You can do either option as it is when you create the virtual lab you specify the host(s).  See here - https://helpcenter.veeam.com/docs/backup/vsphere/surebackup_hiw.html?ver=120

It doesn’t really matter ​@dario72 because the Data (Virtual) Lab created for use with SureBackup is completely isolated from production. That said, if you have enough resources for a separate SureBackup environment, that would be best, so long as the networking is setup up to mirror your prod so you have valid testing.

Hope that helps.

This means that the Surebackup Esxi host must have the same port groups as the productive ESXi?

Ideally, yes; but when you run the SureBackup job, a NAT appliance is created to isolate the prod network from your backup testing VMs. The link Chris shared above shows via diagrams how it looks and what each component does. Hope that helps.

I think both options are ok. 

Maybe you should look on  rest of things like licenses and if it make sense to use dedicated esx for sure backup only. Maybe is big and is waste of resources. So you can use it for production as well and just limit number of parallel VMs proccessed by sure backup.

Another thing is like mentioned above. You need to configure all networks, firewalls like NSX ... it will be more complicated for operational team ...

If you will use dedicated vCenter. You need to register it in Veeam console and adding premission for customer in enteprise manager ... From my point of view is btter to have solution simple as possible to be easy to operate it by admin in prodution .... 

You do not need a separate vCenter just to run SureBackup. You can and typically should configure SureBackup on the production vCenter, while using a dedicated ESXi host (or cluster) for running SureBackup jobs.

​@dario72  If you use a dedicated ESXi host and it is used for production to verify sure backups, pay attention to the ESXi network configuration

• Isolated Networks: These are the networks within the Virtual Lab that mimic your production networks. They are designed to be completely cut off from your live environment to prevent any interference.

• Port Groups: In VMware vSphere, port groups are used to connect virtual machines to virtual switches. For SureBackup, Veeam creates specific port groups for the isolated networks.

Key Considerations for Isolation

• No Uplinks (Standard Switches): If you're using Standard vSwitches, the isolated port groups created by Veeam will typically have no physical uplinks. This ensures that traffic within the virtual lab cannot leave the ESXi host and interfere with production.

• VLAN Tagging (Distributed Switches - dVS): For environments using Distributed vSwitches (dVS), which are common in multi-host setups or for SureReplica, physical isolation via uplinks might be used, or more commonly, VLAN tagging is employed. You assign a unique VLAN ID to the isolated port group that is not used in your production environment. This VLAN should also be isolated at your physical network hardware level (e.g., by filtering this VLAN ID) to prevent any leakage.

• Masquerade Network: To allow the Veeam Backup & Replication server to communicate with the VMs in the isolated lab, Veeam uses a "masquerade" network. This is a separate IP range that is routed through the Virtual Lab appliance. The original VMs in the lab retain their production IPs, and the Virtual Lab appliance handles the translation.