DaxUK
Influencer
Posts: 13
Liked: 1 time
Joined: Aug 25, 2011 7:45 am
Full Name: David Wells

Veeam Replication in a multi-tenant vCloud environment

Post by DaxUK » 1 person likes this post

We are attempting to set up Veeam Replication in a multi-tenant environment.
We are a vCloud Service provider and we are looking to set up replication from our client environments into our vCloud environment.
As you can expect, our clients want to give us the least expansive permissions possible to enable us to replicate their VM into our environment and to replicate back in the case of DR.

Our Current Setup for testing:

• Source Backup Proxy created within the client's vSphere infrastructure with access to the client's vCenter Server
• Target Backup Proxy within our vCloud Environment with access to our vCenter server.
• Veeam Backup and Replication server within our environment with access to our vCenter server and the client's vCenter server with user role as configured below.
• Permissions based from http://forums.veeam.com/viewtopic.php?f ... ons#p54761
• Using the vStorage API - Virtual Appliance mode (Replication) set of permissions
• Role based on above permissions assigned at the Datacenter level
o We tried assigning this to cluster and host level, including assigning permissions individually on DataStores, Networks, Resource Pools and Folders however we could not get the replication to work at all.
• We have assigned “No Access” permission to various resources we don’t need access to
• In this setup we have successfully managed to get Replication working from our client test environment to our production vCloud infrastructure.

As you can imagine, in the case of a standard client, requiring permissions at such a high level and then denying access using the “No Access” role is highly problematic due to the following issues:

• We have a high level of access into their vSphere environment
• On creating new resources they need to deny access using the “No Access” role or information leakage may occur

Therefore we need to know if there is any way in which we can negate the level of access we have into the client’s infrastructure and configure the most restrictive permissions and still get this working. Any thoughts, tips or advice would be greatly received.

Regards
Dave
Vitaliy S.
VP, Product Management
Posts: 27117
Liked: 2720 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Veeam Replication in a multi-tenant vCloud environment

Post by Vitaliy S. »

DaxUK wrote: We tried assigning this to cluster and host level, including assigning permissions individually on DataStores, Networks, Resource Pools and Folders however we could not get the replication to work at all.
You should be applying these permissions on a datacenter level, not on individual hosts and clusters. In this case everything should work fine.
steves
Novice
Posts: 5
Liked: never
Joined: Aug 22, 2011 2:50 pm
Full Name: Stephen Shellswell

Re: Veeam Replication in a multi-tenant vCloud environment

Post by steves »

Hi Vitaliy,

We have a situation where for various reasons the source vCenter permissions need to be as restrictive as possible. An ideal scenario is where we can only see VMs that we need for replication, and they are grouped into a specific resource pool. We have found that we can get replication to work with these permissions in the source vCenter:

• Configure RO on hosts
• Configure the VEEAM-Replication permissions on Resource Pool, network (dvSwitch via a folder) & Datastore that apply to the VMs; no relevant permissions configured in the VMs & Templates folder structure.
• VEEAM-Replication on Proxy VM

However, we are not sure if these permissions will work reliably - we did see a CBT error in one case that we overcame by temporarily raising the permissions to Administrator and then lowering them again. Can you see an issue in using these more restrictive permissions? Do you think the one-time CBT issue could have been related to the permissions being configured on these objects (rather than at the Datacenter)?

Thanks
Vitaliy S.
VP, Product Management
Posts: 27117
Liked: 2720 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Veeam Replication in a multi-tenant vCloud environment

Post by Vitaliy S. »

Hi Stephen,

In my case, when I was researching the permissions list required, I could only make it work when the restricted security role was assigned on a datacenter level (vStorage API didn't seem to work otherwise). If there was a reliability problem with CBT, then you would have seen this error across all VMs being backed up, right?

What kind of CBT error did you have? Can you tell me the exact error message?

