Recap : Surebackup - what, why and how

  • 7 January 2024

Userlevel 7
Badge +12

Hi all

During the last physical event of Veeam VUG BeLux at the end of 2023 I gave a session about Veeam Surebackup.

What it is, why it is needed and how it should be implemented and being used.

In this post I will give a summary about the content of that session so everyone can enjoy the content 😁


What is surebackup ?

Automated or manual mechanism
To verify the recoverability of the backups
Can be used for :
  • For VMs on a Vmware or Hyper-V environment
  • Since V12 : also possible for agent backups (physical devices or cloud devices)

Possible for :

  • Regular backups
  • Backups from storage snapshots
  • Regular replica’s (only VMware)


Why do we need surebackup ?

To be sure of the recoverability of our backups

To apply to the 3-2-1-1-0 rule - to apply the 0 of the golden backup rule


Requirements : 

License :
  • Perpetual socket-based license : at least an Enterprise license
  • Veeam Universal License (VUL)
  • SAN licenses in case of storage snapshots (Vmware only)
Infrastructure :
  • The necessary memory
  • The necessary compute
  • Spare storage capacity
  • vPower NFS Service (only for Vmware)


How surebackup works : 

Steps :
  • Boots the machine in an isolated environment
    • From backup-files on the repository
    • It uses vPower NFS (Vmware)
    • It uses instant recovery (Hyper-V)
  • Run tests for the machine
  • Powers the machine off
  • Create a report and send by email

Creates a report on recovery verification results

Optionally :
  • Scans for malware
  • Performs integrity check (validate backup files)

During verification :

  • Read-only, changes written to redo log files



Recovery Verification Tests : 


Predefined Tests
  • Heartbeat test (Vmware Tools – Hyper-V Integration Services are required)
  • Ping test (Vmware Tools – Hyper-V Integration Services are required)
  • Application test
    • DNS servers, Domain Controllers, Global Catalog servers, mail servers and web servers -  it uses an application-specific port
    • Microsoft SQL Server - it uses a script to attempt to connect to instances and databases on the SQL server

Custom Verification Tests


Components : 

Application Group (optional)
  • Optional component
  • A group of machines (at least 1) on which a verified machine is dependent
  • It creates the surroundings for the verified machine
  • Typically : Domain Controllers, DNS server, DHCP server, SQL server
  • The machines of an application group keeps running until the job is finished
Virtual Lab (required)
  • Required component
  • Is an isolated virtual environment (safe space) in which the verified machine and machines from the application group are started and tested
  • Not only being used for surebackup – also on-demand sandbox and staged restore
  • Not needed to have extra resources
  • Fully fenced off from the production environment
  • The network configuration of the production environment is being mirrored

Surebackup Job (required)


  • Required component
  • A task for perform recovery verification
  • Manually or automatically by schedule
  • Steps :
    • VBR starts the virtual lab
    • VMs of the application group will be started, tested and keeps running
    • VMs of the linked jobs will be started and tested
  • By default per 3 VMs concurrently – recommended to keep this value as default
  • Possible to lower the RAM allocation (vCPU automatically)
  • Be aware of the scheduling of scheduled backup-jobs (locked)
  • Optionally : check backup file integrity and malware scan


Extra features to understand :

Proxy Appliance

  • Component needed to enable communication between production and virtual lab
  • It’s a lightweight Linux-based VM deployed on the host where the virtual lab is created
  • Assigned a IP-address in the production network
  • In a dedicated virtual lab folder and resource pool on the host and dedicated virtual switch
  • Acts as a gateway between production and virtual lab
  • Uses network adapters : one per every isolated network
  • Important : those adapters needs the IP-address of the real production default gateway
  • Optional : without no automatic tests are possible – only health-test and manual tests


IP Masquerading


  • VBR uses masquerade IP addressing to let traffic into the virtual lab
  • Every VM in the virtual lab has a masquerade IP address
  • Entry point to the VM in the virtual lab from the production environment
  • Rules that route requests to VMs in the virtual lab are specified in the routing table
    • VBR : by default - automatically
    • Client machine – see further
  • The proxy appliance acts as a NAT device


Static IP Mapping 


  • Needed when you want to provide many clients with access to a restored VM
  • Use-cases : user-directed application item-level testing (exchange owa, ...)
  • To access a VM in the virtual lab, you must reserve a static IP address in the pool of production IP addresses and map this IP address of a VM in the virtual lab
  • Alternatively DNS alias records can be used



Recommendations - troubleshooting : 


  • Windows Firewall – enable the option to automatically turn off
  • Windows Updates – can violate the maximum boot time
  • Install vmware tools or hyper-v integration services on servers with Veeam agent to recover
  • When using VBR and Virtual Lab on different subnets – extra manual configuration of routing between networks is required


Extra possibilities : 


  • SureReplica (only Vmware)
  • On-Demand Sandbox to perform tests for production VMs
  • Used scenario’s :
    • Troubleshoot problems with VMs
    • Test software patches and upgrades
    • Install new software...
  • Application group is required to store all the VM





Userlevel 7
Badge +21

Really great post Nico. Great information for the community. 👍

Userlevel 7
Badge +19

Very detailed. Great reminder info Nico. Thank you for sharing!

Userlevel 7
Badge +9

Great info @Nico Losschaert!  I would like to suggest embedding the recording into this post.

Userlevel 7
Badge +12

Great info @Nico Losschaert!  I would like to suggest embedding the recording into this post.

Thx @Iams3le , being a physical event nothing is being recorded, and by the way this was done in Dutch 😊

Userlevel 7
Badge +6

Great post @Nico Losschaert Thanks