Best way to architect Veeam and onsite immutability?

[NorthGuard]

What is the best and cleanest way to setup onsite immutability for B&R, given that Veeam B&R can't run on Linux and immutability must run on Linux?

I could just go the *easy* way and drop in 2 boxes:

-Windows Box running B&R
- Linux Box with immutable storage

But them I am putting in 2 boxes at clients.

I could drop in ESXi with 2 VMs - one for B&R and one for Linux?

Just curious how everyone is handling this?

[Gostev]

You would not want to have a backup server running on the same server as your hardened repository though? The latter is all about reducing the attack surface to absolute possible minimum, so running an application server on this box is just wrong.

For the very same reason, you would not want to run a hardened repository in a VM, because you're immediately adding the entire hypervisor host to the attack surface. Anyone who controls the hypervisor can just nuke the entire machine.

This means your hardened repository must always be the dedicated physical server, while for the backup server you have all the flexibility: you can run it on the existing server, in a VM, on a standalone server etc.

[NorthGuard]

I am 100% with you and is why I was asking.

I don't like the idea of both being on the same box as instances, because that defeats the purpose ( like you said ).

In the case of a businesses with a single, on-prem server ( ie., dc ) would you:

- run B&R as a VM instance on that server and just have a 2nd box as the immutable storage repository?
- run B&R directly on that server and just point the repository to the immutable location?
- put in another box that just acts as the B&R server?

[LickABrick]

If I understand correctly in both instances you would only have 1 copy of your backup (2 if you include production data). I would suggest using the 3-2-1 (https://www.veeam.com/blog/321-backup-rule.html) rule.

I would use the 2nd box as a physical VBR server and repository and use something like Wasabi (https://wasabi.com/) as a immutable cloud backup. In this case you would fulfill the requirements for the 3-2-1 rule.
Currently you need to use a scale-out backup repository but in V12 you can backup directly to S3 repositories.

It sounds like your customer is kinda small so Wasabi should be pretty affordable as well.

[NorthGuard]

I do currently keep backups offsite, but my on-site backups are not immutable. I am exploring that option and the nature is my post is the best way to do that,

[Gostev]

Honestly, for smaller clients I would just have an immutable offsite copy and call it a day.