Skip to main content

How To: Use Veeam Recovery Orchestrator for Clean Rooms!

ertelle1

First I want to give recognition for this script and setup to Senior Solutions Architect Claudio Fortuna! Thank you for your contribution. 

A new Orchestrator strategy for Security teams and DR teams alike! Organizations looking to scan their backups for malicious threats either before, during, or after an incident can now use Veeam Recovery Orchestrator (VRO) to scan backups from their copies, within an isolated environment. So how does this work?

First, let’s talk about the architecture: organizations with a secondary environment or a true clean room (that is off the domain) can leverage Orchestrator and the embedded Veeam Backup & Replication (VBR) server to import and restore from backups or backup copies. With this scenario in mind if you were to lose the original backup server, the embedded backup server in Orchestrator can take control of the backups. To automate this process a script is included that will be part of the restore plan. A restore plan automates the recovery actions of the vSphere VMs we are looking to recover in the clean room. Part of the actions even include an AV scan as well as a YARA Rule Scan, which will search for patterns or indicators of compromise when restoring the VM from a backup. Once the VRO server has control over the backups, the restore plan can be initiated to run, and VMs from backups can be rebuilt and scanned into your clean room. So, what do we need to get started?

  • Production VBR server running in Production datacenter.
  • Secondary environment (a true clean room will be off the domain) with Veeam Recovery Orchestrator running here, and a second VMware vCenter Server.
  • A backup repository at each location with backups being handled by the primary VBR server.
  • Script (provided here) which is a pre-plan script to attach the repository to the embedded VBR server.
Pre-plan Script to Seize the Repository
  • Optional Script to detach the repository for post-plan execution.
Post-plan Script for Clean-up
  • A restore plan to orchestrate this entire workflow
VRO Clean Room Architecture

The Set Up

First, in Veeam Recovery Orchestrator under plan steps we will need to add in a new custom script step. For this custom script it was named “Seize Repository” as part of the script we will also include a timeout period of about 10 minutes to ensure the Orchestrator Data Collection has time to inventory the backups and restore points. If your environment or backups are larger this can be extended.

Add Custom Plan Step which includes the script for seizing repository

Create a Restore Plan selecting your secondary Recovery Location, as well as your backups that you want to test. Next, we will add in the new plan step we created as part of the pre-plan steps of the restore plan.

Create Restore Plan with pre-planned script

Next, we will execute the restore plan. Keep in mind we set the timeout period to 10 minutes to give Orchestrator plenty of time to inventory the new restore points before proceeding to the next steps for starting VM recovery and scanning of the machines. For larger environments it might take longer than 10 minutes for the data sync to complete, but you can customize this for your environment.
 

Watch the progress of the data sync
The Pre-plan steps will show completed with a warning sign
Valid restore points found

The Outcome

Validated VMs recovered from backups into an isolated environment for any DR or security needs. Organizations can use this method to test multiple VMs from backups to ensure validated clean recovery. With a documented and repeatable process, users can be sure that their backups will work for them when they need it the most.

Mildur
marco_s
Raffaele Valensise
12 people like this
  • Mildur
    Mildur
  • marco_s
    marco_s
  • Raffaele Valensise
    Raffaele Valensise
  • AlecKing
    AlecKing
  • Andanet
    Andanet
  • J
    jAcord
  • spenceratx
    spenceratx
  • rico.wezenberg
    rico.wezenberg
  • ClaudioFortuna
    ClaudioFortuna
  • Matt Crape
    Matt Crape
  • Dynamic
    Dynamic
  • leduardoserrano
    leduardoserrano

3 comments

marco_s
Forum|alt.badge.img+8
  • marco_s
  • Influencer
  • 369 comments
  • September 3, 2024

Very interesting feature, thank you @ertelle1!

Marco Sorrentino - Italy | System Engineer | VMCE & VMCA
D
  • DanielH
  • New Here
  • 1 comment
  • October 23, 2024

Great use case for VRO! 

QQ. This would require for Orchestrator Agent to be installed on production backup server, correct? Otherwise, orchestrator server would not have backup job (TVM 100 Backup Job in your case) within its inventory to be able to select it as source for a recovery plan. That said, is a permanent connection between VRO and production backup server a requirement? 

 

sajjad ali
  • sajjad ali
  • Not a newbie anymore
  • 3 comments
  • October 24, 2024

Using Veeam Recovery Orchestrator for clean rooms involves several key steps to ensure a seamless disaster recovery process. Here’s how to effectively implement it:

  1. Set Up Your Environment: Ensure you have a Veeam Backup & Replication environment configured, as Recovery Orchestrator integrates with it.

  2. Define Recovery Plans: Create recovery plans that outline the steps for restoring applications and systems. Include details on clean room requirements, such as isolation from the main network to prevent contamination.

  3. Test Your Plans: Use the built-in testing features to simulate recovery scenarios in a clean room environment. This helps ensure that your recovery processes are effective and meet compliance standards.

  4. Automate Recovery Tasks: Leverage Veeam’s automation features to streamline recovery tasks, such as starting virtual machines, restoring backups, and validating data integrity.

  5. Monitor and Document: Continuously monitor recovery operations and document the process. This documentation is crucial for audits and for improving future recovery efforts.

By following these steps, you can effectively use Veeam Recovery Orchestrator in clean room environments to ensure reliable and compliant disaster recovery operations.

Sajjad

Comment


Terms & Conditions