-
- Enthusiast
- Posts: 35
- Liked: 41 times
- Joined: Jan 27, 2015 7:24 am
- Full Name: Bjorn L
- Contact:
Move Veeam to a new environment - poke a hole in my plan - PART 2!
Hi again,
So, we are rebuilding our backup infrastructure in a more segmented network, new AD domain etc. I got some good advice from @foggy in my first thread: Move Veeam to a new environment - poke a hole in my plan!
One thing I forgot to mention was that, since we are moving from NetApp storage (storage integrated snapshots) to Nutanix, we'll need to change transport mode. This requires some additional planning. According to Nutanix Best Practice for Veeam, NFS direct is strongly recommended. Network transport mode is only used if NFS direct fails for some reason.
We want to build more segments, referred to as zones in the VBR Infrastructure Hardening Guide. In that guide, ESXi hosts, Proxy, Repos and Nutanix Control VM (CVM) should reside on the same network (page 16). I can see that this is of course for performance and reliability, to not traverse a firewall.
Having Veeam Proxy/Repo, ESXi hosts and Nutanix CVM share the same VLAN network is fine for us. Let's call it "Virtual Infra Network".
Question:
Can I place Veeam Management server and vCenter in their own network segment, "Virtual Management Network"? Also, Prism Central (Nutanix management) will be placed there.
Is this placement recommended from a security and performance perspective?
EDIT: For a diagram of the discussed setup, please see: https://imgur.com/wcLdTQv. I want to add an additional network for vCenter, VBR mgmt, for example on the 10.10.15.0/24 network.
Let me know if I am not clear!
Thanks!
-
- Veteran
- Posts: 636
- Liked: 100 times
- Joined: Mar 23, 2018 4:43 pm
- Full Name: EJ
- Location: London
- Contact:
Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!
Provided you have the required ports open and any necessary NAT'ing, the management server can be anywhere.
What I'd think about when deciding where to place it is whether or not you'll be able to log onto it in certain kinds of DR scenarios. For instance, if you've configured it using domain credentials and you don't know those local credentials, that is a potential pitfall. Another possible consideration is whether or not the server could be rebuilt from the configuration backup at another site or on another server if you had to. Where do you store your configuration backup? Is it always going to have access to the repositories or could an outage stop you from recovering your network? How many failure points are there? A firewall is a potential weak point if it doesn't have redundancy.
-
- Enthusiast
- Posts: 35
- Liked: 41 times
- Joined: Jan 27, 2015 7:24 am
- Full Name: Bjorn L
- Contact:
Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!
Hi!
Good points, thanks! Then I _think_ we check most boxes there, but it's always good to revise availability.
- Currently using domain credentials, but I will go with the recommendations in the Infrastructure Hardening Guide, stand alone.
- Config backup is stored on DR site
- Veeam server resides on an active/active metro cluster storage, so availability is pretty good
- Backup copies reside on a third site, network is a full mesh "triangle" so it should be available (or we can just move it to DR site in 1-2 hours of time)
- Firewalls are spanned over two sites too
Weak points I'll have to think about.
Thanks again.
BR
BL
-
- Enthusiast
- Posts: 35
- Liked: 41 times
- Joined: Jan 27, 2015 7:24 am
- Full Name: Bjorn L
- Contact:
Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!
The repositories must change IP as well.
Any thoughts on that?
Is it still the PowerShell script used in https://www.veeam.com/kb1905?
-
- Product Manager
- Posts: 20405
- Liked: 2298 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!
If you need to update the IP of a managed server hosting the repository role, then, yes, you need to use the script mentioned in the KB article - just checked, it still works as expected. Thanks!
-
- Enthusiast
- Posts: 35
- Liked: 41 times
- Joined: Jan 27, 2015 7:24 am
- Full Name: Bjorn L
- Contact:
-
- Product Manager
- Posts: 20405
- Liked: 2298 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!
You're welcome. Feel free to reach us, if other help is needed. Thanks!