Host-based backup of VMware vSphere VMs.
Sorenemig
Influencer
Posts: 12
Liked: never
Joined: Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Replication over NAT (Internet)

Post by Sorenemig »

We want to do replication to a single ESX host over WAN (direct Internet) but we want to avoid site-to-site VPN for various reasons. I have configured NAT for the required ports on a public IP address for the target ESX server on the remote site. I am able to add the target server to the Veeam console and the replication seems to work.

Now for my questions:

1. I know that the data is not encrypted in transit but how usable would it be anyway?
2. Does anyone have a good suggestion on how to add encryption?
3. Is this a bad idea? :)
Gostev
Chief Product Officer
Posts: 31804
Liked: 7298 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Replication over NAT (Internet)

Post by Gostev »

Bad idea if you care about your data/passwords/etc.
You most definitely should be using VPN.

Re: Replication over NAT (Internet)

Post by Sorenemig »

What can I do with the proxy role?

What if I create a veeam proxy on the remote site and do proxy-to-proxy replication job and select the Encrypt LAN traffic check box? I can't figure out if this check box has anything to do with proxy communication.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Replication over NAT (Internet)

Post by tsightler »

Encrypt LAN traffic is only for network mode between the proxy and the ESXi hosts, not between proxies. I'd suggest just using the built-in Windows L2TP/IPsec services to configure security between the two boxes.

Re: Replication over NAT (Internet)

Post by Sorenemig »

If encrypt LAN is between proxy and ESXi host and the proxy is on the source site, will this not solve the problem then? I know two proxies will give other advantages like compression etc.
dellock6
VeeaMVP
Posts: 6165
Liked: 1971 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Replication over NAT (Internet)

Post by dellock6 »

If you are going to have proxy only on source site, and you do not want to use a VPN, how are you going to connect the remote ESXi host??? Exposing ESXi via PAT onto internet??? Forget it!

A single proxy for wan replication is a bad idea, just like natting instead of a VPN. Out of curiosity, why do you want to avoid VPN between the two sites? Also, you really need to deploy a second proxy on the remote site...

Luca.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1

Re: Replication over NAT (Internet)

Post by Sorenemig »

dellock6 wrote:
If you are going to have proxy only on source site, and you do not want to use a VPN, how are you going to connect the remote ESXi host??? Exposing ESXi via PAT onto internet??? Forget it!

A single proxy for wan replication is a bad idea, just like natting instead of a VPN. Out of curiosity, why do you want to avoid VPN between the two sites? Also, you really need to deploy a second proxy on the remote site...

Luca.

Ok, I give in and forget about PAT (I wasn’t fond of the idea anyway) :-) The reason that I wanted to avoid VPN is that I want to protect the production end, because the remote site is a shared environment – I won’t allow traffic TO my production site to be initiated FROM the remote site. In my current setup I can’t filter inside the VPN tunnel, but a new router and a whole lot of work will fix that :-)

I’m uncertain about the traffic flow when two proxies are involved. I want to filter inside the site-to-site VPN so that only established traffic from the production end is allowed, will this work?
veremin
Product Manager
Posts: 20400
Liked: 2298 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Replication over NAT (Internet)

Post by veremin »

May I ask you to provide a little more information regarding what moments stay unclear about traffic flow?

As Luca’s previously said, it’s strongly recommended in case of the offsite replication to have one Veeam agent running in the production site (closer to the source host), and another one in the remote DR site (closer to the target host).

Thus, to replicate across remote sites, you should deploy at least one local backup proxy in each site – a source backup proxy in the production site, and a target backup proxy in the remote DR site. During backup, the agents residing on proxy servers maintain a connection, which allows for uninterrupted operation over WAN.

Hope this helps.
Thanks.

Re: Replication over NAT (Internet)

Post by dellock6 »

Søren, even if it's a shared environment, I should think the hosting provider gave you dedicated VLANs for your hosted servers. This is a first line of network segregation. From here, you can also configure the firewall managing the VPN to allow connection only coming from the remote Veeam proxy, and the other services you need to connect to in the remote site itself.

Luca.

Re: Replication over NAT (Internet)

Post by Sorenemig »

dellock6 wrote:
Søren, even if it's a shared environment, I should think the hosting provider gave you dedicated VLANs for your hosted servers. This is a first line of network segregation. From here, you can also configure the firewall managing the VPN to allow connection only coming from the remote Veeam proxy, and the other services you need to connect to in the remote site itself.

Luca.

It’s complicated to explain but there are multiple partners who use the same ESX server on the remote site and we want to shield these users from accessing our production LAN. Therefore, we need the filtering to apply at our end of the VPN tunnel. If we apply an “established” one-way rule that allows traffic to be initiated from our end and only allows “return-traffic”, it would accomplish that, but I don’t know if this is compatible with the way Veeam proxy works. That’s why I’m asking about traffic flow and direction.

ps. English is not my native language so sorry if I’m not being clear enough :oops:

Re: Replication over NAT (Internet)

Post by tsightler »

This won't work by default as the target proxy makes TCP connections back to the source proxy. With 6.5 you can now "reverse" this but I don't know if it eliminates all connections from the target to the source and I have not had enough time to really dig with this feature in my lab.

Re: Replication over NAT (Internet)

Post by veremin »

It seems like one of those cases when only real test is likely to put everything into place.

Thanks.
rkovhaev
Veeam Software
Posts: 39
Liked: 21 times
Joined: May 17, 2010 6:49 pm
Full Name: Rustam
Location: hockey night in canada
Contact:

Re: Replication over NAT (Internet)

Post by rkovhaev »

6.5 works fine with one-way NAT. Open properties of Windows server -> credentials -> ports; there you'll find an option "run server on this side".

Re: Replication over NAT (Internet)

Post by Sorenemig »

Rustam, okay, this might do the trick. Is it only the two proxy roles that need to be able to communicate between the sites?


Also, thank you all for the helpful responses :-) I think I will begin a lab test!
foggy
Veeam Software
Posts: 21138
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Replication over NAT (Internet)

Post by foggy »

Sorenemig wrote:
Rustam, okay, this might do the trick. Is it only the two proxy roles that need to be able to communicate between the sites?

Don't forget that both proxies need access to the backup server also. Here is the thread discussing all the required connections in case of offsite replica.

Re: Replication over NAT (Internet)

Post by Sorenemig »

foggy wrote:
Don't forget that both proxies need access to the backup server also. Here is the thread discussing all the required connections in case of offsite replica.

But isn't that one of the changes in Veeam 6.5?

"Improved NAT support. Control whether the source backup proxy server or the backup repository/target backup proxy server establishes network connectivity. This is helpful when deploying Veeam Backup & Replication in a network with NAT and firewalls"

Re: Replication over NAT (Internet)

Post by foggy »

No, this point refers to the communication between agents only (specifically, the "Run server on this side" check box). Connection between backup server and agents is still required.

Re: Replication over NAT (Internet)

Post by Sorenemig »

Again, thanks for all the help :)

Foggy, keep in mind that we allow established return traffic:

Your quote:
1. "Veeam backup server should have access to vCenter server, ESX(i) hosts and both source and target backup proxies." : This is the direction where we allow traffic, so this is ok, right?
2. "Source backup proxy should have access to the backup server, source host, and target proxy" : source -> source = same network and source -> target proxy is the allowed direction and with 6.5 we can dedicate a "server side"
3. "While target proxy should have access to the backup server, source proxy, and target host (connection to vCenter is not required for proxies)" : OK, could be a problem... if the target proxy needs to initiate the connection to the backup server. If it's only established return traffic it should work. Do you know if this is the case?

If the target proxy is initiating the connection to the backup server I could allow some specific ports, but I'm not happy about it. If I don't trust the target network, would this be ok?

Re: Replication over NAT (Internet)

Post by foggy »

Sorenemig wrote:
If the target proxy is initiating the connection to the backup server I could allow some specific ports, but I'm not happy about it. If I don't trust the target network, would this be ok?

Connection to agents is initiated from the backup server side.

Re: Replication over NAT (Internet)

Post by Sorenemig »

Thanks :) It should work as I see it.

To summarize: site-to-site VPN with filters that allow traffic from production to remote site and "established" return traffic, two proxies with the remote proxy set as "server side".

If there is consensus about the above it will justify the effort of building this in a lab.
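The one-way "established" rule summarized above, modelled as an added example (not code from any poster or from Veeam): a minimal stateful filter at the production end, run against the default connection direction and against the direction obtained with "Run server on this side" on the remote proxy. All addresses and ports are constructed placeholders, and the model covers only the filter, not which connections the product actually opens.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses and ports (assumptions, not values from the thread).
PRODUCTION = ipaddress.ip_network("192.0.2.0/24")     # trusted production LAN
REMOTE = ipaddress.ip_network("198.51.100.0/24")      # shared remote site
BACKUP_SERVER, SOURCE_PROXY = "192.0.2.10", "192.0.2.20"
TARGET_PROXY = "198.51.100.20"
DATA_PORT, MGMT_PORT = 40000, 40001                   # placeholder ports


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the packet that opens a TCP connection


class OneWayFilter:
    """Stateful filter at the production end of the VPN tunnel."""

    def __init__(self, trusted, untrusted):
        self.trusted, self.untrusted = trusted, untrusted
        self.flows = set()   # connections opened from the trusted side

    def allow(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        flow = (p.src, p.sport, p.dst, p.dport)
        if src in self.trusted and dst in self.untrusted:
            if p.syn:
                self.flows.add(flow)      # new outbound connection: track it
                return True
            return flow in self.flows
        if src in self.untrusted and dst in self.trusted:
            reply_to = (p.dst, p.dport, p.src, p.sport)
            return not p.syn and reply_to in self.flows   # "established" only
        return False


def verdicts(packets):
    """Run packets in order through a fresh filter; True means forwarded."""
    fw = OneWayFilter(PRODUCTION, REMOTE)
    return [fw.allow(p) for p in packets]


# Default direction: the target proxy opens the data connection to the source.
DEFAULT = [Packet(TARGET_PROXY, 50000, SOURCE_PROXY, DATA_PORT, syn=True)]
# "Run server on this side" on the remote proxy: the source proxy connects out.
REVERSED = [
    Packet(SOURCE_PROXY, 50001, TARGET_PROXY, DATA_PORT, syn=True),
    Packet(TARGET_PROXY, DATA_PORT, SOURCE_PROXY, 50001),
    Packet(BACKUP_SERVER, 50002, TARGET_PROXY, MGMT_PORT, syn=True),
    Packet(TARGET_PROXY, MGMT_PORT, BACKUP_SERVER, 50002),
    Packet(TARGET_PROXY, 50003, BACKUP_SERVER, MGMT_PORT, syn=True),
]

if __name__ == "__main__":
    print("default :", verdicts(DEFAULT))
    print("reversed:", verdicts(REVERSED))
```

The last packet in `REVERSED` is a connection opened from the remote site toward the backup server; the filter drops it, which is the property the lab test would need to confirm against real traffic.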
karlochacon
Enthusiast
Posts: 51
Liked: never
Joined: Mar 21, 2012 5:43 pm
Full Name: Carlos Chacon
Contact:

[MERGED] Private vCenter IP and Veeam Replication

Post by karlochacon »

hi guys

We have a datacenter and one partner wants to replicate their VMs using Veeam Replication....of course, for security reasons, we won't publish our vCenter IP so our partner can connect the VMware replication appliance...

so what is the way to go? NAT the vCenter IP so our partner can see the vCenter IP as if it is in their own network?

let's say partner Network

10.10.10.x
Their vCenter and VMware Replication: 10.10.10.20 and 10.10.10.21

our DataCenter Network is 192.168.10.x and our vCenter is 192.168.10.11 and ESXi 12 - 13 and 14.

so Network team makes a NAT for our vCenter like 10.10.10.30 so our partner can replicate?
is that possible? is that the way to go? will replication work? any workaround or recommendation?

thanks a lot

Re: Private vCenter IP and Veeam Replication

Post by karlochacon »

well someone sent me this, well it's for VMware Replication but I think since it refers to vCenter too, it's not a good idea to NAT this kind of environment

http://kb.vmware.com/selfservice/micros ... Id=2018470

looks kinda convincing this part
If NAT is used in the VR environment, all VR components must be excluded from the NAT. All VR components must be able to communicate with each other using either internal addresses or external addresses.

so any workaround?

Re: Replication over NAT (Internet)

Post by foggy »

Carlos, basically for the replication to work, you need to add the target vCenter to the Veeam B&R console (either using public IP or via publishing it over NAT) and make all other required communications possible. You may find some related considerations in the thread above. Thanks.

[MERGED] Can Veeam overcome this? Replication as a Service

Post by karlochacon »

hi

I want to know if Veeam has the same restriction as VMware Replication

We have a Datacenter, in fact 7 in different countries in Latin America, and customers started asking for Replication as a service.... but this is what is happening

Our datacenters are usually 1 vCenter and 4 ESXi hosts, we normally create VMs that customers need and that's it so far, we manage all the environment so all networking to manage vCenter and ESXi is private, our customers use site to site VPNs or something to communicate to their VMs in our Datacenters....they don't have access to let's say "our internal management network"

but when talking about replication I think we have some problems with that service since VMware Replication needs to contact vCenter IP, so creating the pair for replication the customer will need to have access from his VMware replication to our vCenter....

I was thinking about NAT our vCenter IP for every customer that needs Replication but I am reading VMware Replication does not work really well with NAT. Any idea how to manage this?

So when using Veeam to replicate from multiple tenants to our Veeam in our Datacenter, will the Veeam Server located at the customer site need access to our "private vCenter IP"?

or how is Replication as a Service used in Veeam?

thanks a lot

[MERGED] Veeam proxy and NAT support

Post by karlochacon »

hi guys

In our Datacenter we provide some Replication as a service.

So the network Team creates an Internal and External communication for VMs, in this case for a Customer we need an internal IP like 10.5.10.x and for external (customer segment) 192.168.100.x so some network translation needs to be done.

in this scenario the Windows Proxy Veeam VM is going to have an internal like 10.5.10.50 and an external so this Veeam Proxy will communicate with Veeam Server at the customer premises.

so in this scenario is Veeam Supported?

thanks
Vitaliy S.
VP, Product Management
Posts: 27371
Liked: 2799 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Replication over NAT (Internet)

Post by Vitaliy S. »

If your backup server can reach target VMs/proxy and repository over their external IP addresses, then it should work. In your case NAT configuration should be required.
Berniebgf
Service Provider
Posts: 96
Liked: 9 times
Joined: Sep 01, 2010 11:36 pm
Full Name: Bernard Tyers
Contact:

[MERGED] Veeam - NAT Supported?

Post by Berniebgf »

Hello,

I have been looking through the forum for information on support for leveraging NAT within a Veeam environment, I have found mixed responses with the overall feeling that it is not recommended / not supported / don't bother.

I would like some clear clarification on this subject, does Veeam support NAT configurations?

Specifically for the following configuration.

1. Site A - Veeam Backup and Admin Server / Proxy and Destination ESXi Host \
Address Translation between sites.... (Masquerade IP's used)
2. Site B - Veeam Proxy and Source VMware ESXi Hosts

My personal opinion is not to leverage this setup, however I need clear guidance from Veeam / SME's so I can feed the "Veeam communities" opinion back to my client.

thanks

Bernie.

Re: Replication over NAT (Internet)

Post by foggy »

Bernard, in your scenario NAT configuration is supported, please see considerations above. Thanks.

Re: Replication over NAT (Internet)

Post by Berniebgf »

Hi Foggy,

With much respect;

I have read through this thread (and many others), one comment will be questions, the next one negative comments RE: NATing, no real answers. In other threads I see SME's (many posts) saying DON'T do NAT with Veeam....

Is there any "Official" stance by Veeam on NATing? over "it should work"? Is there any official documentation on how to configure Veeam to work with NAT'ing? Maybe a "Best practice / setup" guide for NAT configurations?

Thanks

Bernard.

Re: Replication over NAT (Internet)

Post by tsightler »

It is certainly possible to get Veeam to work over NAT, I've helped several service providers configure NAT connections with their customers, but it does involve some significant challenges. Primarily, endpoints have to be added by host names and you must configure DNS and/or host tables so that systems resolve the "NAT" addresses and not the original addresses of the hosts in question. You can also leverage the advanced "Run server on this side" option to change the direction which connections are made.

At one point this question came up often and I was going to make a guide, however, for whatever reason, I rarely get this question anymore, perhaps because most providers are using VPN without NAT since Veeam traffic is not encrypted in current versions, but it will work with NAT if everything is set up correctly. The logs can be quite useful in determining the exact setup required.
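A check for the host-table requirement described above, as an added example that is not part of the original post or of Veeam tooling: it audits hosts-file text and flags endpoints that were added as IP literals, are missing, or still resolve to a pre-NAT address. The host names and the ESXi NAT address are constructed; the vCenter pair 192.168.10.11 / 10.10.10.30 is the one given in the earlier post in this thread.

```python
import ipaddress

# Original address -> address as seen across the NAT.
NAT_MAP = {
    "192.168.10.11": "10.10.10.30",   # vCenter pair from the earlier post
    "192.168.10.12": "10.10.10.32",   # constructed ESXi mapping (assumption)
}

# Constructed hosts-file content on the system that must reach the NAT side.
HOSTS_TEXT = """\
10.10.10.30    vcenter.dc.example vcenter   # NAT address
192.168.10.12  esxi12.dc.example            # original address, not reachable
# 10.10.10.33  esxi13.dc.example            (commented out)
"""

# Endpoints as they were added to the backup console (constructed).
ENDPOINTS = ["vcenter.dc.example", "esxi12.dc.example",
             "esxi13.dc.example", "192.168.10.14"]


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_hosts(text):
    """Return {name: address}; comments are stripped, first entry wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or not is_ip_literal(fields[0]):
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def audit(endpoints, hosts_text, nat_map):
    """Classify each endpoint: nat, original, missing, unexpected, ip-literal."""
    table = parse_hosts(hosts_text)
    nat_addresses = set(nat_map.values())
    report = {}
    for endpoint in endpoints:
        address = table.get(endpoint.lower())
        if is_ip_literal(endpoint):
            report[endpoint] = "ip-literal"   # must be added by host name
        elif address is None:
            report[endpoint] = "missing"
        elif address in nat_addresses:
            report[endpoint] = "nat"
        elif address in nat_map:
            report[endpoint] = "original"     # resolves to the pre-NAT address
        else:
            report[endpoint] = "unexpected"
    return report


if __name__ == "__main__":
    for name, status in audit(ENDPOINTS, HOSTS_TEXT, NAT_MAP).items():
        print(f"{name:22} {status}")
```

Only the hosts-table text is audited; names served by DNS need the same check against the resolver each system actually uses.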