Articles in this section

BaaS by Veeam Configuration Best Practices

Updated

Table of Contents


    Overview

    The following are best practices recommended for use when Cloud Connect Backup is being utilized.

     

    Do Not Use Low-End NAS Devices as Repositories

    While it is possible to write backups to a NAS device, this is constantly discouraged by Veeam employees on the R&D Forums. Here is one such example. When a NAS device is used, an iSCSI presentation of the storage is recommended. Instead, Veeam recommends the use of a server with hardware-backed RAID and battery-backed write cache to maximize performance and minimize corruption. Additionally, this allows for the use of ReFS or XFS, which increases merge speed, decreases disk space used for GFS points, and, in the case of XFS, allows for immutable on-prem backups.

     

    Do Not Use Deduplication Appliances for Primary Retention

    While a deduplication appliance can be used to house the entire backup chain on-premises, it is not recommended as it will cause decreased backup and restore performance. Instead, it is recommended that an alternative target be used for short-term primary backups be utilized, with the deduplication appliance storing only long-term retention points. This short-term repository can be all-flash, hybrid-flash, or hardware-backed RAID managing spinning disks. Additionally, a special configuration may be needed for your deduplication appliance to function properly with Veeam. For more information, read this Veeam Knowledge Base article.

     

    Utilize Backup Copy Jobs Instead of Backup Jobs

    While regular backup jobs can target Cloud Connect repositories, it is recommended that backup copy jobs be utilized instead. When writing a backup job off-site, production systems will be impacted for the duration of the job run. When utilizing backup copy jobs, backups are synthesized from existing backup files, reducing strain on production systems. In addition, backup copy jobs have much better logic for retrying failed sessions and the resumption of data transmission after an error. Finally, backup copy jobs can also leverage WAN acceleration with a Cloud Connect repository to reduce processing time. This functionality does not exist for regular backup jobs.

     

    Enable Backup Job Encryption

    It is strongly recommended that encryption be enabled for all backup copy jobs targeting off-site repositories. Encryption ensures that backup data remains secure both in transit and at rest within the service provider infrastructure.

    Without encryption, backup data stored in a offsite repository could potentially be accessed by anyone with administrative access to the storage infrastructure. Encryption prevents unauthorized access by ensuring that only the customer environment possessing the encryption password can decrypt the data.

    Additionally, encryption protects backup data while traversing public networks during transmission to the off-site repository.

    When enabling encryption:

    • Store the encryption password securely.

    • Ensure the password is documented in a secure password manager or rotated automatically using Veeam's KMS integration.

    • Understand that losing the encryption password will make the backups unrecoverable.

    For more information, refer to Veeam documentation regarding backup encryption and password management best practices.

     

    Enable Backup Files Health Check

    Backup file corruption can occur due to underlying storage issues, hardware faults, or unexpected system failures. Enabling Backup Files Health Check allows Veeam to periodically verify the integrity of backup files stored in the repository.

    This process reads the backup file blocks and validates them against their stored checksums to ensure the data remains intact and recoverable.

    Benefits of enabling health checks include:

    • Early detection of backup corruption

    • Assurance that restore points remain usable

    • Prevention of corrupted blocks propagating through synthetic full backups

    It is recommended that health checks be scheduled periodically based on repository performance and capacity. Many environments run health checks monthly or quarterly to balance verification with storage performance impact.

     

    Configure Proper Retention Policies

    Retention policies should be carefully configured to balance recovery capabilities with storage consumption.

    Backup copy jobs targeting Cloud Connect should typically maintain longer retention periods than on-premises backups. This ensures recovery points remain available even if on-premises backup chains are compromised.

    Best practices include:

    • Maintaining multiple restore points across several days or weeks

    • Leveraging GFS (Grandfather-Father-Son) retention for long-term recovery

    • Ensuring retention policies align with organizational recovery objectives and compliance requirements

    Retention policies should also be reviewed periodically to ensure they continue meeting operational and regulatory needs.

     

    Monitor Backup Copy Jobs Regularly

    Backup copy jobs should be monitored to ensure that data continues to be successfully transmitted to the off-site repository.

    Administrators should regularly review:

    • Job success and failure rates

    • Data transfer throughput

    • Repository capacity utilization

    • WAN acceleration performance (if enabled)

    Monitoring can be performed through:

    • Veeam Backup & Replication console

    • Email notifications and alerts

    Regular monitoring helps identify issues early and ensures that off-site backup copies remain current and usable.

    Related articles

    Powered by Zendesk