Centralized Backup & DR in a Multi-Hypervisor Environment — Case Study
How we designed and deployed Veeam Backup & Replication infrastructure for three hypervisors (VMware, Hyper-V, oVirt) with offsite to Azure and ransomware protection.
Three hypervisors. VMware ESXi, Microsoft Hyper-V, and oVirt. Scattered backups. Zero coherent data protection strategy. That was the reality for a client who needed a single, centralized backup system compliant with the 3-2-1 rule — and resistant to ransomware.
📋 TL;DR
- Initial state: three different virtualization platforms, no consistent backup strategy, no offsite copies
- Solution: 3× Veeam Backup & Replication (one instance per hypervisor) + Scale-Out Backup Repository + Azure Blob Storage (Capacity Tier)
- Security: Object Lock in Azure — immutable backups, ransomware-proof
- Result: RPO/RTO reduced to minutes, costs optimized through deduplication and tiering, full 3-2-1 compliance
⚠️ Problem: three hypervisors, zero consistency
The organization grew rapidly and adopted different virtualization technologies at different times. The result? A production environment running on three independent platforms:
| Platform | Use case | Snapshot mechanism |
|---|---|---|
| VMware ESXi | Main production environments | vSphere Snapshots + HotAdd |
| Microsoft Hyper-V | Windows apps, AD servers | VSS (Volume Shadow Copy) |
| oVirt | Internal dev environments | oVirt API Snapshots |
Each platform had its own independent approach to backup — or none at all. There was no central repository, no offsite copies, no guarantee of data immutability. The question “what happens if the entire DC goes down?” had no good answer.
What needed fixing?
- No 3-2-1 strategy — backups existed locally only, with no offsite copy
- Inconsistent protection — each hypervisor was “backed up” differently (or not at all)
- No immutability — ransomware could encrypt the backup copies too
- Long recovery times — no tested DR procedures
- Storage costs — no deduplication, no tiering
🎯 Project goal
Requirements were clear:
- Consistent protection of all three virtualization platforms from a single ecosystem
- 3-2-1 rule — minimum 3 copies, on 2 different media types, 1 copy offsite
- Backup immutability — protection against ransomware and accidental deletion
- RPO/RTO optimization — critical services restored in minutes, not hours
- Cost control — intelligent storage space management
🔧 Solution: architecture step by step
Step 1: Three Veeam instances — native support per hypervisor
As a certified Veeam VMCE engineer, I designed an architecture based on three dedicated Veeam Backup & Replication instances. Each was optimized for a specific hypervisor to fully leverage native snapshot mechanisms and minimize backup windows.
┌──────────────────────────────────────────────────────────────┐
│ VEEAM INFRASTRUCTURE │
│ │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ VBR #1 │ │ VBR #2 │ │ VBR #3 │ │
│ │ VMware ESXi │ │ Hyper-V │ │ oVirt │ │
│ │ │ │ │ │ │ │
│ │ • HotAdd │ │ • VSS │ │ • Veeam │ │
│ │ • CBT │ │ • Application │ │ Kasten / │ │
│ │ • vSphere API │ │ Consistent │ │ Plug-in │ │
│ └───────┬────────┘ └───────┬────────┘ └───────┬────────┘ │
│ │ │ │ │
│ └──────────────────┼──────────────────┘ │
│ │ │
│ ┌────────▼────────┐ │
│ │ SOBR │ │
│ │ Scale-Out │ │
│ │ Backup Repo │ │
│ ├─────────────────┤ │
│ │ Performance │ │
│ │ Tier (local) │──── fast restore │
│ ├─────────────────┤ │
│ │ Capacity Tier │ │
│ │ (Azure Blob) │──── offsite + 3-2-1 │
│ │ + Object Lock │──── immutability │
│ └─────────────────┘ │
└──────────────────────────────────────────────────────────────┘VMware ESXi instance — configured with HotAdd for maximum data transfer performance. Changed Block Tracking (CBT) ensures incremental backups without full disk scans.
Hyper-V instance — integrated with VSS (Volume Shadow Copy Service) for application-consistent backups on Windows systems. Critical for environments with Active Directory and SQL Server databases.
oVirt instance — using Veeam Kasten / Plug-in for full protection of virtual machines on this platform. Native integration with the oVirt API guarantees consistent snapshots.
Step 2: Scale-Out Backup Repository with Azure Capacity Tier
A key architectural component was deploying a Scale-Out Backup Repository (SOBR) combining two storage tiers:
| Tier | Role | Technology |
|---|---|---|
| Performance Tier | Fast access to recent backups | Local repository (NVMe/SSD) |
| Capacity Tier | Long-term storage + offsite | Azure Blob Storage |
Data automatically migrates from the Performance Tier to the Capacity Tier based on retention policies. The latest backups stay local — for instant recovery. Older backups go to Azure — for 3-2-1 compliance and protection against total data center loss.
Step 3: Object Lock — backup immutability
The last but critical piece: Object Lock in Azure Blob Storage. This feature ensures that backups in the Cloud Tier are:
- Immutable — they cannot be modified or overwritten
- Undeletable — they cannot be removed before the retention period expires
- Ransomware-proof — even if an attacker gains access to the backup infrastructure, copies in Azure remain untouched
This is the difference between “we have backups” and “we have backups that will survive an attack.”
📊 Results
| Metric | Before | After deployment |
|---|---|---|
| RPO (Recovery Point Objective) | Irregular, often >24h | Defined per workload (1h to 4h) |
| RTO (Recovery Time Objective) | Hours (manual recovery) | ~15 minutes (Instant Recovery) |
| 3-2-1 compliance | ❌ Not met | ✅ Fully compliant |
| Ransomware protection | ❌ None | ✅ Object Lock + immutability |
| Storage costs | High (no deduplication) | Optimized (deduplication + tiering) |
| Protection consistency | 3 different approaches | 1 Veeam ecosystem |
RPO and RTO optimization
With configuration based on VMCE best practices, recovery time for critical services dropped to approximately 15 minutes. Instant Recovery lets you boot a virtual machine directly from backup — no need to wait for a full restore to target storage.
Cost reduction
Veeam deduplication and compression combined with Azure tiering enabled:
- Optimal use of local disk space (only recent backups kept locally)
- Lower long-term storage costs (Azure Cool/Archive tiers)
- Elimination of redundant backup infrastructure
Ransomware protection
Object Lock in Azure is the last line of defense. Even in a scenario of full on-premises compromise — encrypted servers, deleted local copies — backups in the Cloud Tier remain intact and ready for recovery.
🔑 Key takeaways
- Multi-hypervisor doesn’t mean multi-chaos — with the right architecture, you can consistently protect even highly heterogeneous environments
- The 3-2-1 rule is a minimum, not a luxury — offsite in public cloud eliminates the risk of data loss during a DC failure
- Immutability is a must-have — in the age of ransomware, backups without modification protection are backups that may not exist when you need them
- Certification matters — VMCE expertise allows you to extract maximum performance and security from Veeam
Need centralized backup in a multi-hypervisor environment? As a Veeam VCSP partner, we design and deploy backup infrastructure tailored to your architecture — VMware, Hyper-V, oVirt, or Proxmox. Let’s talk →