Does it make sense to use a separate vCenter with one ESXi host for SureBackup, or can SureBackup be configured on the production vCenter, just using a dedicated ESXi host for SureBackup?
Answer
Veeam Sure Backup and vCentet
Best answer by Link State
Does it make sense to use a separate vCenter with one ESXi host for SureBackup, or can SureBackup be configured on the production vCenter, just using a dedicated ESXi host for SureBackup?
-
Isolated Networks: These are the networks within the Virtual Lab that mimic your production networks. They are designed to be completely cut off from your live environment to prevent any interference.
-
Port Groups: In VMware vSphere, port groups are used to connect virtual machines to virtual switches. For SureBackup, Veeam creates specific port groups for the isolated networks.
Key Considerations for Isolation
-
No Uplinks (Standard Switches): If you're using Standard vSwitches, the isolated port groups created by Veeam will typically have no physical uplinks. This ensures that traffic within the virtual lab cannot leave the ESXi host and interfere with production.
-
VLAN Tagging (Distributed Switches - dVS): For environments using Distributed vSwitches (dVS), which are common in multi-host setups or for SureReplica, physical isolation via uplinks might be used, or more commonly, VLAN tagging is employed. You assign a unique VLAN ID to the isolated port group that is not used in your production environment. This VLAN should also be isolated at your physical network hardware level (e.g., by filtering this VLAN ID) to prevent any leakage.
-
Masquerade Network: To allow the Veeam Backup & Replication server to communicate with the VMs in the isolated lab, Veeam uses a "masquerade" network. This is a separate IP range that is routed through the Virtual Lab appliance. The original VMs in the lab retain their production IPs, and the Virtual Lab appliance handles the translation.
+21You can do either option as it is when you create the virtual lab you specify the host(s). See here - https://helpcenter.veeam.com/docs/backup/vsphere/surebackup_hiw.html?ver=120
Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 6* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
+21It doesn’t really matter
Hope that helps.
Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
It doesn’t really matter
Hope that helps.
This means that the Surebackup Esxi host must have the same port groups as the productive ESXi?
+21Ideally, yes; but when you run the SureBackup job, a NAT appliance is created to isolate the prod network from your backup testing VMs. The link Chris shared above shows via diagrams how it looks and what each component does. Hope that helps.
Shane Williford - Veeam VMCA/VMCE | Veeam Legend | VUG Leader | VCP-DCV | Twitter: @coolsport00
+9I think both options are ok.
Maybe you should look on rest of things like licenses and if it make sense to use dedicated esx for sure backup only. Maybe is big and is waste of resources. So you can use it for production as well and just limit number of parallel VMs proccessed by sure backup.
Another thing is like mentioned above. You need to configure all networks, firewalls like NSX ... it will be more complicated for operational team ...
If you will use dedicated vCenter. You need to register it in Veeam console and adding premission for customer in enteprise manager ... From my point of view is btter to have solution simple as possible to be easy to operate it by admin in prodution ....
Marcel Kačmár | VCSP Partner 2022 | VMCE 2024 | VMCA 2024 | Veeam Legend 2025 |
You do not need a separate vCenter just to run SureBackup. You can and typically should configure SureBackup on the production vCenter, while using a dedicated ESXi host (or cluster) for running SureBackup jobs.
+11Does it make sense to use a separate vCenter with one ESXi host for SureBackup, or can SureBackup be configured on the production vCenter, just using a dedicated ESXi host for SureBackup?
-
Isolated Networks: These are the networks within the Virtual Lab that mimic your production networks. They are designed to be completely cut off from your live environment to prevent any interference.
-
Port Groups: In VMware vSphere, port groups are used to connect virtual machines to virtual switches. For SureBackup, Veeam creates specific port groups for the isolated networks.
Key Considerations for Isolation
-
No Uplinks (Standard Switches): If you're using Standard vSwitches, the isolated port groups created by Veeam will typically have no physical uplinks. This ensures that traffic within the virtual lab cannot leave the ESXi host and interfere with production.
-
VLAN Tagging (Distributed Switches - dVS): For environments using Distributed vSwitches (dVS), which are common in multi-host setups or for SureReplica, physical isolation via uplinks might be used, or more commonly, VLAN tagging is employed. You assign a unique VLAN ID to the isolated port group that is not used in your production environment. This VLAN should also be isolated at your physical network hardware level (e.g., by filtering this VLAN ID) to prevent any leakage.
-
Masquerade Network: To allow the Veeam Backup & Replication server to communicate with the VMs in the isolated lab, Veeam uses a "masquerade" network. This is a separate IP range that is routed through the Virtual Lab appliance. The original VMs in the lab retain their production IPs, and the Virtual Lab appliance handles the translation.
Veeam: VMCA | VMCE | VMXP | Veeam Legend - Microsoft: MCITP | MCP | MCSA | 2008 R2 | 2012R2 | 2016 | MCSE Core Infrastructure | MCSE Cloud Platform - Azure: AZ900 | AZ104| AZ500|AZ305 - AWS Cloud Practitioner - VMWare: VCP-DCV Vsphere 7.x - Cisco: CCNA (Expired)
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.