Virtual Linux Hardened Repository Best Practice Clarification

[CatMDV]

I have a situation for which I could not quite figure out the best practice. For a short recap:

- Running a dedicated SAN storage
- SAN is directly connected to a physical server running vSphere (that is standalone and outside vCenter environment)
- This physical server runs 2 Repository server VMs with storage in RDM physical mode connecting to the SAN storage LUNs
- The physical server then connects to the rest of the network.

The best practice guide here https://bp.veeam.com/vbr/2_Design_Struc ... repository says it is NOT recommended to use VMs for hardened repositories in production environments and the reasons stated are mostly due to security controls.

But as you can see, my situation is a bit unique since the repository server is already a separate physical server, only that the physical server is using VMs because I want to run more than 1 repo for different types of workloads. The BP says "Ideally the Linux Hardened Repository should be an administratively and physically isolated system.", which it kind of is in this situation.

So my question is, if I am OK with the security concerns, are there any other reasons for not opting for VMs when using hardened repositories? And alternatively, what would you suggest my setup/design be in a scenario where I have dedicated SAN and physical server to run the repository environment, but I need to run more than one repository servers on it at the same time?

[haslund]

You can have more than one repository on a Linux Hardened Repository, what is the reason you would like to split it up to two repository servers instead of two repositories on a single Linux Hardened Repository?

The primary benefit of the Linux Hardened Repository is immutability - the ability to prevent malicious/accidental deletion of backups. By virtualising the server, the entire VM could easily be deleted thus defeating the primary benefit of the Linux Hardened Repository.