-
- Novice
- Posts: 3
- Liked: never
- Joined: Mar 27, 2015 12:32 pm
- Full Name: Miran Munjas
- Contact:
Linux repository placement, SAN?
Hi all,
We'll soon be implementing a new SAN with two vSphere hosts and two shared storages.
We also plan to use linux server as a Veeam repository.
Veeam would be a VM on the vSphere cluster
Question would be, do we place the linux server in SAN with network interface from Veeam VM to SAN? Would this be the best practice perfomanse and protection-wise?
Also, we will need to be able to restore VMs in a DR location. Anyone have any good reads on the topic?
Tnx in advance.
We'll soon be implementing a new SAN with two vSphere hosts and two shared storages.
We also plan to use linux server as a Veeam repository.
Veeam would be a VM on the vSphere cluster
Question would be, do we place the linux server in SAN with network interface from Veeam VM to SAN? Would this be the best practice perfomanse and protection-wise?
Also, we will need to be able to restore VMs in a DR location. Anyone have any good reads on the topic?
Tnx in advance.
-
- Veeam Software
- Posts: 712
- Liked: 168 times
- Joined: Nov 30, 2010 3:19 pm
- Full Name: Rick Vanover
- Location: Columbus, Ohio USA
- Contact:
Re: Linux repository placement, SAN?
Hi Miran - welcome to the Veeam Forum!
Generally speaking - I always advise to have as much separation as possible in the placement of the Veeam infrastructure within a virtualization installation. Meaning - if VMware vSphere is the problem - would that inhibit your ability to restore backups or drive a failover to DR?
So based on what you have here - I would place the Linux Repository as a Linux VM as separate as possible from the to vSphere hosts. This could be a physical server. If that isn't an option - just think through how you would access the storage for a restore if the vSphere environment is not available.
You may also want to consult the Best Practice guide written by Veeam's top architects: https://bp.veeam.expert
Generally speaking - I always advise to have as much separation as possible in the placement of the Veeam infrastructure within a virtualization installation. Meaning - if VMware vSphere is the problem - would that inhibit your ability to restore backups or drive a failover to DR?
So based on what you have here - I would place the Linux Repository as a Linux VM as separate as possible from the to vSphere hosts. This could be a physical server. If that isn't an option - just think through how you would access the storage for a restore if the vSphere environment is not available.
You may also want to consult the Best Practice guide written by Veeam's top architects: https://bp.veeam.expert
-
- Novice
- Posts: 3
- Liked: never
- Joined: Mar 27, 2015 12:32 pm
- Full Name: Miran Munjas
- Contact:
Re: Linux repository placement, SAN?
Hi Rick!
I think I may not have expressed myself the best
On the SAN would be vSphere hosts, two shared storages and a physical linux server which would act as a repository for Veeam
Veeam server would be a VM running on vSphere and shared storage and would store backups on this physical linux server over a SAN interface
Linux server may or may not have an interface to "regular" network.
In this scenario, I believe I would have access to the backups if vSphere hosts fail and would be able to do a failover to DR
So, would it be ok for physical Linux repository to reside in SAN with vSphere and shared storage boxes?
I think I may not have expressed myself the best
On the SAN would be vSphere hosts, two shared storages and a physical linux server which would act as a repository for Veeam
Veeam server would be a VM running on vSphere and shared storage and would store backups on this physical linux server over a SAN interface
Linux server may or may not have an interface to "regular" network.
In this scenario, I believe I would have access to the backups if vSphere hosts fail and would be able to do a failover to DR
So, would it be ok for physical Linux repository to reside in SAN with vSphere and shared storage boxes?
-
- Expert
- Posts: 193
- Liked: 47 times
- Joined: Jan 16, 2018 5:14 pm
- Full Name: Harvey Carel
- Contact:
Re: Linux repository placement, SAN?
Planning for DR tends to be a matter of defining your threat vector and designing appropriately -- are you trying to defend against malware, or just worried a disk in the RAID might go?
