Introduction
This document is intended to give Veeam Cloud & Service Providers (VCSPs) and Managed Service Providers (MSPs) a guide for building a Veeam branded appliance. Since Veeam does not have a hardware backup appliance and is just a software offering, providers can choose to build a Veeam branded appliance using the hardware of their choice. The information in this guide should give you an idea of what is possible and some options to pick from, so you can decide which option will work for you and your customers.
Based on conversations with several providers that currently offer this type of appliance, there are basically 3 different architecture options. First let's look at the 3 options, then dig into possible builds of those options.
- Option 1 – All in One physical Server Appliance
- Option 2 – Physical server as virtual host with multiple VMs installed.
- Option 3 – One physical server and a storage appliance
Each of these has pros and cons and you need to decide which makes sense for your deployment and ongoing administration.
Option 1 – All in One Physical Server Appliance
- As of the current version of Veeam (v12), this must be a Windows server.
- All Veeam roles running on this server.
- Windows-based ReFS or NTFS repository.
- Partition the hard drives into 2 volumes: 1 for the OS and Veeam, 1 as the repository.
- Need to have enough compute for all roles for the overall size of the environment.
Pros:
- Simple deployment – just need an IP address from customer.
- Ease of management as just 1 OS to patch.
- Ease of pricing – server and Windows OS license plus Veeam.
- Small footprint if using offsite backup for long term backups.
Cons:
- A single OS hosts both the Veeam server and the backup data.
- If the server is compromised or the hardware fails, backup data can be lost.
- No Immutability protection with Windows repository as of v12.
- No additional resources for testing restore.
This would be considered a good solution; however, without immutability there is a higher risk of losing backup data.
We highly recommend following the 3-2-1 rule by sending backups to an offsite location using either a backup copy job with Immediate Copy (mirroring) or a SOBR Capacity tier with Copy mode enabled. This will help protect from data loss.
For best security practice, the offsite copy should be placed onto an Immutable repository.
Option 2 – Physical server as virtual host with multiple VMs installed.
- Can be any Hypervisor.
- 1 Windows VM as Veeam BNR server role.
- Other VMs as needed for other roles; these can be Linux for proxies and the repository.
- Can use Linux Hardened Repo.
Pros:
- Can be set up with additional resources to allow for SureBackup/DataLab testing.
- Local backup Immutability with Linux Hardened Repo.
Cons:
- Additional overhead of hypervisor.
- Still a single hardware server which could be compromised.
- Even with a Linux Hardened Repo, the repository is inside a VM, so if the hypervisor is compromised, the VM disk can be deleted.
This would be considered a better solution with the Linux Hardened Repo, as it gives local immutability; however, the data is inside a virtual disk, which can be compromised at the hypervisor level. Adding resources to set up SureBackup/DataLab is definitely a great add-on.
Still follow the 3-2-1 rule of sending backups to an offsite location using either a backup copy job with Immediate Copy (mirroring) or a SOBR Capacity tier with Copy mode enabled. This will help protect from data loss.
For best security practice, the offsite copy should be placed onto an Immutable repository.
Option 3 – One physical server and a storage appliance
- Physical server (or VM in customer environment).
- Runs Veeam BNR and Proxy role.
- Choose repository appliance.
- Could be a dedupe appliance, NAS, SAN, or on-prem object storage.
Pros:
- Separation of management and storage.
- If the BNR server is compromised, backups are still usable with a new BNR server.
- Possible immutability, depending on storage.
Cons:
- Higher overhead of multiple systems.
- No additional resources for testing restore.
This would be considered the best solution because of the separation of components. A storage option with immutability would provide the best security.
Still follow the 3-2-1 rule of sending backups to an offsite location using either a backup copy job with Immediate Copy (mirroring) or a SOBR Capacity tier with Copy mode enabled. This will help protect from data loss.
For best security practice, the offsite copy should be placed onto an Immutable repository.