Why Your Veeam Backups Aren’t Immutable in OCI S3 (And How to Fix It)

If you’ve tried to check the “Make recent backups immutable” box while setting up an Oracle Cloud Infrastructure (OCI) S3-compatible bucket in Veeam, you’ve likely hit a wall. Despite OCI’s robust security, it lacks the native S3 Object Lock API that Veeam requires to “talk” to the bucket for immutability.

While you can easily follow my guide on How to Add an OCI S3 Bucket as a Veeam Repository, you will quickly notice that the immutability checkbox is not an option.

To make matters more complex, Veeam only supports the OCI Standard Tier; attempting to save costs with the Infrequent Access tier is a recipe for job failures.

Why we do this: The 3-2-1-1-0 Rule

Modern data protection has evolved. We used to follow the 3-2-1 Rule (3 copies, 2 media types, 1 offsite). Today, Veeam advocates for the 3-2-1-1-0 Golden Rule:

  • 3 Copies of data.
  • 2 Different media (e.g., Block and Object storage).
  • 1 Offsite copy (Cloud is perfect for this).
  • 1 Immutable or Offline copy (This is why we need the HLR or WORM!).
  • 0 Errors after recovery verification (SureBackup).

So, how do you protect your OCI backups from ransomware without waiting for a feature update? In this nugget, we explore the three most viable workarounds, their costs, and why one stands out for enterprise resilience.


The Comparison: a 10 TB Backup Scenario (Saudi Arabia – Jeddah Region)

To understand the “Cost of Security,” let’s look at a 10 TB data footprint in the OCI Jeddah or Riyadh regions. (Example pricing.)

| Method | Storage Type | Cost (Approx. Monthly) | Price % Difference |
| --- | --- | --- | --- |
| Standard Backup | OCI Object (Standard) | ~956 SAR | Baseline (100%) |
| Immutable Backup | OCI Block (Balanced) | ~1,023 SAR | +7% |
| High-Perf Immutable | OCI Block (Higher Perf) | ~1,348 SAR | +41% |

Note: Prices are based on SAR 0.0956/GB for Object/Block base and SAR 0.00637 per VPU for performance.

The Recommended Solution: The “Elastic” Hardened Linux Repo

Since we cannot lock the bucket, we lock the Block Volume. By deploying a Linux-based Hardened Repository (HLR) inside OCI, we use XFS immutability to protect the data.

Why this is the “Professional Services” choice:

  1. Compatibility: You avoid the “S3 Lock” issue entirely by using local XFS filesystem flags.
  2. Performance: Unlike Object Storage, a Block Volume allows for Instant VM Recovery. In a ransomware event, you can boot your servers in seconds, not hours.
  3. The “Nugget” – Performance Scaling: OCI Block Volumes allow you to change performance tiers on the fly without rebooting.

The Strategy:

  • During Backup (10 PM – 2 AM): Use a script to set the volume to “Higher Performance” (20 VPUs) to finish the backup window quickly.
  • During Idle Time: Scale it back to “Balanced” or “Lower Cost” to bring your monthly bill back down toward that +7% baseline.
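
The scaling strategy above as an added example (not code from the original guide): a scheduler-friendly script that picks the VPU setting from the hour and applies it with the OCI CLI's `oci bv volume update --vpus-per-gb`. The variable names `VOLUME_OCID` and `DRY_RUN`, the idle value of 10 VPUs (OCI's "Balanced" level) and the hourly schedule are assumptions of this example.

```shell
#!/bin/sh
# Added example: choose Block Volume performance from the backup schedule.
# Run it hourly from a management host with a narrowly scoped OCI identity,
# not from the hardened repository itself.
BACKUP_START=22   # 10 PM, start of the backup window
BACKUP_END=2      # 2 AM, end of the window (exclusive)
VPUS_BACKUP=20    # "Higher Performance"
VPUS_IDLE=10      # "Balanced"

# Succeeds when hour $1 (00-23) falls inside the window, including windows
# that wrap past midnight.
in_backup_window() {
  h=${1#0}; h=${h:-0}   # strip a leading zero so 08/09 are not read as octal
  if [ "$BACKUP_START" -le "$BACKUP_END" ]; then
    [ "$h" -ge "$BACKUP_START" ] && [ "$h" -lt "$BACKUP_END" ]
  else
    [ "$h" -ge "$BACKUP_START" ] || [ "$h" -lt "$BACKUP_END" ]
  fi
}

# Prints the VPUs/GB value that should be in effect at hour $1.
target_vpus() {
  if in_backup_window "$1"; then echo "$VPUS_BACKUP"; else echo "$VPUS_IDLE"; fi
}

# $1 = volume OCID, $2 = hour. Prints the command unless DRY_RUN=0.
scale_volume() {
  vpus=$(target_vpus "$2")
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "oci bv volume update --volume-id $1 --vpus-per-gb $vpus"
  else
    oci bv volume update --volume-id "$1" --vpus-per-gb "$vpus"
  fi
}

# Only acts when VOLUME_OCID is exported (placeholder name for this example).
if [ -n "${VOLUME_OCID:-}" ]; then
  scale_volume "$VOLUME_OCID" "$(date +%H)"
fi
```

Because the script sets the level for every hour rather than toggling it, a missed run is corrected by the next one and the volume does not stay on the expensive tier.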

The Secret Weapon: XFS Fast Clone Efficiency

When you choose the Hardened Linux Repository (HLR) over Object Storage, you gain a massive architectural advantage: Reflink (Fast Clone).

On Object Storage, every “Synthetic Full” backup requires moving and copying data bits. On an XFS-formatted Block Volume in OCI, Veeam uses pointers instead of copying data blocks.

  • Space Savings: Your “Synthetic Fulls” consume almost zero additional space.
  • Performance: What takes hours on Object Storage takes minutes on XFS because no actual data is moved.
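
A quick audit of the two XFS properties this design depends on, reflink for Fast Clone and the immutable flag on backup files, written as an added example rather than anything from the original guide. The mount point `/mnt/veeam-repo` and the sample outputs are constructed; the check covers only `.vbk` and `.vib` files, on the assumption that the `.vbm` metadata file is rewritten on each job run and therefore never carries the flag.

```shell
#!/bin/sh
# Added example: audit a hardened repository's XFS settings and file flags.
# Live usage (the mount point is an assumption):
#   xfs_info /mnt/veeam-repo | reflink_enabled && echo "reflink on"
#   lsattr -R /mnt/veeam-repo 2>/dev/null | mutable_backups

# Succeeds if the xfs_info output on stdin reports reflink=1.
reflink_enabled() {
  grep -q 'reflink=1'
}

# Reads lsattr output on stdin and prints backup files (.vbk/.vib) whose
# attribute field lacks the immutable flag "i". Directory headers and blank
# lines from `lsattr -R` have no second field and are skipped.
mutable_backups() {
  while read -r flags path; do
    case "$path" in
      *.vbk|*.vib) ;;
      *) continue ;;
    esac
    case "$flags" in
      *i*) ;;               # immutable: nothing to report
      *) echo "$path" ;;    # writable backup file
    esac
  done
}

# Constructed sample data, so the functions can be tried offline.
SAMPLE_XFS_INFO='meta-data=/dev/sdb   isize=512  agcount=4, agsize=655360 blks
         =           crc=1      finobt=1, sparse=1, rmapbt=0
         =           reflink=1'
SAMPLE_LSATTR='/mnt/veeam-repo/job1:
----i----------------- /mnt/veeam-repo/job1/full.vbk
---------------------- /mnt/veeam-repo/job1/incr.vib
---------------------- /mnt/veeam-repo/job1/job1.vbm'
```

Files older than the configured immutability period are expected to show up as writable; anything newer in the list deserves investigation.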

Comparison Table: 3 Ways to Secure OCI Backups

| Feature | Hardened Linux Repo (HLR) | Vault Bucket (Manual WORM) | S3-Native (e.g. Wasabi) |
| --- | --- | --- | --- |
| Veeam Status | Fully Native | Workaround (Manual) | Native (via FastConnect) |
| Immutability | XFS “Immutable” Flag | OCI Retention Rules | S3 Object Lock |
| Recovery | Instant (Seconds) | Slow (Hours) | Medium (Minutes) |
| Saudi Cost | ~1,023 SAR (10TB) | ~956 SAR (10TB) | Variable (incl. Egress) |

The “Hybrid” Option – Virtual Deduplication Appliances

For enterprises with massive data footprints who already use deduplication appliances on-premises (like Dell PowerProtect DD or HPE StoreOnce), there is a fourth path: The Virtual Deduplication Appliance.

  • The Setup: You deploy the virtual version of your on-prem appliance as a VM in OCI.
  • The Benefit: You can replicate deduplicated data from your local data center directly to OCI. This saves massive amounts of bandwidth and allows you to use OCI as a secondary immutable site.
  • The Catch: It requires specific licensing and a higher entry cost for the VM resources, making it best suited for “Hybrid Cloud” scenarios rather than cloud-native startups.

Final Verdict

Don’t risk the Infrequent Access tier. Instead, invest the extra 7% in cost (which is often offset by XFS Fast Clone savings) to move to a Hardened Linux Repository on Block Storage. You get true immutability, a fully supported Veeam configuration, and the ability to recover from ransomware in seconds.

This is the fourth part of our series on OCI resilience. If you missed the previous step, check out the Workaround for Full Machine Recovery into OCI Native VMs.

