-
- Service Provider
- Posts: 21
- Liked: 1 time
- Joined: Aug 14, 2022 7:20 am
- Full Name: Peter Neumann
- Contact:
VMware Cloud Director application aware backup
Documentation is a little unclear - as is the Veeam BP - about how it is recommended to solve this requirement. I believe I am not alone - as a provider - when stating that I don't really want a guest interaction proxy for all tenants, since that would impose many issues with security. A single server should reach all virtual machines of all tenants. A dedicated guest interaction proxy per tenant might be a better option; however, that would still involve NAT in order to let the backup server reach the VBR server.
-
- Veeam Software
- Posts: 3626
- Liked: 608 times
- Joined: Aug 28, 2013 8:23 am
- Full Name: Petr Makarov
- Location: Prague, Czech Republic
- Contact:
Re: VMware Cloud Director application aware backup
Hi Peter,
Do I get it right that you want to use a single guest-interaction proxy for all tenants? If yes, what's the issue with this approach in your environment?
Thanks!
-
- Service Provider
- Posts: 21
- Liked: 1 time
- Joined: Aug 14, 2022 7:20 am
- Full Name: Peter Neumann
- Contact:
Re: VMware Cloud Director application aware backup
Hello,
No, not yet using a guest interaction proxy at the moment. However, it is a must for sure. Currently I am trying to find the best and most secure solution to this. I don't want to use a single - or multiple - but leveraged guest interaction proxy, as that would be the single entry point for an attacker to get into all tenants' networks directly - furthermore, technically I can't create a network like that. It is probably better to use a dedicated guest interaction proxy per tenant; I just need to know what the reference design is - if there is any - or what the community experience is, how others solved this challenge.
VCIX DCV,VCIX NV,HCI Master,Tanzu Specialist,vExpert/PRO/NSX,VMCE
-
- Veeam Software
- Posts: 170
- Liked: 43 times
- Joined: Mar 19, 2016 10:57 pm
- Full Name: Eugene Kashperovetskyi
- Location: Chicago, IL
- Contact:
Re: VMware Cloud Director application aware backup
Greetings,
Do you happen to use NSX or similar technology in your environment that would allow for additional networking flexibility for the infrastructure deployment?
With NSX-like solutions in the picture, additional Edge Gateways can be deployed and configured to isolate tenant's traffic.
Eugene K
VMCA, VCIX-DCV, vExpert
-
- Service Provider
- Posts: 21
- Liked: 1 time
- Joined: Aug 14, 2022 7:20 am
- Full Name: Peter Neumann
- Contact:
Re: VMware Cloud Director application aware backup
Sure. A/A provider T0 - actually multiple - with a VRF lite setup there. Each tenant has a VRF lite and a T1 that is managed by VCD, effectively by the tenant. Tenants are isolated today in routing and surely they can utilize the GW firewall, as well as DFW.
The question is how not to violate this full separation with a network in which Veeam Guest Interaction should sit and be able to reach all VMs of all clients.
VIX can be used, but I wanted to check if there is a reference design for service providers - besides veeambp, which completely misses this part in general.
VCIX DCV,VCIX NV,HCI Master,Tanzu Specialist,vExpert/PRO/NSX,VMCE
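Added example (not part of the original thread, and not Veeam or VMware code): a small audit for the concern raised above, flagging any source address whose firewall allow rules give it reachability into more than one tenant's networks, which is what a shared guest interaction proxy would look like. The tenant names, CIDRs and the `(source, destination)` rule format are constructed assumptions; export your own gateway and DFW rules into that shape.

```python
import ipaddress

# Constructed sample data: tenant names, CIDRs and rules are illustrative only.
TENANT_NETS = {
    "tenant-a": ["10.10.0.0/16"],
    "tenant-b": ["10.20.0.0/16"],
    "tenant-c": ["10.30.0.0/16"],
}

# (source CIDR, destination CIDR) pairs taken from "allow" rules.
ALLOW_RULES = [
    ("172.16.5.10/32", "10.10.0.0/16"),  # shared proxy -> tenant-a
    ("172.16.5.0/24", "10.20.4.0/24"),   # subnet containing that proxy -> tenant-b
    ("10.30.250.5/32", "10.30.0.0/16"),  # dedicated proxy inside tenant-c
    ("10.10.250.5/32", "10.10.0.0/16"),  # dedicated proxy inside tenant-a
]


def _net(cidr):
    # strict=False tolerates host bits set in an exported rule.
    return ipaddress.ip_network(cidr, strict=False)


def tenants_reached(dst_cidr, tenant_nets):
    """Return the tenants whose networks overlap a rule's destination."""
    dst = _net(dst_cidr)
    return {tenant for tenant, cidrs in tenant_nets.items()
            if any(dst.overlaps(_net(c)) for c in cidrs)}


def cross_tenant_sources(rules, tenant_nets):
    """Map each source to the tenants it can reach, keeping only sources
    that reach more than one tenant. Rules written for a wider source
    network also count for every narrower source inside it."""
    parsed = [(_net(src), tenants_reached(dst, tenant_nets)) for src, dst in rules]
    findings = {}
    for src, _ in parsed:
        reach = set()
        for other_src, tenants in parsed:
            if src.version == other_src.version and src.subnet_of(other_src):
                reach |= tenants
        if len(reach) > 1:
            findings[str(src)] = sorted(reach)
    return findings


if __name__ == "__main__":
    for source, tenants in cross_tenant_sources(ALLOW_RULES, TENANT_NETS).items():
        print(f"{source} can reach multiple tenants: {', '.join(tenants)}")
```
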
-
- Veeam Software
- Posts: 3626
- Liked: 608 times
- Joined: Aug 28, 2013 8:23 am
- Full Name: Petr Makarov
- Location: Prague, Czech Republic
- Contact:
Re: VMware Cloud Director application aware backup
Looks like "VIX" is the only way to go if it's necessary to isolate traffic of each tenant. The number of guest interaction proxies will depend on scalability purposes but I guess just one server (even Veeam B&R itself) would be fine if you didn't process thousands of VMs simultaneously.
By the way, "VIX" is not the correct name for the guest interaction protocol: starting from vSphere 6.5, vSphere Web Services API is used instead of VIX (real "VIX" works on earlier vSphere versions), but it's still referred to as "VIX" sometimes.
Thanks!
-
- Service Provider
- Posts: 21
- Liked: 1 time
- Joined: Aug 14, 2022 7:20 am
- Full Name: Peter Neumann
- Contact:
Re: VMware Cloud Director application aware backup
Yeah, sure. Well, even Veeam references it as "VMware VIX/vSphere Web Services", so I will keep calling it VIX, just as the product states when testing credentials in VBR itself.
VCIX DCV,VCIX NV,HCI Master,Tanzu Specialist,vExpert/PRO/NSX,VMCE