3.4 Cloud gateways

A Veeam Cloud Connect infrastructure requires at least one cloud gateway, but as explained previously, multiple gateways are needed to deploy a reliable solution. In this scenario you will deploy three cloud gateways to obtain 2+1 redundancy: three gateways accept and manage incoming connections, and if any one of them fails there are still two available gateways, thus guaranteeing load balancing and redundancy even in a degraded situation. Three gateways also allow maintenance activities on any one of them (patching, hardware maintenance, upgrades, etc.) while always leaving two running gateways.

                      GTW1                      GTW2                      GTW3
Server name           gtw1.cloudconnect.local   gtw2.cloudconnect.local   gtw3.cloudconnect.local
IP address (DMZ)      10.10.111.35              10.10.111.36              10.10.111.37
IP address (WAN)      185.56.139.35             185.56.139.36             185.56.139.37
Operating system      Windows Server 2019       Windows Server 2019       Windows Server 2019
Installed components  Veeam Cloud Gateway       Veeam Cloud Gateway       Veeam Cloud Gateway
vCPU                  2                         2                         2
RAM                   2 GB                      2 GB                      2 GB
Disk                  40 GB                     40 GB                     40 GB

For cloud gateway sizing, a service provider should follow these recommendations:

CPU: 2 vCPUs or cores can manage a bandwidth of up to 10 Gbit/s.

RAM: around 512 KB of RAM is consumed per connection. From a load perspective it is suggested to limit a gateway to 1,000 connections, adding further instances when the total number of connections exceeds this value.

With 1,000 connections the memory requirement of the cloud gateway service is around 512 MB; the requirements of the underlying OS must be added to this value, hence the suggested 2 GB.

Cloud gateways networking

Cloud gateway networking is configured in a specific way in this guide. Service providers may decide to follow this example or to create a different configuration.

Each cloud gateway server has two network connections, one to the public WAN network and one to the DMZ. This way the external interface can be configured with a public IP and be reached directly from the tenants' side. The Windows firewall on the machine and the external firewall protecting this subnet allow inbound connections only to TCP/UDP 6180, the default port of the Veeam Cloud Connect service.

As can be observed on one of the gateways, the network connection is configured like this:


3.6: Cloud gateway WAN link configuration

Only TCP/IPv4 is enabled; every other protocol and service bound by default to a Windows connection has been disabled. The WAN connection has a default gateway configured but no DNS servers, because DNS is configured on the DMZ connection:


3.7: Cloud gateway DMZ link configuration

Some persistent routes are configured on the Windows machine, as shown by route print:

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    185.56.139.33  Default
       10.10.51.0    255.255.255.0      10.10.111.1        1
      10.10.110.0    255.255.255.0      10.10.111.1        1

The first one is the default route, and uses the WAN connection. The other two are created to allow the cloud gateway to connect back to the management network (10.10.51.0/24) and to the storage network (10.10.110.0/24) through the DMZ connection. To create these two routes, execute these commands in an elevated Windows command prompt:

route add 10.10.51.0 mask 255.255.255.0 10.10.111.1 -p

route add 10.10.110.0 mask 255.255.255.0 10.10.111.1 -p

10.10.111.1 is the IP address of the firewall connecting the DMZ subnet to the other subnets and segregating it from them. Only the minimum set of required connections is allowed from the DMZ to management and storage.

To make rule creation easier, some aliases have been created:

Alias               IP addresses
VCC_gateways        10.10.111.35, 10.10.111.36, 10.10.111.37
Domain_Controllers  10.10.51.21, 10.10.51.22
VBR_Server          10.10.51.40
WAN_accelerators    10.10.110.11, 10.10.110.12
Linux_repositories  10.10.110.61, 10.10.110.62, 10.10.110.63, 10.10.110.64

and finally these rules have been added:

Proto         Source        Port  Destination         Port      Description
IPv4 TCP/UDP  VCC_gateways  *     Domain_Controllers  53 (DNS)  Allow gateways to use internal DNS
IPv4 TCP      VCC_gateways  *     VBR_Server          6169      Gateways pass tenant VBR commands to SP VBR
IPv4 TCP      VBR_Server    *     VCC_gateways        6160      Veeam Installer from VBR to VCC gateways
IPv4 TCP      VBR_Server    *     VCC_gateways        6162      Veeam Transport from VBR to VCC gateways
IPv4 TCP      VBR_Server    *     VCC_gateways        6168      Cloud gateway listens for cloud commands from SP VBR
IPv4 TCP      VBR_Server    *     VCC_gateways        445       Veeam SMB share access from VBR to VCC gateways
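The host-side part of this configuration (adapter bindings, persistent routes and the Windows firewall rules that mirror the external firewall table) can be applied and verified with PowerShell. The script below is an added example and not part of the original guide; it assumes the two adapters are named "WAN" and "DMZ" (rename yours to match), reuses the addresses from the alias table as literals, and runs in an elevated session on one gateway.

```powershell
# Added example (not from the original guide): host-side network hardening for one
# cloud gateway. Assumptions: adapters named "WAN" and "DMZ"; addresses taken from the
# alias table above; default Cloud Connect port 6180. Run elevated on the gateway.

$WanAdapter = 'WAN'
$DmzAdapter = 'DMZ'
$DmzGateway = '10.10.111.1'   # firewall segregating the DMZ subnet
$VbrServer  = '10.10.51.40'   # VBR_Server alias
$CloudPort  = 6180            # default Veeam Cloud Connect port

# 1. Leave only IPv4 bound on the WAN link: IPv6, SMB client/server, LLTD and QoS off.
$UnneededBindings = 'ms_tcpip6', 'ms_msclient', 'ms_server', 'ms_lltdio', 'ms_rspndr', 'ms_pacer'
foreach ($Component in $UnneededBindings) {
    Disable-NetAdapterBinding -Name $WanAdapter -ComponentID $Component -ErrorAction SilentlyContinue
}

# 2. Persistent routes back to management and storage through the DMZ link
#    (equivalent to the "route add ... -p" commands shown above).
foreach ($Prefix in '10.10.51.0/24', '10.10.110.0/24') {
    if (-not (Get-NetRoute -DestinationPrefix $Prefix -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $Prefix -InterfaceAlias $DmzAdapter `
                     -NextHop $DmzGateway -RouteMetric 1 | Out-Null
    }
}

# 3. Windows Firewall. Inbound on the WAN link: only the Cloud Connect port.
foreach ($Proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "VCC gateway $Proto $CloudPort (WAN)" -Direction Inbound `
        -InterfaceAlias $WanAdapter -Protocol $Proto -LocalPort $CloudPort -Action Allow | Out-Null
}
# Inbound on the DMZ link: management traffic from the SP VBR server only
# (installer 6160, transport 6162, cloud commands 6168, SMB 445), as in the table above.
New-NetFirewallRule -DisplayName 'VCC gateway: VBR management (DMZ)' -Direction Inbound `
    -InterfaceAlias $DmzAdapter -Protocol TCP -LocalPort 6160, 6162, 6168, 445 `
    -RemoteAddress $VbrServer -Action Allow | Out-Null
# Make the default inbound action explicit on every profile (a GPO may have changed it).
# Review any pre-existing allow rules (e.g. RDP) that are still bound to the WAN interface.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 4. Verification: routes in place, VBR command port reachable through the DMZ link,
#    and the firewall rules created above.
Get-NetRoute -DestinationPrefix '10.10.51.0/24', '10.10.110.0/24' |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
Test-NetConnection -ComputerName $VbrServer -Port 6169 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Get-NetFirewallRule -DisplayName 'VCC gateway*' | Get-NetFirewallPortFilter |
    Format-Table Protocol, LocalPort, RemotePort
```

The -RemoteAddress restriction on the DMZ rule is stricter than a plain port allow: even if the external firewall is misconfigured, only the VBR server can reach the installer, transport and SMB ports of the gateway. The same restriction cannot be applied to port 6180, which must accept any tenant source; that port is protected by the connection limits described under DoS protection.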

DoS protection

The cloud gateway is directly exposed to the internet. To protect it against DoS (Denial of Service) attacks that try to saturate all the available connections, this component has default limits on the number of connections it accepts:

maximum number of connections from the same IP address: 64

maximum number of total connections: 1024

These values can be tuned by service providers in each cloud gateway. Please refer to Section 8.5 to learn more about them.

Remember that each cloud gateway is a single failure domain. One thousand connections lost because of a failed cloud gateway will impact several customers. A service provider should carefully evaluate this scenario and deploy multiple cloud gateways to spread the connections over a larger number of smaller failure domains.
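A service provider will want to know how close each gateway is to those limits before tenants start being refused. The function below is an added example, not part of the original guide or of the Veeam product: it reads the established TCP connections on the Cloud Connect port, groups them by source address and reports sources approaching the 64-per-IP limit and a total approaching the 1,000-connection sizing threshold. The 75% warning ratio and the injected sample data are this example's own choices.

```powershell
# Added example (not from the original guide): report connection pressure on a gateway
# against the default limits (64 per source IP, 1024 total) and the 1,000 sizing limit.
# Assumes the default Cloud Connect port 6180; warning ratio is an arbitrary choice.

function Get-VccConnectionPressure {
    param(
        [int]$Port = 6180,
        [int]$PerIpLimit = 64,
        [int]$TotalLimit = 1024,
        [int]$SizingLimit = 1000,
        [double]$WarnRatio = 0.75,
        # Connections to analyse; defaults to the live TCP table of this gateway.
        [object[]]$Connections = (Get-NetTCPConnection -LocalPort $Port -State Established `
                                      -ErrorAction SilentlyContinue)
    )
    $Total = @($Connections).Count
    $PerIp = $Connections | Group-Object RemoteAddress | Sort-Object Count -Descending

    # A source close to the per-IP limit is either a very large tenant or an abuser.
    $Findings = @(foreach ($Group in $PerIp) {
        if ($Group.Count -ge [math]::Ceiling($PerIpLimit * $WarnRatio)) {
            [pscustomobject]@{ Scope = "source $($Group.Name)"; Connections = $Group.Count; Limit = $PerIpLimit }
        }
    })
    # Total load is compared with the sizing limit, which is reached before the hard limit.
    if ($Total -ge [math]::Ceiling($SizingLimit * $WarnRatio)) {
        $Findings += [pscustomobject]@{ Scope = 'gateway total'; Connections = $Total; Limit = $TotalLimit }
    }
    [pscustomobject]@{
        TotalConnections = $Total
        DistinctSources  = @($PerIp).Count
        TopSources       = @($PerIp | Select-Object -First 5 Name, Count)
        Findings         = $Findings
    }
}

# Usage on a live gateway (run locally or through PowerShell remoting):
Get-VccConnectionPressure | Format-List

# Usage on constructed data (example only): one source with 50 connections, ten others with one each.
$Sample = @(1..50 | ForEach-Object { [pscustomobject]@{ RemoteAddress = '203.0.113.10' } }) +
          @(1..10 | ForEach-Object { [pscustomobject]@{ RemoteAddress = "198.51.100.$_" } })
(Get-VccConnectionPressure -Connections $Sample).Findings   # one finding: source 203.0.113.10, 50 of 64
```

Scheduling this on every gateway and alerting on a non-empty Findings list gives early warning both of a tenant that needs its own limits reviewed (Section 8.5) and of a gateway that needs a fourth instance beside it.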

Installation

Once the three cloud gateways have been added to the backup infrastructure as managed Windows servers, the service provider deploys the cloud gateway component on each of them. The procedure is quick and easy, and must be repeated for all three gateways.

  1. From the Cloud Connect node, go to Cloud Gateways and select Add Cloud Gateway.

  2. Select one of the previously added servers:

3.8: Add a new cloud gateway

  3. Configure the desired networking mode:

3.9: Select the desired networking mode for the cloud gateway

In this guide we suggest using direct mode. Direct mode exposes a cloud gateway directly to the Internet, with a public IP address configured on the gateway machine itself. Veeam Cloud Connect fully supports both deployment modes, and service providers should properly protect the cloud gateways (behind a firewall or with other methods) regardless of which mode is used.

When configuring the cloud gateways in NAT mode, the wizard must be given the public DNS name that tenants will use to connect to that specific gateway. Following the example, the mappings would be:

Host                     Internal IP    DNS host                    NAT IP
gtw1.cloudconnect.local  10.10.111.35   gtw1.virtualtothecore.com   185.56.139.35
gtw2.cloudconnect.local  10.10.111.36   gtw2.virtualtothecore.com   185.56.139.36
gtw3.cloudconnect.local  10.10.111.37   gtw3.virtualtothecore.com   185.56.139.37

Also, in NAT mode, be careful in the wizard about which DNS name is used. The general DNS name cc.virtualtothecore.com used for round robin is sent to tenants and then used to configure the client side of Cloud Connect; but in the cloud gateway configuration each gateway has to be set with its own specific DNS name, like this:

Once the DNS A (host) records for the round-robin name have been created with all the public IP addresses, the internet-facing part of Veeam Cloud Connect is ready.
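Before handing the round-robin name to tenants it is worth checking the public layout from the outside. The script below is an added example and not part of the original guide: it uses the hostnames and public IPs of this chapter, queries a public resolver so that it sees what a tenant sees, and checks that cc.virtualtothecore.com carries exactly the three gateway addresses, that each per-gateway name (the one entered in the wizard) maps only to its own address, and that TCP 6180 is open on every public IP. The resolver address and the $Gateways map are this example's assumptions.

```powershell
# Added example (not from the original guide): verify the public DNS and port layout of the
# three cloud gateways from a tenant's point of view. Assumptions: resolver 1.1.1.1, the
# gateway name-to-IP map below, default Cloud Connect port 6180.

$RoundRobinName = 'cc.virtualtothecore.com'
$Gateways = [ordered]@{
    'gtw1.virtualtothecore.com' = '185.56.139.35'
    'gtw2.virtualtothecore.com' = '185.56.139.36'
    'gtw3.virtualtothecore.com' = '185.56.139.37'
}
$Resolver = '1.1.1.1'   # public resolver, so internal split-horizon DNS cannot mask a mistake
$Port     = 6180

function Get-ARecords([string]$Name) {
    @(Resolve-DnsName -Name $Name -Type A -Server $Resolver -ErrorAction SilentlyContinue |
      Where-Object QueryType -eq 'A' | ForEach-Object IPAddress | Sort-Object)
}

function Test-VccPublicLayout {
    # Returns one row per expectation; Ok = $false marks a misconfiguration.
    $Rows = [System.Collections.Generic.List[object]]::new()

    # 1. Round-robin name: exactly the set of gateway public IPs, no more, no less.
    $Actual   = Get-ARecords $RoundRobinName
    $Expected = @($Gateways.Values | Sort-Object)
    $Rows.Add([pscustomobject]@{
        Check = "$RoundRobinName A records"; Expected = $Expected -join ','; Actual = $Actual -join ','
        Ok    = (($Actual -join ',') -eq ($Expected -join ','))
    })

    # 2. Per-gateway names (NAT mode wizard entries): one A record, pointing at that gateway only.
    foreach ($Entry in $Gateways.GetEnumerator()) {
        $Ips = Get-ARecords $Entry.Key
        $Rows.Add([pscustomobject]@{
            Check = "$($Entry.Key) A record"; Expected = $Entry.Value; Actual = $Ips -join ','
            Ok    = ($Ips.Count -eq 1 -and $Ips[0] -eq $Entry.Value)
        })
    }

    # 3. Every public IP must accept TCP on the Cloud Connect port (this also exercises the
    #    external firewall and the host firewall rule on the WAN link).
    foreach ($Ip in $Gateways.Values) {
        $Tcp = Test-NetConnection -ComputerName $Ip -Port $Port -WarningAction SilentlyContinue
        $Rows.Add([pscustomobject]@{
            Check = "TCP $Port on $Ip"; Expected = 'open'
            Actual = if ($Tcp.TcpTestSucceeded) { 'open' } else { 'closed' }
            Ok     = [bool]$Tcp.TcpTestSucceeded
        })
    }
    $Rows
}

$Result = Test-VccPublicLayout
$Result | Format-Table -AutoSize
if ($Result.Ok -contains $false) {
    Write-Warning 'Public DNS or port layout of the cloud gateways does not match the design.'
}
```

Run it from a machine outside the provider's network (or at least one that cannot reach the DMZ directly), otherwise the port check proves nothing about what tenants can reach.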