INTRODUCTION
One topic that I believe is still underestimated is recovery verification: it’s good to have a backup of our data, but are we sure that backup is valid and functional when we need to use it?
If no tests are performed, we could encounter potential latent problems with backup data corruption and be unable to use it when needed.
Many companies are required to perform periodic restore tests for compliance reasons.
Many others, however, do not always pay the same attention to this.
While before the advent of ransomware the rule was “have a backup, preferably in a storage location other than the production one,” nowadays a solid data protection strategy cannot ignore the best practices outlined in the Golden Rule 3-2-1-1-0:
As we can see, backup recoverability is a must, and it is our responsibility to put it in place!
In this post, we will discover that configuring verification tests using Veeam Backup & Replication is quick and easy, so why not do it?
SURE BACKUP
The Veeam SureBackup feature allows you to set up a scheduled or manual task to verify the actual restorable state of your backup data.
The SureBackup job can be set up in two different modes:
- Full recoverability testing: allows you to restore VMs from backup and restart them in an isolated environment so that you can test the full functionality of the applications
- Backup verification and content scan only: allows you to perform an integrity check of the backup files, as well as a content analysis to check for malware or sensitive data
Full recoverability testing
This approach is essentially based on two Veeam features: instant recovery and virtual lab.
Thanks to the first feature, VMs can be restarted in our hypervisor while keeping virtual disks and configuration files directly in the backup repository, without having to copy them to production storage beforehand.
The second feature, on the other hand, creates an isolated virtual environment on demand, automating the configuration in our hypervisor of virtual switches and virtual networks dedicated to restore testing. We will discuss the correct configuration of the virtual lab in a later post.
A key concept in this modality is application groups, which are objects containing one or more VMs with dependencies between them, so that the recovery of a complete application stack can be tested (e.g., database server/application server, primary domain controller/secondary domain controller, etc.).
Our Sure Backup job will therefore consist of:
- 1 application group
- 1 virtual lab
Another important aspect is definitely the customization of verification tests: Veeam allows you to select different types of automatic checks on VMs within the Sure Backup job, from standard ones such as heartbeat, ping, and predefined applications/ports (DNS, Domain Controller, SQL Server, etc.) to the possibility of executing custom scripts to verify specific applications.
Prerequisites: Valid VUL license, or at least Enterprise socket (with a Standard license, only manual tests will be possible).
Note: Recovery verification can also be performed on VM replicas using SureReplica jobs, which are always based on the concepts of virtual labs and application groups.
Backup verification and content scan only
By choosing this option, the virtual lab and application group are no longer necessary, as the goal is simply to verify data consistency and check for malware or sensitive data that you want to keep track of.
Veeam checks the VMs sequentially, using the native Veeam Threat Hunter engine or the antivirus software on the mount server to prevent malware.
Optionally, you can also choose to use fully customizable YARA rules to identify traces of possible malicious activity on the VMs being checked or simply sensitive data on the server.
CONCLUSION
As we have just seen, the Sure Backup job allows us to test the correct recovery of our backup data in a simple and automated way.
Come on, let’s all hurry up and configure this fantastic feature! 💚