Veeam Backup and Replication Version 11 Release: So Many New Features, Where do We Start?

Storcom’s Assessment of Veeam Backup & Replication Version 11 (v11)

By: Dave Kluger

Storcom CTO


What’s New in Veeam Version 11 (v11)?

There are a ton of new features and updates with Veeam version 11, over 200 to be exact. There are already many articles that simply list the new features. As Storcom’s CTO, I want to talk about what’s new in Veeam Version 11 (v11) and what I think the main updates are and WHY they are useful. 


Ransomware Protection 

At the top of everyone’s list is that Veeam’s version 11 contains more ransomware protection features than ever before.  Everyone in IT knows that ransomware and malware are at the forefront of security concerns. We are all trying to find better ways to protect our organizations’ most valuable assets: our data. Data protection starts at the source. There is no substitute for putting in the right technology at the endpoint or on your network to stop malicious activity where it begins.

Storcom certainly does not discount the capabilities that security vendors like Arctic Wolf, CrowdStrike or Carbon Black bring to the table. However, we also need to be realistic and accept that even the best technologies can be thwarted and data breaches can occur. Backup technologies like Veeam can be targeted. With that said, Veeam version 11 has done a great job of adding some new features that really focus on data immutability. Veeam also added the ability to protect your secondary and tertiary copies data safe from being altered. 


Hardened Linux Repository 

Hardened Linux repository is another great feature in v11. Veeam focused a lot of resources on adding onto what it had already built in version 10 to protect against ransomware. Storcom is really excited about the ransomware protection that Veeam will get from Linux and the native Linux immutable flag as a way of being able to protect your backup files. Veeam works together with the Linux kernel to make sure that the flag is set to the appropriate retention period that you’ve set on your backup jobs.

For redundancy, the immutability expiration timestamp is stored twice. It is stored first in the special configuration file and secondly in the extended attribute of each backup file. The first is extended automatically as dependent incremental restore points are added into the backup chain but can also be increased (but never reduced) manually for legal hold purposes using PowerShell. A second timestamp remains as originally set, due to being a part of the immutable file already. The immutability flag is only removed from the backup file when the local timestamp on the repository server exceeds both values. 

Veeam introduced ransomware protection for backup data sent to an S3-compatible capacity tier in Backup and Replication version 10 via support for S3 Object Lock. Storcom supports this today with our object storage tier for off-site backup. Hardened repository uses a Linux file system features and another layer of protection by locking storage blocks written to the primary backup solution. Now we can protect the primary 7, 14, or 30-day type of on-prem retention from malicious activity and ransomware.


No Vendor Lock-In

Veeam did not want to lock in its customers by selling an appliance to provide ransomware protection for primary backups (e.g. Data Domain, HPE StoreOnce). Veeam left the choice open, so customers would have options. Storcom can now deploy our purpose-built open systems backup appliances using Veeam software and provide these protection capabilities using a  server vendor’s hardware to maximize the value for our clients. 


Single-Use Credentials 

Another feature of the hardened Linux repository is the addition of single-use credentials. The single-use credentials, required for the hardened Linux repository, are interactively supplied by the user at the initial deployment time and also when installing product updates. It is important to note that they are never stored in the configuration databases. This eliminates any possibility for hackers to extract these credentials from a compromised backup server and use them to connect to the repository.


SSH Protocol

Lastly, Veeam changed the dependency on SSH Protocol. All former SSH protocol usage has been encapsulated into the expanded transport protocol. As a result, SSH connectivity is required only at the initial deployment time and when installing product updates. This allows customers to secure SSH with interactive multi-factor authentication (MFA) or even disable the SSH server completely to protect their repository from future zero-day vulnerabilities.  

These are some of the areas that Veeam has really taken its approach to the ongoing problems surrounding ransomware and malicious activity very seriously in v11. I expect to see a lot of benefits for both Storcom’s clients as well as for our own internal Cloud Connect Managed Services. Storcom will make sure to take full advantage of these features alongside a lot of what came from previous iterations of Veeam software with Veeam Labs, SureBackup, scale out repositories and object storage, as well as insider threat protection features.  


Continuous Data Protection 

Continuous data protection, also known as “CDP,” is not new to the IT data protection world. Storcom has worked with many different replication technologies over the years. CDP has always been associated with the top tier of data protection options. If you think of SAN-based synchronous data replication being #1 for data loss prevention, then CDP is the next closest providing a near zero recovery point objective (RPO). Storcom has deployed, and is still deploying, a number of the best technologies out there with a proven track record in IT to provide for our clients who need the lowest RPO and recovery orchestration for business continuity needs.


