Note: The description in the article is based on Veeam Backup & Replication 12.3, licensed using Veeam Universal License (VUL), which is similar to Enterprise Plus.
Immutable Backups and Object Storage
The principle of Immutability and ways to achieve it in Veeam Backup & Replication is described in detail in the article Veeam Backup & Replication - Immutable Repositories and Secure Backups. It ensures that data (backups) cannot be modified or deleted for a specified period (Immutability Period) after their creation. It's the principle of Write Once Read Many (WORM), where we can write data once and read it unlimited times.
The largest group of storage systems that support Immutability are (certain) object storage systems, and their main category is S3 compatible storage with the S3 Object Lock feature. A general description of how object storage systems work is in the article What is Object Storage?
S3 Compatible Object Storage Repository
Preparing S3 Object Storage on ONTAP
We can use NetApp ONTAP as S3 compatible object storage. We described the configuration in the previous article NetApp ONTAP S3 Object Storage.
- configure SVM with S3 protocol
- create an S3 bucket where backups will be stored; since we want to use Immutability, we must enable object locking
- for access, we need a user with set permissions, specifically their access and secret key
Documentation
- Amazon S3 and S3 Compatible Object Storage Considerations and Limitations
- Immutability Considerations and Limitations
- Adding S3 Compatible Object Storage
Creating Backup Repository S3 Compatible
- Veeam Backup & Replication Console
- Backup Infrastructure - Backup Repositories - Add Repository
- select Object Storage - S3 Compatible - S3 Compatible
- Name - unique name and description of the storage
- Account
- Service Point - enter FQDN (ideally for certificate) or IP address of the object storage (uses https, we can also specify port)
- Region - probably not important for OnPrem storage, us-east-1 works
- Credentials - select or add access credentials to object storage (Access key and Secret key)
- Connection mode - choose the method of data transfer to object storage, either direct or through gateway
- Bucket
- Bucket - select a pre-prepared bucket for storing backups
- Folder - select an existing folder or create a new one
- Limit object storage consumption to - we can set a soft limit for storage usage, if the limit is exceeded, the running task will complete but a new one won't start
- Make recent backups immutable - we can set the immutability period, the time during which stored data cannot be modified or deleted, GUI allows setting 1 to 90 days, longer periods can be set using PowerShell
- when moving to the next step, we might get some warnings or errors (like missing license on NetApp and thus inability to use the S3 Object Lock feature)
- Mount Server - select mount server and its parameters for file and application item recovery
- Review - click Apply and installation and configuration of all required components will proceed
Azure Blob Storage Repository
Azure Blob Storage is Microsoft's cloud solution providing object storage. It uses three types of resources: Storage account, Container, and Blob.
Limitations and Support
- Microsoft Azure Object Storage Considerations and Limitations
- Immutability Considerations and Limitations
- Microsoft Azure Storage Accounts
Azure Blob Storage supports Immutability, which can be activated either at the Storage account, Container, or Version level. For use with Veeam Backup & Replication, we have several limitations that must be followed for immutability to work correctly and for Veeam to manage it (Azure policy management is not used).
- we must activate versioning for Storage account
- Immutability must be set at the container level (not for Storage account)
- Default immutability policy is not supported (must not be enabled)
- Soft delete for blobs is not supported (must not be enabled)
- we must not configure Lifecycle management policies for container data
- we must not enable immutability for an existing container (must create a new one)
Creating Azure Blob Storage
- Introduction to Azure Blob Storage
- Storage account overview
- Create an Azure storage account
- How to Configure Azure Storage Account to Leverage Immutability with Veeam Backup & Replication
Creating Storage account
- Microsoft Azure portal
- within our Azure subscription and specific Resource group, we create (Create) a Storage account
- on several tabs, we fill in parameters for the created Storage account (only main items are listed here)
- Basics
- Storage account name - name that must be globally unique within Azure (Storage account already taken)
- Performance - performance Standard for regular general-purpose v2 storage account
- Redundancy - as needed, cheapest is Locally-redundant storage (LRS)
- Advanced
- Security - Allow enabling anonymous access on individual containers - disable
- Security - Enable storage account key access - enable if we want to allow authorization using access key
- Blob storage - Access tier - based on needs and costs, choose Hot, Cool, or Cold
- Networking
- Network connectivity - Network access - select Enable public access from all networks
- Data protection
- Recovery - Enable soft delete for blobs - disable, must be turned off
- Tracking - Enable versioning for blobs - enable, it's a condition for using immutability
- Access control - Enable version-level immutability support - disable, Veeam recommends using immutability at container level
Creating Container
- open the created Storage account
- Data storage - Containers - New container
- Name - container name (lowercase letters, numbers, and hyphen)
- click on Advanced
- Enable version-level immutability support - enable for using immutability
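The limitations listed above and the portal settings from the last two sections can be checked in one pass. This is an added example, not part of the original article or of Veeam's tooling: it audits exported storage account, blob service, container and lifecycle settings against that list. The sample dictionaries are constructed, and their key names follow Azure Resource Manager property names as an assumption to compare with your own `az ... show` output.

```python
# Added example. Sample settings are constructed; key names follow Azure Resource
# Manager property names (an assumption, compare with your own `az ... show` output).
def rule_touches(rule, container):
    if not rule.get("enabled", True):
        return False
    filters = (rule.get("definition") or {}).get("filters") or {}
    prefixes = filters.get("prefixMatch") or []
    path = container + "/"
    # No prefix filter: the rule applies to every container in the account.
    return not prefixes or any(p.startswith(path) or path.startswith(p) for p in prefixes)

def audit_for_veeam(account, blob_service, container, lifecycle_rules):
    """Return findings; an empty list means the checked requirements hold."""
    findings = []
    if not blob_service.get("isVersioningEnabled"):
        findings.append("versioning for blobs is disabled")
    if (blob_service.get("deleteRetentionPolicy") or {}).get("enabled"):
        findings.append("soft delete for blobs is enabled")
    acct = account.get("immutableStorageWithVersioning") or {}
    if acct.get("enabled") or acct.get("immutabilityPolicy"):
        findings.append("immutability is configured at storage account level")
    if not (container.get("immutableStorageWithVersioning") or {}).get("enabled"):
        findings.append("container has no version-level immutability support")
    hits = [r["name"] for r in lifecycle_rules if rule_touches(r, container["name"])]
    if hits:
        findings.append("lifecycle rules apply to the container: " + ", ".join(hits))
    if account.get("allowBlobPublicAccess"):
        findings.append("anonymous access can be enabled on containers")
    return findings

# Constructed configuration that follows the list above.
GOOD = dict(
    account={"allowBlobPublicAccess": False, "immutableStorageWithVersioning": None},
    blob_service={"isVersioningEnabled": True, "deleteRetentionPolicy": {"enabled": False}},
    container={"name": "veeam-backup", "immutableStorageWithVersioning": {"enabled": True}},
    lifecycle_rules=[{"name": "logs-to-cool", "enabled": True,
                      "definition": {"filters": {"prefixMatch": ["logs/"]}}}],
)
# Constructed configuration that violates four of the points.
BAD = dict(
    account={"allowBlobPublicAccess": True, "immutableStorageWithVersioning": None},
    blob_service={"isVersioningEnabled": True,
                  "deleteRetentionPolicy": {"enabled": True, "days": 7}},
    container={"name": "veeam-backup", "immutableStorageWithVersioning": None},
    lifecycle_rules=[{"name": "tier-all", "enabled": True, "definition": {"filters": {}}}],
)
```

Whether the container was created new or had immutability enabled afterwards cannot be read from these settings and still has to be confirmed by hand.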
Getting Access key
We can access the storage using an access key or Entra ID account.
- open the created Storage account
- Security + networking - Access key
- for Veeam, we need Storage account name and one of the keys
Creating Backup Repository Azure Blob Storage
- Veeam Backup & Replication Console
- Backup Infrastructure - Backup Repositories - Add Repository
- select Object Storage - Hyperscalers - Microsoft Azure Storage - Azure Blob Storage
- Name - unique name and description of the storage
- Account
- Credentials - select or add access credentials to the Storage account (we can use Access key, here called Shared key)
- Region - typically Azure Global (Standard)
- Connection mode - choose the method of data transfer, either direct or through gateway
- Container
- Container - select a pre-prepared container for storing backups
- Folder - select an existing folder or create a new one
- Limit object storage consumption to - we can set a soft limit for storage usage, if the limit is exceeded, the running task will complete but a new one won't start
- Make recent backups immutable - we can set the immutability period, the time during which stored data cannot be modified or deleted, GUI allows setting 1 to 90 days, longer periods can be set using PowerShell
- Use cool blob storage tier (may result in higher cost) - for certain situations we can use this option, but we must consider costs vs. usage
- Mount Server - select mount server and its parameters for file and application item recovery, using the Configure button we can set up a Helper Appliance that will be temporarily deployed in Azure for health check and retention application
- Review - click Apply and installation and configuration of all required components will proceed
Backup Job
Backup Repositories
Overview of created repositories.
Creating Backup Job
We create a backup job in the standard way, for example according to Veeam Backup & Replication - Backup Job. As Storage - Backup repository we select our Azure Blob Storage Repository or S3 Compatible Repository. Backup immutability will be at least as long as the Immutability period set on the storage (Backup Repository).
Backups - Object Storage
After performing a backup job, we will see created backups in the Object Storage folder.
Attempting to Delete Backup Files
When we try to delete a backup in Veeam Backup & Replication, the deletion won't occur and we'll receive information that Immutability is set until a certain date. For testing, I set the Immutability period to only 1 day, yet it shows that the file is immutable for 11 days. The explanation is in Block Generation.
Object Storage
Storing Backups
Object storage doesn't work with files but with objects. Veeam divides backup files into blocks of a certain size and uploads them as objects. Immutability is set for each object. By default, it works with a block size of 1 MB, and each block is then compressed, so the result is many objects of up to 1 MB in size.
During incremental backup, only new or changed data is uploaded as new objects. For existing data, only the immutability date is updated. To save I/O operations, Veeam adds several days to the immutability expiration date. This is referred to as Block Generation.
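A storage-side check of the per-object immutability described above, as an added example (not from the original article or from Veeam): it reads per-object retention data in the shape returned by the S3 GetObjectRetention call and reports objects that have no lock, an expired lock, or a GOVERNANCE-mode lock, which a user holding s3:BypassGovernanceRetention can override. The object keys, dates and the fixed NOW are constructed; with a 1-day period the locks run longer than configured, which is what Block Generation leads us to expect.

```python
from datetime import datetime, timezone

# Constructed sample; keys do not reflect Veeam's real object layout.
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"Key": "backup/obj-0001",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": "2025-03-12T12:00:00Z"}},
    {"Key": "backup/obj-0002",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": "2025-03-05T12:00:00Z"}},
    {"Key": "backup/obj-0003",
     "Retention": {"Mode": "GOVERNANCE", "RetainUntilDate": "2025-03-12T12:00:00Z"}},
    {"Key": "backup/obj-0004",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": "2025-02-20T12:00:00Z"}},
    {"Key": "backup/obj-0005"},  # no retention set at all
]

def days_left(retention, now):
    until = datetime.fromisoformat(retention["RetainUntilDate"].replace("Z", "+00:00"))
    return (until - now).total_seconds() / 86400

def audit_object_locks(objects, configured_days, now):
    report = {"unlocked": [], "expired": [], "governance": [], "days_left": {}}
    for obj in objects:
        ret = obj.get("Retention")
        if not ret:
            report["unlocked"].append(obj["Key"])
            continue
        left = days_left(ret, now)
        if left <= 0:
            report["expired"].append(obj["Key"])
            continue
        report["days_left"][obj["Key"]] = left
        if ret["Mode"] != "COMPLIANCE":
            # GOVERNANCE locks can be bypassed with s3:BypassGovernanceRetention.
            report["governance"].append(obj["Key"])
    locked = list(report["days_left"].values())
    report["min_days_left"] = min(locked, default=None)
    # Locks longer than the configured period are expected (Block Generation).
    report["beyond_configured"] = sum(1 for d in locked if d > configured_days)
    return report

if __name__ == "__main__":
    for name, value in audit_object_locks(SAMPLE, 1, NOW).items():
        print(name, value)
```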
Accessing Objects on S3 Compatible Object Storage
As a tool for managing S3 storage, we can use for example AWS CLI, S3 Browser GUI, or Rclone. S3 Browser is recommended in many places as it's handy and convenient. The website states that a freeware version is available, but after installation, it's indicated that it's only for non-commercial use. It also has various limitations, for example, it doesn't allow deleting multiple objects at once.
S3 Browser allows deleting object versions on the Versions tab. And it also allows deleting the entire bucket, even if it contains objects or their versions.
Accessing Objects on Azure Blob Storage
Directly in the Microsoft Azure portal under Storage account there is a Storage browser (or we can directly open a specific container) that allows working with objects. More options are offered by the Azure Storage Explorer application.
Below is shown an unsuccessful attempt to delete backup data.