@Commvault Engineer
Network topologies will designate how Commvault components are allowed to communicate with each other. As you pointed out - a one-way topology gives you the flexibility to create one-way connections in whichever direction you want. You still need to architect the actual network to build proper isolation/segmentation, but the topology allows you to isolate storage without inbound connections - while the destination storage establishes connections outbound to “pull” data in.
Before reading ahead, the next question to answer for yourself is - “Is isolation enough, or do I also need to virtually/physically air gap that storage?”. Virtual air gap is a process of bringing the Commvault connection up and down periodically. Alternatively you can physically air gap at a network layer by turning network interfaces on/off, or switch network ports/fw rules on/off periodically to sever the connections. There also could be storage level ways of accomplishing air gap. It depends on your requirements. In my experience most customers just isolate storage, while some customers will apply virtual air gap, and very few do something at a physical layer.
We have a few solutions for virtual air gap - Firstly you can use a Proxy Topology instead of one-way, and control power management to the proxy using this workflow: https://documentation.commvault.com/11.26/essential/147278_starting_or_stopping_network_gateway_to_create_air_gap.html
If you want to virtually air gap, or completely turn off the outbound connections periodically using a one-way topology, first create a blackout window to control when you want connections established. Next you can use a couple of Commvault commands to turn services on and off. You need to run these commands on the Media Agent using a local task scheduler or as a unix cron job. This has to be done on the Media Agent as a script (instead of CV workflow) since the MA will be gapped and unreachable at times.
For Windows, create a task schedule that runs the following command to stop services at the beginning of the operation window:
<Path to Commvault Base Directory>\gxadmin -stopsvcgrp "All" -console
Create another task schedule to run at the end of the operation window to execute the below command:
<Path to Commvault Base Directory>\gxadmin -startsvcgrp "All" -console
For Unix create a cron job at the start of the operation window with the following command:
commvault -all stop
Then create a cron job at the end of the operation window using this command:
commvault -all start
Please note the disadvantage of applying a virtual or physical air gap - it may be difficult to get your data copied over fast enough. This should be a consideration. As I always say - the purpose of data isolation and air gap is to limit exposure from laterally moving threats. With any security control you need to weigh the pros, cons, and potential risks to determine how far you need to go to accomplish your goal with acceptable operational impact.
I would be happy to answer more questions if you have any.
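As an added example (not part of the original post and not Commvault's own code), here is a small POSIX sh wrapper for the Unix cron approach described above. It wraps the two commands the post gives (`commvault -all stop` / `commvault -all start`) with timestamped logging so you can later prove the gap actually opened and closed, and it carries a helper that tells you which state the Media Agent services should be in for a given hour and window, so a separate monitoring job can reconcile the schedule against reality. The script name, the log path, the `COMMVAULT_BIN`/`AIRGAP_DRY_RUN` variables and the 22:00 to 06:00 window in the sample crontab lines are assumptions for illustration.

```shell
#!/bin/sh
# mediaagent-airgap.sh (hypothetical name): cron wrapper for the Media Agent.
# Usage: mediaagent-airgap.sh stop|start
# Sample crontab entries (assumed window 22:00-06:00; adjust to your blackout window):
#   0 22 * * * /usr/local/bin/mediaagent-airgap.sh stop
#   0 6  * * * /usr/local/bin/mediaagent-airgap.sh start

COMMVAULT_BIN="${COMMVAULT_BIN:-commvault}"               # command from the post; override for testing
LOGFILE="${AIRGAP_LOG:-/var/log/mediaagent-airgap.log}"   # assumed log location
DRY_RUN="${AIRGAP_DRY_RUN:-0}"                            # 1 = print the command, do not run it

# build_cmd ACTION: maps stop|start to the exact command the post gives.
build_cmd() {
  case "$1" in
    stop)  printf '%s -all stop\n' "$COMMVAULT_BIN" ;;
    start) printf '%s -all start\n' "$COMMVAULT_BIN" ;;
    *)     return 1 ;;
  esac
}

# in_window HOUR START END: succeeds when HOUR (0-23) lies in [START, END),
# including windows that wrap past midnight such as 22 to 6.
in_window() {
  if [ "$2" -le "$3" ]; then
    [ "$1" -ge "$2" ] && [ "$1" -lt "$3" ]
  else
    [ "$1" -ge "$2" ] || [ "$1" -lt "$3" ]
  fi
}

# desired_state HOUR START END: prints "stopped" inside the gap window,
# "running" outside it, so a monitoring job can compare against reality.
desired_state() {
  if in_window "$1" "$2" "$3"; then echo stopped; else echo running; fi
}

# run_action ACTION: logs, executes, and records the exit code of the service command.
run_action() {
  cmd=$(build_cmd "$1") || { echo "usage: $0 stop|start" >&2; return 2; }
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if [ "$DRY_RUN" = "1" ]; then
    echo "$stamp DRY-RUN $cmd"
    return 0
  fi
  echo "$stamp RUN $cmd" >> "$LOGFILE"
  $cmd >> "$LOGFILE" 2>&1
  rc=$?
  echo "$stamp EXIT $rc" >> "$LOGFILE"
  return $rc
}

# Only act when invoked with an action; sourcing the file defines the functions only.
case "${1:-}" in
  stop|start) run_action "$1" ;;
esac
```

Because the script runs locally on the Media Agent rather than as a CommServe workflow, the log file is the only record available while the MA is unreachable; keeping it lets you confirm after the fact that each stop and start fired and succeeded, and the `desired_state` helper gives a separate health check something concrete to compare the live service state against.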