I’ve just completed watching the Veeam v12 Data Platform Launch Event keynote and one theme I feel is getting a lot of chatter is the new “Direct to object storage” capabilities of the release. What this means is that as I create backups of my production data the first copy that is made is written to object storage. I’ve written quite a bit about v12 and object storage before, both in how to setup and consume it in the performance tier of Scale Out Backup Repositories as well as comparing copy mode object storage and Veeam Cloud Connect Backup, but this is not that. Direct to object storage is the idea that you write your first backup copy of production data to object storage, rather than as a secondary copy.

Anton Gostev himself highlighted this as a favorite feature and outlined that there are limited uses cases where it should be used. As a long time Veeam administrator and of late an architect of their largest Service Provider partner I have some thoughts into what those use cases should and should not be that I’d like to share.

The Do’s

✅ On Premises Backup Repository

The first and in my opinion most exciting use case for direct to object storage capabilities is as a replacement for your old block based on premises backup repositories. Object storage has numerous benefits over traditional storage servers using NTFS, ReFS or even XFS. These include true object-lock backed immutability, real scalability in that you simply continue to add nodes to the cluster as needed and API first, automation driven provisioning.  All these things can combine to a scalable, secure, and durable on premises backup storage location.

✅ Distributed Workforce Agent Backups

As we find ourselves in the world of remote work in 2023 systems administrators have more concerns than in the past about protecting those laptops that our remote workers are using as critical company data further escapes the datacenter. By combining Veeam Backup and Replication v12, Veeam Service Provider Console v7 and public object storage services such as 11:11 Systems’ offering we can create a robust solution for managing these backups securely and at scale with self-service capabilities included.

✅ NAS Backups

As much as cloud-based storage services such as OneDrive, Google Drive and Dropbox have become prevalent in modern IT there are still a lot of traditional Network Attached Storage file servers around. The problem is these are usually measured in 100s of TBs and backups don’t scale well in any case. In this case I believe it’s appropriate to back these up via the NAS backup feature of VBR directly to immutable cloud-based object storage. Recoverability is in terms of files as opposed to needing to write Virtual Machines to a hypervisor so far more appropriate.

The Don’ts

Now that we’ve covered what are good use cases let’s talk about some things that should not be considered from a best practices point of view but are technically possible.

❌ Cloud-Based Object Storage for First Backup

There are going to be people who begin wanting to get rid of the on-premises backups all together and replace them with low-cost cloud object storage. While the immutability and ease of scale are tempting, don’t. Just don’t. Recovery from this for any backup platform would be painful at best, unsuccessful at worst. Further you lose so much of the power of Veeam Backup & Replication by doing this with capabilities such as Instant Recovery and SureBackup instantly going away.

❌ Remote Office/Branch Office (ROBO) Server Backups

One of the use cases specifically called out by Gostev for direct to object storage was the ROBO server. While I respect him very much, I do have to disagree with him here. As someone who’s had to restore this scenario in anger the pressure will be on in most if not all these situations to get that server back up and running as fast as possible, probably in your production datacenter with some creative networking setup, to get that remote location back up and in business as soon as possible. By and large direct to cloud-based backups for virtual machines or server grade agents should not in my opinion be considered as you quickly become limited in recoverability choices. If you cannot either back these up first to a small NAS unit at the ROBO or to storage available in your production location, then VCC-B may be interesting as a first write backup. While definitely not preferred at least things like Instant Recovery to Cloud Director can be an option to get these workloads available sooner.

Conclusion

While writing backups from Veeam Backup & Replication v12 directly to object storage is an exciting innovation to the platform it is a capability that should be given a great deal of consideration before putting into production grade use. Features such as immutability and scalability will drive adoption what you are using it for is far more important than the hype.

With the upcoming version 12 release of Veeam Backup & Replication the platform will start to support object storage as a primary location for backups. This is not a new idea, it feels like we’ve been talking about this forever, but it is a radical shift for the company and frankly one that for reasons many in the Veeam Certified Service Provider community have been dreading. While I believe object storage has its place, even within a VCSP, it should not in general practice be a replacement for Veeam Cloud Connect as VCC-B and VCC-R offer capabilities and enhancements that object storage services all by themselves will never be able to replicate.

What is Veeam Cloud Connect?

It’s appropriate to level set on the technologies at hand first. Veeam Cloud Connect was first announced at VeeamON 2014 and became available through partners shortly thereafter. There are two sides to today’s Cloud Connect Service: Veeam Cloud Connect Backup (VCC-B) and Veeam Cloud Connect Replication (VCC-R).

