Ports used to communicate with archive tier appliance

[dariusz.tyka]

Dear,

can you provide me with the link where I can find ports required for communication between Veeam backup server and archive tier proxy appliance. I could not find those on this page:
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

Maybe I'll describe our situation - we have a backup server in location A. It has direct access to internet and VPN connection to AWS - location B.
Offload to S3 works fine. But when I manually start archive tier offload I can see proxy appliances are provisioned (in private subnet) but backup can't connect to those appliances via SSH.
Internally via VPN all ports are open but I suspect Veeam tries to access those appliances over the Internet. Is my assuming correct?
Can we somehow force Veeam server to connect to those appliances internally via VPN?

Dariusz

[veremin]

If proxy appliances are deployed in private subnet, backup server tries to communicate with them, using public IP and expectedly fails.

You can confirm whether this is the case by parsing debug logs:

Code: Select all

c:\ProgramData\Veeam\Backup\SOBR_Archival_SOBR_NAME\Session_XXXXX\ProxyAppliance.XXXXXc.log

for entities similar to the following:

Code: Select all

<17> Info [AmazonTempLinuxVmProvider] Initialized machine ID 'i-XXXX', IP 'XXX.XXX.XXX.XXX', MachineType 'm5.xlarge'

and seeing what IP is reported there.

Alternatively, you can enable Internet access in the subnet settings.

Also, we're planning to provide a regkey that allows backup server to communicate with proxy appliance over private IP in the next product update.

Thanks!

[dariusz.tyka]

Hi Veremin,

I checked the logs and confirmed backup server was trying to reach appliance using public IP address:
<20> Info [AmazonTempLinuxVmProvider] Initialized machine ID 'i-0410f5a09e83ad216', IP '34.244.155.213', MachineType 'm5.xlarge'

Also we would like to have all communication between backup server and appliance going over private subnet. Also for this reason we deployed S3 gateway within our VPC so EC2 instances can communicate with S3 internally not via Internet.

Is it also the case if we configure Veeam to use gateway server deployed directly in AWS as EC2 instance? That Veeam always tries to reach proxy appliance via public IP address.

Dariusz

[dariusz.tyka]

One more question - when proxy appliance is started it gets the public IP assigned via Veeam or automatic IP assignment should be configured on subnet level within AWS? Also Internet access via NAT from this subnet where proxy appliances are started is sufficient?

[veremin]

Is it also the case if we configure Veeam to use gateway server deployed directly in AWS as EC2 instance?

Correct, having gateway will not help to avoid connection to proxy appliance over public IP

Also Internet access via NAT from this subnet where proxy appliances are started is sufficient?

No, having NAT configured for the corresponding subnet will not solve the issue.

Thanks!

[inferno66]

Hello,

Any news about this feature?

My Veeam Server is on AWS with direct access to S3.
S3 (capacity tier) offloading is working great

Now with Veeam V11 I'm trying to use archive tier (to get rid of AWS VTL Storage Gateway), but when configuring the proxy appliance it tells what it'll have a Public IP address.
But my proxy appliance will be on the same VPC / Same Subnet than my Veeam server (and with direct S3 access), so I want them to communicate on private IP.

"Also, we're planning to provide a regkey that allows backup server to communicate with proxy appliance over private IP in the next product update." ==> But I don't see nothing on the changes logs since (https://www.veeam.com/kb4126)

Regards

[veremin]

Sure, see the adjacent thread. Thanks!

[inferno66]

Hello,

Thanks a lot

Hoping that the update will be effectively released this month

Regards