
Event Recap: Veeam Hardening Best Practices (March 19, 2025)


lukas.k

Dear community,

Please find the recording of Wednesday's session “Veeam Hardening Best Practices” online:


You will also find the presentation attached as a PDF; it includes the security VLAN blueprint I talked about during the presentation.


Agenda:

  1. General measures 
  2. Network Security Tiering 
  3. Veeam Security Tools 2024 / 2025 
  4. Technical measures 
  5. Veeam Hardened Repository 
  6. Application Processing / Active Directory 
  7. Windows Server hardening according to CIS guidelines 
  8. Monitoring / Auditing 
  9. Perspective 
  10. Q&A session


Since this was a request within our community, I would again like to thank @Madi.Cristil and @safiya for setting up the meeting and landing pages and for sharing the recording.


In case of questions, comments or requests, please feel free to reach out.


Have a great weekend!

Lukas

8 comments

Chris.Childerhose

Thanks for posting this one, Lukas, as I missed it. I will watch it now. 👍


Tommy O'Shea
  • Experienced User
  • 101 comments
  • March 22, 2025

Thanks for presenting and posting the recap. It was a great presentation! 


Dynamic
  • Veeam Vanguard
  • 380 comments
  • March 22, 2025

Nice one, was a very good session 👏💚


marco_s
  • Influencer
  • 369 comments
  • March 24, 2025

Hi Lukas, thank you for your presentation!

I just have a question: why did you choose to extend the backup VLAN to the repositories? Also, stretching it to different sites, is it not a “security issue”? Assuming that the Veeam BP network design should be separated into as many VLANs as possible, is it better not to segment too many components, in your opinion?


lukas.k
  • Author
  • Veeam Vanguard
  • 198 comments
  • March 24, 2025
marco_s wrote:

Hi Lukas, thank you for your presentation!

I just have a question: why did you choose to extend the backup VLAN to the repositories? Also, stretching it to different sites, is it not a “security issue”? Assuming that the Veeam BP network design should be separated into as many VLANs as possible, is it better not to segment too many components, in your opinion?

Thank you Marco!

The design always has to match the customer's requirements, so you always have to adapt the blueprint to the actual situation.

My blueprint is designed for small to midrange customers since they often don’t have any segmentation at all.

The goal of putting repos and VBR / proxies into a single VLAN is simple: to avoid running backup data traffic (which can be lots of TB) through the firewalls which are used for segmentation.

I often see the scenario that customers don't even have a 10 Gbit firewall, which would slow down the backup process extremely.


As always: please use the design which fits the requirements best and refer to the official BP guide in case of more complex scenarios.


matheusgiovanini

Thanks for sharing, Lukas! I missed the session, but I’ll definitely watch the recap.


Tommy O'Shea
  • Experienced User
  • 101 comments
  • March 24, 2025
lukas.k wrote:

The goal of putting repos and VBR / proxies into a single VLAN is simple: To avoid running backup data traffic (which can be lots of TB) through firewalls which are used for segmentation.

In the case of protecting a Hyper-V environment where the Hyper-V hosts are the proxies, would it be accurate to say the Veeam repositories must be on the same VLAN as the Hyper-V hosts? There seems to be no way to enable an off-host proxy to back up directly from the SAN for Hyper-V.

I have a customer that is being very strict about breaking everything into separate VLANs and minimizing routed traffic to avoid as much traffic going through the firewall as possible.


lukas.k
  • Author
  • Veeam Vanguard
  • 198 comments
  • March 24, 2025
Tommy O'Shea wrote:
lukas.k wrote:

The goal of putting repos and VBR / proxies into a single VLAN is simple: To avoid running backup data traffic (which can be lots of TB) through firewalls which are used for segmentation.

In the case of protecting a Hyper-V environment where the Hyper-V hosts are the proxies, would it be accurate to say the Veeam repositories must be on the same VLAN as the Hyper-V hosts? There seems to be no way to enable an off-host proxy to back up directly from the SAN for Hyper-V.

I have a customer that is being very strict about breaking everything into separate VLANs and minimizing routed traffic to avoid as much traffic going through the firewall as possible.

Good point! Since Hyper-V works a bit differently, I see a few options here, all of which maintain the VLAN segmentation / separation:

  1. (this only works for 3-tier architectures, so a dedicated storage / SAN) off-host proxy with SAN integration:

Here you can simply apply my blueprint or any other best practice blueprint with separation and simply attach the proxy (which can be a physical server with the repo role as well) to the SAN (FC / iSCSI); this has to be done via dedicated, separated NICs / HBAs. I don't see a huge security risk here since this is a different protocol.

With that you can use the off-host proxy method, but you have to refer to the storage vendor guides to implement this.

  2. on-host proxy with dedicated NICs on the Hyper-V hosts

You could add dedicated NICs to your Hyper-V nodes that run the VMs and use network policies and an optional hardware firewall between HV and repo to get the traffic to the repo. The disadvantage is that there will always be a security risk since there is a direct, dedicated connection (in case you don't have a hardware fw in between).

  3. on-host proxy through hardware firewall

You could also use the “default” and not add dedicated NICs for backup data traffic, routing it through your firewalls instead. The disadvantage is that a huge workload will be added to the fw, so you could have a bottleneck there. The advantage (compared to option 2 mentioned above) is that a specific security level is maintained since no direct communication is possible.


Especially when you use HCI scenarios (Microsoft S2D) you have to work with methods 2 or 3, since there is no dedicated storage appliance and - as far as I know - no integration possible.


Hope that helps!

Lukas