Skip to main content

Hi There.

I am searching for technical resources on how we setup an air-gapped environment.

The idea is to have an isolated HSX cluster that we air-gap from the production HSX cluster and used only for Aux Copies long retention.

I checked the online documentation and the internet on how CV achieve this with no luck. 

I want to use a VM as a network gateway proxy with blackout window and network topology. I just didn't find how we can automatically shutdown and power up the VM to isolate the air-gapped environment.

Searched for workflow but couldn’t find anything relevant.

Anyone did this before and if so how was it done ?

Thanks

Abdel

Hi @Abdellatif AITELBACHA , thanks for the post!

Have you looked at this white paper?

https://www.commvault.com/resources/greater-ransomware-protection-with-data-isolation-and-air-gap-technologies

We covered this and a few other items in our Ransomware blog:

 

 


There is always tape. Its a Sheltered Harbor solution that can be plugged into the HSX.

Ejecting tapes is guaranteed air gap. Store them in the same location no need send them offsite.  

If you can virtually partition your tape library you can store them in the same library. Moving tapes from one virtual partition to another is done remotely by library software not by the backup software. It is completely out of band and even on a different or isolated IP network.   


Thanks Guys for your inputs

 

Tape is not an option as HSX was proposed and sold as the replication target on the air-gapped environment.

I was under the impression that Commvault will manage the VM Proxy power state using some workflows. But by reading the links provided, this should ne managed from the hypervisor.

In short, correct me if I am wrong, we use a combination of VM power management (from hypervisor), blackout window and network topology (from Commvault) to “open and close the gate” between the source HSX cluster/CS  and the air-gapped HSX cluster.

Then we assign proper schedules to Aux Copies so that they are allowed to run only outside the blackout window. The proxy VM being powered off during the blackout window , communication cannot be established with the appliances. It can also be enforced by FW or network routing.

Am I correct ?

Regards

Abdellatif

 


@Abdellatif AITELBACHA , you have it.  The hypervisor keeps the vm proxy offline via power management as an extra security measure.  This limits exposure to malicious sources.


Reply