Using Veeam with AWS Storage services to store offsite backups
Many customers are using Veeam Backup & Replication to protect their on-premises infrastructure and want to reduce the amount of physical backup infrastructure that they need to purchase and maintain. They also want to ensure that their backups reside in highly durable, cost effective storage. AWS Storage services such as Amazon S3, AWS Storage Gateway, and AWS Snowball Edge seamlessly integrate with Veeam Backup & Replication to meet these needs.
Veeam Backup & Replication enables customers to automatically tier backups to Amazon S3 to help reduce their reliance and costs associated with more expensive on-premises backup storage. Initially released in January 2019 in version 9.5 Update 4, Veeam Backup & Replication has been used by customers such as Best Friends Animal Society (case study) to enhance their DR strategy while providing cost savings. In February 2020, Veeam released Veeam Backup & Replication Version 10, adding additional functionality to capacity tier. Capacity tier is an additional tier of storage that can be attached to a scale-out backup repository.
In this blog post, we review the options and best practices available to Veeam customers looking to integrate with AWS Storage services based on knowledge learned both in the lab and in the field. In addition, we discuss strategies to help you leverage Veeam Backup & Replication to recover your on-premises workloads in AWS as Amazon EC2 instances for disaster recovery (DR) purposes. By the end of this post, you should have a better understanding of how the integration between Veeam Backup & Replication with AWS Storage services works. You will also have information to decide on which approach would work best for your organizations use case, including any caveats to watch out for when implementing these integrations.
Let’s look into some of the concepts involved with Veeam Backup & Replication.
Scale-out backup repository (SOBR): A SOBR is a logical entity that consists of one or more backup repositories that are configured as tiers. A SOBR is used as a single target for backup and copy jobs. Customers must configure a SOBR that contains a performance tier that provides fast access to data with locally hosted backup repositories as direct-attach block storage, NAS storage, or a deduplication appliance. The SOBR also enables customers to define a capacity tier that is useful for long-term storage, where Amazon S3 is used as the object storage repository.
Veeam customers can also leverage AWS Snowball Edge as an object storage repository to seed large initial backups to Amazon S3. Snowball Edge is a small, rugged, and secure portable storage and edge computing device used for data collection, processing, and migration. Snowball Edge devices are purpose-built for moving multiple terabytes of data offline to AWS to overcome the challenge of limited bandwidth.Snowball Edge encrypts all data at rest with 256-bit encryption with keys provided by the customer using the AWS Key Management Service (AWS KMS). This can be helpful for customers with large volumes of on-premises backups who may not have the WAN bandwidth to complete the data seeding within an acceptable amount of time. Veeam customers who want to use Snowball Edge must be running Veeam Backup & Replication 10a, which was released in July 2020. For more information on how to set up Snowball Edge as an object storage repository, please review the relevant Veeam documentation.
Copy and move operations: Customers can choose to configure their capacity tier to have Veeam backups sent to Amazon S3 in two ways. Customers can immediately copy backups to Amazon S3 after the backup job has completed. Alternatively, they can move backups from the performance tier to Amazon S3 once the backup chain has been sealed and it is outside of a defined operational restore window.
|Copy operation to capacity tier
|Move operation to capacity tier
|Any backup (full, incremental, etc.)
|Sealed backup chains
|Upon completion of backup job
|Outside operational restore window
|Every four hours or on-demand
Backup chains: A backup chain consists of a full backup and any incremental backups taken after the full backup. Veeam considers a backup chain “sealed” when a new synthetic of an active full backup job completes.
Copy operations work in tandem with move operations. Once a backup chain is inactive, Veeam validates that data blocks reside in Amazon S3, and removes any data blocks residing on the performance tier, leaving behind only the metadata. In the event of a restore where the data blocks reside in Amazon S3, Veeam seamlessly recovers the data from Amazon S3, with no intervention required by the backup administrator.
Supported Amazon S3 storage classes and best practices
Veeam Backup & Replication Version 10 supports the ability to use the following Amazon S3 storage classes: Amazon S3 Standard, Amazon S3 Standard-Infrequent Access (S3 Standard-IA), and Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA). Most customers choose to place their data in Amazon S3 Standard or Amazon S3 Standard-IA. These storage classes offer low latency, high throughput performance, durability designed for 99.999999999% (11 9’s) across multiple Availability Zones, and low storage cost.
