VMCA2022 Questions and Answers

The Veeam feature that can be used to help achieve compliance with privacy regulations is location tags on repositories. Location tags are labels that can be assigned to backup repositories to indicate their physical or logical location, such as country, region, or data center1. Location tags can help ensure that backup data is stored and processed in compliance with data residency and privacy laws, such as GDPR or CCPA, by allowing backup administrators to create backup policies based on the location of the source and target data2. The other options are not related to privacy compliance, as they are either used for network optimization (preferred networks), server identification (location tags on Veeam Backup & Replication servers), or backup scope (location tags on subnets). References: Location Tags, Using Location Tags.

The best way to accomplish the goal of ensuring backups are free of malware before data is restored is to ensure a compatible antivirus solution is available on mount servers for secure restores. Secure restore is a feature of Veeam Backup & Replication that allows you to scan backup files for malware before performing a restore operation, using a built-in or third-party antivirus solution1. Mount servers are components of Veeam Backup & Replication that mount backup files to the backup server or backup proxy2. By having a compatible antivirus solution on mount servers, you can leverage the secure restore feature to check the backup data for malware and prevent any infection from spreading to the production environment. The other options are either not feasible (option A and B, as staged restore and Veeam Data Integration API are not designed for malware detection34) or not sufficient (option C, as Veeam Data Integration API alone cannot scan backup files for malware). References: Secure Restore, Mount Servers, Staged Restore, Veeam Data Integration API.

Network traffic rules are settings that allow you to control the network traffic transferred between backup infrastructure components, such as backup proxies, repositories, and WAN accelerators. You can use network traffic rules to throttle or encrypt the network traffic, or to specify preferred networks for data transfer1.

By configuring network traffic rules, you can reduce the bandwidth consumption for the offloading of data to public cloud storage, and avoid affecting the performance of business applications on the branch sites. You can set limits for the network traffic speed, or schedule the offloading tasks to run during off-peak hours2. You can also select the optimal network routes for the offloading tasks, and avoid congested or slow networks3.

You can find more information about network traffic rules and how to configure them in the following resources:

• Configuring Network Traffic Rules
• Enabling Traffic Throttling
• Specifying Preferred Networks

Backup from Storage Snapshots and Direct NFS are the preferred processing modes for NFS datastores, as they offer the best performance and reliability for backup and restore operations12.

Backup from Storage Snapshots is a feature of Veeam Backup & Replication that leverages the native snapshot capabilities of the storage system to create a consistent point-in-time copy of the VM data. Veeam Backup & Replication then reads data directly from the storage snapshot, bypassing the ESXi host and reducing the impact on the production environment3. Backup from Storage Snapshots is supported for NFS datastores on NetApp, Nimble, Dell EMC, HPE, and Pure Storage systems4.

Direct NFS is a proprietary transport mode of Veeam Backup & Replication that uses a native NFS client deployed on the backup proxy to read and write data directly from and to the NFS datastore. Veeam Backup & Replication also bypasses the ESXi host and reduces the load on the production environment. Direct NFS is supported for NFS datastores on any storage system that supports NFS version 3 or 4.1.

The other options are not preferred because:

• B) Network (NBD) mode is a transport mode that uses the VMware VDDK to communicate with the ESXi host over the network. This mode produces additional load on the ESXi host and the network, and may result in slower backup and restore performance.
• C) Virtual Appliance (HotAdd) mode is a transport mode that uses the VMware VDDK to attach the disks of the processed VM to the backup proxy VM. This mode also produces additional load on the ESXi host and the network, and may cause issues with disk alignment or SCSI controller limitations.
• D) Network mode with Encryption (NBDSSL) mode is a transport mode that uses the VMware VDDK to communicate with the ESXi host over the network with SSL encryption. This mode provides an extra layer of security, but also adds more overhead and reduces the backup and restore performance.

You can find more information about the processing modes and how to choose the best one for your environment in the following resources:

• Transport Modes
• Selecting a Transport Mode
• Backup from Storage Snapshots
• Storage Systems Supported for Backup from Storage Snapshots
• [Direct NFS Access]
• [Network Mode]
• [Virtual Appliance Mode]
• [Network Mode with Encryption]

The information that is still needed for a complete architectural design is how often backups are required for silver machines. This is not stated in the technical requirements, where only the recovery time objective and recovery point objective are given for the silver tier. The backup frequency affects the backup storage consumption, the backup window, and the restore point granularity. The other options are either already provided in the technical requirements (daily backup retention, amount of time required for a successful restore for gold machine) or not relevant for the architectural design (RMAN configuration guidelines). References: Veeam Certified Architect 2022 Exam Guide, page 10; Veeam Backup & Replication v11: Architecture and Design course, module 4.

