Question

vSphere proxy and hardened repository architecture


I have a fairly simple site: vCenter, two ESXi hosts, a bare-metal Veeam backup server and two QNAPs for backup storage, plus two proxies, each residing on one of the ESXi hosts (for hot-add).

Up until now, when the proxies were Windows ones and we didn't use the hardened setup, we had the QNAPs attached via iSCSI to the proxies. The proxies were 1:1 NATed via a Linux firewall, so they had a production-reachable IP that was translated into the non-production network, with different VLANs, and the traffic was heavily filtered. This worked very well.

I'm redesigning this and moving the repos to Linux hardened repositories now, and I also want to switch the proxies over to Linux.

 

Is there a way to keep the repos unreachable from the backup server itself, so the repos would be reachable only by the proxies? I imagine the proxies having two NICs, one towards the backup server and the other in the backup storage network. The backup server needs to be in the domain, and as you know this always adds some risk to the setup; the previous design kept things apart (the proxies were not domain-joined).

I have one proxy and one repo on Linux now, for tests, and I get mixed results, but I still have that Linux router/firewall in between and I see the backup server trying to reach the repos.

 

I've gone through a lot of documentation and so on, but without major success (I mean, things are working, but not the way I would like them to), so I assume I just missed some stuff, or maybe this is not possible the way I think about it.

 

Any help would be greatly appreciated!

5 comments

Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8554 comments
  • February 8, 2025

The Veeam server needs to be able to communicate with the repos regardless. The proxies send the data to them, but everything works together.

Check the BP guide on design here - https://bp.veeam.com/vbr/2_Design_Structures/

 


  • Author
  • New Here
  • 2 comments
  • February 8, 2025

Thanks for sharing this guide, I never stumbled across this one, tbh.

So there is no option to isolate the repository from the Veeam B&R server, as they need to be added as managed servers (that's what I noticed while configuring this, hence my post here).

Now, is there a way to tell the proxies to use their local interfaces to push data to the repositories?

I have a separate VLAN, let's say 100, and the proxies and repos have addresses within the 10.0.100.0/24 network, but they also have production IP addresses mapped via the router/firewall to 172.16.100.0/24 accordingly. I need to add the repo using its 172.16.100.10 address, but is there a way to tell Veeam to use 10.0.100.10 for the transport?

I assume you know what I'm getting at here: isolate the backup data and traffic on that VLAN 100 and only use the production IPs for communicating with the Veeam server.

Maybe there is a design that I'm looking at but just missing? Or is the common thing to leave the traffic on the production network and that's it?


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8554 comments
  • February 8, 2025

You can configure the network via the console. See here: https://helpcenter.veeam.com/docs/backup/vsphere/network_rules.html?ver=120

 

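The network rules linked above let Veeam prefer a given subnet for data transfer when both ends have an interface in it, but the backup server still has to reach the repository. A way to make that split enforceable on the hardened repository itself is a host firewall that only admits the backup server's control and data ports on the routed NIC and only admits the proxies' data ports on the backup VLAN NIC. The script below is an added example written for this page, not code from the thread or from Veeam: it generates such an nftables ruleset. The interface names eth0/eth1, the backup server address 192.0.2.10 and the proxy subnet are assumptions; the ports follow Veeam's published port list for a Linux repository as this editor reads it (SSH 22 only while deploying the Veeam Data Mover, 6162 for the Data Mover control channel, 2500-3300 for data transmission).

```shell
#!/bin/sh
# Added example, not Veeam's or the poster's code.
# Builds an nftables ruleset for a Linux hardened repository with two NICs:
#   $mgmt_if : routed/production-facing NIC, reached by the backup server
#              through the 1:1 NAT on the router (assumed name: eth0)
#   $data_if : backup-storage VLAN 100 NIC shared with the proxies (assumed: eth1)
# Ports follow Veeam's documented port list for a Linux repository (assumption):
#   22        SSH, only needed while the Veeam Data Mover is being deployed
#   6162      Veeam Data Mover control channel, used by the backup server
#   2500-3300 data transmission between Veeam components

build_ruleset() {
    backup_server="$1"   # backup server address as seen on the routed NIC
    proxy_net="$2"       # proxies' subnet on the backup VLAN
    mgmt_if="$3"         # routed/production-facing NIC
    data_if="$4"         # backup VLAN NIC
    ssh_open="$5"        # "yes" only during Data Mover deployment

    cat <<EOF
flush ruleset
table inet veeam_repo {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # control channel from the backup server only, on the routed NIC
        iifname "$mgmt_if" ip saddr $backup_server tcp dport 6162 accept
        # per the port list the backup server also uses the data port range
        iifname "$mgmt_if" ip saddr $backup_server tcp dport 2500-3300 accept
        # bulk backup data from the proxies is only admitted on the backup VLAN NIC
        iifname "$data_if" ip saddr $proxy_net tcp dport 2500-3300 accept
EOF
    if [ "$ssh_open" = "yes" ]; then
        # deployment window only; rerun with "no" once the Data Mover is installed
        printf '        iifname "%s" ip saddr %s tcp dport 22 accept\n' "$mgmt_if" "$backup_server"
    fi
    cat <<EOF
        # everything else, including SSH after deployment and any data-port
        # connection arriving on the wrong NIC, is counted and dropped
        counter drop
    }
}
EOF
}

# Number of accept rules in the generated ruleset (5 closed, 6 with SSH open).
accept_count() {
    build_ruleset "$@" | grep -c 'accept$'
}

# Loads the ruleset atomically; needs root and the nft binary, so it is not
# called by default.
apply_ruleset() {
    build_ruleset "$@" | nft -f -
}

case "${1:-}" in
    --print) build_ruleset 192.0.2.10 10.0.100.0/24 eth0 eth1 no ;;
    --apply) apply_ruleset 192.0.2.10 10.0.100.0/24 eth0 eth1 no ;;
esac
```

Run with `--print` to review the ruleset and `--apply` (as root) to load it. Because the final rule carries a counter, `nft list ruleset` shows whether any connection is still arriving on the routed NIC instead of the VLAN NIC, which is a quick way to see whether the preferred-network setting actually moved the proxy-to-repository traffic where it was meant to go.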

  • Author
  • New Here
  • 2 comments
  • February 8, 2025

This won't help; in the approach I mentioned above with the router, the backup server won't know the internal IPs of the repositories. Maybe I'm overthinking stuff.


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8554 comments
  • February 8, 2025
JacekJ wrote:

This won't help; in the approach I mentioned above with the router, the backup server won't know the internal IPs of the repositories. Maybe I'm overthinking stuff.

Then you will need to do routing via switches; otherwise, maybe contact support.

