Host-based backup of VMware vSphere VMs.
Post Reply
BLWL
Enthusiast
Posts: 35
Liked: 41 times
Joined: Jan 27, 2015 7:24 am
Full Name: Bjorn L
Contact:

Move Veeam to a new environment - poke a hole in my plan - PART 2!

Post by BLWL »

Hi again,

So, we are rebuilding our backup infrastructure in more segmented network, new AD domain etc. I got some good advise from @foggy in my first thread: Move Veeam to a new environment - poke a hole in my plan!

One thing I forgot to mention was since we are moving from NetApp storage (storage integrated snapshots) to Nutanix, we'll need to change transport mode. This requires some additional planning. According to Nutanix Best Practice for Veeam, NFS direct is strongly recommended. Network transport mode is only used if NFS direct fails for some reason.

Since we want to build more segments, or referred to as zones in VBR Infrastructure Hardening Guide. In that guide ESXi hosts, Proxy, Repos and Nutanix Control VM (CVM) should reside on the same network (page 16). I can see that this is of course for performance and reliability to not traverse a firewall.

Having Veeam Proxy/Repo, ESXi hosts and Nutanix CVM share same VLAN network is fine for us. Let's call it "Virtual Infra Network"

Question:
Can I place Veeam Management server and vCenter in their own network segment, "Virtual Management Network"? Also, Prism Central (Nutanix management) will be placed there.

Is this placement recommended from a security and performance perspective?

EDIT: For a diagram over the discussed setup, please see: https://imgur.com/wcLdTQv. I want to add an additional network for vCenter, VBR mgmt for exaple on 10.10.15.0/24 network.

Let me know if I am not clear!

Thanks! :)
ejenner
Veteran
Posts: 636
Liked: 100 times
Joined: Mar 23, 2018 4:43 pm
Full Name: EJ
Location: London
Contact:

Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!

Post by ejenner »

Provided you have the required ports open and any necessary NAT'ing the management server can be anywhere.

What I'd think about when deciding where to place it is whether or not you'll be able to log onto it in certain kinds of DR scenarios. For instance, if you've configured it using domain credentials and you don't know those local credentials that is a potential pitfall. Another possible consideration is whether or not the server could be rebuilt from the configuration backup at other site or on another server if you had to. Where do you store your configuration backup? Is it always going to have access to the repositories or could an outage stop you from recovering your network? How many failure points are there? A firewall is a potential weak point if it doesn't have redundancy.
BLWL
Enthusiast
Posts: 35
Liked: 41 times
Joined: Jan 27, 2015 7:24 am
Full Name: Bjorn L
Contact:

Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!

Post by BLWL »

Hi!

Good points, thanks! Then I _think_ we check most boxes there, but it's always good to revise availability.

- Currently using domain credentials, but I will go with the recommendations in the Infrastructure Hardening Guide, stand alone.
- Config backup is stored on DR site
- Veeam server resides on a active/active metro cluster storage, so availability is pretty good
- Backup copies resides on a third site, network is a full mesh "triangle" so it should be available (or we can just move it to DR site in 1-2 hours of time)
- Firewalls are spanned over two sites too

Weak points I'll have to think about.

Thanks again.

BR
BL
BLWL
Enthusiast
Posts: 35
Liked: 41 times
Joined: Jan 27, 2015 7:24 am
Full Name: Bjorn L
Contact:

Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!

Post by BLWL »

The repositories must change IP as well.

Any thoughts on that?

Is it still the powershell script used in https://www.veeam.com/kb1905?
veremin
Product Manager
Posts: 20400
Liked: 2298 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!

Post by veremin » 1 person likes this post

If you need to update IP of managed server hosting repository role, then, yes, you need to use the script mentioned in the KB article - just checked, it still works as expected. Thanks!
BLWL
Enthusiast
Posts: 35
Liked: 41 times
Joined: Jan 27, 2015 7:24 am
Full Name: Bjorn L
Contact:

Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!

Post by BLWL »

Great, thanks!
veremin
Product Manager
Posts: 20400
Liked: 2298 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Move Veeam to a new environment - poke a hole in my plan - PART 2!

Post by veremin »

You're welcome. Feel free to reach us, if other help is needed. Thanks!
Post Reply

Who is online

Users browsing this forum: Dima P., ECB34, Google Feedfetcher, mbrzezinski, Mildur and 87 guests