Home » Backup & Recovery » Veeam Sandbox: an all purpose On-Demand environment

Veeam Sandbox: an all purpose On-Demand environment

Veeam Sandbox is an on-demand environment serving for different purposes. Testing, patching, application updates and in-place upgrades, analytics, compliance and the list goes on. Veeam Sandbox is part of the Veeam DataLabs feature and leverages the configurations of  the Virtual Labs and Application Groups as previously covered in dedicated articles.

In the Veeam world, Virtual Labs coupled with Application Groups is what is needed to create a SureBackup job. The Veeam SureBackup job allows to automatically verify the recoverability of your backups. Veeam Sandbox configuration is a sort of SureBackup job with a twist. In fact, the advantage of the Veeam Sandbox is to create an isolated environment which is verified based on the criteria set on the SureBackup Roles configuration and it runs until stopped.

This provides the ability to spin up any copy from Backups, Replicas and even Storage Snapshots and use it for different purposes. Veeam Sandbox will mount the data in read-only mode from the source and all changes will be written into a redo log file or delta in case of backups and replicas respectively. These changes are written into a selected datastore. Ideally this datastore can even be a separate tier sitting on a secondary storage available. This way there would be virtually no impact on the backup storage itself other than the Reads from the source backup file.

This article shows the steps on how to create a Veeam Sandbox environment to run and test software updates for a Linux Ubuntu virtual machine running on VMware vSphere. There are plenty of use cases where the Veeam Sandbox on-demand environment proves helpful. To name just a few:

  • In place upgrade (eg. Active Directory or in general any other application with hardware based licensing)
  • Patch validation (eg. before unattended deployment on the Production assets)
  • Customization (eg. testing custom packages from development on the freshest backup copy of the Production environment)
  • and more..


Veeam Sandbox example with Linux Ubuntu

From the Veeam Backup Server Console > Home > Jobs the links to create a SureBackup job.

domalab.com Veeam Sandbox on-demand wizard

Next is to select the Virtual Lab to use for the Veeam Sandbox configurations. Ideally having two separate Virtual Labs one for verifications and the other for sandbox environments gives the option to have even more specific details based on requirements. Like separate Hosts, Datastores, Networks and so on.

domalab.com Veeam Sandbox on-demand virtual lab

In the Application Group section will show the available ones. In this case the “Linux VM Updates” is selected as per previous article. It automatically shows also all the VMs that will be included in the same job. In this case one. Should this VM have dependencies with other ones these can be added here with pertinent roles and verification rules.

This is the important part for the Veeam Sandbox creation. The option “Keep the application group running after the jobs completes” needs to be selected.

domalab.com Veeam Sandbox on-demand application group

Ideally it is also possible to add virtual machines from other jobs and in the advanced setting also the ability to set specific verification settings per VM. For example, boot time, memory allocation, role and even custom scripts.

domalab.com Veeam Sandbox on-demand linked jobs

In addition, there is the option to send SNMP traps and also send email notifications.

domalab.com Veeam Sandbox on-demand settings

The Veeam Sandbox jobs can also be scheduled on different criteria when required. For example provide an on-demand environment every Monday based on the Sunday full backup. Veeam also provides the ability to restrict access only to this on-demand environment. More on this in a dedicated article.

domalab.com Veeam Sandbox on-demand schedule

And finally a quick summary with the main setting before proceeding.

domalab.com Veeam Sandbox on-demand summary

As soon as the job is started the Virtual Proxy is powered on with two networks (or more depending on its configuration). One is the Production Network and the other is the Masked Network. The Virtual Lab automatically does the “translation” between these networks.

A few seconds later and a new VM is created (in the same VMware Resource pool where the Virtual Lab is running). As the screenshot is showing all the metadata correspond to the original VM in the backup. For the simple reason is reading from this. The only exception is the Network adapter now connected to the Virtual Lab Sandbox counterpart.

The hard disk configuration automatically points at the specified location in the Virtual Lab configuration. For example a different datastore.

domalab.com Veeam Sandbox on-demand Linux UbuntuIt’s now time to jump into the Linux Ubuntu VM. This has been created or read directly from the backup. As expected the Linux VM has taken an IP Address from the DHCP configuration.

domalab.com Veeam Sandbox on-demand VMware Ubuntu

To test the connectivity with the outside world a network ping to the IP address of the Virtual Lab proxy appliance and the main Gateway will provide more insight.

domalab.com Veeam Sandbox on-demand ubuntu network

That’s great. The Linux Ubuntu VM on this on-demand environment can access the internet. Next step is to allow the Web traffic and use the Virtual Lab appliance as a Web Proxy. First thing is to specify the Web Proxy settings.

The Network settings should look something similar to this where the IP address of the Virtual Lab is used as Web Proxy for HTTP and HTTPS traffic.

And a quick test reveals this virtual machine chan reach the internet. This is great as it helps downloading the software updates for this Linux Ubuntu VM.

domalab.com Veeam Sandbox on-demand ubuntu web

The Software Updater shows the list of the ones available.

It’s now time to download and install the updates.

In the background what is it happening? All the changes to the base backup file are written into a redo log file in the configured location on the Virtual Lab. There is a SureBackup folder on top with a list of subfolders with the same instance name of the powered on VMs. Inside these essentially the VM snapshots. In this case all the downloaded and installed updates on the basic Ubuntu 16.04 operating system generated a snapshot of almost 4 Gb.

It is possible to power on / off the VM it will not affect the backup and also will not delete and change that occurred since the beginning. All the changes will stay there until the Veeam Sandbox job is stopped from the Veeam Console. In that case the snapshot and the on-demand environment will be automatically cleaned up. This process can be repeated multiple times and allows to trial and error all the times is required.

Wait but I like what I see and the patches are working fine. Great! Veeam still provides the ability to Backup that new VM with changes, Replicate and even migrate to a different location. Of course everything needs to be done before stopping the Veeam Sandbox job!

About the author

Michele Domanico

Passionate about Virtualization, Storage, Data Availability and Software Defined Data Center technologies. The aim of Domalab.com is sharing with the Community the knowledge and experience gained with customers, industry leaders and like minded peers. Always open to constructive feedback and new challenges.

Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Browse articles

December 2023

Articles by Category


About Domalab

Welcome to my personal Blog. Feedback is welcome and in case of questions you can also contact me at 


error: Content is protected !!