Veeam Cloud Connect Backup allows for a service provider to provision a slice of cloud storage and securely provision that a customer as a tenant. That storage can have further enhancements such as Immutability if on Linux repositories or with v12 object storage and Insider Protection, an out-of-band temporary storage location for deleted cloud backups as part of a ransomware mitigation strategy. Once the tenant is provisioned on the SP side a customer only needs to enter 3 pieces of information to add that storage as a repository or repositories to their backup infrastructure. Afterwards they can simply target that repo for backup copy or in some situations even direct backup jobs.

Veeam Cloud Connect Replication is the same general concept as VCC-B, but just with VMs being stored directly in IaaS. Your Service Provider would provision quotas in a VMware Cloud Director or vCenter environment in which powered off copies of the source VMs are copied. These replicas maintain a shorter maximum number of restore points which are stored as snapshots on the replica.  In conjunction with either a VPN connection or the Veeam Network Extension Appliance you can extend your on-prem environment into your replicated IaaS one and run those systems remotely for several reasons.

Object Storage Review

Veeam has been slowly building support for object storage over a few releases now. In short order the progression has been:

• 9.5u4 (2019): Support for the ability to archive or dehydrate older restore points to object storage, known as move mode. This functionality is powered by the Scale Out Backup Repository (SOBR) construct in VBR, defining performance tier (on-prem block storage) and cloud or archive tier (object storage). With this support cloud tier can only support a single bucket per SOBR which can cause scaling issues.
  
• 10.0 (2020): Copy mode is added which allows that same SOBR to make an immediate copy of any restore point that hits the performance tier to be immediately copied to the cloud tier. This is commonly seen as the capability that best competes with the VCC-B functionality. Support for Immutability and mounting backups regarding cloud tier happens in this release as well.
• 11.0 (2021): Addition of support for Google Cloud Platform (GCP) Storage.
• 12.0  (2023): Host of improvements to object storage support.
  • Object in the performance tier with multiple buckets supported as extents.
  • Support for multiple buckets of the same type in the cloud tier.
  • Reconfiguration of the bucket folder structure to allow for optimized performance especially around API calls.

In all there has been a steady line of improvement and innovation towards object storage making it the first-class citizen it will be with v12’s release.

Verdict

All that begs the question, should I as a Veeam Backup & Replication administrator be migrating my offsite backups from Cloud Connect Backup to object storage? In my opinion, probably not. The compelling use case today regarding offsite backups is the same that’s been around since v10; if you are only sending a copy of backups offsite for the purpose of compliance, checking the box if you will, then object storage may be a good fit for you. It is exceptional in how it supports Object Lock (Immutability). Further it is more efficient than anything else to date in how it writes data which makes it well suited for on-premises storage if available, but for cloud copy usage the capabilities quickly fall off.

In the end my biggest reason why I would still choose VCC-B today is the restore scenarios. With Object Storage unless you are utilizing a VCSP like 11:11 Systems you aren’t going to be able to have the object storage close enough to a VMware native compute to facilitate timely restore. Your other options are the opposite ends of the spectrum; low cost providers who have no compute capabilities and may have extra charges that may apply to your organization depending on deletion.Data egress or API calls along with hyperscalers that do have compute adjacent but are a completely different architecture to vSphere are other concerns. These scenarios require conversion of backups to instances and rely on your IT staff having the skillset to securely create an environment for these workloads to run from.

When you consider the tiered approach to Disaster Recovery, pairing a broad spectrum copy of backups to VCC-B with Tier 0 or 1 targeted VCC-R you gain 2 things by sticking to VCC-B:

1. Support for seeding replicas from VCC Backups
2. A defined DRaaS environment pre-created for your organization that in the event of on-prem not being available that you can boot replicas quickly and less quickly begin restoring backups into.

While not necessarily as important as restorability one other major difference to be aware of is the ability to control how much of your on-prem backups you keep off site. Keep in mind that copy mode works on the principle that you want to keep everything you have on-site in an offsite location, so if you want to have 30 days on prem and 7,14,60, or 90 days offsite there really isn’t a path besides Grandfather-Father-Son (GFS) to get there with just copy mode. Further it’s going to be everything that targets the given repository, if you have VMs you don’t necessarily want to keep off prem (think of like a door control system that does you no good anywhere but in the physical location) your only option is to create separate repositories and jobs. With VCC-B and backup copy all these things can be done in a very granular manner.

