
Hi Community,

We are trying to implement an air gap with Commvault; the customer wants to have its replication done to an offline site.

Following the documentation about the process and its feasibility with Commvault, I came across network topologies and understood that the best thing to implement is the One-Way topology, which implies that the MA located in the offline site will be the one that establishes the communication between the offline site and the production one.

I have gaps in understanding this process. Let's say the replication is orchestrated by the CS: when the time has come for the replication, how can the MA know that it's the right moment to establish the connection? And even for recovery/restore, how can the CS orchestrate it when the MA is offline?

Please forgive my ignorance, knowing that this is the first time I am doing this.

Any help or explanations would be much appreciated.

Regards.

I’d like to give a rough answer before other experts can provide deeper explanation:

When you set up a one-way network topology from MA to CS, the MA will poll the CS at a certain interval (minutes) to check whether there is something that needs to be executed (backup, aux copy or restore).



Thanks a lot, Yun Qian, it's a step forward for me to understand this process with your explanation.


@Commvault Engineer , can you elaborate further on what you are looking to set up?  Are you creating an Aux Copy on a remote Media Agent to tape?  Or using the Cloud based Power Management option?

Once we know exactly what you are looking to set up, and what questions remain for you, we can better help answer them!

 



The client wants to install a new MA on a remote site to implement air gap (make it an isolated site), and make AUX copies to its disk library, no tapes are used.

After documenting the feasibility through Commvault, we came across network topology (One-Way topology to be precise), so I wanted to know how this can be implemented: how can the MA communicate with the CS to initiate the aux copy? And in case of a restore, how can we initiate it through the CS since the MA will be isolated (not reachable)?

Thanks a lot @Mike Struening for your usual support.


Happy to help!

As @Yun Qian pointed out, there are some checks done to keep that communication going, it’s just that only one side can initiate ‘talks’.  After that, communication continues in both directions.

Now, if this MA is cloud based (or that’s an option) then you can look into the Power Management option where we control the Media Agent being powered on or off making it REALLY Air Gapped.

Check this out for more info:

https://documentation.commvault.com/11.26/expert/93808_overview_of_cloud_mediaagent_power_management.html


@Commvault Engineer

Network topologies designate how Commvault components are allowed to communicate with each other.  As you pointed out, a one-way topology gives you the flexibility to create one-way connections in whichever direction you want.  You still need to architect the actual network to build proper isolation/segmentation, but the topology allows you to isolate storage without inbound connections, while the destination storage establishes connections outbound to “pull” data in.

Before reading ahead, the next question to answer for yourself is: “Is isolation enough, or do I also need to virtually/physically air gap that storage?”.  Virtual air gap is a process of bringing the Commvault connection up and down periodically.  Alternatively you can physically air gap at a network layer by turning network interfaces on/off, or switching network ports/fw rules on/off periodically to sever the connections.  There could also be storage-level ways of accomplishing an air gap.  It depends on your requirements.  In my experience most customers just isolate storage, while some customers will apply a virtual air gap, and very few do something at a physical layer.

We have a few solutions for virtual air gap.  Firstly, you can use a Proxy Topology instead of one-way, and control power management to the proxy using this workflow: https://documentation.commvault.com/11.26/essential/147278_starting_or_stopping_network_gateway_to_create_air_gap.html

If you want to virtually air gap, or completely turn off the outbound connections periodically using a one-way topology, first create a blackout window to control when you want connections established. Next you can use a couple of Commvault commands to turn services on and off.  You need to run these commands on the Media Agent using a local task scheduler or as a Unix cron job.  This has to be done on the Media Agent as a script (instead of a CV workflow) since the MA will be gapped and unreachable at times.

For Windows, create a task schedule that runs the following command to stop services at the beginning of the operation window:

<Path to Commvault Base Directory>\gxadmin -stopsvcgrp "All" -console

Create another task schedule to run at the end of the operation window to execute the below command:

<Path to Commvault Base Directory>\gxadmin -startsvcgrp "All" -console

For Unix, create a cron job at the start of the operation window with the following command:

commvault -all stop

Then create a cron job at the end of the operation window using this command:

commvault -all start

Please note the disadvantage of applying a virtual or physical air gap: it may be difficult to get your data copied over fast enough.  This should be a consideration.  As I always say, the purpose of data isolation and air gap is to limit exposure from laterally moving threats.  With any security control you need to weigh the pros, cons, and potential risks to determine how far you need to go to accomplish your goal with acceptable operational impact.

I would be happy to answer more questions if you have any.
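As an added example (not code from this thread, and not Commvault's own tooling), here is a small POSIX sh wrapper for the two Unix cron jobs described in the previous answer. It runs "commvault -all stop" at the start of the operation window and "commvault -all start" at the end, logs every transition with a UTC timestamp, and returns the service command's exit status so a failed transition (a window that never closed) is visible to cron's MAILTO or to monitoring. The default binary path, the log file and the window hours are assumptions chosen for illustration, not values from the thread; override them through the environment variables shown.

```shell
#!/bin/sh
# cv_airgap.sh: wrapper for the "virtual air gap" cron jobs (added example,
# not from the thread or from Commvault).
#
# Assumed, illustrative values (override via environment):
CV_BIN="${CV_BIN:-/opt/commvault/Base/commvault}"   # assumed path to the commvault control binary
LOG_FILE="${CV_AIRGAP_LOG:-/var/log/cv_airgap.log}" # assumed log location
WINDOW_START="${CV_WINDOW_START:-1}"  # hour (0-23) at which services STOP (gap closes)
WINDOW_END="${CV_WINDOW_END:-5}"      # hour (0-23) at which services START (gap opens)

# Map an hour of the day onto the action the schedule should take.
# Prints "stop" at the window start, "start" at the window end, "none" otherwise.
window_action() {
    hour="$1"
    if [ "$hour" -eq "$WINDOW_START" ]; then
        echo stop
    elif [ "$hour" -eq "$WINDOW_END" ]; then
        echo start
    else
        echo none
    fi
}

# Build the exact command line from the thread for a given action.
# Fails (non-zero) for anything other than start|stop so a typo in a crontab
# entry cannot silently do nothing.
airgap_cmd() {
    case "$1" in
        stop)  echo "$CV_BIN -all stop" ;;
        start) echo "$CV_BIN -all start" ;;
        *)     return 1 ;;
    esac
}

# Append one timestamped line to the log file.
log_line() {
    printf '%s airgap %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$LOG_FILE"
}

# Run one transition and propagate the service command's exit status.
run_transition() {
    action="$1"
    cmd="$(airgap_cmd "$action")" || { log_line "unknown action '$action'"; return 2; }
    log_line "begin $action"
    $cmd            # word splitting is intended: binary plus its arguments
    rc=$?
    if [ "$rc" -eq 0 ]; then
        log_line "ok $action"
    else
        log_line "FAILED $action rc=$rc"
    fi
    return "$rc"
}

# Entry point: acts only when invoked with start|stop, so sourcing the file
# (for example in a test) changes nothing. Example crontab lines for the
# assumed 01:00-05:00 window:
#   0 1 * * * /usr/local/sbin/cv_airgap.sh stop
#   0 5 * * * /usr/local/sbin/cv_airgap.sh start
case "${1:-}" in
    start|stop) run_transition "$1" ;;
esac
```

Keep the cron entries on the Media Agent itself, as the answer says, because nothing on the CS side can reach the MA while the gap is closed; the log file on the MA is then the record you check to confirm each window actually opened and closed. The Windows equivalent uses the same two gxadmin commands from the thread in two Task Scheduler entries.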



Thanks a lot @DMCVault for your time and especially your very in-depth explanations, this is making things very much easier for me to understand, I will dive into it even further. Thanks again :)