Hello all!
I have recently begun using the Veeam Linux Hardened Repository image, and previously was testing a custom Linux repository. Before this my repositories were simply an NFS connection to an off-the-shelf NAS.
There are several Backup Proxies in the environment, across multiple sites. Each site had/has its own NAS for backups. So naturally I had configured Proxy Affinity settings for each repository to ensure that the locally located proxy would be managing all traffic directly to the local NAS. Firewalls which control network traffic flow between networks/sites allow only the proxies to communicate with each other, and the NAS systems sit in a further segregated network at each site to ensure they are as secure as possible.
Now with the deployment of Veeam Linux Hardened Repository in the environment, I have also configured Proxy Affinity on this new repository. I have placed the Hardened Repository within the segregated network the same as the NAS before it. Local backup jobs have been transferred to this new repository and succeed without issue.
The problem comes with the backup copy job that copies the local backups from the local repository to the remote site's repository. The job fails with an error stating that the other site's backup proxy is unreachable. This initially did not make logical sense because nothing about the network communication between the local proxy and the remote proxy has changed. Then I checked the firewall logs and learned that the Hardened Repository itself was attempting to connect directly to the offsite proxy, therefore ignoring the proxy affinity.
Then there's a backup copy job which copies backups from the remote site to the local repository, which is now the new Linux Hardened Repository. This job also fails with the error that the remote proxy cannot reach the Hardened Repository. Firewall logs confirm that the remote proxy is attempting to connect directly to the Hardened Repository, therefore ignoring the proxy affinity.
Is there a way to configure Veeam to only allow the proxy which is defined in the affinity settings to communicate directly with the Linux Hardened Repository? If not, I question the viability of Linux Hardened Repositories as a secure system. Network segmentation is a core security concept, and behaving counter to that is the antithesis of the core design principle (in my mind) of a Hardened Repository. Never mind the added network configuration complexity this behavior presents, and the simple fact that it ignores proxy affinity settings with no warning and no mention of the behavior in the documentation (as far as I have so far found).
All help and suggestions are appreciated.
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Feb 20, 2025 9:45 pm
-
- Veeam Software
- Posts: 889
- Liked: 160 times
- Joined: Feb 16, 2012 7:35 am
- Full Name: Rasmus Haslund
- Location: Denmark
Re: Linux backup repositories ignore proxy affinity
A backup copy job does not involve a backup proxy (see the user guide here for a nice diagram: https://helpcenter.veeam.com/docs/backu ... ocess.html)
In reviewing the user guide for proxy affinity, it also explains which job types it is applied to here (which does not include backup copy): https://helpcenter.veeam.com/docs/backu ... ml?ver=120
The local site repository is a Linux hardened repository; what about the remote site? Is that also a Linux Hardened Repository, or is it still NFS based?
Rasmus Haslund | Twitter: @haslund | Blog: https://rasmushaslund.com
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Feb 20, 2025 9:45 pm
Re: Linux backup repositories ignore proxy affinity
I see now and understand the absence of mentioning the usage of backup proxy for backup copy jobs.
The remote site does not currently use a Linux Hardened Repository. It is still NFS based.
Is there any way in which Veeam can be configured to direct all traffic through a proxy? Would a WAN Accelerator accomplish this task?
And if not, the question stands, why? Why have Veeam engineers designed the most secured repository type to have direct connections to and from it? This runs afoul of the concept for increasing security in the first place which would imply that you want your repositories to be on a segregated network and not directly connected to by many clients, especially if those clients are (for example) laptops with the Veeam agents.
-
- Veeam Software
- Posts: 889
- Liked: 160 times
- Joined: Feb 16, 2012 7:35 am
- Full Name: Rasmus Haslund
- Location: Denmark
Re: Linux backup repositories ignore proxy affinity
@ConsequenceWestern97: There is no way to direct all the traffic through a "proxy" per se; however, you are correct that a pair of WAN accelerators could be used. If your link is more than 100 Mbit/s, please make sure to configure it to high bandwidth mode: https://helpcenter.veeam.com/docs/backu ... width-mode
Rasmus Haslund | Twitter: @haslund | Blog: https://rasmushaslund.com