Skip to main content
  • EN

Implement 3-2-1 rule with SOBR on Synology and Wasabi

According to @Rick Vanover , the Scale-out Backup Repository (SOBR) is a logical entity that groups several backup repositories called extents. This is a software way to pool storage for backup data management. I have written a detailed guide on my blog “how to Achieve 3-2-1 rule with SOBR on Synology or OOTBI and Wasabi”.

We can implement the 3-2-1 backup rule via the SOBR. The 3-2-1 backup rule recommends having three copies of your data, stored on two different types of media, with one copy kept off-site. Here is a great post by Rick below as well.

A scale-out backup repository is an architecture that enables you to extend your backup storage by adding multiple repositories. Adding a new extent to an existing scale-out repository is an easy way to extend storage without relocating backup chains.

The focus of this article is using Synology DS923+ Appliance. But you can also achieve 3-2-1 with the Object First OOTBI appliance. With the recent addition of 192TB, you are sure of 768- TB in a four-node OOTBI Cluster! With Veeam’s 12.1.2 release, you can get over 3PB of storage using OOTBI clusters as extents in a Veeam Scale-Out Backup Repository (SOBR).
 

With the above information about OOTBI, you could deploy OOTBI appliance in the Performance Tier on the primary data center and as a Capacity Tier in the secondary data center, with immutability enabled in both tiers.

 

From the architecture below, these are the various repository types that make up a Scale-out Backup Repository (SOBR). In this article, we will focus on the Performance and Capacity Tier. If you wish to learn more about the Archive Tier, please see the images below. You can search through the community for tons of articles on this topic. You will find them very interesting.

  •  

 

 

Below is a short description of these tiers. You can learn more about backup strategy.

  • Performance tiers: Allows granular placement of backup to one or more extents.  This level is used for fast access to data
  • Capacities Tier: This extends the backup storage transparently and intelligently to the object storage. The “Cloud Tier” is also referred to as the “Capacity Tier”.
  • Archive Tier: The archive tier is an additional tier of storage that can be attached to a scale-out backup repository. You can transfer data to the archive tier from performance extents that consist of Amazon S3, Microsoft Azure, or S3 compatible with data archiving object storage repositories and capacity extents.

Create Storage Bucket

In this section, we will create an object storage repository to act as a Capacity Tier. This will help us store backup in an off-site location, thereby complying with the 3-2-1 rule. Navigate to the Wasabi Management Console (dashboard). Click on Buck and then on “Create Bucket”.

 

Ensure “Object versioning” and “Object Lock” is selected. Click on Next to proceed.
Bucket Created

Do not configure any tiering or lifecycle rules on object storage buckets used for Veeam Object Storage Repositories. They are unsupported at the time of writing this article

 

Access Key Creation

Log into the Wasabi console and click on Access Key. Then, click on the “create New Access key”

Ensure you download the CSV or copy keys to clipboard and save in a safe location. Else, when this window is closed, you will never be able to access the Secret key anymore.

Create “Wasabi S3 Veeam Repository”

This process is pretty straight forward. Launch Veeam backup and Replication console and navigate to the Backup Infrastructure. Click on Backup Repository and select “Add Repository”. On the add backup repository wizard, select “Object Storage’.

On the S3 compatible wizard, select S3 Compatible as this will add an S3 compatible storage.

From the “New Object Storage repository’ wizard, enter the name and click next.

 

On the Account section, specify the Service point, region and credential. You can learn more about the service URLs for Wasabi’s Storage Regions. Object storage not limited to Wasabi as used in this article includes Amazon S3, Microsoft Azure Blob Storage, and other S3-compatible storage services such as Wasabi.

Browse to the Bucket and also create a Folder from here as discussed above.

Complies with 3-2-1 rule as a copy of data will be stored off-site.

Immutability protects from ransomware attacks by locking the objects which prevents them from being modified or deleted by malicious software or humans.

Specify to “make the recent backup immutable for x-number of days as you wish”. You bucket must have the object lock and versioning enabled for this to work. Else, you will have to create a new bucket if not enabled previously during creation.

 

Click Apply to continue

 

Click Finish to complete the Object Storage Creation

 

Create SOBR

Launch the Open Veeam Backup & Replication. Navigate to the “Backup Infrastructure” tab. Right-click on “Scale-Out Repositories” and select “Add Scale-Out Backup Repository.”

To add some “Extents” (Backup Repositories), click on the Add button.

Note: After you add a backup repository or an object storage repository to the scale-out backup repository, they no longer exist as individual backup repositories. When a backup repository or an object storage repository is added as a performance extent, some of its original settings are kept, and some are not.

The performance extents of the scale-out backup repository should be located in the same site

I will be selecting two repositories to act as the Performance Tier. These are on two different Synology DS923+ NAS. Click Ok to proceed.
Please see ‘Setup DS923+ Synology NAS as a Backup Repository for VBR“, and how to Setup iSCSI Target and Storage LUN on Synology DS923+ for VBR.

