This guide seeks to help Infinidat customers who own InfiniGuard systems, and who also use Veeam Backup & Replication get the most out of their investment. It is also intended to help Infinidat field sales teams by providing guidance to enhance the installation and integration of Veeam Backup & Replication with Infinidat InfiniGuard systems.
How to use this guide
This document assumes that the reader has basic expertise with Veeam Backup & Replication, basic networking, SAN, Hyper-V, and VMware experience. It also assumes that the reader has an InfiniGuard installed in a working Veeaem Backup & Replication environment.
This document provides key recommendations and useful information for quickly setting up an InfiniGuard system with Veeam Backup & Replication. It expands on these recommendations and discusses the features and performance tuning considerations relevant to NAS attached storage.
This document is organized according to the NAS storage target access methods to be employed with Veeam Backup & Replication. Currently Veeam does not support VTL thus the InfiniGuard will appear as a CIFS or NFS storage repository.
This document was created for Veeam 9.5 u4 and Veeam v10 terminology and configuration screens and will detail the more significant configuration options for both version with InfiniGuard and the DDE. Beyond that it, relies on the user’s expertise with Veeam and Veeam documentation.
The complete InfiniGuard documentation set is available here: https://support.infinidat.com/hc/en-us/articles/360000491457-InfiniGuard-3-0-documentation
- Veeam User Guide VMware
- Veeam User Guide Hyper-V
- Top 10 Best Practices for vSphere Backups
- Veeam Knowledge Base
Summary of tuning parameters for Veeam Backup & Replication
For backup administrators who are well versed with Veeam Backup & Replication and InfiniGuard systems, the following table offers a summary of suggested repository parameters/values. As with any modifications to a system that impacts performance and/or tuning, your results may vary and are not guaranteed.
Veeam Linux Repository Settings
The following repositories settings reflect best practices when InfiniGuard DDE is configured as a Veeam Linux Backup Repository. In some cases, it may be useful to work with both Veeam and Infinidat support to optimize settings for your specific workloads.
|Limit maximum concurrent tasks to|
25-45 per DDE; 50-90 per system. This is the aggregate number of concurrent tasks from all backup proxies.
Each DDE supports 25-45 concurrent tasks (50 to 90 per system) depending on the number and type of backup and restore process. Resources for each of these processes fluctuates so the number of concurrent tasks should be monitored and adjusted to minimized failed jobs and meet objectives.
|Align backup file data blocks||No|
|Decompress backup data blocks before storing|
This improves deduplication ratio
|Use per-VM backup files||Yes|
|vPowerNFS||Recommend vPowerNFS be kept on primary storage.|
Veeam Backup Job Settings
Disable or Enable
Enable is recommended if Synthetic Full is not enabled
Recommend running synthetic full backups periodically and limit restore points to from 7 to 14 (Veeam default). In addition, no more than 30 restore points should be retained before running a synthetic or active full backup.
Synthetic Full backup moves the workload from the backup and proxy servers to the DDE where it will share resources with other backup and restore operations. So, depending on the size, rate of change and number of incremental backups in a set, consider using Active Full backup to balance resources and improve performance.
|Reverse Incremental||Not recommended|
|Enable Inline data deduplication||No|
Do not enable backup file encryption.
While Veeam Backup & Replication supports encryption, for best performance utilize the hardware encryption provided by the InfiniGuard. For additional detail see Veeam Backup & Replication Storage Settings and Tuning Considerations, below.
Local target (large blocks) Veeam 9.5.3 labeled this option " Local target+16TB"
|Change block tracking||Yes|
The following are minimum requirements from Veeam, and it should be understood that minimum requirements typically deliver minimal performance. Our recommendation is to use the following as a baseline to size server resources appropriately to meet service demand.
|Veeam Backup Server|
CPU: x86-64 processor (4 cores recommended).
Memory: 4 GB RAM plus 500 MB RAM for each concurrent job. Memory consumption varies according to number of VMs in the job, size of VM metadata, size of production infrastructure, etc.
