I need some honest opinions here. Do you all restrict internet access in your Veeam infrastructure? We have our infrastructure segmented with VLANs and firewall rules, and only allow access from jump boxes to those specific devices. Is allowing internet access on the Veeam devices (for updates, license updates, etc.) a bad idea? I feel like with the precautions we have in place, allowing internet access would not be an issue, but I wanted to see what other professionals think, and maybe point out a scenario/flaw that I'm not thinking about.
Answer
Honest Opinion: Veeam Server Internet Access
Best answer by Chris.Childerhose
The answer to this is going to be “It depends”. If you have all the precautions in place then allowing access is not an issue as you need that for license updates, patches, etc.
We have all our VBR servers with internet access and have to with VCC servers being an MSP. As long as you have the security in place you should have no issues. But there are some that due to strict requirements cannot have it.
+21The answer to this is going to be “It depends”. If you have all the precautions in place then allowing access is not an issue as you need that for license updates, patches, etc.
We have all our VBR servers with internet access and have to with VCC servers being an MSP. As long as you have the security in place you should have no issues. But there are some that due to strict requirements cannot have it.
Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
+5I agree with Chris. Personally I don’t see much of a risk in outbound access to the internet, but some organizations have strict policies where everything needs to be whitelisted, even outbound. In these cases you can refer to the Veeam Port List to determine exactly what needs to be enabled.
Tommy O’Shea, VMCE, VMCE-SP, VMCA
+11Hi
[Microsoft MVP 2x | Veeam Legend (2021 -2025) | VMware vExpert 5x | Cisco Champion 3x | Object First Ace 2x]
+12Just from the security perspective an internet access is not needed for the operational tasks that Veeam performs. Licence updates etc. could be done manually but comes with a workload (obviously).
Depending on your organizational requirements you should decide from that perspective.
My blueprint says that you should segment DR systems as well (dedicated, seperated VLANs for Veeam data, Veeam oobm like iLOs and optional Veeam oobm for VHR). In case you run this properly there can be whitelist entries for allowing Veeam servers to communicate to license servers etc. located online.
In a world where we’re going to cloud-based object storage repos you will not be able to avoid internet access in general for a very long time anyways imo.
LK | Veeam Vanguard | VUG Leader - Cyber Security Space | Security Specialist
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.