So Why is this So Important for Veeam?

Because up until now, the best Veeam could do was Veeam Replication. Veeam Replication, although it is great for many workloads, has some downsides. The number one pitfall is it’s a VMware snapshot-based technology.  It’s been long known that VMware snapshots cause stunning and this can cause problems for transactional databases. A pause in IO on an OLTP database can cause database blocking or even disconnects. And that alone, regardless of the RPO, may be the reason to use a CDP solution.

Storcom has clients who just use CDP for a handful of database servers because they just don’t want the VM itself being touched. The second downside is RPO. If you want less than 1-hour, then CDP is the only way to go. If you start snapping a VM, especially using application-aware snapshots more than once per hour on applications like a database, then you are most likely going to have issues. 


CDP is Not New and it is a Great Option…but it is Just That: an Option

In v11, Veeam built a non-snapshot-based CDP solution that is centered around using the VAIO filter which splits the IO at the same point it writes to the primary disk. This means that you’re not waiting for VMware’s snapshots. It also means that you don’t need multiple solutions. Now you can have one solution for all levels of RPO and RTO. You may decide to use CDP for databases (lowest RPO). You could also choose Veeam replication for tier 1 VMs and servers where you want a lower RPO as well as a lower RTO. Or even select Instant Recovery for your least critical data as it pertains to big data changes where you don’t want to have to wait for a full restore.

This is a mix-and-match approach that really makes sense. I am super excited that this is finally out so Storcom can create the right match and not have to use multiple products when we’re building out our clients’ business continuity plans. 


Protect Any App and OS

Another big benefit of Veeam CDP is that now your replication is not dependent on the OS version or application. You can protect ANY OS and application if it can run within a vSphere VM. They are protected and Veeam CDP works across non-matching storage arrays, hyperconverged storage solutions, and even local vSphere ESXi storage unlike storage-based replication. 


Expanded Instant VM Recovery Features and Enhancements

CDP provides the lowest RPO and RTO. Veeam replication-based VMware snapshots provides better RPO than a normal backup schedules (eg. nightly backups with low RTOs). But what about data sets that don’t require low RPO that you still want to ensure you can recover quickly? Unfortunately, in the days of restoring from backups regardless of your RPO, the time it took to restore your backup was dependent on two main factors: the size of the restore and the speed of the technology you were using to restore from.

If you were using tape, then this was a very slow process. With D2D2D, this potential was sped up if the data was written in a format that could be effectively retrieved. Some D2D2D backup technologies, even though they restored from disk, wrote the data out in a format that was slower than tape to restore in some cases.

But what if you could actually take the backup itself and be able to use that data in a live format? That is what Instant Recovery is! Veeam, along with other information technology vendors, has been working to perfect this technology over the past few years. Veeam has made a number of enhancements in version 11 that make this a very viable method of recovery as part of an organization’s business continuity plan. Storcom has built a number of our clients’ disaster recovery runbooks building a large portion of the business continuity plan from this methodology.   


A Bit of Insight into Instant VM Recovery

Why would you use it? Well, that comes down to cost. If you use CDP or Veeam Replication, then it’s all about operational recovery. If you have 10TB of data that make up 15 VMs in production, then you need at least 10TB for backups (e.g. long-term archive GFS rotation- “grandfather, father, son” rotation). You also need 10TBs of capacity on a premium storage tier for the operational recovery.  What if 50% of that 10TB you need is a file server that you need up and running in a reasonable amount of time, and a recovery point objective of 1-day using nightly backups is just fine? Well, this is where Veeam Instant VM Recovery comes in.

You can still do the normal nightly backups in Instant VM Recovery. You can also recover this resource instantly within the backup repository for immediate access. In the background, you use technologies like storage vMotion on VMware to move this VM or application out of the repo storage over to the premium storage only at the time of a disaster. This is a potentially significant cost savings in the right scenario. As I have said before, this technology is not new to version 11. However, Veeam is a pioneer in its implementation of Instant VM Recovery and has added a number of new features to this underlying component of Veeam Backup and Replication v11


Instant VM Recovery of Microsoft SQL Server and Oracle Databases

Veeam released a number of new features and enhancements to what was already a powerful platform. First we have Instant Recovery of Microsoft SQL Server and Oracle databases. This can be a huge time saver. Database won’t start? Developers accidentally dropped a critical table? No problem! You can recover any database from backup to the latest state, or to an earlier point-in-time, to any production database server or cluster (physical or virtual) in minutes, regardless of its size. 

