Feature Request: Specify Veeam Proxies per protected workload or site

[Seve CH]

Hello,

If I am not mistaken, in a job, we currently have:
Veeam proxy (transport): Global per job (automatic or manual selection, automatic using appliance mode capabilities for selection)
Veeam proxy (interaction): Global per job (automatic or manual selection, I assume automatic uses same network)
Credentials: Default + Per workload (I.e. VMs with tag 1 = credential A, VMs with tag 2 = credential B), etc.
VM Guest processing: Per workload (I.e. VMs with tag 1 = no guest processing, VMs with tag 2 = X parameters, etc.)

My feature request is to be able to map proxies to VMs

How and where?

• On the guest processing options, a new tab like any other setting (this works for guest interaction proxy, but for backup proxy it will be more awkward).

• Where they are (a button to specify them), but using a new "Proxy selection" Window like "Application aware processing options" or "Virtual machines" selection window where it will be possible to select the workload and map proxies to it

Another option less flexible would be to map proxies to sites.

A proxy has a site selection: "This proxy manages sites: ...". So: Workloads on site A = proxies available to site A. Workloads on site B = proxies available to site B.
Site could be "Europe-Germany-Datacenter X" or something more generic like "Automation".

Business case:
Infrastructure:

• HQ with a single vCenter managing most hosts worldwide (some branch offices have only 1 host).

• Several almost-autonomous environments (hosts+storage+network+routers) with delegated administration or different security policies.

• An environment could be a department (i.e. "Automation", "Development", "Prod-1", etc.) in HQ or a branch office ("Germany") or a mix (E-CH-Prod1, E-DE-Prod1).

• Veeam has his own VLANs: repos, servers, and a Proxy VLAN per "environment" where the proxies are being deployed (this defeats the "same-subnet" proxy selection algorithm)

Requisites:

• We want to do backups based on backup destination (Repo), RPO and retention. For that, we leverage VM Labels to map VMs to jobs. This also separates roles (Veeam administrator vs VM administrator).

• We would like to avoid having several jobs with the same RPO and Retention (this is currently the only option: a job per environment to assign proxies)

• We want to minimize where each credential is exposed. So a proxy or a router in the development environment shouldn't be able to see the interaction password from production SAP server.

Thanks for considering this feature request

[Egor Yakovlev]

Hi Seve.

Noted a feature request for internal discussion, however I am wondering if existing Proxy Affinity will do the trick here, as each site will have it's own repository and you prefer to do backups based on backup destination, we can then "prefer" manually-selected proxies based on destination target!

/Cheers!

[Seve CH]

Hi Egor,

Thanks for your answer.

Proxy affinity for a repository would work for sites with a local repository per security zone. Sadly, this is not always the case.

Our inter-site links can be something between 100Mbit/s and 20Gbit/s so in many cases it doesn't make sense to create dedicated repositories per site and zone. We are deploying local repositories to insure the RTO in case of a full-site restore.

In other cases, it is a management boundary: Some VMs are being managed by a team whilst other are being managed by a different one.

Example:


Everything is on the same vCenter managed hosts. If the workloads are equivalent from the information/management side, it would make sense to put everything on the same job (thus, same repo).

There is also workload mobility: VMs are running on a "site" and being v-motioned to another for several reasons (migration, process workflows, compliance/regulation...)

We would to be able to tell Veeam that workloads on the orange zone (tagged with vSphere tags) must use orange proxies. And the same for green workloads and green proxies.

I think that:
Proxy affinity for a repository is more focused about networking (optimize network usage while accessing storage)
Proxy selection for workloads is more focused about workload security and firewalls (avoid exposing credentials / workload management network outside of the required security zones)

So I feel that we need both

Playing with proxy-repo affinity, it would be possible to set the security zones at the expense of:

• More storage: a VM moves to a different zone/proxy = new backup chain in a different repo, sometimes over a WAN link

• More jobs: a job per repo + its corresponding vSphere Tags

• More complexity: now the operator deploying a vm will need to decide which tag to assign based not only on retention, location and credentials, but also the right proxy for the right zone.

We will implement something like that, we can't wait for Veeam 12 , but it is still good as a feature request: Avoiding workarounds is always a good thing .

Best regards