Using object storage as a backup target
TRE3
Novice
Posts: 9
Liked: 2 times
Joined: Apr 11, 2018 7:47 am

NSG rules for Azure proxy appliance (Archive Tier)

Post by TRE3 »

One of our customers uses Azure proxy appliances for moving capacity tier data to archive tier. The customer has several sites in different countries with different Veeam backup servers on each site. Every site has a static external IP address but no Site-to-Site VPN connection to Azure.

Every time a new proxy appliance gets deployed by Veeam, it is openly available over port 22 on the Internet. Azure Sentinel detects SSH brute force attacks from IP addresses all over the world that have nothing to do with the different Veeam sites of the customer.

Since the appliances and their network security groups get deployed now and then, it is not possible for us to only allow SSH access for the customer's own external IP addresses.

How can we fix this security issue without creating Site2Site VPNs for every customer site?

(object-storage-f52/ssh-access-to-veeam- ... 75229.html and registry key "ArchiveFreezingUsePrivateIpForAzureAppliance" only work with VPN/Express Route)

Thanks!

Gostev
SVP, Product Management
Posts: 29147
Liked: 5369 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: NSG rules for Azure proxy appliance (Archive Tier)

Post by Gostev »

Hello! I would not worry about this at all as there are millions of servers on the Internet openly available over port 22... so it's not some special or unique condition, or "security issue" per se. Especially when we're talking about short-lived helper appliances. However, if this is not acceptable for whatever reason, then I don't really see any options except leveraging VPNs, as Veeam needs to control the appliance remotely somehow. Thanks!

TRE3
Novice
Posts: 9
Liked: 2 times
Joined: Apr 11, 2018 7:47 am

Re: NSG rules for Azure proxy appliance (Archive Tier)

Post by TRE3 »

Hello Gostev, Thank you for your answer! I will show the explanation to the customer so that he can decide ;-)
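
One way to check which network security groups currently allow inbound SSH from sources other than the customer's own site addresses, as an added example that is not part of the thread and not Veeam's tooling. It assumes rule objects that use the Azure NSG rule property names shown; the NSG names, rules and site IPs are constructed, and rule priority and Deny rules are not evaluated.

```python
import ipaddress
import json
# Constructed sample shaped like Azure NSG security rules (not real data).
SAMPLE_NSGS = json.loads("""[
 {"name": "proxy-a-nsg", "securityRules": [
   {"name": "SSH", "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
    "sourceAddressPrefix": "*", "destinationPortRange": "22"}]},
 {"name": "proxy-b-nsg", "securityRules": [
   {"name": "SSH", "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
    "sourceAddressPrefixes": ["198.51.100.10/32", "203.0.113.7"],
    "destinationPortRanges": ["22", "443"]}]},
 {"name": "proxy-c-nsg", "securityRules": [
   {"name": "mgmt", "access": "Allow", "direction": "Inbound", "protocol": "*",
    "sourceAddressPrefix": "192.0.2.0/24", "destinationPortRange": "20-25"}]}]""")
SITE_IPS = ["198.51.100.10", "203.0.113.7"]  # constructed placeholder site addresses

def covers_port(rule, port):
    """True if the rule's destination ports ("22", "20-25" or "*") include port."""
    specs = [rule.get("destinationPortRange")] + (rule.get("destinationPortRanges") or [])
    bounds = [s.partition("-") for s in specs if s and s != "*"]
    return "*" in specs or any(int(lo) <= port <= int(hi or lo) for lo, _, hi in bounds)

def unexpected_sources(rule, allowed):
    """Source prefixes of the rule that lie outside every allowed network."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    sources = [rule.get("sourceAddressPrefix")] + (rule.get("sourceAddressPrefixes") or [])
    bad = []
    for src in filter(None, sources):
        try:
            net = ipaddress.ip_network(src, strict=False)
            inside = any(net.version == n.version and net.subnet_of(n) for n in nets)
        except ValueError:  # "*", "Internet" or another service tag
            inside = False
        if not inside:
            bad.append(src)
    return bad

def audit_ssh(nsgs, allowed, port=22):
    """(nsg, rule, offending sources) for each inbound allow rule that reaches port."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules", []):
            if (rule.get("access") == "Allow" and rule.get("direction") == "Inbound"
                    and str(rule.get("protocol")).lower() in ("tcp", "*")
                    and covers_port(rule, port)):
                bad = unexpected_sources(rule, allowed)
                if bad:
                    findings.append((nsg["name"], rule["name"], bad))
    return findings
```

Calling `audit_ssh(SAMPLE_NSGS, SITE_IPS)` flags the wildcard rule and the port-range rule with a foreign prefix, and passes the rule limited to the site addresses.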
