Design question, how to not overload the firewall.
Customer has a physical B&R server on LAN1, and a physical Linux Hardened Repo on LAN1.
They also have like 100 Physical servers on LAN2, 3 and 4.
Traffic goes through the firewall obviously, and the fear is that it will overload it, affecting production.
Since we can’t use Proxy Servers for Agent backups (no such thing apparently), how can I avoid pulling the traffic through the Firewall?
The B&R Server and LHR are 10Gbit and use tagged VLANs, so I can quite simply add VLAN2,3,4 to the VLAN trunk and give them a link into the Agent VLANs.
Will that work? Do I need to add both the B&R server and the LHR, or just the LHR?
Can an LHR have several IP’s like that and still work?
Will the traffic go from the agent directly to the LHR or via the B&R server?
Other ideas welcome...
Thanks!
Hello @magnusvr , how many data / files will be backed up every day? 100 servers does not sound that much…
Do the other servers have 10Gbit connections, too?
Hi JM,
I’m not sure actually, the Agent servers are varying, 1 or 10Gbit, and I’m guessing they are around 10-20TB of Frontend data, and it will decrease to a large degree in the next 1-12 months.
I don’t think there is much of a change rate, these are application, SQL and webhosting servers, no users.
The Firewall is probably 1 Gbit but I’m not sure it can actually throughput 1 Gbit, and it will probably affect the 24/7 webhosting traffic.
@magnusvr hi
In order not to pass traffic over the firewall, I dedicated a network to backup and configured it in Veeam (Specifying Preferred Networks).
Yes, a dedicated network is my preferred solution for this, too.
And you can spread the agent backups to different hours to decrease the amount of backup data at a given time frame.
hello @magnusvr 100 physical servers is a lot but it only depends on the change rate. Not very helpful, but maybe think about a virtualization project for your customer?
anyway; if you try to avoid or bypass the firewall please think about that now “all” ports are reachable in this specific “local lan”. How will you restrict network communication to your critical backup infrastructure?
some options are:
- use a dedicated backup network (add ports) and like @Link State said use the “preferred network” option. maybe some dns trickery (with an additional alias) is helpful.
- another firewall (different hardware for the backup traffic)
- use another repository concept (sobr with a small “performance tier” and copy/move to the LHR after 1/a few days). for example a proxy/repository “near” the systems you want to backup with iscsi or fc disks from another system in the backup environment.
but these are also budget topics and if the customer is willing to invest. i would first recommend try the “out of the box” options and see how it goes.
best regards daniel
Thank you all for your thoughts. The background is that they are running a lot of VMs in Proxmox, which means Agent backups. Only a few Agents are actually Physical servers. They have a new AHV cluster and are migrating to it, but it will be some time before they are all migrated. Once in AHV, the problem is gone.
A Backup Network is hard to suggest now, and I feel that security wise, that would also connect all the servers together in one LAN, perhaps even more so that putting an IP on the backup server.
I’m kind of assuming that I can’t get the Agent to connect directly to the LHR without segmenting it up into many, which sounds like a hassle.
Can I put an extra IP/LAN on the B&R server and have the traffic go from the Agent to the B&R, and the B&R will then ship the traffic to the LHR? Or do I always need a connection from the Agent to the LHR?
Complicated to explain my thoughts...thanks!
Can I put an extra IP/LAN on the B&R server and have the traffic go from the Agent to the B&R, and the B&R will then ship the traffic to the LHR? Or do I always need a connection from the Agent to the LHR?
the backup traffic will go directly from the agents to the repo:
Default port used for communication with the Veeam backup server.
Data between the Veeam Agent for Linux computer and backup repositories is transferred directly, bypassing Veeam backup servers.
the VBR server in this case does just management.
best regards
daniel
Thank you Daniel,
And as Veeam has the LHR registered with an IP in LAN1, it won’t help if I assign an IP in LAN2 on the VBR, since Veeam server won’t know that IP?
I would have to add the LHR two times in Veeam (?), one for each IP, and control which agents from which network, that stores in what Repo instance.
I don’t have a hardened Repository server with multiple IPs, but some “normal” repository servers. Veeam was always intelligent enough to route the traffic over the correct interface.
Even if an agent cannot reach the repository server directly, the traffic is then routed over the VBR server. I think the direct connection is an option, not a must-have...
Interesting. I will experiment a little bit and see. Thanks all!
@magnusvr
these are the target repositories supported by the Windows agent
Alternatively, you can use a dedicated share server as the target repository.
I would think that if you could do some layer 3 switching here, the VBR/Repo would be able to talk to the VM’s/servers on their respective networks at switch/line speed without having to go through the firewall, but I’d set limitations so that only the servers are going to only the required backup infrastructure. Not sure though if you have the capability of making network changes like that.
Thanks Link State,
Since the customer has a brand new Veeam setup with a 300TB LHR, that’s what we want to use, to get the benefit of immutability and XFS pointers. Also, the Agents will be server managed.
I will move forward with suggesting to run the traffic through the firewall after all, and work with speed limits, distributed schedules, and possibly QoS in the FW.
/Magnus
@dloseke Excellent Idea, the thought had crossed my mind, I’m also unsure if that is possible. I think they are running Cisco, possibly Nexus switches at the site, but I guess it would require a redesign of the whole network… I will add that as a suggestion.
I’ve converted a Cisco Nexus 3k from L2 to L3 using vPC for gateway redundancy with VRRP/HSRP, can’t remember which protocol they used, sorry! Was easy enough, can either do it “Big Bang” by swapping your gateway IP from being configured for your firewall to your switch, or create a new gateway IP and move everything one device at a time.
In either scenario for security you can use ACLs to have more basic firewall style filtering.
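As an added illustration of the L3-switch-plus-ACL approach from this reply (example config written for this thread, not taken from the poster or from Veeam): an NX-OS SVI for one agent VLAN with HSRP as the gateway and a routed ACL that lets agents reach only the backup ports on the VBR/LHR, drops everything else into LAN1 on the switch, and leaves all other traffic on its existing path through the firewall. Addresses, VLAN numbers and the port numbers are assumptions; take the real ports from the Veeam port reference for the agent version in use.

```cisco
! Added example, not from the thread. Assumed addressing:
!   LAN1 = VLAN 1 = 10.1.0.0/24, VBR = 10.1.0.10, LHR = 10.1.0.20
!   LAN2 = VLAN 2 = 10.2.0.0/24, HSRP gateway 10.2.0.1
! Ports are placeholders; verify against the Veeam port list.
feature interface-vlan
feature hsrp

! Routed ACL applied inbound on the VLAN 2 SVI: it sees traffic the
! agent hosts send out of their VLAN, before the switch routes it.
ip access-list AGENTS-VLAN2-TO-BACKUP
  10 remark Agent data mover -> hardened repo (data goes repo-direct)
  20 permit tcp 10.2.0.0/24 host 10.1.0.20 range 2500 3300
  30 remark Agent -> VBR management only (placeholder port)
  40 permit tcp 10.2.0.0/24 host 10.1.0.10 eq 10006
  50 remark Replies to sessions the VBR opened toward the agents
  60 permit tcp 10.2.0.0/24 10.1.0.0/24 established
  70 remark Nothing else from the agent VLAN into the backup LAN
  80 deny ip 10.2.0.0/24 10.1.0.0/24 log
  90 remark Other destinations keep using the default route (firewall)
  100 permit ip any any

! Gateway for VLAN 2 now lives on the switch pair instead of the
! firewall; repeat the SVI + HSRP block (and an ACL) per agent VLAN.
interface Vlan2
  description Agent VLAN 2 - L3 gateway on the switch
  no shutdown
  ip address 10.2.0.2/24
  ip access-group AGENTS-VLAN2-TO-BACKUP in
  hsrp version 2
  hsrp 2
    preempt
    ip 10.2.0.1

! LAN1 also needs an SVI so VBR/LHR <-> agent traffic is routed on
! the switch; a matching ACL on Vlan1 would restrict the reverse
! direction to the same hosts and ports.
interface Vlan1
  description Backup LAN1 - VBR and hardened repo
  no shutdown
  ip address 10.1.0.2/24
  hsrp version 2
  hsrp 1
    preempt
    ip 10.1.0.1

! Default route toward the firewall so internet/other traffic from
! the agent VLANs is unchanged (firewall address is an assumption).
ip route 0.0.0.0/0 10.1.0.254
```

The `deny ... log` entry doubles as a detection point: any agent host probing the backup LAN on a non-backup port shows up in the switch logs rather than silently succeeding.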
As an alternative to maintain security without production impact. Why not a virtual firewall such as pfSense?