Disk Space: 5 GB for product installation and 4.5 GB for Microsoft .NET Framework 4.6 installation. 10 GB per 100 VM for guest file system catalog folder (persistent data). Additional free disk space for Instant VM Recovery cache folder (non-persistent data, at least 10 GB recommended).Network: 1 Gbps or faster for on-site backup and replication, and 1 Mbps or faster for off-site backup and replication. High latency and reasonably unstable WAN links are supported.
CPU: modern x86 processor with minimum of 2 cores (vCPUs), plus 1 core (vCPU) for each additional concurrent task. Using faster processors improves data processing performance. For more information, see Veeam User's Guide: Limitation of Concurrent Tasks.
Memory: 2 GB RAM plus 200 MB for each concurrent task. Using faster memory (DDR3/DDR4) improves data processing performance.
Disk Space: 300 MB.
Network: Veeam minimum recommendations are 1 Gbps or faster for on-site backup and replication, and 1 Mbps or faster for off-site backup and replication. High latency and reasonably unstable WAN links are supported.
InfiniGuard best practice is to use VMXNET3 and 10Gb infrastructure.
Processor: x86/x64 processor. Memory: 2 GB RAM.
Hard Disk Space: 2 GB for product installation plus sufficient disk space to store guest file system catalog from connected backup servers (according to data retention policy).
Network: 1Mbps or faster connection to Veeam Backup & Replication servers.
|Transport Method||Virtual Appliance -HotAdd is recommended or Network|
Use only standard ANSI characters for the computer name of the computer on which you want to install Veeam Backup & Replication.
Windows OS options
Apply the following Microsoft Windows 2008/2008R2 Server hot fixes to improve performance:
Consult any of the following resources on the Help menu if you have questions or difficulties:
- Use the Veeam Backup & Replication User Guide for comprehensive information about Veeam Backup & Replication.
- Use the Veeam Backup & Replication help center for searchable, topic-based documentation.
- Use the Veeam Backup & Replication built in help for access to offline searchable documentation.
Configuring Veeam Backup & Replication with the InfiniGuard
Configuring Veeam Backup & Replication with InfiniGuard NAS
A Network Attached Storage (NAS) unit is essentially a self-contained computer connected to an Ethernet network, with the sole purpose of supplying data storage services to other devices on the network.
InfiniGuard presents as a NAS appliance for backup purposes and support NFS and CIFS. In the Veeam environment, the InfiniGuard DDE is configured as a Veeam Linux Backup Repository where it’s not actually using NFS but where Veeam deploys a data mover on the DDE and moves data directly from the backup proxy using SCP. This is a high-performance transport and should be used instead of CIFS (SMB) share.
The InfiniGuard is NOT a Network Attached Storage device to be used to store customer data. The InfiniGuard only emulates a NAS device for the sole purpose of being a Backup-to-Disk target for backup applications such as Veeam. Do not use the InfiniGuard NAS share as “Drag-and-Drop” file storage.
NAS Device Path Considerations
Network segmentation is the process of splitting a single network into several sub-networks or segments. The advantages of a segmented network are improved performance and security. Performance is improved because there are fewer hosts on the segmented network, which in turn minimizes local traffic. Security is improved because the data traffic is contained on this segment and is not visible to the outside network.
If you are using network segmentation and Automated Deployment Services (ADS), you must use the data segment IP information for ADS management, NOT the management segment. ADS uses the Server Message Block (SMB) data protocol to manage the NAS shares on your system, which requires that the management traffic use the data segment.
InfiniGuard systems allow you to configure your network for separate segment types. The three primary segments are defined by the type of network traffic that can be used on that segment. The three types of network traffic are:
- Replication traffic - This segment is used exclusively for replication data movement.
- Management traffic - This segment is used exclusively for InfiniGuard remote management (Web page access).
- Data traffic - This segment is used exclusively for NAS data movement.
Each network segment has its own network interface (IP address, network mask, and default gateway). In this way, the segment is separated from other network segment traffic.
Note on Bonding
For Mode 0 Bonding, whether or not Round Robin or LACP is used, the ports on the Ethernet switch that the InfiniGuard are connected to must be in a matching group type as the Bond 0 group on the InfiniGuard.
