ukulele
Novice
Posts: 4
Liked: never
Joined: Aug 23, 2021 7:41 am

Synthetic Full Backup over WAN

Post by ukulele »

Hi everyone,

I have some questions regarding my plan to implement a new backup over WAN. I found some threads, but mostly older than 5+ years, so I am starting a new one.

Situation:
Our environment is pretty simple: 3 ESXi Hosts, 1 vCenter 7 U2 (Essentials Licence), 1 physical Backup Server running Veeam B&R 11 (Essentials Enterprise (no Plus!)). Every night I make a backup (Reverse Incremental) to a local repository residing on the physical backup server (Windows 2012 R2). Every Wednesday after that, a tape job is configured as Secondary Backup Target. The tape contains the latest Full Backup and is taken offsite. That's basically it, besides some File Copy Jobs. Now we would like to send our backup over WAN, first in addition to tape; later, tape may be removed from our Backup Plan. Also, we have a 2nd (old) server room we want to take advantage of. So the Backup Plan will finally consist of two local Backup Repositories (Windows Backup Server + a new NAS) in two different fire sections (but still in the neighbourhood) and one new NAS reachable over WAN.

Planning:
From my understanding I should move from Reverse Incremental to Synthetic Full Backup. Every Synthetic Full Backup is basically just an Incremental Backup reorganized at the backup location. So the Incremental Backup is the only data transported over to the Repository.
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

Questions:
1) Most important to me is to understand one thing. In my planned scenario I would make a Synthetic Full Backup to the local Backup Server first, then duplicate this on the NAS next door, then again duplicate this over WAN to the offsite NAS. But, if my Synthetic Full Backup is done, it will delete the latest increment. How do I send this increment over to two more Backup Repositories? Will the Backup Job wait until all jobs under "Secondary Target" are done and use the increment for transfer?
2) I definitely want to form a complete Synthetic Full Backup on the remote site too, so I only need to have a Veeam Data Mover Role on the device (or at least in the local network) offsite, correct? Or do I need a Veeam Proxy or something else too?
3) I am considering options for the target systems, thinking about NAS. Would it be possible and maybe recommended to put a Data Mover Role on a NAS? Considering right now: Synology, QNAP, TrueNAS (previously known as FreeNAS) or OpenMediaVault. Any Best Practice recommendations?
4) Would my Licence (Essentials Enterprise) allow me to install as many Veeam Roles on as many Servers? Could not find any limitations, just for the number of Hypervisors and vCenter Servers.
5) Right now I don't see a huge benefit from the Essentials Enterprise Plus Licence. The size of my Increment would have a max ~70GB and could be done in 3-4 hours over WAN. So I consider WAN Acceleration just a nice-to-have; is there anything else useful in it?
6) What is Best Practice for "Transport Security"? Right now I would establish a VPN Connection outgoing from the offsite so the Backup Server would have no way to reach the offsite location on its own. The backup itself would be unencrypted as long as I consider offsite a secured space. Or is there something built into Veeam for optimal Transport Security? Would Backup File Encryption affect transport speed?

Thx for any advice.
Andreas Neufert
VP, Product Management
Posts: 7077
Liked: 1510 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Synthetic Full Backup over WAN

Post by Andreas Neufert » 1 person likes this post

I would go and implement the best practices: local backup, and then a backup copy job to a second site. I would never do direct backup over WAN, as restores will not be performant and will depend on the stability of the WAN link.
Backup copy will continuously check for new restore points and will transport them to the other site.
You need some compute power there to run a Repository (or Gateway Server). In the end only the changes (minus compression) then go over the WAN link and the chain is built by the backup repository server there.

I would place a small server on the second site with local disks. You can maybe then install a hardened Linux repository on it to make your backups immutable there.

Yes, Essentials Enterprise can use Backup Copy Jobs... Enterprise Plus would give you additional Software WAN Accelerators for reducing the data that goes over the WAN link further.
VPN connection is the way to go as you wrote. You can additionally enable Transport or Data Encryption if you like. If you implement Data Encryption, check Enterprise Manager's capability of Password Loss Prevention.

Re: Synthetic Full Backup over WAN

Post by ukulele »

I never said anything about Direct Backup over WAN, as I described before it should be:
A Synthetic Full Backup to local Disk of physical Backup Server
B Duplicate/Copy/Replicate this Backup to NAS in different fire section
C Duplicate/Copy/Replicate this Backup again to NAS offsite over WAN

If I run A and the Synthetic Full Backup is created (1. Increment created, 2. Full Backup formed, 3. Increment deleted) and it's completely done, I have no Increment left that I could copy over to my 2nd and 3rd Backup Location. Therefore my first question (1.): how exactly does Veeam handle this situation?

Yes, I need some compute resources offsite, that's clear. I'm looking for the right OS and hardware here. First I need to know which Veeam Backup Roles I have to run (I think I just need Data Mover? and a Repository if you consider that a "Role"). I have no clue if an out-of-the-box NAS like QNAP or Synology does have enough resources (are there some hardware requirements anywhere?) and if there is Veeam Software or a scenario with Docker where I could run Veeam Data Mover; maybe somebody has done this before. My skills with Linux are limited but I can try a hardened Linux as well. Will it be possible to run VPN on a hardened Linux?

VPN it is for Transport Security; is there any benefit in additionally enabling Transport Encryption?

Re: Synthetic Full Backup over WAN

Post by Andreas Neufert »

Hi,

You need to roll out a "Repository Server" on the second site. In case of a SMB/NFS/Dedup Appliance, this role is called Gateway Server and you can add a Windows Server there as "Managed Server" so that you can select it as "Gateway Server".
Mount Server should be set as well on this site, as the synthetic processing is handled by this role.

Veeam does not copy the backup chain from the primary site to the second site by just copying files. We will transfer restore points in an incremental forever processing. The source can be any chain, including your Reverse Incremental chain, and the data flow to the second site is always incremental. It will then create a new chain on the second site depending on the settings of the Backup Copy Job.

Re: Synthetic Full Backup over WAN

Post by ukulele »

So the remote Repository Server can only be Windows or would a hardened Linux cover this as well?

Is my Licence covering as many Repository Servers as I want or is this limited?

Re: Synthetic Full Backup over WAN

Post by Andreas Neufert »

It can be as well a Linux Hardened Repository.

If you roll out a SMB/NFS/Dedup Repository, you need an additional server there to keep the synthetic full/merge processing within the site.

Re: Synthetic Full Backup over WAN Case-ID 05012528

Post by ukulele »

Case-ID 05012528

So I tested some things to the extent now, finding an answer to my questions 1 & 2, at least I think.

Setting:
- I installed a hardened Linux Backup Repository on Ubuntu by the book, backups on this Repo are set immutable for 7 days, Fast Clone in XFS is enabled. (For testing, the Linux Repo resides on ESXi, shouldn't make a difference to real hardware.)
- My primary Backup Server runs B&R 11.0.0.837 on Windows 2012 R2
- First I created a Backup Job: VM to Default Repo (Windows); backup mode incremental / create Synthetic Full Backup periodically on Tue, Wed, Thu; Retention Policy 8 days
- Second I created a Backup Copy Job: "Backup Job" to Linux Repo; Retention Policy 8 days; "Keep certain full backups longer for archival purposes" is set, also GFS is set to "keep weekly full backups for 1 week", "if multiple full backups exist, use the one from Tue"

This led to a behavior I did not expect (when planned for Synthetic Full Backup).
1.) Primary Repo: Increment vib-File gets created.
2.) Primary Repo: Synthetic Full Backup vbk-File gets created.
3.) Primary Repo: vib gets deleted.
4.) Secondary Repo: vib-File gets created, seems like only the vib-Data is transferred.
- This I did not expect: The vib gets deleted first, so has to be extracted from vbk again. Works, I would have thought of that as a problem. Can't tell if this is the most efficient way but it should do as long as not the whole vbk is transferred.
5a.) Secondary Repo: vib is kept.
- This I did not expect as well: I thought of it as if the Synthetic Full Backup would have been created on Linux Repo too. But the vib remains unless GFS is set:
5b.) Secondary Repo: vbk gets created when GFS is set
6b.) Secondary Repo: vib gets deleted (for this to happen it must not be set immutable but I couldn't watch this happening by now)

This is what I want to happen, storing vbk on a 2nd Repo while just transferring vib-Data. I just find it a little confusing that GFS and Synthetic Full Backups basically result in the same thing. I would love to see this explained in a clarifying way like in https://helpcenter.veeam.com/docs/backu ... ml?ver=110

Regarding my question 3:
I will just set it all up on Linux on dedicated hardware. I'm wondering, however, how much performance is needed and if Veeam hardened Linux Repo would run on ARM? I guess not, but did not find any statement about that.
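
Added example, not part of the original thread and not Veeam code: a shell check for the immutability setting described in the test above, listing backup files in the repository that are not currently locked. It assumes the hardened repository marks .vbk/.vib files with the Linux immutable attribute as reported by `lsattr`; the path /mnt/repo, the file names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not Veeam code).
# Reads `lsattr` output ("<flags> <path>" per line) on stdin and prints every
# .vbk/.vib file that does NOT carry the Linux immutable attribute ('i').
# Assumption: the hardened repository protects backup files with that flag.
unprotected_backups() {
    while read -r flags path; do
        case "$path" in
            *.vbk|*.vib) ;;          # only full and incremental backup files
            *) continue ;;           # skip metadata, directory headers, blanks
        esac
        case "$flags" in
            *i*) ;;                  # immutable: cannot be changed or deleted
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# Exit status 0 when every listed backup file is immutable, 1 otherwise.
all_backups_immutable() {
    [ -z "$(unprotected_backups)" ]
}

# Constructed sample input; file names and paths are made up.
sample_lsattr() {
    cat <<'EOF'
/mnt/repo/copyjob:
----i--------------- /mnt/repo/copyjob/vm01_tue.vbk
----i--------------- /mnt/repo/copyjob/vm01_wed.vib
-------------------- /mnt/repo/copyjob/vm01_old.vib
-------------------- /mnt/repo/copyjob/vm01.vbm
EOF
}

sample_lsattr | unprotected_backups
# On a live repository (path is a placeholder):
#   lsattr -R /mnt/repo 2>/dev/null | unprotected_backups
```

Files older than the configured immutability window (7 days in the test above) may legitimately appear in the output, so compare the listed files against that window before treating them as a finding.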
foggy
Veeam Software
Posts: 21138
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Synthetic Full Backup over WAN

Post by foggy »

You can find the system requirements for the repository server here: https://helpcenter.veeam.com/docs/backu ... ory-server