Using Object Storage with Veeam Products

Summary

Veeam Backup & Replication supports object storage as a destination for long-term data storage. Similarly, Veeam Backup for Office 365 and cloud-specific offerings, such as Veeam Backup for AWS, Veeam Backup for Azure, Veeam Backup for Google Cloud Platform all support object storage.

This article lists some general guidance for using object storage in combination with these Veeam products.

Considerations and Limitations

General Limitations

As documented in Object Storage Repository > Considerations and Limitations:

Object storage gateway appliances used to store backup data, emulating disk or CIFS/NFS, iSCSI/FC/SAS are not supported if the backup data is offloaded to object storage and is no longer stored directly on the appliance.

Gateway appliances are only supported in the following cases:

• All backup data is stored and remains on the actual storage appliance, and data is only copied to object storage.

or

• The appliance emulates a tape system (VTL) as an access protocol for Veeam Backup & Replication.

Amazon S3 and S3 Compatible Object Storage

Support for Amazon S3 and S3-compatible object storage varies between products. The following limitations apply:

• Versioning is not required unless object lock is enabled.
• Support for AWS Signature v4 is required.

Specific Veeam products can manage immutability for data stored within AWS S3. Immutability can only be used with new buckets. Automatic settings for objects uploaded with object lock are not supported, and configuring these features outside of how Veeam uses them can result in data loss.

Veeam manages the entire data lifecycle of backups stored within AWS. As such, Lifecycle policies are not supported nor needed, and doing so can result in data loss.

For AWS, it is recommended that you use S3 bucket policies to restrict access to specific endpoints or IP addresses.

Azure Blob Object Storage

Support for Azure Blob object storage varies between products. The following limitations currently apply to all Veeam products:

• Versioning is not required unless Azure Blob Immutability is enabled.

• Use of the following Azure features is not supported:
  Hyperlinks to Azure documentation are provided for context only.

  • Soft delete

  • Blob change feed

  • Point-in-time restore for block blobs

Specific Veeam products can manage immutability for data stored within Azure. Immutability can only be used with new storage account containers and cannot be used with existing backup data where immutability was not applied previously.Default immutability policies are not supported, and configuring these features outside of how Veeam uses them can result in data loss. Learn more…

Veeam manages the entire data lifecycle of backups stored within Azure. As such, configuring the storage account with these features is unnecessary, and doing so can result in data loss. More details are available in the Object Storage Repository Considerations and Limitations section of the Veeam Backup & Replication user guide.

For Azure, it is recommended that you use Azure Storage Firewall policies to restrict access to specific IP addresses.

---

Microsoft Defender for Storage is Unsupported

Using Microsoft Defender for Storage with Veeam backup data is ill-advised and unsupported.

• Veeam backup data is stored in individual blocks that are chunked and potentially encrypted, which means the content of the backup data is unreadable by security software.
• Because the content of the backups cannot be read by Microsoft Defender for Storage, features such as ‘sensitive data threat detection’ and ‘malware scanning’ will not function properly.
• Enabling Defender for Storage would not impact Veeam software or the backups and could be utilized to detect activity anomalies. However, due to its chunked nature, a block of Veeam backup data may, by coincidence, have strings that match regex logic or have a hash that is associated with a known indicator of compromise (IOC), resulting in a false positive.
• Enabling Defender for Storage may effectively double the costs associated with your storage account, with little to no real benefit because it cannot actually scan or read the contents of the Veeam backup data blocks.

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.