IBM Cloud Docs
Architecture pattern for Veeam replication connectivity in IBM Cloud

This architecture pattern explains how to deploy and configure Veeam® replication connectivity on VMware Cloud Foundation for VPC instances that are running on IBM Cloud VPC. These connectivity patterns use a combination of IBM Cloud native services and networking services that are provided by VMware NSX®.

This pattern assumes that Veeam is deployed by following the guidance for the consolidated architecture.

Replication connectivity over private network

When you replicate over a private network, the VMware Cloud Foundation for VPC instance needs to connect to on-premises or Classic VMware® and Veeam deployments. The connectivity can be established by using Transit Gateways or Direct Link.

The following diagram introduces the high-level steps to configure and deploy this connectivity type.

Replication connectivity over private network

This architecture pattern deployment is summarized as follows:

  1. Provision a new Transit Gateway or Direct Link, or use an existing one, to connect to the Veeam replication partner network.
  2. Validate that the management subnet and on-premises VMware and Veeam networks can communicate.
  3. With Classic VMware and Veeam deployments, ensure that you configured static routes for the IBM Cloud VPC prefixes or subnets with the backend customer router (BCR) as the next hop.
  4. Configure Veeam replication between IBM Cloud and on-premises proxies by following the Veeam documentation and best practices.

Replication connectivity over the internet

When you replicate over a public network, the VMware Cloud Foundation for VPC instance needs to connect to on-premises VMware and Veeam deployments.

Two alternative patterns are introduced for this connectivity.

In this first alternative pattern, the connectivity is established by using VPC (Virtual Private Cloud) VPNaaS site-to-site IPsec VPN. The following diagram introduces the high-level steps to configure and deploy this connectivity type.

Connectivity over Public Internet by using VPC VPNaaS

This architecture pattern deployment is summarized as follows:

  1. Deploy VPC VPN as a Service - Site to Site Gateway. You can use the NSX private uplink subnet in VPC; many IP addresses are available for the VPN Gateway.
  2. Establish an IPsec VPN between IBM Cloud VPC and your on-premises networks. You can use either policy-based or route-based tunnels.
  3. With policy-based VPN tunnels, ensure that at least the management and the management subnets of VI workload domains are included. With route-based tunnels, create VPC routes to the on-premises networks and ensure that the on-premises networks have a route to at least the management and the management subnets of VI workload domains.
  4. Configure Veeam replication between IBM Cloud and on-premises proxies by following the Veeam documentation and best practices.

In this second alternative pattern, the connectivity is established by using NSX Tier 0 IPsec VPN and integrated routing with VPC networking (VPC routes). The following diagram introduces the high-level steps to configure and deploy this connectivity type.

Replication connectivity over Public Internet by using NSX Tier 0 IPsec VPN

This architecture pattern deployment is summarized as follows:

  1. Create a VPN endpoint in the Tier 0 gateway by using one of the floating IP addresses provisioned for the Tier 0 HA public VIP.
  2. Establish an IPsec VPN between IBM Cloud VPC and your on-premises networks. You can use either policy-based or route-based tunnels.
  3. With policy-based VPN tunnels, ensure that at least the management and the management subnets of VI workload domains are included in the local networks. With route-based tunnels, use BGP or create static routes in the Tier 0 gateway to the on-premises networks and ensure that the on-premises networks have a route to at least the management and the management subnets of VI workload domains.
  4. Create a VPC route to the on-premises networks by using Tier 0's private HA VIP as the next-hop. This route is required for the Veeam components in the management subnet to reach the on-premises network.
  5. Configure Veeam replication between IBM Cloud and on-premises proxies by following the Veeam documentation and best practices.
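
The checks in steps 3 and 4 of the NSX Tier 0 pattern can be run as a pre-flight test before replication is configured. The following Python sketch is an added example, not IBM or Veeam code; the configuration keys, the function names, and every address in it are assumptions constructed for illustration. It reports management subnets missing from a policy-based tunnel, missing routes in either direction for a route-based tunnel, and VPC routes whose most specific match does not point at the Tier 0 private HA VIP.

```python
import ipaddress

def uncovered(required, prefixes):
    """Required subnets that are not fully inside any of the given prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [r for r in required
            if not any(ipaddress.ip_network(r).subnet_of(n) for n in nets)]

def next_hop_for(net, routes):
    """Next hop of the most specific route covering net, or None."""
    target = ipaddress.ip_network(net)
    covering = [r for r in routes
                if target.subnet_of(ipaddress.ip_network(r["destination"]))]
    if not covering:
        return None
    best = max(covering, key=lambda r: ipaddress.ip_network(r["destination"]).prefixlen)
    return best["next_hop"]

def check_tier0_pattern(cfg):
    """Findings for steps 3 and 4 of the NSX Tier 0 IPsec VPN pattern."""
    findings = []
    if cfg["tunnel_mode"] == "policy":
        for s in uncovered(cfg["management_subnets"], cfg["local_networks"]):
            findings.append(f"policy tunnel local networks omit {s}")
    else:  # route-based: routes are needed in both directions
        for s in uncovered(cfg["on_prem_networks"], cfg["tier0_routes"]):
            findings.append(f"Tier 0 has no route to on-premises {s}")
        for s in uncovered(cfg["management_subnets"], cfg["on_prem_routes"]):
            findings.append(f"on-premises has no route to {s}")
    for s in cfg["on_prem_networks"]:  # step 4: VPC route via the private HA VIP
        hop = next_hop_for(s, cfg["vpc_routes"])
        if hop is None:
            findings.append(f"no VPC route to {s}")
        elif hop != cfg["tier0_private_vip"]:
            findings.append(f"VPC route to {s} uses {hop}, not the Tier 0 private HA VIP")
    return findings

# Constructed sample values, not taken from any real deployment.
SAMPLE = {
    "tunnel_mode": "policy",
    "management_subnets": ["10.100.0.0/25", "10.100.1.0/25"],
    "local_networks": ["10.100.0.0/25"],
    "on_prem_networks": ["192.168.10.0/24", "192.168.20.0/24"],
    "tier0_private_vip": "10.100.2.10",
    "vpc_routes": [{"destination": "192.168.0.0/16", "next_hop": "10.100.2.10"},
                   {"destination": "192.168.20.0/24", "next_hop": "10.100.2.99"}],
}

if __name__ == "__main__":
    for finding in check_tier0_pattern(SAMPLE):
        print("FINDING:", finding)
```

The subnet-coverage part applies equally to step 3 of the VPC VPNaaS pattern; only the next-hop check is specific to the Tier 0 pattern.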

Considerations for Veeam replication connectivity in IBM Cloud

When you design or deploy this architecture pattern, consider the following information:

  • Design your network flows carefully. For more information about ports and protocols, see Veeam Backup & Replication ports and protocols.
  • Ensure that the IBM Cloud VPC security groups and firewall rules in use allow the replication traffic.
  • Ensure that the networks are properly routed and that any firewall rules allow the required traffic at both the source and destination sites.
  • Ensure that your MTUs match end to end, and that your VPN can handle a shorter inner MTU across the internet.