To enforce security and protect your backup data against ransomware attacks, Veeam Backup & Replication v11 allows you to configure double immutable backups on-prem and cloud.
This solution takes benefit of the following configuration:
- One Backup Repository for the primary backup.
- One Immutable Scale-out Repository with a Hardened Repository (performance tier) and an S3 Cloud Repository with Object Lock capability enabled (capacity tier).
- Backup Copy leveraging the Copy mode (mirroring) feature.
Blog series
Veeam v11: configure double immutable backups on-prem and cloud - pt.1
Veeam v11: configure double immutable backups on-prem and cloud - pt.2
The 3-2-1-1-0 backup rule
To enforce protection of backup data against ransomware attacks, Veeam extended the 3-2-1 backup rule to 3-2-1-1-0. The additional 1 and 0 at the end provides additional steps to ensure data integrity and availability:
- 3 copies of data
- 2 different media
- 1 copy being off site
- 1 copy being offline, air-gapped or immutable
- 0 errors with SureBackup recovery verification
Configure Veeam Repositories
To achieve the target of having multiple immutable backups, we need to create three repositories:
- A local Repository
- A Hardened Repository
- An S3 Object Storage Repository
Local primary Repository
If Veeam solution is already in use at your organization, a local repository should be already available and configured in the Backup Infrastructure > Repository area.
Different repositories, such as Data Domain (DD Boost), NFS (direct NFS), SMB, and so forth, can be used to store primary backups.
Configure a local Hardened Repository
If a local repository is already in place, the Hardened Repository is the new repository to configure to store local Backup Copies. The repository leverages the Linux OS capability to make files immutable protecting them from deletion, overwriting and changes.
The complete procedure to configure a Hardened Repository can be found in this post.
Configure the Immutable Cloud Repository (Wasabi)
To have immutable backups in the cloud, you need to choose a provider that provides S3 or S3-Compatible Object Storage service with the Object Lock capability. In this example, Wasabi is the provider used to store immutable Backup Copies.
If you already have an account registered, from your favorite browser access the Wasabi login page. Enter your credentials then click Sign in.
Regardless if you already have existing Buckets in Wasabi, you need to create a new one to enable the Object Lock capability. Click Create Bucket to configure an immutable repository.
Enter a Bucket Name e specify the Region to use. Click Next to continue.
Enable Bucket Versioning and Enable Object Locking options then click Next.
Click Create Bucket to confirm bucket creation.
The Bucket with Object Lock feature enabled has been created successfully.
Next step is the creation of the Cloud Repository in Veeam to be used in the Scale-out Repository as Capacity Tier.
Configure the Object Storage Repository
After creating the Bucket in Wasabi, the configuration of the Object Storage Repository in Veeam is the next step.
From the Veeam console, access the Backup Infrastructure area and select Backup Repositories. Click on Add Repository button.
Select Object storage as repository type.
Since we are using Wasabi, select S3 Compatible as object storage type.
Enter a Name for the object storage repository and click Next.
Specify the Service point and the Region to use. Select the correct Credentials to access the Bucket then click Next.
Click Browse to select the previously created Bucket with the Object Lock feature enabled. Click OK.
Click Browse to specify/create the folder to store backups in the selected Bucket. Click OK.
Enable the Limit object storage consumption option if you want to keep space consumption under control. Enable and configure the Make recent backups immutable for xx days option to set the Immutability retention for stored backups in the Object Storage Repository. Click Apply.
Click Finish to save the configuration.
The Object Storage Repository has been created.
Configure the Scale-out Repository
Right click the Scale-out Repositories section and select Add scale-out backup repository option.
Enter a Name for the Scale-out Repository then click Next.
Click Add to select the extent to use as Performance Tier. Select the Hardened Repository previously created then click OK.
Once the Performance Tier has been selected, click Next.
Since only one extent is configured, select Data locality then click Next.
Enable and configure the following options:
- Extend scale-out backup repository capacity with object storage - select the previously configured Object Storage Repository.
- Copy backup to object storage as soon as they are created - select this option to use the mirror copy mode.
- Move backup to object storage as they age out of the operational restore window - when the backup is older than specified days, it is moved to Object Storage Repository. In the example, a backup age of 14 days has been configured to match the Immutability retention set for the Hardened Repository selected.
- Encrypt data uploaded to object storage - to add an extra layer of security, backups stored to the cloud object storage should be encrypted.
Click Apply.
Click Finish to save the Scale-out Repository configuration.
The just created Scale-out Repository.
The configuration of the required Veeam Repositories is now complete. Part 2 will cover the backup jobs configuration and a full test of the Immutability feature.
Great Article always love your content. Thank you very much.
Is part 2 on the way as the link for part 2 takes me to the same page?
I would like to hear how you work with the Time Active & Time Deleted restrictions with Wasabi if you use them. Thanks.
I don't use any Wasabi's policy. I prefer the Immutability is controlled directly by Veeam because I want that all backup retentions are controlled from a single and centralized point, immutability included.