4.8 Veeam proxies

In order to receive replication data from a tenant, at least one proxy is needed. This proxy needs to be able to talk with its controlling VBR server, the vCenter server (standalone or connected to vCloud Director) and all the ESXi hosts. To increase the availability of the service, deploy multiple proxy servers. Any service provider should consider carefully how many proxies are necessary based on the specific design of the environment.

In our lab, we have one Windows and one Linux proxy, as a reminder that either type can be used, or both at the same time.

| PROXY1 | |
|---|---|
| Server name | proxy1.cloudconnect.local |
| IP Address | 10.10.110.101 |
| Operating System | Windows Server 2019 |
| Installed components | Veeam Proxy |
| vCPU | 4 |
| RAM | 8 Gb |
| Disk | 40 Gb |

| PROXY2 | |
|---|---|
| Server name | proxy2.cloudconnect.local |
| IP Address | 10.10.110.102 |
| Operating System | Ubuntu Linux |
| Installed components | Veeam Proxy |
| vCPU | 4 |
| RAM | 8 Gb |
| Disk | 20 Gb |

Proxies need to communicate with the different components: ESXi hosts and vCenter, Veeam Backup & Replication server, cloud gateways, WAN accelerators. For this reason, you should add firewall rules between the different networks.

NOTE: Some additional aliases have been added to the central firewall:

Proxies: 10.10.110.101, 10.10.110.102

| Proto | Source | Port | Destination | Port | Description |
|---|---|---|---|---|---|
| IPv4 TCP/UDP | Proxies | * | Domain_controllers | 53 (DNS) | Allow proxies to use internal DNS |
| IPv4 TCP | VBR_Server | * | Proxies | 22 | Temporary port to deploy Veeam components on Linux proxies |
| IPv4 TCP | VBR_Server | * | Proxies | 445 | Temporary port to deploy Veeam components on Windows proxies |
| IPv4 TCP | VBR_Server | * | Proxies | 6160 | Veeam Installer from VBR to Proxies |
| IPv4 TCP | VBR_Server | * | Proxies | 6162 | Veeam Transport from VBR to Proxies |
| IPv4 TCP | VCC_gateways | * | Proxies | 2500-3300 | Gateways transfer data to Proxies |
| IPv4 TCP | VBR_Server | * | Proxies | 2500-3300 | VBR transfers data to Proxies |
| IPv4 TCP | VBR_Server | * | Proxies | 49152-65535 | Veeam RPC from VBR to Windows Proxies (for disks and volumes discovery) |
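The rule table above can be encoded as a default-deny policy and used to check observed flows; this is an added example, not part of the original guide. Only the Proxies addresses come from the page: the other alias members are constructed placeholders, and flagging the two "temporary" deployment rules once deployment is finished is an assumption based on their description.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "protos src dst lo hi temporary")

# Proxies IPs are from the page; other members are constructed (TEST-NET-1).
ALIASES = {
    "Proxies": {"10.10.110.101", "10.10.110.102"},
    "VBR_Server": {"192.0.2.10"},
    "VCC_gateways": {"192.0.2.21", "192.0.2.22"},
    "Domain_controllers": {"192.0.2.53"},
}

RULES = [  # one entry per table row; anything else is denied
    Rule({"tcp", "udp"}, "Proxies", "Domain_controllers", 53, 53, False),
    Rule({"tcp"}, "VBR_Server", "Proxies", 22, 22, True),      # Linux deploy
    Rule({"tcp"}, "VBR_Server", "Proxies", 445, 445, True),    # Windows deploy
    Rule({"tcp"}, "VBR_Server", "Proxies", 6160, 6160, False),
    Rule({"tcp"}, "VBR_Server", "Proxies", 6162, 6162, False),
    Rule({"tcp"}, "VCC_gateways", "Proxies", 2500, 3300, False),
    Rule({"tcp"}, "VBR_Server", "Proxies", 2500, 3300, False),
    Rule({"tcp"}, "VBR_Server", "Proxies", 49152, 65535, False),
]

def match(proto, src_ip, dst_ip, port):
    """Return the first rule that permits the flow, or None (default deny)."""
    for r in RULES:
        if (proto in r.protos and src_ip in ALIASES[r.src]
                and dst_ip in ALIASES[r.dst] and r.lo <= port <= r.hi):
            return r
    return None

def verdict(flow, deployment_done=True):
    """'allow', 'deny', or 'temporary' when only a deployment rule permits it."""
    rule = match(*flow)
    if rule is None:
        return "deny"
    return "temporary" if rule.temporary and deployment_done else "allow"

SAMPLE_FLOWS = [  # constructed: (protocol, source IP, destination IP, port)
    ("tcp", "192.0.2.10", "10.10.110.101", 6160),   # VBR -> installer service
    ("tcp", "192.0.2.21", "10.10.110.102", 2500),   # gateway -> data port
    ("tcp", "192.0.2.21", "10.10.110.101", 6162),   # gateway -> transport: no rule
    ("tcp", "192.0.2.10", "10.10.110.102", 22),     # SSH after deployment
    ("udp", "192.0.2.10", "10.10.110.101", 6160),   # 6160 is TCP only
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(verdict(flow), flow)
```

A "temporary" verdict on live traffic means a deployment-only rule (22 or 445) is still open and in use; a "deny" verdict on traffic that actually passed means the firewall is more permissive than the table.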

Once all the different firewall rules are in place, service providers can deploy the proxy component on the different proxy servers:

4.24: Install a new Veeam proxy

Leave all configuration parameters at their defaults. In particular, leave the transport mode set to automatic: because the proxies are VMs, they will use hotadd mode, which is the preferred mode for a target proxy, and automatic selection still allows network mode to be used as a failover option should hotadd mode not work.

Traffic rules are also left empty, as any bandwidth management is done directly by Veeam Cloud Connect when configuring a tenant.

One last step must be done once the different Veeam proxies have been deployed. By default, the Veeam Backup & Replication server itself is also configured as a proxy.

4.25: List of available Veeam proxies

To guarantee that replication traffic follows the designed path from cloud gateways to WAN accelerators and proxies, disable the default proxy role installed on the Veeam Backup & Replication server, or remove the role completely.