Customers may also choose to use S3 One Zone-IA. S3 One Zone-IA is for data that is accessed less frequently, but requires rapid access when needed. Unlike other Amazon S3 storage classes that store data in a minimum of three Availability Zones, S3 One Zone-IA stores data in a single Availability Zone. This results in costs 20% less than S3 Standard-IA. S3 One Zone-IA is ideal for customers who want a lower-cost option for infrequently accessed data but do not require the availability and resilience of S3 Standard or S3 Standard-IA. It’s a good choice for storing secondary backup copies of on-premises data or easily re-creatable data.
Customers should weigh the cost differences based on their need for access and requirement for availability when planning to use Amazon S3 with Veeam Backup & Replication. This Veeam whitepaper helps you take these costs into consideration when planning and budgeting for using Amazon S3 storage with Veeam Backup & Replication.
Note: Capacity tier does not support Amazon S3 Glacier and Amazon S3 Glacier Deep Archive at this time. If these Amazon S3 storage classes are required, customers are encouraged to use AWS Storage Gateway’s Tape Gateway, which is covered in the next section. In addition, Veeam does not support S3 Lifecycle policies to transition or expire objects in Amazon S3 buckets used in the capacity tier. Enabling these policies could result in backup and restore job failures if needed data has expired. It is also important to ensure that sufficient available WAN bandwidth exists between your on-premises Veeam Backup server and Amazon S3. Sufficient WAN bandwidth ensures that backup and restore jobs can complete within a time window that is appropriate for your organization.
Veeam object immutability
Another enhancement to Veeam Backup & Replication Version 10 is the object immutability feature that leverages Amazon S3 Object Lock in compliance mode. This feature can be enabled when defining an Amazon S3 storage repository in Veeam, and it enables customers to make backups immutable for a given number of days. This is a popular feature in that your Veeam backups are stored in Amazon S3 using a write-once-read-many (WORM) model. This prevents backups from being deleted, modified, or overwritten – either accidentally or willingly, such as a ransomware attack. It’s important to note that Amazon S3 buckets must have Object Lock enabled at the time of S3 bucket creation. If there is a need to enable Object Lock on an existing bucket, please open a case with AWS Support who can assist you further.
AWS Storage Gateway: Tape Gateway
Veeam Backup & Replication Version 10 also supports the ability to back up directly to an AWS Storage Gateway in virtual tape library (VTL) mode. Tape Gateway presents a VTL consisting of virtual tape drives and a virtual media changer to Veeam using iSCSI. Using Tape Gateway enables customers to take advantage of the Amazon S3 Glacier and Amazon S3 Glacier Deep Archive storage classes. These storage classes can be useful when data is expected to be recovered infrequently and if you can tolerate non-immediate retrieval times. Retrieval times are typically between 3-5 hours for tapes archived in S3 Glacier, and typically within 12 hours for tapes archived in S3 Glacier Deep Archive. Customers also use Tape Gateway with Veeam to seamlessly replace using physical tapes on premises with virtual tapes in AWS without changing backup workflows in Veeam.
Tape Gateway is typically deployed on premises as a virtual or hardware appliance. Tape Gateway stores virtual tapes in service-managed S3 buckets and caches virtual tapes on premises for low-latency data access. Tape Gateway transitions virtual tapes between Amazon S3 and Amazon S3 Glacier or Amazon S3 Glacier Deep Archive when you eject and export virtual tapes from Veeam.
Customers like Reiden Technik AG have successfully used Veeam Backup & Replication with Tape Gateway to simplify their backup process and reduce their legacy backup infrastructure. By archiving virtual tapes in S3 Glacier Deep Archive, they also save on their storage costs:
“We run an extensive IT environment that is constantly growing. With our old backup infrastructure, comprised of large external spinning disks, manual handling, and rotation of USB drives to an offsite vault, we hit our limits with regards to storage size. We found AWS Storage Gateway’s Tape Gateway capability to be the ideal solution for us as it integrates well with our VEEAM backup. The Tape Gateway installation was fast and easy, and we were able to automatically save and archive our entire infrastructure on a weekly basis. All our backups are now stored safely, securely, and in a more efficient and scalable manner. Tape Gateway is the perfect solution for us because after VEEAM ejects the virtual tape, the tape is then offline and inaccessible for anybody with access to our backup servers or VEEAM. With virtual tapes then archived to Amazon S3 Glacier Deep Archive, we are able to securely and durably store hundreds of terabytes of data at a very low price, allowing us to apply more budget toward business innovation rather than managing tapes. With Tape Gateway, we experienced easy integration, fully automated “offline” backups for peace of mind, no more manual physical transport of USB drives to our vault, direct integration with VEEAM Backup & Replication, and no additional licensing fees for separate VTL software.”
