Welcome 192TB to the Ootbi Family | Learn more here >>
How to BuyRequest a demo
  • Blog
  • Disaster Recovery Testing with Veeam and Ootbi by Object First
Technical

Disaster Recovery Testing with Veeam and Ootbi by Object First

Disaster recovery is about more than just having backups—it's about ensuring you can restore your data when it matters most. But are you confident your system will perform when disaster strikes? 

In this blog, we'll guide you through the critical steps of testing your Veeam backups with Ootbi so you can sleep easy knowing your recovery process is rock-solid. 

What Is Disaster Recovery Testing 

Disaster recovery testing is the process of simulating different failure scenarios to ensure that data, applications, and infrastructure can be recovered efficiently and effectively after an unexpected disruption.  

DR testing involves validating the reliability of your backup systems, recovery procedures, and overall disaster recovery plan to minimize downtime and ensure business continuity

As the saying goes, "People don't care about successful data backups; they care about successful recoveries." There's no room for uncertainty in your organization's hour of need, whether late at night or early in the morning. 

You need confidence that your workloads can be fully restored from your backup infrastructure, minimizing downtime and protecting your business from costly disruptions. 

Ensuring Resilience in Object Backup Storage 

When it comes to object backup storage, there is no exception to the "test and be the best" rule. To simulate a complete disaster where you also lose your VBR server, you need a backup VBR server that is ready and available to perform quick restores. 

Losing your VBR server is not a show-stopper during a disaster as long as you follow Zero Trust Data Resilience and segregate your backup storage from your Veeam server. 

However, if you simply add your existing repository to the standby VBR server, the latter will attempt to take complete ownership of the repository. This, in turn, could cause issues with the VBR production server. 

Step-by-Step Instructions for Veeam DR Testing with Ootbi 

In this guide, we'll walk through the step-by-step process of testing your backups using an IAM read-only policy and a standby VBR disaster recovery (DR) server. 

Before proceeding, ensure that your object storage supports IAM/STS. For this setup, we'll leverage Ootbi (Out-of-the-Box Immutability) by Object First, which fully supports IAM/STS integration. 

  • VBR Production Server: 192.168.0.122 
  • DR Standby VBR Server: 192.168.0.34 
  • Object Storage (Ootbi): 192.168.0.162 

We'll also utilize PowerShell and the AWS CLI to set up our DR user and a restricted DR IAM policy. 

Step One: Setup AWS CLI 

We’ll use the AWS CLI tool to configure the necessary settings. To install it, run the following command: 

msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi 

To remove any certificate warnings, we’ll need to download the Ootbi root CA and place it in the AWS botocore folder for certificate verification. 

  1. In the Ootbi settings, navigate to Security, then click Manage under the SSL Certificate tab. 
  2. Click Export CA Root Certificate to download the root certificate. 
Ootbi Settings page under the Security tab displaying SSL certificate options, including exporting the CA root certificate for cluster Ootbi1.

 

Next, copy the downloaded ca.cert file to: 

C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\cacert.pem 

Make sure to rename ca.cert to cacert.pem. 

AWS Profile Setup 

Now, we’ll create an AWS profile using the Ootbi admin credentials

aws configure --profile admin 

Insert your access key, followed by your secret key. You can leave the other two prompts blank. 

If you’ve forgotten your Ootbi access or secret key, you can create new ones in the Ootbi settings

S3 Access Keys screen in Ootbi interface showing options to create or delete S3 access keys, with columns for name, type, access key ID, and username.

 

Step Two: Create an IAM User in Ootbi 

We’ll start by creating an IAM user in Ootbi and applying the restricted policy to this user. After the policy is applied, we’ll create an access key and secret key for the user. 

These keys will be used as credentials when connecting the Ootbi repository to the standby DR server. 

1. To create the user, use the following command: 

aws iam --profile admin --endpoint https://192.168.0.162 --region default create-user --user-name druser 

Command prompt showing the creation of a new IAM user named 'druser' using the AWS CLI with the profile admin and endpoint 192.168.0.162. The output displays the user details, including the username, user ID, ARN, a

2. You can verify the created users with this command: 

aws iam --profile admin --endpoint https://192.168.0.162 --region default list-users 

Command prompt displaying the output of an AWS CLI command to list IAM users on the server 192.168.0.162. The list includes users 'druser,' 'geofflist,' 'geoffro,' 'objectfirst-system,' and 'readonlyuser,' along with

Step Three: Set Up a Restricted IAM Policy 

We need to set up a restricted IAM policy to prevent the standby VBR DR server from taking ownership of the production repository during disaster recovery testing. 