Finally, you have the issue of expertise. While many of us might be conversant in object storage and how it works you may not necessarily know the ins and outs of bucket policy, ACLs, versioning, etc. It’s a technology you do need to know but when it comes to backups and especially the need to restore them in anger using Veeam Cloud Connect not only gets you an easy path to restore. VCSP employs experts in Veeam software and access to this expertise with best practices for Veeam backups and replicas can be critical, ensuring a more seamless restoration of services when the pressure is already on.

Conclusion

While the promise and the capabilities of object storage are exciting as of the v12 release Veeam Cloud Connect Backup offers many more options when it comes to the restore and management of your backup data and for that reason should still be the go-to for offsite backup copies. If you are wanting to begin leveraging the technology an on-premises object storage platform for your local backups is a far better solution and can give you an out of the box upgrade to what you are using today.

In the time of ransomware and and cybersecurity attacks being in the news almost daily things like our disaster recovery applications have to start taking those protections very seriously. Often the easiest rung to reach in terms of good application security is having Multi-Factor Authentication (MFA) required for logins. For most MFA is old hat but for those unfamiliar modern MFA can take various forms including:

• SMS One Time Passcode (OTP): codes that are pushed from the website to you via SMS text messages. Better than nothing but easily spoofable.
• OTP Apps: apps such as Google Authenticator, Authy or 1password that provide the codes based on scanning a QR code typically to setup then using your mobile device to generate the code
• Push MFA: apps such as Duo or Gmail that when you authenticate it triggers a push notification to a particular instance of a mobile app that is also authenticated

With Veeam’s upcoming v12 release of Veeam Backup and Replication they are now supporting OTP App MFA in their console application. This takes a little bit of setup and in my particular case is a little quirky to setup but it does definitely work. Let’s walk through how to put this in effect.

Enable MFA in VBR v12

1. Once you have v12 Console installed, either the local or remote version, open it and navigate to Users and Roles

2. MFA in VBR is not supported with any use of groups. By default members of the local Adminstrators group are given the Veeam Backup Administrator role so we need to start by adding your own login first. You can do this with the Add… button.

If you weren’t already aware you’ll notice that there are number of roles that can be selected. More information about what each of these can do is available in the helpcenter documentation.

Bug: One other thing I’ll add here is that I noticed a quirk in some of our setups. If you use the browse method and if for some reason the NetBIOS domain is not just the portion before the first dot in the FQDN domain (for example prem for prem.lab.internal) then by default the User or group in the blank above is filled in incorrectly. In a few of our test environments we use the full FQDN without the dots as the NetBIOS name and it led to some issues that were easily fixed by just typing the correct domain in the blank. This feedback has been shared and I imagine it will be fixed before GA.

2a. If by chance you do not remove the groups before enabling MFA and hitting OK you will be presented with an error. Again, simply remove the groups to get past this.

3. It is important to understand that once you protect an account with MFA you will not be able to use it with automation methods such as PowerShell. To allow for this you will need to create an automation specific user, preferably with a very robust and often changed password, and set it in VBR as a service account to disable MFA. Complete adding your needed users and check the “Require two-factor authentication for interactive logon” to complete the server setup portion.

4. Once you setup your accounts in Veeam Console you will need to close out and relaunch to get into the MFA registration wizard. You would do this as you normally would, either using Windows session authentication or filling in the username and password.

5. Once you hit Connect you will get the standard MFA QR code for registration. Simply open the app of your choice and add by scanning the QR code then supply an active confirmation code to complete setup.

And with that you have now enabled 2 factor authentication for your Veeam Backup and Replication Users. You can potentially increase this further by not giving permissions to the user’s Windows logon account but instead doing a secondary, application specific account making them type in a username and password in step 4 above. With that you would have to authenticate to Windows, authenticate to Veeam and then provide an MFA code. That would all just depend on your organization’s security needs.

Conclusion

At the end of the day security practices should be a part of everything we do as IT and Disaster Recovery administrators. Little things like requiring MFA for our critical backups add up to a well design, layered security model.

As we come upon the end of the year, we are also getting closer and closer to Veeam’s latest release of their flagship product, Veeam Backup & Replication v12. Here at 11:11 Systems we have been testing quite a bit with the beta code as it has been released because there are quite a few features to really be excited about here. For me personally the biggest is being able to use object storage as a first hit repository and to be able to scale them out.

