Hi all, was curious if there's a formal data flow diagram or description somewhere that will outline which systems need access to what in a vCenter/vSphere backup and replication scenario? Will be using Linux proxies and would like to have some level of control over the interfaces / targets used to replicate too if possible. I'm trying to figure out what the minimal set of firewall/routing rules will look like for a site-to-site replication scenario, and equally important, where the high bandwidth conversations occur so we can tune for speed.
Assumptions/questions:
Fairly certain that the source side VB&R master needs access to the target vCenter management system of the destination cluster. Does it require access to the target cluster's vSphere hosts? We would be specifying a target cluster, not a target host.
From the GUI, I'm getting the impression that the source master needs its own target proxy. If we have Veeam B&R infrastructure in both locations, can a proxy be shared so we don't need a doubling of proxies to handle local backups plus receiving remote replication? Or are they exclusive per master?
I assume VB&R has the necessary logic to handle and resolve any conflicts between local backups and remote replications that may want to occur at the same time? I've found documentation that change block tracking in a backup + replication scenario isn't an issue, but wasn't sure if we need to manipulate the job types to ensure they don't overlap.
Can a proxy be told what its replication target IP is and have it differ from the hostname? For example, the proxies need to be on a specific network for management access from the VB&R master, which itself has to be on a network with access to vCenter or the actual vCenter network, but we'd prefer to have a second network interface where replication occurs, as that one we can map into a VLAN with site-to-site VPN access.
I'd suggest reviewing the following pages on our help center: replication scenarios and used ports. Also, it's recommended to deploy the Veeam B&R server on the target site in a replication scenario to allow seamless failover in case of disaster on the source site. You may check our best practices guide as well.
Answering your questions:
Basically, it's enough to make sure that the target proxy has access to ESXi hosts, in particular port 902, to ensure data transfer in Network mode and VM configuration upload over NFC. But if this proxy becomes unavailable for whatever reason, jobs will fail.
I wouldn't recommend sharing proxies between different Veeam B&R instances. Also, it's not clear why you need to have two backup servers. You can install just a single one on the remote site and orchestrate both backup and replication jobs; you just need to have a proxy on the source site.
I'd try to avoid overlapping jobs anyway. Perhaps replication from backup might be a good option for you.
It's not clear which specific replication traffic you would like to route over a dedicated network. If you're talking about data transmission between source and target Data Movers, then the preferred network setting might be the way to go. Data read from ESXi by the proxy on the source and data write to ESXi by the proxy on the target depend on the transport mode.