Comprehensive data protection for all workloads
TimLawhead
Enthusiast
Posts: 40
Liked: 4 times
Joined: Mar 05, 2019 3:29 pm
Full Name: Tim Lawhead

File Level Restore between 2 separated networks but with shared storage and compute

Post by TimLawhead »

I have a potential setup I am trying to work out.

2 environments that don't share physical networking switches, but share back-end SAN storage over fiber channel (FC) and compute in a blade chassis.

Environment A and Environment B have a firewall between them. Environment A will have VMware vCenter, vSphere management traffic, and Veeam Backup and Replication in it.

I am planning to get 1 physical "Landing Zone" server (LZ) as a backup repository and it will be connected to the FC to allow for hotadd of the SANs VM Datastores and be able to backup both environments VMs from their shared storage.

What I am trying to ascertain is what would be needed to do a File Level Restore (FLR) from the Environment A LZ to VM servers in Environment B.

As I understand I need a mount server that can reach the LZ, but talk to Env. B's restore location (Original or new location).

I am looking to make this happen in the most secure fashion.

Potential Options:
  1. I have a Mount server in Env. A with the Backup Console installed, that isn't on the domain in Env. A; it is a VM that has virtual NICs to both environments and can thus talk to Env. B and perform the backups. My concern is I'm now bridging networks and I really don't want to do that.
  2. I put a mount server with the backup console in Env. B. It has ports open through the firewall to reach the VBR and LZ. I think this may be better, I'm just concerned if it's doable.
Any direction or feedback is most appreciated.
HannesK
Product Manager
Posts: 14322
Liked: 2890 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: File Level Restore between 2 separated networks but with shared storage and compute

Post by HannesK »

Hello,
do you maybe have a picture of your setup? I just drew it and I could not find a connection between vCenter and the ESX servers in environment B. So you do not have backups of environment B. You only want to restore from A to B?

If you really have no connection, then I only see this option
1) restore to a VM in A.
2) de-register the VM in A
3) register the disk to a VM in B (you cannot use the VM network connection as you mentioned there is no connection)


If you do it like most people do (management is connected and only VM traffic is separated), then I see the following options
a) VIX restore
b) instant disk restore
c) restore to a "3rd party" location that both environments can reach and download from there

I like option b most.

Best regards,
Hannes

Re: File Level Restore between 2 separated networks but with shared storage and compute

Post by TimLawhead »

This is what I see as the layout:

The VMs for the 2 environments are going to be running inside a Blade Compute Chassis with a Fabric A and Fabric B for Ethernet and a Fabric C for Fibre Channel. The VMs will be tied to different vSwitches which path to separate physical chassis switching modules, allowing for full separation of the networking. The storage is a SAN that will have storage paths to all the blades in the chassis. All VMs will exist on the same storage device, but on separate LUNs. The Veeam Backup Repository will have storage paths for Env. A and Env. B mapped to it.

VM management and Veeam will all be on the Env. A network.


(Image: layout diagram, not reproduced here)

Re: File Level Restore between 2 separated networks but with shared storage and compute

Post by HannesK »

okay, cabling is clear now for me.

The main question is how vCenter and Veeam connect to environment B. If there is really no connection, then vCenter can only manage environment A. So my 1-3 apply.

> The Veeam Backup Repository will have storage paths for Env. A and Env. B mapped to it.

I assume that your repository is also a proxy. Even if you have a Fibre Channel connection to the storage, it will not be possible to back up anything from environment B, because Veeam / vCenter cannot trigger a snapshot in B without a connection.

A starting point could be https://helpcenter.veeam.com/docs/backu ... 100#backup

Re: File Level Restore between 2 separated networks but with shared storage and compute

Post by TimLawhead »

Thank you HannesK for the replies.

One thing not on the drawing - attached to the Backup Repository via SAS is a Tape Library. This is offline storage.

The VMs in Environment B are being co-hosted on the same physical blade servers as Env. A, but will be assigned different vSwitches than Env. A and tied to VLANs that are on physical paths to the Fabric B network modules, thus providing the VMs a completely separated network.

The blade servers will have their vSphere management and vMotion traffic on Env. A's network, and all of the SAN's (shared storage) mappings for both the Env. A and Env. B datastores/volumes/LUNs will be mapped to both the blade servers and to the physical Backup Repository Server. The Backup Repo should be able to mount the datastores of Env. B and create backups of the VMs without ever touching the Env. B network; however, reviewing your link it looks like I'm forgetting about the Guest Interaction Proxy or Mount Server for VM guest OSes....

The current layout design doesn't allow for that VM guest processing, and I'd lose the capability to back up with it unless those processes were allowed to pass through the firewall.

I guess I'm thinking my options are as follows:
1. Don't use VM Guest Processing in Veeam and rely only on VMware Tools quiescence.
2. Allow ports through the firewall to allow for VM Guest Processing and allow VBR to talk to Env. B's VMs... SECURITY RISK with open ports.
   a. What's the best setup scenario for keeping things secure... could I put the VBR in the DMZ of Env. A and then put a VBR proxy server in the DMZ of Env. B to limit traffic?
3. I was thinking of standing up VBR in Env. B and buying another Backup Repo/Tape Library ($50k-$60k costs...), but there's not a separate vCenter to talk to and the blades would be under the control of the vCenter in Env. A.

These are small environments, but business critical. The network separation is a must, but some Firewall ports allowance may be allowed if it justifies not having to buy another set of redundant hardware, software licensing, and the support to go with them, as well as give up space and power to stand them up.

I'm guessing that Veeam is operating in some larger Datacenters and they have some solution in place for co-hosted servers that provides a secure/separate environment. Just curious how they are getting it done and how I can emulate that for my small environment.

Re: File Level Restore between 2 separated networks but with shared storage and compute

Post by HannesK »

Hello,
> The blade servers will have their vSphere management and vMotion traffic on Env. A's network

So you say that the ESX servers in B are connected to A? Then it's easy: put the backup server in the same network.

> The Backup Repo, should be able to mount the datastores

A backup repository never mounts anything from the virtual environment. Backup is done by the backup proxy.

Yes, option 1 or even without any guest processing is a common way for such environments.

I don't believe that 3 is required. I still don't understand your network setup, but it sounds like a normal setup where you have a couple of DMZ systems. The only issue is application aware backup and direct restore into the VMs.

I already mentioned some solutions for the restore, and another one came to mind: Enterprise Manager self-service portal with the "download" option.

Best regards,
Hannes
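The firewall-scoped variant discussed in this thread (a mount server or proxy placed in Env. B that reaches the backup server and the Landing Zone in Env. A only through explicitly allowed ports, instead of a dual-homed VM that bridges both networks) is easiest to keep honest with a reachability check that is re-run after every firewall change. The following PowerShell is an added example, not code from the thread or from Veeam. The host names, the allow-list and the "must stay blocked" probe list are assumptions: the port numbers are taken from memory of Veeam's "Used Ports" reference and must be confirmed against the documentation for your version (including the direction of each flow, since Veeam initiates some connections from the backup server side) before they become firewall rules. Run it from the side that initiates each flow.

```powershell
# Added example (not from the thread or from Veeam): verify that a host in Env. B
# reaches Env. A only on the ports the firewall is meant to allow, and that a
# sample of ports which should be blocked are in fact blocked. A dual-homed
# "bridge" VM would answer the blocked probes too; a correct allow-list will not.
param(
    [string]$BackupServer = 'vbr.envA.example',     # assumed VBR host name
    [string]$Repository   = 'lz.envA.example',      # assumed Landing Zone host name
    # Assumed allow-list. Confirm every entry (and its direction) against Veeam's
    # "Used Ports" reference for your version before writing firewall rules.
    [int[]]$AllowedPorts  = @(6160, 6162, 9392),
    # Ports that must remain unreachable from this side of the firewall.
    [int[]]$BlockedProbes = @(3389, 5985, 5986),
    [int]$TimeoutMs       = 2000
)

function Test-Port {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    # Raw TCP connect with an explicit timeout: a firewall DROP never answers,
    # so we must not wait for the default connect timeout on every probe.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on RST (REJECT) as well
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($target in @($BackupServer, $Repository)) {
    foreach ($port in $AllowedPorts) {
        [pscustomobject]@{
            Target   = $target; Port = $port; Expected = 'open'
            Open     = Test-Port -Target $target -Port $port -TimeoutMs $TimeoutMs
        }
    }
    foreach ($port in $BlockedProbes) {
        [pscustomobject]@{
            Target   = $target; Port = $port; Expected = 'blocked'
            Open     = Test-Port -Target $target -Port $port -TimeoutMs $TimeoutMs
        }
    }
}

$results | Format-Table -AutoSize

# Anything open that should be blocked, or blocked that should be open, is a
# policy mismatch; fail loudly so the check can gate a change window.
$mismatch = $results | Where-Object {
    ($_.Expected -eq 'open'    -and -not $_.Open) -or
    ($_.Expected -eq 'blocked' -and $_.Open)
}
if ($mismatch) {
    Write-Warning 'Firewall policy does not match the intended allow-list:'
    $mismatch | Format-Table -AutoSize
    exit 1
}
Write-Host 'Allow-list verified: only the expected ports are reachable from this host.'
```

The negative probes are the part worth keeping: a green result on the allowed ports alone cannot distinguish a narrow firewall rule from the fully bridged network the first option in the thread was trying to avoid. Extend `$BlockedProbes` with whatever management ports exist in Env. A, and repeat the run in the opposite direction from the Env. A side for flows that Veeam initiates towards the Env. B host.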