Our Backup Strategy: The 3-2-1 Rule in Practice
At RDEM Systems, every VM comes with a guaranteed daily backup. But behind the scenes, our infrastructure applies the 3-2-1 rule across 4 datacenters. Discover our approach to resilience — and our areas for improvement.
The 3-2-1 Rule at a Glance
- 3 copies of your data
- 2 media types (SSD + HDD)
- 1 offsite copy (Frankfurt)
What We Guarantee
Our contractual commitment is simple and clear: one backup per day for every hosted VM. That is the minimum you can expect, and that is what we guarantee.
A reliable backup is the cornerstone of a successful VMware to Proxmox migration. Without it, no transition can be worry-free.
Our Current Architecture
In practice, our backup infrastructure goes well beyond the minimum commitment. We use Proxmox Backup Server (PBS) to benefit from:
- Native deduplication: drastic reduction in storage requirements
- Incremental backups: only modified blocks are transferred
- Verify Jobs: automatic integrity verification after each backup
Current Architecture
The first 3 datacenters are in the Paris region. Frankfurt ensures geographic resilience.
For businesses looking to outsource their PBS backup, discover NimbusBackup: outsourced PBS backup. We offer hosted PBS plans with NimbusBackup, with the option to enable Double Drive PBS: replication across 2 separate sites for complete redundancy.
Why 2 Backups per Day?
With a morning and an evening backup, we reduce the Recovery Point Objective (RPO) to approximately 12 hours maximum. In the event of an incident at the end of the day, you only lose a few hours of work instead of an entire day.
Verify Jobs: Testing Your Backups
An untested backup is not a backup. PBS includes Verify Jobs that automatically check the integrity of each backup after creation. This verification ensures that data is actually restorable.
Self-Service Restore
From your member portal (fr), you can manage your restores autonomously:
Available Features
- Automated restore: trigger the latest backup restore with a single click
- On-demand snapshot: create an instant snapshot (retained for max 12 hours)
- Granular restore: recover individual files without restoring the entire VM
Understanding VM Backup Limitations
The Risk of File Corruption
A VM backup captures the disk state at a given point in time. Unlike a memory-inclusive snapshot, we only save disk data — not the RAM state.
This approach works perfectly for the vast majority of applications. However, certain files can be corrupted if they were being written to at the exact moment of the backup:
- Databases (MySQL, PostgreSQL, MongoDB...) with in-flight transactions
- Large files being transferred or modified
- Application caches not synced to disk
Important Technical Note
A restore is equivalent to a hard power cut: as if you had unplugged the power cord and plugged it back in. The VM restarts in the exact disk state at the time of the backup. Modern filesystems (ext4, XFS) handle this scenario well, but applications with unflushed buffers may lose data.
The Solution: QEMU Guest Agent Hooks
For critical applications, the solution is to use the QEMU Guest Agent fsfreeze hooks. These scripts intercept the imminent backup signal and:
- Put the database into "backup" mode (flush buffers)
- Sync all cached files to disk
- Notify the hypervisor that the VM is ready for the snapshot
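The freeze/thaw hook described above, as an added example (not RDEM Systems' or the Proxmox project's own script): it flushes the database, syncs cached data, and reports readiness through its exit status. The PostgreSQL command, the log path and the install location named in the comments are assumptions to adapt to the guest.

```shell
#!/bin/sh
# Added example of a guest-side fsfreeze hook. Assumed install location on a
# Debian-style guest: /etc/qemu/fsfreeze-hook.d/50-db.sh (executable).
# The guest agent runs the hook with "freeze" before the filesystems are
# frozen and with "thaw" after they are writable again.

# Assumed default: ask PostgreSQL to write its dirty buffers to disk.
# A one-shot MySQL "FLUSH TABLES WITH READ LOCK" would not work here: the
# lock is released as soon as the client session ends.
: "${DB_FLUSH_CMD:=psql -U postgres -qAt -c CHECKPOINT}"
: "${HOOK_LOG:=/var/log/fsfreeze-hook-db.log}"

# Timestamped log line; logging failures never fail the hook.
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" \
        >>"$HOOK_LOG" 2>/dev/null || true
}

fsfreeze_hook() {
    case "$1" in
        freeze)
            # Step 1: flush database buffers. A non-zero return here tells
            # the agent the guest is NOT ready, so the failure is visible
            # instead of silently producing a crash-consistent backup.
            if ! sh -c "$DB_FLUSH_CMD" >/dev/null 2>&1; then
                log "freeze: database flush failed"
                return 1
            fi
            # Step 2: push remaining cached file data to disk.
            sync
            # Step 3: returning 0 is the "ready for snapshot" signal.
            log "freeze: flushed and synced"
            ;;
        thaw)
            log "thaw: filesystems writable again"
            ;;
        *)
            log "unknown action: $1"
            return 2
            ;;
    esac
}

# Entry point when called by the guest agent with an action argument.
if [ "$#" -gt 0 ]; then
    fsfreeze_hook "$1"
    exit $?
fi
```

Keep the freeze step short: guest writes stay blocked from the freeze until the thaw, so a slow flush command lengthens the stall for every application in the VM.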
Note: Setting up these hooks is part of our managed services. Discover our managed Proxmox offering. For clients with basic hosting, this configuration remains their responsibility.
Ransomware Protection
What We Do Today
Our multi-site architecture with compartmentalized access already limits risks:
- Separate access: backup servers have distinct credentials
- Geographic replication: Frankfurt is isolated from the main network
- Long retention: 4 weeks allow detection and recovery after an attack
To learn more about this topic, discover how immutable backup against ransomware strengthens the resilience of your PBS backups.
Identified Limitation
Residual risk: privileged account compromise
An attacker who gains administrator access (via phishing, social engineering, or vulnerability exploitation) could theoretically reach the different sites and delete backups. While this risk is low, it exists in our current architecture.
Under Investigation: Air-Gapped Protection
We are working on an air-gapped solution to achieve the highest level of protection. Here is the target architecture:
[Diagram: Target Architecture (under investigation). Labeled components: PBS + ZFS, receiving server, rotating disks.]
Status: This architecture is under investigation and not yet implemented.
Honesty About Limitations
Even an air-gapped solution has theoretical limitations. An administrator with physical access to the storage media could destroy them. IT security is about layers of protection and risk reduction, not total elimination.
For maximum security requirements (banking, defense...), solutions such as storage with a trusted third party or in a bank vault can be considered — at a significantly higher cost.
To dive deeper into air-gapped and immutable backup techniques, see our state of the art air-gapped Proxmox backup on Nimbus.
Summary
| Item | Details |
|---|---|
| Contractual guarantee | 1 backup/day minimum |
| Actual frequency | 2 backups/day (morning + evening) |
| Technology | Proxmox Backup Server (PBS) |
| Deduplication | Native PBS + compression |
| Verification | Automatic Verify Jobs |
| SSD retention | 7 rolling days |
| HDD retention (Frankfurt) | 4 weeks |
| 3-2-1 rule | 3 copies, 2 media types, 1 offsite |
| Air-gapped | Under investigation |
Official Documentation
To explore the concepts covered in this article further, refer to the official Proxmox documentation: