CaptinJack
Influencer
Posts: 13
Liked: 1 time
Joined: Sep 30, 2022 1:38 pm
Contact:

Replication on different subnets with hardened linux repo

Post by CaptinJack »

Hi All,
We have a Veeam install on two separate sites with a hardened Linux repo.

The hardened Linux repo is only accessible via the Veeam console instance on each site (private 10Gb NIC from Windows to Linux, not accessible via any network). This is set up on both sites. Both consoles can communicate with each other via VPN.

Backups are working perfectly without any issues.

We are planning to implement site-to-site replication between the two consoles but have come across a stumbling block.

The two Linux repositories are trying to communicate with each other using their isolated IPs to transfer the backup copies, which is obviously not working.

I have tried to implement WAN accelerators to get around this without success.

Does anyone have any suggestions?
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Replication on different subnets with hardened linux repo

Post by Mildur »

Hi Captin

I assume you mean Backup Copy and not Replication. Replication is also possible with Veeam, but I believe it has nothing to do with your question.

Backup Copy data flow is always directly between the source and target repository:
- Source Repository > Target Repository

If you use WAN Accelerators, then the traffic goes like this:
- Source Repository > Source WAN Accelerator > Target WAN Accelerator > Target Repository

Where have you installed the WAN Accelerator?

Thanks
Fabian
Product Management Analyst @ Veeam Software

Post by CaptinJack »

Hi Fabian,
Yes sorry, backup copy.

We have installed WAN Accelerator at both sites on the Veeam Console servers.

Post by Mildur »

To understand your scenario:
You installed Veeam Backup & Replication on a machine in both datacenters.
Then you have a Linux Hardened Repository on both sites, connected to that Veeam Backup & Replication machine.

Site 1:
- VBR-Server-1
- Hardened-Repo-Server-1

Site 2:
- VBR-Server-2
- Hardened-Repo-Server-2

A Backup Copy cannot be done in this scenario from Hardened-Repo-Server-1 to Hardened-Repo-Server-2. Backups on a Hardened Repository Server can only be written from a single backup server.
VBR-Server-1 will never be able to write backups to Hardened-Repo-Server-2.
VBR-Server-2 will never be able to read backups from Hardened-Repo-Server-1.

You should have only 1 single Backup Server and make the Hardened Repository accessible over the network. You can use a dedicated VLAN and subnet. Protect it with a firewall, so that you can't access it from any other server or client. Both Hardened Repositories must be added to the same backup server.

Thanks
Fabian
Product Management Analyst @ Veeam Software

Post by CaptinJack »

Hi Fabian,
Thanks for the explanation. This makes sense.

Unfortunately, it is a requirement from the customer to have two separate consoles (they wish to have a third in Azure at a later date, but I won't confuse matters for now!).

So, looking at your reply, the best option would be to introduce a second Hardened Repo Server at each site which is accessible via the network for the sole purpose of hosting backup copies from the source site.

VBR-Server-1 to Hardened-Repo2-Server-2.
VBR-Server-2 to Hardened-Repo2-Server-1.

Would this be possible?

Thanks

Post by Mildur »

You're welcome.
> to have two separate consoles

May I ask what you are referring to with multiple consoles? The console is a management GUI, which you can install on multiple systems to manage the backup server. The console is not a backup server.

If you mean "console" = "backup server", then this design gets really complicated. In my opinion, the second Veeam backup server isn't really necessary. Also a third Veeam Backup Server in Azure will make it even more complex. There is no real benefit from that.
A third copy in Azure should only be an offload to the capacity tier. In case your customer loses the on-premises infrastructure, he can deploy a new backup server in the cloud and reconnect to the Azure Blob capacity tier or import the configuration backup. This allows him to restore his entire machines directly as cloud VMs. The configuration backup can also be used to restore the configuration to the second backup server in the second site.

Does the customer have production workloads in both datacenters? About how many VMs are we talking?
I suggest you talk to the customer again. It's building a network design against buying/building another 2 physical hardware servers and 2x WAN Accelerators on each side and a second VBR server. I'm not a network specialist, but it looks much easier to have an isolated subnet than building a complex environment with additional servers.

Thanks
Fabian
Product Management Analyst @ Veeam Software

Post by CaptinJack »

Hi Fabian,
Yes console = backup server.

There are production workloads in both DCs.

Both DCs have an isolated backup network with a further isolated hardened Linux repo only accessible by the local backup server.

I completely agree, it is far overcomplicated. But this is the requirement from the customer upon recommendation from 'Cyber Security'.

There are about 60 VMs in total across both sites. Each site essentially has two DCs which are isolated, but the backup network connects to both.

We won't be buying additional hardware as it's virtualised.

Post by Mildur »

Hi Jack

Best to run a PoC with the WAN Accelerators.
- Source WAN Accelerator must have access to the source repository.
- Target WAN Accelerator must have access to the target repository.
- Backup server must have access to both WAN Accelerator and repositories.

May I ask, if it's all virtualized, do you use a dedicated hypervisor for the backup infrastructure? Running production and backup workloads on the same hypervisor requires additional security hardening. Even if it's only the backup server or the WAN Accelerator, a vCenter admin could reset the local administrator password and get administrative access to the VM operating system. Especially if you have the Linux server as a VM. It doesn't take longer than 15 minutes to get root access and delete all backups.

Thanks
Fabian
Product Management Analyst @ Veeam Software

Post by CaptinJack »

Hi Fabian,
Yes, dedicated hypervisors are being used for backups. They are totally isolated from the production network via a firewall.
The VMware console is only accessible via a VM running on the hypervisor or by physically plugging into the backup network.

The VM where Veeam is installed is firewalled off so no production network traffic can reach it.

Thanks

Post by CaptinJack »

OK, so I appear to be having issues with the traffic flow, which is confirmed by firewall logs. I have created the below to visualise it. The target Linux repository is trying to directly access the source repository, completely bypassing the WAN accelerators.

Any ideas what could be causing this?

What is happening


Site A                                             Site B
172.60.1.x                10.0.0.x                 10.0.1.x            10.0.1.x
Linux Source ------------ Source WAN Accell        Target WAN Accell --- Target Linux Repository
 ^                                                                          /
  \----------<------------<-----------<------------------------------------/



What should happen


Site A                                                         Site B
172.60.1.x                10.0.0.x                             10.0.1.x              10.0.1.x
Linux Source ------------ Source WAN Accell       <----->      Target WAN Accell --- Target Linux Repository
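
Added example, not part of the original posts and not Veeam tooling: a small Python check that classifies firewall log flows against the paths described in this thread and flags repository-to-repository traffic that skips the WAN accelerators. The host addresses (only the subnets come from the diagrams), the backup server address, the log line format and all function names are assumptions made for illustration.

```python
import re

# Constructed host addresses. Subnets follow the diagrams above; the target
# accelerator and repository share 10.0.1.x, so roles are mapped per host.
ROLES = {
    "172.60.1.10": "source_repo",
    "10.0.0.10": "source_wan",
    "10.0.1.10": "target_wan",
    "10.0.1.20": "target_repo",
    "10.0.0.5": "backup_server",   # assumed address, not given in the thread
}
# Pairs that may talk to each other (either direction), per the thread.
ALLOWED = {frozenset(p) for p in [
    ("source_repo", "source_wan"), ("source_wan", "target_wan"),
    ("target_wan", "target_repo"), ("backup_server", "source_wan"),
    ("backup_server", "target_wan"), ("backup_server", "source_repo"),
    ("backup_server", "target_repo"),
]}
FLOW = re.compile(r"src=(\S+)\s+dst=(\S+)\s+action=(\S+)")

def classify(line):
    # Map one log line to roles and a verdict; None if the line has no flow.
    m = FLOW.search(line)
    if not m:
        return None
    src, dst, action = m.groups()
    pair = (ROLES.get(src, "unknown"), ROLES.get(dst, "unknown"))
    if frozenset(pair) in ALLOWED:
        verdict = "expected"
    elif set(pair) == {"source_repo", "target_repo"}:
        verdict = "bypass"       # repo-to-repo, skipping both accelerators
    else:
        verdict = "unexpected"   # unknown host or a pair not on the path
    return {"src": pair[0], "dst": pair[1], "action": action, "verdict": verdict}

def audit(lines):
    # Return only the flows that are not on the intended path.
    return [r for r in map(classify, lines) if r and r["verdict"] != "expected"]

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = [
    "t=1 src=10.0.0.10 dst=172.60.1.10 action=allow",
    "t=2 src=10.0.0.10 dst=10.0.1.10 action=allow",
    "t=3 src=10.0.1.20 dst=172.60.1.10 action=deny",
    "t=4 src=10.0.1.99 dst=10.0.1.20 action=deny",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
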

Post by CaptinJack »

Working with support on this now, who have confirmed that what we are trying to achieve should work. Will keep people posted on the final outcome.

Post by Mildur »

Thank you.
Could you maybe provide the case number, so I can follow the case from our side (PM)?

Thank you
Fabian
Product Management Analyst @ Veeam Software

Post by CaptinJack » 1 person likes this post

Sure, sent you the ticket number.

Post by Mildur »

Thank you
Product Management Analyst @ Veeam Software