The InfiniGuard also supports Mode 1 Bonding (active/backup) which does not require any special switch configuration. With a Mode 1 bond only one interface in the bond is active. If that interface loses connectivity, the MAC address is moved to another interface in the bond which then becomes active. Typically, this is used when connections to the InfiniGuard are routed through two completely separate switches for redundancy / failover.
Veeam Backup & Replication seamlessly integrates with an InfiniGuard disk backup system using the NAS (CIFS or NFS) interface. Once installed and configured, Veeam can manage backups through the InfiniGuard and take advantage of the system’s capabilities, such as data deduplication and replication.
Installing and configuring the InfiniGuard and Veeam for NAS operation consists of the following major steps, which are discussed below.
Configure the InfiniGuard for NAS
In the InfiniGuard Remote Management Console (the GUI); the Configuration page allows you to configure many of the features of the InfiniGuard, including storage presentation. Configuring the InfiniGuard for NAS lets you choose which network protocol will be used as the transport method to the InfiniGuard.
InfiniGuard - Veeam Linux Backup Repository
The InfiniGuard provides integrated support with the Veeam Linux backup repository. In this scenario, Veeam uses two Data Mover Services that are responsible for data processing and transfer:
- Veeam Data Mover on the backup proxy
- Veeam Data Mover on the InfiniGuard DDE Linux repository
The Data Mover Service establishes a connection with the source-side Data Mover Service on the backup proxy, enabling efficient data transfer over LAN or WAN. It also makes connection to the DDE Linux repository and deploys a data mover on the DDE with each data stream to or from the backup proxy. Each data mover is removed when the job is complete.
To support this service the InfiniGuard DDE Linux repository must be added to the Veeam console as a managed server. See configuration details below.
InfiniGuard – Veeam CIFS (SMB) share.
You can also configure the DDE to present CIFS shares that can be configured with Veeam as a backup repository. This is not an optimal solution, so for best performance and scale the Veeam Linux backup repository is recommended.
Configuring InfiniGuard for a Veeam Linux Repository
InfiniGuard DDE configuration
In the InfiniGuard Management Console, select Dedup Engines and DDE that will host the Linux repository. On the DDE select, Configuration > System > App Environment.
The Application Environment page is displayed.
- Enabling Veeam for the first time requires a password
- Public keys can be configured only after Veeam was enabled and the system was rebooted
To enable Veeam:
- Select the Enable Veeam checkbox
- Select the Allow login with password checkbox
- Enter a new password
- Passwords can be up to 32 characters long. Alphanumeric characters and special characters are allowed
- Confirm the new password
- Click Apply
- Click Yes to reboot the system. InfiniGuard login screen will re-appear with Veeam enabled
Veeam Linux repository configuration with the DDE
Once InfiniGuard is enabled for Veeam services, configure a Veeam Linux Server to host the repository:
- Select Backup Infrastructure
- Select Managed Servers > Add Server. The Add Server dialog box appears
3. Select Linux. The new Linux Server dialog box appears
4. Enter the DNS or IP Address of the DDE that is configured to work with Veeam
5.Click Next. The SSH Connection screen appears
6. Select Add > Linux Account. The Credentials dialog box is displayed.
7. Enter the Username and Password that were created when Veeam was enabled to work with InfiniGuard
8. Check the Elevate the specified account to root box for v9.5.3 or Elevate account privileges automatically in v9.5u4 and later.
9. Select OK and confirm settings in the Summary
10. Select Advanced. The SSH Setting dialog box appear
11. Set the Port range from 2500 to 3090
12. Click OK to close the SSH Settings dialog box
13. Click Apply to close the New Linux Server dialog box
14. In Backup Infrastructure, select Backup Repositories > Add Backup Repositories.
The New Backup Repository dialog box appears
15. Select Direct Attached Storage to configure InfiniGuard DDE Linux repository
16. Select Linux for the InfiniGuard DDE server
17. Enter a Name for the new DDE backup repository.
18. Click Next. The New Backup Repository - Server screen appears
19. Select the Linux server just created from the repository server dropdown.
20. Click Next. The New Backup Repository - Repository screen appears
21. Click Browse.
The Select Folder dialog box appears
22. Navigate to /shares/<share created in DDE >
- The NAS share must be created on the DDE system
- The NAS share must be located in the
/sharesdirectory to deduplicate properly.
