Backup Immutability
If you store your backup files in an object storage repository, Veeam Backup & Replication allows you to protect backup data from deletion or modification by making that data temporarily immutable. Immutability protects data in your recent backups from loss caused by attacks, malware activity or other harmful actions.
Important
Backup immutability uses native capabilities of object storage. Enabling this feature may result in additional API and storage charges from the storage provider.
Supported Object Storage Types
Veeam Backup & Replication supports database backup immutability for all supported object storage types:
- Amazon S3
- S3 compatible
- Google Cloud Storage
- Microsoft Azure Blob Storage
- IBM Cloud Object Storage
- Wasabi Cloud Storage
- Veeam Data Cloud Vault
- 11:11 Cloud Object Storage
Before you configure immutability for database backups, you must prepare the target storage account. Depending on the selected object storage type, perform the following actions:
- [S3 Compatible and Amazon S3 storage] When you create an S3 bucket, you must enable the S3 Versioning and S3 Object Lock features for the bucket. For more information, see AWS documentation.
- [S3 Compatible and Amazon S3 storage] After you create an S3 bucket with Object Lock enabled, make sure that the default retention is disabled to avoid unpredictable system behavior and data loss. To disable the default retention, edit the Object Lock retention settings as described in AWS documentation.
- [Microsoft Azure Blob storage] You must enable blob versioning and version-level immutability support for the Azure container. For more information, see Microsoft documentation.
- [Google Cloud Storage] When you create a bucket, you must enable the Object Versioning and Object Retention Lock features for the bucket. For more information on Object Versioning, see Google Cloud documentation. For more information on Object Retention Lock, see Google Cloud documentation.
Consider the following about backup immutability:
- [S3 Compatible and Amazon S3 storage] Veeam Plug-In will use the compliance retention mode for each uploaded object. For more information on retention modes of S3 Object Lock, see AWS documentation.
- [Microsoft Azure Blob storage] Do not enable immutability for already existing containers in the Microsoft Azure Portal. Otherwise, Veeam Backup & Replication will not be able to process these containers properly and it may result in data loss.
- After you specify a minimum immutability period for a backup and run the backup job for the first time, Veeam Backup & Replication will append the block generation period to the specified immutability period. To learn more, see Block Generation Period.
- Increasing the minimum immutability duration in the object storage repository settings updates immutability locks for all objects in this repository to match the block generation period of the current generation. As a result, this change may cause additional costs as it results in requests generated for each object in the object storage repository.
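The S3 prerequisites and the compliance-mode note above can be checked before the first backup job runs. The following is an added example, not Veeam code: it audits dictionaries shaped like the boto3 S3 client responses of `get_bucket_versioning`, `get_object_lock_configuration` and `head_object`. The function names and sample values are constructed for illustration.

```python
# Added example: audit S3 settings against the prerequisites listed above.
# Inputs mirror boto3 S3 client response dicts; all sample data is constructed.

def audit_bucket(versioning, object_lock):
    """Findings for get_bucket_versioning / get_object_lock_configuration
    responses. Pass {} for object_lock when the bucket has no Object Lock
    configuration. An empty list means the bucket meets the prerequisites."""
    findings = []
    # A bucket that never had versioning enabled returns no "Status" key.
    if versioning.get("Status") != "Enabled":
        findings.append("S3 Versioning is not enabled")
    cfg = object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("S3 Object Lock is not enabled")
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if default:
        # The page requires default retention to be disabled.
        findings.append("default retention is set (%s); disable it"
                        % default.get("Mode", "unknown mode"))
    return findings

def audit_object(head):
    """Findings for a head_object response of an uploaded backup object."""
    findings = []
    if head.get("ObjectLockMode") != "COMPLIANCE":
        findings.append("object is not locked in compliance mode")
    if head.get("ObjectLockRetainUntilDate") is None:
        findings.append("object has no retain-until date")
    return findings

# Constructed samples: a correctly prepared bucket and a misconfigured one.
GOOD_VERSIONING = {"Status": "Enabled"}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
BAD_VERSIONING = {"Status": "Suspended"}
BAD_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
GOVERNANCE_OBJECT = {"ObjectLockMode": "GOVERNANCE",
                     "ObjectLockRetainUntilDate": "2024-07-18T00:00:00Z"}

if __name__ == "__main__":
    for name, v, l in (("good", GOOD_VERSIONING, GOOD_LOCK),
                       ("bad", BAD_VERSIONING, BAD_LOCK)):
        print(name, audit_bucket(v, l) or "ready for immutable backups")
    print("object", audit_object(GOVERNANCE_OBJECT))
```
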
Backup Immutability and Retention Policy
Veeam Backup & Replication removes obsolete restore points based on the defined backup retention policy, but only if such restore points are no longer immutable. If data associated with an obsolete restore point is still immutable, such restore point will remain in the backup chain and in the repository until its immutability period is over. After that, such restore point is automatically removed from the backup chain and storage.
When you specify an immutability period in the object storage repository settings, Veeam Backup & Replication will automatically calculate an effective immutability period as a sum of the following periods:
- minimum immutability period
You can specify the minimum immutability period in the object storage repository settings. To learn more, see Adding Object Storage Repositories.
- block generation period
The block generation period serves to reduce the number of requests to the object storage repository, which results in lower traffic and reduced storage costs. During this block generation period, all of the transferred data objects will have the same immutability.
The block generation period is predetermined depending on the object storage that you use:
- 30 days — for repositories in Amazon S3, Google Cloud Storage, IBM Cloud and 11:11 Cloud Object Storage.
- 10 days — for repositories in S3 compatible storage, Microsoft Azure Blob Storage and Veeam Data Cloud Vault.
Note
As Veeam Plug-In for Microsoft SQL Server supports backup chains, the logic behind the effective immutability period is different from other Veeam Plug-Ins. For database backups created with Veeam Plug-In for Microsoft SQL Server, if the block generation period is over but the backup chain remains active, an effective immutability period will be extended until a new backup chain is started.
To learn more about backup chains, see Backup Chain.
You create a backup with Veeam Plug-In for Microsoft SQL Server on IBM Cloud Object Storage on July 1st with immutability set for 7 days.
The effective immutability period for the first generation is July 1st + 7 days (minimum immutability period) + 10 days (default block generation period for IBM Cloud Object Storage). If the block generation period ends but the backup chain remains active, Veeam Backup & Replication extends the immutability locks for all objects created during this block generation period, and continues to extend them until the next full backup is created, which starts a new backup chain. By default, the first block generation period would therefore cover the backups created from July 1st to July 10th. However, July 10th is not a final end date: the block generation period can be extended until a new backup chain is started. Suppose that the next full backup is created 5 days later, on July 15th. In that case, July 15th is the end date for the first block generation period, and database backups created from July 1st to July 15th will be immutable until July 22nd.
The second block generation starts on July 16th. The effective immutability period for the second block will be July 16th + 7 days (minimum immutability period) + 10 days (default block generation period for IBM Cloud Object Storage). Note that the second block generation period can also be extended if the block generation period ends but the backup chain remains active.