PBS behind a DMZ firewall

Ventor

Hi there,

I have a specific situation and would like to know if the approach I took is the best for my situation or if I should rethink some of it.

My situation:
I have one physical server, which is behind a restricted firewall. This server is in a DMZ and is not allowed to make any connections inbound to our local network. All we can do is connect from inside the normal LAN to it. We chose PVE for that server, since the recent VMware situation. Originally this was planned as ESX, but you know how that went...

On this server there will be around 8-12 Linux VMs, which we will need to back up of course. We use Commvault for our internal backup and would like to use it with that host, too. But Commvault does not yet support PVE for VM based backup. We had the idea of saving our VMs using the PVE internal backup function to another hard drive on the host and use the Commvault agent to get those tar.xz-images into our internal network using a pull mechanism. The problem with that: PVE does not do incremental backups so we would have to transfer every VM's full backup every night. That would be a very large consumption of storage space!

My solution was to introduce a PBS. I set it up on the PVE host as a normal VM, put it as backup target and ran a backup. Everything worked well.

Then I set up an internal PBS instance on our VMware cluster, which will pull the PBS content from the DMZ using the sync job feature. The sync seems to be working fine, also. So the setup works, but I don't know if that is the best fit for our unique situation. Do any of you guys have any idea for a different kind of approach to the problem?

Thank you in advance
Ventor
 
Sounds okay. You could install PBS bare-metal side by side with Proxmox VE as well. Though then you need to keep an eye out when doing major version upgrades, as they can only be done once both PBS and Proxmox VE have the next major release. For example, the next one would be from Proxmox VE 8 -> 9 and PBS 3 -> 4.

Do you keep all the backups on the PBS local to the DMZ? Because in the case that it has a shorter retention period than the internal PBS, you might run into the situation that you want to restore a backup, or files from one, that is only available in the internal PBS.
You would either have to sync them back to the DMZ PBS or allow the Proxmox VE host direct access to the internal PBS to access these backups. But that could be enabled only temporarily and disabled once not needed anymore.
 
> Do you keep all the backups on the PBS local to the DMZ?

My idea is that we only keep the latest backup in the DMZ itself. It's just a "temporary" backup space. The real backup takes place on the internal PBS. The internal PBS is saved as a VM by our normal backup solution via Commvault, since it's running on our main ESX servers.

So yeah, I need to set the retention period to only keep 1 backup on the PBS in the DMZ.

Another question: In the event that I need to set up the whole DMZ server from scratch, for example when there is a massive failure on the drives, etc. - My idea would be to download the VM images from the web interface of the internal PBS, transfer them to the DMZ Proxmox and restore them there. Is this a correct way of doing this?
 
> Another question: In the event that I need to set up the whole DMZ server from scratch, for example when there is a massive failure on the drives, etc. - My idea would be to download the VM images from the web interface of the internal PBS, transfer them to the DMZ Proxmox and restore them there. Is this a correct way of doing this?

If you don't use encryption, you can download the disk images from the web interface. If you use encryption, you would need to use the CLI client to access the disk images, as the PBS itself has no knowledge of the key.

Once you have the raw disk image, you can use qm disk import (man page) to import it to a newly created VM.
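
The rebuild path discussed in the last two posts, as an added example that is not part of the thread: a LAN machine restores an encrypted disk image with the CLI client, pushes it into the DMZ, and imports it there, so every connection is opened from the LAN side. The repository string, host names, key path, archive name, VM ID and storage name are constructed placeholders, and the helper functions are hypothetical.

```shell
#!/bin/sh
# Constructed example: every host, datastore, path and VM ID is a placeholder.
set -eu
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

# Print a command; execute it only when DRY_RUN=0.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Accept only snapshot paths of the form vm/<vmid>/<UTC timestamp>, so a typo
# or a value starting with "-" never reaches the client as an argument.
valid_snapshot() {
    echo "$1" | grep -Eq '^vm/[0-9]+/[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$'
}

# Step 1 (LAN machine): restore and decrypt one disk archive to a raw file.
# The key file stays on the LAN side; the PBS itself never holds it.
fetch_image() {   # fetch_image <repository> <snapshot> <archive> <keyfile> <outfile>
    valid_snapshot "$2" || { echo "bad snapshot: $2" >&2; return 1; }
    run proxmox-backup-client restore "$2" "$3" "$5" --repository "$1" --keyfile "$4"
}

# Step 2 (LAN machine): copy the image into the DMZ. The connection is opened
# from the LAN, which is the only direction the firewall in the thread allows.
push_image() {    # push_image <image> <dmz-host> <remote-dir>
    run scp "$1" "root@$2:$3/"
}

# Step 3 (LAN machine, over SSH): import the image into a newly created VM.
import_image() {  # import_image <dmz-host> <vmid> <remote-image> <storage>
    run ssh "root@$1" qm disk import "$2" "$3" "$4"
}

# Dry run with constructed values; the archive name depends on the VM's disk bus.
IMG=/var/tmp/vm100-scsi0.raw
fetch_image 'restore@pbs@pbs-internal.example:store1' \
    'vm/100/2024-05-01T02:00:00Z' drive-scsi0.img /root/pbs-encryption.key "$IMG"
push_image "$IMG" pve-dmz.example /var/tmp
import_image pve-dmz.example 100 "$IMG" local-lvm
```

With the default `DRY_RUN=1` the script only prints the three commands; the decrypted image is unencrypted at rest on both machines, so delete it once the import has finished.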
 