Replication over NAT (Internet)

VMware specific discussions

Re: Replication over NAT (Internet)

Veeam Logoby Sorenemig » Wed Jan 09, 2013 10:29 am

foggy wrote:
Sorenemig wrote:Rustam, okay this might do the trick. Is it only the two proxy roles that needs to be able to communicate between the sites?


Don't forget that both proxies need access to the backup server also. Here is the thread discussing all the required connections in case of offsite replica.


But, Isn't that one of the changes in veeam 6.5?

"Improved NAT support. Control whether the source backup proxy server or the backup repository/
target backup proxy server establishes network connectivity. This is helpful when deploying Veeam
Backup & Replication in a network with NAT and firewalls"
Sorenemig
Novice
 
Posts: 9
Liked: never
Joined: Sat Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

Veeam Logoby foggy » Wed Jan 09, 2013 10:51 am

No, this point refers to the communication between agents only (specifically, the "Run server on this side" check box). Connection between backup server and agents is still required.
foggy
Veeam Software
 
Posts: 14746
Liked: 1083 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Replication over NAT (Internet)

Veeam Logoby Sorenemig » Wed Jan 09, 2013 12:07 pm

Again, Thanks for all the help :)

Foggy, Keep in mind that we allow established return traffic:

your quote:
1. "Veeam backup server should have access to vCenter server, ESX(i) hosts and both source and target backup proxies." : This is the direction where we allow traffic, so this is ok right?
2. "Source backup proxy should have access to the backup serve Source host, and target proxy" : source -> source = same network and source -> target proxy is the allowed direction and with 6.5 we can dedicate a "server side"
3. "While target proxy should have access to the backup server, source proxy, and target host (connection to vCenter is not required for proxies)" : OK could be a problem... if the target proxy needs to initiate the connection to the backup server. If it's only established return traffic it should work. Do you know if this is the case?

If the target proxy is initiating the connection to the backup server I could allow some specific ports, but I'm not happy about it. If I dont trust the target network, would this be ok?
Sorenemig
Novice
 
Posts: 9
Liked: never
Joined: Sat Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

Veeam Logoby foggy » Wed Jan 09, 2013 1:36 pm

Sorenemig wrote:If the target proxy is initiating the connection to the backup server I could allow some specific ports, but I'm not happy about it. If I dont trust the target network, would this be ok?

Connection to agents is initiated from the backup server side.
foggy
Veeam Software
 
Posts: 14746
Liked: 1083 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Replication over NAT (Internet)

Veeam Logoby Sorenemig » Thu Jan 10, 2013 7:47 am

Thanks :) It should work as I see it.

To summarize, site-to-site VPN with filters that allow traffic from production to remote site and "established" return traffic, two proxy with the remote proxy set as "server side".

If there is consensus about the above it will justify the effort of building this in a lab.
Sorenemig
Novice
 
Posts: 9
Liked: never
Joined: Sat Jan 05, 2013 4:16 pm
Full Name: Søren Emig

[MERGED] Private vCenter IP and Veeam Replication

Veeam Logoby karlochacon » Mon Apr 21, 2014 3:50 am

hi guys

We have a datacenter and one partner wants to replicate their VMs using Veeam Replication....of course we for security reason won't publish our vCenter IP so our partner can connect the Vmware replication appliance...

so what is the way to go NAT vCenter IP so our partner can see vCenter IP as it is in their on Network?

let's says partner Network

10.10.10.x
Their vCenter and Vmware Replication: 10.10.10.20 and 10.10.10.21

our DataCenter Network is 192.168.10.x and our vCenter is 192.168.10.11 and ESXi 12 - 13 and 14.

so Network team makes a NAT for our vCenter like 10.10.10.30 so our partner can replicate?
is that possible? is that the way to go? will replication work? any workaround or recommendation?

thanks a lot
karlochacon
Enthusiast
 
Posts: 35
Liked: never
Joined: Wed Mar 21, 2012 5:43 pm
Full Name: Carlos Chacon

Re: Private vCenter IP and Veeam Replication

Veeam Logoby karlochacon » Mon Apr 21, 2014 2:46 pm

well someone sent me this, well it's for Vmware Replication but I think since it refers to vCenter too, it's not a good idea to NAT this kind of enviroment

http://kb.vmware.com/selfservice/micros ... Id=2018470

looks kinda convincing this part
If NAT is used in the VR environment, all VR components must be excluded from the NAT. All VR components must be able to communicate with each other using either internal addresses or external addresses.

so any workaround?
karlochacon
Enthusiast
 
Posts: 35
Liked: never
Joined: Wed Mar 21, 2012 5:43 pm
Full Name: Carlos Chacon

Re: Replication over NAT (Internet)

Veeam Logoby foggy » Tue Apr 22, 2014 11:31 am

Carlos, basically for the replication to work, you need to add the target vCenter to the Veeam B&R console (either using public IP or via publishing it over NAT) and make all other required communications possible. You may find some related considerations in the thread above. Thanks.
foggy
Veeam Software
 
Posts: 14746
Liked: 1083 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

[MERGED] Can Veeam overcome this? Replication as a Service

Veeam Logoby karlochacon » Sat May 24, 2014 6:19 am

hi

I want to know if Veeam has the same restriction as Vmware Replication

We have a Datacenter, in fact 7 in different countries in Latin America and customer started asking for Replication as a service.... but this is what is happening

Our datacenters are usually 1 vCenter and 4 ESXi hosts, we normally create VMs that customers need and that's it so far, we manage all the environment so all networking to manage vCenter and ESXi is private, our customer use site to site VPNs or something to communicate to their VMs in our Datacenters....they don't have access to let's say "our internal management network"

but when talking about replication I think we have some problems with that service since Vmware Replication needs to contact vCenter IP, so creating the pair for replication the customer will need to have access from his Vmware replication to our vCenter....

