Move Veeam to a new environment - poke a hole in my plan - PART 2!

[BLWL]

Hi again,

So, we are rebuilding our backup infrastructure in more segmented network, new AD domain etc. I got some good advise from @foggy in my first thread: Move Veeam to a new environment - poke a hole in my plan!

One thing I forgot to mention was since we are moving from NetApp storage (storage integrated snapshots) to Nutanix, we'll need to change transport mode. This requires some additional planning. According to Nutanix Best Practice for Veeam, NFS direct is strongly recommended. Network transport mode is only used if NFS direct fails for some reason.

Since we want to build more segments, or referred to as zones in VBR Infrastructure Hardening Guide. In that guide ESXi hosts, Proxy, Repos and Nutanix Control VM (CVM) should reside on the same network (page 16). I can see that this is of course for performance and reliability to not traverse a firewall.

Having Veeam Proxy/Repo, ESXi hosts and Nutanix CVM share same VLAN network is fine for us. Let's call it "Virtual Infra Network"

Question:
Can I place Veeam Management server and vCenter in their own network segment, "Virtual Management Network"? Also, Prism Central (Nutanix management) will be placed there.

Is this placement recommended from a security and performance perspective?

EDIT: For a diagram over the discussed setup, please see: https://imgur.com/wcLdTQv. I want to add an additional network for vCenter, VBR mgmt for exaple on 10.10.15.0/24 network.

Let me know if I am not clear!

Thanks!

[ejenner]

Provided you have the required ports open and any necessary NAT'ing the management server can be anywhere.

What I'd think about when deciding where to place it is whether or not you'll be able to log onto it in certain kinds of DR scenarios. For instance, if you've configured it using domain credentials and you don't know those local credentials that is a potential pitfall. Another possible consideration is whether or not the server could be rebuilt from the configuration backup at other site or on another server if you had to. Where do you store your configuration backup? Is it always going to have access to the repositories or could an outage stop you from recovering your network? How many failure points are there? A firewall is a potential weak point if it doesn't have redundancy.

[BLWL]

Hi!

Good points, thanks! Then I _think_ we check most boxes there, but it's always good to revise availability.

- Currently using domain credentials, but I will go with the recommendations in the Infrastructure Hardening Guide, stand alone.
- Config backup is stored on DR site
- Veeam server resides on a active/active metro cluster storage, so availability is pretty good
- Backup copies resides on a third site, network is a full mesh "triangle" so it should be available (or we can just move it to DR site in 1-2 hours of time)
- Firewalls are spanned over two sites too

Weak points I'll have to think about.

Thanks again.

BR
BL

[BLWL]

The repositories must change IP as well.

Any thoughts on that?

Is it still the powershell script used in https://www.veeam.com/kb1905?

[veremin]

If you need to update IP of managed server hosting repository role, then, yes, you need to use the script mentioned in the KB article - just checked, it still works as expected. Thanks!

[BLWL]

Great, thanks!

[veremin]

You're welcome. Feel free to reach us, if other help is needed. Thanks!