This policy ensures that the DR server has read-only access and cannot write to the production repository, avoiding any conflicts with the production backup server. 

Follow these steps: 

  1. Open Notepad or Notepad++
  2. Copy the following code and save it as dr-policy.json

"Version": "2012-10-17", 

"Statement": [ 

"Action": [ 

"s3:GetBucketLocation", 

"s3:GetObject", 

"s3:ListAllMyBuckets", 

"s3:GetObjectVersion", 

"s3:GetObjectVersionAcl", 

"s3:GetBucketVersioning", 

"s3:GetBucketObjectLockConfiguration", 

"s3:GetObjectRetention", 

"s3:GetObjectLegalHold", 

"s3:List*" 

], 

"Effect": "Allow", 

"Resource": "arn:aws:s3:::*" 

Notepad++ window showing the contents of a JSON file named 'dr-policy.json.' The file defines an IAM policy, including actions like 's3

3. Make sure to save this file in the same directory where you're running your AWS commands in PowerShell. 

PowerShell window displaying the contents of the Csource directory. The directory contains two files 'ca.crt' with a size of 1107 and 'dr-policy.json' with a size of 525. The command 'pwd' shows the current directory
 

Step Four: Attach the Restricted IAM Policy to the DR User 

Now that we’ve set up the restricted DR policy, the next step is to attach it to our DR user

  1. Run the following command to attach the policy to the DR user

    aws iam --profile admin --endpoint https://192.168.0.162 --region default put-user-policy --user-name druser --policy-name dr-policy --policy-document file://dr-policy.json 

  2. Verify that the policy has been properly attached by running: 

    aws iam --profile admin --endpoint https://192.168.0.162 --region default list-user-policies --user-name druser 

You should see an output like this: 

PowerShell window showing the result of the 'aws iam list-user-policies' command for the user 'druser'. The output displays one policy attached to the user, named 'dr-policy'.
 

Step Five: Generate Access and Secret Keys 

The final step is creating the credentials to connect Veeam to your production backup repository. These credentials will belong to the DR user and will be governed by the restricted IAM policy we've applied. 

  1. To create the access and secret keys, run the following command: 

aws iam --profile admin --endpoint https://192.168.0.162 --region default create-access-key --user-name druser 

PowerShell window displaying the result of the 'aws iam create-access-key' command for the user 'druser'. The output shows the generated access key ID, secret access key, and the creation date for the access key.

 

Step Six: Connect the Veeam Standby DR Server to the Repository 

Now, on your VBR DR standby server, you’ll attach the repository using the read-only credentials we created earlier. 

  1. Right-click on Backup Repositories, then select Object Storage. 

    Veeam Backup & Replication interface showing the 'Add Backup Repository' window with options to select a backup repository type, including Direct Attached Storage, Network Attached Storage, Deduplicating Storage Appli

  2. Choose S3 Compatible. 

    Veeam Backup & Replication interface showing the 'Object Storage' selection window with options to add Veeam Data Cloud Vault, S3 Compatible, Hyperscalers, or Additional Providers as object storage for backup reposito

  3. Ad the service point and, most importantly, input the credentials (access key and secret key) that were created in the previous steps. Click OK, then Next to proceed. 

    Veeam Backup & Replication interface showing the 'S3 Compatible' selection window with options to add S3 Compatible object storage or S3 Compatible with Data Archiving for backup repository.
    Veeam Backup & Replication interface showing the 'New Object Storage Repository' setup window, with 'Ootbi' entered as the repository name and description field filled in.

  4. Select the repository bucket you need for the restores and specify the folder. 

    Veeam Backup & Replication interface displaying the 'Select Folder' window for choosing a folder within the object storage bucket 'veeamdr.' Options include limiting object storage consumption and enabling immutabilit

  5. Continue through the steps, ignoring the warning about taking repository ownership—it will not happen due to the restricted policy. Once the repository is added, perform a rescan

    Veeam Backup & Replication interface showing the Backup Repositories tab. The repository 'ootbi' (S3-integrated) is highlighted with a right-click menu open, displaying options like 'Rescan,' 'Proxy affinity,' and 'Ac
  6. You should now be able to see your backups. 
Veeam Backup & Replication interface displaying the 'Object Storage (Imported)' section. Four backup jobs are listed 'cks01,' 'cks-2022-kubeadm-new,' 'Proxmox_vms,' and 'vbr.' The repository for all jobs is 'ootbi,' a
 

Step Seven: Test the Restore Process 

Now comes the moment of truth since backups are only as good as your ability to restore them

