Best way to design and run an air-gapped datacenter

[KarmaKuma]

Wondering what options natively exist in Veeam world to have our prod datacenter backups (mainly VMs and NAS) restored to an air-gapped "warm stand-by" DR datacenter? The DR datacenter will have internet connectivity at all time (so it's not a dark site in classic terms) and be a technically identical but slightly scaled down clone of our prod datacenter (exactly the same hw, even down to the firewalls, switches, etc.), just less compute/storage (and single site, prod is active-active dualsite).

The context is to have an emergency datacenter infrastructure in an operational state of "we're ready to restore and access prod data at any time", should we be hit by a cyberattack that also "administratively kills" our prod datacenter infra. Time is money, so we do not want to spend days/weeks rebuilding the datacenter infra (if at all possible) before hopefully being ready to execute the first restore... ...As soon as forensics tells us which backup sets *should* be clean/usable, we want to be ready for restore action. This will also provide forensics the optimal grounds for analysis (think "yes yes, keep prod for a while in analysis state, we do not need it back for rebuild").

The DR datacenter would surely have its own "locally productive" Veeam server, proxies, repos, etc. to be able to backup local data. Such infra has its own "prod" aspects that need being backed up. Also once prod data has been restored into the DR infra it needs being backed up "in there".

But how do we get the prod data from prod repos (Veeam Vault) into the DR datacenter when struck by an attack? And on regular basis when doing test-runs? The two datacenters and their infra shall be "shared nothing/air-gapped" except DR having access to the prod Veeam Vault repo... Without interference from the DR backup infra into the prod backup infrastructure, obviously. Simply mounting the prod Veeam Vault repo from within the DR backup infra while the prod backup infra is up (think regular DR test-runs), probably is a big no no?

P.S. Business commitment is a given from a CAPEX and OPEX perspective

[nathano]

I think VRO will be in your future

https://www.veeam.com/products/veeam-da ... ation.html

[KarmaKuma]

Thanks for the feedback nathano. Would you mind trying to give me an idea on how VRO could/would help us to achieve this? I did read into several aspects of VRO and it seems to mainly focus on restore automation (as its name implies). Is there some feature I missed that would help us in achieving "visibility" into prod backup data via VRO that is unavailable without? Can VRO and some additional components be used to "bridge" prod and DR that is otherwise impossible? Something like:

Prod Backup Data <-> VRO <-> Air gapped DR Veeam environment


Do you have some links to information that showcases this?

Thanks again!