Security "Use an isolated backup network" recommendation

[evilaedmin]

Hello,

The documentation has the following recommendation:

Isolate backup traffic. Use an isolated network to transport data between backup infrastructure components — backup server, backup proxies, repositories and so on.

This seems like a fine recommendation, but how should one operationalize this in the context of Veeam? For example, there is no support for multihomed hotadd proxies, so how would one 'isolate' the 'network to transport data' between proxies?

My understanding is there is no support for using alternate names/addresses for ESXi hosts, so for example if vCenter reports hosts as 'host.fqn' and an alternate management interface exists within the environment at 'host.fqdn.backup' there is no way to make Veeam B&R aware of this alternate isolated interface without munging /etc/host files?

Thank you kindly, any further reading on the topic (specific to VBR) will be welcome.

[nitramd]

One thing is that you have an entirely separate network just for backups which suggests (physical) NICs, switches, routers, etc. At VeeamON a couple of years ago, a participant mentioned that he finally convinced his company to install a separate network just for backups - the company had geographically dispersed sites. But this would be an expensive option.

I have proxies that have several (virtual) NICs and it works well - think routing. In your scenario, and to keep it simple, the Veeam infrastructure have 2 NICs, one to pull VM data and the other for Veeam.

Sounds like an experiment if you can swing it.