Discussions specific to the VMware vSphere hypervisor
Sorenemig
Influencer
Posts: 12
Liked: never
Joined: Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Replication over NAT (Internet)

Post by Sorenemig » Jan 05, 2013 6:00 pm

We want to do replication to a single ESX host over WAN (direct Internet) but we want to avoid site-to-site VPN for various reasons. I have configured NAT for the required ports on a public IP address for the target ESX server on the remote site. I am able to add the target server to the Veeam console and the replication seems to work.

Now for my questions:

1. I know that the data is not encrypted in transit but how usable would it be anyway?
2. Does anyone have a good suggestion on how to add encryption?
3. Is this a bad idea? :)

Gostev
SVP, Product Management
Posts: 24789
Liked: 3522 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Replication over NAT (Internet)

Post by Gostev » Jan 06, 2013 6:24 pm

Bad idea if you care about your data/passwords/etc.
You most definitely should be using VPN.

Sorenemig
Influencer
Posts: 12
Liked: never
Joined: Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

Post by Sorenemig » Jan 07, 2013 9:11 am

What can I do with the proxy role?

What if I create a veeam proxy on the remote site and do proxy-to-proxy replication job and select the Encrypt LAN traffic check box? I can't figure out if this check box has anything to do with proxy communication.

tsightler
VP, Product Management
Posts: 5418
Liked: 2240 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Replication over NAT (Internet)

Post by tsightler » Jan 07, 2013 12:51 pm

Encrypt LAN traffic is only for network mode between the proxy and the ESXi hosts, not between proxies. I'd suggest just using the built in Windows L2TP/IPsec services to configure security between the two boxes.

Sorenemig
Influencer
Posts: 12
Liked: never
Joined: Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

Post by Sorenemig » Jan 07, 2013 6:07 pm

If encypt LAN is between proxy and ESXi host and the proxy is on the source site, will this not solve the problem then? I know two proxy will give other advantages like compression etc.

dellock6
Veeam Software
Posts: 5734
Liked: 1625 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Replication over NAT (Internet)

Post by dellock6 » Jan 07, 2013 11:05 pm

If you are going to have proxy only on source site, and you do not want to use a VPN, how are you going to connect the remote ESXi host??? Exposing ESXi via PAT onto internet??? forget it!

A single proxy for wan replication is a bad idea, just like natting instead of a VPN. Out of curiosity, why do you want to avoid VPN between the two sites? Also, you really need to deploy a second proxy on the remote site...

Luca.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2019
Veeam VMCE #1

Sorenemig
Influencer
Posts: 12
Liked: never
Joined: Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

Post by Sorenemig » Jan 08, 2013 1:59 pm

dellock6 wrote:If you are going to have proxy only on source site, and you do not want to use a VPN, how are you going to connect the remote ESXi host??? Exposing ESXi via PAT onto internet??? forget it!

A single proxy for wan replication is a bad idea, just like natting instead of a VPN. Out of curiosity, why do you want to avoid VPN between the two sites? Also, you really need to deploy a second proxy on the remote site...

Luca.
Ok, I give in and forget about PAT (I wasn’t fond of the idea anyway) :-) The reason that I wanted to avoid VPN is that I want to protect the production end, because the remote site is a shared environment – I won’t allow traffic TO my production site to be initiated FROM the remote site . In my current setup I can’t filter inside the VPN tunnel, but a new router and a whole lot of work will fix that :-)

I’m uncertain about the traffic flow when two proxies are involved. I want to filter inside the site-to-site VPN so that only established traffic from the production end is allowed, will this work?

veremin
Product Manager
Posts: 16892
Liked: 1435 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Replication over NAT (Internet)

Post by veremin » Jan 08, 2013 2:16 pm

May I ask you to provide a little more information regarding what moments stay unclear about traffic flow?

As Luca’s previously said, it’s strongly recommended in case of the offsite replication to have one Veeam agent running in the production site (closer to the source host), and another one in the remote DR site (closer to the target host).

Thus, to replicate across remote sites, you should deploy at least one local backup proxy in each site – a source backup proxy in the production site, and a target backup proxy in the remote DR site. During backup, the agents residing on proxy servers maintain a connection, which allows for uninterrupted operation over WAN.