Thanks!
steves
Novice
Posts: 5
Liked: never
Joined: Aug 22, 2011 2:50 pm
Full Name: Stephen Shellswell

Re: Veeam Replication in a multi-tenant vCloud environment

Post by steves »

Hi Vitaliy,

Thanks for the swift thoughts. At this stage we are trying to prove the replication with limited permissions and so only had one VM replicating anyway. In terms of the CBT error - I have searched but cannot find it. Since we don't get it every time with these permissions configured, then it can't have been a direct consequence of the permissions.

Whilst the replication works with the more restricted permissions listed in the previous post, can you see any issues in using these limited permissions in a live deployment? If you have any thoughts, or other things I should consider with the limited permissions, that would be much appreciated.

Thanks in advance
tsightler
VP, Product Management
Posts: 6011
Liked: 2843 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: Veeam Replication in a multi-tenant vCloud environment

Post by tsightler »

I would test carefully things like failover, Re-IP (if required in your environment), failback, etc.
steves
Novice
Posts: 5
Liked: never
Joined: Aug 22, 2011 2:50 pm
Full Name: Stephen Shellswell

Re: Veeam Replication in a multi-tenant vCloud environment

Post by steves »

Vitaliy S. wrote: I could only make it work when restricted security role was assigned on a datacenter level (vStorage API didn't seem to work otherwise)
We also found that the Read Only access on the hosts was necessary for it to work, because it was using the vStorage API.
Vitaliy S.
VP, Product Management
Posts: 27117
Liked: 2720 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Veeam Replication in a multi-tenant vCloud environment

Post by Vitaliy S. »

Well, CBT can be reset for multiple reasons (at least I've seen that happen for some of our customers), and all of them were using an admin account to connect to their vCenter Server. The permissions list I've created did work in many live deployments. Usually these permissions were required for service providers, and as you can see from the topic above, there are no posts saying that something doesn't work. Moreover, today one of your community members has confirmed that everything works just fine for him, at least for replication jobs.

Hope this helps!
mbreitba
Enthusiast
Posts: 85
Liked: 8 times
Joined: Jun 11, 2012 3:17 pm

Re: Veeam Replication in a multi-tenant vCloud environment

Post by mbreitba »

Just out of curiosity - I've looked at this and almost tried to implement this on our systems as well, but I feel as though there are security risks when you start introducing multiple users into that scenario, and I'd like to get your thoughts on that.

The way I see it, you would have proxy servers dedicated to each client, but you would still have one central Veeam Backup and Recovery server. That server could possibly be a gateway from one customer to another, could it not? If one customer gained access to the Central Backup and Recovery server, could they not then access pretty much anyone else's vCenter system, and (possibly) cause havoc, or at a minimum, access data that they are not supposed to access?
Vitaliy S.
VP, Product Management
Posts: 27117
Liked: 2720 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Veeam Replication in a multi-tenant vCloud environment

Post by Vitaliy S. »

True, but you can provision dedicated Veeam B&R servers for each client and limit the access to your VI through the granular permissions I've mentioned above. Once you assign Veeam B&R for every customer, you can install Backup Enterprise Manager to have a single view across all managed backup servers.
karlochacon
Enthusiast
Posts: 51
Liked: never
Joined: Mar 21, 2012 5:43 pm
Full Name: Carlos Chacon

Re: Veeam Replication in a multi-tenant vCloud environment

Post by karlochacon »

Hi DaxUK,

One question: so you are saying that every customer will have restricted access to your vCenter infrastructure, right?

Right now we are trying to set up the same thing for 2 customers: one is for Veeam and the other is for VMware Replication.

But the thing is, our network team says they don't allow customers to get, touch or know about the management network for vCenter/ESXi...

But from what I understand, you are doing it but restricting permissions to vCenter level, so the user knows your vCenter IP but won't know about other VMs being replicated or hosted in your vCenter environment? Am I correct?

Thanks a lot
foggy
Veeam Software
Posts: 21070
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Veeam Replication in a multi-tenant vCloud environment

Post by foggy »

Yes, your understanding is correct.