Network Extension Appliance

To enable communication between production VMs on the tenant's side, VM replicas on the cloud host, backup infrastructure components and external network nodes, Veeam Backup & Replication uses network extension appliances. The network extension appliance is a Linux-based auxiliary VM created on virtualization hosts where tenant VMs and their replicas reside.

For every tenant who plans to replicate VMs to the cloud host and use all built-in cloud networking and failover capabilities (perform both full site failover and partial site failover), at least two network extension appliances should be deployed — one on the SP side and the other on the tenant's side.

• The network extension appliance on the SP side is deployed on the virtualization host in the SP environment that acts as a replication target. The network extension appliance VM is assigned an IP address from the SP production network and placed to the Cloud_Connect_Replication folder and resource pool created on the ESX(i) host or a dedicated folder on the Hyper-V host.
• The network extension appliance on the tenant's side is deployed on the source virtualization host where production VMs reside. The network extension appliance VM is assigned an IP address from a tenant's production network and placed to the selected folder and resource pool created on the ESX(i) host or a selected folder on the Hyper-V host.

The SP specifies network settings for the provider-side network extension appliance when subscribing a tenant to a hardware plan. A tenant specifies network settings for the tenant-side network extension appliance when connecting to the SP or rescanning resources available from the SP. Veeam Backup & Replication automatically deploys and configures the network extension appliance VM using the specified settings.

Tenant Network Extension Appliance

Veeam Backup & Replication uses the network extension appliance on the tenant's side to route requests between production VMs on the source host and VM replicas on the cloud host after partial site failover.

The network extension appliance connects to a production network with a network adapter. On the tenant's side, a separate network extension appliance must be deployed for every production IP network. For example, if there are two networks on the tenant's production site, the tenant should configure two network extension appliances. The network adapter of every network extension appliance on the tenant's side gets an IP address from the corresponding production network.

When the tenant connects to the SP, Veeam Backup & Replication configures on the tenant's side one network extension appliance with default settings. To do this, Veeam Backup & Replication detects the production network, connects the appliance to this network and tries to assign an IP address to the appliance using DHCP. The tenant should check and, if necessary, edit settings for the default pre-configured appliance.

The tenant can specify settings for the required number of network extension appliances that will be deployed on the source host. If the tenant does not plan to perform partial site failover, he or she may omit the network extension appliance deployment when connecting to the SP.

SP Network Extension Appliance

For every tenant subscribed to a hardware plan, Veeam Backup & Replication deploys a dedicated network extension appliance on the SP virtualization host that acts as a replication target. With the network extension appliance, the SP does not need to reconfigure production network in his Veeam Cloud Connect infrastructure. The SP network extension appliance acts as a gateway between the production network and tenant VM replica networks.

Veeam Backup & Replication uses the network extension appliance on the SP side for the following purposes:

• Routing requests between VM replicas on the cloud host and production VMs on the source host after partial site failover.

All traffic that comes from tenants' VM networks to cloud hosts on the SP side is encapsulated in individual VPN tunnels opened between a pair of network extension appliances.

• Separating traffic of the SP production network(s) and tenants' VM networks (by connecting to different VLANs in the SP network infrastructure).
• Providing VM replicas with public IP addresses after full site failover.
• Routing requests between VM replicas on the cloud host and network hosts in the internet after full site failover.

The network extension appliance connects to the SP production network and to virtual networks (VLANs) provided to a tenant through a hardware plan using vNIC adapters. Veeam Backup & Replication does not deploy a separate network extension appliance on the SP side for every IP network in a hardware plan. Instead, it adds to the appliance one vNIC adapter per each VLAN in all hardware plans to which the SP subscribes the tenant.

For example, the SP can configure on the same host one hardware plan with 2 networks and another hardware plan with 3 networks. When the SP assigns both hardware plans to the same tenant, Veeam Backup & Replication will add 6 vNIC adapters to the network extension appliance — 1 vNIC adapter for the SP production network and 5 vNIC adapters for all networks (VLANs) provided to a tenant through hardware plans configured on the SP host.

If the SP assigns to a tenant several hardware plans that utilize resources on different hosts, Veeam Backup & Replication will deploy network extension appliances for this tenant on every host that acts as a replication target.

Network Extension Appliances Interaction

The SP and tenant network extension appliances use a set of networking technologies to automatically establish and maintain a secure connection between a VM network on the tenant side and VM replica network on the SP side. A pair of network extension appliances acts as gateways between the two networks, routing requests from the tenant's production site to VM replicas on the cloud host and vice versa.

When a tenant performs the partial site failover operation, a production VM and a failed-over VM replica on the cloud host begin to communicate to each other using network extension appliances in the following way:

1. Veeam Backup & Replication powers on a VM replica on the cloud host.
2. Veeam Backup & Replication powers on a network extension appliance VM on the SP host where the replication target is configured and starts a VPN server on the appliance.
3. On the tenant's side, Veeam Backup & Replication powers on a corresponding network extension appliance VM, starts a VPN client on the appliance and connects to the VPN server on the SP network extension appliance to establish a secure VPN tunnel between two appliances through the cloud gateway.
4. The network extension appliance on the tenant's side receives requests from a production VM that are addressed to a failed-over VM and transmits them to the appliance on the SP side through the VPN tunnel.
5. The network extension appliance on the SP side accepts requests from the tenant's appliance and transmits them to the VM replica.
6. VM replica receives a request from the SP network extension appliance.
7. VM replica sends a request to the production VM in the similar order.
8. Production VM and VM replica continue communication through a secure VPN tunnel.

Limitations for Network Extension Appliance

The network extension appliance deployed on the SP side has the following limitations:

• The network extension appliance supports one failover operation type at a time. A tenant cannot perform partial site failover and full site failover simultaneously.
• The network extension appliance does not support usage of port 22 as a port for a public IP address in public IP addressing rules. Veeam Backup & Replication uses this port for communication with the network extension appliance. To learn more about public IP addressing settings, see Specify Public IP Addressing Rules.
• You cannot deploy a network extension appliance on the following types of storage:

• VMware vSAN
• VMware Virtual Volumes (VVol)
• Datastore Cluster