Hope this helps.
Thanks.

dellock6
Veeam Software
Posts: 5734
Liked: 1625 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Replication over NAT (Internet)

Post by dellock6 » Jan 08, 2013 3:05 pm

Søren, even if it's a shared environment, I should think the hosting provider gave you dedicated VLANs for your hostes servers. This is a first line of network segregation. From here, you can also configure the firewall managing the VPN to allow connection only coming from the remote Veeam proxy, and the other services you need to connect to in the remote site itself.

Luca.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2019
Veeam VMCE #1

Sorenemig
Influencer
Posts: 12
Liked: never
Joined: Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

Post by Sorenemig » Jan 08, 2013 3:42 pm

dellock6 wrote:Søren, even if it's a shared environment, I should think the hosting provider gave you dedicated VLANs for your hostes servers. This is a first line of network segregation. From here, you can also configure the firewall managing the VPN to allow connection only coming from the remote Veeam proxy, and the other services you need to connect to in the remote site itself.

Luca.
It’s complicated to explain but there is multiple partners who uses the same ESX server on the remote site and we want to shield these users from accessing our production LAN. Therefore, we need the filtering to apply at our end of the VPN tunnel. If we apply an “established” one-way rule, that allow traffic to be initiated from our end and only allow “return-traffic” it would accomplish that, but I don’t know if this is compatible with the way veeam proxy works. That’s why I’m asking about traffic flow and direction.

ps. English is not my native language so sorry if I’m not being clear enough :oops:

tsightler
VP, Product Management
Posts: 5418
Liked: 2240 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Replication over NAT (Internet)

Post by tsightler » Jan 08, 2013 3:49 pm

This won't work by default as the target proxy makes TCP connections back to the source proxy. With 6.5 you can now "reverse" this but I don't know if it eliminates all connections from the target to the source and I have not had enough time to really dig with this feature in my lab.

veremin
Product Manager
Posts: 16892
Liked: 1435 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Replication over NAT (Internet)

Post by veremin » Jan 08, 2013 3:57 pm

It seems like one of those cases when only real test is likely to put everything into place.

Thanks.

rkovhaev
Veeam Software
Posts: 39
Liked: 21 times
Joined: May 17, 2010 6:49 pm
Full Name: Rustam
Location: hockey night in canada
Contact:

Re: Replication over NAT (Internet)

Post by rkovhaev » Jan 09, 2013 7:33 am

6.5 works fine with one way NAT, open properties of window server-> credentials-> ports -> there you'll find an option "run server on this side"

Sorenemig
Influencer
Posts: 12
Liked: never
Joined: Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

Post by Sorenemig » Jan 09, 2013 8:59 am

Rustam, okay this might do the trick. Is it only the two proxy roles that needs to be able to communicate between the sites?


Also, thank you all for the helpful responses :-) I think I will begin a lab test!

foggy
Veeam Software
Posts: 18257
Liked: 1559 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Replication over NAT (Internet)

Post by foggy » Jan 09, 2013 10:04 am

Sorenemig wrote:Rustam, okay this might do the trick. Is it only the two proxy roles that needs to be able to communicate between the sites?
Don't forget that both proxies need access to the backup server also. Here is the thread discussing all the required connections in case of offsite replica.

Sorenemig
Influencer
Posts: 12
Liked: never
Joined: Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

Post by Sorenemig » Jan 09, 2013 10:29 am

foggy wrote: Don't forget that both proxies need access to the backup server also. Here is the thread discussing all the required connections in case of offsite replica.
But, Isn't that one of the changes in veeam 6.5?

"Improved NAT support. Control whether the source backup proxy server or the backup repository/
target backup proxy server establishes network connectivity. This is helpful when deploying Veeam
Backup & Replication in a network with NAT and firewalls"

foggy
Veeam Software
Posts: 18257
Liked: 1559 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Replication over NAT (Internet)

Post by foggy » Jan 09, 2013 10:51 am

No, this point refers to the communication between agents only (specifically, the "Run server on this side" check box). Connection between backup server and agents is still required.

Sorenemig
Influencer
Posts: 12
Liked: never
Joined: Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

Post by Sorenemig » Jan 09, 2013 12:07 pm

Again, Thanks for all the help :)

Foggy, Keep in mind that we allow established return traffic:

your quote:
1. "Veeam backup server should have access to vCenter server, ESX(i) hosts and both source and target backup proxies." : This is the direction where we allow traffic, so this is ok right?
2. "Source backup proxy should have access to the backup serve Source host, and target proxy" : source -> source = same network and source -> target proxy is the allowed direction and with 6.5 we can dedicate a "server side"
3. "While target proxy should have access to the backup server, source proxy, and target host (connection to vCenter is not required for proxies)" : OK could be a problem... if the target proxy needs to initiate the connection to the backup server. If it's only established return traffic it should work. Do you know if this is the case?

