Veeam options in this scenario

[dhayes16]

Hello all. I hope everyone is well. We just picked up a customer who has 2 locations connected via a point to point high speed pipe. One site (the primary site) has a newly installed virtual server with about 3tb of storage and 6 vms and the other remote site has a single physical server with about 2 TB of storage (total 5tb). Currently they are using storagecraft (which was installed in 2014) to backup to a local netgear Nas at each site and then replicated to the other site via intelligent ftp. It is working OK but they really do not have a good DR solution here at all. Those vms created on the Nas devices would take forever to pull back in the event of a disaster. And there are no options for immutability or ransomware protection.

So we are looking to install veeam here. Basically install BDRs at each location with a ton of storage. Then replicate the vms (from site 1) and the physical server (from site 2) between locations as they are doing now. The advantage here is that we can spin up replicated vms in the event of a disaster. But the main concern we have is immutability in the event of a ransomware takeover. And accomplishing the 123 rule.

The main concern we have is airgapped backups. We were thinking of installing a tape drive at the one main location to get the backups airgapped. As an alternative we looked into insider protection but that seems to be for cloud connect partner solutions (as opposed to replicating between sites). Also we have looked at immutability via s3 object lock to aws as an option as well. Perhaps installing an on prem s3 storage option like minio?

V11 is coming with Linux secure repo which might fit the bill.

How would you architect such a solution?

[orb]

Hi,

The same for you.

Your customer seems to have a modest infrastructure in term of VMs, amount of data and very likely budget. A valid approach would be

Backup to a NAS with NFS (multi-link if 1 GbE if enough spindles), Active Full job only, per-VM mode
Backup Copy Job to Second Site
Replicate VM and used your Backup Copy as Source (pruning). It works great when customers between 12h-24has RPO and it saves the fact you need to move the data once through your line.

You could implement BTFRS snapshot/recycle bin at the NAS level for ransomware protection.
XFS requires a different approach and set of skills. The size and the amount of data isn't worth it.

VCC with Insider is good if it fits your customer budget.
S3 is good if it fits your customer budget.

btw, Veeam 11 is not a requirement here and verify the required licence level for certain functionalities.

You could do replication with your NAS still, while it works I prefer not to choose it since I prefer to have a unified view through Veeam Console / Reporting.

Regards,
Oli

[dhayes16]

Thank you kindly for the response. I truly appreciate it. In this configuration do you suggest a server to run b&r at each location? To serve as proxy, etc? One thing we would like to provide (as an option) is having a server at each side for DR to spin up in the event of major server outage. Right now a standard configuration we push out is an on prem windows server with a bunch of disk as the backup target which also replicates to a vcc or s3. This site is different in that they have a high speed pipe to have their own cloud site. Basically one site replicating to the other and visa versa.

Also you mention Nas with nfs. I thought Veeam normally recommends iscsi. Are you suggesting nfs on the Nas due to it being formatted btrfs? I do like the idea of btrfs a lot. Or even a freenas.. But I am just curious on how the DR piece would fit it.

Again thanks for your opinions . We want to do best practices.

Take care

[orb]

Thank you kindly for the response. I truly appreciate it. In this configuration do you suggest a server to run b&r at each location? To serve as proxy, etc? One thing we would like to provide (as an option) is having a server at each side for DR to spin up in the event of major server outage.

Yes, you are correct Veeam components need to be deployed on each side "proxy/repo/guest/mount" and the "server" in the DR. This could be all VM or physical.

Right now a standard configuration we push out is an on prem windows server with a bunch of disk as the backup target which also replicates to a vcc or s3. This site is different in that they have a high speed pipe to have their own cloud site. Basically one site replicating to the other and visa versa.

Cross-replication is valid if you have source material on each site. The physical server is a very solid way too.

Also you mention Nas with nfs. I thought Veeam normally recommends iscsi. Are you suggesting nfs on the Nas due to it being formatted btrfs? I do like the idea of btrfs a lot. Or even a freenas.. But I am just curious on how the DR piece would fit it.

Veeam is a very versatile tool. ReFS/XFS will always shine when your network is a bottleneck e.g. 1GbE or low disk spindles count but a load of data to backup. In the end, your target is RPO/RTO, the constrain of your customer budget and your abilities to maintain the system over time. Nobody wants something overcomplicated

Oli

[dhayes16]

Thanks for the detailed responses. Veeam is definitely a super flexible solution. I do have a question that ties into your original response regarding btrfs. What do you think about having a windows server powered bdr at each site replicating to each other formatted with refs. Then we have the DR functionality discussed here with standby replicated vms.

Then have another backup copy job dumping data to a synology, freenas or some other device running btrfs. So if the entire infrastructure is hit with ransomware then we can pull back from snapshots (as long as the Nas console is not compromised). Maybe that would work? Or even the secure Linux in v11 when it hits. Basically a regular computer with tons of disk running the secure Linux platform.

Since this is point to point with no cloud storage I am thinking this might be an option.

Again thanks for taking the time to reply and happy holidays!

[orb]

Thanks for the detailed responses. Veeam is definitely a super flexible solution. I do have a question that ties into your original response regarding btrfs. What do you think about having a windows server powered bdr at each site replicating to each other formatted with refs. Then we have the DR functionality discussed here with standby replicated vms.

I would not have 2 VBR server replicating at each other since they cannot federate themselves. It is just administration overhead. You could have a server on standby but it depends on your RTO. Deploying a machine, install the software and restore your backup config is fast and very easy. Replicate your data with copy jobs.

Then have another backup copy job dumping data to a synology, freenas or some other device running btrfs. So if the entire infrastructure is hit with ransomware then we can pull back from snapshots (as long as the Nas console is not compromised). Maybe that would work? Or even the secure Linux in v11 when it hits. Basically a regular computer with tons of disk running the secure Linux platform.

Yes, correct snapshot technology open "immutability like" as long you keep it well hidden until v11 is here.

Oli

[foggy]

In the case of two Veeam B&R instances, you should be careful with the servers running components for both - they should have exactly the same patch level to avoid issues.

[dhayes16]

I would not have 2 VBR server replicating at each other since they cannot federate themselves. It is just administration overhead. You could have a server on standby but it depends on your RTO. Deploying a machine, install the software and restore your backup config is fast and very easy. Replicate your data with copy jobs.

Thanks.. I should be been thorough. I do intend to replicate on prem to the individual servers at each location and then do a backup copy job for the replication between sites. We just need a lot of disk.