You can go the ultra-paranoid route and defend against everything, but just keep in mind that dialing Security up to 11 usually means dialing Usability to 0.
The nice thing about Veeam is that with proxies, you can stick them just about anywhere. Personally, I like the idea of exfiltrating data out of the SAN network, but that's just me. On one site, we do some mojo to disable the backup network when not in use, and also rely a lot on rotated media to ensure we always have something air-gapped. Our SLAs are designed specifically with this in mind, and we fight pretty hard with our clients to explain why we refuse to make the same SLA promises that other providers do (i.e., impossible to guarantee SLAs when malicious actors are considered). Ultimately, yeah, this has lost us business, but they're customers we can do without, I think.
Plan your backups according to the situation you want to prevent. If I were you, I'd give the SAN its own network and the backup infrastructure its own network and just make sure that only a few gatekeeper accounts/paths exist, and watch them heavily.
You can go the ultra-paranoid route and defend against everything, but just keep in mind that dialing Security up to 11 usually means dialing Usability to 0.
The nice thing about Veeam is that with proxies, you can stick them just about anywhere. Personally, I like the idea of exfiltrating data out of the SAN network, but that's just me. On one site, we do some mojo to disable the backup network when not in use, and also rely a lot on rotated media to ensure we always have something air-gapped. Our SLAs are designed specifically with this in mind, and we fight pretty hard with our clients to explain why we refuse to make the same SLA promises that other providers do (i.e., impossible to guarantee SLAs when malicious actors are considered). Ultimately, yeah, this has lost us business, but they're customers we can do without, I think.
Plan your backups according to the situation you want to prevent. If I were you, I'd give the SAN its own network and the backup infrastructure its own network and just make sure that only a few gatekeeper accounts/paths exist, and watch them heavily.
-
- Veteran
- Posts: 370
- Liked: 97 times
- Joined: Dec 13, 2015 11:33 pm
- Contact:
Re: Linux repository placement, SAN?
It sounds like you're trying to backup data on your SAN, to your SAN.... what happens if your SAN then fails?
-
- Veeam Software
- Posts: 712
- Liked: 168 times
- Joined: Nov 30, 2010 3:19 pm
- Full Name: Rick Vanover
- Location: Columbus, Ohio USA
- Contact:
Re: Linux repository placement, SAN?
Ah so Miran - I see now a bit more. I'm thinking that the only shared element between vSphere and the Backup infrastructure would be the SAN itself. That is closer to a great design. I also recommend having backup storage off-site and you mention DR so you are going the right way
-
- Novice
- Posts: 3
- Liked: never
- Joined: Mar 27, 2015 12:32 pm
- Full Name: Miran Munjas
- Contact:
Re: Linux repository placement, SAN?
@csydas
Basically all of it
Yes, I want to be secure in case of a malware attack, that's why I would use linux, place the thing in a SAN and use a separate login that is unique for that machine.
Also, I need to be able to spin things up from a DR site, it's a requirement.
@DaveWatkins
No, I have a separate physical machine on which I would like to store backups
@Rick.Vanover
Yes, vSphere and Backup repository would communicate over SAN, that's all they have in common. Would that be ok or should I separate it further?
Yes, I have a separate backup box (identical to the first one) in DR site and need to be able to restore all VMs there, but thats veeam replication I guess
Basically all of it
Yes, I want to be secure in case of a malware attack, that's why I would use linux, place the thing in a SAN and use a separate login that is unique for that machine.
Also, I need to be able to spin things up from a DR site, it's a requirement.
@DaveWatkins
No, I have a separate physical machine on which I would like to store backups
@Rick.Vanover
Yes, vSphere and Backup repository would communicate over SAN, that's all they have in common. Would that be ok or should I separate it further?
Yes, I have a separate backup box (identical to the first one) in DR site and need to be able to restore all VMs there, but thats veeam replication I guess
Who is online
Users browsing this forum: Majestic-12 [Bot] and 104 guests