2.5 Cloud Gateways
Cloud gateways are the components responsible for receiving external connections from customers and tunnelling all data transmissions over a single TCP port (also UDP for DRaaS services), protected by a SSL certificate.
Cloud gateway is a Windows service, so the best platform is a modern 64-bit OS like Windows Server 2016. The correct sizing of a cloud gateway depends on the amount of traffic the service provider expects to receive, and on the redundancy design to be realized. You should note that Veeam encryption for backup and backup copy jobs is not managed by the cloud gateways, but directly by the target data movers (WAN accelerators and/or backup repositories). Cloud gateways are responsible for the SSL cyphering of communications and data transfers, and their compute requirements are low.
A single connection from a customer consumes around 512 KB of memory. So, 1 GB of memory in a cloud gateway can be used to receive up to 2,000 concurrent connections.
A group of cloud gateways can work in concert to create a pool. They can all receive and manage incoming connections from customers and can balance these connections between them without the help of any external load balancer. If any gateway fails, another gateway can take care of the existing connections, giving continuity to customers’ operations. This book will explain the interaction with external load balancers later.
In order to offer a reliable connection to customers, a service provider will deploy multiple cloud gateways following a N+K redundancy design. N is the minimum number of always-available gateways, and K is the number of gateways that can be lost. A typical redundancy design is N+1, where there is one more gateway than required to manage all incoming connections, so the service provider can lose up to one cloud gateway at any given time and still guarantee the planned level of service. Additional designs can be N+2 or others. Any service provider can find the right balance between the desired level of redundancy and the need to deploy additional gateways in advance.
Additional complexity in the design of Cloud Gateways can come from Cloud Gateway pools; thanks to this feature, the same Veeam Cloud Connect environment can be exposed over multiple connections in order to create complex setup. Two typical examples are Cloud Connect exposed concurrently over public Internet and private MPLS, or a geo-distributed Cloud Connect. A dedicated section in chapter 3 will talk in details about this option.
The cloud gateway is the external component of a Veeam Cloud Connect infrastructure that is responsible for interconnecting the different customers to the services offered by the service provider over the internet. Because it faces the internet, it is imperative to properly configure the firewall rules:
|** Service**||** Port**|
|Veeam Cloud Gateway Service||TCP / UDP 6180 from outside|
|Veeam Cloud Gateway Service||TCP 6168 from VBR Server|
|Veeam Installer Service||TCP 6160 from VBR Server|
While the cloud gateway has to talk with the managing Veeam Backup & Replication server over TCP ports 6168 and 6160, it has to be reached only with the single TCP/UDP port used by the service over the internet. By default, this port is 6180, but the service provider may customize this, like using 443 if customers have strict egress firewall rules.
Furthermore, additional connections are needed for the proper operation of a cloud gateway:
|Cloud Gateway||SP VBR server||TCP 6169||SP VBR server listens to cloud commands from the tenant side. Tenant cloud commands are passed to the Veeam Cloud Connect Service via the cloud gateway|
|Cloud Gateway||SP backup repository||TCP 2500 to 5000||Default range of ports used as transmission channels for backup jobs. For every TCP connection that a job uses, one port from this range is assigned|
|Cloud Gateway||SP backup proxy||TCP 2500 to 5000||Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned|
|Cloud Gateway||Provider-side network extension appliance||UDP 1195||Port used to establish secure VPN connection for network extension during partial site failover. If a tenant has several IP networks, additional odd ports should be opened starting from 1195 — one port per tenant’s IP network. For example, 1195, 1197, 1199 to connect 3 different networks of the same tenant.|
NOTE: When an SMB share or a deduplication appliance is used, the service provider backup repository is considered the backup gateway server directly connected to the device.
Once deployed, the cloud gateway has different services installed in the Windows machine that should be monitored to guarantee the best availability of the service:
|** Service Display name**||Service Name||Startup Type||Log On as|
|Veeam Cloud Gateway Service||VeeamGateSvc||Automatic||Local System|
|Veeam Data Mover Service||VeeamTransportSvc||Automatic||Local System|
|Veeam Installer Service||VeeamDeploySvc||Automatic||Local System|
Note: There are additional Veeam services deployed as part of the default installation. We ignored them in this list, as they are not involved in a Veeam Cloud Connect infrastructure.
From a protection standpoint, a cloud gateway does not need to be saved, because there is no permanent data on it. Additionally, a new cloud gateway can be deployed in a few minutes while other existing cloud gateways are serving customers.