Replicate ESXi/VEEAM environment?

J

j.a.duke

New Member
Dec 15, 2025
1
0
1
I've read through the documentation for both PVE & PBS and still am not sure how to replicate my current ESXi/VEEAM environment. Or maybe there's a better way to implement a PVE/PBS environment which offers the same benefits.

What I have currently is our primary server in the office hosting VMs, including VEEAM. VEEAM replicates all the VMs to our off-site server (also running ESXi and VEEAM) as well as backing up the VMs to in-office storage and B2.

How should I approach this from a PVE/PBS perspective?
 
Use PBS internal remote/sync mechanism to sync your backups to an offsite PBS. PBS also has ( allthough still Experimental) support for S3-storage. How is your in-office-storage connected?
How are you using your offsite ESXi except for veeam? Do you host any vms on it?
 
If you have two sites and lots of hardware and you are keen to use PBS instead of the VEEAM plugin, here is my experience:

Backup locally to the onsite PBS in the office that is hosting VMs. Then, from the remote-site PBS, run sync pull jobs from your onsite office PBS. This effectively gives you 3 copies and at least one offsite. You can tune the API tokens used for these sync pull jobs to ensure access from the offsite PBS is read-only which effectively adds a layer of ransomware protection.

This would make your cloud backup and additional physical backup solutions completely optional.
 
  • Like
Reactions: Johannes S
Adding to @heythiscomputes advice you can secure your remote PBS even more by using a firewall like iptables (or one if its frontends like ufw, firewalld or the firewall in ProxmoxVE if you happen to install proxmoxve on the same host) to close all ingoing connections to the offsite PBS. A pull-sync doesn't need a open port on the offsite PBS, for managment you could use a vpn connection which only allows your management client (e.g. your notebook) to access the PBS. In case of a needed recovery you would temporary open the port and afterwards close it again. The benefit is that an bad actor can't hack anything he can't access in the first place.
If the firewall way isn't an option @meyergru described how you could setup a reverse proxy so only the API endpoints are getting exposed: https://forum.proxmox.com/threads/u...-pbs-exposition-to-api-endpoints-only.182188/
 
You must log in or register to reply here.
Top Bottom
Back