On-premises system offsite backup with Veeam and AWS
Currently, there are many businesses that are using Veeam Backup & Replication to back up data on their server systems. However, the cost of investing and maintaining that hardware for the task of storing backups is enormous. Therefore, businesses are gradually shifting through cloud storage services as an optimal solution, while ensuring data availability (with offsite backups), while saving investment costs for traditional hardware infrastructure.
AWS Shared Responsibility Model
When using public cloud storage, it is important to be aware of the limitations of compliance and security responsibilities. AWS specifically introduced AWS Shared Responsibility Model. You can read more here: Shared Responsibility Model – Amazon Web Services (AWS).
This shared model can help ease the operational burden on customers as AWS will operate, manage, and control components from server operating systems and virtualization layers to the physical security of facilities operating the service. However, for the customer part, they are responsible for the security, protection, and availability of their own data.
This is where Veeam develops his abilities. Customers can leverage Veeam’s strengths to fulfill their cloud data protection management responsibilities. Veeam will help customers minimize worries about data protection (backup, disaster recovery) and spend more time running their business.
Veeam Backup & Replication(VBR)
Veeam Backup & Replication (VBR) provides powerful protection for all types of data. VBR allows customers to automatically tiering backups into Amazon S3 to help reduce the dependence and costs associated with a more expensive on-premises backup storage.
In February 2020, Veeam released Veeam Backup & Replication version 10, adding functionality to the capacity tier. The capacity tier is an additional storage level that can be added to the repository available to scale for backups.
In older versions such as 9.5 Update 4, VBR already has the ability to implement a Disaster Recovery Strategy at a much more economical cost than a traditional DR solution.
Read more about the 10 tips for developing an AWS Disaster Recovery Plan at: https://vticloud.io/10-goi-y-trien-khai-aws-disaster-recovery/
In the next section, VTI Cloud will discuss strategies to help you leverage Veeam Backup & Replication to restore on-premises systems to the AWS cloud as Amazon EC2 instances for DR purposes, and will better understand how to integrate Veeam Backup & Replication with AWS Storage services.
Concepts of VBR in data backup
Let’s take a look at some concepts related to Veeam Backup & Replication
1. Scale-out backup repository (SOBR)
SOBR means an expanded data warehouse, consisting of one or more repository configured as tiers. SOBR is used as a single target for backup and copy jobs.
SOBR consists of 02 tiers: Performance tier and Capacity tier.
- Performance tier provides quick access to data and is stored at on-premises such as NAS or deduplication appliances.
- Capacity tiers are useful for long-term backups, where Amazon S3 is used as a repository.
2. Copy and Move
Customers can choose to configure the capacity tier to send Veeam backups to Amazon S3 in two ways.
- Customers can back up directly to Amazon S3 after the backup job is complete.
- In addition, they can migrate backups from the performance tier to Amazon S3 after the backup chain has been sealed and exceeds the minimum operational restore window defined.
3. Backup chains
A backup chain or backup chain is a method of a backup that includes an early-stage full backup and the next incremental backups. Veeam considers this backup chain process “sealed” when a synthesis of the next full-back cycle is complete.
The copy operation takes place in parallel with the migration operation. When the backup string stops working, Veeam validates whether the data blocks are in Amazon S3; if so, Veeam will delete this block of data on the performance tier, leaving only metadata (note information about that data block).
Since Veeam has stored the metadata of the data block in Amazon S3, in the case of a restore in which the data blocks are in Amazon S3, Veeam will restore the data from Amazon S3 seamlessly without the intervention of the backup administrator.
Best backup options for Using Veeam Backup & Replication with Amazon S3 storage classes
Veeam Backup & Replication version 10 supports the ability to use the following Amazon S3 Class Storage S3 Standard, Amazon S3 Standard-Infrequent Access (Amazon S3 Standard-IA), and Amazon S3 One Zone-Infrequent Access (Amazon S3 One Zone-IA).
Most customers choose to place their data in Amazon S3 Standard or Amazon S3 Standard-IA. These storage classes offer low latency, high through performance, durability designed for 99.999999999% (11 out of 9) across multiple Availability Zones, and low storage costs.