Select databases are available to production applications and database clients instantly. They can be modified normally with all changes preserved in cache — while the backup itself is never changed. In the background, Veeam automatically restores database files to the production storage and then keeps syncing the actual (modified) database state to the production storage. To finalize the recovery, you will need to switch the database over to running from the production storage. This is done with minimal downtime that’s equivalent to simply restarting the database. This switchover can be executed manually or scheduled to occur automatically — either as soon as the synchronization catches up or during your next maintenance window.  


Service-Based Architecture

Unlike the interactive publish functionality, database Instant VM Recovery uses a service-based architecture that is not dependent on running Veeam Explorer’s user interface. Should any backup infrastructure component reboot or fail during the instant recovery, then the Instant VM Recovery conveyor will automatically recover itself when all required servers come back online. In case of extended outages longer than one hour, then you can resume Instant VM Recovery manually in Veeam Explorer. 


NAS Protection

The next feature is very useful if you are using a NAS like Dell EMC Unity. Veeam has had support for protecting NAS without using NDMP for some time now. With this new enhancement, it allows clients who have a NAS in production to have an easy way to recover that data to a DR or secondary site without the same equipment. This was an issue for NAS, but Veeam stepped up their Instant VM Recovery with a way to solve this challenge. 

Just publish SMB file shares from backup to the latest state, or to an earlier point-in-time, on the  selected mounted server. This enables your users to instantly access their data in this temporary SMB file share while you’re getting the problem fixed or data restored. 


Third-Party Applications and Scripts

Other use cases discovered by Storcom’s version 11 testing involve enabling third-party applications and scripts to instantly access the content of any NAS backup for data mining and other data reuse scenarios. This allows you to avoid locked files and impacts to your production environment thanks to offloading this activity to backup storage hardware that usually remains idle during production hours. 

Prototypes were created by community members specializing in the following fields: machine learning (ML), searching for personally identifiable information (PII) to aid in compliance processes and GDPR requirements, malware detection (automated security analysis of files for sleeping malware with additional antivirus applications), and more.


Instant Recovery of ANYTHING to Microsoft Hyper-V

Veeam version 11 enables additional data recovery and portability use cases by letting you instantly recover ANY physical server, workstation, virtual machine and cloud instance backups to a Microsoft Hyper-V VM. This is done regardless of which Veeam product was used to create the backup.  There is no learning curve, since the recovery just works thanks to the built-in P2V/V2V conversion logic. This enables restores and migrations with new levels of speed and flexibility. Thus, making hybrid-cloud disaster recovery a reality. 

The Hyper-V host is effectively directly built-in to the backup server because the Veeam backup server runs on Microsoft Windows. This means it’s readily available for every existing customer to use! Veeam even supports Windows 10 Hyper-V as the target for this functionality, which, in particular, enables IT managed services providers (MSP) like Storcom to build ultra-low-cost Veeam-powered all-in-one DR appliances based upon Windows 10 to deploy at our client sites.  

The ability to perform an Instant VM Recovery of any workload backed up into a Veeam repository to Hyper-V matches the v10 feature. The ability to leverage Hyper-V on Windows desktops for this purpose is of interest here. This feature allows instant restores of any image-based backup (physical and cloud agents, VMware, Hyper-V, AHV, AWS and Azure) to a Windows desktop running the Hyper-V role.


In Conclusion… 

Like I said at the beginning of this post, there are more than 200 features and updates in Veeam v11 — way too many for one blog post. I wanted to take the most popular and explain why I think they are a benefit and how they can be leveraged. There are so many other updates to capabilities around scale-out repositories and better object storage integration. There are other overall performance benefits that Storcom is very excited about for our clients and for our own Veeam Cloud Connect Backup managed services solution to support more options for backup proxies for Linux plus storage snapshots for Linux proxies. We leverage Veeam as our backbone for our practice at Storcom and we will certainly make use of the new enhancements for our clients.

One important point to make is to make sure you understand which features are available with each edition of Veeam. Now, most features are included in Veeam Universal License. However, a lot of these features we are talking about do still require Enterprise Edition or higher when using a legacy socket-based license. Storcom can help guide you through the process of making sure you have the right license version to suit your organization’s needs.

Learn more about Veeam Backup and Replication v11. 

Until next time…

Dave Kluger


Learn More About Veeam v11 Today!

  • This field is for validation purposes and should be left unchanged.

Learn What’s New in Veeam v11

All Articles

Operational Recovery Replication vs. CDP (Continuous Data Protection)

Both operational recovery replication and CDP serve a similar purpose, but they achieve their goals very differently. Read more…

View blog

Disaster Recovery-as-a-Service: Why it Makes Sense

View disaster recovery