23. Click OK to close the Select Folder dialog box
25. In the New Backup Repository - Repository screen, set the Limit maximum concurrent tasks - See recommendations in “Repository Settings” above.
26. Click Advanced to customize repository settings. The Storage Compatibility Settings dialog box appears
27.Select the Decompress backup data blocks before storing checkbox
37. Select the Use per-VM backup files checkbox.
28 Click OK to close the Storage Compatibility Settings dialog box.
29. Click Next. The New Backup Repository - Mount Server screen appears
30. Do not change the Mount Server default settings. Click Next. The New Backup Repository - Review screen appears
31. Review the backup repository changes.
32. Click Apply to save and apply the changes. The repository is now ready for backup and restoration operations.
Best Practices Guide with InfiniGuard NAS
Number of Shares considerations
Infinidat InfiniGuard systems support both CIFS (Windows-based) and NFS shares. Each system can support multiple NAS shares, with a maximum of 128 shares. It is recommended that users create only the required number of shares for each backup proxy.
When using NAS shares on InfiniGuard systems, it is recommended to create at least one share for each backup proxy to use. Backup proxies should not share the NAS shares during normal backup operations.
Network Share Access Control Considerations
In Windows Active Directory environments, the share acts as the target for Veeam Backup & Replication. The share is not intended as primary storage or drag-and-drop storage. A best practice is to create a new account and workgroup, as opposed to joining the domain, to limit access and prevent accidental file deletion by another user. It is recommended that you DO NOT reconfigure or delete NAS shares while data is being written. There is no mechanism to detect the I/O and provide a warning to the user.
In NFS environments, root access to an NFS share is not allowed, and the access rights will be changed to
nfsnobody as a security precaution. This does not impact the access to the share from the backup application.
Some network considerations include:
Use a dedicated network for backup data, or use QoS features that guarantee network bandwidth. Another option would be to use virtual networks (VLANs) to segregate backup from production network traffic.
- Configure network interface cards (NICs) in the server and clients, and set routers to full duplex.
- Use only CAT5e or CAT6 cables (1Gb/s rated cables).
- Use only OM3 or OM4 (Aqua) Fibre Optic cables (10Gb/s rated FC).
- If you are using a DNS server, verify that the DNS server configuration settings are correct by using nslookup on the host name, as well as the IP address.
- It is also a good idea to add the HOSTNAME and IP Address to the host file.
- Use multiple InfiniGuard ports when connecting to the network. The more InfiniGuard Ports used, the better the performance capability will be across the ports.
- Install and configure multiple network ports on the Backup Proxy servers. Dedicate multiple ports for the transfer of data to the InfiniGuard.
- For redundancy, connect at least two InfiniGuard ports to an Ethernet switch.
- Leverage InfiniGuard’s ability to setup multiple networks. The InfiniGuard network configuration allows for integration into nearly any networked environment.
- Set each switch port used by the InfiniGuard to auto-negotiate/auto-sensing. The InfiniGuard network interface cards are preset to auto/auto and cannot be changed.
Veeam Backup & Replication Storage Settings and Tuning Considerations
When Veeam Backup and Replication is registered with vCenter it will discover all VM, datastores, and networks and will configure Veeam to assure backups and recoveries occur as scheduled and without failing. Veeam will attempt to optimize data paths, if however optimal resources are unavailable or oversubscribed for a scheduled backup, Veeam will find an alternate path which may result in the job taking longer than expected. So, the following defines terminology and concepts that provide a basic understanding for the various transport modes Veeam uses to move data from source to the InfiniGuard DDE. For additional detail please refer to the Veeam User’s Guide.
A backup proxy is a component that sits between the backup server and DDE. While the backup server administers tasks, the proxy processes jobs and retrieves data from production storage and moves it to the target DDE. Effectively deploying backup proxies allows the backup infrastructure to scale based on demand. Backup proxies can be deployed on VM or physical server.
