I created a previous post on Nimble Storage Integration with Veeam, discussing how you can potentially recover data even if a backup job’s Deleted VMs retention setting has passed. You can view the post here. For this post, I want to continue discussing Nimble Storage Integration, but provide you a security measure you can implement when configuring your Windows Proxies for Storage Integration or Direct SAN, as Veeam requires a Proxy to be configured with Direct SAN (or ‘Automatic Selection’) when using Backup from Storage Snapshots (BfSS).
A fellow Vanguard and I have occasional on-going discussions on how to best secure Windows Backup Proxies using Nimble (now called whatever...Alletra? 🙄 ) for Storage Integration. Several mos ago, we were trying to determine how best to present production storage to a Proxy, exposing as minimal amount of Nimble Volumes to a Windows OS as possible to prevent a catastrophic event, beit admin error or mal-intent. He and I were curious if Volumes used for Datastores really needed to be presented to the Windows Proxy OS. According to Veeam’s VMware User Guide here, when configuring your Proxy for Direct SAN mode (needed for BfSS), they state “SAN storage volumes presented as VMware datastores must be exposed to the OS of the backup proxy which works in the Direct SAN access transport mode.” I cannot speak for other storage systems/vendors, but I would hope it’s the same for them. For Nimble Volumes you use as Datastores, you do ***not*** need to present these Datastore Volumes to your Windows Proxy OS. All you need to do is configure access for these Volume(s) on your Nimble array with the Proxy(ies) IQN; and, configure the access on the array to apply to just “Snapshots Only”.
I won’t go into the full Windows Backup Proxy configuration process, but setting up your Proxies for DirectSAN/BfSS, you add the Microsoft File & iSCSI Services as a feature/role, and also install Nimble Connection Manager (NCM) and Discovery address to present your Nimble Volumes to the server. When you configure access to your Volumes on your array, your Volumes are not shown as being ‘presented’ to the Backup Proxy. This is exactly what we want. For Volumes used as Repositories (if you use your Proxies like I do as a ‘combo’ Proxy/Repo box), you select to ‘connect’ those Volumes. For your Volumes used as (production) Datastore storage, they will not be shown in NCM and thus not presented to the Windows OS. mitigating the potential of data removal. Notice no ‘disconnected’ Volumes in NCM below (which would be shown with a red ‘x’ icon on the Volume instead of a green check mark); but rather only my Repo Volumes:
Hope this helps you in implementing better security measures when using Storage Integration in your Veeam environment.