Backup from storage snapshot is a feature of Veeam Backup & Replication that leverages the native snapshot capabilities of the storage system to create a consistent point-in-time copy of the VM data. Veeam Backup & Replication then reads data directly from the storage snapshot, bypassing the ESXi host and reducing the impact on the production environment1. Backup from storage snapshot is supported for VSAN datastores on NetApp, Nimble, Dell EMC, HPE, and Pure Storage systems2.

Using backup from storage snapshot for the virtualized stock trading application servers can improve the backup performance and reduce the latency, as it minimizes the time that the VM is running on a snapshot and avoids the network overhead of other transport modes3.

The other options are not recommended because:

• B) Implementing Veeam Agent on the virtualized stock trading application servers is not necessary, as Veeam Backup & Replication can protect VMware VMs without agents. Veeam Agent is mainly used for physical servers, workstations, or cloud instances4.
• C) Using Veeam Replication to create replicas of the virtualized stock trading application servers at the remote site, then back up the replicas is not optimal, as it adds more complexity and cost to the backup process. Veeam Replication is mainly used for disaster recovery purposes, not for backup5.
• D) Turning off application-aware processing for the virtualized stock trading application servers is not advisable, as it may compromise the consistency and recoverability of the application data. Application-aware processing is a feature of Veeam Backup & Replication that ensures that the application data is in a consistent state before the backup or replication job starts.

You can find more information about backup from storage snapshot and other backup options for VSAN in the following resources:

• Backup from Storage Snapshots
• Storage Systems Supported for Backup from Storage Snapshots
• Optimizing Veeam Backup & Replication Configuration for VMware VSAN
• Veeam Agent Management
• Veeam Replication
• [Application-Aware Processing]

The method that can be used to validate that the design meets target SLAs and does not exceed repository growth projections is to ensure job throughput matches extensions and cross-compare with available network throughput, disk speed and initial sizing calculations. Job throughput is the measure of how much data is processed and transferred by a backup job per unit of time. Job throughput can be affected by various factors such as network bandwidth, disk performance, compression, deduplication, encryption, etc. By ensuring job throughput matches extensions, you can verify that your backup jobs are running as expected and meeting the SLAs. By cross-comparing job throughput with available network throughput, disk speed and initial sizing calculations, you can identify any bottlenecks or discrepancies that might affect your backup performance or storage consumption.

The areas that would benefit from additional analysis on areas mentioned in the case study are MSSQL, NAS, and PostgreSQL. These areas have specific backup and restore requirements that need to be considered and addressed in the design and sizing of the Veeam backup infrastructure. For example, MSSQL requires transaction log backup and application-aware processing to ensure consistent backups and point-in-time recovery. NAS requires file-level backup and storage integration to optimize backup performance and storage efficiency. PostgreSQL requires pre-freeze and post-thaw scripts to quiesce the database before backup and resume it after backup.

References: [MSSQL Server Backup], [NAS Backup], [PostgreSQL Backup]

The component that should be deployed based on the customer’s security requirements around restore capabilities is Enterprise Manager with granular RBAC policies defined. Enterprise Manager is a web-based interface that allows centralized management of multiple Veeam backup servers. It also provides granular RBAC policies that enable control over user permissions and access to restore data. For example, you can assign different roles to different users or groups based on their responsibilities and needs, such as backup administrator, restore operator, security officer, etc. You can also define custom scopes and rules for each role to limit their access to specific objects, jobs, or actions.

The assumption that can be made for the conceptual design is that Veeam Agent backups of sale staff laptops should be managed by the backup server. This assumption is based on the best practice and recommendation for using Veeam Backup & Replication. Veeam Agent backups of sale staff laptops should be managed by the backup server to enable centralized management, monitoring, and reporting of all agent-based backups. This can also simplify the backup configuration, scheduling, and retention for the laptop agents.

The gold tier backup jobs have the most stringent recovery point objective (RPO) of one hour for image backup and 15 minutes for transaction log backup. This means that they need to run more frequently than the other backup jobs and create more restore points per day. Therefore, to properly plan the backup copy job settings, you will need more information on the gold tier backup jobs, such as the number of VMs, the size of backups, the change rate, the retention policy, and the bandwidth available for copying backups to the offsite location.