If you are not yet familiar with object storage now is the time. Object storage provides a good deal of native capabilities we’ve never had when using block-based storage (like volumes and partitions). These include:

• Immutability
• Versioning
• Consumption based pricing model

What this means to your backup plans is that you will have more capabilities, while being more agile in pricing.

Flavors of Object Storage

There are several ways to purchase and consume object storage. The hyperscale cloud names you are probably most familiar with: Amazon’s AWS (Amazon Web Services) S3 and Microsoft’s Azure Blob. But these providers can have several potentially unexpected costs around data egress, API call limits, and in some cases how long you store the data. As we all know with IT and disaster recovery, a good deal of our decisions come down to cost and budgeting, so having unexpected bursts can be a challenge.

With 11:11 Object Storage, you get access to a robust, performant object storage service that while competitively priced is flat rated with nothing hidden. Our service and others that use the AWS S3 API structure are commonly called S3 compatible. This means that they support the same calls and automation capabilities as S3 but may have differing architecture.

Finally, there are also a few physical device manufacturers such as Pure Storage, Cloudian and Object First that will sell you arrays for on-premises object storage. With the 3-2-1 backup model it may be worth considering an on-prem option for your first hit of backups before copying to the cloud.

Optimizing for Performance

One consideration as we begin to look at object storage for backup data is that depending on the platform the service is built on, there may be performance considerations as buckets scale in number of objects. In previous versions of VBR only a single bucket was supported for the capacity or archive tier. In this latest version, multiple buckets will be supported per tier, a move that is anticipated to enhance performance.  At 11:11 Systems,  we have put a great deal of work into overcoming limitations both in object storage itself but also how Veeam software integrates with it to the point that we consider it as performant if not more so than most other offerings in this space. This includes taking an active role in the open source Ceph project that powers our service.

As I began working on testing this capability, I realized that I was spending a lot of time creating buckets, creating repositories, and then ultimately creating SOBRs full of repositories. In speaking with my friend Joe Houghes we realized we were both doing the same things and so we collaborated on scripting this capability, the final product of which can be found in this GitHub repository. If you do choose to use this, please provide feedback through GitHub.

While the code is great, the takeaway you should consider here is that Object Storage as the repository portion of your VBR Infrastructure is coming. With that great capability comes great consideration and you should look to work with experts to assist you with these changes. You should also begin to educate yourself on the key capabilities and differences.

In the past few years Immutability, the concept of making data unable to be deleted or modified, has been a core tenant of disaster recovery design and has driven the rise of Object Storage for backup purposes. To this point in the Veeam ecosphere immutability has been contained to traditional Infrastructure backups, virtual machines, and cloud native instances, but there has been a great appetite for this capability to apply to SaaS backups as well.

With the upcoming v7 release of Veeam’s Backup for Microsoft365 (VB365) the product now has a method of allowing true, verifiable immutability or object-lock on backup sets. In their interpretation of how to make this capability happen Veeam has incorporated a long known best practice for all things backup, adhering to the 3-2-1 backup methodology where there are 2 copies of the backup. This happens because immutability can only occur on the secondary copy of the backup set, leaving the primary set on unlocked, performant object storage to ensure that recovery operations are capabilities in a optimized manner.

So What’s Changed?

Starting with VB365 v6 support for backup copies have been available but only in very limited situations. First the backups must land in Azure Blob or Amazon S3 for the first copy, second the copies could only go to related secondary locations. For example, backups residing in AWS S3 could only be copied to S3, S3 Infrequent Access or AWS Glacier storage. Further while these backups could be encrypted, they could not have the object-lock attribute, the object storage attribute that powers immutability, set.

With VB365 v7 both statements have changed. First backup copies can now land on Azure, S3 or any S3 compatible backup storage that supports the necessary functions of the S3 API. Further those backups can now optionally have the object-lock attribute set at the object repository level, with the immutability expiration automatically set to the duration of the retention period. In other words, unlike Veeam Backup and Replication where retention points are set at the job level and immutability is set at the repository level, with VB365 both are set together at the repository level.

VB365 Immutability in Action

1. Add primary object storage and backup repository. On this repository is when you want to set your long-term retention as needed.  Repeat the process until you have repositories to support your organization’s backup needs in accordance with best practices for maximum supported objects per repository.

2. Add your secondary object storage and VBO repositories. These should arguably be setup in a different object storage environment as your primary copy but still well connected. Because you will be writing data that is set to object-lock for the retention period of the repository you should consider the shortest retention period here in accordance with your organization’s data policy and standards.

