I waited a while before writing this article to better understand what features in the new version 13 of Veeam could really give it that extra edge. I read the “What’s New” document a few times, trying to get to grips with the details and understand what they mean. So what I’m going to write will be based mainly on what it says there.
The current trend of managing hybrid IT environments is a constant challenge, made worse by increasing complexity and security risks. These days, it’s absolutely vital for businesses to make sure their data can bounce back if they’re hit by a cyber attack.
V13 is the latest version of Veeam, and it’s been designed to tackle these challenges head on. They’ve completely overhauled the platform’s architecture to make it more secure, simpler to use and faster.
In this article, I’ve picked out the features that I think make a modern data protection platform better in terms of day-to-day use and what you can expect from it.
The appliance is really straightforward and secure “Out-of-the-Box”.
When it comes to my approach to architecture, I’ve always tried to follow the KISS principle (Keep It Simple, Stupid), meaning simple is better. But of course, you’ll need to take the necessary precautions. This version marks a big change from traditional Windows-based installations, thanks to the new Veeam Software Appliance (VSA).
This is a bit different from how we did things in the past, when we had to build the backup environment bit by bit. The VSA combines a hardened operating system and backup software into one solution, which is managed completely by Veeam. Now, let’s take a look at some specifications related to what I call the “3 Pre”. These features make v13 more robust and reliable, and they aim to simplify implementation and ensure stable performance.
- Pre-built: The VSA is all-in-one package, with a ‘JeOS’ (Just Enough Operating System) based on Rocky Linux 9.2 and the backup software. It’s a pre-assembled, ready-to-use virtual appliance, updated by Veeam, so it’ll save you time on installation and configuration.
- Pre-hardened: Security is built in by default. There are a lot of optimisations in the security settings according to strict DISA STIG guidelines to minimise the attack surface. Multi-factor authentication (MFA) is a must, and core services run with low-privilege accounts to really reduce chances of privilege escalation and lateral movement if there’s a vulnerability. You also need to have a Security Officer for operations that need dual authorisation.
- Predictable: The VSA is designed in Zero Trust mode. Backup administrators don’t have root privileges at the operating system level, so they can avoid misconfigurations that could compromise security, reliability and performance.
In summary: the backup environment is easier to access, even for SMEs and ROBOs (Remote Office/Branch Office), because implementation time is reduced, operating costs are lower and security risks are minimised.
A small personal note: I’m not a fan of the default users that are automatically created during installation (i.e., an attacker should know 0 about the environment they’re trying to attack).
A future without Windows?
With this new architecture, all components will be able to run on Linux operating systems. This’ll cut licensing costs for Microsoft, which is a bonus, and it’ll be a real money-saver, especially in complex environments. Up until version 12.3, you could only get things like Mount Server, Gateway Server and Guest Interaction Proxy working on Windows machines, but now they fully support Linux too.
In summary: you’ll get unparalleled flexibility, a big drop in Windows licensing costs and the platform will be in sync with Linux-based solutions.
A small personal note: Just a quick note to say there is a slight issue. A Windows-type mount server is:
- Mandatory when you’re restoring files on Windows machines that have ReFS-formatted disks.
- Mandatory if Re-IP is used during a replication failover.
- Recommended for any other cases.
It’s recommended because Linux can read NTFS-type file systems, but there are some limitations. But if you’re not sure, it’s best to check the official documentation page.
A new heart under the hood
As I mentioned earlier, the whole platform has been made significantly more secure and performant.
Goodbye to NTLM: The NTLM authentication protocol is now obsolete and insecure, it’s being replaced by the more robust and modern Kerberos, which reduces exposure to known vulnerabilities.
Goodbye to RPC and WMI: These two old Microsoft protocols are being replaced by the new gRPC. As result we can reduce the number of network ports we need to open reducing the network’s attack surface.
SSO for All: Great news, single sign-on (SSO) integration with providers like Entra ID or Okta is now available in all editions of the Veeam Data Platform, not just the premium tiers.