References: [Backup Copy], [Backup Methods], [Continuous Data Protection]

The best way to accomplish the recoverability testing of backup files for gold tier virtual machines to meet the customer’s requirements is to create a virtual lab in the customer’s environment, and then use SureBackup jobs to verify backups. A virtual lab is an isolated environment where you can run your backups or replicas without affecting the production environment. A SureBackup job is a process that allows you to automatically verify the recoverability of your backups by running them in a virtual lab. By using these features, you can ensure that your backups are consistent, functional, and compliant with SLAs and regulations.

The methods that should be used to scope virtual machine backups based on customer requirements are to create backups based on tags and to create backup jobs with same retention requirements. Creating backups based on tags allows dynamic scoping of backups based on VMware tags assignedto virtual machines. This can simplify backup management, as new or modified virtual machines will be automatically included or excluded from backup jobs based on their tags. Creating backup jobs with same retention requirements allows consistent application of backup policies based on the backup tiers defined by the customer. This can ensure compliance with regulatory and business needs, as different tiers of virtual machines will have different retention periods and restore points.

The types of jobs that do not support using immutability from S3 Object Lock or hardened repositories are NAS backups and Agent for Mac backups. These types of jobs do not have the option to enable immutability in their settings, unlike VMware, Hyper-V, Linux Agent, or Windows Agent backup jobs. Therefore, they cannot leverage the immutability feature of S3 Object Lock or hardened repositories to protect their backups from ransomware or malicious deletion.

References: [S3 Object Lock Immutability], [Hardened Linux Repository], [NAS Backup], [Agent for Mac]

The component that can help meet the requirement of alternative decryption capabilities on encrypted backups in the event of lost passwords is Veeam Backup Enterprise Manager. Veeam Backup Enterprise Manager is a web-based interface that allows centralized management of multiple Veeam backup servers. It also provides a password loss protection feature that enables authorized users to restore encrypted backups without entering passwords if they forget or lose them. This feature requires enabling password loss protection in Veeam Backup Enterprise Manager settings and assigning a security officer role to a user who can approve password recovery requests.

References: [Veeam Backup Enterprise Manager], [Password Loss Protection]

The transport modes that could be used during the redesign for gold tier virtual machines with a one-hour RPO are Virtual Appliance (HotAdd) and Backup from Storage Snapshots. A transport mode is a method of retrieving VM data from the source storage during backup or replication. Virtual Appliance (HotAdd) is a transport mode that allows a proxy server running on a VM to attach disks of another VM to itself via hot-add SCSI commands and read data directly from these disks. Backup from Storage Snapshots is a transport mode that allows a proxy server to retrieve data from storage snapshots created by supported storage systems without affecting the production VMs or hosts. Both transport modes can improve backup performance, reduce backup window, and minimize impact on the production environment.

•Backup copy jobs with GFS enabled. This type of job does not support using immutability from S3 Object Lock because it uses synthetic full backups, which require modifying existing backup files. Synthetic full backups are not compatible with immutability settings, as they violate the principle of not changing the backup files.

To design a solution that meets the NAS environment requirements for Veeam University Hospital, you need to collect some information during the discovery phase. This information will help you to understand the characteristics and performance of the NAS systems, the size and type of the data, and the backup and recovery objectives.

According to the Veeam Backup & Replication Best Practice Guide, some of the information that you should collect from the customer about the data stored on the NAS per site are:

•Total number of files (in millions) to be backed up. This information will help you to estimate the backup storage requirements, as well as the backup performance and scalability, based on the number and distribution of files.

•Largest file size. This information will help you to determine the optimal backup block size and alignment, as well as the backup compression and deduplication ratios, based on the size and type of files.

To design a solution that meets the replication requirement for Veeam University Hospital, you need to consider some of the mitigating techniques that might be required for the virtual machines that have several separate large VMDKs with a high change rate per virtual machine on the same datastore. This will help you to overcome some of the challenges and limitations that may affect the replication performance and efficiency, as well as the recovery point objective (RPO) of the organization.

According to the Veeam Backup & Replication Best Practice Guide, some of the mitigating techniques that might be required are:

•Implement WAN accelerator. This technique can help you to reduce the amount of data that needs to be transferred and processed between the source and target sites, by using caching, deduplication, compression, and encryption. You need to deploy a pair of WAN accelerators, one at the source site and one at the target site, and configure them in the replication job settings. This technique can improve the replication speed and efficiency, as well as save network bandwidth and storage space.