I was thinking about NAT our vCenter IP for every customer that needs Replication but I am reading Vmware Replication does not work really well with NAT idea how to manage this?

So when using Veeam to replicate from multiple tenants to our Veeam in our Datacenter, will the Veeam Server located at the customer site need access to our "private vCenter IP"?

or how is Replication as a Service used in Veeam?

thanks a lot
karlochacon
Enthusiast
 
Posts: 35
Liked: never
Joined: Wed Mar 21, 2012 5:43 pm
Full Name: Carlos Chacon

[MERGED] Veeam proxy and NAT support

Veeam Logoby karlochacon » Wed Jun 18, 2014 9:33 pm

hi guys

In our Datacenter we provide some Replication as a service.

So the network Team creates an Internal and External communication for VMs, in this case for a Customer we need an internal IP like 10.5.10.x and for external (customer segment) 192.168.100.x so some network translation needs to be done.

in this scenario the Windows Proxy Veeam VM is going to have an internal like 10.5.10.50 and a external so this Veeam Proxy will communicate with Veeam Server at the customer premises.

so in this scenario is Veeam Supported?

thanks
karlochacon
Enthusiast
 
Posts: 35
Liked: never
Joined: Wed Mar 21, 2012 5:43 pm
Full Name: Carlos Chacon

Re: Replication over NAT (Internet)

Veeam Logoby Vitaliy S. » Sun Jun 22, 2014 12:56 pm

If your backup server can reach target VMs/proxy and repository over their external IP addresses, then it should work. In your case NAT configuration should be required.
Vitaliy S.
Veeam Software
 
Posts: 19566
Liked: 1104 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

[MERGED] Veeam - NAT Supported?

Veeam Logoby Berniebgf » Tue Aug 19, 2014 11:19 pm

Hello,

I have been looking through the forum for information on support for leveraging NAT within a Veeam environment, I have found mixed responses with the overall feeling that it is not recommended / not supported / don't bother.

I would like some clear clarification on this subject, does Veeam support NAT configurations?

Specifically for the following configuration.

1. Site A - Veeam Backup and Admin Server / Proxy and Destination ESXi Host \
Address Translation between sites.... (Masquerade IP's used)
2. Site B - Veeam Proxy and Source VMware ESXi Hosts

My personal opinion is not to leverage this setup, however I need clear guidance from Veeam / SME's so I can feed the "Veeam communities" opinion back to my client.

thanks

Bernie.
Berniebgf
Service Provider
 
Posts: 89
Liked: 9 times
Joined: Wed Sep 01, 2010 11:36 pm
Full Name: Bernard Tyers

Re: Replication over NAT (Internet)

Veeam Logoby foggy » Wed Aug 20, 2014 8:55 am

Bernard, in your scenario NAT configuration is supported, please see considerations above. Thanks.
foggy
Veeam Software
 
Posts: 14746
Liked: 1083 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Replication over NAT (Internet)

Veeam Logoby Berniebgf » Wed Aug 20, 2014 12:40 pm

Hi Foggy,

With much respect;

I have read through this thread (and many others), one comment will be questions, the next one negative comments RE: NATing, no real answers. In other threads I see SME's (many posts) saying DON'T do NAT with Veeam....

Is there any "Official" stance by Veeam on NATing? over "it should work"? Is there any official documentation on how to configure Veeam to work with NAT'ing? Maybe a "Best practice / setup" guide for NAT configurations?

Thanks

Bernard.
Berniebgf
Service Provider
 
Posts: 89
Liked: 9 times
Joined: Wed Sep 01, 2010 11:36 pm
Full Name: Bernard Tyers

Re: Replication over NAT (Internet)

Veeam Logoby tsightler » Wed Aug 20, 2014 1:26 pm

It is certainly possible to get Veeam to work over NAT, I've helped several service providers configure NAT connections with their customers, but it does involve some significant challenges. Primarily, endpoints have to be added by host names and you must configure DNS and/or host tables so that systems resolve the "NAT" addresses and not the original addresses of the hosts in question. You can also leverage the advanced "Run server on this side" option to change the direction which connections are made.

At one point this question came up often and I was going to make a guide, however, for whatever reason, I rarely get this question anymore, perhaps because most providers are using VPN without NAT since Veeam traffic is not encrypted in current versions, but it will work with NAT if everything is setup correctly. The logs can be quite useful in determining the exact setup required.
tsightler
Veeam Software
 
Posts: 4769
Liked: 1738 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

PreviousNext

Return to VMware vSphere



Who is online

Users browsing this forum: erbr and 30 guests