
This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Veeam Backup & Replication - Object Storage Repository and Immutability

Petr Bouška - Samuraj
This article deals with using Object Storage as a primary backup repository; it can also be used to store a secondary backup copy. The goal is to use the immutability property of object storage to protect backed-up data against ransomware and similar threats. We describe two variants in practice. The first is S3 compatible object storage (in our case NetApp ONTAP). The second is Microsoft Azure Blob Storage (Storage account).

Note: The description in the article is based on Veeam Backup & Replication 12.3, licensed using Veeam Universal License (VUL), which is similar to Enterprise Plus.

Immutable Backups and Object Storage

The principle of Immutability and the ways to achieve it in Veeam Backup & Replication are described in detail in the article Veeam Backup & Replication - Immutable Repositories and Secure Backups. Immutability ensures that data (backups) cannot be modified or deleted for a specified period (Immutability Period) after their creation. It is the principle of Write Once Read Many (WORM), where we can write data once and read it an unlimited number of times.

The largest group of storage systems that support Immutability are (certain) object storage systems. Their main category is S3 compatible storage with the S3 Object Lock feature. A general description of how object storage systems work is in the article What is Object Storage?

S3 Compatible Object Storage Repository

Preparing S3 Object Storage on ONTAP

We can use NetApp ONTAP as S3 compatible object storage. We described the configuration in the previous article NetApp ONTAP S3 Object Storage. The required steps are:

  • configure SVM with S3 protocol
  • create an S3 bucket where backups will be stored; since we want to use Immutability, we must enable object locking
  • for access, we need a user with set permissions, specifically their access and secret key

Documentation

Creating Backup Repository S3 Compatible

  • Veeam Backup & Replication Console
  • Backup Infrastructure - Backup Repositories - Add Repository
  • select Object Storage - S3 Compatible - S3 Compatible
Veeam Backup & Replication - Add S3 Compatible Object Repository
  • Name - unique name and description of the storage
  • Account
    • Service Point - enter FQDN (ideally for certificate) or IP address of the object storage (uses https, we can also specify port)
    • Region - probably not important for OnPrem storage, us-east-1 works
    • Credentials - select or add access credentials to object storage (Access key and Secret key)
    • Connection mode - choose the method of data transfer to object storage, either direct or through gateway
Veeam Backup & Replication - Add Object Storage Repository - Account
  • Bucket
    • Bucket - select a pre-prepared bucket for storing backups
    • Folder - select an existing folder or create a new one
    • Limit object storage consumption to - we can set a soft limit for storage usage, if the limit is exceeded, the running task will complete but a new one won't start
    • Make recent backups immutable - we can set the immutability period, the time during which stored data cannot be modified or deleted, GUI allows setting 1 to 90 days, longer periods can be set using PowerShell
Veeam Backup & Replication - Add Object Storage Repository - Bucket
  • when moving to the next step, we might get some warnings or errors (like missing license on NetApp and thus inability to use the S3 Object Lock feature)
Veeam Backup & Replication - Add Object Storage Repository - errors
  • Mount Server - select mount server and its parameters for file and application item recovery
  • Review - click Apply and installation and configuration of all required components will proceed

Azure Blob Storage Repository

Azure Blob Storage is Microsoft's cloud solution providing object storage. It uses three types of resources: Storage account, Container, and Blob.

Limitations and Support

Azure Blob Storage supports Immutability, which can be activated either at the Storage account, Container, or Version level. For use with Veeam Backup & Replication, we have several limitations that must be followed for immutability to work correctly and for Veeam to manage it (Azure policy management is not used).

  • we must activate versioning for Storage account
  • Immutability must be set at the container level (not for Storage account)
  • Default immutability policy is not supported (must not be enabled)
  • Soft delete for blobs is not supported (must not be enabled)
  • we must not configure Lifecycle management policies for container data
  • we must not enable immutability for an existing container (must create a new one)
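
The limitations listed above can be checked before the repository is added in Veeam. The following is an added example, not code from the original article or from Veeam: it evaluates exported Azure settings against the list. The sample data is constructed, and the JSON field names are assumed to follow the Azure Resource Manager properties as returned by `az storage account show`, `az storage account blob-service-properties show` and `az storage container-rm show`.

```python
import json

# Constructed sample settings; field names are assumed to match the
# Azure Resource Manager properties returned by the az CLI commands above.
SAMPLE = json.loads("""
{
  "account": {"name": "examplebackupsa",
              "immutableStorageWithVersioning": null},
  "blob_service": {"isVersioningEnabled": true,
                   "deleteRetentionPolicy": {"enabled": true, "days": 7}},
  "lifecycle_rules": [],
  "container": {"name": "veeam-backups",
                "immutableStorageWithVersioning": {"enabled": true}}
}
""")


def _enabled(section, key):
    """Return True when section[key] is an object with a truthy 'enabled'."""
    value = (section or {}).get(key) or {}
    return bool(value.get("enabled"))


def check_veeam_prerequisites(cfg):
    """Return a list of findings; an empty list means no limitation is violated."""
    findings = []
    account, blob, container = cfg["account"], cfg["blob_service"], cfg["container"]
    if not blob.get("isVersioningEnabled"):
        findings.append("versioning is not enabled on the Storage account")
    if _enabled(blob, "deleteRetentionPolicy"):
        findings.append("soft delete for blobs is enabled")
    if _enabled(account, "immutableStorageWithVersioning"):
        findings.append("immutability is enabled at Storage account level")
    account_imm = account.get("immutableStorageWithVersioning") or {}
    if account_imm.get("immutabilityPolicy"):
        findings.append("a default immutability policy is configured")
    if cfg.get("lifecycle_rules"):
        findings.append("lifecycle management rules exist, review their scope")
    if not _enabled(container, "immutableStorageWithVersioning"):
        findings.append("version-level immutability is not enabled on the container")
    return findings


if __name__ == "__main__":
    # The constructed sample has soft delete left on, so one finding is printed.
    for finding in check_veeam_prerequisites(SAMPLE):
        print("FAIL:", finding)
```

The check cannot tell whether immutability was enabled on a container after its creation, so that limitation still has to be verified by hand.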

Creating Azure Blob Storage

Creating Storage account

  • Microsoft Azure portal
  • within our Azure subscription and specific Resource group, we create (Create) a Storage account
  • on several tabs, we fill in parameters for the created Storage account (only main items are listed here)
  • Basics
    • Storage account name - name that must be globally unique within Azure (Storage account already taken)
    • Performance - Standard, for a regular general-purpose v2 storage account
    • Redundancy - as needed, cheapest is Locally-redundant storage (LRS)
Azure portal - Create Storage account - Basics
  • Advanced
    • Security - Allow enabling anonymous access on individual containers - disable
    • Security - Enable storage account key access - enable if we want to allow authorization using access key
    • Blob storage - Access tier - based on needs and costs, choose Hot, Cool, or Cold
  • Networking
    • Network connectivity - Network access - select Enable public access from all networks
  • Data protection
    • Recovery - Enable soft delete for blobs - disable, must be turned off
    • Tracking - Enable versioning for blobs - enable, it's a condition for using immutability
    • Access control - Enable version-level immutability support - disable, Veeam recommends using immutability at container level
Azure portal - Create Storage account - Data protection

Creating Container

  • open the created Storage account
  • Data storage - Containers - New container
  • Name - container name (lowercase letters, numbers, and hyphen)
  • click on Advanced
  • Enable version-level immutability support - enable for using immutability
Azure portal - New container

Getting Access key

We can access the storage using an access key or Entra ID account.

  • open the created Storage account
  • Security + networking - Access key
  • for Veeam, we need Storage account name and one of the keys

Creating Backup Repository Azure Blob Storage

Adding Azure Blob Storage

  • Veeam Backup & Replication Console
  • Backup Infrastructure - Backup Repositories - Add Repository
  • select Object Storage - Hyperscalers - Microsoft Azure Storage - Azure Blob Storage
  • Name - unique name and description of the storage
  • Account
    • Credentials - select or add access credentials to the Storage account (we can use Access key, here called Shared key)
    • Region - typically Azure Global (Standard)
    • Connection mode - choose the method of data transfer, either direct or through gateway
Veeam Backup & Replication - Add Object Storage Repository - Account
  • Container
    • Container - select a pre-prepared container for storing backups
    • Folder - select an existing folder or create a new one
    • Limit object storage consumption to - we can set a soft limit for storage usage, if the limit is exceeded, the running task will complete but a new one won't start
    • Make recent backups immutable - we can set the immutability period, the time during which stored data cannot be modified or deleted, GUI allows setting 1 to 90 days, longer periods can be set using PowerShell
    • Use cool blob storage tier (may result in higher cost) - for certain situations we can use this option, but we must consider costs vs. usage
Veeam Backup & Replication - Add Object Storage Repository - Container
  • Mount Server - select mount server and its parameters for file and application item recovery, using the Configure button we can set up a Helper Appliance that will be temporarily deployed in Azure for health check and retention application
Veeam Backup & Replication - Add Object Storage Repository - Mount Ser
  • Review - click Apply and installation and configuration of all required components will proceed

Backup Job

Backup Repositories

Overview of created repositories.

Veeam Backup & Replication - Backup Repositories

Creating Backup Job

We create a backup job in the standard way, for example according to Veeam Backup & Replication - Backup Job. As Storage - Backup repository we select our Azure Blob Storage Repository or S3 Compatible Repository. Backup immutability will be at least as long as the Immutability period set on the storage (Backup Repository).

Veeam Backup & Replication - New Backup Job - Storage

Backups - Object Storage

After performing a backup job, we will see created backups in the Object Storage folder.

Veeam Backup & Replication - Backups - Object Storage

Attempting to Delete Backup Files

When we try to delete a backup in Veeam Backup & Replication, the deletion won't occur and we'll receive information that Immutability is set until a certain date. For testing, I set the Immutability period to only 1 day, yet it shows that the file is immutable for 11 days. The explanation is in Block Generation.

Veeam Backup & Replication - Immutability - delete from backup

Object Storage

Storing Backups

Object storage doesn't work with files but with objects. Veeam divides backup files into blocks of a certain size and uploads them as objects. Immutability is set for each object. By default, Veeam works with a block size of 1 MB, and each block is then compressed. The result is many objects of up to 1 MB in size.

During incremental backup, only new or changed data is uploaded as new objects. For existing data, only the immutability date is updated. To save I/O operations, Veeam adds several days to the immutability expiration date. This is referred to as Block Generation.

S3 Browser - Veeam backup files - objects

Accessing Objects on S3 Compatible Object Storage

As a tool for managing S3 storage, we can use for example AWS CLI, S3 Browser GUI, or Rclone. S3 Browser is recommended in many places as it's handy and convenient. The website states that a freeware version is available, but after installation, it's indicated that it's only for non-commercial use. It also has various limitations, for example, it doesn't allow deleting multiple objects at once.

S3 Browser allows deleting object versions on the Versions tab. And it also allows deleting the entire bucket, even if it contains objects or their versions.

S3 Browser

Accessing Objects on Azure Blob Storage

Directly in the Microsoft Azure portal under Storage account there is a Storage browser (or we can directly open a specific container) that allows working with objects. More options are offered by the Azure Storage Explorer application.

The screenshot below shows an unsuccessful attempt to delete backup data.

Azure portal - Storage account - Storage browser