Off-site Backup Copy Setup

[hmusa]

I want to verify a few things to see if I understand the infrastructure correctly - sorry if these are stupid questions.

a) I have a vSphere setup in-house that I'm backing up with B&R v7. My Veeam Server is doing everything: backup server, repository, proxy. Everything is clean.

b) I setup an Amazon EC2 Instance and opened up security groups to allow all traffic pushed to it from our office WAN IP. I installed B&R here on the EC2 as well.

c) I created a Repository on a) pointing to the public IP address of b). It recognizes the installation out there, confirms the backup directory, confirms NFS directory and ports, everything looks good. I setup the Backup Copy to look to this Repository, and the copy works properly - though I'm still futzing with how to throttle the consumed bandwidth.

I see two places to setup throttling. One inside any Proxy, it seems to access global throttling rules by IP route. Two, inside the Repository, theres a box called data ingestion rate. What's the difference between these two? (Odd that the former is Mbps and the latter is MB/s.)

Is there any reason to setup a proxy on b) the remote EC2 machine? It seems like there's no reason to go into the GUI on that machine. The install just gets the service agents going, but aside from licensing there's nothing else to setup. I've read a lot of about people doing proxy-to-proxy replication, and I'm curious if that would bring some benefit in a Backup Copy scenario - like utilize the CPU's out on the EC2. In the Backup Copy, I don't see a place to choose a Proxy, so maybe this should be telling me something.

Is this secure? I notice that the Proxy on a) has a tick-box to select network encryption, but I'm not sure this is the path I'm using. It seems like it's going from the backup server on a) to the repository (through a to b). But maybe everything the backup server crunches goes through its Proxy.

Thank you for your patience - having a thick-brain day.

[edfops]

Data ingestion rate is at the disk level which is typically MB/s, the global throttling is meant for your network bandwidth which is measured typically in Mbps.
Since you are concerned with how the WAN link is used, use global throttling. I suppose setting data ingestion instead would work, but not quite the way it is intended to be used.

I would not register the EC2 server as a proxy in your current situation, you are not using it for traditional backup jobs (Backup Copy is a purely separate concept and should be treated as such). You certainly could with no impact to the server, up to you really.

Great question on encryption as I believe it would not be used as you suggest (proxy does not come into play), do you have encryption on the point-point connections (network layer)? There is no encryption at rest but I imagine EC2 handles this aspect.

[veremin]

In this case, you need to use global throttling rules. They should be applied between two VB&R agents - "source" (source repository) and "target" (target repository) ones. Thanks.

[foggy]

Is this secure? I notice that the Proxy on a) has a tick-box to select network encryption, but I'm not sure this is the path I'm using.

This setting refers to network traffic encryption between the host and the proxy server (source data retrieval) only. Moreover, proxy servers are not involved in the backup copy at all, but Veeam agents installed on source and target repositories are (or WAN accelerators, if WAN accelerated mode is used). Currently traffic between Veeam agents is not encrypted, so it is recommended to have VPN if you are backing up/replicating over internet.

[hmusa]

Thanks everyone! It's great to work with people who read and understand all of this. Perfectly answers my questions, but begs another.

If I understand correctly then, one might setup a proxy on b) the Amazon EC2 instance. Create a job there pointing to the hosts on a) my LAN. Tick the box to encrypt traffic between the host/s and that proxy server. And 'pull' encrypted backups offsite. Is that a common use scenario? Would that be less efficient then the Backup Copy setup?

I'm having issues standing up a reliable VPN, so I'm exploring workarounds to avoid additional costs there. Might be inevitable though.

[veremin]

If you start backing up to cloud location directly, using EC2 instance as the proxy, then, the data will cross WAN link in uncompressed, undeduplicated state; something you'd like to avoid, from my perspective. Thanks.

[hmusa]

Excellent. Thank you all very much!

[veremin]

You're welcome. Feel free to ask, if any other questions arise. Thanks.