6.1 Assign vSphere replication resources

The service provider can offer replication services to an existing customer already consuming backup resources, or on-board a new tenant only willing to consume replica resources. In this example, we are showing the first option, but please remember both are possible:

6.1: Assign replication resources to a tenant

Once replication resources are assigned to a tenant, new steps in the Tenant wizard are enabled. First, service provider configure replica resources:

6.2: Add a hardware plan to a tenant

Here the service provider selects the hardware plan that has been previously created for a given tenant, and assigns the plan itself to this tenant.

NOTE: we assume during the entire guide that a service provider is going to use Veeam built-in network capabilities via Network Extension Appliances. If a service provider disables this option for a tenant in this step of the wizard, different technologies need to be put in place, but they are out of the scope of this guide.

Then, the service provider configures the network extension appliance that is going to be deployed at the service provider side:

6.3: Configure networking for the Network Extension Appliance

Here there are some information that the service provider has to correctly fill in:

• name: every appliance should have a unique name in order to be easily identified and managed. We suggest to use a naming convention that should then be followed throughout the deployments;

• External network: every NEA has one external network and one or more internal network. The internal networks are configured creating different port groups, each tagged with a unique VLAN ID as explained in this guide. The external network is instead the internet-facing network of the appliance, and via this interface the NEA allows virtual machines to reach internet, and to be reached from internet (if the tenant has configured the public IP publishing rules). This external interface has to be connected to a port group that can reach internet, and where the subnet in use can be applied. In our case, we are connecting this interface on the same port group used for the external interface of the cloud gateways. In this way, during a partial failover the two components can communicate with each other, as this is a requirement to make partial failover work;

• IP address: after the port group has been selected, an IP address should be configured in accordance with the port group: here we are using a public IP address in the same subnet used by the cloud gateways. This IP address should not be in the pool configured during the creation of the Replication service, as the risk is that it could be assigned as an additional IP address to another NEA. Ideally, service providers should have two different pools, one loaded into the Cloud Connect configuration so that they can be assigned as public IP to tenants that need to publish their VMs over the internet, and another pool not loaded into Cloud Connect, but just used to configure the primary IP of each NEA.

After the network extension appliance has been configured, the service provider can assign one or more public IPs to the tenant:

6.4: Allocate public IP addresses

When all settings are confirmed and applied, the first available IP address is automatically assigned to the tenant, the Cloud Host is created, and the NEA for the tenant is deployed in the virtualized environment:

6.5: NEA deployed in the vSphere environment

We can see in the information of the VM that there are two interfaces, as we configured this hardware plan to have 1 network with internet access. External interface is connected to portgroup DPG-test_net (the shared VLAN where all the public IPs are published) while internal interface is connected to portgroup tenant.vsphere-tenant1.vlan3001.

This is a completely new port group that Cloud Connect created for this tenant, and the naming scheme is self-explaining: this is a portgroup created for tenants, specifically for vsphere-tenant1, and is using VLAN 3001. If you check figure 4.11, VLAN 3001 is the first ID of the pool assigned to network with internet access.

NOTE: the port group where the external interface is connected is considered, from a security point of view, an external and untrusted area. Connections happening outside of the external interface are considered unprotected and unfiltered, unless a service provider is using additional security procedures to monitor and protect this network.

NEA deployment at the tenant side

Depending on the different scenario a tenant may fall under, there are different moments when the corresponding Network Extension Appliance will be deployed at the tenant side:

• on a new customer consuming only replication resources, the NEA is deployed during the service provide setup wizard;
• on an existing customer already consuming backup resources, the NEA deployment is requested by Veeam Backup & Replication during the first partial failover attempt, otherwise there would be no tenant-side NEA to initiate the VPN tunnel:

Reagardless the scenario, Veeam Backup & Replication brings the customer to the corresponding section of the service provider setup wizard, where the tenant can configure his local Network Extension Appliance:

6.6: Network extension step during service provider setup wizard

The wizard tries to automatically choose the best network to connect the Network Extension Appliance too, but it’s extremely important that the tenant edits the configuration of the NEA so that it is going to be connected to the same network of the VM’s he wants to replicate towards the service provider:

6.7: Configure networking for the tenant NEA

Note: Tenant NEA has only ONE network interface. If the tenant has received from the service provider multiple networks, a different NEA will be deployed for each network. At the service provide however only one NEA with multiple interfaces will be deployed.

The NEA is deployed in the tenant vSphere environment, ready to be powered on for any partial failover activity:

6.8: Tenant NEA as seen from local vSphere environment