Customers can also choose to use Amazon S3 One Zone-IA to store less frequently accessed data, but require quick access as needed. Unlike other Amazon S3 storage classes that store data for at least three Availability Zones, Amazon S3 One Zone-IA stores data only in a single AZ. This resulted in 20% lower costs than Amazon S3 Standard-IA.
Amazon S3 One Zone-IA is ideal for customers who want a lower cost option for data that is accessed in an insular way but does not require the availability and viability of Amazon S3 Standard or Amazon S3 Standard-IA. It is a good option to store the backups of the data from on-premises or the data can be recreated easily.
Customers should consider access needs and data availability to choose the appropriate Amazon S3 storage class when using Veeam Backup & Replication.
Veeam Capacity Tier does not support Amazon S3 Glacier and Amazon S3 Deep Glacier Archive during this time
If the use of these Amazon S3 storage classes is required, customers are encouraged to use AWS Storage Gateway’s Tape Gateway, which is mentioned in the next section.
Additionally, Veeam does not support Lifecycle policies in Amazon S3 to convert or expire objects in Amazon S3 buckets. Activating these policies can lead to backups and restore failures if the necessary data has expired.
It is also important to ensure sufficient WAN bandwidth is available between Veeam backup servers at on-premises and Amazon S3 (in Vietnam is international bandwidth). Meeting sufficient WAN bandwidth ensures that backup and restore work can be completed within the time period that is right for your organization.
Use Veeam object immutability
Another improvement to Version 10 of Veeam Backup & Replication is the object immutability feature by leveraging Amazon S3 Object Lock in Compliance Mode.
This is a common feature in which Veeam backups are stored in Amazon S3 using the Write-Once-Read-Many model. This prevents backups from being deleted, modified, or overwritten (accidentally or intentionally), such as a ransomware attack.
It is important to note that the Amazon S3 bucket must be activated object lock mode at the time of creating the new S3 bucket.
AWS Storage Gateway: Tape Gateway
Veeam Backup & Replication version 10 also supports direct backup to AWS Storage Gateway in virtual tape library (VTL) mode. Tape Gateway presents a VTL consisting of virtual tapes and a virtual media changer for Veeam with iSCSI.
Using Tape Gateway allows customers to take advantage of Amazon S3 Glacier and Amazon S3 Glacier Deep Archive. These storage classes are only useful when backup data does not need to be recovered regularly and takes time to retrieve.
3-5 hours typically 3-5 hours for tapes stored in S3 Glacier and typically within 12 hours for tapes stored in the S3 Glacier Deep Archive. Customers also use Tape Gateway with Veeam to replace the use of physical tape at on-premises with virtual tape in AWS without changing the backup workflow in Veeam.
Tape Gateway is typically deployed on-premises as a virtual device or hardware. Tape Gateway stores virtual tapes in S3 buckets and caches virtual tapes at on-premises to access data with low latency.
Tape Gateway converts virtual tapes between Amazon S3 and Amazon S3 Glacier or Amazon S3 Glacier Deep Archive when you eject and export virtual tapes from Veeam.
Disaster prevention on AWS with Veeam
Customers can also leverage Veeam Backup & Replication to restore on-premises workloads to the AWS cloud as Amazon EC2 instances in the event of a disaster.
Veeam Backup & Replication version 10 allows customers to import Veeam backup metadata from Amazon S3 without creating and scanning the entire SOBR. This ability reduces recovery time objectives by correctly reading the data to be restored and moving quickly to ec2 instances that Veeam manages.
Customers can choose to install Veeam Backup & Replication on the Amazon EC2 instance at the time of the disaster. Veeam Backup & Replication can also be pre-installed on an EC2 instance and leave that instance in a power-off state, turning it on only when there are updates from Veeam or the operating system, but this does not happen very often.
This can help customers minimize the time in restoring systems and not spend too much effort to bring the system to an online state.
In order for a disaster prevention system to work as expected, customers should have regular DR plan testing sessions, quarterly or semi-annually.
Note when performing a DR test
When performing DR testing using the Veeam Backup & Replication server on AWS and when the repository contains backups of the system at on-premises, it is important to ensure that the Veeam backup server at on-premises does not have any active jobs while the Veeam backup server on AWS is accessing backup data in Amazon S3.
This will cause 02 Veeam’s servers to write data together into the same Amazon S3 bucket, causing patterns and data to damage the system’s then backup job at on-premises.