If the target proxy is initiating the connection to the backup server I could allow some specific ports, but I'm not happy about it. If I dont trust the target network, would this be ok?

foggy
Veeam Software
Posts: 18257
Liked: 1559 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Replication over NAT (Internet)

Post by foggy » Jan 09, 2013 1:36 pm

Sorenemig wrote:If the target proxy is initiating the connection to the backup server I could allow some specific ports, but I'm not happy about it. If I dont trust the target network, would this be ok?
Connection to agents is initiated from the backup server side.

Sorenemig
Influencer
Posts: 12
Liked: never
Joined: Jan 05, 2013 4:16 pm
Full Name: Søren Emig

Re: Replication over NAT (Internet)

Post by Sorenemig » Jan 10, 2013 7:47 am

Thanks :) It should work as I see it.

To summarize, site-to-site VPN with filters that allow traffic from production to remote site and "established" return traffic, two proxy with the remote proxy set as "server side".

If there is consensus about the above it will justify the effort of building this in a lab.

karlochacon
Enthusiast
Posts: 50
Liked: never
Joined: Mar 21, 2012 5:43 pm
Full Name: Carlos Chacon
Contact:

[MERGED] Private vCenter IP and Veeam Replication

Post by karlochacon » Apr 21, 2014 3:50 am

hi guys

We have a datacenter and one partner wants to replicate their VMs using Veeam Replication....of course we for security reason won't publish our vCenter IP so our partner can connect the Vmware replication appliance...

so what is the way to go NAT vCenter IP so our partner can see vCenter IP as it is in their on Network?

let's says partner Network

10.10.10.x
Their vCenter and Vmware Replication: 10.10.10.20 and 10.10.10.21

our DataCenter Network is 192.168.10.x and our vCenter is 192.168.10.11 and ESXi 12 - 13 and 14.

so Network team makes a NAT for our vCenter like 10.10.10.30 so our partner can replicate?
is that possible? is that the way to go? will replication work? any workaround or recommendation?

thanks a lot

karlochacon
Enthusiast
Posts: 50
Liked: never
Joined: Mar 21, 2012 5:43 pm
Full Name: Carlos Chacon
Contact:

Re: Private vCenter IP and Veeam Replication

Post by karlochacon » Apr 21, 2014 2:46 pm

well someone sent me this, well it's for Vmware Replication but I think since it refers to vCenter too, it's not a good idea to NAT this kind of enviroment

http://kb.vmware.com/selfservice/micros ... Id=2018470

looks kinda convincing this part
If NAT is used in the VR environment, all VR components must be excluded from the NAT. All VR components must be able to communicate with each other using either internal addresses or external addresses.

so any workaround?

foggy
Veeam Software
Posts: 18257
Liked: 1559 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Replication over NAT (Internet)

Post by foggy » Apr 22, 2014 11:31 am

Carlos, basically for the replication to work, you need to add the target vCenter to the Veeam B&R console (either using public IP or via publishing it over NAT) and make all other required communications possible. You may find some related considerations in the thread above. Thanks.

karlochacon
Enthusiast
Posts: 50
Liked: never
Joined: Mar 21, 2012 5:43 pm
Full Name: Carlos Chacon
Contact:

[MERGED] Can Veeam overcome this? Replication as a Service

Post by karlochacon » May 24, 2014 6:19 am

hi

I want to know if Veeam has the same restriction as Vmware Replication

We have a Datacenter, in fact 7 in different countries in Latin America and customer started asking for Replication as a service.... but this is what is happening

Our datacenters are usually 1 vCenter and 4 ESXi hosts, we normally create VMs that customers need and that's it so far, we manage all the environment so all networking to manage vCenter and ESXi is private, our customer use site to site VPNs or something to communicate to their VMs in our Datacenters....they don't have access to let's say "our internal management network"

but when talking about replication I think we have some problems with that service since Vmware Replication needs to contact vCenter IP, so creating the pair for replication the customer will need to have access from his Vmware replication to our vCenter....

