POC of Ransomware Protection



Last month I got a POC request from my customer, who is looking for a new data protection solution to replace their current backup solution. The requirements are below.

  1. Backup storage should come with encryption and immutable features.
  2. The backup data retention is 31 days on-prem. We target to have 7 days or more in object storage, which will be managed by the Cloud Service Provider.
  3. SQL transaction log backup will happen every 15 mins.
  4. For SQL backup, only back up the SQL instance and copy it into the object storage.
  5. The Cloud Service Provider cannot access the backup data directly from object storage.
  6. Keep one data copy in two separate object storages.
  7. If both the Veeam Backup Server and the Veeam Repository are attacked by ransomware, we can restore data from the object storage to the production server in HQ.
  8. The backup solution fully supports VMware vSphere 7.0 and 8.0.

I prepared the following environment for this POC.

 

HQ Site
1 x Veeam Backup and Replication Server v12
1 x VMware vCenter Server 8
1 x VMware vSphere 8
1 x Veeam Repository
1 x Microsoft Windows 2019 Server (file service) – Guest OS
1 x Microsoft SQL 2019 Server – Guest OS

Cloud Services Provider
1 x Veeam Backup and Replication Server v12
1 x Veeam Repository
1 x Object Storage 1 (OBS1)
1 x Object Storage 2 (OBS2)

Backup Policies in Veeam VBR at HQ Site
1 x Microsoft Windows 2019 (Agentless backup and encryption enabled)
copy 1 > Veeam Repository
copy 2 > Object Storage 1

1 x Microsoft SQL Server (Agent backup and encryption enabled)
copy 1 > Veeam Repository
copy 2 > Object Storage 1

Backup Policies in Veeam VBR at Cloud Services Provider
Copy the data from Object Storage 1 into Object Storage 2

 

Select S3 Compatible.

Scenario 1

If both the Veeam Repository (HQ) and Object Storage 1 (OBS1) are attacked by ransomware, the Cloud Services Provider can restore the backup data (copy 3) into OBS1 from Object Storage 2 (OBS2); the customer can then restore the data to the Production Servers from OBS1.

Remark: The restore operation into Object Storage 1 completes successfully with the encryption key (provided by the customer). The restore operation fails without this encryption key.

Scenario 2

If both the Veeam Repository (HQ) and the Veeam Backup Server are attacked by ransomware, the customer can deploy a new Veeam Backup Server and connect it to OBS1; the customer can then restore the data to the Production Servers from OBS1.

Summary

  • Requirement 1: The Veeam backup platform supports backup encryption and immutable features.
  • Requirement 4: Use Veeam Agent backup with application-aware processing enabled.
  • Requirement 5: The Veeam backup platform supports object storage as the target backup repository, and backup encryption supports this access management.
  • Requirement 6: The 3-2-1-1-0 Golden Backup Rule is the Veeam-recommended configuration.
  • Requirement 8: The Veeam backup platform fully supports VMware vSphere 7.0 and 8.0.

I’m glad to have worked with the Veeam HK team and my team on this amazing POC.
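The retention, immutability, encryption, two-object-storage and 15-minute log requirements above can be checked against an inventory of restore points. This is an added example, not part of the original post or of Veeam's tooling. It assumes a hypothetical inventory schema, made-up repository names (`hq-repo`, `obs1`, `obs2`), one restore point per day, and that every point inside the retention window must still be immutable.

```python
from datetime import datetime, timedelta

# Policy from the post's requirements; repository names are made up here.
RETENTION_DAYS = {"hq-repo": 31, "obs1": 7, "obs2": 7}
MAX_LOG_GAP = timedelta(minutes=15)

def audit(points, log_times, now):
    """Check restore points (dicts: repo, taken, encrypted, immutable_until)
    and SQL log backup times against the policy. Empty list = compliant."""
    findings = []
    for repo, days in RETENTION_DAYS.items():
        window = [p for p in points if p["repo"] == repo
                  and now - p["taken"] < timedelta(days=days)]
        # Assumed schedule: one restore point per calendar day of retention.
        wanted = {(now - timedelta(days=i)).date() for i in range(days)}
        missing = wanted - {p["taken"].date() for p in window}
        if missing:
            findings.append(f"{repo}: {len(missing)} of {days} days have no restore point")
        for p in window:
            day = f"{p['taken']:%Y-%m-%d}"
            if not p["encrypted"]:
                findings.append(f"{repo}: unencrypted point {day}")
            # An expired lock means the point can be deleted or overwritten.
            if p["immutable_until"] <= now:
                findings.append(f"{repo}: immutability expired on point {day}")
    # Requirement 3: at most 15 minutes between log backups, up to now.
    if not log_times:
        findings.append("sql-log: no log backups recorded")
    times = sorted(log_times) + [now]
    for earlier, later in zip(times, times[1:]):
        if later - earlier > MAX_LOG_GAP:
            findings.append(f"sql-log: {later - earlier} without a backup after {earlier:%H:%M}")
    return findings

def sample(now):
    """Constructed inventory: daily points in every repository, all compliant."""
    points = [{"repo": repo, "taken": now - timedelta(days=i, hours=1),
               "encrypted": True, "immutable_until": now + timedelta(days=days - i)}
              for repo, days in RETENTION_DAYS.items() for i in range(days)]
    logs = [now - timedelta(minutes=15 * i) for i in range(1, 9)]
    return points, logs

if __name__ == "__main__":
    now = datetime(2023, 6, 1, 12, 0)  # constructed timestamp
    points, logs = sample(now)
    points[-1]["immutable_until"] = now - timedelta(days=1)  # simulate an expired lock
    for finding in audit(points, logs[1:], now):  # logs[1:] drops the latest log backup
        print(finding)
```

Running such a check on a schedule from a host outside the backup infrastructure shows a shrinking immutability window or a missing second copy before a restore depends on it.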


2 comments

Userlevel 7
Badge +20

That is great to see Victor and nice how you laid out the scenarios.  Really like seeing more about ransomware and how Veeam helps.  😎

Userlevel 7
Badge +7

> That is great to see Victor and nice how you laid out the scenarios.  Really like seeing more about ransomware and how Veeam helps.  😎

My customer accepted my proposed solution, ^^.
