2.4 Cloud Gateways

Cloud gateways are the components responsible for receiving external connections from customers and tunnelling all data transmissions over a single TCP port (also UDP for DRaaS services), protected by an SSL certificate.

The cloud gateway is a Windows service, so the best platform to execute it is a modern 64-bit OS like Windows Server 2016 or 2019. The correct sizing of a cloud gateway depends on the amount of traffic the service provider expects to receive, and on the redundancy design to be realized. You should note that Veeam encryption for backup and backup copy jobs is not managed by the cloud gateways, but directly by the target data movers (WAN accelerators and/or backup repositories). Cloud gateways are responsible only for the SSL ciphering of communications and data transfers, and their compute requirements are usually low.

A single connection from a customer consumes around 512 KB of memory, so 1 GB of memory in a cloud gateway can be used to receive up to 2,000 concurrent connections. These are theoretical numbers; in real deployments you may want to limit a single cloud gateway to a smaller number of managed connections, to avoid single points of failure and bottlenecks on other resources, like the network links.

A group of cloud gateways can work in concert to create a pool. They can all receive and manage incoming connections from customers and can balance these connections between them without the help of any external load balancer. If any gateway fails, another gateway can take care of the existing connections, giving continuity to customers’ operations. This book will explain the interaction with external load balancers later.

In order to offer a reliable connection to customers, a service provider will deploy multiple cloud gateways following an N+K redundancy design. N is the minimum number of always-available gateways, and K is the number of gateways that can be lost. A typical redundancy design is N+1, where there is one more gateway than required to manage all incoming connections, so the service provider can lose up to one cloud gateway at any given time and still guarantee the planned level of service. Additional designs can be N+2 or others. Any service provider can find the right balance between the desired level of redundancy and the need to deploy additional gateways in advance.

Additional complexity in the design of cloud gateways can come from cloud gateway pools; thanks to this feature, the same Veeam Cloud Connect environment can be exposed over multiple connections in order to create complex setups. Two typical examples are Cloud Connect exposed concurrently over the public Internet and a private MPLS network, or a geo-distributed Cloud Connect. A dedicated section in chapter 3 will discuss this option in detail.

Firewall

The cloud gateway is the external component of a Veeam Cloud Connect infrastructure that is responsible for interconnecting the different customers to the services offered by the service provider over the internet. Because it faces the internet, it is imperative to properly configure the firewall rules:

Service                       Port
Veeam Cloud Gateway Service   TCP / UDP 6180 from outside
Veeam Cloud Gateway Service   TCP 6168 from VBR Server
Veeam Installer Service       TCP 6160 from VBR Server

While the cloud gateway has to talk with the managing Veeam Backup & Replication server over TCP ports 6168 and 6160, it has to be reached only with the single TCP/UDP port used by the service over the internet. By default, this port is 6180, but the service provider may customize this if customers have strict egress firewall rules.

Furthermore, additional connections are needed for the proper operation of a cloud gateway:

From           To                                        Destination Port
Cloud Gateway  SP VBR server                             TCP 6169
               Notes: SP VBR server listens to cloud commands from the tenant side. Tenant cloud commands are passed to the Veeam Cloud Connect Service via the cloud gateway.
Cloud Gateway  SP backup repository                      TCP 2500 to 3300
               Notes: Default range of ports used as transmission channels for backup jobs. For every TCP connection that a job uses, one port from this range is assigned.
Cloud Gateway  SP backup proxy                           TCP 2500 to 3300
               Notes: Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.
Cloud Gateway  Provider-side network extension appliance  UDP 1195
               Notes: Port used to establish a secure VPN connection for network extension during partial site failover. If a tenant has several IP networks, additional odd ports should be opened starting from 1195 — one port per tenant IP network. For example, 1195, 1197, 1199 to connect 3 different networks of the same tenant.

NOTE: When an SMB share or a deduplication appliance is used, the service provider backup repository is considered the backup gateway server directly connected to the device.
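As an added example (not from the book or from Veeam), the inbound rules from the first table expressed with the built-in Windows Firewall cmdlets, plus a check that the two management ports are never left open to any source. The VBR server address is a placeholder, and the service port is assumed to be the default 6180:

```powershell
# Added example: inbound Windows Firewall rules for a Veeam cloud gateway.
# Assumptions: $VbrServer is a placeholder for the managing VBR server; port 6180 is the default.
$VbrServer   = '10.0.0.10'   # placeholder: address of the service provider VBR server
$ServicePort = 6180          # default Cloud Gateway service port; change if customized

# Customer-facing service port: TCP and UDP (UDP is needed for DRaaS), reachable from the internet
New-NetFirewallRule -DisplayName 'Veeam Cloud Gateway Service (TCP)' -Direction Inbound `
    -Protocol TCP -LocalPort $ServicePort -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Veeam Cloud Gateway Service (UDP)' -Direction Inbound `
    -Protocol UDP -LocalPort $ServicePort -Action Allow -Profile Any

# Management ports: restricted to the VBR server only, never exposed to the internet
New-NetFirewallRule -DisplayName 'Veeam Cloud Gateway Service (from VBR)' -Direction Inbound `
    -Protocol TCP -LocalPort 6168 -RemoteAddress $VbrServer -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Veeam Installer Service (from VBR)' -Direction Inbound `
    -Protocol TCP -LocalPort 6160 -RemoteAddress $VbrServer -Action Allow -Profile Any

# Verification: warn about any enabled inbound Allow rule that opens 6168 or 6160 to any remote address
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
    $addrs = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
    if (($ports -contains '6168' -or $ports -contains '6160') -and ($addrs -contains 'Any')) {
        Write-Warning "Rule '$($_.DisplayName)' exposes a management port to any source address"
    }
}
```

Run the verification loop on its own periodically; it will also catch rules added outside this script.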

Monitoring

Once deployed, the cloud gateway has different services installed in the Windows machine that should be monitored to guarantee the best availability of the service:

Service Display name         Service Name       Startup Type  Log On as
Veeam Cloud Gateway Service  VeeamGateSvc       Automatic     Local System
Veeam Data Mover Service     VeeamTransportSvc  Automatic     Local System
Veeam Installer Service      VeeamDeploySvc     Automatic     Local System

Note: There are additional Veeam services deployed as part of the default installation. We ignored them in this list, as they are not involved in a Veeam Cloud Connect infrastructure.
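As an added example (not from the book or from Veeam), a health check that verifies the three services in the table against their expected state, start mode and log-on account, and confirms the gateway is listening on the customer-facing port. It assumes the default port 6180 and returns a non-zero exit code so it can be wired into a monitoring agent:

```powershell
# Added example: monitoring check for the Veeam services on a cloud gateway.
# Assumption: the service port is the default 6180; adjust if the provider customized it.
$ServicePort = 6180
$Expected = @{
    'VeeamGateSvc'      = 'Veeam Cloud Gateway Service'
    'VeeamTransportSvc' = 'Veeam Data Mover Service'
    'VeeamDeploySvc'    = 'Veeam Installer Service'
}
$problems = @()

foreach ($name in $Expected.Keys) {
    # Win32_Service exposes the start mode and the account the service logs on as
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) { $problems += "$name ($($Expected[$name])) is not installed"; continue }
    if ($svc.State -ne 'Running')         { $problems += "$name is $($svc.State), expected Running" }
    if ($svc.StartMode -ne 'Auto')        { $problems += "$name start mode is $($svc.StartMode), expected Auto" }
    if ($svc.StartName -ne 'LocalSystem') { $problems += "$name logs on as $($svc.StartName), expected LocalSystem" }
}

# The gateway service must actually be listening on the customer-facing port
$listening = Get-NetTCPConnection -LocalPort $ServicePort -State Listen -ErrorAction SilentlyContinue
if (-not $listening) { $problems += "Nothing is listening on TCP $ServicePort" }

# Established sessions on the service port are a rough load indicator (about 512 KB of memory each)
$sessions = @(Get-NetTCPConnection -LocalPort $ServicePort -State Established -ErrorAction SilentlyContinue).Count

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Cloud gateway healthy; $sessions established tenant connection(s) on TCP $ServicePort"
exit 0
```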

Protection

From a protection standpoint, a cloud gateway does not need to be backed up, because there is no persistent data on it. Additionally, a new cloud gateway can be deployed in a few minutes while the other existing cloud gateways keep serving customers.