It is not possible for it to be completely isolated, Veeam needs to be able to coordinate backups with your hypervisor hosts. You can do it through a firewall, but there must be some ports open https://helpcenter.veeam.com/docs/backu ... tml?ver=95
Honestly, if they are concerned about protecting the environment, they should think about a lot more than just isolating the backup servers. Just a few things off-hand that would go a lot farther:
- Set up a separate domain for the Hyper-V hosts, and keep the Hyper-V hosts isolated from the VMs and all other user-facing systems on different networks. Veeam could be placed in this network as well.
- Use Shielded VMs to protect the VMs from compromise of the hosts, with TPM-based attestation. This requires another isolated set of servers to run the host guardian service
- Separate admin/user credentials for people with admin access to Hyper-V, Active Directory, Veeam, etc.
- Use Privileged Access Workstations to ensure a careless admin does not get malware on the computer used to access the infrastructure. Jump servers are not the answer!