Hello,
I would need to configure immutable backups for our DR site.
We have a Synology NAS which I would connect via iSCSI to the VM that will be LHR.
As I’m gone trough some documentation on Veeam for VHR I can see that there is an .ISO and a script for this.
Now the question is how would I approach this with adding iSCSi storage to it. I didn’t see a part where I can first do that then continue with VHR.
Answer
Veeam LHR and iSCSI
+1Best answer by MicoolPaul
Hi,
Before you proceed with this, I want to ask, have you considered the security risks of this? With network attached storage, and a virtual machine as the host, you’re making it really easy to undo the security benefits of LHR.
As a VM, there’s no way to disable console access, so access being gained to the hypervisor running the VM means access to the console, making it easy to reboot into single user mode as root and then destroying the data.
As the storage is shared over the network, the Synology becomes an attack point, why bother trying to destroy the LHR when I can log into the Synology and delete the disks, thereby breaking the immutability.
If you want to proceed down this route, does your Synology support running VMs? I’d suggest isolating your Synology from the network other than allowing its VMs to have network access, and then running LHR as a VM on the Synology with virtual disks interacting with the underlying storage. This will be more efficient at the data transport layer, and more secure.
+23Hi,
Before you proceed with this, I want to ask, have you considered the security risks of this? With network attached storage, and a virtual machine as the host, you’re making it really easy to undo the security benefits of LHR.
As a VM, there’s no way to disable console access, so access being gained to the hypervisor running the VM means access to the console, making it easy to reboot into single user mode as root and then destroying the data.
As the storage is shared over the network, the Synology becomes an attack point, why bother trying to destroy the LHR when I can log into the Synology and delete the disks, thereby breaking the immutability.
If you want to proceed down this route, does your Synology support running VMs? I’d suggest isolating your Synology from the network other than allowing its VMs to have network access, and then running LHR as a VM on the Synology with virtual disks interacting with the underlying storage. This will be more efficient at the data transport layer, and more secure.
Michael Paul - Opinions are my own and do not necessarily reflect the opinion of Veeam | https://micoolpaul.com | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.com
+1Hi,
Before you proceed with this, I want to ask, have you considered the security risks of this? With network attached storage, and a virtual machine as the host, you’re making it really easy to undo the security benefits of LHR.
As a VM, there’s no way to disable console access, so access being gained to the hypervisor running the VM means access to the console, making it easy to reboot into single user mode as root and then destroying the data.
As the storage is shared over the network, the Synology becomes an attack point, why bother trying to destroy the LHR when I can log into the Synology and delete the disks, thereby breaking the immutability.
If you want to proceed down this route, does your Synology support running VMs? I’d suggest isolating your Synology from the network other than allowing its VMs to have network access, and then running LHR as a VM on the Synology with virtual disks interacting with the underlying storage. This will be more efficient at the data transport layer, and more secure.
Hello
Thank you for this comprehensive response.
This is just trying it in our LAB before we continue to initial setup.
I need to double check if the Synology DiskStation can run something like Docker and try to implement it in that way.
What could be another option to have similar as immutable backups or air-gapped backups on the DR site with Synology DiskStation and iSCSI?
+23https://www.synology.com/en-global/dsm/feature/virtual_machine_manager
If you’ve got Synology storage then toughen up the security to the device and run the LHR as a VM 🙂 iSCSI will be slower VS direct storage access, it’ll be easier to secure this way too 🙂
Michael Paul - Opinions are my own and do not necessarily reflect the opinion of Veeam | https://micoolpaul.com | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.com
+1https://www.synology.com/en-global/dsm/feature/virtual_machine_manager
If you’ve got Synology storage then toughen up the security to the device and run the LHR as a VM 🙂 iSCSI will be slower VS direct storage access, it’ll be easier to secure this way too 🙂
Does it need to have internet access?
Can I configure just to have access to Internal network since I’m planning to “copy” Backup Copy Jobs that are in the second Synology NAS also located in the same location.
Second NAS is connected via iSCSI to Hyper-V VM over Ethernet cable.
Thank you for the great info 😁
+23Hi, it doesn’t need internet access, just local network access for communication to VBR. You can prevent the Synology management interfaces from being connected so only the VM network can communicate too, to prevent any backdoor access.
Michael Paul - Opinions are my own and do not necessarily reflect the opinion of Veeam | https://micoolpaul.com | Mastodon: @micoolpaul@masto.nu | Bluesky: @micoolpaul.com
+8I will attest that this works. I have a client running a Linux VM on a Synology NAS and it’s using the local storage as the XFS repo. Maybe not the best option, but probably better than running the LHR as a VM on the production cluster. I believe generally you just need to have a + NAS. For instance, the DS223+ (although that’s going to be a lower power 2-bay NAS, but you get the idea. I could be wrong on that, but last time I checked that was the case.
Derek M. Loseke, Senior Systems Engineer | Veeam Vanguard 2025 | Veeam Legend 2022-2024 | VMSP/VMTSP | VCP6-DCV | VSP/VTSP | CCNA | https://technotesanddadjokes.com | @dloseke
+1Hi, it doesn’t need internet access, just local network access for communication to VBR. You can prevent the Synology management interfaces from being connected so only the VM network can communicate too, to prevent any backdoor access.
So the Access to VHR can be restricted as much as it can be.
For the Synology Itself I should leave some network connection because of the security and firmware updates. I will give my best to restrict it as much as it can be with the firewall and rules.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.