I was thinking about NAT our vCenter IP for every customer that needs Replication but I am reading Vmware Replication does not work really well with NAT idea how to manage this?

So when using Veeam to replicate from multiple tenants to our Veeam in our Datacenter, will the Veeam Server located at the customer site need access to our "private vCenter IP"?

or how is Replication as a Service used in Veeam?

thanks a lot

karlochacon
Enthusiast
Posts: 50
Liked: never
Joined: Mar 21, 2012 5:43 pm
Full Name: Carlos Chacon
Contact:

[MERGED] Veeam proxy and NAT support

Post by karlochacon » Jun 18, 2014 9:33 pm

hi guys

In our Datacenter we provide some Replication as a service.

So the network Team creates an Internal and External communication for VMs, in this case for a Customer we need an internal IP like 10.5.10.x and for external (customer segment) 192.168.100.x so some network translation needs to be done.

in this scenario the Windows Proxy Veeam VM is going to have an internal like 10.5.10.50 and a external so this Veeam Proxy will communicate with Veeam Server at the customer premises.

so in this scenario is Veeam Supported?

thanks

Vitaliy S.
Product Manager
Posts: 22984
Liked: 1556 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Replication over NAT (Internet)

Post by Vitaliy S. » Jun 22, 2014 12:56 pm

If your backup server can reach target VMs/proxy and repository over their external IP addresses, then it should work. In your case NAT configuration should be required.

Berniebgf
Service Provider
Posts: 94
Liked: 9 times
Joined: Sep 01, 2010 11:36 pm
Full Name: Bernard Tyers
Contact:

[MERGED] Veeam - NAT Supported?

Post by Berniebgf » Aug 19, 2014 11:19 pm

Hello,

I have been looking through the forum for information on support for leveraging NAT within a Veeam environment, I have found mixed responses with the overall feeling that it is not recommended / not supported / don't bother.

I would like some clear clarification on this subject, does Veeam support NAT configurations?

Specifically for the following configuration.

1. Site A - Veeam Backup and Admin Server / Proxy and Destination ESXi Host \
Address Translation between sites.... (Masquerade IP's used)
2. Site B - Veeam Proxy and Source VMware ESXi Hosts

My personal opinion is not to leverage this setup, however I need clear guidance from Veeam / SME's so I can feed the "Veeam communities" opinion back to my client.

thanks

Bernie.

foggy
Veeam Software
Posts: 18257
Liked: 1559 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Replication over NAT (Internet)

Post by foggy » Aug 20, 2014 8:55 am

Bernard, in your scenario NAT configuration is supported, please see considerations above. Thanks.

Berniebgf
Service Provider
Posts: 94
Liked: 9 times
Joined: Sep 01, 2010 11:36 pm
Full Name: Bernard Tyers
Contact:

Re: Replication over NAT (Internet)

Post by Berniebgf » Aug 20, 2014 12:40 pm

Hi Foggy,

With much respect;

I have read through this thread (and many others), one comment will be questions, the next one negative comments RE: NATing, no real answers. In other threads I see SME's (many posts) saying DON'T do NAT with Veeam....

Is there any "Official" stance by Veeam on NATing? over "it should work"? Is there any official documentation on how to configure Veeam to work with NAT'ing? Maybe a "Best practice / setup" guide for NAT configurations?

Thanks

Bernard.

tsightler
VP, Product Management
Posts: 5418
Liked: 2240 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Replication over NAT (Internet)

Post by tsightler » Aug 20, 2014 1:26 pm

It is certainly possible to get Veeam to work over NAT, I've helped several service providers configure NAT connections with their customers, but it does involve some significant challenges. Primarily, endpoints have to be added by host names and you must configure DNS and/or host tables so that systems resolve the "NAT" addresses and not the original addresses of the hosts in question. You can also leverage the advanced "Run server on this side" option to change the direction which connections are made.

At one point this question came up often and I was going to make a guide, however, for whatever reason, I rarely get this question anymore, perhaps because most providers are using VPN without NAT since Veeam traffic is not encrypted in current versions, but it will work with NAT if everything is setup correctly. The logs can be quite useful in determining the exact setup required.

Post Reply

Who is online

Users browsing this forum: AdsBot [Google], Baidu [Spider], tim.hudson and 24 guests