gingerdazza
Expert

Firewall Placement

Post by gingerdazza »

Hi. I'm trying to ensure my new VBR environment is appropriately isolated from the main LAN. We have a hyperconverged compute platform and a Veeam Hardened Repo. I take it that whilst having the hyper-converged storage network and repo isolated from the general population LANs is necessary, having a firewall in the path of the data backup flow to the repo is NOT a good idea? And of course I believe that the VBR Server should be in the "management zone" network. So, looking at this article: https://bp.veeam.com/vbr/Security/Hardening_Zones.html

1. does this mean that there should be firewalls between all zones, or can the zones merely be different subnets not routable from user LANs? (i.e. what defines sufficient zone isolation/controls?)
2. should you have a firewall between management and restricted zones?
3. how best to get the data from hyperconverged infrastructure to repo (assuming without passing through a fw?) perhaps using proxies on the compute nodes?

Trying to visualise and understand this all a bit more.
HannesK
Product Manager

Re: Firewall Placement

Post by HannesK »

Hello,
Yes, there should be a firewall between each zone. Due to bandwidth / performance requirements, proxy and repository are usually in the same network without a firewall in between. Management traffic can go through firewalls, because it's only a small amount of data.

Best regards,
Hannes
gingerdazza
Expert

Re: Firewall Placement

Post by gingerdazza »

In the Veeam segmentation strategy, it says that Veeam proxies are "part of the trusted zone". And that the repository should be part of the restricted zone. So, that means a firewall would exist between the proxy/data movers and the repo, no? Unless the idea is to dual home the proxies/data movers? How can I get the throughput between the proxies and the repo if they are in different zones? Any help here appreciated.

It really would be useful for Veeam to have publicly available reference architectures around this. I know that might squeeze your partner ecosystem somewhat but transparency always helps.
HannesK
Product Manager

Re: Firewall Placement

Post by HannesK »

Hello,
> So, that means a firewall would exist between the proxy/data movers and the repo, no?

Yes, correct. But many customers don't do that for performance / cost reasons.

> Unless the idea is to dual home the proxies/data movers?

No, I never suggest dual-homing. Dual-homing means bypassing the firewall, and except for storage networks (iSCSI / NFS) it's a bad design.

> How can I get the throughput between the proxies and the repo if they are in different zones?

Get a faster firewall? :-)

> It really would be useful for Veeam to have publicly available reference architectures around this.

Hmm, what's wrong with the document you found?

Best regards,
Hannes
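As an added example (my own code, not from this thread and not from Veeam or the linked hardening article), the following Python script models the zoning that both of Hannes's replies describe: VBR in a management zone, proxies in a trusted zone, the hardened repository in a restricted zone, a firewall allow-list between zones, and the expected traffic flows. It reports the two design faults discussed above: a host dual-homed across non-storage zones (which silently bypasses the firewall) and an inter-zone flow that no rule permits. The host names, zone names, rule set and port numbers are constructed assumptions for illustration; take real port numbers from the Veeam port reference for your version.

```python
"""Zone-segmentation sanity check for a Veeam-style backup network.

Added example, not code from the forum thread or from Veeam. Hosts, zones,
rules and ports below are constructed assumptions.
"""
from dataclasses import dataclass

# Storage networks (iSCSI / NFS) are the one case where a second interface is
# acceptable, so they are excluded from the dual-homing check.
STORAGE_ZONES = frozenset({"storage"})


@dataclass(frozen=True)
class Host:
    name: str
    zones: frozenset  # zones this host has an interface in


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    purpose: str


def dual_homed(hosts):
    """Hosts with interfaces in more than one non-storage zone."""
    return sorted(h.name for h in hosts if len(h.zones - STORAGE_ZONES) > 1)


def classify_flow(flow, hosts_by_name, allowed):
    """'intra-zone' (no firewall in path), 'allowed' (matching rule) or 'blocked'."""
    src, dst = hosts_by_name[flow.src], hosts_by_name[flow.dst]
    if src.zones & dst.zones:
        return "intra-zone"
    for sz in src.zones:
        for dz in dst.zones:
            if (sz, dz, flow.port) in allowed:
                return "allowed"
    return "blocked"


def check_flows(hosts, rules, flows):
    """Map (src, dst, port) of every flow to its classification."""
    by_name = {h.name: h for h in hosts}
    allowed = {(r.src_zone, r.dst_zone, r.port) for r in rules}
    return {(f.src, f.dst, f.port): classify_flow(f, by_name, allowed) for f in flows}


# Constructed design: VBR in management, proxies in trusted, repo in restricted.
HOSTS = [
    Host("vbr", frozenset({"management"})),
    Host("proxy1", frozenset({"trusted", "storage"})),     # storage NIC only: acceptable
    Host("proxy2", frozenset({"trusted", "restricted"})),  # dual-homed across the firewall
    Host("repo1", frozenset({"restricted"})),
    Host("san1", frozenset({"storage"})),
]
RULES = [  # firewall allow-list between zones; ports are illustrative placeholders
    Rule("management", "trusted", 6160),
    Rule("management", "restricted", 22),
    Rule("trusted", "restricted", 2500),
]
FLOWS = [
    Flow("vbr", "proxy1", 6160, "VBR control traffic to proxy"),
    Flow("vbr", "repo1", 22, "VBR managing the hardened repo over SSH"),
    Flow("proxy1", "repo1", 2500, "backup data from proxy to repo"),
    Flow("proxy2", "repo1", 2500, "same data flow, but via the dual-homed NIC"),
    Flow("proxy1", "san1", 3260, "direct SAN access over iSCSI"),
    Flow("repo1", "vbr", 3389, "repo initiating RDP into management"),
]


def report(hosts=HOSTS, rules=RULES, flows=FLOWS):
    """Combined result: dual-homed hosts plus the classification of each flow."""
    return {"dual_homed": dual_homed(hosts), "flows": check_flows(hosts, rules, flows)}


if __name__ == "__main__":
    r = report()
    print("dual-homed hosts (firewall bypass):", r["dual_homed"])
    for (src, dst, port), status in r["flows"].items():
        print(f"{src:>7} -> {dst:<6} :{port:<5} {status}")
```

Running it shows the proxy1-to-repo1 data flow as "allowed" only because an explicit trusted-to-restricted rule exists, the repo-to-VBR flow as "blocked" (the restricted zone should never initiate into management), and the proxy2-to-repo1 flow as "intra-zone": that is the firewall bypass Hannes warns about, and it is only caught because the dual-homed check lists proxy2 separately.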
gingerdazza
Expert

Re: Firewall Placement

Post by gingerdazza »

I think the document is fine as a concept, but following it through to a low level design with a reference architecture would be a massive help to your customers. I never understand the hesitancy in working with providers to produce LLD Reference Architectures. If you had these for Nutanix, vSAN, Pure, HPE, etc. your customers would be very much empowered and the quality of Veeam deployments would rise, only improving the Veeam brand reputation.