QUESTION April 18th From MP



Another great one inspired by our top Veeam Agent in the UK MP!

You have a customer that wants physical servers to back up to offsite (Cloud) object storage directly. They also want to use the Veeam Agent to protect key business stakeholders (C-suite) devices wherever they are around the globe. To prevent opening the cloud storage to accept connections from any public IP address, you decide to force the endpoints to connect indirectly to object storage, using a gateway over the corporate VPN.

To achieve this, you create your Veeam backup repository as object storage, specify the connection mode as direct, and set access permissions to “provided by the backup server (traffic goes through a gateway server)”.

You then create backup jobs that are managed by the VBR server to target the servers, and create backup job policies that are managed by the Veeam Agent for the device endpoints.

What happens when you test this? And what is used as the gateway?


6 comments


Looking forward to seeing the comments on this one!


Well, here is my stab at it to see. Cannot wait for other comments and the answer. 😎

What happens when you test this?

The physical servers managed by the VBR server will run and send direct to Object storage via the Agent (physical servers require the agent as well), but for the Agents you need to ensure the repository access control permissions are set for them to use the Object storage repository. Proxies and Agents need direct network access to the object storage when using direct mode. So, in this case, if the C-Suite laptops use a Gateway for indirect access to Object Storage, backups will fail. The better way would be to have the Agents, when roaming, connect directly to the Cloud storage, but that is not allowed in this case.

And what is used as the gateway?

The VBR server or Proxies would be used as the GW to connect to Object Storage repositories.


Will give everyone till next week to discuss, and then I’ll share what the actual outcome is :)


> Will give everyone till next week to discuss, and then I’ll share what the actual outcome is :)

Don't wait too long, I have my VMCA exam April 27th. 😜


This very item was discussed on the virtual UK VUG by @MicoolPaul. After the Agent → Object Storage, it all got a bit fuzzy and muddy 😁


Hi everyone, as promised:

So, everything will work, but not as planned.

Even “Direct” expected data flows will traverse the gateway due to the access permissions. However, because we selected direct instead of gateway, we didn’t (and can’t) define a gateway. So what is the gateway in this scenario? The answer is: the mount server! Every backup to the object storage backup repository will traverse the mount server, and if the firewall rules prevent this, it will fail!