Role-based access control (RBAC):Â You can create roles with granular permissions. You can set up roles like Backup Operator or Restore Operator and limit what they can see or do, all with security in mind.
BLAKE3 algorithm: The new BLAKE3 hashing algorithm is great news for anyone looking to reduce CPU usage on proxies and agents, as it can cut usage by up to 30%. This means faster backups, especially when the CPU is the problem. BLAKE3 uses a binary tree structure to make the most of a virtually unlimited degree of parallelism. It processes large amounts of data at once and is way faster than other hashing algorithms, which is great for backing up data. Veeam puts a Data Mover role on proxies to make the data transfer process faster.
In summary: we’ve got a smaller attack surface on the network, SSO with external providers, a new hashing algorithm and faster backups. There’s been a reduction in bottlenecks in environments with thousands of concurrent jobs.
A small personal note: I’ve had a look at the new Blake3 algorithm. It’s definitely more secure than SHA2/3, with its 128-bit security and superior performance. It’s also pretty new.
New web interface
The user experience has also been updated with the introduction of a preview of a new, modern web-based user interface.
This new UI eliminates platform dependencies (there is no longer a need to install a dedicated console on a Windows PC for many everyday tasks), improves accessibility and makes better use of screen size. However, the classic Windows console, complete with all its features, is still available for separate download.
Dark Mode is also included, offering a more comfortable and modern visual experience.
In summary: there has been a reduction of infrastructure components and visibility in Dark Mode.
A small personal note: this first version does not yet have all the features integrated. However, version 13.1, expected in Q4, should integrate all features.
HA for the backup server
In the event of a backup server failure, the standard procedure is to restore a backup in three simple steps: install a new Windows server, install software, and configure the system. This process ensures full functionality is restored as quickly as possible.
V13 introduces the High Availability (HA) feature for VSA in an active/passive cluster configuration. The Postgres database is continuously replicated to a standby node, enabling one-click failover in the event of a failure or disaster.
In summary: active/passive cluster ensures high reliability.
A small personal note: Please note that this feature requires the VDP Premium edition and will be available from version 13.0.1 of the VSA.
Doubled performance
Veeam guarantees increased performance in terms of backup execution speed (a 2x increase is claimed). The improvements are so significant that they deserve a separate mention, as they allow you to protect more workloads using the same hardware.
- Agent backups: Throughput has increased by more than 100% for both Windows and Linux agents on the same hardware.
- Job scalability: The latest version of the job management engine now supports up to 5.000 managed agents (double that of v12) and 750 parallel backup jobs.
- VM in job: The number of virtual machines (VMs) per backup job has been increased to 2.000, and the number of VMs that can be managed per backup server has been doubled (now 10.000).
In summary: This system will facilitate faster backups and restores, with less impact on VSA and proxy performance.
A small personal note: In order to ensure optimal efficiency, it is essential to have a storage repository that offers the same level of performance, given the increase in throughput speed (both outgoing and incoming). I recommend opting for on-premises object storage or the Veeam Hardened Repository, but based on truly high-performance hardware.
What conclusions can be drawn from this?
It is evident that this preliminary release is intended for new installations and cannot be migrated from previous versions.
The full version (GA) is scheduled for release in Q4 2025 (from 1st October, all possibilities remain on the table) and will include the installation package for Windows and all additional features. At that point, an in-place upgrade from version V12 will be available.
In addition, Veeam One V13 has been released in conjunction with the Veeam Software Appliance.
It is evident that there are many new features regarding the backup of hybrid environments that need to be verified on a case-by-case basis, depending on how they are intended to be used. However, beginning to use it in the lab allows you to familiarise yourself with the new web interface, compare it with the previous version and also check the various backup settings. Veeam’s objective was to modernise the platform, potentially in anticipation of a future transition to the cloud, with a primary focus on ensuring security, simplicity and performance.
A little spoiler: to upgrade from version 12.x to 13 and from Windows to Linux, use a service provider with Veeam’s VASP program.
If you have any questions, please contact me at my Linkedin profile
