Backup Immutability

If you store your backup files in an object storage repository, Veeam Agent allows you to protect backup data from deletion or modification by making that data temporarily immutable. It is done for increased security: immutability protects data in your recent backups from loss as a result of attacks, malware activity or any other injurious actions.

Backup Immutability Important

Backup immutability uses native object storage capabilities. You may incur additional API and storage charges from the storage provider.

Supported Object Storage Types

Veeam Agent supports backup immutability for the following object storage types:

Amazon S3
S3 compatible storage that supports S3 Object Lock (including Wasabi)
Microsoft Azure Blob Storage

Backup Immutability Note

Veeam Agent does not support backup immutability for the Google Cloud storage.

Before You Begin

Before you configure immutability for Veeam Agent backups, you must prepare the target storage account. Depending on the selected object storage type, perform the following actions:

[S3 Compatible and Amazon S3 storage] When you create the S3 bucket, you must enable versioning and the S3 Object Lock feature for the bucket. For more information, see AWS documentation.

[S3 Compatible and Amazon S3 storage] After you create the S3 bucket with Object Lock enabled, make sure that the default retention is disabled to avoid unpredictable system behavior and data loss. To disable the default retention, edit the Object Lock retention settings as described in AWS documentation.

[Microsoft Azure Blob storage] You must enable blob versioning and version-level immutability support in the storage account. For more information, see Microsoft Azure documentation.

Consider the following about backup immutability:

The effective immutability period consists of the user-defined immutability period and the block generation period automatically appended by Veeam Agent. For more information, see How Backup Immutability Works and Block Generation.
[S3 Compatible and Amazon S3 storage] Veeam Agent will use the compliance retention mode for each uploaded object. For more information on retention modes of S3 Object Lock, see AWS documentation.
[Microsoft Azure Blob storage] Do not enable immutability for already existing containers in the Microsoft Azure Portal. Otherwise, Veeam Agent will not be able to process these containers properly and it may result in data loss.

Configuring Backup Immutability

Depending on how you create the backup job and configure connection to an object storage repository, you can define backup immutability settings in one of the following ways:

[Backup Job wizard] You must specify the immutability period at the Bucket step of the wizard. For more information, see Object Storage Settings.

[Command line interface] You must specify the immutability period in the advanced options of the command for creating the backup job. For more information, see Creating Backup Job with Command Line Interface.

Backup Immutability Note

If you want to create the backup job in command line interface, you must create the object storage repository first. For details, see Creating Repository in Object Storage.

If you create the backup job that is targeted at an object storage repository configured as a Veeam backup repository or Veeam Cloud Connect repository, the immutability period in the settings of the repository must be specified in Veeam Backup & Replication. For details, see the Adding Object Storage Repositories section in the Veeam Backup & Replication User Guide.

Backup Immutability and Retention Policy

Backup immutability operates with backup data and related metadata (checkpoints) on the object storage side. Retention policy operates with logical representation of the stored data, or restore points, on the Veeam Agent side. These two mechanisms act independently from each other.

Veeam Agent will remove the irrelevant restore points per the defined backup retention policy. If the data associated with the removed restore point is still immutable, such data will remain in the repository until expiration of the immutability period. After that it will be automatically removed from the storage.

Limitation of Backup Immutability

If you use Veeam Agent in the standalone mode, you can restore the immutable data that is associated with a restore point removed by retention policy only in Veeam Backup & Replication console. In Veeam Backup & Replication, you must perform the following actions:

Add the object storage repository that contains the necessary data to Veeam Backup & Replication. For more information, see the Adding Object Storage Repositories section in the Veeam Backup & Replication User Guide.
Roll back to the necessary checkpoint. For more information, see the Immutability section in the Veeam PowerShell Reference.
Remove the repository from the Veeam Backup & Replication infrastructure. For more information, see the Removing Backup Repositories section in the Veeam Backup & Replication User Guide.

After that, you will be able to use Veeam Agent to restore data from the object repository in a regular manner.