3. Create backup jobs targeting your primary backup repositories. These will automatically copy to the secondary repository and become immutable as it is written.

Conclusion

This capability is going to be a game changer for everyone who uses VB365 to protect their M365 workloads. While this capability is only supported for VB365 data residing on object storage there’s an argument to be made that if you haven’t already moved or reseeded that data to object by now you should be working on it. Customers will be able to maintain a secondary copy of their backup sets on disparate systems to ensure the durability of their backups. If you can’t tell I’m actually very excited by this capability and look forward to using it in production!

Unless you’ve had your head stuck in the sand you probably have heard at this point that Microsoft has been trying numerous times to kill the Basic Authentication method for application integration into M365. While they tried and then delayed quite a few times the latest date of October 1, 2022 seems to be sticking so you do need to prepare for this. 

As someone who fortunately/unfortunately has to think far too much about data protection of things like M365 this is something that has been a big part of my day to day conversations as I tend to work a good deal with this in regards to Veeam’s Backup for Microsoft365 product. 

Let’s start with the good news: Working with what  in Veeam vocabulary is “Modern Only” authentication is probably the easiest and most robust way to let  Veeam organization configuration interact with your Microsoft365 organization. No more need to manually create and register Azure applications, no need to go through a laundry list of Exchange, Sharepoint and Graph API permissions, all of that is automatically created and managed through the registration process. Further modern application authentication also allows for MFA authentication at registration with any administrator level account in your organization without Veeam ever needing to record or manage those accounts. So all that is great but there are some drawbacks as well.

Unfortunately there are still a few things where Microsoft hasn’t achieved feature parity with the old method of authentication, most notably support for protecting Exchange Public Folders. This and other limitations of the API only method are outlined in Veeam’s handy KB3146.

In my day job at iland cloud we’ve been able to extend support for Modern Authentication to our own console that leverages the Veeam VB365 APIs. It’s relatively easy to and in short you

1. Choose to Update MS Credentials from the Action menu of your M365 Organization in the iland console.
2. Choose Modern Application Authentication Only, select the data types you wish to protect and then provide a name for your application that will be created in Azure Active Directory.
3. Login to Microsoft’s device authentication portal using your M365 administrator credentials and the provided device code.
4. Confirm that you are authenticating with Azure CLI.
5. Close the device authentication portal window when prompted and hit submit in the iland console.

This isn’t some magical black box, messing with your organization’s security without any ability to see what is happening. If you navigate to Azure Active Directory and Enterprise Applications you will find your created application there and you can review and document as needed any permissions and roles added. Understand that future builds/versions of Veeam Backup for M365 may require new permissions (the new Graph Teams Export API coming in 6a immediately comes to mind) so this will not be a completely static list but you will need to authenticate to the application any time changes will need to be made, we have no ability or rights to do this on our own.

And that’s it! Once you authenticate the created application’s token is saved to the underlying VB365 server and your jobs will continue working as they always have. This will also be the methodology for any restores you need to perform to M365 going forward, giving you an additional level of security in that any restores will require not only a user with administrative rights but also have Multi-Factor Authentication enabled as well. Enjoy and happy data protecting!

Microsoft has recently created documentation about changes coming to the Microsoft Graph API relating to Teams chat. In short the current method of backing up Teams chat will be decommissioned and it will be replaced by what is called the Teams Export API. This API will have fees associated with its use and those fees will be assessed directly by Microsoft against the M365 account in a burst method. 

In response to that Veeam has released guidance as to how this will be handled with their Veeam Backup for Microsoft365 product on which our Secure Backup for Microsoft365 product is based. This will take effect on the Veeam side from version 6a forward. It is anticipated that 6a will be released July/August 2022 time frame. It is unknown at this time when iland will be installing this to our VB365 environments.

While I’m writing this post with Veeam Backup for Microsoft365 in mind because they’ve released KB 4322, it’s important to note that this isn’t just a problem for Veeam, any vendor doing chat level backup for M365 is going to be running into this.

Costs

Microsoft has outlined a number of models in their document for how costs will be incurred for consuming this API. Due to Microsoft’s not considering data protection a Security & Compliance use case Veeam and any other M365 backup vendor will need to use the “Model B” as outlined here. This model provides access to backup channel based chat messages across the platform. Veeam does not at this time support backup of 1:1 or 1:many direct messages so this use case is out of scope.

