3.2 Security zones
The Veeam Cloud Connect environment is divided into different security zones, and different server types are placed in each zone. All the zones are protected from each other and from the outside by firewalls.
By applying different firewall rules to allow only the minimum amount of necessary connections between the different zones, the level of security is improved.
As described in the network diagram, there are four different areas:
DMZ: This area hosts the cloud gateways and an optional web portal to offer users self-service capabilities. The portal is not a Veeam component, but it can be developed by a service provider to offer self-service operations to customers. This is the only area reachable by users over a public internet connection (directly or via firewall or NAT).
Management: This area hosts the management components of Veeam Cloud Connect. This area is not reachable from outside.
Storage: This area hosts the WAN accelerators and the backup repositories. This area is not reachable from outside. A more complex design can also place WAN accelerators and repositories in two separate areas.
WAN (public): This area is the public internet or, in general, the network outside of the Veeam Cloud Connect infrastructure where tenants are supposed to connect to the cloud gateways and their cloud repositories to consume the web portal, if available.
One reason to separate the environment into several distinct security zones is that the network connections between them can be limited to a minimum. Inside the same zone, all servers are free to communicate with each other; for example, the Veeam Backup & Replication server can freely connect to Veeam Enterprise Manager.
Assume that all connections between security zones are denied unless explicitly allowed via a firewall rule. For a complete list of the required network ports, please refer to the network diagram and the additional general required ports in the Veeam Backup & Replication User Guide or in the knowledge-base article KB1518 (http://www.veeam.com/kb1518).
The two domain controllers are contacted by the Veeam Backup & Replication server and the Veeam Enterprise Manager server. Outside of the management zone, no server needs to connect to Active Directory services. All cloud gateways, WAN accelerators and Windows-based repositories will use local authentication only. This way, any security breach in these zones (especially the DMZ) will not expose Active Directory to any risk.
Additionally, this design will keep the management components of Veeam Cloud Connect isolated.
However, for easier management, all servers will be registered in the DNS service running on the domain controllers. Even the servers using local authentication will be reachable by their hostname plus the domain suffix, cloudconnect.local. For the same reason, the only connections allowed to the domain controllers from outside the management zone are those to the DNS service over TCP/UDP port 53.
This security zone hosts the cloud gateways. These components are the only ones directly reachable via public internet connections. For the best protection, a service provider should isolate this zone from both the public internet (allowing only the single TCP port needed for publishing the service) and the rest of the Veeam Cloud Connect infrastructure.
The cloud gateways need to communicate with the management zone for DNS resolution using the domain controllers (and for Active Directory operations if they are joined to the Cloud Connect internal domain). They also need to communicate with the Veeam backup server to operate the backup services, and with the storage zone so that the data mover components at the customer site can reach the WAN accelerators and repositories at the service provider site.
This security zone hosts the data movers managing all the inbound and outbound data streams. Backup repositories are the foundation on which the logical cloud repositories used by customers are created, while the (optional) WAN accelerator technology allows significant bandwidth savings for those customers who have WAN accelerators on their own side.
Both components need to communicate with the cloud gateways and, through the cloud gateways, with the customers. Additionally, they will communicate with the Veeam backup server and with the domain controllers (if the storage components have been joined to Active Directory, or simply to use their DNS services).
Direct access should be limited to a few authorized people, because an administrator can see all customers' backup files on the backup repositories. If those are not encrypted, unauthorized access to customers' data is possible.
Each security zone is isolated thanks to dedicated VLANs and firewalls that are the only entry points to and from each security zone to another, with rules limiting connections to the minimum required to operate a Veeam Cloud Connect environment.
The service provider uses one IPv4 subnet for each security zone. This allows you to write firewall rules per subnet more easily.
Security Zone | Subnet | VLAN id | Gateway
All subnets have a gateway address; these IP addresses are configured and managed by one or more firewalls. This way, every communication between the security zones is filtered.
Notice that WAN and DMZ are two distinct subnets. Because of more advanced configurations required by replication services in Chapter 4, cloud gateways will have two network connections: one in the WAN subnet and the other in the DMZ subnet. Because they are reachable from the internet and thus vulnerable to attacks, their connection to the other subnets is blocked by a firewall that only allows the minimum required ports to the other services.
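As an added example that is not part of the Veeam documentation, the following Python models the default-deny zoning described in this section (unrestricted traffic inside a zone, explicit allow rules between zones) and audits a proposed rule set against two of its principles: only the single published TCP port may enter the DMZ from the WAN, and only DNS on TCP/UDP 53 may reach the domain controllers from outside the management zone. The subnets, the domain controller addresses and the published port number are constructed assumptions, not values from this document.

```python
import ipaddress
from collections import namedtuple

# Constructed sample addressing: the section's subnet table did not survive
# extraction, so these subnets and host addresses are assumptions, not Veeam's.
ZONES = {
    "WAN":        ipaddress.ip_network("203.0.113.0/24"),
    "DMZ":        ipaddress.ip_network("10.10.10.0/24"),
    "Management": ipaddress.ip_network("10.10.20.0/24"),
    "Storage":    ipaddress.ip_network("10.10.30.0/24"),
}
DOMAIN_CONTROLLERS = ipaddress.ip_network("10.10.20.8/30")  # constructed: the two DCs
PUBLISHED_TCP_PORT = 6180  # assumption: the single TCP port the cloud gateways publish
DNS_PORT = 53

# A rule allows one source zone to reach a destination network (a zone subnet
# or something narrower, such as the DC hosts) on one protocol and port.
Rule = namedtuple("Rule", "src dst proto dport")

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def is_allowed(rules, src_ip, dst_ip, proto, dport):
    """Default deny between zones; traffic inside one zone is unrestricted."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s is None or d is None:
        return False
    if s == d:
        return True
    dst = ipaddress.ip_address(dst_ip)
    return any(r.src == s and dst in r.dst and r.proto == proto.lower()
               and r.dport == dport for r in rules)

def audit(rules):
    """Flag rules that contradict the zoning principles in this section."""
    findings = []
    for r in rules:
        if r.src == "WAN" and not (r.dst.subnet_of(ZONES["DMZ"])
                                   and (r.proto, r.dport) == ("tcp", PUBLISHED_TCP_PORT)):
            findings.append(f"{r}: WAN may only reach the DMZ on the published TCP port")
        if (r.src != "Management" and r.dst.overlaps(DOMAIN_CONTROLLERS)
                and r.dport != DNS_PORT):
            findings.append(f"{r}: only DNS (TCP/UDP 53) may reach the domain controllers")
    return findings

# Baseline derived from the section: publish the gateways, allow DNS lookups only.
BASELINE = [Rule("WAN", ZONES["DMZ"], "tcp", PUBLISHED_TCP_PORT)] + [
    Rule(z, DOMAIN_CONTROLLERS, p, DNS_PORT) for z in ("DMZ", "Storage") for p in ("tcp", "udp")]
```

Running `audit` over a rule set before it is pushed to the firewalls catches rules that would expose the domain controllers or widen the WAN entry point; `is_allowed` answers the same question for a single flow.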