Usage of a predefined VMware ESXi extension (VIB) for Veeams Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing

Challenge

This article describes the usage of a predefined VMware ESXi extension (VIB) for Veeams Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing.

Cause

To achieve optimal balancing within the Cisco HyperFlex data network at Backup from Storage Snapshot processing, it is needed to change the ESXi host firewall.
See more background information here.
One of the Methods to change the ESXi host firewall is by a pre-defined VIB that can be found at the Veeam Community GitHUB site.
To implement this, follow the below instructions.
 

Solution

Install the Firewall VIB on ESXi:

Repeat the following steps on all Cisco HyperFlex nodes in your cluster.

1. Enable ssh and log in to your ESXi host by using a tool like PuTTY
Image may be NSFW.
Clik here to view.

2. Copy the VIB file to the ESXi host's tmp folder using HTTP or a SCP client
Image may be NSFW.
Clik here to view.

3. Install the VIB
Command:

esxcli software vib install -v /tmp/VeeamCiscoHXFirewall.vib -f

Image may be NSFW.
Clik here to view.

4. Verify the VIB was installed
Command:

esxcli software vib list | grep 'Veeam'

Image may be NSFW.
Clik here to view.

5. Verify the new firewall rule is active
Command:

esxcli network firewall ruleset list

Note: If the VIB installation fails, you might need to set the acceptance level to CommunitySupport and retry the installation.
Command:

esxcli software acceptance set --level=CommunitySupported

Image may be NSFW.
Clik here to view.


Set the Veeam Proxy Servers

1. Enable allowed IP list for the new firewall rule
Command:

esxcli network firewall ruleset set -r "VeeamCiscoHXFirewall" -a false 

Image may be NSFW.
Clik here to view.

2. Set the Veeam proxy server data network IP that is on the Hyperflex ("Storage Controller Data Network")
Repeat the following command for all Veeam proxy server or set a subnet:

esxcli network firewall ruleset allowedip add -r "VeeamCiscoHXFirewall" -i "172.17.53.53."

Image may be NSFW.
Clik here to view.

3. Verify the IPs are set
Command:

esxcli network firewall ruleset allowedip list | grep -v "All"

Image may be NSFW.
Clik here to view.

Note: Veeam recommends to set the all IPs of Veeam proxy servers in the firewall rule. Otherwise the firewall rule is enabled for all incoming connections. You can specify either the IP address or a subnet. Use one command per proxy.


Check if everything is configured correctly

1. Check the Security Profile on the ESXi hosts

For HX systems < HX2.5 using the relevant VIB.
Image may be NSFW.
Clik here to view.

For HX system >= HX2.5 using the relevant VIB.
Image may be NSFW.
Clik here to view.


2. Check the VIB
Command:

esxcli software vib list | grep 'Veeam'

Image may be NSFW.
Clik here to view.

3. Check the ruleset
Command:

esxcli network firewall ruleset list

Image may be NSFW.
Clik here to view.

4. Check which Veeam Proxy IPs are assigned
Command:

esxcli network firewall ruleset allowedip list | grep -v "All"

Image may be NSFW.
Clik here to view.