When you get down to it what any Microsoft 365 customer are going to care about is cost. Once your organization begins being processed by the new API you charges will be paid through your organization’s Microsoft account on a per message rate directly to Microsoft. It is known that the cost per message will be $0.00075 per message and it is anticipated at this time that messages being sent to a channel will be considered “Group” data and as such will only incur cost on a per message basis. If at some point in the future Veeam supports protecting direct 1:1 and 1:many chats then these will be charged as per message x # of users who receive it.

So, When?!?

Tentatively I’m hearing that this should take full effect and the cutoff of the old method will begin on October 1, 2022 just like Basic Authentication depreciation. As for when costs will begin being incurred for the “Model B” API hits starting on July 5, 2022. At some point between those 2 VB365 6a will be released.

It is worth noting that regardless of if you have opted in or not Veeam will not be able to enable the Teams Chat option for you upon upgrade of 6a because it requires new permissions. They will notify you upon install if it detects you were backing up Teams Chat before so that you can investigate what you need to do.

Microsoft 365 Customer Responsibility

With this new model Customers will be required to “opt-in” as described in Veeam KB 4322 by requesting access to the Graph Export API. It is anticipated that from the beginning of requesting access to the API and then Microsoft granting it may take take up to 2 weeks.

Further once this process has been completed customers will need to access their organization in VB365 and re-authenticate to the organization to enable Teams Chat support and grant the new permissions necessary. As Microsoft is also beginning to depreciate the Basic Authentication method in the same time frame you may have to do this anyway.

Finally as mentioned above once and if a customer chooses to backup Teams chat the customer will need to access their jobs and select to backup Chats on a per job, per channel basis. Any existing jobs prior to the upgrade will have this new, granular Chats option available per channel but disabled, having the effect of turning off Teams Chat backup. This option was not available before as Chat was just a portion of the overall service. This is actually a positive in that they will have more granular ability to choose when and where to enable chat backup to minimize costs.

Conclusion

In the end this stinks horribly and Microsoft has made some changes that I’m sure are going to have their customers in a bind and thinking about options. Beginning with not considering data protection to be a Security and Compliance need (thus excluding partners from considering the Model A option) and carrying through the “I’ve got to go fill out an Office Forms doc and in a couple of weeks somebody will grant me access” workflow all of this screams “I don’t really care about you.” For those of us in a Service Provider or large enterprise space this hasn’t exactly been a long runway of potentially large scale impact on the cost of our services.

In my last post, Configuring Veeam Backup & Replication SOBR for Non-immutable Object Storage, I covered the basics of how to consume object storage in Veeam Backup & Replication (VBR). In general this is done through the concept of Scale-out Backup Repositories (SOBR). In this post we are going to build upon that land layer in object storage’s object-lock features which is commonly referred to in Veeam speak as Immutability.

First, let’s define immutability. What the backup/disaster recovery world thinks of as immutability is much like the old Write Once, Read Many (WORM) technology of the early 00’s, you can write to it but until it ages out it cannot be deleted or modified in any way. Veeam and other backup vendors definitely treat it this way but object-lock under the covers actually leverages the idea of versioning to make this happen. I can still delete an object through another client but the net effect is that a new version of that object is created with a delete marker attached to it. This means that if that were to occur you could simply restore to the previous version and it’s like it never happened.

With VBR once Immutability is enabled objects are written with Compliance mode retention for the duration of the protected period. It recognizes that the object bucket has object-lock enabled and then as it writes it each block is written with the policy directly rather than assuming a bucket level policy. If you attempt to delete a restore point that has not yet had its retention policy expire it won’t let you delete but instead gives you an error.

Setting up immutability with object storage in Veeam is the same as with non-immutability but with a few differences. This starts with how we create the bucket. In the last post we simply used the s3 mb command to create a bucket, but when you need to work with object-lock you need to use the s3api create-bucket command.

% aws --endpoint=https://us-central-1a.object.ilandcloud.com --profile=premlab s3api create-bucket --bucket premlab-sobr-locked-copy --object-lock-enabled-for-bucket

Once your bucket is created you will go about adding your backup repository as we’ve done previously but with one difference, when you get to the Bucket portion of the New Object Store Repository wizard you are going to check the box for “Make recent backups immutable” and set the number of days desired.

You now have an immutable object bucket that can be linked to a traditional repository in a SOBR. Once data is written (still the same modes) any item that is written is un-deleteable via the VBR server until the retention period expires. Finally if I examine any of the objects in the created bucket with the s3api get-object-retention command I can see that the object’s retention is set.

