Improve Veeam B&R configuration

[Valle1975]

Good mornind to everyone!
I read a lot of posts about the your strategy for Backup with Veeam B&R, and I have a doubt about my actual one.
I have a Vsphere 6.5 Cluster with n.2 Hosts and one datastore on a small SAN (just 3 TB of data) and 9 VMs (8 Windows Server and 1 Linux Suse Ent.)
Now my Veeam B&R configuration is:
- n.1 Backup Job of all VM DAILY to a Synology NAS by CIFS with 20 restore point and create Active full on Saturday.
Ended that, Daily using Hyper Backup(Synology inside app) , I backup daily this to USB connected to the NAS , and Disconnect the USB DRIVE and POWER OFF THE NAS.

- n.1 Backup Job of all VM DAILY to a DIFFERENT Synology NAS by CIFS with 30 restore point and fcreate Active full on Saturday.
Ended that, Daily using USB Copy (Synology inside app) , I backup daily this to USB connected to the NAS , and Disconnect the USB DRIVE.

I'm unable to use cloud service for externalize the backup, so I must use USB Drive.
In several posts I read about various configuration ,and I'm a little confused about the best configuration for my situation, and I try to ask you how improve this configuration for maximum safety agains Ramsomware, and best recovery time.
Thanks a lot.

[ejenner]

You don't mention whether any of those backup jobs create an off-site copy?

'Off Site' doesn't really have to mean that it's not on the same site but if you've taken reasonable precautions to ensure both your backups aren't vulnerable to the same possible environmental risks. i.e. could both your NAS devices suffer from flood damage by the same broken pipe. Or if a fire started or a burglary is there any safety in place to ensure both NAS devices would not both be destroyed / stolen.

Depending on the nature of the data you're protecting 'off site' could mean far away enough not to be damaged in the event of a nuclear strike or the complete shutdown of a city, think about a pandemic disease perhaps. If your files aren't that important then having both NAS devices in the same room does create risks but they might be acceptable risks in your case.

[Valle1975]

HI Ejennerm, you are right.
The n.1 NAS are placedy in a secondary building inside Factory, in a second floor, about 200 meters far the Server Room, and n.2 NAS are in the server room.
Actual the n.2 USB HDD are placed near both NAS and i leave it always. (maybe changing some strategy for USB DRIVE, I can begin to use n.2 HDD in rotation and move to my house , 15 km far away..)
Waiting future improvement on connectivity, for the actual situation I think it 's a accettable risks for our reality.
My questions, after those right considerations, need to find the best fix for my actual strategy of backup, without using Cloud opportunity.
How do you suggest me to improve my backup strategy?
Thank a lot.

[foggy]

Hi Valerio, given your limitations, I think your strategy looks good overall. You have an offline copy of your backups which protects you from the ransomware attacks.

[Valle1975]

Thanks Foggy, often I read that it's better to use CopyJob from the first backup job to the second NAS or External USB device.
How is it the real advantages vs a second BackupJob??
Thanks a lot.

[veremin]

The production storage doesn't get hit with additional load (snapshot creation, snapshot deletion), neither do source VMs. Thanks!

[Valle1975]

Thanks Veremin.

[veremin]

You're welcome. By the way, additional benefit will be GFS retention which currently can be enabled only on backup copy job. Thanks!

[Valle1975]

It's one of the solution read in several posts, but according to you, I will remove the second Backup Job, and substitute it with a backupCopy jobs to the second NAS, or directly to USB Drive (maybe introducing USB Drive rotation?
Thanks

[foggy]

Yes, this is one of the best practices used to comply with the 3-2-1- rule.

[veremin]

If you're planning to use rotated drives, don't forget to enable corresponding option in backup repository settings. Thanks!

[ChrisGundry]

My suggestions:
1. Don't forget to backup the HyperV host itself if there is anything on it configuration/data wise that you don't want to lose.
2. Backup the Veeam configuration backups to a location such as the USB drive if possible. Whilst you can restore full Veeam backup files in a standalone way, having the Veeam config backup will help you get your environment back up even quicker.
3. Consider how you will restore any of these files if your infrastructure is down. If your Veeam server was on your main site and virtual and it's now gone, along with your AD, how are you going to restore? Consider using non-AD credentials for Veeam and consider having the Veeam B&R installed at your DR site or somehow off your production virtualization host. A 2nd server for Veeam, or even a decent workstation in some cases can be a good option. That way if your host fails or your SAN fails then your Veeam install is still available and you can restore to alternative host/storage.
4. Configure your Veeam server/backup repo's to be 'off network'. They don't use AD credentials, even domain admins can't access the repo files directly from the network or ideally locally. This prevents ransomware from accessing and deleting/encrypting them.
5. Test your backups