Challenge
This article describes making manual firewall changes for Veeam Backup from Storage Snapshot with Cisco HyperFlex IOvisor processing.

Solution
To achieve optimal balancing within the Cisco HyperFlex data network during Backup from Storage Snapshot processing, the ESXi host firewall must be changed. See more background information here. One method of changing the ESXi host firewall is to create an ESXi host firewall rule manually. This configuration is reset by an ESXi host reboot and can be used for test environments.

To open the ports on ESX(i) hosts, add the following firewall rule to the service.xml file on each ESX(i) host.
<!-- Cisco Firewall configuration information -->
<ConfigRoot>
  <service id='9230'>
    <id>VeeamCiscoFirewall</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>0</begin>
        <end>65535</end>
      </port>
    </rule>
  </service>
</ConfigRoot>
The following example shows all steps required to open the firewall on an ESXi host over an SSH connection:

1. Back up the current service.xml file by running the command:
cp /etc/vmware/firewall/service.xml /etc/vmware/firewall/service.xml.bak

2. Modify the access permissions of the service.xml file to allow writes by running the chmod commands:
chmod 644 /etc/vmware/firewall/service.xml
chmod +t /etc/vmware/firewall/service.xml

3. Open the service.xml file in a text editor:
vi /etc/vmware/firewall/service.xml

4. Add the rule to the service.xml file (see the example above).

5. Revert the access permissions of the service.xml file to the read-only default by running the command:
chmod 444 /etc/vmware/firewall/service.xml

6. Refresh the firewall rules for the changes to take effect by running the command:
esxcli network firewall refresh

7. Enable the new firewall rule:
esxcli network firewall ruleset set -r "VeeamCiscoFirewall" -e true -a false

8. Bind the firewall rule to the data network IPs of all Veeam proxy servers; repeat the command for each proxy server:
esxcli network firewall ruleset allowedip add -r "VeeamCiscoFirewall" -i "<yourVeeamProxyIP>"

9. Check the IP binding:
esxcli network firewall ruleset allowedip list | grep -v "All"

10. Check that the firewall rule is enabled:
esxcli network firewall ruleset list
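The same procedure as a script, added here as an example and not part of the Veeam article: steps 1 to 5 are applied to a service.xml whose path is passed as an argument (so it can be tried on a copy first), the rule is not added a second time if it is already present, and steps 6 to 8 are emitted as esxcli commands for a list of proxy IPs to be run on the host. It assumes a POSIX shell; the file path and IPs are the caller's own values.

```shell
#!/bin/sh
# Added example, not from the Veeam article: steps 1-5 without an editor, plus
# the esxcli commands of steps 6-8 for a given list of proxy IPs.
set -eu
# The service block from the article (service id 9230, rule id 0000).
veeam_rule_xml() {
cat <<'EOF'
  <!-- Cisco Firewall configuration information -->
  <service id='9230'>
    <id>VeeamCiscoFirewall</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port><begin>0</begin><end>65535</end></port>
    </rule>
  </service>
EOF
}
# Returns 0 if the rule is already in the file, so a rerun does not add it twice.
rule_present() { grep -q '<id>VeeamCiscoFirewall</id>' "$1"; }
# Step 1 backup, step 2 permissions, steps 3-4 insert before </ConfigRoot>,
# step 5 back to read-only. Argument: path to service.xml.
add_rule() {
  f="$1"
  if rule_present "$f"; then
    echo "rule already present in $f, nothing changed" >&2
    return 0
  fi
  cp -f "$f" "$f.bak"
  chmod 644 "$f"; chmod +t "$f"
  tmp="$f.tmp.$$"
  while IFS= read -r line; do
    case "$line" in *'</ConfigRoot>'*) veeam_rule_xml ;; esac
    printf '%s\n' "$line"
  done < "$f" > "$tmp"
  mv -f "$tmp" "$f"
  chmod 444 "$f"
}
# Steps 6-8 as esxcli commands, one allowedip add per proxy IP given.
# On the host run: esxcli_commands 10.0.0.5 10.0.0.6 | sh   (IPs are examples)
esxcli_commands() {
  echo 'esxcli network firewall refresh'
  echo 'esxcli network firewall ruleset set -r "VeeamCiscoFirewall" -e true -a false'
  for ip in "$@"; do
    echo "esxcli network firewall ruleset allowedip add -r \"VeeamCiscoFirewall\" -i \"$ip\""
  done
}
```

After running the esxcli commands, steps 9 and 10 from the article still apply to confirm the binding and that the ruleset is enabled.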