% aws --endpoint=https://us-central-1a.object.ilandcloud.com --profile=premlab s3api get-object-retention \
--bucket premlab-sobr-locked-copy \
--key "Veeam/Archive/premlab-sobr-locked-copy/cc846946-5315-4d7a-bb3d-22bac6da3102/2f906844-5990-4485-a59b-6dd6ade9afd7/blocks/6da2de41248d47446cd3609625a8b69e/1035.371def52c773e7d026675a6f17ec9016.00000000000000000000000000000000.blk"
{
    "Retention": {
        "Mode": "COMPLIANCE",
        "RetainUntilDate": "2022-03-06T18:30:06+00:00"
    }
}

Veeam Backup & Replication (VBR) currently makes use of object storage through the concept of Scale-Out Backup Repositories, SOBR. A SOBR in VBR version 11 can contain any number of extents as the performance tier (made up of traditional repositories) and a single bucket for the capacity tier (object storage). The purpose of a SOBR from Veeam’s point of view is to allow for multiple on-premises repositories to be combined into a single logical repository to allow for large jobs to be supported and then be extended with cloud based object storage for further scalability and retention.

There are two general modes for object storage to be configured in a SOBR:

• Copy Mode- any and all data that is written by Veeam to the performance tier extents will be copied to the object storage bucket
• Move Mode- Only restore points that are aged out of a defined window will be evacuated to object storage or as a failure safeguard only when the performance tier extents reach a used capacity threshold. With Archive mode within the Veeam UI the restore points all still appear as being local but the local files only contain metadata that points to where the data chunks reside in the bucket. The process of this occurring in Veeam is referred to as dehydration.

In this post let’s demonstrate how to create the necessary buckets, how to create a SOBRs for both Copy and Move modes without object-lock (Immutability) enabled. If you haven’t read my previous post about how to configure aws cli to be used for object storage you may want to check that out first.

1. Create buckets that will back our Copy and Move mode SOBRs. In this example I am using AWS CLI with the s3 endpoint to make the buckets.

% aws --endpoint=https://us-central-1a.object.ilandcloud.com \
      --profile=premlab s3 mb s3://premlab-sobr-unlocked-copy
make_bucket: premlab-sobr-unlocked-copy
% aws --endpoint=https://us-central-1a.object.ilandcloud.com \ 
      --profile=premlab s3 mb s3://premlab-sobr-unlocked-move
make_bucket: premlab-sobr-unlocked-move

2. Now access your VBR server and start with adding the access key pair provided for the customer. You do this in Menu > Manage Cloud Credentials.

3. Click on Backup Infrastructure then right click on Backup Repositories, selecting Add Backup Repository.

4. Select Object Storage as type.

5. Select S3 Compatible as object storage type

6. Provide a name for your object repository and hit next.

7. For the Account Settings screen enter the endpoint, region and select your created credentials.

8. In the Bucket settings window click Browse and select your created bucket then click the Browse button beside the Folder blank and create a subfolder within your bucket with the “New Folder…” button. I’ll note here do NOT check the box for “Make recent backups immutable for…” here as the bucket we have created above does not support object-lock. Doing so will cause an error.

9. Click Apply.

10. Create or select from existing traditional, Direct Storage repository or repositories to be used in your SOBR. Note: You cannot choose the repository that your Configuration Backups are targeting.

11. Right click on Scale-out Backup Repositories and select “Add Scale-out Backup Repository…”

12. Name your new SOBR.

13. Click Add in your Performance Tier screen and select your repository or repositories desired. Hit Ok and then Next.

14. Leave Data Locality selected as the Placement Policy for most scenarios.

15. In the Capacity Tier section check to Extend capacity with object storage and then select the desired bucket.

16. (Optional but highly recommended): Check the Encrypt data uploaded to object storage and create an encryption password. Hit Apply.

17. This will have the effect of creating an exact copy of any backup jobs that target the SOBR both on premises and into the object store. To leverage Move mode rather than Copy you simply check the other box instead/in addition to and set the number of days you would like to keep on premises.

Now you simply need to target a job at your new SOBR to have it start working.

In conclusion let’s cover a bit about how we are going to see our data get written to object storage. For the Copy mode example it should start writing to data to the object store immediately upon completion of each run. In the case of leveraging Move mode you will see objects written after the run after the day specified to move archive. For example if you set it to move anything older than 7 days on-prem dehydration will occur after the run on day 8. These operations can be seen in the Storage Management section of the History tab in the VBR console.

