Backup Immutability

If you store your backup files in an object storage repository, Veeam Agent allows you to protect backup data from deletion or modification by making that data temporarily immutable. It is done for increased security: immutability protects data in your recent backups from loss as a result of attacks, malware activity or any other injurious actions.

Supported Object Storage Types

Veeam Agent supports backup immutability for the following object storage types:

• Amazon S3
• S3 compatible storage that supports S3 Object Lock (including Wasabi)
• Microsoft Azure Blob Storage

Before You Begin

Before you configure immutability for Veeam Agent backups, you must prepare the target storage account. Depending on the selected object storage type, perform the following actions:

• [S3 Compatible and Amazon S3 storage] When you create the S3 bucket, you must enable versioning and the S3 Object Lock feature for the bucket. For more information, see AWS documentation.

• [S3 Compatible and Amazon S3 storage] After you create the S3 bucket with Object Lock enabled, make sure that the default retention is disabled to avoid unpredictable system behavior and data loss. To disable the default retention, edit the Object Lock retention settings as described in AWS documentation.

• [Microsoft Azure Blob storage] You must enable blob versioning and version-level immutability support in the storage account. For more information, see Microsoft Azure documentation.

Consider the following about backup immutability:

• The effective immutability period consists of the user-defined immutability period and the block generation period automatically appended by Veeam Agent. For more information, see How Backup Immutability Works and Block Generation.
• [S3 Compatible and Amazon S3 storage] Veeam Agent will use the compliance retention mode for each uploaded object. For more information on retention modes of S3 Object Lock, see AWS documentation.
• [Microsoft Azure Blob storage] Do not enable immutability for already existing containers in the Microsoft Azure Portal. Otherwise, Veeam Agent will not be able to process these containers properly and it may result in data loss.

Configuring Backup Immutability

When you create the backup job that is targeted at an object storage, the immutability period must be specified in the settings of the object storage repository. For more information, see the Adding Object Storage Repositories section in the Veeam Backup & Replication User Guide.

Backup Immutability and Retention Policy

Backup immutability operates with backup data and related metadata (checkpoints) on the object storage side. Retention policy operates with logical representation of the stored data, or restore points, on the Veeam Agent side. These two mechanisms act independently from each other.

Veeam Agent will remove the irrelevant restore points per the defined backup retention policy. If the data associated with the removed restore point is still immutable, such data will remain in the repository until expiration of the immutability period. After that it will be automatically removed from the storage.

Limitation of Backup Immutability

You can restore the immutable data that is associated with a restore point removed by retention policy only in Veeam Backup & Replication console. In Veeam Backup & Replication, you must perform the following actions:

1. Add the object storage repository that contains the necessary data to Veeam Backup & Replication. For more information, see the Adding Object Storage Repositories section in the Veeam Backup & Replication User Guide.
2. Roll back to the necessary checkpoint. For more information, see the Immutability section in the Veeam PowerShell Reference.
3. Remove the repository from the Veeam Backup & Replication infrastructure. For more information, see the Removing Backup Repositories section in the Veeam Backup & Replication User Guide.

After that, you will be able to use Veeam Agent to restore data from the object repository in a regular manner.