Air-gapping your backups sounds simple in theory:
“Just isolate them so nothing can touch them.”
But in practice?
That’s where things get tricky.
Because the moment you start locking things down too aggressively, you risk:
- Breaking backup jobs
- Slowing down restores
- Creating operational headaches
- Or worse—making recovery harder when you actually need it
I’ve seen environments go too far:
- Backups fully isolated… but unusable
- Processes so manual they never get tested
- Security so tight it blocks recovery workflows
That’s not resilience. That’s friction.
So let’s talk about how to air-gap Veeam the right way—without breaking operations.
First: What “Air-Gap” Actually Means
Air-gap doesn’t have to mean physically unplugged (although it can).
In modern environments, it usually means:
- Logical isolation
- Controlled access
- Separation from production risk
The goal isn’t to make backups unreachable.
The goal is to make them untouchable by attackers—while still usable by you.
The Core Principle
Backups should be easy for you to access… and very hard for anything else.
That balance is everything.
1. Separate Your Backup Infrastructure (Don’t Keep It Flat)
If your Veeam components live in the same network as production, you don’t have an air gap.
You have a shared blast radius.
What to do:
- Place repositories in a separate network segment
- Restrict communication paths:
  - Only allow required ports
  - Only allow specific systems
What this prevents:
- Lateral movement from compromised systems
- Direct access to backup storage
Isolation is your first layer—not your only one.
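
One way to check the "required ports, specific systems" rule against an exported firewall policy. This is an added example, not part of the original article: the addresses, rule names and port list are constructed assumptions, and the real port list should come from Veeam's port documentation for your version and components.

```python
import ipaddress

# Assumptions for this example (not from the article): segment addresses,
# host IPs and the port list are constructed. Replace them with your own.
BACKUP_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_SOURCES = {                      # specific systems only
    ipaddress.ip_address("10.10.5.10"),  # backup server (assumed)
    ipaddress.ip_address("10.10.5.21"),  # backup proxy (assumed)
}
ALLOWED_PORTS = [(6162, 6162), (2500, 3300)]  # assumed required TCP ports

# Constructed sample rules: (name, source CIDR, destination CIDR, first port, last port)
RULES = [
    ("vbr-to-repo-mover", "10.10.5.10/32", "10.50.0.20/32", 6162, 6162),
    ("proxy-to-repo-data", "10.10.5.21/32", "10.50.0.20/32", 2500, 3300),
    ("legacy-smb", "10.10.0.0/16", "10.50.0.20/32", 445, 445),
    ("admin-any", "10.10.5.10/32", "10.50.0.0/24", 1, 65535),
    ("prod-web", "10.10.0.0/16", "10.20.0.0/24", 443, 443),
]

def port_range_allowed(lo, hi):
    """True if the whole range lo..hi sits inside one allowed range."""
    return any(a <= lo and hi <= b for a, b in ALLOWED_PORTS)

def source_allowed(cidr):
    """True only if every address in the source CIDR is an approved system."""
    net = ipaddress.ip_network(cidr)
    if net.num_addresses > len(ALLOWED_SOURCES):
        return False  # too broad to consist only of approved hosts
    return all(addr in ALLOWED_SOURCES for addr in net)

def audit(rules):
    """Return (rule name, reason) for each rule that widens the blast radius."""
    findings = []
    for name, src, dst, lo, hi in rules:
        if not ipaddress.ip_network(dst).overlaps(BACKUP_SEGMENT):
            continue  # rule does not reach the backup segment
        if not source_allowed(src):
            findings.append((name, "source is broader than the approved systems"))
        if not port_range_allowed(lo, hi):
            findings.append((name, "port range is not on the required list"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"{name}: {reason}")
```
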
2. Use Immutable Storage (But Don’t Stop There)
Immutability is essential—but it’s not the full story.
What it does:
- Prevents deletion/modification of backups
- Protects against ransomware encryption
What it doesn’t do:
- Control access
- Ensure clean restore points
- Prevent misuse of credentials
Best approach:
- Combine immutability with isolation
- Use hardened repositories or object storage with immutability
Immutability protects data. Air-gapping protects access.
- Some great options are Object First, Data Domain with Retention Lock, ExaGrid, and the Veeam Software Appliance (VSA).
3. Lock Down Access (Identity Is the Real Target)
Attackers don’t just attack storage—they attack credentials.
What to implement:
- MFA for Veeam console and management access
- Role-based access control (RBAC)
- Separate admin accounts (no shared credentials)
Critical rule:
Backup admins should not share credentials with:
- Domain admins
- General IT accounts
If identity is compromised, your air gap is at risk.
4. Control When and How Backups Are Accessible
This is where you introduce a functional air gap.
Backups don’t need to be constantly accessible.
Options:
- Scheduled access windows
- On-demand mounting of backup storage
- Restricted API or service access
Why it matters:
Even if attackers gain access, they have limited opportunity to interact with backups.
Reduce exposure time, reduce risk.
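
A scheduled access window is only useful if something notices traffic outside it. The following added example (not from the original article) reviews connection records to the repository against a window that crosses midnight; the window times, approved source and log format are constructed assumptions.

```python
from datetime import datetime, time

# Assumptions for this example (not from the article): the window times,
# the approved source address and the log format are all constructed.
ACCESS_WINDOWS = [(time(22, 0), time(2, 0))]   # nightly copy window, crosses midnight
APPROVED_SOURCES = {"10.10.5.10"}              # backup server only (assumed)

# Constructed sample of accepted connections to the repository:
# timestamp, source IP, destination port.
SAMPLE_LOG = """\
2024-05-01T22:15:03 10.10.5.10 6162
2024-05-02T01:40:11 10.10.5.10 6162
2024-05-02T03:12:45 10.10.5.10 6162
2024-05-02T23:05:00 10.10.7.33 22
2024-05-03T14:30:09 10.10.7.33 6162
"""

def in_window(t, windows=ACCESS_WINDOWS):
    """True if time-of-day t falls in any window; handles windows past midnight."""
    for start, end in windows:
        if start <= end:
            if start <= t < end:
                return True
        elif t >= start or t < end:   # window wraps over midnight
            return True
    return False

def review(log_text):
    """Return (line, reasons) for every connection that breaks the policy."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        stamp, src, _port = parts
        when = datetime.fromisoformat(stamp)
        reasons = []
        if not in_window(when.time()):
            reasons.append("outside access window")
        if src not in APPROVED_SOURCES:
            reasons.append("unapproved source")
        if reasons:
            alerts.append((line, reasons))
    return alerts

if __name__ == "__main__":
    for line, reasons in review(SAMPLE_LOG):
        print(f"{line}  ->  {', '.join(reasons)}")
```
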
5. Use Backup Copies to Create Separation
One of the easiest ways to introduce air-gapping in Veeam is through backup copy jobs.
Strategy:
- Primary backups (fast access, operational)
- Secondary copies (isolated, protected)
Examples:
- Copy to object storage with immutability
- Copy to a separate site or repository
- Copy to offline or limited-access storage
Benefit:
Even if your primary environment is compromised, your copy is not.
One backup is operational.
Two backups are resilient.
6. Consider Offline or Semi-Offline Copies
For higher security environments, go further.
Options:
- Periodically disconnected storage
- Tape (yes, still relevant)
- Manual or scheduled offline exports
Trade-off:
- Slower access
- More operational effort
But:
This is your last line of defense.
7. Test Recovery Through the Air Gap
This is where many environments fail.
They build isolation… but never test recovery through it.
You should test:
- Restoring from immutable storage
- Recovering from backup copies
- Accessing data across isolated networks
What you’ll uncover:
- Network limitations
- Permission issues
- Performance constraints
An air gap that can’t be used for recovery isn’t protection—it’s a problem.
8. Document the Process (Before You Need It)
During an incident, you don’t want to figure out:
- How to access isolated backups
- Which credentials to use
- What steps are required
Create a runbook:
- Step-by-step recovery process
- Access requirements
- Network paths
- Escalation contacts
Then test it.
9. Keep It Operationally Realistic
This is where most designs fail.
They aim for maximum security… and ignore usability.
Ask yourself:
- Can I restore quickly?
- Can someone else follow the process?
- Will this work under pressure?
If the answer is no, simplify.
Security that blocks recovery isn’t resilience.
What a Balanced Air-Gap Looks Like
At the end of the day, a well-designed Veeam air-gap strategy looks like this:
- Segmented infrastructure
- Immutable storage
- Strong access control
- Backup copies in separate locations
- Optional offline layer
- Tested recovery workflows
Not one control.
Multiple layers working together.
Final Thought
Air-gapping isn’t about making backups untouchable.
It’s about making them uncompromisable—without making them unusable.
The best air-gap strategy is one that attackers can’t break…
and your team can still rely on when everything else fails.
Because in a real incident, protection only matters if recovery still works.
My next article will be a follow-up on “common air-gap mistakes.”