Further if I recursively list my bucket via command line I can see lots of data now, data is good. 😉

% aws --endpoint=https://us-central-1a.object.ilandcloud.com --profile=premlab s3 ls s3://premlab-sobr-unlocked-copy/ --recursive

In my last post I worked through quite a few things I’ve learned recently about interacting with S3 Compatible storage via the CLI. Now that we know how to do all that fun stuff it’s time to put it into action with a significant Service Provider/Disaster Recovery slant. Starting with this post I’m going to highlight how to get started with some common use cases of object storage in Backup/DR scenarios. In this we’re going to look at a fairly mature use case, with it backing Veeam Backup for Office (now Microsoft) 365.

Veeam Backup for Microsoft 365 v6, which was recently showcased at Cloud Field Day 12, has been leveraging object as a way to make it’s storage consumption more manageable since version 4. Object also provides a couple more advantages in relation to VBM, namely an increase in data compression as well as a method to enable encryption of the data. With the upcoming v6 release they will also support the offload of backups to AWS Glacier for a secondary copy of this data.

VBM exposes its use of object storage under the Object Storage Repositories section of Backup Infrastructure but it consumes it as a step of the Backup Repository configuration itself, which is nested within a given Backup Proxy. I personally like to at a minimum start with scaling out repositories by workload (Exchange, OneDrive, Sharepoint, and Teams) as each data type has a different footprint. When you really need to scale out VBM, say anything north of 5000 users in a single organization, you will want to use that a starting point for how you break down and customize the proxy servers.

Let’s start by going to the backup proxy server, in this case the VBM server itself, and create folder structure for our desired Backup Repositories.

Now that we have folders let’s go create some corresponding buckets to back them. We’ll do this via the AWS S3 CLI as I showed in my last post. At this point VBM does not support advanced object features such as Immutability so no need to be fancy and use the s3api, but I just prefer the command structure.

Ok so now we have folder and buckets, time to hop in to Veeam. First we need to add our object credentials to the server. This is a simple setup and most likely you will only need one set of credentials for all your buckets. Because in this example I will be consuming iland Secure Cloud Object Storage I need to choose the “S3 Compatible access key” under the “Add…” button in Cloud Credential Manager (menu> Cloud Credentials). These should be the access key and secret provided to you by your service provider.

Now we need to go to Backup Infrastructure > Object Storage Repositories to add our various buckets. Start by right clicking and choose “Add Object Storage.”

Now simply repeat the process above for any and all buckets you need for this task.

Now that we have all our object buckets added we need to pair these up with our on premises repository folders. It’s worth noting that the on-prem repo is a bit misleading, no backup data as long as you use the defaults will ever live locally in that repository. Rather it will hold a metadata file in the form of a single jetDB file that service as pointers to the objects that is the actual data. For this reason the storage consumption here is really really low and shouldn’t be part of your design constraints.

Under Backup Infrastructure > Backup Repositories we’re going to click “Add Repository..” and let the wizard guide us.

One note on that final step above. Often organization will take the “Keep Forever” option that is allowed here and I will say I highly advise against this. You should specify a retention policy that is agreed upon with your business/organization stakeholders as keeping any backup data longer than needed may have unintended consequences should a legal situation arise; data the organization believes to be long since gone is now discoverable through these backups.

Also worth noting item-level retention is great if you are using a service provider that does not charge you on egress fees because it gives you more granular control in terms of retention. If you use a hyperscaler such as Amazon S3 you may find this option will drive your AWS bill up because of a much higher load on egress each time the job runs.

Once you’ve got one added again, rinse and repeat for any other repositories you need to add.

Finally the only step left to do is create jobs targeting our newly created repositories. This is going to have way more variables based on your organization size, retention needs, and other factors than I can truly do justice in the space of this blog post but I will show how to create a simple, entire organization, single workload job.

You can start the process under Organizations > Your Organization > Add to backup job…

Once again you’d want to repeat the above steps for all your different workload types but that’s it! If we do a s3 ls on our s3://premlab-ilandproduct-vbm365-exch/Veeam/Backup365/ilandproduct-vbm365-exch/ full path we’ll see a full folder structure where it’s working with the backup data, proving that we’re doing what we tried to do!

In conclusion I went way into depth of what is needed here but in practice it isn’t that difficult considering the benefits you gain by using object storage for Veeam Backup for Microsoft365. These benefits include large scale storage, encryption and better data compression. Hope you find this helpful and check back soon for more!