Veeam Replication
Deathmage
Banned Posts: 2,496
Hey guys,
So as many here use Veeam in their VMware datacenters, I'm curious as to the best practices when it comes to Veeam off-site replication.
If someone could list some things as to what is needed, that would be helpful, but I'll throw what I think is needed for it to work and correct my logic along the way if needed.
My thought is this: if the Veeam Backup and Replication Appliance is, say, a VM, I'd probably need to make a vSwitch called, say, Backup Replication, then on the VMware side of things connect the VM to this vSwitch IP subnet with, say, a VMXNET 3 or E1000, probably an E1000 since this will literally just be passing through the VMware host, then assign a physical NIC on the host the VM is on, and that would be the VMware side of things. Now on the networking side....
To me this replication traffic should be on its own fabric, but my employer probably will not go for a new switch just for replication, so I'll make a VLAN on the L2 fabric that the vSwitch is a member of. Then in my mind the traffic will be either routed to L3 then to the firewall, or I could simply connect an available port or two on the edge firewall from L2 directly, since it will just be switched traffic, not routed (now I'm thinking about this some: if I leave routing on the firewall this will work, but if not, only the L3 option would work; meh, I'll need to munch on this), and make an aggregated link for HA. Now on the firewall side...
To me on the firewall side of things, I'd use one of our IPs from our ISP block and assign that to a NAT mapping of this public address to the internal address of the VM on the VLAN in use by the Backup Replication vSwitch with the Veeam Replication Appliance.
What this all equates to in the end....
...In essence the public address would only be able to connect to the Backup Appliance over a secure tunnel or just a VPN or other connection method I'm not thinking of to the VM cluster. The above just outlines to me what in the background is needed.
Does this sound about right, or am I missing anything in my logic? I tried to go step by step in my thinking, so if I'm wrong you guys can correct me. I'm always thinking about things and how I can DR more effectively; again, I'm wanting to get into 'best practices' on this methodology. Suggestions are welcome.