New backup infrastructure requirements

We have used Veeam Backup & Replication for years with our VMware environment. We recently have had our cyber insurance asking new questions (which are all good) and they are requiring us to have segregated, air-gapped, or immutable backups to get the best rates. We do not currently have that implemented in our environment. We also back up about 8 TB of “Critical” storage but also have about 20 TB of video archive that we are trying to figure out the best way to back up.

So with that in mind, this is my question.

What are my best options for backup in a segregated, air-gapped, or immutable way that is both affordable and has a short (8 hour) restore window for the “Critical” VM storage?

We currently back up to a number of aging NAS and DAS. Thanks!

Jeremy, I don’t have enough time to go into depth right now on this (and I’m learning and asking some of the same questions as you). But I can tell you some about our environment, and where we are also hopefully headed…

  • We also use Veeam for our VMware environment
  • We have an LTO 8 tape system
  • We back up to local storage on a server and then to tape
  • We copy backups to storage at remote campus locations
  • Critical VMs have shorter backup cycles, including replication to remote campus locations
  • We back up a NAS to a tape library (this is ‘file to tape’ in Veeam parlance)
  • I’m hoping I can start on a project to have an immutable Veeam repository soon

Based on what you mentioned, I think we’re doing what your insurance company asks for besides the immutable repository (but our tape strategy helps with that some too). All the credit for this goes to @jimmichael as he set it all up.

Happy to chat or just go back and forth here and learn from each other.

I’d also tell you that I think it’s best to think of your requirements in separate pieces (knowing that they may be the same thing, but you don’t want to by default link them), so for example that could include:

  • Immutable to protect from compromise
  • Short RTO for rapid recovery

Those two things might be served by the same thing, but linking/tying them to each other significantly changes the approach for your solutions.

Hey Shawn. Thanks for sharing! That is helpful. We’ve been tape free for a while but I think that may actually be the easier & cheaper option to meet these requirements. Would you mind sharing what you have for a tape system?

MBS offers a cloud backup solution, using Veeam that will give you what you want for $60 per TB per month. All online, quick restore, no tapes, data stored in our private cloud in US datacenter. DM or email for more details.

Would anyone be interested in a Teams meeting sometime in a few weeks to go over large backups like this?

I’m also in a similar boat and currently have Veeam B&R backing up VMs to local disks, then copying those backups to an encrypted volume on our NAS, but we’re working on getting file to tape to work (it is failing to enumerate, referencing non-objects, and all kinds of fun stuff that BEMA is working through with Veeam on our behalf).

We also bought another Synology to do snapshot replications across campus in a different building for immutable backup of large media with a rapid recovery.

Everything is in the “theory and planning” phase, but I’d love to chat with those of you also pursuing this or who are already doing this.

I’d be interested, Chris! I’m also interested in how you’re doing immutable backup with Veeam because I thought the only way it supported it was to S3 buckets. We too are looking to leverage our existing Synology NASes and maybe add another.
We’d also like to start backing up O365 data with the Synology Active Backup. It seems to be one of the most cost-effective ways.

What I’m calling immutable is my wishful thinking of how snapshot replication works in Synology. The plan is to have snapshots replicated throughout the day from the source Synology NAS to the backup Synology NAS with a longer retention period, so even if all the files get encrypted at the source the destination can’t be altered until the retention period expires.

I’m tempted to set up the other Synology so the ports for SSH, HTTPS, HTTP, etc. are all only available over a management port that is normally disconnected, then have a dedicated network that only allows whatever port is required for snapshot replication. We’ll see how well that pans out. Ideally, checking on statuses at the destination will be a pain, but will also be as close to air-gapped as we can get without actually air-gapping it.

I’m also hoping to cycle our file-to-tape off-site every 3 to 6 months for a more “real” air gap.

For M365 we’re just using a cloud-to-cloud backup solution.
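
The retention reasoning in the post above, as an added example that is not part of any post in this thread: it models a destination that keeps each replicated snapshot for a fixed retention period and shows which clean restore points are still available when an encryption event is noticed. The pruning model, function names, dates, 4-hour interval and 14-day retention are all constructed assumptions, not Synology or Veeam behaviour.

```python
from datetime import datetime, timedelta

def surviving_restore_points(first_snapshot, interval, retention,
                             encrypted_at, detected_at):
    """Clean snapshots still held on the destination when the attack is noticed.

    Assumed model: the destination keeps every replicated snapshot for
    `retention`, then prunes it; nothing can delete a snapshot earlier.
    """
    points = []
    t = first_snapshot
    while t <= detected_at:
        clean = t < encrypted_at                # taken before the source was encrypted
        expired = t + retention <= detected_at  # already pruned by the retention policy
        if clean and not expired:
            points.append(t)
        t += interval
    return points

def data_loss_window(points, encrypted_at):
    """Time between the newest clean restore point and the encryption event."""
    return encrypted_at - points[-1] if points else None

# Constructed scenario: replication every 4 hours, 14-day destination retention.
FIRST = datetime(2024, 1, 1)
EVERY = timedelta(hours=4)
KEEP = timedelta(days=14)
DETECTED = datetime(2024, 1, 21, 9, 0)
ENCRYPTED_RECENTLY = datetime(2024, 1, 20, 10, 30)  # noticed the next morning
ENCRYPTED_LONG_AGO = datetime(2024, 1, 5, 10, 30)   # unnoticed for 16 days

def fast_detection():
    return surviving_restore_points(FIRST, EVERY, KEEP, ENCRYPTED_RECENTLY, DETECTED)

def slow_detection():
    # Encrypted data kept replicating; every clean snapshot aged out before detection.
    return surviving_restore_points(FIRST, EVERY, KEEP, ENCRYPTED_LONG_AGO, DETECTED)

if __name__ == "__main__":
    fast = fast_detection()
    print("fast detection:", len(fast), "clean points, newest", fast[-1],
          "loss", data_loss_window(fast, ENCRYPTED_RECENTLY))
    print("slow detection:", len(slow_detection()), "clean points")
```

The second scenario is the case the retention setting has to cover: the destination was never altered, yet no clean copy remains because retention was shorter than the time it took to notice the encryption.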

So I’ve got my new Veeam server set up and my tape drive and everything is working! And much faster than before. Now, I’m trying to wrap my brain around how the GFS pool option works and how I can use it to have weekly and monthly tapes to take off-site. What I’m not understanding is how can I set this up so that only those jobs are on a tape so that I’m taking the right jobs off-site? Some advice I read was not using the GFS pool and just creating my own. Like Weekly (Add only a few tapes), Monthly (Add only a few months), Yearly (add only a few tapes). What are people out there doing for off-site tapes and Veeam? Thanks!


We use Azure backups for all VMs and Barracuda cloud-to-cloud backup for our O365 environment. We also use Azure Blob storage for media. Happy to talk.