IBM & Red Hat on AWS

Enabling Resilient, Secure, and Agile Workloads with Veeam Kasten and Red Hat OpenShift Virtualization on Red Hat OpenShift Service on AWS (ROSA)

As enterprises accelerate their cloud-native journeys, the need for robust, secure, and flexible data protection solutions becomes paramount. Red Hat OpenShift has emerged as the standard for cloud-native orchestration, offering unified management for both containerized and virtual machine (VM) workloads. With the advent of Red Hat OpenShift Virtualization on Red Hat OpenShift Service on AWS (ROSA), organizations can now run VMs alongside containers, unlocking new levels of agility and choice.

In this blog post, we explore how Veeam Kasten, deployed on Red Hat OpenShift both on-premises (OCP) and in the cloud (ROSA), empowers organizations to protect, migrate, and recover workloads across heterogeneous environments. We’ll highlight Kasten’s cloud-native architecture, security-first design, and its unique capabilities for workload mobility, disaster recovery, and ransomware protection.

The Modern Enterprise Challenge: Unified Workload Management

Modern IT organizations face a dual challenge: supporting legacy applications in VMs while embracing cloud-native, containerized workloads. Red Hat OpenShift Virtualization, a feature of Red Hat OpenShift, bridges this gap, allowing VMs and containers to coexist on a single platform. This unified approach simplifies operations, supports “lift and shift” migrations, and enables future modernization strategies.

Red Hat OpenShift Virtualization leverages the proven Kernel-based Virtual Machine (KVM) hypervisor, integrating it natively into Kubernetes clusters. Whether deployed on-premises or in the cloud, Red Hat OpenShift Virtualization provides scalable, secure, and highly available infrastructure for diverse workloads.

Migrating to Red Hat OpenShift Virtualization: A Seamless Journey

Migration from traditional hypervisors to Red Hat OpenShift Virtualization is streamlined by the Red Hat migration toolkit for virtualization, which enables organizations to import VMs from vSphere, Red Hat OpenShift Virtualization, Red Hat OpenStack Services on OpenShift, and other sources directly into Red Hat OpenShift clusters. Once migrated, Veeam Kasten takes center stage, providing comprehensive backup, recovery, and mobility for these workloads.

Storage Considerations: Cloud-Native and Enterprise-Grade

Unlike legacy platforms that rely on datastores, Red Hat OpenShift Virtualization uses Kubernetes Persistent Volume Claims (PVCs) for VM storage. Most enterprise storage vendors offer CSI drivers, allowing organizations to leverage existing investments. For optimal performance and protection, storage should support features like VolumeSnapshots, Read/Write/Many (RWX) access, and Change Block Tracking (CBT).

Veeam Kasten integrates more seamlessly with storage solutions such as Amazon Elastic Block Store (EBS), Amazon Elastic File System (EFS) and Red Hat OpenShift Data Foundation, enabling incremental snapshots and efficient backup/restore operations. For EBS volumes, Kasten has built-in support for Change Block Tracking, delivering enhanced performance for backup and recovery operations. This flexibility helps ensure that organizations can meet performance, scalability, and data protection requirements across hybrid and multi-cloud environments.

Veeam Kasten: Cloud-Native Data Protection for Red Hat OpenShift

Veeam Kasten is purpose-built for Kubernetes, offering enterprise-grade data management for both containerized and VM workloads. Key capabilities include:

  • Backup and Restore: Protects cloud-native applications and business-critical data with policy-driven backups and rapid restores.
  • Disaster Recovery: Manages off-site backups to meet business and regulatory requirements, supporting hot-warm and hot-cold DR architectures.
  • Application Mobility: Enables seamless migration of applications and VMs between clouds and on-premises environments, supporting test/dev, load balancing, and upgrades.
  • Ransomware Protection: Leverages immutable object storage to ensure backup data remains unaltered and indelible.

Kasten’s deep understanding of cloud-native application design allows it to dynamically detect and protect workloads, even as components are added, rescheduled, or removed. Its application-centric approach ensures operational simplicity for both developers and operations teams, with management available via a web portal or Kubernetes-native API/CLI.

Furthermore, with the recent introduction of VM-centric capabilities and user interface, Kasten can help Virtualization and Backup Administrators easily transition their backup of workloads from traditional type-1 hypervisor virtualization backup solutions to Red Hat OpenShift Virtualization’s modern virtualization architecture.

Architecture overview

Security-First Design: Encryption, Immutability, and Compliance

Security is at the heart of Veeam Kasten’s architecture:

  • Always-On Encryption: Data is encrypted both in-flight and at-rest, using envelope encryption with unique AES-256-GCM keys per application and policy.
  • FIPS 140-3 Compliance: Kasten can operate in FIPS mode, leveraging approved cryptographic algorithms and RNG methods—critical for organizations with stringent security requirements.
  • Object Storage Immutability: Backups stored in Amazon Simple Storage Service (S3), Azure Blob, or S3-compatible storage can be made temporarily immutable, protecting against deletion or manipulation by ransomware or malicious actors.
  • Secure Software Supply Chain: Kasten provides a comprehensive Software Bill of Materials (SBOM) with every release and is available on PlatformOne IronBank, giving organizations a higher level of assurance that their backup infrastructure is secure.
  • Integrated Authentication and Granular RBAC: Kasten gives Backup Administrators and Security Professionals robust Role-Based Access Control (RBAC), with extremely granular controls implemented using cloud-native standards. Furthermore, integrating with Red Hat OpenShift OAuth or any OIDC provider ensures a unified experience for users, eliminating the redundancy of otherwise having to use multiple Identity and Access Management providers.

Integration with Red Hat Advanced Cluster Security for Kubernetes further enhances protection, allowing organizations to monitor, alert, and enforce policies around Kasten’s configuration and secrets.

Hybrid and Multi-Cloud Architectures: Flexibility Without Compromise

In collaboration with Red Hat and AWS, Veeam Kasten enables and empowers a hybrid approach: an on-premises Red Hat OpenShift cluster with Red Hat OpenShift Virtualization, paired with a secondary cluster on ROSA. Kasten Disaster Recovery exports catalog and configuration data hourly, with credentials stored securely in HashiCorp Vault or Amazon Key Management Service (KMS). Authentication is unified via Red Hat OpenShift OAuth, often backed by Okta, helping ensure more consistent identity management across clusters.

In the event of a disaster, workloads can be restored to the ROSA cluster, maintaining business continuity. When the primary site is restored, workloads can be migrated back, leveraging Kasten’s import policies for seamless transitions. This architecture can be extended to support on-premises-only, public cloud-only, or multi-site deployments, providing resilience against infrastructure failures and cloud provider outages.

Recovery use cases

Policy-Driven Protection: Backup, Recovery, and Mobility

Kasten uses policy-based constructs to define backup frequency, retention, and lifecycle management. Policies can target assets by namespace, label, or cluster scope, supporting granular protection for diverse workloads. Snapshot policies perform storage snapshot operations and capture application metadata, with backups stored both on-cluster and off-cluster in protocols such as S3 or NFS.

Disaster recovery is focused on the application and its data, rather than the underlying infrastructure. In hot-cold DR scenarios, a new Kasten instance is deployed on a greenfield Red Hat OpenShift cluster, and recovery is performed by restoring Kasten configuration and protected applications. Hot-warm architectures use scheduled import policies to minimize Recovery Time Objective (RTO).

Application and VM Mobility: Enabling Heterogeneous Environments

Kasten’s Transform Engine allows applications and VMs to be cloned or migrated within or across Red Hat OpenShift clusters. As workloads are restored in new environments, Kasten can adjust configurations—such as StorageClass, annotations, or replica counts—to accommodate infrastructure differences. This capability empowers organizations to leverage heterogeneous infrastructure for primary and secondary data centers, perform upgrades with minimal downtime, and support multi-cloud strategies.

Heterogeneous Environments

Ransomware Protection: Defense in Depth

Kasten’s security-first design includes:

  • Encryption: Always-on, with policy-unique keys and support for external Key Management Systems (KMS).
  • Immutability: Object Lock on supported storage systems prevents backup deletion or manipulation.
  • Monitoring: Integration with Red Hat Advanced Cluster Security for Kubernetes (RHACS) enables policy enforcement and alerting for unauthorized operations.

These features ensure that even if production data is compromised, backups remain secure and recoverable.
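
A check a defender can run against the bucket behind these backups, as an added example (not code from the original post or from Veeam Kasten): it evaluates the responses of the S3 `GetBucketVersioning` and `GetObjectLockConfiguration` calls and reports why a bucket would not hold backups immutable. The sample responses, the function names and the `required_days` threshold are assumptions made for the illustration.

```python
# Constructed sample responses in the shape returned by the S3 API calls
# GetBucketVersioning and GetObjectLockConfiguration (not real bucket data).
SAMPLE_VERSIONING = {"Status": "Enabled"}
SAMPLE_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}


def retention_days(default_retention):
    """Convert a DefaultRetention block (Days or Years) to days."""
    if "Days" in default_retention:
        return default_retention["Days"]
    return default_retention.get("Years", 0) * 365


def audit_backup_bucket(versioning, lock, required_days):
    """Return a list of findings; an empty list means the bucket passes.

    required_days is a hypothetical input: how long a backup must stay
    undeletable to outlast an intrusion (set it from your own policy).
    """
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled; Object Lock requires it")
    cfg = lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return findings
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if rule is None:
        # No bucket default: retention must then be set per object by the writer.
        findings.append("no default retention; verify per-object retention")
        return findings
    if rule.get("Mode") != "COMPLIANCE":
        findings.append("GOVERNANCE mode: principals holding "
                        "s3:BypassGovernanceRetention can still delete")
    if retention_days(rule) < required_days:
        findings.append(f"default retention {retention_days(rule)}d "
                        f"is shorter than required {required_days}d")
    return findings


if __name__ == "__main__":
    for finding in audit_backup_bucket(SAMPLE_VERSIONING, SAMPLE_LOCK, 14):
        print("FINDING:", finding)
```

In practice the two dictionaries would come from `aws s3api get-bucket-versioning` and `aws s3api get-object-lock-configuration` run with read-only credentials.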

Deployment Patterns: On-Premises, Cloud, and Beyond

Kasten and Red Hat OpenShift support multiple deployment patterns:

  • Hybrid: On-premises Red Hat OpenShift with Red Hat OpenShift Virtualization, paired with ROSA for DR.
  • On-Premises Only: Secondary site in an independent data center, with additional sizing considerations.
  • Cloud Only: Primary and secondary sites in different AWS regions or even clouds, mitigating provider outages.
  • Multi-Site: Hot-warm-cold or hot-hot-warm architectures, with synchronous replication and Kasten backup/recovery.

Each pattern can be tailored to meet organizational requirements for resilience, cost, and scalability.

Conclusion: Empowering the Cloud-Native Enterprise

Veeam Kasten, in conjunction with Red Hat and AWS, delivers a powerful, secure, and flexible solution for protecting, migrating, and recovering workloads across hybrid and multi-cloud environments with Red Hat OpenShift Virtualization on ROSA. Its cloud-native architecture, security-first design, and policy-driven management enable organizations to meet the demands of modern IT, ensuring business continuity, compliance, and agility.

Whether you’re modernizing legacy applications, embracing cloud-native development, or building resilient multi-cloud architectures, Veeam Kasten provides the foundation for success.

Ryan Niksch

Ryan Niksch is a Partner Solutions Architect focusing on application platforms, hybrid application solutions, and modernization. Ryan has worn many hats in his life and has a passion for tinkering and a desire to leave everything he touches a little better than when he found it.

Matt Slotten

Matt Slotten is a Principal Solutions Architect at Kasten by Veeam, bringing over 15 years of experience in cloud computing, DevSecOps, and IT infrastructure. He designs and implements cloud‑native data protection solutions that help organizations modernize and secure their environments across Kubernetes, virtualization, and hybrid cloud platforms. With deep technical expertise in cloud infrastructure, infrastructure‑as‑code (IaC), and web application development, Matt is passionate about learning, leveraging, and building open‑source technologies both professionally and in his spare time. He contributes actively to the community through technical content and education, including publishing on veeamkasten.dev and speaking at major industry events such as Nutanix .NEXT, Intel IT Modernization Summit, SUSECON, and VeeamON. Before joining Kasten by Veeam, Matt held several senior and leadership roles, including Director of Technical Marketing at Nutanix, Director of Technical Marketing at Checkmarx, Senior Manager of Nutanix Services, and Senior Consultant at Accenture. His background spans enterprise architecture, security modernization, and developer enablement, giving him a unique perspective on uniting infrastructure, operations, and security practices. Matt’s areas of expertise include Kubernetes, virtualization, cybersecurity, AI, and DevSecOps. Beyond his professional work, he remains committed to advancing the open‑source ecosystem and helping teams adopt technologies that improve resilience, agility, and innovation.