massimiliano.rizzi
Service Provider
Posts: 205
Liked: 26 times
Joined: Jan 24, 2012 7:56 am
Full Name: Massimiliano Rizzi

Veeam Hardened Repository multihoming

Post by massimiliano.rizzi »

Hello experts,

as part of a hardware refresh project for a new customer, we are planning on creating a separate /24 VLAN subnet behind the firewall in order to better segment and protect the Production vSphere environment, the new soon-to-come vSphere DR cluster as well as the Veeam backup fabric, as they currently reside in the same flat VLAN and IP subnet where all clients and servers reside (as depicted below):

[Image: network diagram]

Currently the Veeam Backup server/primary backup repository is a physical Windows server running Windows Server 2019 with 50TB of local storage. We are planning on moving the Veeam Backup Server to a new dedicated VM hosted on the soon to come vSphere DR cluster and, at the same time, repurpose the primary backup repository hardware into a Veeam Hardened Repository.

The main concern here is the 60 or so client computers with the Veeam Agent for Windows. More specifically, in the current scenario all network traffic between the source Veeam Data Movers running on the backup agents' side and the target Veeam Data Movers running on the primary backup repository side is local, in the same /23 subnet depicted above. After placing the Veeam backup fabric in the separate /24 VLAN subnet behind the firewall in order to better segment and protect it, all network traffic between the source and the target Veeam Data Movers will need to traverse the firewall, and this is something we want to avoid at all costs for several reasons.

It looks like for some reason the external network and security consultants are reluctant to use VLAN routing and create proper ACLs on the core switch, so we are trying to find a way to work around this.

Although not recommended (especially from a security perspective), technically we could multihome the soon to come Veeam Hardened Repository to allow the source Veeam Data Movers running on the backup agents side to locally connect from the /23 subnet and, at the same time, allow the source Veeam Data Movers running on the VMware backup proxies side to locally connect from the new /24 subnet.

Could you please tell me if this is something that can be achieved, for example by properly configuring Network Traffic Rules or by splitting name resolution on the two subnets?

It would be great if someone could kindly advise me on this matter.

Thanks and Regards,

Massimiliano
JGM2023
Influencer
Posts: 18
Liked: 5 times
Joined: Jun 09, 2023 12:47 pm
Full Name: JGM

Re: Veeam Hardened Repository multihoming

Post by JGM2023 »

Hello,

Can't see your image, but yes, this is possible. You could add a network VLAN on the ESXi hosts, for example VLAN 1000. You would then dual-NIC the proxies: one NIC in the VLAN you are backing up and one NIC in VLAN 1000.

You would also need a NIC on the repository on VLAN 1000. You can then set up "Preferred Networks" in Network Traffic Rules. This tells Veeam to attempt to transfer all backup and replication traffic on that specific VLAN. I also found that additional DNS records were not required in this setup (I have observed that Veeam rotates through the NICs and tries to push all data through that network).

I know this is possible with a standard Linux repository; I am not 100% sure if this will work on a "Hardened" repository though. Someone else might be able to confirm that for certain. This could also be a private VLAN, I would expect.
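An added planning check for the dual-homed layout discussed in this thread (illustration only, not code from the posters or from Veeam). It models the address choice JGM describes (prefer the repository NIC in the backup VLAN, otherwise any NIC local to the source, otherwise the session would cross the firewall) and flags the case where the Linux repository itself would route between the two segments; the subnets, addresses and sysctl text are constructed assumptions.

```python
import ipaddress

# Constructed addressing modelled on the thread: agents on a /23, backup
# fabric on a new /24 VLAN. The actual prefixes are assumptions.
REPO_INTERFACES = [
    ipaddress.ip_interface("10.0.1.50/23"),   # NIC facing the agents' /23
    ipaddress.ip_interface("10.0.10.50/24"),  # NIC in the backup VLAN /24
]
PREFERRED_NETWORKS = [ipaddress.ip_network("10.0.10.0/24")]  # "Preferred Networks" rule


def pick_repo_address(source_ip, repo_ifaces=REPO_INTERFACES,
                      preferred=PREFERRED_NETWORKS):
    """Repository address a source data mover should target, or None.

    Order: a repository NIC in a preferred network that is also local to the
    source, then any NIC sharing a subnet with the source, else None (the
    session would have to cross the firewall, which the OP wants to avoid).
    """
    src = ipaddress.ip_address(source_ip)
    local = [i for i in repo_ifaces if src in i.network]
    for iface in local:
        if any(iface.ip in net for net in preferred):
            return str(iface.ip)
    return str(local[0].ip) if local else None


def sources_crossing_firewall(source_ips, **kw):
    """Sources for which no repository NIC is on a local subnet."""
    return [s for s in source_ips if pick_repo_address(s, **kw) is None]


def repo_forwards_between_segments(sysctl_text):
    """True if the repository host would route between its two NICs.

    A dual-homed repository must not become a bridge around the firewall,
    so net.ipv4.ip_forward should stay 0 on the Linux host.
    """
    for line in sysctl_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv4.ip_forward":
            return value.strip() == "1"
    return False


if __name__ == "__main__":
    # Constructed sample: two agents on the /23, one proxy in the backup
    # VLAN, one stray host on an unrelated subnet.
    for src in ["10.0.0.77", "10.0.1.200", "10.0.10.20", "192.168.5.5"]:
        print(src, "->", pick_repo_address(src))
    print("ip_forward on:", repo_forwards_between_segments("net.ipv4.ip_forward = 0"))
```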