Backup Proxy Transport Modes
Transport modes directly affect performance. The transport mode is a method used by the proxy data mover to retrieve VM data from the source and write that data to the target. For retrieving source data, Veeam offers the following modes in order of speed and efficiency: Direct Storage Access, Virtual Appliance, then Network.
Direct Storage Access
InfiniGuard DDE running VDMS does not support the Direct Storage Access mode.
The Virtual appliance mode is not as efficient as the Direct storage access mode but provides much better performance than the Network mode. In the Virtual appliance mode, Veeam uses the VMware SCSI HotAdd capability that supports attaching devices to a VM while the VM is running. During backup, replication or restore, disks of the processed VM are attached to the backup proxy. In this scenario, VM data is retrieved or written directly from and to the datastore, instead of going through the network.
The Network mode is lease desirable but available with any infrastructure configuration. In this mode, data is retrieved leveraging ESX host resources over the LAN using the Network Block Device protocol (NBD). Network mode is not recommended due to LAN performance limitation.
Backup job and Backup Proxy considerations
When configuring the backup proxy, you can manually select the transport mode, or let Veeam select the best transport mode based on analysis of the infrastructure. If the infrastructure supports several transport modes for the same backup proxy, Veeam will select the best mode in the following order: Direct storage access, Virtual appliance, then Network.
Each backup proxy can be configured for specific transport mode and number of concurrent tasks. And, each backup job can be configured to direct data to one or more backup proxy. Alternatively, this can be left to Veeam to configure and load balance with available resources. Veeam progress and job reports details the configuration and results of each backup so you can identify the backup proxy and transport mode for each backup job.
When using an InfiniGuard as NAS for a backup repository, consider the following
- Install one or more Backup Proxy Virtual Appliance on each ESXi host connected to the storage. Use separate VMXNET3 networks to the ESXi host and DDE. The E1000 vNIC is not recommended for this purpose.
- Confirm that the backup proxies are sized for the Max Concurrent Tasks they are expected to support: Minimum of 2 core or vCPU plus 1 core or vCPU per concurrent task.
- Monitor backup and restore jobs to confirm that Veeam is not using Network mode. If adequate resources are provided and jobs scheduled appropriately Virtual Appliance mode will be utilized with better performance.
- In cases where the Veeam Repository Management account is escalated to root, each DDE supports 25-45 concurrent streams (50 to 90 per system) depending on the number and type of backup and restore process. Resources for each of these processes fluctuates so stream counts need to be monitored and adjusted to minimized failed jobs and meet objectives.
- In cases where the Veeam Repository Management account is not escalated to root, do not exceed 15 concurrent streams per DDE (30 for the entire system)
- Data Encryption consumes resources and can reduce deduplication ratios, so consider the following:
- InfiniGuard supports data-at-rest encryption.
- Do not enable backup file encryption at the job level. This will send encrypted data to the DDE; consuming backup proxy resources and reducing deduplication ratios.
- Best practice is to use secured networks.
- An alternative is to use Veeam backup proxy traffic rules to encrypt data-in-flight
- If Veeam backup data is directed over open public networks Veeam will encrypted data-in-flight by default.
- Recommend using Veeam advanced deployments and distributed deployments.
Common Operational Considerations for Veeam
Deduplication Data Considerations
Deduplication results can be negatively impacted by compression, encryption, software deduplication, and multiplexing. These functions all change the data stream in a way that obscures patterns in the data content. They will reduce the performance and deduplication from any downstream appliance, including InfiniGuard systems. To obtain effective deduplication rates, you should NOT encrypt, deduplicate, or compress your backup data before sending it to an InfiniGuard DDE.
Good Candidates for Data Deduplication
Data deduplication can work well with virtual machines, large databases and unstructured data such as Microsoft Office documents (PowerPoint presentations, Word documents, and Excel spreadsheets), SQL, Oracle and Exchange databases and source code.
