Host-based backup of VMware vSphere VMs.
Post Reply
wa15
Veteran
Posts: 323
Liked: 25 times
Joined: Jan 02, 2014 4:45 pm
Contact:

Restricting Veeam's access to part of a vCenter environment

Post by wa15 »

We have a number of VMs in a vCenter environment that we would like Veeam to NOT "see" when creating a job due to compliance purposes. In this guide, it reads "You can also leverage security to restrict the part of the environment that the backup server can “see”. The restricted VMs we would like to "hide" from Veeam's view are in a VM folder.

To accomplish this, I referenced the permissions document in that guide and I:

A) Created a vCenter Layer role that contained the datastore cluster and global permissions and I set it to inherit permissions for child objects.
B) Created a VM layer role that contained the Virtual Machine and Datastore permissions and I applied this to the folder that the restricted VMs are a part of.
C) We are using Network Mode so those are the permission set I used for the roles above.

This did not work however, as the backup job fails at Getting VM info from vSphere with the error:
Error: NFC storage connection is unavailable. Storage: [stg:datastore-14,nfchost:host-2223,conn:VCENTER]. Storage display name: [DATASTORE].
Failed to create NFC download stream. NFC path: [nfc://conn:VCENTER,nfchost:host-2223,stg:datastore-14@VM/VM.vmx].


When the guide says parts of the environment can be "hidden" or remain restricted from Veeam, at what layer is this restriction applied? Can a folder be restricted from Veeam's view?
If so, am I doing this incorrectly with the steps above?
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Restricting Veeam's access to part of a vCenter environment

Post by tsightler » 1 person likes this post

A folder can be restricted or allowed from Veeam's view, however, some permissions must be applied either globally or at other levels, for example, datastore permissions have to be applied at the datastore level.

In other words, if an account is restricted to see only VMs in a given folder, and those VMs live on DATASTORE01, the account must also have permissions to DATASTORE01 assigned at the datastore level. It's possible that other VMs might live on DATASTORE01, but these VMs would not be visible to Veeam because the account does not have permissions to those VMs. The permissions document you reference clearly lists the level at which each permission must be assigned.

Now, I'm not saying this setup is easy to configure, but it's definitely possible. It sounds like you were mostly there, but some specific permissions was not allowed, probably a datastore level permission.
wa15
Veteran
Posts: 323
Liked: 25 times
Joined: Jan 02, 2014 4:45 pm
Contact:

Re: Restricting Veeam's access to part of a vCenter environment

Post by wa15 »

Makes sense. And if configured according to the article, would the restricted VMs be hidden from Veeam’s view? Or would they still show but we just wouldn’t be able to back them up?

Reason I ask is because in my case when I tried it, the VMs, even though they were restricted, they still showed up.
tsightler
VP, Product Management
Posts: 6035
Liked: 2860 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Restricting Veeam's access to part of a vCenter environment

Post by tsightler »

Basically, if the account can't see those VMs when logging in via vCenter, then Veeam shouldn't see them either. If you restrict VMs from an account that previously had access to them, they might exist due to infrastructure cache, but a rescan should remove them.

From Veeam's perspective, it's really quite simple, we're completely dependent on the permissions the account has to see things because it's vCenter that restricts our access to object. If you login with that account to vCenter you will see exactly the same things that vCenter allows Veeam to access with that account.

I know the setup is possible because I've worked with mulitple cases where this was required. That being said, there are certainly things that are not possible, or at least, not easily possible with just folders. For example, networks, you have to assign networks to individual accounts as there's not "folder" for networks. Also, you do have to look out for things like, for example, if you use folders to assign permissions, but some accounts are still propogated down from childer, for example, in the datacenter view, it can be an issue. That's why the easiest thing to do is to use vCenter to make sure the account can only see the resources you expect.
Post Reply

Who is online

Users browsing this forum: Ilya and 59 guests