I am trying to form a strategy for our backups. We are a small shop with a limited budget...of course. We are also very sensitive right now to protecting our VMs against ransomware attacks. We have security solutions in place for that, but I also want to make sure we have an "air-gapped" backup solution. Here is what I am thinking and I would like to get your feedback.
PRODUCTION ENVIORNMENT
2 Node Hyper-V Server setup as hyper-converged using Starwind vSAN
Approx 15 TB of data to be backed up. Will grow as time goes on.
Veeam B&R running as a VM in the Hyper-V cluster
2 Synology NAS serving as repos for Veeam.
- Each has an SMB shared folder presented to Veeam
- Separate backup jobs (backing up all VMs) in Veeam for each NAS
- Backup jobs are scheduled at opposite times of day for each NAS, because...
- Each NAS is connected to its own network switch that is connected to power via a smart outlet that we can set on/off schedules
- The outlets are scheduled in such a way that only one network switch is ever on at a given time (which is also when the Veeam job is scheduled for that given NAS). This helps ensure that an air-gapped NAS is always off the network with a good backup. The main hitch I can see here is that if the schedule goes long enough before we discover the ransomware, the other NAS could come online and also get encrypted, but I think that possibility is low. We would discover the issue in time to pull the good backup out of the timer schedule.
One Synology NAS at a remote location connected to the internet via 50mb up connection
- I'm not sure what the best approach here is for getting the data on the Synology. We don't have the budget or the location to setup an actual server at the remote location so I am hoping I can solve this with the NAS. My first thought is using the replication features built into the Synology and replicate one of the local NAS to the remote. But, I do not have experience with their software to know how stable it is.