Security, Segregation, Data Backup and Data Restore; these do not always play well together. Sometimes, when you build a secure infrastructure to protect and secure your Tenants’, or your Data, you will introduce an unavoidable challenge; especially when it comes to data backup and recovery.

The complexity of these scenarios lay in the question of which is more important; security and segregation, or data backup?

In this issue of our blog, we will discuss the Veeam Guest interaction Proxy, and learn how we can enjoy the best of both worlds without discriminating one against the other.

Let’s begin…

If you are a Service Provider cautious about the security of your Tenants’ data, and I am sure you are, you will have built your offering to them based on security and Tenant data segregation. By now, you have already realized that by offering this important segregation measurement on a shared infrastructure, it is beginning to cause you some challenges with backups and restoration of your Tenants’ data.

A reason behind this challenge that your core infrastructure and your Tenant infrastructure are completely separate; and this is so regardless of these infrastructures being hosted under the same data center roof. To make your situation more complex, they are hosted on the same virtual infrastructure.

There are many methods of segregation Service Providers can use; they can achieve complete separation with firewall configurations, VLANs, vCloud Directory deployment, and more. To simplify our discussion, let’s take a look at a segregated Service Provider common architecture in the figure below.

From the figure, you will see that the core infrastructure and the Tenants share infrastructure are not connecting to each other, even though they are running on the same virtual infrastructure.

Backup and Recovery Challenge

If you built your offering on a VMware based virtual infrastructure, your Veeam solution can backup the Tenants’ VM’s using the VMware VIX technology, and do this without much complexity.; but, the application aware backup and restoration process is a different story.

Scenario

The scenario we are going to discuss here is one shared by a Service Provider who is using VMware vCloud Director to offer IaaS; in addition to managing services, including Tenant backups.

Some of the challenges the discusses service provider is facing in our scenario are:

• Restore the application files back to the tenant server – SQL in this case; and
• Backup a tenant SQL server log files via VIX is so slow.

Veeam Solution

The challenge in our scenario is a normal challenge occurring in modern data centre architecture.  Veeam is designed and built to protect the modern data centre, so this challenge is quickly eliminated when designing your data centre architecture, and then configuring Veeam to deal with this segregated infrastructure.

The Veeam answer to this modern data centre architecture challenge is provided with a feature called “Guest Interactive Proxy.” This is where Veeam will off-load the processing of the application-aware file-indexing and transaction log backups to a guest OS running on a remote, or segregated Tenant zone.

The Configuration of Veeam

Back to our shared service provider story. To solve the backup requirement for their customers and their network configuration restraints,  the backup admin chooses to deploy a “Guest interactive Proxy” in a unique way. The method used does not just solve the challenge of the application and restore aware processing; but, also adds a revenue stream to their offering.

The method and configuration  used is illustrated in the diagram below.

From the above diagram, you will notice that the service provider offered the customer a dedicated server configured on the service provider virtual infrastructure only. The Guest server was configured with two network address cards (NICs), each connected to a different Network zone. One NIC is connected to the Tenant Zone with an IP address assigned from the Tenant subnet, and the IP is pingable to avoid double allocation from the tenant side. The second NIC is connected to the core infrastructure.

To make the above configuration fully workable and secure, the Guest interactive proxy is configured to point to, and to use, the tenant DNS server. On the Service Provider side, the Tenant’s subnet has been added as DNS conditional forwarding to ensure there is no traffic forwarded to the Tenant’s DNS from the Service Provider’s infrastructure.

After the Guest interactive Proxy was provisioned and configured, the backup job was modified to instruct Veeam to use this new Proxy. In this example, it is vProxy02.veeamsalab.org. The first Veeam configuration is applied on the backup job Guest Processing.

The Second challenge, backing up the SQL transaction Log,  is addressed by configuring the Application-aware – SQL Configuration. Check the diagram below for the checkboxes to be ticked to back up the Log.

Conclusion

By setting up the steps we have just described, the service provider solved the problem of running the aware application backup while keeping the Tenant infrastructure secured and segregated. In addition, they were able to now offer this service as a cost product to each Tenant requiring this level of Backup and Recovery granularity.