Solved

Commvault BaaS (MSP) Design

  • 9 August 2024
  • 5 replies
  • 51 views

Hi Everyone,

We've got a customer who intends to provide BaaS to its customers through Commvault. His main concerns are related to security, as he has customers whose data is located on-prem and which should be protected in the new BaaS.

The concern is how the network should be designed in order to transmit the data from the end customer DC to the new BaaS platform without exposing all the CommCell nodes to the internet. We heard of Network Gateways, but actually we have no clue how this can be done.

If Network Gateways are actually the solution in order to avoid exposing the other nodes (CS and MAs), does that mean even the management plane (access of the tenant to the Command Center for backup management) is transmitted over the NetGw?

Any details regarding this would be nice, thanks in advance.

Regards.

5 replies

Userlevel 7
Badge +19

You will have to use network gateways combined with the proper network topology configuration to make sure clients initiate the connection to the gateways. I would advise to segregate the web console/command center role to a separate instance. Traffic to this instance is based on 80/443 and doesn't use the network topology by default, as it is normal web traffic.

See also: https://documentation.commvault.com/2023e/essential/commvault_for_managed_service_providers_msps.html

Badge +2

Hi @Onno van den Berg,

Thank you so much for your prompt feedback.

Does that confirm that only the Network Gateways are going to be exposed to the internet? This would be a nice start for us to understand the design that should be implemented.

P.S.: Of course, we've also suggested to the customer that they isolate the Web Server part from the CS on another dedicated server/VM.

Kind regards.

Userlevel 7
Badge +19

It depends on your design and how you and customers are going to interact with the environment. I would personally treat everything that is not directly related to the backend infrastructure as public, so I would route all incoming connections towards the environment through the public Internet. 

Userlevel 4
Badge +11

Yes, you can route everything via a Network Gateway; this way you don't need to expose the CS or MAs to the internet:

https://documentation.commvault.com/2023e/essential/setting_up_network_gateway_connection_using_predefined_network_topology.html

The Web Server can also be within your internal network. The Command Center server must be in the DMZ, or at least somewhere reachable by the end users so they can access it. Connections to the Web Server can be routed via TPPM to avoid opening ports.
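To turn the rule from the replies above ("only the gateways and the Command Center face the internet; clients and backend nodes open their connections towards the gateway") into something you can check rather than eyeball on a diagram, here is an added example that is not from this thread or from Commvault's own tooling. It models the naive design and the gateway design as initiated flows between zones and flags any backend role with an internet-facing listener; role names, zones and the ports (8403 as the assumed Commvault tunnel default, 443 for the Command Center) are assumptions for illustration.

```python
# Added example (not from the thread or Commvault): a small model of the
# BaaS connectivity design, used to check which CommCell roles end up
# accepting internet-initiated connections. Role names, zones and the port
# numbers (8403 = assumed Commvault tunnel default, 443 = Command Center web
# traffic) are assumptions.
from dataclasses import dataclass

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

@dataclass(frozen=True)
class Flow:
    src: str   # zone or role that INITIATES the TCP connection
    dst: str   # role that holds the listener
    port: int

BACKEND = ("CommServe", "MediaAgent", "WebServer")  # must never face the internet

def inbound_from_internet(flows):
    """Roles that hold a listener reachable by internet-initiated connections."""
    return {f.dst for f in flows if f.src == INTERNET}

def check_design(placement, flows):
    """Return a list of design problems; an empty list means the design is clean."""
    problems = []
    exposed = inbound_from_internet(flows)
    for role in BACKEND:
        if role in exposed:
            problems.append(f"{role} accepts internet-initiated connections")
    for role in exposed:
        if placement.get(role) != DMZ:
            problems.append(f"{role} is internet-facing but sits in {placement.get(role)}")
    # Assumed hardened posture: a DMZ host never opens connections into the
    # internal zone; CS/MA/WebServer open their tunnels outbound to the gateway.
    for f in flows:
        if placement.get(f.src) == DMZ and placement.get(f.dst) == INTERNAL:
            problems.append(f"{f.src} initiates into the internal zone ({f.dst}:{f.port})")
    return problems

# Naive design (constructed): end-customer clients connect straight to CS/MA.
NAIVE_PLACEMENT = {"CommServe": INTERNAL, "MediaAgent": INTERNAL, "WebServer": INTERNAL}
NAIVE_FLOWS = [Flow(INTERNET, "CommServe", 8403), Flow(INTERNET, "MediaAgent", 8403)]

# Gateway design (constructed): only the gateway and Command Center face the
# internet; CS/MA/WebServer connect outbound to the gateway, so the Web Server
# is reached through the tunnel (TPPM-style) without opening extra ports.
GW_PLACEMENT = {"NetworkGateway": DMZ, "CommandCenter": DMZ,
                "CommServe": INTERNAL, "MediaAgent": INTERNAL, "WebServer": INTERNAL}
GW_FLOWS = [Flow(INTERNET, "NetworkGateway", 8403), Flow(INTERNET, "CommandCenter", 443),
            Flow("CommServe", "NetworkGateway", 8403), Flow("MediaAgent", "NetworkGateway", 8403),
            Flow("WebServer", "NetworkGateway", 8403)]
```

Running `check_design(NAIVE_PLACEMENT, NAIVE_FLOWS)` lists the CS and MA as internet-facing, while the gateway design returns no problems.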

Badge +2

Thank you guys for all the provided details, that’s a good start for us.
