Questions on offsite backup architecture

[rreimche]

Hello dear Veeam community,

on the main company site we have several servers and one Backup-Server with Veeam. On this server we backup other servers which are Hyper-V virtual machines. We also want to have an offsite-copy of some important data available as windows network shares on site one. On the other site, where the copy should be placed, we want to have a Windows Server which should play 2 roles:
- secondary domain controller (for the case when the primary one on the other site is not available);
- veeam gateway server.
In the same network of the site 2 we want to put a simple windows workstation (not a server machine), USB-attach an Overland Tandberg RDX QuikStor with a several TB cartridge, make the storage a network share and add this share in the Veeam server on site 1 as backup repository. Then we want to create a backup job that saves the important data to this repository.

- amount of important data: less that 1 TB;
- the sites are connected via IPSec VPN over WAN with about 100 Mbit/s max throughput (which is in practice around 60-70 Mbit/s);
- the two sites are in different subnets;
- the important data should be available for backup job in the form of a windows network share (other options are welcome too).

I would be grateful for answers on any of the following questions:
- wouldn't it be better to attach the RDX-Storage to the Gateway Server directly, not to another computer in the respectable network?
- do I need to install Veeam to Gateway Server and use a separate license or does it work by installing an agent, controlled from the main backup server?
- may we select certain data from the backed-up or source virtual machines directly to avoid using network shares in the source network?
- is this architecture viable at all? What am I missing or what could be made better?

Thank you very much in advance for the help!
Roman

[Mildur]

Hi Roman

- is this architecture viable at all? What am I missing or what could be made better?

Will the RDX media be in the Drive all the time or do you have planned to rotate different medias? If you leave them in the Drive, you won't have an airgapped backup copy. A attacker can delete the backups.
Instead of using an RDX Drive, you could consider to buy a server with local attached disks and use it as a Linux hardened repository at the second location. This gives you immutability for your backup files and you have a offsite backup. Ransomware Protection is a very important topic and should be considered for every backup environment.

wouldn't it be better to attach the RDX-Storage to the Gateway Server directly, not to another computer in the respectable network?

Don't use Overland Tandberg RDX QuikStor as a network share.
If you want to use this type of storage, add it as a rotated backup drive. You can find our KB article and a Whitepaper from Overland here: https://www.veeam.com/kb4048
I don't see the requirement to have an additional workstation to manage this drive if you have already a server. Connect the RDX Drives to a server. To optimize the copy time, connect it to the Gateway Server at your primary location. I assume, your team works there, so switching RDX media will be easier as in the second location (if you have to drive there).

- do I need to install Veeam to Gateway Server and use a separate license or does it work by installing an agent, controlled from the main backup server?

Gateway Server doesn't need additional veeam licenses. From a veeam perspective, you pay only for the protected workload and not on how many components you have installed or backup copies your are creating.

- may we select certain data from the backed-up or source virtual machines directly to avoid using network shares in the source network?

You have two options.
- Create a Backup Job and send it directly to the RDX Drive.
- Create a Backup Copy Job and copy the Backups from the network Share to the RDX Drive.
If you use a Linux Hardened Repository or a RDX Drive, Veeam will only copy incremental data from the Network Share over the Gateway Server to the RDX or Linux Hardened Repository. You can calculate how long that takes. Use the daily incremental size and your bandwidth and calculate the time it takes to send over the amount of data.

On the other site, where the copy should be placed, we want to have a Windows Server which should play 2 roles:
- secondary domain controller (for the case when the primary one on the other site is not available);
- veeam gateway server.

If one site is down, what happens to all the other services? File Server, Application Server?
Do you have Veeam Replicas configured? A Domain Controller alone will not be enough to keep your environment running, if the entire site goes down.
Our recommendation is to run the backup server at the DR site, just in case you need to failover Replicas or restore backups.
And I don't recommend to install Veeam Components on a Domain Controller. It works, but mixing Domain Controller with third party software is never good from a security perspective

[rreimche]

I like the idea of having a hardened linux repo. Do I still need a gateway server on the second site for it? Can I use a single linux machine for both: gateway and repo?

Thank you in advance.

[Mildur]

A Gateway Server is not required for Linux Hardened Repositories.
A Gateway Server is only used for Dedup Appliances, NAS based Backup Repositories and Object Storage.