Michael Müller, CIO – Reiden Technik AG
Disaster recovery in AWS
In addition to the low cost and durability of storing Veeam backups in Amazon S3, customers can also leverage native functionality within Veeam Backup & Replication to recover on-premises workloads. On-premises workloads can be recovered in AWS as Amazon EC2 instances as part of a broader DR strategy. Veeam Backup & Replication Version 10 enables customers to import Veeam backup metadata from Amazon S3 without the need to create and rescan the entire SOBR. This capability helps lower recovery time objectives (RTO).
Customers can choose to install Veeam Backup & Replication on an Amazon EC2 instance at the time of disaster. They can also choose to preinstall Veeam Backup & Replication on an EC2 instance and leave the instance in a powered-down state, powering on only for occasional operating system and Veeam updates. This enables customers to have a true “pilot light” DR strategy with little effort. As with any DR strategy, we encourage customers to regularly test their DR plans to ensure that the outcomes match the expectations of your organization, and iterate as necessary.
When performing a DR test using a Veeam Backup & Replication server in AWS, and when the object storage repository contains backups of on-premises systems, it is important to ensure that the on-premises Veeam backup server does not have any active jobs running while the Veeam Backup Server in AWS is accessing backup data in Amazon S3. Therefore, it is recommended to shut down the on-premises Veeam backup server to ensure that any testing does not negatively impact on-premises backup jobs, which could occur if both Veeam Servers are writing to the same Amazon S3 Bucket at once.
Veeam Backup for Microsoft Office 365
Customers have requested the ability to leverage Amazon S3 to protect their Office 365 backups outside of their Office 365 environment. Veeam Backup for Microsoft Office 365 enables customers to protect their Microsoft Office 365 data including Microsoft Exchange, SharePoint, OneDrive, and Teams by storing Microsoft Office 365 data in Amazon S3. This enables customers an additional air-gapped layer of protection if data corruption or data loss occurs. Customers can choose to store data in Amazon S3 Standard or S3 Standard-IA. S3 Standard-IA would be more appropriate for backups that require longer retention periods and lower probability of restore.
In this blog post, we discussed how customers can use Veeam Backup & Replication with different Amazon S3 storage classes and AWS Storage Gateway. We also covered use cases and differences between them. In addition, we’ve shown how customers can leverage Veeam Backup & Replication to provide DR functionality in AWS by recovering to Amazon EC2 instances.
The information contained in this post also showed how to plan for extending your on-premises Veeam Backup & Replication environment into AWS using different approaches. This enables you to reduce your on-premises backup infrastructure, which helps to reduce costs and the undifferentiated heavy lifting involved in operating and maintaining on-premises backup infrastructure. Veeam integrations with AWS also provide additional benefits such as leveraging S3 Object Lock to guard against events like ransomware attacks.
Thanks for reading this blog post! If you have any comments or questions, please leave them in the comments section.
The following links provide some additional resources for further reading on the topics covered in this blog post:
- Video: AWS re:Invent 2019: Shift your tape backups to AWS to save time and money
- Blog: How to achieve on-demand disaster recovery with VMware Cloud on AWS and Veeam Cloud Tier
- Blog: How to easily replace physical tape-based backups with Tape Gateway
- Whitepaper: Veeam Backup & Replication using AWS VTL Gateway – Deployment Guide
- Whitepaper: Designing a Veeam Backup & Replication deployment in Amazon EC2
- Whitepaper: Designing and Budgeting for AWS Object Storage with Veeam Cloud Tier
The content and opinions in this post are those of the third-party author and AWS is not responsible for the content or accuracy of this post.