Hi all
During the last physical event of Veeam VUG BeLux at the end of 2023 I gave a session about Veeam Surebackup.
What it is, why it is needed and how it should be implemented and being used.
In this post I will give a summary about the content of that session so everyone can enjoy the content 
What is surebackup ?
Automated or manual mechanism
To verify the recoverability of the backups
Can be used for :
- For VMs on a Vmware or Hyper-V environment
- Since V12 : also possible for agent backups (physical devices or cloud devices)
Possible for :
- Regular backups
- Backups from storage snapshots
- Regular replica’s (only VMware)
Why do we need surebackup ?
To be sure of the recoverability of our backups
To apply to the 3-2-1-1-0 rule - to apply the 0 of the golden backup rule
Requirements :
License :
- Perpetual socket-based license : at least an Enterprise license
- Veeam Universal License (VUL)
- SAN licenses in case of storage snapshots (Vmware only)
Infrastructure :
- The necessary memory
- The necessary compute
- Spare storage capacity
- vPower NFS Service (only for Vmware)
How surebackup works :
Steps :
- Boots the machine in an isolated environment
- From backup-files on the repository
- It uses vPower NFS (Vmware)
- It uses instant recovery (Hyper-V)
- Run tests for the machine
- Powers the machine off
- Create a report and send by email
Creates a report on recovery verification results
Optionally :
- Scans for malware
- Performs integrity check (validate backup files)
During verification :
- Read-only, changes written to redo log files
Recovery Verification Tests :
Predefined Tests
- Heartbeat test (Vmware Tools – Hyper-V Integration Services are required)
- Ping test (Vmware Tools – Hyper-V Integration Services are required)
- Application test
- DNS servers, Domain Controllers, Global Catalog servers, mail servers and web servers - it uses an application-specific port
- Microsoft SQL Server - it uses a script to attempt to connect to instances and databases on the SQL server
Custom Verification Tests
Components :
Application Group (optional)
- Optional component
- A group of machines (at least 1) on which a verified machine is dependent
- It creates the surroundings for the verified machine
- Typically : Domain Controllers, DNS server, DHCP server, SQL server
- The machines of an application group keeps running until the job is finished
Virtual Lab (required)
- Required component
- Is an isolated virtual environment (safe space) in which the verified machine and machines from the application group are started and tested
- Not only being used for surebackup – also on-demand sandbox and staged restore
- Not needed to have extra resources
- Fully fenced off from the production environment
- The network configuration of the production environment is being mirrored
Surebackup Job (required)
- Required component
- A task for perform recovery verification
- Manually or automatically by schedule
- Steps :
- VBR starts the virtual lab
- VMs of the application group will be started, tested and keeps running
- VMs of the linked jobs will be started and tested
- By default per 3 VMs concurrently – recommended to keep this value as default
- Possible to lower the RAM allocation (vCPU automatically)
- Be aware of the scheduling of scheduled backup-jobs (locked)
- Optionally : check backup file integrity and malware scan
Extra features to understand :
Proxy Appliance
- Component needed to enable communication between production and virtual lab
- It’s a lightweight Linux-based VM deployed on the host where the virtual lab is created
- Assigned a IP-address in the production network
- In a dedicated virtual lab folder and resource pool on the host and dedicated virtual switch
- Acts as a gateway between production and virtual lab
- Uses network adapters : one per every isolated network
- Important : those adapters needs the IP-address of the real production default gateway
- Optional : without no automatic tests are possible – only health-test and manual tests
IP Masquerading
- VBR uses masquerade IP addressing to let traffic into the virtual lab
- Every VM in the virtual lab has a masquerade IP address
- Entry point to the VM in the virtual lab from the production environment
- Rules that route requests to VMs in the virtual lab are specified in the routing table
- VBR : by default - automatically
- Client machine – see further
- The proxy appliance acts as a NAT device
Static IP Mapping
- Needed when you want to provide many clients with access to a restored VM
- Use-cases : user-directed application item-level testing (exchange owa, ...)
- To access a VM in the virtual lab, you must reserve a static IP address in the pool of production IP addresses and map this IP address of a VM in the virtual lab
- Alternatively DNS alias records can be used
Recommendations - troubleshooting :
- Windows Firewall – enable the option to automatically turn off
- Windows Updates – can violate the maximum boot time
- Install vmware tools or hyper-v integration services on servers with Veeam agent to recover
- When using VBR and Virtual Lab on different subnets – extra manual configuration of routing between networks is required
Extra possibilities :
- SureReplica (only Vmware)
- On-Demand Sandbox to perform tests for production VMs
- Used scenario’s :
- Troubleshoot problems with VMs
- Test software patches and upgrades
- Install new software...
- Application group is required to store all the VM
regards
Nico
