Userlevel 7
Badge +21

Great Post. I myself am now also advocating air gapped/off line as well. I do trust immutability but completely offline or on a tape in a vault is totally out of reach :).

Userlevel 7
Badge +20

Great Post. I myself am now also advocating air gapped/off line as well. I do trust immutability but completely offline or on a tape in a vault is totally out of reach :).

Thanks @Geoff Burke! Appreciate the feedback. Agreed, we want 24x7 access to data until we want it out of reach of a malicious event. Offsite tape + VCC is a brilliant combination to meet data availability with immutability via software + isolated management fault domain combined with the total isolation of tape for larger RPO break glass emergencies.

Userlevel 7
Badge +9

Nice one @MicoolPaul 

Userlevel 7
Badge +12

Great writing and good topic!

Offsite copy to the cloud is becoming more and more popular - even where i live :joy:

Userlevel 5
Badge +4

I especially liked the illustrations. They drive home the abstraction of the 3-2-1-1 rule statement (kind of like the Three Laws of Robotics...oh boy, nerd alert). Thanks for this. I’ve shared it and reposted already and have it bookmarked for future conversations.


Userlevel 7
Badge +20

Thanks for the feedback and sharing everyone 😀