Veeam in multiple restricted networks

[peeky1323]

Hi,

We are designing a solution for a customer who uses the ISA 95 manufacturing model. They currently have Veeam in the trusted corporate LAN where their user PC reside backing up to direct storage on the Veeam server. They also have multiple networks behind a DMZ separated by a firewall where there are 2 Hyper-V servers that will need the VM backing up.. Anything in these restricted networks can't access the internet by design. Would the best approach be to use their current Veeam installation and open the required ports on the Firewall to access the Hyper-V servers in the restricted networks? Also, their repository for these Hyper-V servers is a NAS that resides in the restricted network. I believe the reason for this is that the backup traffic will have to pass over the Firewall which is slow and their data is 10+TB with a high change rate.

Thanks,

Matt

[PetrM]

Hi Matt,

From a security perspective, I guess it's not a problem to let Veeam B&R which is located in the trusted LAN orchestrate jobs for the workloads running on Hyper-V servers. For instance, you may refer to this page of our best practices guide to get more info about typical zones segmentation methods.

The backup traffic will go from the Hyper-V host to the repository because the source Data Mover is running on the host itself (unless off-host mode is used). As far as I understand, the Hyper-V hosts and the repositories are located in the same network segment, therefore backup traffic will not pass the firewall. However, the management traffic will go through the firewall because Veeam B&R is located in another network but it will not impact backup performance.

Thanks!