3.1 Security zones

The Veeam Cloud Connect environment is divided into different security zones, and different server types are placed in each zone. All the zones are protected from each other and from the outside by firewalls.

By applying firewall rules that allow only the minimum set of connections required between the zones, the security of the whole environment is improved: a compromise of one zone does not automatically grant a path into the others.

There are four different zones:

  • DMZ: This area hosts the cloud gateways. It is the only area reachable by users over a public internet connection (directly, or through a firewall or NAT).

  • Management: This area hosts the management components of Veeam Cloud Connect. This area is not reachable from outside.

  • Storage: This area hosts the WAN accelerators and the backup repositories. This area is not reachable from outside. A more complex design can also place WAN accelerators and repositories in two separate areas.

  • WAN (public): This area is the public internet or, in general, the network outside of the Veeam Cloud Connect infrastructure where tenants are supposed to connect to the cloud gateways.

Firewall considerations

One of the reasons to separate the environment into several distinct security zones is to limit the network connections between them to a minimum. Inside the same zone, all servers are free to communicate with each other.

This design assumes that all connections between security zones are denied unless explicitly allowed by a firewall rule. For the complete list of required network ports, refer to section 2.13, Networking and ports, and to the additional required ports listed in the Veeam Cloud Connect User Guide.

Management zone

The DNS servers are contacted by all the Veeam servers and by all the other components. Aside from DNS, no server outside of the management zone needs to connect to management servers. All servers use local authentication only, with unique credentials per server, so a credential captured in one zone cannot be replayed against another. In this way, a security breach in another zone (especially the DMZ) does not directly expose the management servers.

Additionally, this design will keep the management components of Veeam Cloud Connect isolated.

All servers are registered in the DNS services running in the management zone. They will be reachable using their hostname and the domain suffix, cloudconnect.local.

DMZ zone

This security zone hosts the cloud gateways. These components are the only ones directly reachable via public internet connections. For the best protection, a service provider should isolate this zone from both the public internet (allowing only the single TCP/UDP port needed to publish the service) and the rest of the Veeam Cloud Connect infrastructure.

The cloud gateways need to communicate with the management zone for DNS resolution. They also need to communicate with the Veeam backup server to operate the backup services and to the storage zone to allow communication between the data mover components at the customer site and the WAN accelerators and repositories at the service provider site.

Storage zone

This security zone hosts the data movers managing all the inbound and outbound data streams. Backup repositories are the foundation to create the cloud repositories, while the (optional) WAN accelerator technology allows important bandwidth savings for those customers who have WAN accelerators on their own side.

Both components need to communicate with cloud gateways and through the cloud gateways to the customers. Additionally, they will communicate with the Veeam backup server and with the DNS servers.

Direct access should be limited to a few authorized people, because an administrator can see all customers' backup files stored on the backup repositories. If those backups are not encrypted, unauthorized access to customers' data is possible.

Object storage used for Direct Backup to Object Storage could be placed into this zone, or potentially in a dedicated zone, since it is directly exposed over internet as in a DMZ environment.

Subnets

Each security zone is isolated thanks to dedicated VLANs and firewalls that are the only entry points to and from each security zone to another, with rules limiting connections to the minimum required to operate a Veeam Cloud Connect environment.

The service provider uses one IPv4 subnet for each security zone. This makes it easier to write firewall rules per subnet.

Security zone   Subnet            VLAN ID   Gateway
WAN             203.0.113.0/24    3         203.0.113.1
DMZ             172.27.218.0/24   218       172.27.218.254
Management      172.27.217.0/24   217       172.27.217.254
Storage         172.27.219.0/24   219       172.27.219.254

All subnets have a gateway address; these IP addresses are configured and managed by one or more firewalls. This way, every communication between the security zones is filtered.
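The following is an added example, not code from this document or from Veeam. It models the policy described in the "Firewall considerations" paragraph and in the zone descriptions above as a default-deny allow-list over the subnets of the table: traffic inside an internal zone is free, every cross-zone flow must match a rule, and anything else is dropped. The port numbers (the published cloud gateway port, the backup server's component management port, the data mover port range) are assumptions for illustration only; the real list is in section 2.13 and the User Guide. The example also assumes the published service is NATed from the WAN to the gateway's DMZ address, and that the backup server initiates the connections to the DMZ and Storage zones, which is what keeps the management zone unreachable from outside.

```python
"""Zone-to-zone firewall policy for the Veeam Cloud Connect layout described
on this page: default deny between zones, allow-list of the minimum flows.
Added example, not Veeam code; port numbers below are assumptions."""
import ipaddress
from dataclasses import dataclass

# Subnets from the page's table. Each subnet's default gateway is the
# firewall, so every flow that crosses a subnet boundary is filtered.
ZONES = {
    "WAN": ipaddress.ip_network("203.0.113.0/24"),
    "DMZ": ipaddress.ip_network("172.27.218.0/24"),
    "Management": ipaddress.ip_network("172.27.217.0/24"),
    "Storage": ipaddress.ip_network("172.27.219.0/24"),
}
# Servers inside one of these zones may talk to each other freely.
# The WAN is never trusted, not even for WAN-to-WAN traffic.
INTERNAL_ZONES = {"DMZ", "Management", "Storage"}

# Assumed port numbers, for illustration only: the real list lives in
# section 2.13 and the Veeam Cloud Connect User Guide.
DNS = 53
CLOUD_GATEWAY_PORT = 6180             # assumed: the single port published to tenants
COMPONENT_MGMT_PORT = 6160            # assumed: backup server -> managed components
DATA_MOVER_PORTS = range(2500, 3301)  # assumed: gateway -> data movers in Storage


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: range
    purpose: str


def port(p: int) -> range:
    return range(p, p + 1)


# Allow-list. Anything not matched here is dropped by the firewall.
# Direction matters: the backup server connects out to the DMZ and Storage
# zones, so nothing outside Management ever has to open a connection to it.
ALLOW = [
    Rule("WAN", "DMZ", "tcp", port(CLOUD_GATEWAY_PORT), "tenant -> cloud gateway"),
    Rule("DMZ", "Management", "udp", port(DNS), "name resolution"),
    Rule("DMZ", "Management", "tcp", port(DNS), "name resolution"),
    Rule("Storage", "Management", "udp", port(DNS), "name resolution"),
    Rule("Storage", "Management", "tcp", port(DNS), "name resolution"),
    Rule("Management", "DMZ", "tcp", port(COMPONENT_MGMT_PORT), "backup server -> gateway"),
    Rule("Management", "Storage", "tcp", port(COMPONENT_MGMT_PORT), "backup server -> repo/WAN accelerator"),
    Rule("DMZ", "Storage", "tcp", DATA_MOVER_PORTS, "gateway -> data movers"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone. Anything outside the provider's own
    subnets is the public internet, i.e. the WAN zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Return (allowed, reason) for one flow, the way the zone firewall decides it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src in INTERNAL_ZONES:
        return True, f"intra-zone traffic inside {src}"
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto) == (src, dst, proto) and dport in r.dports:
            return True, f"{src} -> {dst}: {r.purpose}"
    return False, f"{src} -> {dst} {proto}/{dport}: no matching rule, default deny"


def to_nftables() -> list:
    """Render the allow-list as nftables forward-chain rules. WAN rules match
    any source, because tenants come from arbitrary internet addresses."""
    lines = []
    for r in ALLOW:
        dports = (str(r.dports.start) if len(r.dports) == 1
                  else f"{r.dports.start}-{r.dports[-1]}")
        src = "" if r.src_zone == "WAN" else f"ip saddr {ZONES[r.src_zone]} "
        lines.append(f'{src}ip daddr {ZONES[r.dst_zone]} {r.proto} dport {dports} '
                     f'accept comment "{r.purpose}"')
    return lines


if __name__ == "__main__":
    # Constructed sample flows: a tenant on the internet, and hosts in each zone.
    for flow in [("198.51.100.7", "172.27.218.10", "tcp", CLOUD_GATEWAY_PORT),
                 ("198.51.100.7", "172.27.219.10", "tcp", 2500),
                 ("172.27.218.10", "172.27.217.5", "udp", DNS),
                 ("172.27.218.10", "172.27.217.5", "tcp", 3389),
                 ("172.27.219.10", "172.27.219.11", "tcp", 445)]:
        print(flow, *is_allowed(*flow))
    print("\n".join(to_nftables()))
```

The flows worth checking against this model are the ones the page calls out: a tenant reaching the gateway's published port is allowed, the same tenant reaching a repository directly is denied, and a compromised gateway can resolve names against Management but cannot open an administrative session there.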

Notice that WAN and DMZ are two distinct subnets. Because of the more advanced configurations required by the replication services in Chapter 4, cloud gateways have two network connections: one in the WAN subnet and the other in the DMZ subnet. Since they are reachable from the internet and therefore exposed to attack, their connection to the other subnets is blocked by a firewall that allows only the minimum required ports towards the other services.

A final consideration about performance: the firewall that controls the traffic flowing between the subnets can become a serious bottleneck if not properly sized. A good design must account for the amount of traffic crossing between the DMZ zone and the Storage zone, as all backup data arrives at the cloud gateways and is forwarded to the repositories and WAN accelerators.