DR guide

Offsite & DR with PBS Remote Sync

Design and implement Remote Sync between Proxmox Backup Servers, plan bandwidth and schedules, and learn how to run failover restore drills.

View pricing Back to resources

What you get

Offsite made simple.

  • 01Primary/secondary PBS layout
  • 02Bandwidth sizing + schedules
  • 03Namespace and role isolation
  • 04Failover drill checklist

Contents

1) Design the topology

  • Primary PBS: Receives backups from PVE clusters. Runs prune/GC/verify.
  • Secondary PBS: Receives Remote Sync from primary. Optionally backed by object-lock/WORM storage; immutability is enforced by the object store.
  • Namespaces/datastores: Mirror names across primary/secondary to simplify restores and permissions.
  • Network: Use a dedicated path/VPN between sites; enforce TLS and token scope.

2) Plan bandwidth and windows

  • Estimate change rate (daily deltas) and verify throughput the link can sustain.
  • Target to finish syncs before the next backup window; if not, reduce frequency or increase bandwidth.
  • Use bandwidth limits on the Remote Sync job during business hours; uncap overnight.
  • Measure effective throughput with a test sync and adjust job timing accordingly.

3) Set up Remote Sync

On the primary PBS:

  • Create a scoped token on the secondary PBS with access to the target datastore/namespace.
  • Remotes > Add: enter secondary PBS hostname, port, and token.
  • Sync Jobs > Add: choose datastore/namespace, set schedule, and bandwidth limit.
  • Enable Remove vanished only if you want deletions mirrored; otherwise, keep off for extra safety.

CLI example:

proxmox-backup-manager remote add secondary --host secondary.example.com --token 'pbs@pbs!sync=SECRET'
proxmox-backup-manager sync-job create sync-secondary \
  --remote secondary --remote-store primary --store primary \
  --schedule "daily" --delete 0 --limit 0

4) Scheduling and cadence

  • Run Remote Sync after backups and prune complete; avoid overlapping with verify on the same datastore.
  • Critical data: sync twice daily; standard: daily; archival: weekly.
  • Align verify on the secondary a few hours after sync to validate the offsite copy.

5) Security, isolation, and immutability

  • Scope tokens to specific datastores/namespaces; rotate regularly.
  • Restrict firewall rules to required ports from primary to secondary.
  • If using object-lock storage on secondary, enforce retention there; keep delete disabled in sync jobs. Object-lock/WORM is enforced by the storage.
  • Separate admin accounts per PBS; enable 2FA and audit logging.

6) Run failover restore drills

  • Monthly: restore a VM/CT from secondary PBS to a test PVE cluster; measure RTO and throughput.
  • Verify fingerprints and TLS trust on the secondary before drills to avoid delays.
  • Document steps: switch PVE backup target to secondary, run restore, validate app health, then switch back.

Example DR playbook

  • Retention: primary 7d/4w/3m; secondary +1 month.
  • Sync: twice daily at 01:00 and 13:00; bandwidth limited during business hours.
  • Verify: weekly on primary; weekly +1 day on secondary.
  • Immutability: secondary on object-lock storage; sync jobs keep delete disabled. Object-lock/WORM enforcement is at the storage layer.
  • Drills: monthly restore to test cluster; quarterly full failover simulation.

Need offsite PBS designed and tested?

We size bandwidth, build sync jobs, and give you a drill checklist to run.

See plans