#1 Global Leader in Data Resilience

Using Object Storage with Veeam Products

KB ID: 4241
Product: Veeam Backup & Replication
Veeam Backup for Microsoft 365
Veeam Backup for AWS
Veeam Backup for Microsoft Azure
Published: 2021-11-18
Last Modified: 2024-08-13
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please, try again later.

Summary

Veeam Backup & Replication supports object storage as a destination for long-term data storage. Similarly, Veeam Backup for Office 365 and cloud-specific offerings, such as Veeam Backup for AWSVeeam Backup for AzureVeeam Backup for Google Cloud Platform all support object storage.

This article lists some general guidance for using object storage in combination with these Veeam products.

Considerations and Limitations

General Limitations

As documented in Object Storage Repository > Considerations and Limitations:

Object storage gateway appliances used to store backup data, emulating disk or CIFS/NFS, iSCSI/FC/SAS are not supported if the backup data is offloaded to object storage and is no longer stored directly on the appliance.

Gateway appliances are only supported in the following cases:

  • All backup data is stored and remains on the actual storage appliance, and data is only copied to object storage.

    or
  • The appliance emulates a tape system (VTL) as an access protocol for Veeam Backup & Replication.

Amazon S3 and S3 Compatible Object Storage

Support for Amazon S3 and S3-compatible object storage varies between products. The following limitations apply:

  • Versioning is not required unless object lock is enabled.
  • Support for AWS Signature v4 is required.

Specific Veeam products can manage immutability for data stored within AWS S3. Immutability can only be used with new buckets. Automatic settings for objects uploaded with object lock are not supported, and configuring these features outside of how Veeam uses them can result in data loss. 

Veeam manages the entire data lifecycle of backups stored within AWS. As such, Lifecycle policies are not supported nor needed, and doing so can result in data loss.

For AWS, it is recommended that you use S3 bucket policies to restrict access to specific endpoints or IP addresses.

Azure Blob Object Storage

Support for Azure Blob object storage varies between products. The following limitations currently apply to all Veeam products:

Specific Veeam products can manage immutability for data stored within Azure. Immutability can only be used with new storage account containers and cannot be used with existing backup data where immutability was not applied previously. Default immutability policies are not supported, and configuring these features outside of how Veeam uses them can result in data loss. Learn more...

Veeam manages the entire data lifecycle of backups stored within Azure. As such, configuring the storage account with these features is unnecessary, and doing so can result in data loss. More details are available in the Object Storage Repository Considerations and Limitations section of the Veeam Backup & Replication user guide.

For Azure, it is recommended that you use Azure Storage Firewall policies to restrict access to specific IP addresses.

Microsoft Defender for Storage is Unsupported

Using Microsoft Defender for Storage with Veeam backup data is ill-advised and unsupported.

  • Veeam backup data is stored in individual blocks that are chunked and potentially encrypted, which means the content of the backup data is unreadable by security software.
  • Because the content of the backups cannot be read by Microsoft Defender for Storage, features such as 'sensitive data threat detection'  and 'malware scanning' will not function properly.
  • Enabling Defender for Storage would not impact Veeam software or the backups and could be utilized to detect activity anomalies. However, due to its chunked nature, a block of Veeam backup data may, by coincidence, have strings that match regex logic or have a hash that is associated with a known indicator of compromise (IOC), resulting in a false positive.
  • Enabling Defender for Storage may effectively double the costs associated with your storage account, with little to no real benefit because it cannot actually scan or read the contents of the Veeam backup data blocks.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please, try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply except as noted in our Privacy Policy.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please, try again later.