Eric Raskin (Influencer; Posts: 11; Liked: 6 times; Joined: Feb 17, 2021 2:33 pm)
FEATURE REQUESTS - network security configuration
Hello:
We are new users for your Google product - it is working fine so far. Thank you!
I have two requests that I would like you to consider:
1) In your default network rule for the worker, I would like to be able to lock down the HTTPS ports to only include IP addresses in my default network. As it is currently built, I have to use 0.0.0.0/0 for the source port in order for the firewall rule to be recognized. I consider this a security hole that hackers can exploit.
2) I would like to be able to configure a non-standard SSH port for the Veeam manager and worker VMs. If I look in the log files for the Manager, I see a huge number of attacks on port 22. It would be great if I could configure a non-standard SSH port (as I do for all my other VMs) to avoid that.
I look forward to your comments.
Eric Raskin
Niels Engelen (Product Manager; Posts: 5797; Liked: 1215 times; Joined: Jul 15, 2013 11:09 am)
Re: FEATURE REQUESTS - network security configuration
1) Are you talking about the worker when you do a FLR? Or are you talking about the appliance in general?
2) Are you getting these attacks on the appliance or the workers?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
Eric Raskin (Influencer; Posts: 11; Liked: 6 times; Joined: Feb 17, 2021 2:33 pm)
Re: FEATURE REQUESTS - network security configuration
1) I would like to lock down everything, both appliance and workers.
2) The attacks are visible in the appliance system logs. Workers probably don't live long enough.
Niels Engelen (Product Manager; Posts: 5797; Liked: 1215 times; Joined: Jul 15, 2013 11:09 am)
Re: FEATURE REQUESTS - network security configuration
1) If you enable the firewall to only allow port 443 from your IPs or ranges, it should work fine. No need to open it to the world.
2) Same here, you can normally lock port 22 down to only allow traffic from your IPs or ranges.
If you are seeing issues with this, then please open a support case and let us know the ID.
Eric Raskin (Influencer; Posts: 11; Liked: 6 times; Joined: Feb 17, 2021 2:33 pm)
Re: FEATURE REQUESTS - network security configuration
Regarding 443: True, but that would lock down 443 and 22 from all hosts for everything. We do run a corporate website so 443 has to be open, at least for that one server. Anyway, I tried to use a firewall rule on the worker configuration other than "default-https" that allowed 443 from only our internal network IPs. I could not choose it - I got an error if I did.
Regarding 22: The way I lock things down on Google Compute Engine is to attach a tag to each machine and put that tag in a rule. The rule says that port 22 is not allowed. When I do that to your machine, backups fail. There is no way that I know of to lock down Google Compute Engine for port 22 on the "external side". It's all done by applying rules to VMs. If I'm mistaken, please teach me how!
Niels Engelen (Product Manager; Posts: 5797; Liked: 1215 times; Joined: Jul 15, 2013 11:09 am)
Re: FEATURE REQUESTS - network security configuration
I'm not sure how 443 affects your corporate website? The VBG appliance is standalone and the webservice runs on that port. Workers are different as they are created and destroyed so they aren't static at this point in time.
Alec King (VP, Product Management; Posts: 1497; Liked: 384 times; Joined: Jan 01, 2006 1:01 am)
Re: FEATURE REQUESTS - network security configuration
A couple of additional points:
1. Port 22 is not required at all, neither for the Veeam Backup appliance nor for workers. Certainly backups should not fail if only port 22 is blocked (we just tested and re-confirmed this). Can you please check your port 22 firewall rule?
2. We require HTTPS 443 only for the Veeam Backup web UI, and for access to the FLR (file-level recovery) session from the PC where you want to recover files. Can you clarify the error you received when choosing a firewall rule for 443?
Veeam Workers communicate with the Veeam Backup appliance using Google Private Access; can you confirm how this is configured?
Alec King
Vice President, Product Management
Veeam Software
Eric Raskin (Influencer; Posts: 11; Liked: 6 times; Joined: Feb 17, 2021 2:33 pm)
Re: FEATURE REQUESTS - network security configuration
Hmmm, your documentation specifically says that port 22 is required. See page 9 of the "Veeam Backup for Google Cloud Platform User Guide": "Required to deploy the Worker service to worker instances" (I wish I could attach a screenshot here).
As for 443, if I go to Edit Worker Configuration->Network Settings and choose a Firewall Rule like "veeam-backup-tcp-443", I get the message "Firewall rule does not allow HTTPS traffic". If I check the Google Firewall settings for this tag, it lists my internal IP ranges and "tcp:443".
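A defender-side check for the situation discussed in this thread, added here as an example and not code from Veeam or from any poster. It takes GCP firewall rules in the shape of the JSON that `gcloud compute firewall-rules describe --format=json` returns (constructed sample rules with made-up names and ranges), confirms whether a rule actually lets tcp:443 in, and flags rules whose source range is 0.0.0.0/0, which is what the default rule forces.

```python
import ipaddress

# Constructed sample rules, shaped like `gcloud compute firewall-rules describe --format=json`
# output trimmed to the fields this check uses. Rule names and ranges are made up.
SAMPLE_RULES = [
    {"name": "default-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "targetTags": ["veeam-worker"]},
    {"name": "veeam-backup-tcp-443", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9", "192.168.100.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "targetTags": ["veeam-worker"]},
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "8000-8100"]}], "targetTags": []},
]

def allows_port(rule, port, proto="tcp"):
    """True if an allow entry of the rule covers `port`; handles single ports and 'lo-hi' ranges."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in (proto, "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port of that protocol
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def allows_https(rule):
    """The check the worker configuration UI appears to apply: does the rule let tcp:443 in?"""
    return allows_port(rule, 443)

def source_is_world(rule):
    """True if any source range is the entire address space (0.0.0.0/0 or ::/0)."""
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0
               for r in rule.get("sourceRanges", []))

def audit(rules):
    """Return (rule name, finding) pairs for ingress rules exposing HTTPS or SSH to the world."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        for port, label in ((443, "HTTPS"), (22, "SSH")):
            if allows_port(rule, port) and source_is_world(rule):
                findings.append((rule["name"], f"{label} tcp:{port} open to 0.0.0.0/0"))
    return findings
```

On the samples, `audit` reports the default-style 443 rule and the world-open SSH rule, while the internal-range 443 rule passes both checks.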
Alec King (VP, Product Management; Posts: 1497; Liked: 384 times; Joined: Jan 01, 2006 1:01 am)
Re: FEATURE REQUESTS - network security configuration
Yes, apologies for the documentation error; port 22 is definitely not required. I've already asked for the User Guide to be updated.
Regarding the warning about https, this warning doesn't actually prevent the creation of the Worker Configuration. It may be that the warning is just not well worded and concerns external 443 access. If you complete the Worker Configuration with your desired internal IP range rule, do you see any errors or failures in backup or FLR?
Meanwhile we are also checking internally to confirm this.
Eric Raskin (Influencer; Posts: 11; Liked: 6 times; Joined: Feb 17, 2021 2:33 pm)
Re: FEATURE REQUESTS - network security configuration
OK, thanks. I will try it and see what happens. I have locked down port 22 and 443 to my internal networks. Now if I could just get my backup to complete! See Case #04673902 for info about that one.
Alec King (VP, Product Management; Posts: 1497; Liked: 384 times; Joined: Jan 01, 2006 1:01 am)
Re: FEATURE REQUESTS - network security configuration
OK, thanks!
And yes, we are also digging into your other issue.