3.4 Cloud gateways

A Veeam Cloud Connect infrastructure requires at least one cloud gateway, but as explained previously, multiple gateways are mandatory to deploy a reliable solution. In this scenario, you will deploy three cloud gateways to satisfy a 2+1 redundancy: three gateways will be available to accept and manage incoming connections, and if any one of them fails there will still be two available gateways, thus guaranteeing load balancing and redundancy even in a degraded situation. Furthermore, the use of three gateways allows maintenance activities on any of the gateways (patching, hardware maintenance or upgrades, etc.) while always leaving two running gateways.

                      GTW1                      GTW2                      GTW3
Server name           gtw1.cloudconnect.local   gtw2.cloudconnect.local   gtw3.cloudconnect.local
Internal IP (DMZ)     10.10.111.98              10.10.111.99              10.10.111.100
Public IP (WAN)       185.62.37.98              185.62.37.99              185.62.37.100
Operating system      Windows Server 2016       Windows Server 2016       Windows Server 2016
Installed components  Veeam Cloud Gateway       Veeam Cloud Gateway       Veeam Cloud Gateway
vCPU                  2                         2                         2
RAM                   2 GB                      2 GB                      2 GB
Disk                  40 GB                     40 GB                     40 GB

For cloud gateway sizing, a service provider should follow these recommendations:

CPU: 2 vCPUs or cores can handle a bandwidth of up to 10 Gbit/s.

RAM: around 512 KB of RAM is consumed per connection. From a load perspective, it is suggested to limit a gateway to 1,000 connections, adding more instances when the total number of connections exceeds this value.

With 1,000 connections, the total memory requirement for the cloud gateway service is around 512 MB; the requirements of the underlying OS must be added to this value, hence the suggested 2 GB.

Cloud gateways networking

Cloud gateway networking is configured in a specific way in this guide. Service providers may decide to follow this example or to create a different configuration.

Each cloud gateway server has two network connections, one linked to the public WAN network and one to the DMZ. This way, the external interface can be configured with a public IP and be reachable directly from the tenants’ side. The internal Windows firewall of the machine and the external firewall protecting this subnet allow only connections towards TCP/UDP 6180, the default port of the Veeam Cloud Connect service.

As can be observed on one of the gateways, the configuration of the WAN network connection looks like this:

3.6: Cloud gateway WAN link configuration

Only TCP/IPv4 has been enabled; every other protocol and service enabled by default on a Windows connection has been disabled. The WAN connection has the default gateway configured but no DNS servers, because DNS is configured on the DMZ connection:

3.7: Cloud gateway DMZ link configuration

There are some persistent routes configured on the Windows machine:

Persistent Routes:
  Network Address   Netmask          Gateway Address   Metric
  0.0.0.0           0.0.0.0          185.62.37.97      Default
  10.10.51.0        255.255.255.0    10.10.111.254     1
  10.10.110.0       255.255.255.0    10.10.111.254     1

The first one is the default route. The other two are created to allow the cloud gateway to connect back to the management network (10.10.51.0/24) and to the storage network (10.10.110.0/24). To create these two routes, run the following commands in an elevated Windows command prompt:

route add 10.10.51.0 mask 255.255.255.0 10.10.111.254 -p

route add 10.10.110.0 mask 255.255.255.0 10.10.111.254 -p

10.10.111.254 is the IP address of the firewall connecting the DMZ subnet to the other subnets and segregating it from them. Only the minimum set of required connections is allowed from the DMZ to the management and storage networks.
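The Windows-side part of this configuration (IPv4-only WAN interface, persistent routes, Windows firewall limited to TCP/UDP 6180 on the WAN side) as a PowerShell script added here; it is not the guide's own material, it reuses the chapter's addresses and assumes the two adapters are named WAN and DMZ.

```powershell
# Added example, not from the guide: Windows-side network configuration of one cloud gateway.
# Assumptions: the two NICs are named "WAN" and "DMZ"; addresses are the ones used in this chapter.
$ErrorActionPreference = 'Stop'

$DmzFirewall  = '10.10.111.254'                   # firewall segregating DMZ from management/storage
$InternalNets = '10.10.51.0/24', '10.10.110.0/24' # management and storage networks
$VbrServer    = '10.10.51.40'                     # VBR_Server alias of the external firewall table

# 1. WAN NIC: keep only IPv4 bound, as in figure 3.6 (IPv6, client, server, LLTD, ... disabled)
Get-NetAdapterBinding -Name 'WAN' |
    Where-Object { $_.ComponentID -ne 'ms_tcpip' -and $_.Enabled } |
    ForEach-Object { Disable-NetAdapterBinding -Name 'WAN' -ComponentID $_.ComponentID }

# 2. Persistent routes back to management and storage through the DMZ firewall
#    (same effect as "route add ... -p"; New-NetRoute persists the route by default)
foreach ($net in $InternalNets) {
    if (-not (Get-NetRoute -DestinationPrefix $net -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $net -InterfaceAlias 'DMZ' `
                     -NextHop $DmzFirewall -RouteMetric 1 | Out-Null
    }
}

# 3. Windows Firewall: on the WAN interface only the Cloud Connect port is reachable
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Veeam Cloud Connect $proto 6180 (WAN)" -Direction Inbound `
        -InterfaceAlias 'WAN' -Protocol $proto -LocalPort 6180 -Action Allow | Out-Null
}
#    On the DMZ interface only the VBR server may reach the Veeam component ports and SMB (445;
#    add 137-139 if the legacy NetBIOS ports of the external firewall table are really needed)
New-NetFirewallRule -DisplayName 'Veeam VBR to gateway (DMZ)' -Direction Inbound `
    -InterfaceAlias 'DMZ' -Protocol TCP -LocalPort 6160, 6162, 6168, 445 `
    -RemoteAddress $VbrServer -Action Allow | Out-Null
#    Everything else inbound is dropped by the profiles' default action
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 4. Show what the "Persistent Routes" excerpt above expects to see
Get-NetRoute -PolicyStore PersistentStore -AddressFamily IPv4 |
    Format-Table DestinationPrefix, NextHop, RouteMetric, InterfaceAlias
```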

To make rule creation easier, some aliases have been created:

  VCC_gateways          10.10.111.98, 10.10.111.99, 10.10.111.100
  Domain_Controllers    10.10.51.21, 10.10.51.22
  VBR_Server            10.10.51.40
  WAN_accelerators      10.10.110.11, 10.10.110.12
  Linux_repositories    10.10.110.51, 10.10.110.71, 10.10.110.72, 10.10.110.73
  Windows_repositories  10.10.110.52, 10.10.110.61, 10.10.110.62, 10.10.110.63, 10.10.110.64

The rules allowed on the firewall between the DMZ and the internal networks are:

  Proto          Source        Port  Destination         Port       Description
  IPv4 TCP/UDP   VCC_gateways  *     Domain_Controllers  53 (DNS)   Allow gateways to use internal DNS
  IPv4 TCP       VCC_gateways  *     VBR_Server          6169       Gateways pass tenant VBR commands to SP VBR
  IPv4 TCP       VBR_Server    *     VCC_gateways        6160       Veeam Installer from VBR to VCC gateways
  IPv4 TCP       VBR_Server    *     VCC_gateways        6162       Veeam Transport from VBR to VCC gateways
  IPv4 TCP       VBR_Server    *     VCC_gateways        6168       Cloud gateway listens for cloud commands from SP VBR
  IPv4 TCP/UDP   VBR_Server    *     VCC_gateways        137 - 139  Veeam SMB share access from VBR to VCC gateways
  IPv4 TCP/UDP   VBR_Server    *     VCC_gateways        445        Veeam SMB share access from VBR to VCC gateways

The last two rules can be kept disabled and enabled only when a new Veeam component needs to be installed or upgraded, because Veeam uses SMB shares to deploy the installer packages to remote Windows servers.

DoS protection

The cloud gateway is directly exposed on the Internet. To protect it from DoS (Denial of Service) attacks that try to saturate all the available connections, this component has default limits on the number of connections it can accept:

number of connections from the same IP address = 16

number of total connections = 256

To change these values, a service provider needs to create two new DWORD registry values on each cloud gateway under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Veeam\Veeam Gate Service

and configure them as follows (and restart the service to apply the new numbers):

PeerCloudConnectionsLimit (per IP, default is 16)

MaxSimultaneousCloudConnections (total, default is 256)
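The two registry values above, created or updated with PowerShell on a gateway, as an added example that is not part of the guide; the chosen limits (32 per IP, 1,024 total) are assumptions, and the values are checked against the 512 KB per connection sizing rule of this chapter. The service is located by display name, which is also an assumption.

```powershell
# Added example, not from the guide: set the DoS-protection limits of the cloud gateway service.
# The limit values below are assumptions chosen for a gateway sized at ~1,000 connections.
$ErrorActionPreference = 'Stop'
$KeyPath = 'HKLM:\SOFTWARE\Wow6432Node\Veeam\Veeam Gate Service'
$Limits  = @{
    PeerCloudConnectionsLimit       = 32     # per source IP address (service default: 16)
    MaxSimultaneousCloudConnections = 1024   # total connections   (service default: 256)
}

if (-not (Test-Path $KeyPath)) { throw "Key not found: $KeyPath. Is the cloud gateway component installed?" }

# Sanity check against the sizing rule of this chapter: ~512 KB per connection plus the OS
$ramKB  = (Get-CimInstance Win32_OperatingSystem).TotalVisibleMemorySize
$needKB = $Limits.MaxSimultaneousCloudConnections * 512
if ($needKB -gt $ramKB / 2) {
    Write-Warning ("Limit needs ~{0} MB of RAM, more than half of the {1} MB installed" -f
        [int]($needKB / 1024), [int]($ramKB / 1024))
}

foreach ($name in $Limits.Keys) {
    $current = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value $Limits[$name] | Out-Null
        Write-Host "$name created = $($Limits[$name]) (service default was in effect before)"
    } elseif ($current -ne $Limits[$name]) {
        Set-ItemProperty -Path $KeyPath -Name $name -Value $Limits[$name]
        Write-Host "$name changed $current -> $($Limits[$name])"
    } else {
        Write-Host "$name already set to $current"
    }
}

# The values are read only at service start-up; the display-name pattern is an assumption,
# verify it with: Get-Service -DisplayName 'Veeam*'
Get-Service -DisplayName 'Veeam*Gate*' | Restart-Service
```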

Remember that a cloud gateway is a failure domain when evaluating the impact on connections caused by its loss. One thousand connections lost on a failed cloud gateway will impact several customers. A service provider should carefully evaluate this scenario and deploy multiple cloud gateways to spread the connections over a larger number of smaller failure domains.

Installation

Once the three cloud gateways are added to the backup infrastructure as managed Windows servers, the service provider deploys the cloud gateway component on each of them. The procedure is quick and easy, and should be repeated for all three gateways.

  1. From the Cloud Connect node, go to Cloud Gateways and select Add Cloud Gateway.

  2. Select one of the previously added servers:

3.8: Add a new cloud gateway

  3. Configure the desired networking mode:

3.9: Select the desired networking mode for the cloud gateway

In this guide we suggest using direct mode. Direct mode exposes a cloud gateway directly on the Internet, with a public IP address configured on the gateway machine itself. Veeam Cloud Connect fully supports both deployment modes, and service providers should properly protect the cloud gateways behind a firewall regardless of which mode is used.

When configuring the cloud gateways in NAT mode, the wizard must be filled in with the external DNS name that tenants will use to connect to the gateway. Following the example, the mappings would be:

  HOST                      INTERNAL IP     DNS HOST                    NAT IP
  gtw1.cloudconnect.local   10.10.111.98    gtw1.virtualtothecore.com   185.62.37.98
  gtw2.cloudconnect.local   10.10.111.99    gtw2.virtualtothecore.com   185.62.37.99
  gtw3.cloudconnect.local   10.10.111.100   gtw3.virtualtothecore.com   185.62.37.100

Once the DNS A (host) records are configured with all the public IP addresses in order to enable round robin, the internet-facing part of Veeam Cloud Connect is ready.
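A tenant-side check of the finished Internet-facing setup, added here as an example that is not part of the guide: it verifies that each public name of the mapping table resolves to its NAT IP and answers on TCP 6180, and that the round-robin record carries every gateway. The round-robin name cloudconnect.virtualtothecore.com is an assumption.

```powershell
# Added example, not from the guide: verify DNS and reachability of the three gateways from
# a Windows host on the tenant side. Names/IPs come from the mapping table; the round-robin
# record name is an assumption.
$Expected = @{
    'gtw1.virtualtothecore.com' = '185.62.37.98'
    'gtw2.virtualtothecore.com' = '185.62.37.99'
    'gtw3.virtualtothecore.com' = '185.62.37.100'
}
$RoundRobin = 'cloudconnect.virtualtothecore.com'   # assumed single name with three A records
$ok = $true

foreach ($name in $Expected.Keys) {
    $ips = (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue).IPAddress
    if ($ips -notcontains $Expected[$name]) {
        Write-Warning "$name resolves to '$ips', expected $($Expected[$name])"; $ok = $false; continue
    }
    # Only the Cloud Connect port must answer on the public address
    $tcp = Test-NetConnection -ComputerName $Expected[$name] -Port 6180 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { Write-Warning "$name : TCP 6180 not reachable"; $ok = $false }
}

# Round robin only gives failover if every gateway is present in the record set
$rr      = (Resolve-DnsName -Name $RoundRobin -Type A -ErrorAction SilentlyContinue).IPAddress
$missing = $Expected.Values | Where-Object { $rr -notcontains $_ }
if ($missing) { Write-Warning "$RoundRobin is missing: $($missing -join ', ')"; $ok = $false }

if ($ok) { Write-Host 'All gateways resolve as expected and listen on TCP 6180' }
```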