The backup will be stored in two separate media and this help us comply with the 3-2-1, and another offsite to Wasabi Object storage. I am utilizing the Network Attached Storage ((SMB (CIFS)Share), and via Direct Attached Storage (Windows Server) by iSCSI LUN

Click on “Yes” in order for the jobs to be automatically updated to point to SOBR.

When you configure a scale-out backup repository, you must set the backup file placement policy for backup repositories. The backup file placement policy describes how backup files are distributed between extents. Select data Locality

If you set the Data locality policy for a scale-out backup repository, all backup files that belong to the same backup chain are stored on the same extent of the scale-out backup repository. A new backup chain can be stored on the same extent or
another extent as described in this image.

For the Capacity Tier, I will check the button to extend “Scale-out backup repository capacity with object storage”.

I have the option to choose the S3 compatible object storage I have added above and then click on OK.

Do not forget to check the “Copy backup to object storage as soon as they are created“. This help comply with the 3-2-1 rule.

The COPY mode ensures 3-2-1 rule unlike the move mode

Note: If you use some existing REPO for SOBR, Veeam Backup and Replication will detect the existing backup file in your Performance Tier extents (REPO). You will then be asked if you want to copy all existing backups to the Capacity Tier or just the latest backup chains. I am fine with the latest backup and will then click on Next to proceed. Here, Veeam Backup & Replication will copy the active backup chain only to the Capacity Tier.

 

According to @Michael Melter and I quote ‘From V10 we already saw the “copy mode”. This now allowed us to fully leverage the capacity tier of the SOBR to obey the 3-2-1 rule by having a copy of the backups in another site. It could even be considered an air-gapped backup as it is only accessible via an API and no direct access to disks whatsoever is possible”. Direct deletion from within Veeam by a rogue admin though is still possible.


For me, I will be testing this feature at a later time. So I have unselected it and will click on Apply to save the SOBR.

Click on finish to close the Scale-out Backup Repository wizard.

 

Create Backup Job

In the Veeam Backup and Replication console, and click on the Home view. Then select “Backup Job” on the ribbon. I am interested in backing up a Virtual Machine at the moment.

Enter the backup Job name

Click on Add and in the “Add Objects” wizard, select the VM and click on OK.

Select the Backup Repository we created above. This is the Scale-out Backup Repository.

Configuring a secondary backup location is important to ensure redundancy and reliability in case the primary backup location fails or becomes inaccessible. But this is not inline with the scope of this article.

On Guess processing, I will click next to proceed. If you select “Enable application-aware processing”. This will require you to enter the Guest OS credentials. Click on Next to proceed.

I do not care about automatic job schedule because this is different for everyone. Click on Apply.

In order to run the job, click on “Run the job when I click Finish”.

Note: To discover on which performance extent of the scale-out backup repository a particular backup file is stored, you can examine the job session statistics or check the backup properties from the inventory pane. Click Backup under Jobs, in the working area, right-click the job and select Statistics. In the bottom left pane of the window, click the VM name. In the Action pane, locate the message: “Using ….. repository extent*.

 

As you can see, the full backup is complete

By leveraging SOBR, you can effectively adhere to the 3-2-1 backup rule, enhancing your data protection strategy.

Now you can perform a restore also from the Capacity Tier as the backup is available in the object storage.

 

Veeam SOBR Offload job is a storage management job to offload the backup from performance tier to capacity tier in SOBR. By default, this job will be kicked off every 4 hours by Veeam server. Below is a “Hidden” feature to run the offload job as below.

To do this, hold down the control button and right-click on the SOBR. Then , click on “Run tiering job now”.

Note: SOBR Offload has the lowest priority. So, if you have any of the other job types running during your SOBR Offload window.
The SOBR Offload job(s) may not get assigned enough repository slots to finish within your preferred time frame.

I will recommend you to take a look at the article on my blog for additional information not included in this guide.

 

Note: In today’s digital age, the 3-2-1 Rule has evolved and expanded and we have the 3-2-1-1-0 Rule with at least three backups of your data on two different media, with one off-site and one that is offline, air-gapped, or immutable for zero errors after automated backup testing and recoverability verification with Veeam Data Platform. Backing up your data is not enough – you must ensure that each backup is recoverable, complete, and uncorrupted. I have referenced a fantastic post by @Nico Losschaert on the 3-2-1-1-0.

 

  •  

In summary, leveraging SOBR in your backup strategy allows you to easily meet the 3-2-1 backup rule by creating multiple copies of your data across different types of storage, including at least one offsite location. This approach enhances data redundancy and ensures data availability in case of local failures or disasters by avoiding a single points of failure.

Love this @Iams3le → It’s “DOUBLE PLAY” Immutability, 2 different immutability control planes. Ultra-Resilient awesomeness.

Love this @Iams3le → It’s “DOUBLE PLAY” Immutability, 2 different immutability control planes. Ultra-Resilient awesomeness.

Thank you very much, Rick!

Well done!

One suggestion, which I’ll address in a forthcoming article, is to make sure the Root user for Wasabi is using Multi-factor Auth (MFA) AND Muti-user Auth (MUA) to provide Nth level protection for the account, over and above the use of object lock for data protection.

Good one , thanks

Good one , thanks

You are welcome! 

Comment


Terms & Conditions