Veeam Immutable Backups with Pure Storage FlashArray//C SafeMode

  • 27 February 2021

Userlevel 4
  • Comes here often

When it comes to protecting your business against Ransomware, there are three critical components of a successful strategy. Any solution that you're going to rely upon must have all three of these attributes:

  1. Simple

  2. Immutable

  3. Fast

The combo of Veeam Backup and Replication alongside SafeMode snapshots on Pure Storage FlashArray//C is uniquely capable of delivering on all three of these critical requirements.



When it comes to data protection, it's easy to let your guard down. The best solutions are the ones that don't require constant care and feeding. They are simple to set up and simple to maintain. Veeam and Pure have each built a solid reputation on designing products that are intuitive and easy to use. Veeam backups made immutable by FlashArray SafeMode are "set and forget" simple.


This simplicity comes in part due to the fact that you don't have to change a thing about your Veeam deployment to enable SafeMode protected backups.

  • SafeMode protects the entire Veeam Backup Repository and underlying storage.

  • SafeMode works with both Windows and Linux Repositories, formatted with any VBR supported file system (NTFS, ReFS*, EXT4, and XFS).

  • SafeMode works with Veeam Backup and Replication v10 and v11.

  • SafeMode works with every backup method (forward incremental, forever-forward incremental, and reverse incremental).

*While SafeMode will work with ReFS formatted repositories, it is not currently recommended due to Microsoft's lack of support for Trim/Unmap.




The word "immutable" gets thrown around a lot, so I want to dig into what exactly this means for SafeMode.


FlashArray snapshots are immutable by design and always have been; meaning you can not alter or encrypt the content of a FlashArray snapshot. I think anyone who thinks about this for any length of time however will realize that this alone isn't sufficient for ransomware protection. Why? Even though I can't alter the data in a snapshot, I could simply just delete it. This is where SafeMode comes into play. SafeMode adds some very important enhancements to FlashArray snapshots.

  1. In addition to being safe from modification or encryption, SafeMode also prevents snapshots from being deleted.

  2. SafeMode lets you pick the frequency and retention policy of these immutable snapshots.

  3. SafeMode may only be disabled or modified by Pure Technical Support working with an authorized designee from your organization.



How does this work with Veeam?

  • You'll start by setting up FlashArray to serve as your Veeam Repository just as you would today.

  • Next, create a snapshot schedule to take regular FlashArray snapshots of your repo and determine for how long you want those snapshots saved.

  • Finally, enable SafeMode. Once enabled, it can't be disabled, the retention can't be reduced, and the resulting snapshots can't be deleted prior to the configured retention setting; even with FlashArray administrative credentials.

Should your Veeam repo ever be compromised, simply roll back to the latest good snapshot. Even if your VBR server is completely lost, the portable nature of Veeam backup files means your protected repository will be ready to get you back up and running fast. For an extra layer of protection, consider also configuring your Veeam Configuration Backup to be saved to a SafeMode protected repo as well. This way you can easily restore your full Veeam configuration and speed up the recovery process.



The last critical component is speed. SafeMode can help ensure that your backups will survive the attack, but none of that matters if you can't restore quickly enough to bring your business back online before suffering the consequences of an extended outage. Keep in mind that traditional backup solutions weren't built for recovering from the massive amounts of data that could be compromised in a ransomware attack. They were designed for ingest and deduplication, not fast rehydration and recovery.


The combination of Veeam Instant VM, Instant NAS (v11), and Instant DB (v11) Recovery alongside the capacity optimized all-QLC all-flash FlashArray //C means recovery happens quickly even for large datasets.


Veeam Backup and Replication v11 - Hardened Linux Repository

One of the most powerful aspects of Veeam backup immutability with SafeMode is the fact that it works with any Windows or Linux backup repo configuration. This flexibility means you don't have to make any changes to your Veeam deployment to get SafeMode protection.


But what if you want extra protection? FlashArray SafeMode can also be used alongside the new Hardened Linux Repo feature in VBR v11. Using these two features together enables a defense-in-depth scenario where each feature reenforces the benefits of the other. The Hardened Linux Repo acts as the first line of defense, preventing the deletion of individual backup files; and SafeMode adds storage protection, protecting you from a direct attack to the infrastructure, even against an attacker with administrative credentials. Be sure to check out Zane Allyn's post about this exciting new feature of VBR v11 on the West Cost IT Hipster blog.



There is no shortage of vendors out there today touting "ransomware protection." When evaluating, be sure to ask these three questions.

  1. Is is simple enough to implement and maintain that you'll have confidence it's set up and working properly; or do you need to learn new techniques and change your business processes to conform to new requirements?

  2. Does it offer immutability not only against encryption, but also against deletion; and does that protection extend all the way from the app down to the infrastructure?

  3. Does it offer the performance you need to bounce back from an attack quickly enough to minimize the consequences of a long term business outage; or are you going to be waiting days or even weeks for recovery from tape, cloud, or legacy disk based solutions simply not designed the challenge?


Userlevel 7
Badge +12

SafeMode may only be disabled or modified by Pure Technical Support working with an authorized designee from your organization.

I like this concept; immutability/security is worthless if I can easily switch it off. I don't known Pure Storage (but I often see those good looking bezels 😉 ); do the arrays have some kind of RMM where you could reboot the system and wipe it via boot CD or something similar? That way you could circumvent all security methods.

Userlevel 4

Hi Regnor. Management is done via the GUI, CLI, and API. All methods enforce the SafeMode policies.

I agree, it’s important to understand how any immutability feature is enabled/disabled. My post talks about immutability for block storage, but I also like the S3 Object Lock API as implemented by AWS for this reason. When it’s used in compliance mode, even an admin user can’t circumvent it. My concern with non-AWS implementations of Object Lock however are that they don’t inherently address the administrative access concerns. That would require additional considerations by the particular S3 vendor.

Userlevel 6
Badge +1

Thanks for sharing


Userlevel 1

This is a great feature. can any one speak to  Pure Dedupe/Compression in combination with Veeam space efficiencies? Can Pure still get 3:1 after Veeam does its thing? I’m getting mixed messages on this. thanks

Userlevel 7
Badge +3

Thanks for Sharing 

Userlevel 7
Badge +20

Thanks for sharing.  Nice to see storage vendors implementing these types of things.  Having Pure add this on top of other Immutable features is great.  Will definitely investigate further.

Userlevel 7
Badge +4

Thanks for Sharing

Userlevel 6
Badge +1

Thanks for Sharing