Is my topology correct?

[shlomia]

Hi, I recently made some changes / upgrades in my topology and I was wondering what are your thoughts about it because I'm experiencing high load on my storage server.
So, the storage it self is EMC 4012 configured with 4 nics (10G each) with multipath.
The disks are hybrid, SSD for the cache tier and SAS for the storage tier.
I connected the EMC via iSCSI to my VMware vCenter, then I created a linux VM with OpenMediaVault installed and attached a disk from EMC to the VM it self.
The linux server specs: CPU (Intel(R) Xeon(R) Silver 4216 CPU @ 2.10GHz) assigned 8 Cores. 32 GB RAM.
I then created few SMB shares and added it as repository to my Veeam console.
It works pretty good, but I keep getting alerts for high load on the VM and high disk latency.
synthetic full backup are pretty slow.
https://i.imgur.com/JmJTxKa.png

This is a screenshot from my VM using glances:
https://i.imgur.com/aH6H2xZ.png

I created the linux OMV because I wanted the ability to use SMB for authentication.. I have few servers backing up stuff to this server.

Thanks

[Mildur]

Hi Shlomi

I then created few SMB shares and added it as repository to my Veeam console. Synthetic full backup are pretty slow.

Using SMB shares as repositories is a bad choice for doing synthetic full. You won't be able to use Fast Clone, which means you need a lot more storage and longer processing time for your Synthetic Full Backups. You should enable only Active Full when using SMB Shares. For Synthetic Full, data blocks must be transferred from the SMB Share to the gateway server and then written back to the SMB Share as a new Synthetic Full backup. With Active Full, data blocks will only be transferred once from the gateway server to the SMB share.

If it has to be a Linux VM as a backup repository server, please use a Linux OS like Ubuntu and use the available storage as an XFS partition. Add this VM as a Linux Repository. Then you can use Fast Clone which gives you space less and faster Synthetic Fulls processing.
Please also make sure that this VM is not running on your production VmWare Server. And have a backup copy outside of this infrastructure. Maybe Backup Copy to Object Storage (V12) or a capacity tier (V11+V12)

Best,
Fabian

[shlomia]

Hi,
I'm thinking about 2 options, please advise me what is the best option
Right now, my Veeam B&R server ( console ) is a VM on my production VMware environment.
my EMC is connected via iSCSI to my ESXi's on a specific portgroup & vlan.
I understand this is a huge no no.
So, Option #1:
Physical server for Veeam B&R server ( Install windows OS and Veeam B&R on it? ).
Then, I will use iSCSi on it to connect it to my EMC.
I have a question about that:
I'm suppose to use that EMC storage for other stuff as well, and not only Veeam jobs.
I have SQL / IIS servers that write logs / backups via SMB to that storage.
So, if I move the iSCSI connection directly to the physical windows server, how can I give access for the other servers to write as well? ( in secure way ) SMB shares?

Option #2:
Keep the Veeam B&R as a VM in my production environment, but this time I will connect the iSCSI directly to the guest OS and not my ESXi's, I guess that way, if someone get malicious access to my vCSA, he won't be able to delete the datastore or something, right?
But, if he gets access to my vCSA, he could just console inside my Veeam VM and delete the backups from the attached iSCSI disk?
Is there "Immutable" backups solution? I'm not sure I'm correct but Veeam immutable backups is only for AWS S3 storage?
And, today I have backup copies to a cloud service provider and I just noticed that I can easily delete the backups from my Veeam B&R console, is there a way to restrict that? so anyone that somehow get's access to my Veeam B&R Console, won't be able to delete these external backups.

Thanks!

[shlomia]

anyone?

[Mildur]

Hi Shlomi

But, if he gets access to my vCSA, he could just console inside my Veeam VM and delete the backups from the attached iSCSI disk?

Correct. But he can also just delete your Repository VM if the backup storage is a virtual disk on your vSphere host. That's why I asked if you have a different infrastructure.

Is there "Immutable" backups solution? I'm not sure I'm correct but Veeam immutable backups is only for AWS S3 storage?

There are other solutions. In V11 we have our Hardened Repository. You can use a Linux machine as a repository and use it as a hardened repository.
And Veeam Backup & Replication V12 will bring immutability support for Azure Blob and HPE StoreOnce.

And, today I have backup copies to a cloud service provider and I just noticed that I can easily delete the backups from my Veeam B&R console, is there a way to restrict that?

Your Service Provider can enable a feature called Insider Protection. Every Backup you delete on your side will be moved to an unreachable recycle bin on the service providers repositories for a few days until it's deleted forever. You can check with your Service Provider if he has enabled that feature.

I have SQL / IIS servers that write logs / backups via SMB to that storage.
So, if I move the iSCSI connection directly to the physical windows server, how can I give access for the other servers to write as well? ( in secure way ) SMB shares?

Would it be possible to backup this data with Veeam? What log files are we talking about? Connection Logs? Or Transactions Logs?

I would go with Option 1.
Use a dedicated host as a VBR Server and connect your EMC with iSCSI (reFS 64kb formatted disks for FastClone support). Use Cloud Connect for your copy. But check with your Service Provider if he supports Insider Protection and how long. You need it to have a protection against unwanted deletion.

If Insider Protection is not available, check out one of the immutable repository solutions we support. Maybe Option 2 could be an idea then. Use your existing VBR server inside a VM and buy a physical server for a hardened repository with immutably support.
Protect the VBR server with MFA for local and remote logins.
You can use iSCSI storage from your EMC appliance with a hardened repository, but consider that you need additional protection for the EMC appliance. An administrator can delete the iSCSI LUN on the EMC appliance. The immutability of the backup files inside the iSCSI LUN will be ignored.

Best,
Fabian