AHV worker and Nutanix "network segmentation"

[marcrousseau]

Hi all,

We are installing Veeam in a Nutanix environment and are facing an architecture issue:

Our nutanix cluster is actualy configured with Nutanix "Network segmentation" best practices explained in Nutanix "Security Guide"
All traffic types are splitted in different VLAN : management,backplane,DR,volumes (aka iscsi)
https://portal.nutanix.com/page/documen ... -wc-c.html

That means we have 2 Data Services IP (DSIP) for iSCSI traffic :

1. the "cluster DSIP" on management VLAN. (this one is mandatory for Prism Central)

https://portal.nutanix.com/page/documen ... ess-c.html

About The iSCSI Data Services IP Address
This iSCSI data services IP address acts as an iSCSI target discovery portal and initial connection point.
(...)
Should be in the same subnet as the cluster Controller VM IP eth0 network interface addresses

https://portal.nutanix.com/page/documen ... tes-r.html

Prism Central cannot perform upgrade operations using a segmented DSIP.
The segmented DSIP and the cluster DSIP are distinct entities.
A DSIP in the same subnet ensures direct communication between Prism Central and the cluster during the upgrade proces

2. the "segmented DSIP" in a dedicated VLAN for backup

https://portal.nutanix.com/page/documen ... ork-t.html

After you enable network segmentation for Volumes, you must manually migrate connections from existing iSCSI clients to the newly segmented network. Even though support is available to run iSCSI traffic on both the segmented and management networks at the same time, Nutanix recommends that you move the iSCSI traffic for guest VMs to the segmented network to achieve true isolation.

We would like to configure everything related to backup in this dedicated VLAN for backup:
-veeam appliance
-repository
-AHV worker

This way:
-all traffic related to backup stay in this dedicated vlan
-Backup flows doesn't go through firewall (for performance reason)
-AHV Worker doesn't need two NIC (not allowed by our security policies)

The problem is :
AHV worker try to use "Cluster DSIP" for iscsi traffic and it's not allowed. We would like to use dedicated "segmented DSIP" instead.

Here is our architecture:


Any idea how to use segmented DSIP ? I found nothing about nutanix "network segmentation" in Veeam documentation.

My colleague already opened a support case #08060333 but it's more an architecture issue

Any idea, suggestion, or help is welcome

Thanks
Marc

[ronnmartin61]

@marcrousseau currently there isn't any way to specify a custom DSIP for our iSCSI/Volume Group connection requirements. When we added worker support for multiple networks (https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13) our aim was to satisfy the frequent request to segregate the backup traffic flow from management traffic and we did not have this particular use scenario in mind. I assume you'd want to register this as a feature request?