3.2 Security zones

The Veeam Cloud Connect environment is divided into different security zones, and different server types are placed in each zone. All the zones are protected from each other and from the outside by firewalls.

Applying firewall rules that allow only the minimum set of connections required between zones raises the level of security: a compromised host in one zone cannot freely reach hosts in another.

As described in the network diagram, there are four different areas:

  • DMZ: This area hosts the cloud gateways. This is the only area connected and reachable from users via a public internet connection (directly or via firewall or NAT).

  • Management: This area hosts the management components of Veeam Cloud Connect. This area is not reachable from outside.

  • Storage: This area hosts the WAN accelerators and the backup repositories. This area is not reachable from outside. A more complex design can also split WAN accelerators and repositories into two separate areas.

  • WAN (public): This area is the public internet or, in general, the network outside of the Veeam Cloud Connect infrastructure where tenants are supposed to connect to the cloud gateways.

Firewall considerations

One of the reasons to separate the environment into several distinct security zones is to limit the network connections between them to a minimum. Inside the same zone, all servers are free to communicate with each other.

This design assumes that all connections between security zones are denied unless explicitly allowed via a firewall rule. For a complete list of the required network ports, please refer to the network diagram and the additional general required ports in the Veeam Backup & Replication User Guide.

Management zone

The domain controllers are contacted by the Veeam Backup & Replication server. Outside of the management zone, no server needs to connect to Active Directory services. All cloud gateways, WAN accelerators and Windows-based repositories use local authentication only. This way, a security breach in any of these zones (especially the DMZ) does not expose Active Directory services or credentials.

Additionally, this design will keep the management components of Veeam Cloud Connect isolated.

However, for easier management, all servers are registered in the DNS service running on the domain controllers. Even the servers that use local authentication are reachable by hostname with the domain suffix cloudconnect.local. For the same reason, the only connections allowed to the domain controllers from the other zones are DNS queries over TCP and UDP port 53.

DMZ zone

This security zone hosts the cloud gateways. These components are the only ones directly reachable via public internet connections. For the best protection, a service provider should isolate this zone from both public internet (allowing only the single TCP port needed for publishing the service) and the rest of the Veeam Cloud Connect infrastructure.

The cloud gateways need to communicate with the management zone for DNS resolution using the domain controllers. They also need to communicate with the Veeam backup server to operate the backup services, and with the storage zone to allow communication between the data mover components at the customer site and the WAN accelerators and repositories at the service provider site.

Storage zone

This security zone hosts the data movers managing all the inbound and outbound data streams. Backup repositories are the foundation on which cloud repositories are created, while the (optional) WAN accelerator technology can substantially reduce bandwidth usage for those customers who deploy a WAN accelerator on their own side.

Both components need to communicate with cloud gateways and through the cloud gateways to the customers. Additionally, they will communicate with the Veeam backup server and with the domain controllers to use their DNS services.

Direct access to this zone should be limited to a few authorized people, because an administrator can see all customers' backup files stored on the backup repositories. If those backups are not encrypted, unauthorized access to customers' data is possible.

Subnets

Each security zone is isolated on a dedicated VLAN; firewalls are the only entry points from one security zone to another, with rules limiting connections to the minimum required to operate a Veeam Cloud Connect environment.

The service provider uses one IPv4 subnet for each security zone. This makes it easier to write firewall rules per subnet.

Security Zone   Subnet              VLAN id   Gateway
WAN             185.56.139.32/29    6         185.56.139.33
DMZ             10.10.111.0/24      111       10.10.111.1
Management      10.10.51.0/24       51        10.10.51.1
Storage         10.10.110.0/24      110       10.10.110.1

All subnets have a gateway address; these IP addresses are configured and managed by one or more firewalls. This way, every communication between the security zones is filtered.

Note that WAN and DMZ are two distinct subnets. Because of the more advanced configuration required by the replication services described in Chapter 4, cloud gateways have two network connections: one in the WAN subnet and the other in the DMZ subnet. Because they are reachable from the internet and thus exposed to attacks, their connection to the other subnets is blocked by a firewall that only allows the minimum required ports to the other services.
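The deny-by-default policy from "Firewall considerations", the DNS-only exception toward the domain controllers from "Management zone", and the subnet table above can be captured in a small script, which makes the policy reviewable and testable before it is typed into a firewall. The following is an added example (not code from Veeam or from this reference architecture): it models the four zones from the table, the flows named in the text, answers whether a given connection would pass the inter-zone firewall, and renders the equivalent nftables forward chain with a drop policy. The host addresses, the direction of the Veeam control connections, and every port except TCP/UDP 53 are assumptions; replace them with the ports listed in the Veeam Backup & Replication User Guide and the addresses from your own network diagram.

```python
"""Deny-by-default zone policy for the Cloud Connect layout above (added example).
Subnets come from the table in this section. Host addresses, the direction of the
Veeam control connections and every port except 53 are ASSUMPTIONS."""
import ipaddress
from dataclasses import dataclass

# Subnets exactly as in the table. Any address outside these networks is treated
# as the public internet, which the text groups into the WAN zone.
ZONES = {
    "DMZ": ipaddress.ip_network("10.10.111.0/24"),
    "Management": ipaddress.ip_network("10.10.51.0/24"),
    "Storage": ipaddress.ip_network("10.10.110.0/24"),
    "WAN": ipaddress.ip_network("185.56.139.32/29"),
}
INTERNAL_ZONES = {"DMZ", "Management", "Storage"}  # hosts talk freely inside these

# Assumed host addresses, chosen inside the table's subnets.
DC_DNS = ("10.10.51.10", "10.10.51.11")            # domain controllers = DNS servers
BACKUP_SERVER = ("10.10.51.20",)                   # Veeam Backup & Replication server
GATEWAYS_DMZ = ("10.10.111.10", "10.10.111.11")    # cloud gateways, DMZ-side NIC
GATEWAYS_WAN = ("185.56.139.34", "185.56.139.35")  # cloud gateways, WAN-side NIC
STORAGE = ("10.10.110.10", "10.10.110.11")         # WAN accelerator and repository
ANY = ("0.0.0.0/0",)

# Assumed ports: only 53 is named in the text; take the rest from the User Guide.
DNS = frozenset({53})
GATEWAY_PORT = frozenset({6180})                      # the single published TCP port
VEEAM_CONTROL_PORTS = frozenset({6160})               # backup server -> managed hosts
DATA_MOVER_PORTS = frozenset(range(2500, 3301))       # gateway -> data movers

@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple          # addresses/CIDRs allowed to open the connection
    dst: tuple
    proto: str          # "tcp" or "udp"
    dports: frozenset

# Everything not listed here is dropped by the inter-zone firewall.
RULES = [
    Rule("tenants to published gateway port", ANY, GATEWAYS_WAN, "tcp", GATEWAY_PORT),
    Rule("gateway DNS (tcp)", GATEWAYS_DMZ, DC_DNS, "tcp", DNS),
    Rule("gateway DNS (udp)", GATEWAYS_DMZ, DC_DNS, "udp", DNS),
    Rule("storage DNS (tcp)", STORAGE, DC_DNS, "tcp", DNS),
    Rule("storage DNS (udp)", STORAGE, DC_DNS, "udp", DNS),
    Rule("backup server manages gateways", BACKUP_SERVER, GATEWAYS_DMZ, "tcp", VEEAM_CONTROL_PORTS),
    Rule("backup server manages storage", BACKUP_SERVER, STORAGE, "tcp", VEEAM_CONTROL_PORTS),
    Rule("gateway to data movers", GATEWAYS_DMZ, STORAGE, "tcp", DATA_MOVER_PORTS),
]

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"  # the text defines WAN as "the public internet in general"

def _matches(ip: str, entries: tuple) -> bool:
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(e) for e in entries)

def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Would a new connection src -> dst:dport pass the zone firewall?"""
    zs, zd = zone_of(src), zone_of(dst)
    if zs == zd and zs in INTERNAL_ZONES:
        return True  # no firewall between hosts of one internal zone
    return any(r.proto == proto and dport in r.dports
               and _matches(src, r.src) and _matches(dst, r.dst) for r in RULES)

def externally_reachable() -> list:
    """Names of rules a source outside the internal zones can match. Per the text
    only the published gateway port should appear here."""
    internal = lambda cidr: any(
        ipaddress.ip_network(cidr).subnet_of(ZONES[z]) for z in INTERNAL_ZONES)
    return [r.name for r in RULES if not all(internal(s) for s in r.src)]

def _port_expr(ports: frozenset) -> str:
    lo, hi = min(ports), max(ports)
    if len(ports) > 1 and hi - lo + 1 == len(ports):
        return f"{lo}-{hi}"
    return "{ " + ", ".join(str(p) for p in sorted(ports)) + " }"

def render_nftables() -> str:
    """Render RULES as an nftables forward chain with a drop policy."""
    lines = ["table inet cloudconnect {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in RULES:
        src = "" if r.src == ANY else f"ip saddr {{ {', '.join(r.src)} }} "
        lines.append(f"    {src}ip daddr {{ {', '.join(r.dst)} }} "
                     f"{r.proto} dport {_port_expr(r.dports)} accept comment \"{r.name}\"")
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_nftables())
```

Running the file prints the ruleset. The checks worth keeping in a review are is_allowed() against the flows you expect (a tenant reaching the published port, a gateway querying DNS, and the negative cases such as a gateway trying LDAP or a public address reaching the storage subnet) and externally_reachable(), which should list nothing but the published gateway port.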

A final consideration about performance: the firewall that controls the traffic flowing between the subnets can become a serious bottleneck if not properly sized. A good design must account for the amount of traffic crossing between the DMZ zone and the Storage zone, as all backup data arrives at the cloud gateways and is then sent on to the repositories and WAN accelerators.