  1. Attempt to restore the entire cks01 VM back to Proxmox by following the instructions below. 

    Veeam Backup & Replication interface showing 'Object Storage (Imported)' with multiple backup jobs, including 'cks01,' 'cks02,' and 'Proxmox_vms.' The selected job is 'cks01,' created on 1012024 with two restore point
    Veeam Backup & Replication interface showing the 'Entire VM Restore' process. The 'cks01' virtual machine is selected for restoration, with a size of 100 GB and a restore point timestamped 1012024 at 22520 PM. The 'Ne
    Veeam Backup & Replication interface displaying the 'Entire VM Restore' wizard at the 'Restore Mode' step. The option 'Restore to a new location, or with different settings' is selected, allowing customization of the
    Veeam Backup & Replication interface showing the 'Entire VM Restore' wizard at the 'Host' step. The virtual machine 'cks01' is selected for restoration to the host with the IP address 192.168.0.12. The option to 'Rest
    Veeam Backup & Replication interface displaying the 'Entire VM Restore' wizard at the 'Storage' step. The virtual machine 'cks01' with a disk size of 100 GB using 'nfs' storage is selected for restoration. The interfa

  2. When restoring back to the production server, go to the Naming section and make sure to add either a prefix, suffix, or both to the VM name. 

    Veeam Backup & Replication interface displaying the 'Entire VM Restore' wizard at the 'Name' step. The virtual machine 'cks01' is selected for restoration. A pop-up window allows users to modify the VM name by adding
    Veeam Backup & Replication interface showing the 'Entire VM Restore' wizard at the 'Name' step. The original virtual machine 'cks01' has been renamed to 'new-cks01-restored' in the 'New name' column. The interface all

  3. Before booting the restored VM, disconnect the network card in the VM settings. This can be done in the Network tab during the restore process or manually after the restore. 

    Veeam Backup & Replication interface displaying the 'Entire VM Restore' wizard at the 'Network' step. The original VM 'cks01' is mapped to the network 'vmbr0' under both the 'Source' and 'Target' columns, indicating t
    Veeam Backup & Replication interface displaying the 'Entire VM Restore' wizard at the 'Reason' step. The user has entered 'DR Test 1062024' in the 'Restore reason' field, which will be logged in the restore session hi

  4. Ensure that the option to automatically power on the VM after restore is disabled

    Veeam Backup & Replication interface showing the 'Entire VM Restore' wizard at the 'Summary' step. The summary includes details such as the original VM name 'cks01,' the new name 'new-cks01-restored,' the restore poin
    Veeam Backup & Replication interface showing a 'Restore Session' window for the VM 'cks01.' The restore type is 'Restore,' and the status is 'Starting' with a start time of '1062024 104855 AM.' The log displays messag
  5. Once the job is completed:  
  • Boot up the VM and verify that everything is functioning as expected. 
  • If needed, you can shut down the production VM to avoid conflicts, or if that's not possible, ensure the network card remains disconnected. 
Veeam Backup & Replication interface showing a 'Restore Session' window for the VM 'cks01.' The restore type is 'Restore,' with a status of 'Success.' The start time is '1062024 111253 AM,' and the end time is '106202
Proxmox Virtual Environment interface displaying the console of a restored virtual machine (VM) named 'new-cks01-restored.' The console shows an Ubuntu 24.04.1 LTS login prompt for 'cks01.' The VM is listed on the lef

 

Step Eight: Ensure the Production VBR Server Remains Unaffected 

The most important outcome of this test is that the production VBR server remains unaffected. When you try to set up a backup job on the DR server, it will fail with the message: 

"The object storage repository is managed by a different backup server." 

It confirms that the DR server has not taken ownership of the repository because it was accessed with restricted rights through the IAM policy

Veeam Backup & Replication job progress screen showing the status of a failed job titled 'testFromDR.' The summary section shows a duration of 118 minutes and 1 error. Actions detail includes a message 'The object sto

 

Strengthen Your Backup Strategy with Disaster Recovery Testing 

Regular testing of your data protection systems ensures you're fully prepared when disaster strikes. The last thing you want is to face unexpected issues during recovery, so you must be familiar with every step of the process. 

By using restricted IAM policies, you can safely test your backups and restore them without risking any impact on your main VBR server. 

As a bonus, this process also provides valuable hands-on experience with IAM, which can be useful in other aspects of Veeam Data Protection. Stay tuned for more ways to leverage IAM policies with Veeam in the upcoming blogs. 

Product news

By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Object First Privacy Policy.

You might also like