•Recommend migrating some of the VMDKs to alternative datastores. This technique can help you to avoid performance degradation and resource contention on the source datastore, by distributing the load and I/O across multiple datastores. You need to use VMware tools or commands, such as Storage vMotion or svmotion, to migrate some of the VMDKs to other datastores that have enough capacity and performance. This technique can improve the replication stability and reliability, as well as reduce the impact on the production environment.

Therefore, based on these techniques, the answer that describes which mitigating techniques might be required is A and C.

To perform backup from storage snapshots for a Fibre Channel SAN, you need to deploy one or more physical servers that will act as backup proxies and connect them to the SAN fabric. This is because Veeam Backup & Replication needs to access the storage system over the Fibre Channel protocol, which is not supported by virtual machines. The backup proxies will read data from the storage snapshots and transfer it to the backup repositories1

The gateway is a component that acts as a data mover between the backup proxy and the backup repository. If the gateway does not have enough CPU, RAM and task slots assigned, it may not be able to handle the incoming data from the backup proxy efficiently, and cause a bottleneck at the target. By increasing the resources and task slots for the gateway, you can improve its performance and throughput, and reduce the load on the target2

According to the Veeam Backup & Replication Best Practice Guide1, some of the reasons why it is recommended to have a Veeam backup server at each of the three sites are:

•Each site has production data. This reason is based on the principle of locality, which states that backup data should be stored as close as possible to the source data, to reduce network traffic and latency, and to improve backup and restore speed and efficiency. Having a Veeam backup server at each site allows you to perform local backups of the production data at each site, without having tocross the WAN or VPN connections between sites.

According to the Veeam Backup & Replication Best Practice Guide1, the proxy and repository servers are the components that should be sized correctly to ensure that synthetic operations and backup copy jobs can be completed in the desired window. This is because:

•The proxy server is responsible for retrieving data from the source and sending it to the target. The proxy server performance depends on the CPU, memory, network, and storage resources available. The proxy server should have enough CPU cores and memory to handle concurrent tasks, as well as sufficient network bandwidth and storage throughput to transfer data efficiently.

•The repository server is responsible for storing backup files on the target storage. The repository server performance depends on the CPU, memory, network, and storage resources available. The repository server should have enough CPU cores and memory to handle concurrent tasks, as well as sufficient network bandwidth and storage throughput to write data efficiently. The repository server should also support the backup format and retention policy chosen for the backup copy job.

References: 1: Backup copy jobs - Veeam Backup & Replication Best Practice Guide

To make backup files immutable in a Scale-out Backup Repository, you need to use XFS extents with the reflink attribute enabled. This attribute allows Veeam Backup & Replication to create immutable backup files using the fast clone technology. If some of the XFS extents do not have this attribute enabled, they will not support immutability and the backup files stored on them will not be protected from deletion or modification1

To design a solution that meets the backup retention requirements for Veeam University Hospital, you need to consider the minimum requirement for on-premises backup retention for this project. This will help you to ensure the availability and reliability of your backup data, as well as the compliance and security of your backup storage.

According to the case study, the minimum requirement for on-premises backup retention for this project is B. On-premises retention must be 14 daily, and two weekly backups.

This requirement means that:

•The on-premises backup retention is the policy that defines how long the backup data should be kept on the local backup storage, such as NFS storage, deduplication appliance, etc.

•The on-premises backup retention must be 14 daily and two weekly backups, which means that you need to keep at least 14 copies of the daily backups and two copies of the weekly backups on the local backup storage.

•The on-premises backup retention must be applied to all types of workloads that are backed up by Veeam Backup & Replication, such as virtual machines, physical servers, NAS systems, etc.

This requirement is based on the business and compliance needs of Veeam University Hospital, which are:

•To have a fast and reliable restore option for the most recent backups in case of a disaster or failure.

•To comply with the HIPAA regulations that require health care organizations to retain backup data for at least six years1.

Option C uses replica seeding to reduce the network traffic during the initial replication. By creating a backup job of the source VM at the primary site and pointing the replica job to that backup repository at the secondary site, Veeam Backup & Replication can restore the VM from the backup and synchronize it with the latest state of the source VM. Then it can use the restored VM as a replica2