3.3 Cloud gateways

A Veeam Cloud Connect infrastructure requires at least one cloud gateway, but, as explained previously, multiple gateways are mandatory for a reliable solution. In this scenario you will deploy three cloud gateways, giving 2+1 redundancy: three gateways accept and manage incoming connections, and if any one of them fails there are still two available, so load balancing and redundancy are guaranteed even in a degraded state. Three gateways also allow maintenance activities (patching, hardware maintenance, upgrades, etc.) on any one of them while two keep running.

GTW1
  Server name           gtw1.cloudconnect.local
  IP address (DMZ)      172.27.218.35
  IP address (WAN)      203.0.113.35
  Operating system      Windows Server 2022
  Installed components  Veeam Cloud Gateway
  vCPU                  4
  RAM                   8 GB
  Disk                  40 GB

GTW2
  Server name           gtw2.cloudconnect.local
  IP address (DMZ)      172.27.218.36
  IP address (WAN)      203.0.113.36
  Operating system      Windows Server 2022
  Installed components  Veeam Cloud Gateway
  vCPU                  4
  RAM                   8 GB
  Disk                  40 GB

GTW3
  Server name           gtw3.cloudconnect.local
  IP address (DMZ)      172.27.218.37
  IP address (WAN)      203.0.113.37
  Operating system      Windows Server 2022
  Installed components  Veeam Cloud Gateway
  vCPU                  4
  RAM                   8 GB
  Disk                  40 GB

For cloud gateway sizing, a service provider should follow these recommendations:

CPU: 4 vCPUs or cores can handle a bandwidth of up to 10 Gbit/s.

RAM: around 512 KB of RAM is consumed per connection. From a load perspective, it is suggested to limit a gateway to 1,000 connections, adding more gateway instances when the total number of connections exceeds this value.

With 1,000 connections, the memory requirement of the cloud gateway service is around 512 MB; the requirements of the underlying operating system must be added to this value, hence the 4 GB minimum suggested here. The gateways in this design are provisioned with 8 GB.

Cloud gateways networking

Cloud gateway networking is configured in a specific way in this guide. Service providers may decide to follow this example or to create a different configuration.

Each cloud gateway server has two network connections, one on the public WAN network and one in the DMZ. The external interface is configured with a public IP address and is reachable directly from the tenants' side. Both the Windows Firewall on the machine and the external firewall protecting this subnet allow inbound connections only to TCP/UDP 6180, the default port of the Veeam Cloud Gateway service.

As can be seen on one of the gateways, the network connections are configured like this:

3.4: Cloud gateway WAN link configuration

Only Internet Protocol Version 4 (TCP/IPv4) is enabled; every other protocol and service bound by default to a Windows connection has been disabled. Also, inside the TCP/IPv4 configuration, NetBIOS over TCP/IP has been disabled. The WAN connection has the default gateway configured but no DNS servers, because DNS is configured on the DMZ connection:

3.5: Cloud gateway Internal link configuration

Because a Windows server should have only one default gateway, and it is configured on the WAN connection, persistent routes are needed to steer traffic towards the other Cloud Connect components through the DMZ network:

Persistent Routes:
  Network Address   Netmask          Gateway Address   Metric
  0.0.0.0           0.0.0.0          185.56.139.33     Default
  172.27.217.0      255.255.255.0    172.27.218.254    1
  172.27.219.0      255.255.255.0    172.27.218.254    1

The first one is the default route and uses the WAN connection. The other two allow the cloud gateway to connect back to the management network (172.27.217.0/24) and to the storage network (172.27.219.0/24) through the DMZ connection. To create these two routes, run the following commands from an elevated Windows command prompt:

route add 172.27.217.0 mask 255.255.255.0 172.27.218.254 -p

route add 172.27.219.0 mask 255.255.255.0 172.27.218.254 -p

172.27.218.254 is the IP address of the firewall that connects the DMZ subnet to the other subnets and segregates it from them. Only the minimum set of required connections is allowed from the DMZ to the management and storage networks.
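The two-NIC configuration described above can be applied in one pass with PowerShell instead of clicking through the adapter properties. The script below is an added example and not part of the guide or of Veeam's own tooling; it uses the gtw1 values from this section, while the adapter aliases 'WAN' and 'DMZ' and the DNS server address on the management network are assumptions to adapt to your hosts.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the guide): harden the WAN NIC of a cloud gateway, add the
# persistent routes towards the internal networks and restrict the host firewall on the
# WAN side to the cloud gateway port. Adapter aliases and the DNS server are assumptions.
$Wan          = 'WAN'
$Dmz          = 'DMZ'
$DmzFirewall  = '172.27.218.254'                          # firewall that segregates the DMZ
$DmzDnsServer = '172.27.217.10'                           # assumed DNS server on the management network
$InternalNets = '172.27.217.0/24', '172.27.219.0/24'      # management and storage networks

# 1. WAN NIC: leave only IPv4 bound. Unbind IPv6, SMB client/server, LLDP/LLTD and the QoS scheduler.
$unwanted = 'ms_tcpip6', 'ms_msclient', 'ms_server', 'ms_lldp', 'ms_lltdio', 'ms_rspndr', 'ms_pacer'
foreach ($id in $unwanted) {
    Disable-NetAdapterBinding -Name $Wan -ComponentID $id -ErrorAction SilentlyContinue
}

# 2. WAN NIC: disable NetBIOS over TCP/IP (TcpipNetbiosOptions 2 = disabled).
$wanIndex = (Get-NetAdapter -Name $Wan).InterfaceIndex
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $wanIndex" |
    Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

# 3. DNS servers only on the DMZ NIC; the WAN NIC keeps the default gateway but no resolvers.
Set-DnsClientServerAddress -InterfaceAlias $Wan -ResetServerAddresses
Set-DnsClientServerAddress -InterfaceAlias $Dmz -ServerAddresses $DmzDnsServer

# 4. Persistent routes to the internal networks through the DMZ firewall
#    (New-NetRoute stores the route persistently, like 'route add ... -p').
foreach ($prefix in $InternalNets) {
    if (-not (Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $Dmz -NextHop $DmzFirewall -RouteMetric 1 | Out-Null
    }
}

# 5. Host firewall: treat the WAN NIC as a Public network, block inbound by default and
#    allow only the Veeam Cloud Gateway port 6180 (TCP and UDP) on that interface.
Set-NetConnectionProfile -InterfaceAlias $Wan -NetworkCategory Public
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block
foreach ($proto in 'TCP', 'UDP') {
    $rule = "Veeam Cloud Gateway $proto 6180 (WAN)"
    if (-not (Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule -Direction Inbound -Protocol $proto -LocalPort 6180 `
            -InterfaceAlias $Wan -Profile Public -Action Allow | Out-Null
    }
}

# 6. Show what is left: enabled bindings on the WAN NIC and the routes that matter.
Get-NetAdapterBinding -Name $Wan | Where-Object Enabled | Select-Object Name, ComponentID
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -in ($InternalNets + '0.0.0.0/0') } |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
```

The firewall rule is scoped to the WAN interface on purpose: the rules the Veeam installer creates are not interface-bound, so this one restricts what is reachable from the public side without touching what the DMZ side needs. Run the script on each of the three gateways with its own addresses, then confirm with `route print` that the two persistent routes appear as in the table above.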

DoS protection

The cloud gateway is directly exposed to the internet. To protect it from DoS (Denial of Service) attacks that try to exhaust all available connections, the component has default limits on the number of connections it accepts:

Number of connections from the same IP address: 64

Total number of connections: 1024

Service providers can tune these values on each cloud gateway. Refer to Section 8.5 to learn more about them.

Remember that each cloud gateway is a single failure domain: one thousand connections lost because a cloud gateway failed will impact several tenants. A service provider should evaluate this scenario carefully and deploy multiple cloud gateways to spread the connections over a larger number of smaller failure domains. Three gateways are a good choice for many Cloud Connect deployments.
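Because the limits are enforced silently by the gateway, a service provider should watch how close each gateway is to them. The following script is an added example, not part of the guide or of the Veeam product: it counts established TCP sockets on port 6180 as a proxy for gateway connections and flags sources approaching the defaults. The warning threshold is an assumption, and the limits must match whatever values you set per Section 8.5.

```powershell
# Added example (not from the guide): report established connections on a cloud gateway
# against the default per-IP and total limits. TCP sockets on 6180 approximate gateway
# connections; $WarnAt (75 % of a limit) is an assumed threshold.
$Port       = 6180
$PerIpLimit = 64
$TotalLimit = 1024
$WarnAt     = 0.75

$conns  = @(Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue)
$total  = $conns.Count
$status = if ($total -ge $TotalLimit) { 'AT LIMIT' }
          elseif ($total -ge $WarnAt * $TotalLimit) { 'WARN' }
          else { 'ok' }
'{0}: {1} established connections on TCP {2} (limit {3}) [{4}]' -f $env:COMPUTERNAME, $total, $Port, $TotalLimit, $status

# Per source address: a tenant whose proxies all sit behind one NAT address reaches the
# 64-per-IP limit long before the gateway-wide one, so list the top talkers separately.
$conns | Group-Object RemoteAddress | Sort-Object Count -Descending | Select-Object -First 10 | ForEach-Object {
    $flag = if ($_.Count -ge $PerIpLimit) { 'AT LIMIT' }
            elseif ($_.Count -ge $WarnAt * $PerIpLimit) { 'WARN' }
            else { 'ok' }
    [pscustomobject]@{ RemoteAddress = $_.Name; Connections = $_.Count; Status = $flag }
} | Format-Table -AutoSize
```

Run it from a scheduled task on each gateway and forward the output to your monitoring system; a tenant that legitimately sits near the per-IP limit is the signal to raise that limit for that gateway, while a sudden jump in total connections from many unknown addresses is the DoS pattern the defaults are there to absorb.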

Installation

Once the three cloud gateways have been added to the backup infrastructure as managed Windows servers, the service provider deploys the cloud gateway component on each of them. The procedure is quick and must be repeated for all three gateways. The detailed steps are described in the corresponding section of the User Guide; here we highlight the step where the connection mode is chosen:

3.6: Select the desired networking mode for the cloud gateway

This guide suggests using direct mode. Direct mode exposes a cloud gateway directly to the Internet, with a public IP address configured on the gateway machine itself; in NAT mode the gateway has only a private address and a NAT device in front of it forwards the public address and port to it. Veeam Cloud Connect fully supports both deployment modes, and service providers should protect the cloud gateways properly (behind a firewall or with other methods) regardless of which mode is used.

When configuring the cloud gateways in NAT mode, the wizard must be filled in with the external DNS name and NAT address that tenants will use to reach the gateway. In our environment the mappings would be:

  HOST                      INTERNAL IP     DNS HOST                     NAT IP
  gtw1.cloudconnect.local   10.10.111.35    gtw1.virtualtothecore.com    185.56.139.35
  gtw2.cloudconnect.local   10.10.111.36    gtw2.virtualtothecore.com    185.56.139.36
  gtw3.cloudconnect.local   10.10.111.37    gtw3.virtualtothecore.com    185.56.139.37

Also, in NAT mode, be careful about which DNS name is entered in the wizard. The generic name cc.virtualtothecore.com, used for DNS round robin, is the one sent to tenants and used to configure the client side of Cloud Connect; but in the configuration of each cloud gateway, the gateway's own specific DNS name must be set, like this:

3.7: Configure the proper DNS name for NAT mode

Once the DNS A (host) records for the round-robin name are configured with all the public IP addresses, the internet-facing part of Veeam Cloud Connect is ready.
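Before handing the round-robin name to tenants, it is worth checking from outside the provider network that DNS and the firewalls behave as described in this section. The script below is an added example, not part of the guide; the names and addresses are the NAT-mode mapping from the table above, and the list of management ports that must stay closed is an assumption.

```powershell
# Added example (not from the guide): run from a host on the internet side to verify the
# round-robin name, each gateway's own name, and that only port 6180 answers on each
# public address. $MustBeClosed is an assumed list of ports that must not be exposed.
$RoundRobinName = 'cc.virtualtothecore.com'
$Gateways = [ordered]@{
    'gtw1.virtualtothecore.com' = '185.56.139.35'
    'gtw2.virtualtothecore.com' = '185.56.139.36'
    'gtw3.virtualtothecore.com' = '185.56.139.37'
}
$GatewayPort  = 6180
$MustBeClosed = 3389, 445, 135, 5985

function Get-ARecords([string]$Name) {
    @(Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop | Where-Object Type -eq 'A') |
        ForEach-Object IPAddress | Sort-Object
}

# 1. The round-robin name must hand out every gateway address and nothing else.
$answers  = Get-ARecords $RoundRobinName
$expected = @($Gateways.Values) | Sort-Object
if (Compare-Object $answers $expected) {
    Write-Warning "$RoundRobinName returns [$($answers -join ', ')], expected [$($expected -join ', ')]"
} else {
    "OK: $RoundRobinName -> $($answers -join ', ')"
}

# 2. Each gateway name must resolve to its own address, answer on 6180 and on nothing else.
foreach ($name in $Gateways.Keys) {
    $ip       = $Gateways[$name]
    $resolved = Get-ARecords $name
    if ($resolved -notcontains $ip) {
        Write-Warning "$name resolves to [$($resolved -join ', ')], expected $ip"
    }
    $open  = (Test-NetConnection -ComputerName $ip -Port $GatewayPort -WarningAction SilentlyContinue).TcpTestSucceeded
    $leaks = $MustBeClosed | Where-Object {
        (Test-NetConnection -ComputerName $ip -Port $_ -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{ Gateway = $name; IP = $ip; Port6180 = $open; ExposedPorts = ($leaks -join ', ') }
}
```

A port the external firewall drops will time out rather than be refused, so the checks against closed ports take a while; that is the expected result. Any entry in ExposedPorts, or a gateway whose address is missing from the round-robin answer, should be fixed before tenants are onboarded, since the round-robin name is exactly what they will configure on their side.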