Using object storage as a backup target
Post Reply
mbroaders
Service Provider
Posts: 59
Liked: 2 times
Joined: May 15, 2012 9:06 am
Full Name: Martin Broaders
Contact:

Immutability on Capacity Tier Move

Post by mbroaders »

Scenario is as below

Scale Out Repo 1
On Premise Veeam Hardened Repository
Primary Repository
30 days backups
Copy Mode to Wasabi

Scale Out Repo 2
On Premise Windows Repository
Backup Copies
12 Monthly GFS Points
5 Yearly GFS Points
Move Mode Enabled to move anything older than 1 month to Wasabi


Client wants immutability on all cloud points (Copied and Moved). What is the best way to configure this? I think i am confusing myself by reading the Block Generation support article.

Mildur
Veeam Legend
Posts: 1680
Liked: 674 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: St. Gallen, Switzerland
Contact:

Re: Immutability on Capacity Tier Move

Post by Mildur »

You can activate Object Lock on the Capacity Tier.
You can configure max 90 days in the GUI. Veeam will add 10 days to that value (Block Generation rule).
You can‘t activate Object Lock on existing buckets. You have to start fresh and configure them.

If you want more than this 100 days immutability on the s3 Object Storage, you need to use Powershell (999 days max value) to configure it. I don‘t recommend that.

https://helpcenter.veeam.com/archive/ba ... itory.html

Code: Select all

 Set-VBRAmazonS3CompatibleRepository -Repository <VBRAmazonS3CompatibleRepository> -ImmutabilityPeriod <int32>

—————-

For your SOBR 1 scenario, you will need weekly full or the object lock could be a problem if the full backup needs to be merged with the oldest increment.
VMCE 2021 | Veeam Legends 2021
Working with Veeam since 2017 for a VCSP in Switzerland

mbroaders
Service Provider
Posts: 59
Liked: 2 times
Joined: May 15, 2012 9:06 am
Full Name: Martin Broaders
Contact:

Re: Immutability on Capacity Tier Move

Post by mbroaders »

We will have weekly Synthetic fulls on SOBR 1 so I think we are ok with this.

For SOBR 2 I am still confused. The plan is to move monthly and yearly backups up. The desired retention and by extent the desired immutability period for monthly backups is 12 months and 5 years for the yearly backups.

Is this achievable with the setup outlined above?

Mildur
Veeam Legend
Posts: 1680
Liked: 674 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: St. Gallen, Switzerland
Contact:

Re: Immutability on Capacity Tier Move

Post by Mildur »

I would try the config with 7-30 daily Restore Points and GFS with weekly, monthly and yearly fulls, and configure to move inactive chains after 30 days to capacity tier, then it could work with the only GFS Restore Points to Wasabi. I don‘t have my onpremise object storage to test it out for you yet.

But you cannot configure object lock for 5 years on a capacity tier. Max value in the shell is 999 days. This is around 3 years.

post391289.html#p391289
VMCE 2021 | Veeam Legends 2021
Working with Veeam since 2017 for a VCSP in Switzerland

mbroaders
Service Provider
Posts: 59
Liked: 2 times
Joined: May 15, 2012 9:06 am
Full Name: Martin Broaders
Contact:

Re: Immutability on Capacity Tier Move

Post by mbroaders »

Thanks Mildur. That’s exactly what we are planning for the SOBR 2 points. 7 restore points, then Monthly and Yearly.
You have given me a bit to think about. I think even setting 1 year immutability on the SOBR 2 repository could be enough and that as you brought up is doable via powershell.

mbroaders
Service Provider
Posts: 59
Liked: 2 times
Joined: May 15, 2012 9:06 am
Full Name: Martin Broaders
Contact:

Re: Immutability on Capacity Tier Move

Post by mbroaders »

Just to come back to this, my initial confusion came from reading the following article about the hardened repo and assuming that the same settings took place when being sent to Object Storage. I take it that this isn't the case?

https://helpcenter.veeam.com/docs/backu ... ml?ver=110

GFS backup files

If the backup repository is part of a scale-out backup repository with the capacity tier added, the immutability period for full backup files with GFS retention policy is set according to the backup repository setting.

Otherwise, the following periods will be compared: the immutability period set for the backup repository and the GFS backup file lifetime. The immutability period for full backup files with GFS retention policy will equal the longest of these periods.

Gostev
SVP, Product Management
Posts: 29094
Liked: 5356 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Immutability on Capacity Tier Move

Post by Gostev » 2 people like this post

Yes, with SOBR it's a bit different, depending on the tier.

Capacity Tier provides short-term lock. The original goal for this functionality was the protection of recent backups against ransomware. Besides, long locks were perceived dangerous on expensive hot object storage classes (as you're going to be stuck with paying for storing your backups for as long as the lock was set, potentially years). Finally, for Amazon and Azure at least, backups are not supposed to stay on Capacity Tier for an extended time in any case, as there's also Archive Tier. And locking them for the entire retention duration on Capacity Tier would prevent offload to Archive Tier.

Archive Tier on the other hand functions just like hardened repository. We had no long-term data lock concerns here since it is 20 or more times cheaper than hot object storage.

mbroaders
Service Provider
Posts: 59
Liked: 2 times
Joined: May 15, 2012 9:06 am
Full Name: Martin Broaders
Contact:

Re: Immutability on Capacity Tier Move

Post by mbroaders »

Thanks Gostev appreciate the response. When you say that Archive Tier functions just like a hardened repository is this not only the case when using Amazon S3 Glacier? If Azure Archive Tier was used couldn't someone delete the backups using the Veeam Console before the retention period was up?
There seems to be a lot of caveats in and around immutability and the type of storage it is on.

Gostev
SVP, Product Management
Posts: 29094
Liked: 5356 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Immutability on Capacity Tier Move

Post by Gostev » 1 person likes this post

That is correct: Azure Archive Storage does not yet officially support Object Lock, the technology is currently in preview.

Post Reply

Who is online

Users browsing this forum: pirx and 11 guests