How Immutability Works
Veeam Backup for AWS allows you to protect data stored in backup repositories from deletion by making the data temporarily immutable. To do that, Veeam Backup for AWS uses Amazon S3 Object Lock — once imposed, S3 Object Lock prevents objects from being deleted or overwritten for a specific immutability period. The immutability period is set based on the retention policy configured in the backup policy settings.
Considerations and Limitations
When adding a repository with immutability enabled, consider the following:
- You cannot store indexes of EFS file systems and backups of the appliance configuration database in the repository with immutability enabled.
- You cannot remove immutable data manually using the Veeam Backup for AWS Web UI, as described in sections Removing EC2 Backups and Snapshots and Removing VPC Configuration Backups.
- You can neither remove immutable data from AWS using any cloud service provider tools nor request the technical support department to do it for you. Since Veeam Backup for AWS uses S3 Object Lock in the compliance mode, none of the protected objects can be overwritten or deleted by any user, including the root user in your AWS account. For more information on S3 Object Lock retention modes, see AWS Documentation.
If you choose a repository with immutability settings enabled as the target location for image-level backups, Veeam Backup for AWS creates an immutable backup chain in the repository instead of a regular backup chain. Immutable backup chains are built the same way as EC2 standard and archive backup chains, which means that each immutability chain is composed of a set of backups produced during a sequence of backup sessions, and that the same retention policies apply to these chains. The only difference is that files in immutable backup chains can be neither removed nor modified until the immutability period is over. Therefore, every time Veeam Backup for AWS creates a new incremental backup containing modified data blocks, the retention period of the dependent unchanged data blocks (in the preceding incremental and full backups) is supposed to be extended. This can cause a substantial increase in I/O operations and associated costs incurred by Amazon S3.
To reduce the number of requests to the repository, thus to save traffic and to reduce transaction costs, Veeam Backup for AWS leverages the Block Generation mechanism. A generation is a period of up to 10 days that extends the retention period configured for backups composing the immutable backup chain. This means that the retention period is not explicitly extended for each dependent data block every time Veeam Backup for AWS creates a new incremental backup in the chain within one generation (during these 10 days).
Veeam Backup for AWS initiates a dedicated generation for each type of the backup schedule configured in the backup policy settings.
Block Generation works in the following way:
- During the first backup session, Veeam Backup for AWS creates a full backup in a backup repository and adds 10 days to its retention period. The full backup becomes a starting point in the first generation of the immutable backup chain.
- During subsequent backup sessions, Veeam Backup for AWS copies only those data blocks that have changed since the previous backup session, and stores these data blocks to incremental backups in the backup repository. The content of each incremental backup depends on the content of the full backup and the preceding incremental backups in the immutable backup chain. Veeam Backup for AWS adds <10 - N> days to the retention period of these backups, where N is the number of days since the first backup in the generation was created.
As a result, all backups within one generation will have the same retention date, and will not be removed by the retention policy before this date.
- On the 11th day a new block generation period is initiated. Veeam Backup for AWS creates a new incremental backup and adds 10 days to its retention period. This backup becomes a starting point in the second generation of the immutable backup chain. The new generation is automatically applied to all dependent data blocks from the preceding backups.
- Veeam Backup for AWS repeats step 2 for the second generation.
- Veeam Backup for AWS continues keeping dependent data blocks immutable by applying new generations to these blocks, thus continuously extending their retention period.
As soon as a block generation is initiated, the immutability period of data blocks in the generation cannot be reduced. Even if you change the retention period configured for image-level backups in the backup policy settings, this will not affect the expiration date of the restore points that have been already created.
Consider the following example. You want a backup policy to create image-level backups of your critical workloads once a day starting from March 1, and to keep the backed-up data immutable for 5 days. In this case, you do the following:
- In the policy target settings, you set the Enable backups toggle to On, and select a backup repository with immutability enabled as the target location for the created backups.
- In the daily scheduling settings, you select an hour when backups will be created (for example, 7:00 AM), and specify the number of days for which Veeam Backup for AWS will retain the created backups (5 days).
According to the specified scheduling settings, Veeam Backup for AWS will create image-level backups in the following way:
- On March 1, a backup session will start at 7:00 AM to create the full backup in the immutable backup chain. Veeam Backup for AWS will add 10 days to the retention period specified in the backup policy settings. Thus, the retention period of the backup will be prolonged to 15 days, and the immutability expiration date will become March 16.
- On March 2, Veeam Backup for AWS will create a new incremental backup at 7:00 AM and add 9 days to the retention period specified in the backup policy settings. Thus, the retention period of the incremental backup will be prolonged to 14 days, and the retention date will become March 16.
- On March 3-10, Veeam Backup for AWS will continue creating incremental backups and extending their retention period so that the retention date will still remain March 16.
- On March 11, Veeam Backup for AWS will create a new backup at 7:00 AM. During the backup session, Veeam Backup for AWS will initiate a new block generation period, and apply the new generation to the newly created backup and all dependent data blocks. The retention period of this backup will be prolonged to 15 days, and the immutability expiration date will become March 26.
Then, all data blocks of the preceding backups whose retention period has not been extended will be removed by a retention session due to the immutability period expiration.