Host-based backup of VMware vSphere VMs.
Post Reply
newman
Service Provider
Posts: 19
Liked: 1 time
Joined: Aug 14, 2022 7:20 am
Full Name: Peter Neumann
Contact:

VMware Cloud Director application aware backup

Post by newman »

Documentation is a little unclear - so as Veeam BP - about how it is recommended to solve this requirement. I believe I am not alone - as a provider - when stating that don't really want a guest interaction proxy for all tenants since that would impose many issues with security. A single server should reach all tenants' all virtual machines'. Dedicated guest interaction proxy per tenant might be a better option, however that still would involve NAT in order to let backup server to reach the VBR server.
PetrM
Veeam Software
Posts: 3262
Liked: 527 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: VMware Cloud Director application aware backup

Post by PetrM »

Hi Peter,

Do I get it right that you want to use a single guest-interaction proxy for all tenants? If yes, what's the issue with this approach in your environment?

Thanks!
newman
Service Provider
Posts: 19
Liked: 1 time
Joined: Aug 14, 2022 7:20 am
Full Name: Peter Neumann
Contact:

Re: VMware Cloud Director application aware backup

Post by newman »

Hello,
No, not yet using guest interaction proxy at the moment. However it is a must for sure. Currently I am trying the find the best and most secure solution to this. I don't want to use single - or multiple - but leveraged guest interaction proxy as that would be the single entry point for an attacker and get in to all tenants' network directly - furthermore techically I can't create a network like that. Probably better to use dedicated guest interaction proxy per tenant, I just need to know what is the reference design - if there is any - or what is the community experience, how others solved this challenge.
VCIX DCV,VCIX NV,HCI Master,Tanzu Specialist,vExpert/PRO/NSX,VMCE
EugeneK
Veeam Software
Posts: 170
Liked: 43 times
Joined: Mar 19, 2016 10:57 pm
Full Name: Eugene Kashperovetskyi
Location: Chicago, IL
Contact:

Re: VMware Cloud Director application aware backup

Post by EugeneK »

Greetings,

Do you happen to use NSX or similar technology in your environment that would allow for additional networking flexibility for the infrastructure deployment?
With NSX-like solutions in the picture, additional Edge Gateways can be deployed and configured to isolate tenant's traffic.
Eugene K
VMCA, VCIX-DCV, vExpert
newman
Service Provider
Posts: 19
Liked: 1 time
Joined: Aug 14, 2022 7:20 am
Full Name: Peter Neumann
Contact:

Re: VMware Cloud Director application aware backup

Post by newman »

Sure. A/A provider T0 - actually multiple - with VRF lite setup there. Each tenant has a VRF lite and a T1 that is managed by VCD, effectively by the tenant. Tenants are isolated today in routing and surely they can utilize GW firewall, so as DFW.

Question is about how not to violate this full separation with a network in which Veeam Guest Interaction should sit in and able to reach all clients all VMs.

VIX can be used, but wanted to check if there is a reference design for service providers - besides veeambp which completely misses this part in general.
VCIX DCV,VCIX NV,HCI Master,Tanzu Specialist,vExpert/PRO/NSX,VMCE
PetrM
Veeam Software
Posts: 3262
Liked: 527 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: VMware Cloud Director application aware backup

Post by PetrM »

Looks like "VIX" is the only way to go if it's necessary to isolate traffic of each tenant. The number of guest interaction proxies will depend on scalability purposes but I guess just one server (even Veeam B&R itself) would be fine if you didn't process thousands of VMs simultaneously.

By the way, "VIX" is not the correct name for the guest interaction protocol: starting from vSphere 6.5, vSphere Web Services API is used instead of VIX (real "VIX" works on earlier vSphere versions) but it's still referenced as "VIX" sometimes :)

Thanks!
newman
Service Provider
Posts: 19
Liked: 1 time
Joined: Aug 14, 2022 7:20 am
Full Name: Peter Neumann
Contact:

Re: VMware Cloud Director application aware backup

Post by newman » 1 person likes this post

Yeah, sure. Well even Veeam references it as "VMware VIX/vSphere Web Services" so I will keep calling it as VIX, just as the product states when testing credentials in VBR itself.
VCIX DCV,VCIX NV,HCI Master,Tanzu Specialist,vExpert/PRO/NSX,VMCE
Post Reply

Who is online

Users browsing this forum: No registered users and 77 guests