Skip to main content
Question

Veeam Recovery Orchestrator - Clean Room / Requirements

  • May 21, 2026
  • 6 comments
  • 55 views
Stabz
Forum|alt.badge.img+9

Hi community! 

I’m working on an architecture to implement VRO with a Clean Room. 

I ll be in this kind of topology : 
 

I notice in the prerequisites, this point : 
“The current release of Veeam Recovery Orchestrator (v 13.0.1) requires at minimum an initial connection to the production vCenter to gather inventory and create restore plans using vSphere tags.
Connection to the production VBR is optional and only required to create restore plans based on backup jobs.”

The principle of a clean room is to have an environment that is completely decoupled from production, acting as a safe place to store and test backups, and as a trusted source for a clean recovery of workloads, even if the production environments are infected or compromised.
Opening network flows to production, even temporarily, seems to go against that principle in my opinion, even if those flows are limited. In my architecture, I have a production vCenter and most likely a dedicated vCenter for the clean room, since standalone ESXi hosts cannot be targeted/managed directly.

I’d be interested to hear your thoughts on this prerequisite.

Philippe DUPUIS |Veeam Certified Engineer | https://original-network.com/

    6 comments

    Chris.Childerhose
    Forum|alt.badge.img+21

    One question I would have is if this is a requirement once the connection is made and done doing what it needs can you remove it?  I get your point about clean room for sure.

    Chris Childerhose (Enterprise Architect) - VMCA | VMCE | VMCE-SP | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 7* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV/VCP-VVF | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
    dips
    Forum|alt.badge.img+7
    • dips
    • On the path to Greatness
    • May 21, 2026

    I think there is always going to be an element of some sort of connection back to production. What about the backups, how are they going to end up in the Clean Room? Maybe instead of opening up Veeam, would storage to storage replication be an option with the connection only required during the transfer?

    Dipen N. K. | IT Security Specialist | Veeam Legend 2022 - 2025 | Former Cyber Security Space VUG Leader
      eblack
      Forum|alt.badge.img+2
      • eblack
      • Influencer
      • May 21, 2026

      I think there is always going to be an element of some sort of connection back to production. What about the backups, how are they going to end up in the Clean Room? Maybe instead of opening up Veeam, would storage to storage replication be an option with the connection only required during the transfer?

      I stage cleanrooms without VRO but you make a good point here about connections. We segregate by using storage snapshots.  I will snap the production repo or DS and then mount those snaps as read only to a hotsite env buildout. In that site there will be a new fresh repo that mounts the snap vols or an ESX/VCSA env that mounts the DS. This works really well in practice. For s3 I’ve found the simple way to get to restores is to stand up a clean VBR and restore the running config with a backup copy from prod. After the restore all the s3 buckets come up clean and rehydrate just fine. 

        Stabz
        Forum|alt.badge.img+9
        • Stabz
        • Author
        • Veeam Legend
        • May 21, 2026

        One question I would have is if this is a requirement once the connection is made and done doing what it needs can you remove it?  I get your point about clean room for sure.

        VRO uses vSphere Tags for jobs and recovery locations. Tagging infrastructure components is necessary to create a Recovery Location and let VRO restore to an alternative site. It also lets the administrator set up a pool of resources that VRO can use to recover workloads.

        Tagging VMs allows the Orchestrator to bypass the connection to the production Veeam Backup & Replication server, and use exclusively the embedded VBR for recovery. 

        By using Restore Plans and VM tagging, the only required connection is to the vCenter. This connection does not need to be maintained continously: it is only needed when new VMs are added or removed and a rescan must be performed.

        Well… if you have a lot of modifications in your vSphere infrastructure you have to open the link ofen.

        I think there is always going to be an element of some sort of connection back to production. What about the backups, how are they going to end up in the Clean Room? Maybe instead of opening up Veeam, would storage to storage replication be an option with the connection only required during the transfer?

         

        In my case the backups are replicated throw an internal mechanism between the appliance during a specific time window.

         

        Philippe DUPUIS |Veeam Certified Engineer | https://original-network.com/
          Marcel.K
          Forum|alt.badge.img+12
          • Marcel.K
          • Veeam Legend
          • May 21, 2026

          Restoring into clean room is one part. How about with continue of backups if VBR is missing in clean room?

          Marcel Kačmár | VCSP Partner 2022 | VMCE 2024 | VMCA 2024 | Veeam Legend 2025 |
            Stabz
            Forum|alt.badge.img+9
            • Stabz
            • Author
            • Veeam Legend
            • May 22, 2026

            Restoring into clean room is one part. How about with continue of backups if VBR is missing in clean room?

            In my case we have also an restart room, where there is an sleeping VBR, but in VRO you have an embedded VBR which could be used for backup.

            Philippe DUPUIS |Veeam Certified Engineer | https://original-network.com/
              Terms & ConditionsAccessibility statement