Surebackup isolated network not isolated?

[mcwill]

I'm not sure if this is a misunderstanding on my part or a failure to tick the appropriate setting in configuration, helpful advice would be appreciated.

We have a small DR test configured as a Surebackup/Sandbox job, this spins up 4 replicas at DR and leaves them running for us to perform manual application level checks. During the last run-through there was definite evidence that traffic originating from a VM in the isolated network was hitting a production server.

Shouldn't this traffic have been firewalled by the helper VM?

(In this case an MS Lync Client was attempting to start and connect to our Lync Server, whilst it was doing this the Production Lync server was showing the associated user flickering between idle and active indicating it was seeing the start of the login conversation.)

Thanks
Iain

[chrisdearden]

Is it possible that you allow internet access to your virtual lab and lync connected via an external gateway?

[mcwill]

Hi Chris,

No, the Internet Proxy option in the Virtual Lab is un-ticked. Thanks for the suggestion though.

Iain

[nefes]

We haven't seen such a behavior in our lab, and it definitely should not happen. Could you please open a support case to investigate it?

[mcwill]

Thanks Nikita,

I have just done so, case #00744411.

I've been looking more closely and it looks like the Veeam isolated dv Network is attached to the dv Switch uplinks, that doesn't look correct to me.

Regards,
Iain

[nefes]

Am I correct, that you use Advanced Multi-Host configuration in your lab?
If so, your portgroup on dVS should be definitely isolated from production by yourself.
It can be done either by dedicated vLAN ID, or by physical isolation of switch uplinks.

In this configuration we need to use uplinks for the case when your lab is located on one host, and some of VMs being tested located on another one.

[mcwill]

Hi Nikita,

Yes we utilize dVS so the only option is Advanced Multi-Host I believe?

So the isolated network created for the above is not by default isolated and instead connected to the production network?

Thanks,
Iain

[nefes]

First question is: do you use SureBackup with backups or replicas? If second, are all of your replica targets located on same host?
The only case when you need Multi-Host configuration is when your replicas located on differen target hosts, and you need to run that replicas in the same SureBackup job.
If it is not your case - you could freely switch to Single-Host configuration, that will make isolated networks on Standard Switch and traffic will never leave that network and that host.

If you need Multi-Host configuration, the only way to achieve it is via dVS. To make all VMs in job see each other, you need dVS that is connected to all your hosts. So traffic will definitely need to leave the host via dVS uplink.
There are two ways to isolate that traffic from Production: first is to physically isolate that uplinks from production, and second is to set vLAN ID to that portgroup, and isolate that traffic from production by filtering that vLAN ID on your network hardware, so the traffic should go only to the dVS uplinks on another hosts and not go to the production. I believe, our user guide states that.

If you need additional clarification - please ask your questions. You also could ask support to help you with configuration in your case.

[mcwill]

Hi Nikita,

This is replicas all on a single host with dvs setup. (10GB Networking at DR so dvs is worthwhile in this config)

The manual appears to indicate that for a dvs setup, the only available option is the Advanced Multi Host config and it does appear that this defaults to configuring the isolated dv portgroup with active uplinks to the production dvs.

Now that I know this is the case I can remove these uplinks and everything should be fine but it does strike me as odd that the isolated network defaults to this state. We were fortunate to test this at our DR site so the effects were minimal, had this occurred at our production site it could have been very messy.

Regards,
Iain

[nefes]

It is quite strange for me that you don't see Single-Host configuration available, we'll take a look at it, probably there's some GUI glitch in wizard.
Thanks for heads up, hope all will work for you now.