Not So Good Candidates for Data Deduplication
Data deduplication does not work well with encrypted data, inline compressed data, SQL with LiteSpeed (inline compression), Oracle with multi-channel RMAN (inline multiplex), Exchange 2010, and compressed or uncompressed music files or movies/videos.
For long-term archiving, it is recommended to vault the data to a physical tape device.
For first-time replication setups, when the InfiniGuard share is first created, it is highly recommended to manually initiate a Replication while that share is empty. This facilitates the first replication following the first backup to that share/partition.
- The replication is only available to NAS shares with deduplication enabled.
- The InfiniGuard supports 128-bit AES encryption for replication.
- Data is only encrypted while in transit between the replication source and replication target.
- Data is unencrypted upon arrival at the replication target.
- Encryption may affect replication performance. You should disable encryption if your WAN is already secured.
For more information, please refer to INFINIDAT’s InfiniGuard User's Guide.
Oversubscription of Space on the InfiniGuard
The Disk Usage overview on the Home page of the InfiniGuard Management GUI displays the following information about disk usage on the system (Note: values are displayed as an amount and as a percentage of the total capacity in the system):
- Disk Capacity - The total usable disk capacity of the InfiniGuard.
- Available Disk Space - The disk space available for data storage (free space).
- I/O Write Low Threshold state (Yellow) - Free disk space is equal to or less than 500GB + [10GB * (Total system capacity in TB)]
- Stop Write state (Red) - Free disk space is equal to or less than 250GB
- Stop I/O state (Red) - Free disk space is equal to or less than 10GB
- For optimal system performance, Infinidat recommends keeping the amount of Available Disk Space (free space) at 20% or more.
- When disk capacity is low, target replication to the system is paused. In addition, space reclamation is automatically started to free up disk space.
Backup Stream Considerations
Limiting the number of Concurrent backups and data ingestion rate will help control the load on the repository and can prevent possible timeouts.
Advanced Deployment and Distributed Deployment can greatly relieve the load on the Veeam Backup Server.
Resource Scheduling can automatically select and use optimal resources for configured jobs. Setup multiple networks where possible so each Veeam proxy will have its own data path to the InfiniGuard.
InfiniGuard Backup I/O Guidance
The Reversed Incremental Backup first runs a full backup on the VM and then all subsequent backups are incremental. It is a backup method that allows you to perform a forever-incremental backup strategy. During the Reversed Incremental Backup Veeam injects changes into the .vbk file and then rebuilds it to the most recent state of the VM. This will cause simultaneous read and write operation on the InfiniGuard. This can negatively impact performance causing an I/O performance bottleneck on the InfiniGuard. To avoid this situation consider running a standard incremental backup and then use the Active Full Backup method thus preventing any I/O bottlenecks within the storage device. Multiple Full backups will not consume as much space on InfiniGuard storage because all similar blocks will be deduplicated by the InfiniGuard.
The Synthetic Full Backup is a method that synthesizes a backup from the first Full Backup and subsequent Incremental Backups. The underlying difference between an Active Full Backup and Synthetic Full Backup is how the VM data is retrieved. With the Synthetic Full Backup Veeam will not retrieve the VM data from the source but rather synthesize a full backup from the repository. This causes the workload to shift from the source and proxy to the InfiniGuard repository storage. This method can negatively impact performance causing an I/O bottleneck on the InfiniGuard. To avoid this situation consider running a standard incremental backup and then use the Active Full Backup method thus preventing any I/O bottlenecks within the storage. Multiple Full backups will not consume as much space on InfiniGuard storage because all similar blocks will be deduplicated by the InfiniGuard.
Instant VM Recovery allows the Veeam user to immediately restore a VM back into production from the InfiniGuard storage repository. This allows the Veeam user to minimize recovery time objectives and minimizes disruption from production downtime. The booting of the virtual machines from the InfiniGuard repository is similar in performance to the Reversed Incremental and Synthetic Full Backup. This method of restore could negatively impact performance causing an I/O bottleneck at the InfiniGuard. The InfiniGuard works well with the Instant VM Recovery method although it is not designed as primary storage. Thus Instant VM Recovery should be viewed only as a temporary solution until primary storage is available.