Firewalled Veeam components

[kevdpc]

My Veeam server/repository physical machine, Veeam backup proxy VM, and VM environment are all on different subnets and firewalled.

Veeam B&R server/repository (subnet1)
Veeam backup proxy (subnet2)
VM environment (subnet3)

I believe that jobs would traverse firewall interfaces twice, following the path below. I assume that this would affect performance since traffic is inspected twice.

Veeam B&R server/repository (subnet1) > *firewall* > Veeam backup proxy (subnet2) > *firewall* > VM environment (subnet3)

Is this bad? Is there a best practice?

How do you have your Veeam components laid out?

[PetrM]

Hi Kevin,

At first, you can reduce a number of hops through firewalls by using Virtual Appliance mode: data flow goes from virtual proxy to a repository in Subnet 1, in this case it passes firewall just one time.
However, I would place a backup repository and proxy in the same subnet to exclude completely a firewall. By the way, it makes sense to refer to this section of our best practices guide, it contains tips and tricks for repository hardening.

Basically, if your jobs fit backup window, then the deployment above is not bad even in case of double inspection of backup traffic.

Thanks!