NIST/ITAR compliant cloud repositories with immutability

[CaliMSP]

Hi all,
We have a client under NIST/ITAR compliance and they need off-siting for Veeam backups to a compliant cloud repository. Ideally it should have latest storage features such as immutability support. Does anyone know of any Veeam Cloud repositories that are NIST and ITAR complaint (must be US based with all US staff).

Thanks

[HannesK]

Hello,
and welcome to the forums.

Just to be sure... which "Veeam Cloud repositories" are the focus? Veeam Cloud Connect or Scale-out repositories with immutable object storage as capacity tier?

Disclaimer: I'm not familiar with the regulations you mention, but I assume the following:

1) for cloud connect: a compliance Veeam cloud service provider with Hardened Repository in the backend might do the job
2) for object storage: a compliant S3 compatible (with immutability support) object storage provider should do the job. I assume that Amazon & Co have the required certifications
3) If it's more about Veeam itself, then we have a dedicated department for US government services which they / you could contact.

Best regards,
Hannes

[Andreas Neufert]

@JoseM

[CaliMSP]

We are looking for an object storage provider and I just found out that apparently WASABI is NIST compliant for US datacenters. It that it will satisfy this requirements. https://wasabi-support.zendesk.com/hc/e ... -EAR-data-

However, It's probably best if I provide the end goal of what we are trying to do and maybe get some additional details even if we already identified Wasabi as the likely choice.
Setup
2 vmware servers
1 onsite NAS storage with SSD caching
Veeam
- proxy on each server
- cross replicating live VMs between two servers
- daily reverse incremental backup jobs to the NAS (primary backup) (60 days)
-

Goal
- off-site storage for a total loss disaster situation
- encrypted, geo-distributed, immutable (until it ages out), off-site backups at a low cost NIST compliant storage provider
- much smaller backup chain, maybe 4 restore points
- ideally the backup should be as fresh as possible considering time needed to push off-site, but no older than 1 week
- off-site job should not block on-site jobs from executing and creating new restore points.

Questions:
1) How to configure job so it backups daily on-site, even while it is in the process of uploading a restore point off-site (so that they don't interfere)?
2) Can it do so from reading existing on-site backups to create a new backup in object storage instead of "copying" on-site backups to the cloud?
2) Any performance tuning tips to consider when configuring Veeam for off-site jobs to object storage over public internet?

[Andreas Neufert]

Veeam Scale our Backup Repository with Cloud Tier can process backups locally while offloading is running. The backups get priority.

It all depends on the Repository Task slot definition. it processes one VM disk for backup or offloads one restore point to the cloud. The offload runs when the task slots are not used for backup.

At the Object Repository definition you can tune how many task slots are maximum used for offloading. Each task slot will use 64 connections to the object storage. Wasabi usually can handle more than 2000 connections for a bucket so that you usually do not have to tune anything. I recommend to enable Immutability for the backups and enable encryption. The offload is always incremental forever.

[CaliMSP]

As I'm going through SOBR and Tiers in documentation, it seems that I can't specify a separate backup schedule for off-site to capacity tier. (for example from 60 daily restore points, only make synthetic weekly backups to be uploaded to the Capacity Tier once a week). It will copy and/or move all restore points from one of the existing backup jobs only.

Since uploads to a cloud take much longer than to on-site storage, I'm strongly considering having a regular daily backup for on-site and then creating a separate backup job that would run every 3-4 days or even every week and then those get uploaded to the Capacity Tier (cloud).

It would be great to see a new feature that would do GFS type of a backup created in Capacity tier from existing "local" backup chains by reading the daily chain.

[Mildur]

Hi Cali

With V12, there should be direct backup functionality to Object Storage. I don‘t know exactly how it will work, I‘m not working for veeam.
But this could help your request. Creating a backup job or a backup copy job which runs one only on the weekend. I think it will be possible.

[Andreas Neufert]

Hi Cali, you missed me saying that it is incremental forever upload. So it is better to upload daily the compressed changes as every now and then a full file.

[HannesK]

yep, V12 brings the missing requests like the requested 4 restore points or a separate GFS backup chain.

I also recommend checking out the FAQ