
HI GIO User Guide EN


1. Working with VM

Overview

A Virtual Machine (VM) is a software computer that, like a physical computer, runs an operating system and applications. The virtual machine consists of a set of specification and configuration files and is backed by the physical resources of a host. Every virtual machine has devices that provide the same functionality as physical hardware but are more portable, secure, and easier to manage.

Please refer to the VM usage guide in the list below.

HI GIO Cloud Help Center

From February 12, 2025, HI GIO Cloud powered by FPT & IIIJ has changed the user guide UI platform. The content remains unchanged and continues to be updated in the new UI.

Welcome!

The User Manual contains all the essential information for using the HI GIO Cloud system. Use graphics where possible in this manual. The manual format may be altered if another format is more suitable for the project.

Purpose and Scope

This manual includes a description of the system functions and capabilities, contingencies and alternate modes of operation, and step-by-step procedures for system access and use.

Search our essential information.

Organization

  • FPT Telecom International Co., Ltd

  • IIJ Global Solutions Vietnam Co., Ltd

Points of Contact

  • Help desk:

  • Telephone assistance: 1900 6973

COMPUTE

Introduction

This technical manual provides a comprehensive guide to understanding and handling COMPUTE. It includes detailed descriptions, step-by-step instructions, and necessary resources for effective utilization. Please follow the procedures and recommendations outlined in this manual to ensure the smooth functioning of IT infrastructure.

Overview

HI GIO CLOUD is the first full-scale public cloud service in Vietnam and the unique product of a powerful collaboration between two leading technology companies, FPT Telecom and Internet Initiative Japan (IIJ). This platform offers high-performance computing resources, enabling businesses to seamlessly deploy, manage, and scale applications.

Guideline

Performing Power Operations on Virtual Machines
  • Editing the properties of a new VM

  • Create VM's Template

  • Force change root/administrator's password

  • Safely remove Disk in Windows OS

  • Create a New Virtual Machine from ISO
    Create a Virtual Machine from a Template
    Install VMware Tools in a Virtual Machine
    View VM

    Connect S3 Services with Veeam Backup

    Overview

    Integrating S3 with Veeam Backup allows seamless data backup and recovery in S3 buckets, ensuring data protection, compliance, and efficient cloud storage management.

    • HI GIO DBaaS (coming soon)

    COMPUTE

    1. Working with VM

    2. Working with vAPP

    3. HI GIO Auto Scale

    4. HI GIO API

    STORAGE

    • HI GIO S3 Storage

    BACK-UP AS A SERVICE

    1. HI GIO BaaS

    2. HI GIO Backup

    3. HI GIO M365 BaaS

    DISASTER AS A SERVICE

    • HI GIO DRaaS

    NETWORK

    1. Working with Network

    2. VPN

    3. Load Balancer

    MANAGEMENT

    1. IAM Portal

    2. Create a Catalog

    CONTAINER

    • HI GIO Kubernetes

    DATABASE

    View VM

  • Performing Power Operations on Virtual Machines

  • Editing the properties of a new VM

  • Create VM's Template

  • Force change root/administrator's password

  • Safely remove Disk in Windows OS

  • Working with vAPP

    • Create a vApp

    • Start and Stop Order of Virtual Machines in a vApp

  • HI GIO Auto Scale

  • HI GIO API

    • API creates VM from Template

    • API reconfigures VM's Disk

    • API reconfigures VM's Networks

  • HI GIO KMS Service

  • Encryption Management Service

  • Working with VM
    Create a New Virtual Machine from ISO
    Create a Virtual Machine from a Template
    Install VMware Tools in a Virtual Machine

    Create a New Virtual Machine from ISO

    Overview

    As well as deploying pre-built VMs from a template, you can build your VMs from scratch, as you would do on a physical machine, using an ISO image instead of a physical CD or DVD.

    Procedure

    Safely remove Disk in Windows OS

    Overview

    • Bring the disk offline in Windows OS.

    • Confirm that the disk’s status is Offline in Windows OS and provide the disk information to the support team (they will support the infrastructure side).

    Start and Stop Order of Virtual Machines in a vApp

    Overview

    • You can configure virtual machines' start and stop orders within your vApp. Configure the start and stop order if you have applications installed in the virtual machines that must start and stop in a particular order.

    6. Encryption Management Service

    Overview

    VMware Cloud Director Encryption Management is a solution that grants in-transit encryption for disk I/O and vMotion for a customer's Virtual Machine using vTPM and VM Encryption technology.

    Please refer to the Encryption Management service usage guide below.

    HI GIO S3 STORAGE

    Information

    This short manual guide is designed to help HI GIO users navigate the features and functionalities of our cloud storage service. Whether you need to store large files, collaborate with team members, or ensure data redundancy, HI GIO Cloud S3 Storage provides a seamless experience tailored to your needs.

    Login to HI GIO S3 Storage Portal

    Overview

    Refer to this to learn how to activate your account via Email. After successfully activating your account, you can log in to the HI GIO S3 Portal.

    Create the Folder

    Overview

    Creating a folder in S3 helps organize your data. Specify a folder name during file upload or manually create a new folder to group and manage related objects efficiently.

    Procedure

    Upload Folder/File

    Overview

    Uploading files or folders to S3 is simple. You can drag and drop or select items to upload, organizing them into folders while maintaining scalable, secure storage in the cloud.

    Procedure

    2. Working with vAPP

    Overview

    vApp consists of one or more virtual machines communicating over a network and using resources and services in a deployed environment. vApp can contain multiple virtual machines.

    Please refer to the vAPP usage guide in the list below.

    Download Folder/Files

    Overview

    Downloading files or folders from S3 is straightforward. Select the desired objects, and with a click, they will be transferred to your local storage securely and efficiently.

    Procedure

    How to get the S3 Key

    Procedure

    1

    Step 1: Log in to HI GIO S3 Portal

    2

    Step 2: Configure the Network Settings for On-Premises to Cloud Replications

    Overview

    Before running the replicated VM's Recovery, we must configure a Failover Network on APP1.

    Procedure

    FAILOVER SCENARIO

    Partial Failover

    • Partial failover is necessary when your DC (on-premises site) is still up and running but only one (or a subset) of your servers, applications, or virtual machines (VMs) is experiencing problems.

    Force change root/administrator's password

    Overview

    • You can reset the root/administrator’s account password via Guest OS Customization in the vCD portal.

    • This password is used for root (Linux) or Administrator (Windows).

    In this scenario, a complete site failover is unnecessary. Partial failover allows you to run the corrupted systems at the DR site (HI GIO cloud) while the rest of your functional systems keep running on your DC site (on-premises site).

    Full Failover

    • Disaster scenarios almost always strike unexpectedly. In a disaster event, it is critical to restore the infrastructure of your business as soon as possible before any significant damage is done.

    • Failover and failback can help ensure that your business continues functioning properly, even if the DC site is affected by a disaster.

    API token login
    API reconfigures VM's Memory
    API reconfigures VM's CPU
    API power on/off VM
    HI GIO KMS Service
    Encryption Management Service

    Start and Stop Order of Virtual Machines in a vApp

    Create a vApp

    Backup DATA from NAS to HI GIO S3 Service

    Overview

    Backing up data from a NAS to the HI GIO S3 Service ensures secure, scalable cloud storage. Integrating the NAS with HI GIO S3 allows you to automate backups, protect files, and enable quick recovery while managing data efficiently through an easy-to-use interface. We support Synology, QNAP, and other NAS brands that support S3-compatible storage.

    1. Working with Network

    Overview

    HI GIO uses a layered networking architecture with four categories of networks to provide a highly flexible and secure network infrastructure in a multipurpose cloud environment. The categories are external networks, organization virtual data center (VDC) networks, data center group networks, and vApp networks. Most types of networks require additional infrastructure objects, such as edge gateways and network pools.

    1

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    2

    Step 2: Select Card View\Grid View to view the virtual machines

    3

    Step 3: Click New VM.

    4

    Step 4: In the New VM dialog box, enter a Name, Computer Name, and Description for your VM.

    Attention:

    5

    Step 5: Type: Select New

    6

    Step 6: Select the Power on check-box if you want the VM to power on right after its creation.

    7

    Step 7: Operating System: Select an OS family, Operating System, and Boot image.

    8

    Step 8: Compute: Enter Virtual CPUs, Core per socket, and Memory.

    9

    Step 9: Storage: Select Storage Policy & Size of disk.

    • Add more disk for VM if needed.

    10

    Step 10: Networking:

    • Network: Select the Organization VDC Networks that you want to use for VM

    • Network adapter Type: Select VMXNET3

    11

    Step 11: Click OK to save the virtual machine's settings and start the creation process. Once the virtual machine is created, it is a VM without an OS. We must insert media (ISO) into the VM and install the OS.

    12

    Step 12: Click the three vertical dots > Media > Insert Media

    13

    Step 13: Select the ISO image you want to mount from a catalog in the Insert CD dialog box, then click Insert.

    14

    Step 14: Click the three vertical dots >> Power >> Power On

    15

    Step 15: Open VM Console to install guest OS for VM

    The VM boots from the ISO file and starts the installation.

  • Validate again on Windows OS.

  • Procedure

    1

    Step 1: Log on to Windows and open Disk Management.

    Right-click on the Windows menu > Run.

    2

    Step 2: On Disk Management:

    Right-click the disk name > Offline

    3

    Step 3: Validate disk status:

    Disk status = Offline, and it will disappear on the volume table.

    These settings are helpful if you need to start and stop your virtual machines in a particular order.

    Attention: Verify that the vApp is powered off.

    Procedure

    1

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select vApps.

    2

    Step 2: In the vApps page, select card view.

    3

    Step 3: On the vApp card, click Details.

    4

    Step 4: Click the Start and Stop Order tab and click Edit.

    5

    Step 5: Edit each virtual machine's start and stop order properties and click OK.

    • Start Order: Enter the order (0, 1, 2, 3 ...) where you want the virtual machine to start.

    • Start Action: Select Power On (default) or None.

    Procedure
    1

    Step 1: The customer logs in to the vCD portal

    2

    Step 2: Verify Encryption Policy is available

    3

    Step 3: Choose the VM you want to encrypt. Note: this VM must be powered off before encryption

    4

    Step 4: Change Default Storage Policy

    • VM -> General -> EDIT

    • Wait for the VM encryption process to complete (the time it takes depends on the size of the VM's hard drive)

    5

    Step 5: Power on the encrypted VM:

    • VM configuration files, including swap files, core dump files, and more, are encrypted.

    • All Hard disks are encrypted.

    Overview

    HI GIO S3 Storage - An unlimited Backup Storage solution for businesses

    A comprehensive solution built on the Object Storage platform flexibly connected via the S3 protocol. Meets security standards with fast data access, cost optimization, and high availability from many environments. This solution suits Data Lake, Cloud-native Application Data, Data Archiving, Backup and Recovery.

    Guidelines

    • Login to HI GIO S3 Storage Portal

    • How to get the S3 Key

    • Mount HI GIO S3 Storage into Windows

    • Bucket Management

    Procedure
    1

    Step 1: Access the link https://iam.higiocloud.vn/tenant/ and fill in the tenant (organization) information that we provided

    2

    Step 2: Log in to the account provided by email

    3

    Step 3: Click on the top-right to access the S3 Portal

    4

    Step 4: After logging in to the S3 Portal, you will be asked to create a new PIN to use the S3 service. This PIN code is used for security authentication when you view the S3 Key (Access key, Secret key) or delete the Bucket.

    LINK
    1

    Step 1: Double-click on Bucket. Then select "New" -> “New folder”

    2

    Step 2: Enter the Folder name and click “Create the Folder.”

    Click “New,” then choose “Upload Folder” or “Upload file(s).” You can also drag the File/Folder here.

    Right-click on the Files you want to download, then choose “Download.”

    Step 2: Choose the “Security” tab and get the S3 Key

    3

    Step 3: Enter the “Pin code” you created from the beginning “LINK“ to get the S3 Key.

    4

    Step 4: Save the Key information to add the HI GIO S3

    1

    Step 1: Log in to HI GIO Availability.

    2

    Step 2: Select Incoming Replications > select vAPP1 > ALL ACTIONS > Recovery settings.

    3

    Step 3: In the Recovery settings window > click the Nics tab > vAPP1

    4

    Step 4: Assign a network that fits with HI GIO's network > APPLY

    Procedure
    1

    Step 1: Log in to vCD portal > Data Centers > Virtual Machines > Guest OS Customization > EDIT.

    2

    Step 2: Verify guest customization is enabled and Specify password > SAVE.

    3

    Step 3: Power off and Power on, Force Recustomization.

    4. HI GIO API

    Overview

    This guide is designed to help developers and technical users integrate and interact with the HI GIO Cloud services through our powerful API.

    This manual provides detailed information on authenticating, making API calls, and handling responses effectively. It also covers best practices, code examples, and troubleshooting tips to ensure a smooth integration process.

    Please refer to the VM usage guide in the list below.

    5. HI GIO KMS Service

    Overview

    HI GIO KMS is powered by the HashiCorp Vault solution, which is fully managed by HI GIO teams. Thus, the customer can focus on key management itself.

    HashiCorp Vault is an identity-based secrets and encryption management system. A secret is anything you want to control access to tightly, such as API encryption keys, passwords, and certificates. Vault provides encryption services that are gated by authentication and authorization methods. Access to secrets and other sensitive data can be securely stored and managed, tightly controlled (restricted), and auditable using Vault's UI, CLI, or HTTP API.

    HI GIO KMS has two kinds of deployment models.

    • Internet mode

    • Private mode (accessible only from the customer’s HI GIO VPC system)

    Reference:

    Bucket Policy

    Overview

    An HI GIO S3 Bucket Policy is a JSON-based resource policy that manages access permissions to S3 buckets. It specifies who can access the bucket, the actions allowed, and the conditions for access.

    You can refer to the example S3 bucket policy in “HERE.”

    Procedure

    1

    Step 1: Right-click on the Bucket and select 'Bucket Policy.' Customize the Bucket Policy according to Amazon S3 standards. For additional examples and further guidance, refer to the official documentation.

    2

    Step 2: You can modify the Bucket Policy as needed in this popup. Once you have made the necessary changes, click "Update Policy" to apply the updates.

    How to configure receiving Alarms from BaaS

    Overview

    This document describes how to configure receiving Alarms from BaaS.

    Procedure

    1

    Step 1: Access by URL:

    • HN site:

    • HCM site:

    Log in, then click Configuration:

    2

    Step 2: Choose Templates > Predefined Alarms, and then choose the alarm you want to be notified about to set up its parameters:

    Attention: The details of all the alarms in the Veeam document are as follows.

    Alarms - Use the Veeam Service Provider Console Guide, or you can read the Knowledge Base option in Edit Alarm.

    3

    Step 3: Choose a specific rule by ticking it > Edit to define the Rules for getting the notification, or add more parameters:

    4

    Step 4: Define Actions to receive the notification. There are 2 methods, and you can add more parameters, too:

    • Send email notification: Enter the email addresses that should receive the notification (separated by commas).

    • Execute script: execute a custom script that you want.

    Then, choose the condition to trigger the actions.

    5

    Step 5: Click Finish to save Alarm Settings:

    6

    Step 6: Enable the Alarm to use it:

    Get the link Download of Files

    Overview

    To download files from HI GIO S3, generate a pre-signed URL. This link provides temporary access, allowing users to download files securely without HI GIO S3 credentials.

    Procedure

    1

    Step 1: Right-click on the File you need to get a link and choose “Public Sharing.”

    2

    Step 2: In HI GIO S3, you can set the sharing mode of your objects to either Private or Public.

    HI GIO DRaaS

    Information

    This short manual guide is intended to assist HI GIO users in understanding the features and benefits of our DRaaS offering. In this guide, you will find step-by-step instructions for setting up your disaster recovery environment, best practices for maintaining your recovery plans, and tips for testing and optimizing your DRaaS strategy.

    Overview

    We provide HI GIO DRaaS for all enterprises who need to initiate secure data replication to another region, such as on-premises to HI GIO Cloud, HI GIO Cloud Ho Chi Minh to HI GIO Cloud Hanoi, or vice versa by setting up HI GIO DRaaS on their resource servers. Furthermore, the RPO has a minimum value of 5 minutes, which suits their critical system.

    Guideline

    Create a L2 VPN server session (HI GIO site).

    Overview

    By using the management interface in the HI GIO cloud site, organization administrators create the server side of the L2 VPN session, enabling the L2 stretch of one or more networks across the on-premises site.

    Procedure

    1

    Step 1: Log in to HI GIO Portal

    Select Network > Edge Gateways > VPC name

    2

    Step 2: Under Services, click L2 VPN > NEW to open L2 VPN Tunnel window.

    Setup Public or Private ACL for Bucket

    Overview

    ACL (Access Control List) is a mechanism that determines who has access to your buckets and objects (files/folders). To set up a Public ACL, right-click on the Bucket and select "Public" or select "Share Link" to set it up.

    Procedure

    1

    Step 1: Right-click on the Bucket and choose “Public“

    2

    Step 2: Once you have set up Public for a Bucket, the screen will display as “Public” when accessing the link of that Bucket.

    Management File, Folder

    Overview

    HI GIO S3 provides flexible file and folder management, allowing you to organize data hierarchically. You can upload, move, rename, or delete files and folders while applying access controls and lifecycle rules.

    Guidelines

    Step 4: Reverse replication of the VM from HI GIO Cloud to On-Premises

    Overview

    After the on-premises site has recovered from the issue and is available, we can migrate the workload (APP1, DB1) from the HI GIO cloud back to on-premises by reversing the replication.

    Procedure

    1

    Step 1: Log on to the HI GIO portal.

    2

    Step 2: Expand More > Click on Availability ()

    3

    Step 3:

    Workaround

    Procedure

    Please refer to the other guides in the list below.

    • Veeam Agent Installation for CentOS 9 Stream

    Step 5: Migrate the VMs back from HI GIO Cloud to On-Premises

    Overview

    Since the VM is successfully replicated from Cloud to On-Prem, we will migrate the VM APP1, DB1 from HI GIO Cloud back to On-Prem.

    Procedure

    1

    Step 1: Log on to the HI GIO portal.

    2

    Step 2: Expand More > Click on Availability ()

    3

    Step 3:

    Backup Data from Synology NAS with CloudSync

    Overview

    Backing up data from a Synology NAS to HI GIO S3 using CloudSync ensures secure, automated synchronization between your local NAS and S3 cloud storage. It enables continuous data protection, easy file recovery, and efficient storage management.

    Procedure

    1

    Step 1: Connect to your NAS via Web Browser and install CloudSync

    2

    Step 2: Access the “Package Center” and then install “CloudSync”

    3

    Create backup job on Linux OS via Veeam agent console

    Overview

    This is a document on how to Create a backup job on Linux.

    Procedure

    1

    Step 1: Start Veeam Backup Agent

    Use the command “veeam” to start the Veeam service

    2

    Step 2: Create a Backup Job

    Press “c” and input Job name

    2. VPN

    Guideline

    Please refer to the VPN usage guide in the list below.

    • IPSec parameters

    Versioning

    Overview

    S3 Versioning allows you to keep multiple versions of an object in the same bucket, protecting against accidental deletions and enabling easy recovery of previous file versions when needed.

    Procedure

    1

    Step 1: Right-click the Bucket and choose “Versions” to enable file versioning for the Bucket and view all versions of the files in that Bucket.

    2

    Step 2: previous versions of files, ensuring data recovery and protection from accidental deletions or overwrites.

    Create a Virtual Machine from a Template

    Overview

    To simplify creating a virtual machine (VM), you can use a pre-built VM template from a catalog.

    Procedure

    Performing Power Operations on Virtual Machines

    Overview

    You can perform power operations on virtual machines, such as powering on or off a virtual machine, suspending or resetting a virtual machine, or shutting down the guest operating system of a virtual machine.

    Create a vAPP

    Overview

    • vApp consists of one or more virtual machines communicating over a network and using resources and services in a deployed environment. vApp can contain multiple virtual machines.

    Mount HI GIO S3 Storage into Windows

    Overview

    Mounting a bucket to a local drive enables the creation of a virtual drive directly on the computer, allowing users to manage their cloud storage data seamlessly without needing additional tools or portal access.

    API token login

    Overview

    In this manual, you will find detailed information on preparing information, creating a Token on the vCD portal, and creating a Bearer token.

    Procedure

    API power on/off VM

    Overview

    In this manual, you will find detailed information on how to prepare information, get the VM status, and change the VM status.

    Procedure

    BACK-UP AS A SERVICE

    Introduction

    This short manual guide is designed to help HI GIO users understand the features and benefits of our Backup as a Service and provide step-by-step instructions for setting up and managing your backups. Whether a small business or a large enterprise, our BaaS solution is tailored to meet your unique needs, ensuring your data is protected against loss, corruption, or unforeseen disasters.

    How to create the new Bucket

    Overview

    As well as using pre-configured storage classes, you can set up your own S3 Buckets from scratch, configuring access policies, versioning, and lifecycle rules to suit your specific storage needs.

    API reconfigures VM's Disk

    Overview

    In this manual, you will find detailed information on how to prepare information, get the VM’s disk information, and reconfigure the VM’s disk.

    Procedure

    Bucket Management

    Overview

    The Bucket Management page displays information about your Buckets, including name, size, public and private modes, and operations of that Bucket.

    • Rules: Bucket names must follow domain name constraints.

    Stretching layer 2 networks for HI GIO's DRaaS

    Overview

    During on-premises to the cloud migrations, stretch the on-premises networks across the HI GIO cloud site to allow network connectivity between already migrated and not yet migrated virtual machines in the same network segment.

    Layer 2 VPN (L2 VPN) stretches the L2 networks across the sites.

    Register & configure the Networks of the NSX Autonomous Edge On-Premises

    Overview

    Once the NSX Autonomous Edge appliance is deployed in the on-premises site, the On-Premises to Cloud Director Replication Appliance starts managing the NSX Autonomous Edge after you register it on-premises.

    To complete the L2 stretch configuration entirely by using the management interface of the On-Premises to , after deploying the NSX Autonomous Edge in the on-premises site, you register it by using the On-Premises to Cloud Director Replication Appliance.

    FAILOVER

    Guideline

    Lifecycle Rule

    Overview

    Lifecycle rules for files/folders (Objects) must be clearly defined according to usage needs.

    For example:

    • You need to upload a large amount of data and want these files to only exist for 90 days.

    FAQs

    1. You can find the protected jobs on the jobs on-premises site.

    After creating the protection job\reverse job on HI GIO cloud (by provider account), you cannot see these jobs on the on-premises site.

    Solution: Change the owner of these jobs to a tenant organization

  • Bucket names must be unique.

  • Bucket names cannot be formatted as IP addresses

  • Bucket names can be 3 to 63 characters long.

  • Bucket names cannot contain uppercase characters or underscores.

  • Bucket names must start with a lowercase letter or number.

  • Bucket names must be a series of one or more labels.

  • The following example bucket names are valid and follow the recommended naming guidelines for general-purpose buckets:

    • docexamplebucket1

    • log-delivery-march-2020

    • my-hosted-content

  • The following example bucket names are valid but are not recommended for uses other than static website hosting:

    • docexamplewebsite.com

    • www.docexamplewebsite.com

    • my.example.s3.bucket

  • The following example bucket names are invalid:

    • doc_example_bucket (contains an underscore)

    • DocExampleBucket (contains uppercase letters)

    • doc-example-bucket- (ends with a hyphen)
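    The naming rules and example names above, expressed as a validator. This is an added example, not part of the HI GIO guide; the function names are hypothetical, and applying the start/end rule to every dot-separated label is this example's reading of "domain name constraints". The address `192.168.5.4` in the demo is a constructed input.

```python
import re

# One DNS-style label: lowercase letters, digits and hyphens, starting and
# ending with a letter or digit. Applying this to every label is an assumption
# of this example, based on the guide's "domain name constraints" rule.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")
# Four dot-separated numeric groups, i.e. a name that looks like an IPv4 address.
IP_LIKE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def bucket_name_violations(name):
    """Return the rules from the guide that `name` breaks (empty list = valid)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3 to 63 characters")
    if any(ch.isupper() for ch in name):
        problems.append("contains uppercase letters")
    if "_" in name:
        problems.append("contains an underscore")
    if not re.match(r"[a-z0-9]", name):
        problems.append("must start with a lowercase letter or number")
    if name.endswith("-"):
        problems.append("ends with a hyphen")
    if IP_LIKE.fullmatch(name):
        problems.append("formatted as an IP address")
    # Catch-all for anything the specific rules above did not explain:
    # empty labels ("a..b"), other characters, labels with a hyphen at an edge.
    labels = name.split(".")
    if not problems and not all(LABEL.fullmatch(label) for label in labels):
        problems.append("not a series of valid labels")
    return problems


def classify(name):
    """Map a name to the three groups used in the guide's examples."""
    if bucket_name_violations(name):
        return "invalid"
    # Names with dots are valid but only recommended for static website hosting.
    return "valid, not recommended" if "." in name else "valid"


if __name__ == "__main__":
    samples = [
        "docexamplebucket1", "log-delivery-march-2020", "my-hosted-content",
        "docexamplewebsite.com", "www.docexamplewebsite.com",
        "my.example.s3.bucket", "doc_example_bucket", "DocExampleBucket",
        "doc-example-bucket-", "192.168.5.4",
    ]
    for sample in samples:
        reasons = "; ".join(bucket_name_violations(sample))
        print(f"{sample:28} {classify(sample)} {reasons}")
```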

  • API creates VM from Template
    API reconfigures VM's Disk
    API reconfigures VM's Networks
    API token login
    API reconfigures VM's Memory
    API reconfigures VM's CPU
    API power on/off VM
    File Versioning
    Create the Folder
    Upload Folder/File
    Download Folder/Files
    Get the link Download of Files
    Veeam Agent Installation for CentOS 8 Stream
    Veeam Agent Installation for RHEL 9.2
    IPSec VPN
    IPSec Remote Access VPN Clients on Windows
    How To Install vCDA On-Premises appliance
    How To Use vCDA On-Premises
    Stretching layer 2 networks for HI GIO's DRaaS.
    FAILOVER SCENARIO
    Management File, Folder
    Connect S3 Services with Veeam Backup
    Backup DATA from NAS to HI GIO S3 Service
    S3 Data Encryption – SSE-C and SSE-S3

    Name is a name to identify the VM, Computer Name is the host name of the VM.

  • The Computer Name is copied from the Name field but can contain only alphanumeric characters and hyphens, so you may need to edit it if your VM Name contains spaces or special characters.

  • IP mode: Select DHCP, Static – IP Pool, or Static – Manual. If we use DHCP or Static – IP Pool mode, we need an active DHCP service (via Network\Gateway or a relay DHCP server) or must create 01 IP Pool in the Organization VDC Networks.

    Attention: We recommend using the VMXNET3 network adapter where possible. The VMXNET virtual network adapter has no physical counterpart and is optimized for VM performance. Because operating system vendors don't provide built-in drivers for this card, you must install VMware Tools to have a driver available for the VMXNET network adapter.

    Confirm that the disk’s status = offline in Windows OS and provide disk information to the support team (they will support on the infrastructure side).

    Please provide disk information:

    • Disk size:

    • Disk ID (follow as below):

    *** Check Disk ID via Disk Management:

    Right-click the disk name > Properties

    Validate again in Windows OS:

    • Once the support team has completed the infrastructure side.

    • Please log on to Windows OS and confirm that the disk has been removed. No disk offline status is shown on Disk Management.

    Start Wait: The start wait time is the time (in seconds) you want to wait before VMware Cloud Director starts the next machine in the sequence.

  • Stop Action: Select Power Off; the VM powers off without performing a shutdown. Otherwise, select Shut Down (requires VMware Tools to be installed), which ensures stability upon shutting down.

  • Stop Wait: The stop wait time is the time (in seconds) you want to wait before VMware Cloud Director shuts down the next virtual machine in the sequence.

  • So we can power off the vApp. It will automatically start the VMs based on the startup order (The reverse order is used to power them off).

    Optional: Enable Security Devices – Trusted Platform Module (vTPM)

    • Choose Security Devices -> Edit -> Enable -> SAVE

    NOTE: The VM must meet the following requirements to add a Trusted Platform Module:

    • VM is powered off

    • OS is compatible with Trusted Platform Module

    • VM doesn’t have any snapshots

    • Hardware version 14 or later

    • Boot firmware is EFI

    vTPM is present (Optional: if it was enabled in step 5)

    Attention: If you have defined the email on your user profile, you can specify it by role instead of email.

    https://portal-hni-backup.higio.net/
    https://portal-hcmc-backup.higio.net/
    • Private Mode: All HI GIO S3 buckets and objects are private by default. Only the bucket owner has access, ensuring data security.

    • Get link download option: This URL grants temporary access to the private file for 60 minutes, enabling users to download it without needing HI GIO S3 credentials.

    • Public Mode: If you want to share objects publicly, you can configure the bucket or object permissions to allow public access. This enables anyone with the link to view or download the files. Use this mode cautiously to prevent unauthorized access to sensitive data.

    On Choose Session Mode, select Server > click Next.

    • Enter a name and pre-shared key > NEXT

    • Enter the IP address for the Local IP, remote IP, Initiation Mode > NEXT

    - Select Networks > NEXT

    These networks were created in the preparation phase.

    • Review and click FINISH.

    Wait a few minutes.

    Once complete, we can see the tunnel IDs (use them for the manual configuration on the NSX Autonomous Edge).

    Then copy the Peer code (use it for the manual configuration on the NSX Autonomous Edge).

    Click Incoming Replications > Check the checkbox for vAPP1 > Expand ALL ACTIONS > Click on Reverse.

    You can also select individual VMs in this step.

    Step 4: Confirm Reverse Replication from HI GIO Cloud to on-prem. Click REVERSE.

    Step 5: Expected result:

    1. Reverse Replication is in progress. You can monitor the progress of the Reverse task in the Last changed section and replicate the state.

    2. Reverse Replication is Completed. Here, APP1 & DB1 are replicated back to On-Prem, and the Recovery State is Reversed.

    Click on Outgoing Replications > Check the checkbox for vAPP1 > Expand ALL ACTIONS > Click on Migrate

    Step 4: Configure Migrate Settings. Leave the Defaults and Click on NEXT

    Step 5: Review the Migration Settings and click on FINISH

    Step 6: Expected result

    1. Migration in Progress

    2. Migration to on-premises is Completed Successfully. Confirm that:

    - Recovery state = Failed-Back

    - Replication type = On-Premise Protection

    - Overall health = Green

    3. Confirm VMs migrated back to On-premises.

    VM APP1-xxxx, DB-xxxx now show up in the vCenter's inventory

    4. Log in to APP1 & DB1 with a local account > change the IP address to fit the on-premise site (in my case, I just changed the default gateway to .1) and validate the application.

    Step 3: Setup and configure Cloud Sync connect to HI GIO S3 Storage

    Step 4: Fill in the information from HI GIO S3 Portal

    • S3 Server: Choose Custom Server URL

    • Server Address, Access Key, Secret Key: get them “HERE”

    Step 5: Setup Backup type

    We have 3 ways to back up to HI GIO S3 Storage

    • 2-way sync (Upload/Download): Bidirectional

    • 1-way sync (Upload only): Upload local changes only

    • 1-way sync (Download only): Download remote changes only

    Step 6: Scheduling the Backup time

    • Depending on the business backup plan, you can choose 2-way synchronization or 1-way synchronization (Upload Only) or 1-way synchronization (Download Only)

    • To expand the storage space for the NAS device, we recommend you use the synchronization type (Upload Only). When deleting data on the NAS, the data on the Cloud will remain.

    Choose Veeam Cloud Connect Repository

    Enter the BaaS Cloud Gateway address:

    • HCM: backup-hcmc.higio.net

    • HN: backup-hni.higio.net

    • Accept the certificate details.

    • Enter Username and Password

    Check the capacity of BaaS Storage.

    Advanced configuration.

    Schedule Backup.

    Check the settings.

    Run the Backup Job.

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: Select Card View\Grid View to view the virtual machines

    Step 3: Click New VM.

    Step 4: In the New VM dialog box, enter a Name, Computer Name, and Description for your VM.

    Attention:

    • Name is a name to identify the VM, Computer Name is the host name of the VM.

    • The Computer Name is copied from the Name field but can contain only alphanumeric characters and hyphens, so you may need to edit it if your VM Name contains spaces or special characters.

    Step 5: From the Type radio buttons, select From Template.

    Step 6: If you want the VM to power on right after its creation, select the Power on check box.

    Step 7: In the Templates section, select the template you want to use for your VM, depending on your requirement (OS type and VM size).

    Step 8: Select Storage Policy

    Step 9: Select Network, Network adapter Type, IP mode for VM

    Attention: If using the Linux template, you can change the default password or SSH public key (optional)

    Step 10: Click OK to save the virtual machine's settings and start the creation process.

    Attention:

    • After the creation is completed using a Windows template, you will see this screen in the first boot.

    • Remember: DO NOT TOUCH anything. Let it complete by itself.

    Attention:

    • Just wait for it to restart (about 3 minutes) to apply your specific configuration (IP, hostname,…).

    • When you see the Login screen, you can take control.

    Procedure

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: Click card view

    Step 3: On the card of the virtual machine that you want to start, click ACTIONS > Power > Power On.

    A powered-on virtual machine displays a Powered-on status in green.

    • The Shut Down Guest OS for VM action shuts down the guest operating system and powers off the virtual machine. VMware Tools must be installed and running on the VM.

    • Powering off a virtual machine is the equivalent of powering off a physical machine.

    • Resetting a virtual machine clears the state (memory, cache, and so on), but the virtual machine continues to run. Resetting a virtual machine is the equivalent of pushing the reset button of a physical machine. It initiates a hard reset of the operating system without changing the virtual machine's power state.

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: Click card view

    Step 3: In the card of the virtual machine that you want to power off, click ACTIONS > Power > Power Off\Shut Down Guest OS\Reset

    • Suspending a virtual machine preserves its current state by writing the memory (RAM) to disk.

    • The suspend and resume feature is useful when you want to save your virtual machine's current state (RAM) and continue work later from the same state.

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: Click card view

    If a virtual machine is in a suspended state and you no longer need to resume the use of the machine, you can discard the suspended state. Discarding the suspended state removes the saved memory and returns the machine to a powered-off state.

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: Click card view

    Step 3: In the card of the virtual machine that you want to start, click ACTIONS > Power > Discard the suspended state.

    The state is discarded, and the virtual machine is powered off

    Instead of creating a vApp based on a vApp template, you can make a vApp using virtual machines from catalogs, new virtual machines, or a combination of both.

  • Building a vApp requires you to provide a name and, optionally, a description of the vApp. You can go back and add the virtual machines to the vApp later.

  • Attention: A vApp can contain multiple VMs, so shutting down or stopping a vApp affects all VMs inside it.

    Procedure

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select vApps.

    Step 2: In the vApps page, click New, then select New vApp.

    Step 3: Enter a Name and, optionally, a Description for the vApp.

    Step 4: (Optional) If you want the vApp to power on upon deployment, select the Power on check box.

    Attention: The vApp can power on only if virtual machines exist.

    Step 5: Click Add Virtual Machine.

    Attention: You can click Create at this point to create an empty vApp and add VMs to it later.

    Step 6: In the New VM dialog box, select:

    • New to create a VM from scratch (see Create a New Standalone Virtual Machine)

    • From Template to create a VM from an existing template (see Create a Virtual Machine from a Template)

    Step 7: (Optional) Repeat for each additional virtual machine you want to create within the vApp.

    Step 8: To complete the creation of the vApp, click Create.

    You can add a network to a vApp to make the network available to the virtual machines in the vApp. You can add a virtual data center network to a vApp.

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select vApps.

    Step 2: On the vApps page, select Card View to view vApps in card view.

    Step 3: Click the Actions menu of the vApp to which you want to add a network, then select Add > Add Network.

    Step 4: On the Add Network page:

    Check type: Direct and select the network that you want to add.

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: In the Virtual Machines window, select Card View to view virtual machines in card view.

    Step 3: Click the Actions menu of the virtual machine that you want to move, then select Move.

    Step 4: Select Destination vApp, then click Next

    Step 5:

    Procedure

    Step 1: Download the RClone tool at this “Link” and extract the file after download

    Step 2: Run the RClone tool in Windows PowerShell

    1. Example: the path of the folder that stores the RClone tool is “.\Downloads\rclone\”

    2. Open Windows PowerShell and run the command “.\Downloads\rclone\rclone.exe help” to check that the RClone tool is working on your Server/PC

    Step 3: Configure the HI GIO S3 storage connection with RClone

    • Create the connection configuration file with this command

    ** Note: “.\Downloads\rclone\rclone.exe” is the path where the RClone tool is stored. Security Key get it in

    Step 4: Mount a bucket as a local drive on your computer to enable direct access and management of cloud storage data.

    • To mount a bucket as a drive on your computer, ensure that WinFsp is installed.

    • Setup WinFSP → Click Next until Finish

    Step 5: Set up the configuration to automatically mount the bucket on system reboot.

    1. Open “Run,” then type “shell:startup”

    2. Create a new file with the name “mounts3.cmd” and copy the code below to that file

    Step 1: Prepare Information

    * Login IAM portal -> vCD portal: collect the information

    • {{vcd_url}}

    • {{tenant_name}}

    Ex: https://iaas-hcmc02.higiocloud.vn/tenant/”tenant_name”/vdcs/dashboard

    Step 2: Create Token on vCD portal

    • Login IAM portal -> vCD portal -> User preferences

    • API tokens -> New

    Copy token ({{api-token-generated}})

    Step 3: Creating a Bearer token

    • POST https://{{vcd_url}}/oauth/tenant/{{tenant_name}}/token

    Step 1: Prepare information

    Login IAM portal -> vCD portal: collect the information

    • {{vcd_url}}

    • {{vm-uuid}}: select the VM -> read the VM UUID from the URL

    • {{Bearer Token}}: Please follow “API token login” document

    Step 2: Get VM status

    • GET https://{{vcd_url}}/api/vApp/{{vm-uuid}}

    • Authorization: {{Bearer Token}}

    • Headers:

    Step 3: Change the VM status

    • POST https://{{vcd_url}}/api/vApp/{{vm-uuid}}/power/action/{{powerOn/powerOff}}

    • Authorization: {{Bearer Token}}

    • Headers:

    Step 4: Verify

    • Get VM’s status information

    GET https://{{vcd_url}}/api/vApp/{{vm-uuid}}
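
The "API token login" and VM power-state procedures above as one added Python example (not HI GIO's or VMware's own code). The token request body (grant_type=refresh_token), the access_token field, the 202 reply to a power action and the numeric status codes follow the VMware Cloud Director API; the Accept value is the one this guide gives for its disk procedure. The host, tenant, tokens, the vm-<UUID> identifier form and the FakeVcd stand-in are constructed assumptions so the block runs offline.

```python
import json
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_ACCEPT = "*/*;version=37.2"            # Accept value as written in this guide
ALLOWED_ACTIONS = ("powerOn", "powerOff")  # the two actions the guide names
STATUS_NAMES = {"3": "SUSPENDED", "4": "POWERED_ON", "8": "POWERED_OFF"}
HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:\d+)?")
TENANT_RE = re.compile(r"[A-Za-z0-9._-]+")
VM_ID_RE = re.compile(r"(vm-)?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def https_transport(method, url, headers, body=None):
    """Real transport; urllib verifies the server certificate by default."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class VcdClient:
    def __init__(self, vcd_url, tenant_name, transport=https_transport):
        if not HOST_RE.fullmatch(vcd_url) or not TENANT_RE.fullmatch(tenant_name):
            raise ValueError("vcd_url must be a bare host and tenant_name a plain name")
        self.base, self.tenant, self.transport = "https://" + vcd_url, tenant_name, transport
        self._bearer = None  # held in memory only

    def __repr__(self):  # keeps the token out of logs and tracebacks
        return f"VcdClient({self.base!r}, {self.tenant!r}, bearer=<hidden>)"

    def login(self, api_token):
        """'API token login', step 3: exchange the API token for a Bearer token."""
        body = urllib.parse.urlencode(
            {"grant_type": "refresh_token", "refresh_token": api_token}).encode()
        status, data = self.transport(
            "POST", f"{self.base}/oauth/tenant/{self.tenant}/token",
            {"Accept": "application/json",
             "Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise PermissionError(f"token exchange failed with HTTP {status}")
        self._bearer = json.loads(data)["access_token"]

    def _call(self, method, vm_id, suffix=""):
        if not VM_ID_RE.fullmatch(vm_id):  # nothing else may reach the URL path
            raise ValueError("vm_id is not a VM identifier")
        if self._bearer is None:
            raise PermissionError("call login() first")
        headers = {"Accept": API_ACCEPT, "Authorization": "Bearer " + self._bearer}
        return self.transport(method, f"{self.base}/api/vApp/{vm_id}{suffix}", headers)

    def vm_status(self, vm_id):
        """Steps 2 and 4: read the status attribute of the VM representation."""
        status, data = self._call("GET", vm_id)
        if status != 200:
            raise RuntimeError(f"GET failed with HTTP {status}")
        code = ET.fromstring(data).get("status")
        return STATUS_NAMES.get(code, f"UNKNOWN({code})")

    def power(self, vm_id, action):
        """Step 3: request powerOn or powerOff; anything else is refused locally."""
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"action must be one of {ALLOWED_ACTIONS}")
        status, _ = self._call("POST", vm_id, f"/power/action/{action}")
        if status != 202:  # the API accepts the request as an asynchronous task
            raise RuntimeError(f"power action failed with HTTP {status}")


class FakeVcd:
    """Constructed stand-in for the API so the example runs offline."""
    def __init__(self, api_token):
        self.api_token, self.state, self.calls = api_token, "8", []

    def __call__(self, method, url, headers, body=None):
        self.calls.append((method, url, dict(headers), body))
        if url.endswith("/token"):
            ok = urllib.parse.parse_qs(body.decode()).get("refresh_token") == [self.api_token]
            return (200, b'{"access_token": "constructed-bearer"}') if ok else (401, b"")
        if headers.get("Authorization") != "Bearer constructed-bearer":
            return 401, b""
        if method == "POST":
            self.state = "4" if url.endswith("/powerOn") else "8"
            return 202, b""
        xml = f'<Vm xmlns="http://www.vmware.com/vcloud/v1.5" status="{self.state}"/>'
        return 200, xml.encode()


def demo():
    api = FakeVcd("constructed-api-token")
    client = VcdClient("vcd.example.invalid", "tenant1", transport=api)
    client.login("constructed-api-token")
    vm = "vm-11111111-2222-3333-4444-555555555555"  # constructed identifier
    before = client.vm_status(vm)
    client.power(vm, "powerOn")
    return before, client.vm_status(vm), api.calls


if __name__ == "__main__":
    print(demo()[:2])
```

Because the power action is asynchronous, the status read in step 4 may still show the old state for a short time against a real endpoint; omit the transport argument to use https_transport.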

    Overview

    We provide BaaS for all enterprises who need to protect their data in cloud environments, on-premises virtualization environments, and physical servers with a comprehensive backup solution. This solution can back up multiple platforms such as CentOS, Red Hat, Ubuntu, Windows, etc.

    Guidelines

    We offer a user-friendly & cost-effective online Data Backup & Recovery solution that safeguards files, folders, etc.

    • Utilizing Veeam Portal

    • Applying on Gen.1, Gen.2 and on-premises environment

    • Tailoring a secure & efficient storage, disaster recovery, and backup service to business needs

    We offer a high-speed Backup & Recovery solution with VM servers in a single portal, exclusively available for HI GIO Gen.2.

    • Allowing tenants to backup & restore single VMs and vApps.

    • Facilitating handy self-service restoration within a single portal using vCloud Director (vCD).

    • Swiftly restore diverse workloads as VMs by instant recovery; aid in migration or quickly recovering with minimal impact; improve RTO and minimize disruption to mere minutes.

    Our current Backup as a Service (BaaS) for Microsoft 365 solution harnesses Veeam’s proficiency and capabilities in backup, recovery, and data management to deliver a simple and complete way to eliminate the risk of losing access and control over your Office 365 data.

    Microsoft 365 (formerly Office 365) provides robust services, but a comprehensive backup of your data is not included in a standard Microsoft 365 license.

    Procedure

    Step 1: Click on “Create Bucket”

    Step 2: Fill in the name of the bucket. Refer to the bucket naming rules at this “Link”

    Step 3: Enable Object Lock (if needed)

    • Object Lock is a feature that allows you to store objects using the write-once, read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed period or indefinitely.

    • Object Lock can only be enabled when creating a new bucket. After selecting “Enable object lock” for a bucket, all files/folders created/uploaded in that bucket will be automatically set to the mode you select in the next step.

    Step 4: Choose "Governance mode", "Compliance mode", or "NONE"

    • Governance mode: Use Governance mode if you want to protect objects from deletion by most users for a pre-set retention period but also want some users with special permissions to have the flexibility to change retention settings or delete objects. Users with the s3:BypassGovernanceRetention permission can override or delete retention settings in governance mode.

    Step 1: Prepare Information

    Log in to IAM portal -> vCD portal: collect the information

    {{vcd_url}}

    {{vm-uuid}}: select the VM -> read the VM UUID from the URL

    {{Bearer Token}}: Please follow the “API token login” document

    Step 2: Getting VM’s Disk information

    • GET https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/disks

    • Authorization: {{Bearer Token}}

    • Headers:

    - ‘Accept’: */*;version=37.2

    - ‘Content-type’: application/vnd.vmware.vcloud.rasdItem+xml

    Step 3: Reconfigure the VM’s disk

    • PUT https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/disks

    • Authorization: {{Bearer Token}}

    • Headers:

    - ‘Accept’: */*;version=37.2

    - ‘Content-type’: application/vnd.vmware.vcloud.rasdItem+xml

    • Body: {{select raw -> copy and paste the response body from Get VM’s disk information}}

    Ex:

    • Find ns10:capacity and edit the value inside the quotation marks; it is the VM’s disk size (MB)

    • SEND request.

    Step 4: Verify

    • Get VM’s disk information

    GET https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/disks

    • Check on vCD portal

    Login IAM -> vCD portal-> select VM-> Hard disk

    Procedure
    1. Prerequisites: a deployed VMware Cloud Director Availability On-premises Appliance

    On-premises VMs must connect to VLAN-backed networks configured on Distributed Switches

    (Standard Switch is NOT supported).

    2. Procedure: To complete the L2 stretch, follow these steps:

    • Prepare the configuration:

    On-premises site: fulfill VLAN, IP address, port groups, and Public IP.

    HI GIO site: Public IP, networks.

    • Deploy NSX Autonomous Edge (on-premises site)

    • Register & configure the Networks of the NSX Autonomous Edge On-Premises

    • Create a L2 VPN - Server session (HI GIO cloud site).

    • Create a L2 VPN - Client session (on-premises site).

    Guidelines

    • Prepare the configuration

    • Deploy NSX Autonomous Edge (on-premises site)

    • Register & configure the Networks of the NSX Autonomous Edge On-Premises

    • Create a L2 VPN server session (HI GIO site).

    Procedure

    Step 1: Log in to the management interface of the VMware Cloud Director Availability On-premises Appliance.

    In a Web browser, go to https://On-Premises-Appliance-IP-address/ui/admin.

    Log in as the root user.

    Step 2: In the left pane, under the System section click L2 Stretch.

    Step 3: On the NSX Autonomous edges page, click New.

    Step 4: In the Register a New NSX Autonomous Edge window, register the new NSX Autonomous Edge with the On-Premises to Cloud Director Replication Appliance.

    • Enter a friendly name for the new NSX Autonomous Edge in the Name text box.

    • From the vCenter Server drop-down menu, select the vCenter Server instance hosting the NSX Autonomous Edge virtual machine.

    Step 5: On the NSX Autonomous edges page, select deployed NSX Autonomous Edge instance & Click EDIT NETWORK

    Select the network adapters of the NSX Autonomous Edge > click Apply.

    Step 6: On the NSX Autonomous edges page, select deployed NSX Autonomous Edge instance > Click Configure the uplink port.

    Enter the settings for the external network port > click Apply.

    Cloud Director Replication Appliance

    Step 3P - Partial failover VMs (VM - APP1) from on-premise site to HI GIO site.

  • Step 3F - Full failover vAPP1 (VM - APP1 & VM - DB1) from on-premise site to HI GIO

  • Step 4: Reverse replication of the VM from HI GIO Cloud to On-Premises

  • Step 5: Migrate the VMs back from HI GIO Cloud to On-Premises

  • Step 6: Reprotect the VMs from On-Premises to HI GIO Cloud

  • NOTEs

  • Failover workflow
    Step 1: Create a protection job (from on-premises site)
    Step 2: Configure the Network Settings for On-Premises to Cloud Replications

    Versioning is enabled for the bucket, but the large number of file versions takes up much storage space.

  • Multipart files are not fully uploaded, and parts of the files are still on the system, leading to a waste of storage space.

  • Managing Lifecycle rules will help you solve the above problems. In a Bucket, you can create multiple Lifecycle rules to apply only to folders or all files and folders, depending on your needs.

    Procedure

    Step 1: Right-click the bucket and choose Lifecycle rules

    Step 2: Click on “New Rule” to create the Rules

    Step 3: Set up the rules you want to apply to your bucket and set the days you need to apply. After choosing the Rules, click “Add New Rule”.

    • Permanently delete file: It will remove all versions of the object from the bucket, including any archived versions, making it unrecoverable once deleted.

    • Permanently deleting previous versions: It will remove older file versions from the bucket, ensuring they cannot be recovered while the current version remains intact.

    Step 4: Click “Save” to apply the Rule to Bucket.

    Virtual Machine disk consolidation is needed.

    Migrating VMs back from HI GIO cloud to on-premises causes the VMs to show the warning “Virtual machine disk consolidation is needed”.

    Solution: consolidate the disks of the VMs

    1. The issue with the Windows server - lost trust relationship after migrating VM to HI GIO cloud or migrating back to on-premises.

    • Solution: Follow this guide to resolve it https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/troubleshoot-broken-secure-channel

    • Tip: You can configure the maximum computer password age using the Domain member: Maximum machine account password age policy under Computer Configuration-> Windows Settings-> Security Settings-> Local Policies-> Security Options. A computer password lifetime may last from 0 to 999 days (30 days by default).

    Editing the properties of a new VM

    Overview

    You can edit the properties of a virtual machine, including the virtual machine name and description, hardware and network settings, guest OS settings, and so on.

    Procedure

    You can review and change a virtual machine's name, description, and other general properties.

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore and from the left panel, select Virtual Machines.

    Step 2: Click card view

    Step 3: In the virtual machine card you want to edit, click Details.

    Step 4: Under General (expanded by default), click Edit to change the listed properties

    View VM

    Overview

    • You can view virtual machines that are standalone or part of a vApp.

    • You can view virtual machines in a grid view or a card view.

    Procedure

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: You can select grid view or card view by selecting:

    Backup Data from Synology NAS with Hyper Backup

    Overview

    Backing up data from NAS to S3 with Hyper Backup provides secure, scheduled backups, versioning, and data compression. It ensures efficient storage use, easy restoration, and long-term data protection in the cloud.

    Procedure

    Step 1: Install Hyper Backup on NAS via Package Center

    Step 2: After installing and opening it, create the “DATA Backup Task” in Hyper Backup

    API reconfigures VM's CPU

    Overview

    In this manual, you will find detailed information on how to prepare information, get the VM’s CPU information, and Reconfigure the VM’s CPU.

    Procedure

    Step 1: Prepare Information

    Login IAM portal -> vCD portal: collect the information

    • {{vcd_url}}

    Veeam Agent Installation for RHEL 9.2

    Overview

    This document is for installing the Veeam Backup Agent Linux on RHEL 9.2

    Procedure

    • OS: RHEL 9.2, running kernel 5.14.0-362.13.1.el9_3.x86_64

    • Veeam repository: veeam-release-el9-1.0.8-1.x86_64.rpm

    • Veeam Agent: veeam-6.0.3.1221-1.el9.x86_64

    • Veeam blksnap module: blksnap-6.0.3.1221-1

    Step 1: Download Veeam repository:

    The Veeam repository for Linux can be found at . On this page select "veeam-release-el9-1.0.8-1.x86_64.rpm", “blksnap-6.0.3.1221-1.noarch.rpm”, “veeam-6.0.3.1221-1.el9.x86_64.rpm“.

    Step 2: Install Veeam and dependencies:

    • This will download an RPM file. You will likely be unable to download this directly from this page to your Linux machine, as your server will likely not have a GUI or web browser. To get around this, it is best to download the RPM to your workstation and then use WinSCP or MobaXterm to copy the RPM file to your server via SSH.

    • Once the RPM is on your server, install it and its dependencies:

    Create backup job for Linux via Portal

    Overview

    This is a document on creating a backup job for Linux on Portal.

    Procedure

    Step 1: Access and login to BaaS portal:

    • HCM:

    • HN:

    Step 2: Create a Backup Job

    Choose Managed Computers → Choose the Backup Agents tab → Tick the computer you want to create a job for → Choose Assign…

    You can choose a job that was already created from the Service Provider template, or you can create a new one by choosing Create New.

    Input the Name and description (Optional), then click Next

    Choose

    Step 3F - Full failover vAPP1 (VM - APP1 & VM - DB1) from on-premise site to HI GIO

    Overview

    If the protected site (on-premises) is unavailable, you can perform a workload disaster recovery operation (full failover) in the HI GIO cloud.

    Procedure

    Step 1: Log on to the HI GIO portal.

    Step 2: Expand More > Click on Availability ()

    Step 3:


    Validate - vAPP1 (VM APP1 & DB1)

    In this scenario, the on-premises site has issues (network, hardware host, storage…) that make it unavailable.

    Procedure

    Step 1: Log on to the HI GIO portal: select vAPP1 > Virtual machines.

    Step 2: Confirm that 02 VMs, APP1 & DB1, were migrated to HI GIO and are running.

    Step 1: Create a protection job (from on-premises site)

    Procedure

    Step 1: Log in to vCenter, Expand Menu > Click on Cloud Provider DR and Migration

    Step 2: Click on Outgoing Replications > New Protection

    Step 3: Enter the credentials of the Organization > LOGIN

    Step 4: In the Source VMs window:

    - Enable Group VMs to a single vApp.

    - Select APP1 & DB1.

    - Click NEXT

    Step 5: On vApp Settings

    - Enter vApp name: vAPP1

    - Set: start wait time

    - Click NEXT

    Step 6: Select destination VDC & storage policy > NEXT

    Step 7: Select SLA profile > NEXT

    Step 8: Review > FINISH

    Step 9: Expected result

    • Confirm the Replication is started. You can monitor the % progress here

    • Replication state completed. Confirm that:

    - Replication state = healthy,

    NETWORK

    Information

    This short manual guide is crafted to help HI GIO users navigate our network offerings, providing you with the knowledge and tools necessary to optimize your network infrastructure. In this guide, you will find step-by-step instructions for configuring and managing your network services, best practices for maintaining optimal performance, and tips for troubleshooting common issues.

    Overview

    We provide HI GIO Network & Security for all enterprises’ networks that need to address their particular protection and compliance requirements by fine-grained protections at host, network, and application levels such as Distributed Firewall, Edge Firewall, Web Application Firewall (WAF), Third Party Firewall (Checkpoint, Fortigate), Zero Trust Network Access (ZTNA).

    Guideline

    Update Veeam Service Provider Console Management Agent v.9 & Backup Agent v.6.3

    Overview

    This is a document on how to:

    • Update Veeam Service Provider Console Management Agent for Linux from v.8.1 to v9 and Veeam Backup Agent for Linux from v.6 to v.6.3

    • Update Veeam Service Provider Console Management Agent for Windows from v.8.1 to v9 and Veeam Backup Agent for Windows from v.6 to v.6.3

    Procedure

    Update Veeam Service Provider Console Management Agent for Windows from v.8.1 to v.9 & Veeam Backup Agent for Windows from v.6 to v.6.3

    Step 1: Update Veeam MGMT Agent for Windows

    • Management Agent for Windows will auto-update to the v9 – If not, we can do it in UI

    • Login to the Web UI > Managed Computers > Discovered Computers


    Update Veeam Service Provider Console Management Agent for Linux from v.8.1 to v.9 and Veeam Backup Agent for Linux from v.6 to v.6.3

    Step 1: Update Veeam MGMT Agent for Linux

    • Management Agent for Windows will auto-update to the v9 – If not, we can do it in UI

    • Login to the Web UI > Managed Computers > Discovered Computers

    Connect HI GIO S3 with Veeam Backup

    Overview

    Integrating S3 with Veeam Backup allows seamless data backup and recovery in S3 buckets, ensuring data protection, compliance, and efficient cloud storage management.

    Procedure

    Step 1: Log in to HI GIO S3 Portal & Choose the “Security” tab and get the S3 Key

    Step 2: Enter the “Pin code” you created at the beginning ““ to get the S3 Key

    Step 6: Reprotect the VMs from On-Premises to HI GIO Cloud

    Overview

    After migrating over the workload to On-Premises, we can reverse the replication and reprotect it back to the HI GIO Cloud site.

    Once reprotect is successful, this will show as outgoing replication from On-Premises to the Cloud.

    Procedure

    Step 1: Log on to the HI GIO portal.

    Step 2: Expand More > Click on Availability ()

    Step 3: Click on Outgoing Replications > Check the checkbox for vAPP1 > Expand ALL ACTIONS

    Install VMware Tools in a Virtual Machine

    Overview

    VMware Tools improves the management and performance of the virtual machine by replacing generic operating system drivers with VMware drivers tuned for virtual hardware such as storage, network, and display. You install VMware Tools into the guest operating system. Although the guest operating system can run without VMware Tools, you lose important features and convenience.

    TIP: All VM templates provided by HI GIO have VMware Tools updated for the best compatibility.

    Procedure

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: Click Card View

    API reconfigures VM's Memory

    Overview

    In this manual, you will find detailed information on how to prepare information, get the VM’s memory information, and reconfigure the VM’s memory.

    Procedure

    Step 1: Prepare Information

    * Login IAM portal -> vCD portal: collect the information

    • {{vcd_url}}

    Create a L2 VPN - Client session (on-premises site)

    Overview

    After configuring the networks of the NSX Autonomous Edge, use the On-Premises to Cloud Director Replication Appliance to create the client side of the L2 VPN session, stretching one or more networks across the cloud site.

    Procedure

    Step 1: Log in to the management interface of the VMware Cloud Director Availability On-premises Appliance.

    In a Web browser, go to .

    Log in as the root user.

    Step 2: In the left pane, under the System section, click L2 Stretch.

    3. HI GIO Auto Scale

    Overview

    This document explains how to use the Auto Scale function on HI GIO CLOUD.

    Procedure

    API reconfigures VM's Networks

    Overview

    In this manual, you will find detailed information on how to prepare information, get VM’s network information, and reconfigure VM’s networks.

    Procedure

    1. HI GIO BaaS

    Overview

    Online backup service, also known as cloud backup or backup as a service (BaaS), is a method of offsite data storage in which a service vendor regularly backs up files, folders, or the entire contents of a hard drive to a remote secure cloud-based data repository over a network connection.

    2. HI GIO Backup

    Overview

    We offer a high-speed Backup & Recovery solution with VM servers in a single portal, exclusively available for HI GIO Gen.2. This document explains how to:

    Install Veeam Agent for Windows

    Overview

    This is a document on how to install Veeam Agent for Windows.

    Procedure - Install Veeam Agent for Windows

    Restore Windows VM on HI GIO Cloud via Media file (ISO file)

    Overview

    This document explains how to restore a Windows VM.

    Procedure

    Create backup job for Windows via Portal

    Overview

    This is a document on creating a backup job for Windows on Portal.

    Procedure

    Create backup job on Windows OS via Veeam agent console

    Overview

    This is a document on how to create a backup job on Windows.

    Procedure

    S3 Data Encryption – SSE-C and SSE-S3

    Overview

    • With increasing security threats and stricter legal requirements, it is essential to consistently implement strong measures to secure data, not only in transit but also at rest.

    IPSec Remote Access VPN Clients on Windows

    Overview

    This configuration guide describes how to configure an IPsec IKEv2 Remote Access VPN with the Windows client on Windows OS to establish VPN connections. After that, the customer can access virtual machines and applications located on the HI GIO Cloud more securely and reliably.

    Protecting data stored on physical devices or in the cloud is crucial to any organization's IT security strategy. In this context, there are two main approaches to encrypting this data: client-side encryption (CSE) and server-side encryption (SSE).

    • Client-side encryption (CSE)

    Allows customers to encrypt their data on their devices before sending it to the Fstorage server for storage. This ensures that the data remains encrypted throughout its entire lifecycle, providing a high level of security because the customer manages the encryption keys, which are never shared with Fstorage or any third parties. This approach requires customers to manage their keys carefully, but it is an ideal solution for those needing complete data security control.

    • Server-side encryption (SSE)

    Provides an alternative solution where data is encrypted when it reaches the Fstorage server. This is Fstorage’s responsibility, significantly reducing the security management burden on customers. There are two methods of server-side encryption:

    • SSE-C - Server-Side Encryption with Customer Keys: Customers can provide and manage their own encryption keys, giving them full control over data security. This option is particularly suitable for organizations with specific compliance and data security needs, as it allows exclusive management of encryption keys.

    • SSE-S3 - Server-Side Encryption with HI GIO S3 Cloud-Managed Keys (in development): This simplifies the encryption process by using keys managed by Fstorage. This method is ideal for customers who want a robust encryption solution without the complexities of key management. It integrates the use of KMS (Key Management Service).

    HI GIO S3 Storage does not store your keys. If the key is lost, all data will be lost, and there is no way to recover it.

    Procedure

    Using server-side encryption (SSE) with customer-provided encryption keys (SSE-C - Server-Side Encryption with Customer Keys) allows you to specify your encryption keys.

    • When you download an object, HI GIO S3 Storage uses the encryption key provided by the customer to apply AES-256 encryption to the data.

    • While checking an Object, the client must provide the same encryption key as part of its request. HI GIO S3 first checks that the client’s encryption key matches, then decrypts the Object before returning the data to you.

    When using SSE-C, you must provide encryption key information using the following request headers:

    | Name | Description |
    | --- | --- |
    | --sse-customer-algorithm | Use this header to specify the encryption algorithm. The header value must be AES256. |
    | --sse-customer-key | Use this header to provide a 256-bit, base64-encoded encryption key for HI GIO S3 to encrypt and decrypt data. |
    | --sse-customer-key-md5 | (Optional) Use this header to provide a base64-encoded 128-bit MD5 digest of the encryption key per RFC 1321. S3 uses this header to check the integrity of the message to ensure that the encryption key was transmitted without error. |
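The three SSE-C values listed above can be built and checked locally before any request is sent, which catches the usual mistakes (a hex-encoded key, a key of the wrong length, a digest that belongs to another key). This is an added example, not HI GIO's code or part of the original guide; the function names and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import secrets

ALGORITHM = "AES256"  # the only value the guide allows for the algorithm
KEY_LEN = 32          # 256-bit key

# Constructed sample key for demonstration only; never use it for real data.
SAMPLE_KEY = bytes(range(32))


def new_key() -> bytes:
    """Generate a fresh 256-bit key from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def sse_c_values(raw_key: bytes) -> dict:
    """Build the three SSE-C values, keyed by the names used in the guide."""
    if len(raw_key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes, got {len(raw_key)}")
    # MD5 is used here only as a transmission checksum over the raw key bytes.
    digest = hashlib.md5(raw_key, usedforsecurity=False).digest()
    return {
        "--sse-customer-algorithm": ALGORITHM,
        "--sse-customer-key": base64.b64encode(raw_key).decode("ascii"),
        "--sse-customer-key-md5": base64.b64encode(digest).decode("ascii"),
    }


def check_sse_c_values(values: dict) -> list:
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if values.get("--sse-customer-algorithm") != ALGORITHM:
        problems.append("algorithm must be AES256")

    raw_key = None
    try:
        raw_key = base64.b64decode(values.get("--sse-customer-key", ""), validate=True)
    except (ValueError, TypeError):
        problems.append("key is not valid base64")
    if raw_key is not None and len(raw_key) != KEY_LEN:
        problems.append(f"key decodes to {len(raw_key)} bytes, expected {KEY_LEN}")
        raw_key = None

    # The digest is optional; when present it must be the MD5 of the raw key bytes.
    md5_b64 = values.get("--sse-customer-key-md5")
    if md5_b64 is not None and raw_key is not None:
        try:
            sent = base64.b64decode(md5_b64, validate=True)
        except (ValueError, TypeError):
            problems.append("key MD5 is not valid base64")
        else:
            expected = hashlib.md5(raw_key, usedforsecurity=False).digest()
            if sent != expected:
                problems.append("key MD5 does not match the key")
    return problems


if __name__ == "__main__":
    values = sse_c_values(SAMPLE_KEY)
    for name, value in values.items():
        print(name, value)
    print("problems:", check_sse_c_values(values))
```

Because HI GIO S3 Storage does not keep the key, store the raw key in your own secrets store before the first object is written with it.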

    Create a L2 VPN - Client session (on-premises site).
    (Optional) Deploy the secondary NSX Autonomous Edge in HA mode (on-premises site)
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RasdItemsList xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
    …………………………………………….
    ………………………………………
            <rasd:HostResource xmlns:ns10="http://www.vmware.com/vcloud/v1.5" ns10:storageProfileHref="https://iaas-hcmc02.higiocloud.vn/api/vdcStorageProfile/a7c6c2f7-3c2211e6e7b0" ns10:busType="6" ns10:busSubType="VirtualSCSI" ns10:capacity="15240" ns10:iops="4000" ns10:storageProfileOverrideVmDefault="false"></rasd:HostResource>
            <rasd:InstanceID>2000</rasd:InstanceID>
            <rasd:Limit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
            <rasd:MappingBehavior xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
            <rasd:OtherResourceType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
            <rasd:Parent>2</rasd:Parent>
        </Item>
    </RasdItemsList>
    
    Step 3: In the card of the virtual machine that you want to start, click ACTIONS > Power > Suspend.

    The virtual machine is suspended, but its state is preserved.

    Attention: From the VM Suspended state, just power on if you need the VM to run with the current memory.


    Step 5: Click ADD

    On Configure Resource:

    Enter & validate the information: Name, Computer Name, Target VM storage Policy, Network, IP Mode for Virtual Machine, then click Next

    Step 6: Validate and click Done

    Step 5
    Verify the connection to HI GIO S3 Storage by performing operations such as listing buckets and listing objects.
  • "Listing the bucket information"

    • "Listing objects inside the bucket"

    After installing WinFSP app, run the command below to mount Bucket

    • Verify if the mount was successful.

    Save the file, then reboot the Server to test.


    Authorization: No Auth
    • Headers:

    - 'Accept: application/json'

    - 'Content-Type: application/x-www-form-urlencoded'

    • Body:

    raw: 'grant_type=refresh_token&refresh_token={{api-token-generated}}'

    • SEND request.

    Response body: "access_token" (Bearer token)

    - ‘Accept’: */*;version=37.2
    • SEND request.

    Check the VM status on line 3 of the Response Body. If it contains Link rel="power:powerOff", the VM is powered on; otherwise, the VM is powered off.

    - ‘Accept’: */*;version=37.2
    • SEND request.

    Check on vCD portal

    Login IAM -> vCD portal-> select VM

    Compliance mode: Use Compliance mode if you have compliance data retention requirements. You should only use Compliance mode if you do not want any users to be able to delete objects within the preset retention period.
    • After choosing 1 of 2 modes to lock the object, you have to choose the desired number of days in the "Retention period" section. Retention period: 90 days means that the Bucket and the objects in that Bucket are locked in the mode you choose for 90 days from the date the Bucket was created.

    • Retention period: Specify a fixed period of time during which the object is locked. During this period, your object is protected by WORM and cannot be overwritten or deleted. You can apply a retention period in days with a minimum of 1 day and no maximum.

    NONE mode: Use Veeam Backup mode to protect the backup file “immutable mode of Veeam”.

    Under NSX Autonomous Edge VMs, select the virtual machine of the newly deployed NSX Autonomous Edge.
  • In the Management Address text box, enter the URL for the NSX Autonomous Edge management.

  • In the User name and Password text boxes, enter the admin user credentials for the NSX Autonomous Edge management.

  • (Optional) In the Description text box, enter a description for this NSX Autonomous Edge.

    To register the NSX Autonomous Edge for management, click REGISTER.

    NSX Autonomous Edge will show up once completed.

    After xx days you set, S3 will delete all files created 60 days ago. It does not take into account the frequency of usage for these files.
    Step 5: Click Save once you complete making your changes.

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: Click card view

    Step 3: In the card of the virtual machine that you want to edit, click Details.

    Step 4: To view the available removable media, such as attached CD/DVD and floppy drives, under Hardware, select the Removable Media tab.

    Step 5: To edit the hard disk settings or add hard disks, select Hard Disks and click Edit. Click Save once done

    Attention: You can increase the size of an existing hard disk if the virtual machine is not a linked clone and has no snapshots.

    Step 6: To edit the computing settings, select Compute > Edit the relevant section.

    Attention: vSphere restriction

    1. VMware has set a maximum value for hot-add memory. By default, this value is 16 times the memory assigned to the virtual machine.

    2. If you are running a VM with a Linux OS that has less than 3 GB RAM, you can change the memory to only 3 GB RAM in total. If you need more, you must power off the VM, increase the memory to, for example, 4 GB RAM, and power it on again.

    Step 7: To edit the NICs settings or add NICs, click NICs > Edit. Save once Done.

    To view the virtual machines in a grid view, click
  • To view the virtual machines in a card view, click

  • The list of virtual machines is displayed in a grid view or as a list of card views.

    View VM in grid view:

    3

    Step 2.1: From the grid view, click the three vertical dots on the left of a virtual machine to display the actions you can take for the selected virtual machine.

    4

    Step 2.2: To access the console for the guest operating system of the virtual machine, click on VM Console.

    5

    Step 2.3: To view and edit the details for a virtual machine, click the VM’s name.

    6

    Step 2.4: From the grid view, click the three vertical dots on the left of a virtual machine to display the actions you can take for the selected virtual machine.

    7

    Step 2.5: To access the console for the guest operating system of the virtual machine, click on VM Console.

    8

    Step 2.6: To view and edit the details for a virtual machine, click the VM’s name.

    View VM in Card view:

    9

    Step 3.1: From the card view, click Actions to display the actions available for the selected virtual machine.

    10

    Step 3.2: To access the console for the guest operating system of the virtual machine, click on VM Console.

    11

    Step 3.3: To view and edit the details for a virtual machine, click Details.

    Step 3: Choose “S3 Storage”
    4

    Step 4: Fill in the information from HI GIO S3 Portal

    • S3 Server: Choose Custom Server URL

    • Server Address, Access Key, Secret Key: get them from “HERE”

    5

    Step 5: Choose the folder that needs to be backed up, then click Next

    6

    Step 6: Choose the applications on the NAS that need to be backed up

    7

    Step 7: Pick the time to run the backup task

    8

    Step 8: Complete the backup task setup

    • {{vm-uuid}}: select the VM and read its UUID from the URL

    • {{Bearer Token}}: Please follow the “Api token login” document

    2

    Step 2: Get VM’s CPU information

    • GET https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/cpu

    • Authorization: {{Bearer Token }}

    • Headers:

    - ‘Accept’: */*;version=37.2

    - ‘Content-type’: application/vnd.vmware.vcloud.rasdItem+xml

    • SEND request.

    Copy Response Body

    3

    Step 3: Reconfigure VM’s CPU

    Postman:

    • PUT https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/cpu

    • Authorization: {{Bearer Token }}

    • Headers:

    - ‘Accept’: */*;version=37.2

    - ‘Content-type’: application/vnd.vmware.vcloud.rasdItem+xml

    Body: {{select raw -> copy and paste response body from Get VM’s CPU information }}

    Ex:

    ==============================================================================

    Find the line “<rasd:VirtualQuantity>8</rasd:VirtualQuantity>” and edit the number; it is the number of CPUs.

    • SEND request.

    4

    Step 4: Verify

    • Get VM’s CPU information

    GET https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/cpu

    • Check on vCD portal

    Login IAM -> vCD portal-> select VM-> Compute

    The modules bdevfilter and blksnap will be created in /lib/modules/$(uname -r)/extra

    We can confirm that this module has not loaded by running lsmod, and grepping for blksnap. We will see that grep returns no output.

    Step 3: Insert modules bdevfilter and blksnap:

    We need to load the module into the currently running kernel using insmod:

    At this point, our agent-based backups will run fine; however, the loaded modules will not persist if we reboot. We must create the files /etc/modules-load.d/bdevfilter.conf and /etc/modules-load.d/blksnap.conf, and make sure that each contains the name of its kernel module. We will also need to run depmod to add the loaded kernel modules to the kernel module dependencies list.

    Once we reboot the RHEL server, the bdevfilter and blksnap modules will automatically be loaded as kernel modules.

    And our agent-based backups will now work correctly.

    Index of /backup/linux/agent/rpm/el/9/x86_64/
    Server, then Next

    Choose the Backup Mode that you want, then Next

    Choose the Veeam Cloud Connect repository, then Next

    Set the Restore points you want to keep and choose Advanced Settings… for more options.

    Advanced Option:

    After finishing Apply then, choose Next to continue.

    Choose Use sub-tenant accounts for each managed backup agent with the following quota and set the quota for this backup job, or you can set it Unlimited.

    Enable application-aware processing or script execution or file system indexing if you want to back up. Next.

    Schedule the backup job, then Next.

    Review the backup job configuration and then choose Finish.

    Tick the job that you want to run, then choose Assign.

    Choose the policy from the Backup Policy column to check the progress of the backup job creation.

    The backup job has been created and completed.

    https://portal-hcmc-backup.higio.net
    https://portal-hni-backup.higio.net
    Click on Incoming Replications > Check the checkbox for VM APP1 > Expand ALL ACTIONS > Click on Failover

    4

    Step 4: Configure Recovery Settings for Failover

    - Instances handling after recovery: Default.

    - Power Settings: Power on recovered vApps.

    - Network Settings: Apply preconfigured network settings on migrating.

    Click NEXT

    5

    Step 5: Configure Recovery Instance for Failover

    Click SELECT LATEST FOR EVERY VM > NEXT

    6

    Step 6: Review and FINISH

    7

    Step 7: Expected result:

    1. Failover in Progress: In the Detailed Status, you will notice Failover in Progress with % progress.

    2. Failover successful: This process will take a couple of minutes. Please be patient.

    After the failover task finishes, the failed over workload runs in the HI GIO cloud.

    Confirm that all VMs in vAPP1:

    - Recovery State = Failed-Over.

    - Replication Type = On-Premise Protection

    - Overall health = Green

    Step 3: Change the default gateway for APP1 & DB1 (the on-prem network has a problem)

    Log on to APP1 & DB1 as the local admin > change the default gateway and validate that APP1 & DB1 are reachable.

    4

    Step 4: Point domain name to APP1 (public DNS record if needed).

    5

    Step 5: Access to APP1 via the internet (in my case, I used a public IP).

    - Overall health = Green.
    • Confirm the Replication Status from HI GIO Cloud:

    Log in to HI GIO Availability > Incoming Replications, select INSTANCES.

    Confirm the vAPP1:

    - Replication state = Healthy

    - Overall Health = Green

    Using Distributed Firewall in a Data Center Group

  • 2. VPN

    • IPSec parameters

    • IPSec VPN

    • IPSec Remote Access VPN Clients on Windows

  • 3. Load Balancer

    • IMPORT SSL CERTIFICATE

    • CREATE POOLS ON LOAD BALANCING

    • CREATE VIRTUAL SERVICE (VS) ON LOAD BALANCING

  • 1. Working with Network
    Working with Organization VDC Networks
    How to create NAT rules on Edge Gateway
    Using Edge Gateway Firewall

    Choose Server Windows > Management Agent > Upgrade

    2

    Step 2: Update Backup Agent for Windows

    • Select Managed Computers > Backup Agents

    • Choose Server Windows > Backup Agent > Upgrade

    • Wait for Deployment Progress

    Backup Agent updated successfully:

    Choose Server Windows > Management Agent > Upgrade

    Wait for Deployment Progress

    2

    Step 2: Update Backup Agent for Linux

    • Select Managed Computers > Backup Agents

    • Choose Server Linux > Backup Agent > Upgrade.

    • Wait for Deployment Progress

    • Backup Agent updated successfully:

    Step 3: Save the Key information to add the HI GIO S3 to Veeam

    4

    Step 4: Open the Veeam Backup & Replication Console on your Server

    • Then choose Backup Infrastructure, then choose Backup Repositories, Right Click and choose Add Backup Repository

    5

    Step 5: Choose Object Storage

    6

    Step 6: Choose S3 Compatible

    7

    Step 7: Fill in the “Name” for the Repository

    8

    Step 8: Fill in the “Service Point” information you got in Step 3, then click “Add” to add the Credential.

    9

    Step 9: Click “Browse” to choose the Bucket

    10

    Step 10: Click “Browse” at “Folder” to choose the folder in the Bucket

    11

    Step 11: Click “Next” and “Apply” until completed

    12

    Step 12: Create a new backup job and choose HI GIO S3 Storage as the Backup Repository

    • If you want to achieve immutability with S3 repositories, please enable Object Lock and Versioning on the S3 portal to secure your data. LINK

    • Using S3 repositories still has some limitations. Please refer to this LINK.


    4

    Step 4: Click on Reverse

    5

    Step 5: Click on REVERSE

    6

    Step 6: Expected result:

    1. The reverse from On-Premises to HI GIO Cloud is in progress.

    2. Reverse from On-Premises to Cloud completed successfully. Outgoing Replications is empty now.

    3. Since the replication is configured from On-Premises to Cloud, we will view Incoming Replications.

    Select Incoming Replications. Here, you will notice VM APP1-xxxx is replicated back from On-Premises to Cloud, and the Replication type is On-Premise Protection.

    4. Verify replication status from the On-Premises site

    Expand Menu > Click on Cloud Provider DR and Migration.

    Click on Outgoing Replications.

    Confirm VM APP1-xxxx & DB1-xxxx is replicated back from On-Premises to Cloud and Replication type is Protection.

    Step 3: On the card of the virtual machine that you want to start, click ACTIONS > Install VMware Tools.

    Click Install in a Pop-up prompt.

    4

    Step 4: Log in to the operating system and follow the wizard to install the tools with OS types: https://kb.vmware.com/s/article/1014294.

    - {{vm-uuid}}: select the VM and read its UUID from the URL

    - {{Bearer Token}}: Please follow the “Api token login” document

    2

    Step 2: Get VM’s memory information

    • GET https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/memory

    • Authorization: {{Bearer Token}}

    • Headers:

    - ‘Accept’: */*;version=37.2

    - ‘Content-type’: application/vnd.vmware.vcloud.rasdItem+xml

    • SEND request.

    Copy Response Body

    3

    Step 3: Reconfigure VM’s memory

    • PUT https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/memory

    • Authorization: {{Bearer Token }}

    • Headers:

    - ‘Accept’: */*;version=37.2

    - ‘Content-type’: application/vnd.vmware.vcloud.rasdItem+xml

    Body: {{select raw -> copy and paste response body from Get VM’s memory information }}

    Ex:

    ==============================================================================

    Find the line “<rasd:VirtualQuantity>2048</rasd:VirtualQuantity>” and edit the value; it is the VM’s memory (MB). Please note that the value must be a multiple of 4 MB.

    • SEND request.

    4

    Step 4: Verify

    • Get VM’s memory information

    GET https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/memory

    • Check on vCD portal

    Login IAM -> vCD portal-> select VM-> Compute
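Steps 2 and 3 of the CPU and memory procedures (copy the GET body, change the one VirtualQuantity line, PUT it back) can be scripted so that the body is validated and nothing else in it changes. This is an added example, not HI GIO's code; the function names, the host vcd.example.invalid and both sample bodies are constructed assumptions, and nothing is sent over the network.

```python
import re
import xml.etree.ElementTree as ET

API_VERSION = "37.2"  # from the Accept header used in the guide
RASD_TYPE = "application/vnd.vmware.vcloud.rasdItem+xml"
MEMORY_STEP_MB = 4    # guide: the memory value must be a multiple of 4 MB

# Matches the single line the guide says to edit, with any namespace prefix.
_VQ = re.compile(
    r"(<(?:[\w.-]+:)?VirtualQuantity>)\s*\d+\s*(</(?:[\w.-]+:)?VirtualQuantity>)")

_RASD_NS = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"

# Constructed sample bodies (not captured from a real tenant).
SAMPLE_MEMORY = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Item xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:rasd="{_RASD_NS}">
    <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
    <rasd:ElementName>2048 MB of memory</rasd:ElementName>
    <rasd:InstanceID>5</rasd:InstanceID>
    <rasd:ResourceType>4</rasd:ResourceType>
    <rasd:VirtualQuantity>2048</rasd:VirtualQuantity>
</Item>
"""
SAMPLE_CPU = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Item xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:rasd="{_RASD_NS}">
    <rasd:ElementName>8 virtual CPU(s)</rasd:ElementName>
    <rasd:InstanceID>4</rasd:InstanceID>
    <rasd:ResourceType>3</rasd:ResourceType>
    <rasd:VirtualQuantity>8</rasd:VirtualQuantity>
</Item>
"""


def current_quantity(rasd_xml: str) -> int:
    """Parse the item and return the value of its one VirtualQuantity element."""
    if "<!DOCTYPE" in rasd_xml or "<!ENTITY" in rasd_xml:
        raise ValueError("DTD or entity declarations are not expected in a RASD item")
    root = ET.fromstring(rasd_xml)
    found = [el for el in root.iter()
             if el.tag.rsplit("}", 1)[-1] == "VirtualQuantity"]
    if len(found) != 1:
        raise ValueError(f"expected one VirtualQuantity element, found {len(found)}")
    return int((found[0].text or "").strip())


def set_quantity(rasd_xml: str, new_value: int, kind: str) -> str:
    """Return the body with only the VirtualQuantity value changed."""
    if kind not in ("cpu", "memory"):
        raise ValueError("kind must be 'cpu' or 'memory'")
    if type(new_value) is not int or new_value < 1:
        raise ValueError("quantity must be a positive integer")
    if kind == "memory" and new_value % MEMORY_STEP_MB:
        raise ValueError(f"memory must be a multiple of {MEMORY_STEP_MB} MB")
    current_quantity(rasd_xml)  # refuses malformed or unexpected bodies
    # Text-level edit: every other byte of the GET response stays as received.
    updated, count = _VQ.subn(
        lambda m: f"{m.group(1)}{new_value}{m.group(2)}", rasd_xml)
    if count != 1 or current_quantity(updated) != new_value:
        raise ValueError("could not locate the VirtualQuantity line to edit")
    return updated


def build_put(vcd_url: str, vm_uuid: str, kind: str, bearer_token: str, body: str) -> dict:
    """Describe the PUT request from Step 3 without sending it."""
    # Conservative character sets (an assumption) keep the values inside one URL path.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", vcd_url):
        raise ValueError("vcd_url must be a bare host name")
    if not re.fullmatch(r"[A-Za-z0-9:-]+", vm_uuid):
        raise ValueError("unexpected characters in vm_uuid")
    if kind not in ("cpu", "memory"):
        raise ValueError("kind must be 'cpu' or 'memory'")
    return {
        "method": "PUT",
        "url": f"https://{vcd_url}/api/vApp/{vm_uuid}/virtualHardwareSection/{kind}",
        "headers": {
            "Accept": f"*/*;version={API_VERSION}",
            "Content-Type": RASD_TYPE,
            "Authorization": f"Bearer {bearer_token}",
        },
        "body": body,
    }


if __name__ == "__main__":
    new_body = set_quantity(SAMPLE_MEMORY, 4096, "memory")
    request = build_put("vcd.example.invalid",
                        "vm-00000000-0000-0000-0000-000000000000",
                        "memory", "<token>", new_body)
    print(request["method"], request["url"])
```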

    Step 3: On the NSX Autonomous edges page, click L2 VPN Sessions > NEW

    4

    Step 4: If your user session is not currently extended to the cloud site, enter credentials to authenticate to the cloud site.

    5

    Step 5: Select the cloud site virtual data center and the edge gateway on the VDC and edge Gateway page.

    6

    Step 6: On the Settings and networks page, configure the L2 VPN and click Next.

    • In the Name text box, enter a name for this client L2 VPN session.

    • From the Server session drop-down menu, select the cloud side L2 VPN server session.

    • In the Local Address text box, enter the on-premises IP address at the client side of the L2 VPN session. The local IP address must be the same as the uplink port IP address of the NSX Autonomous Edge hosting the client L2 VPN session.

    • In the Remote Address text box, enter the HI GIO public IP address at the server side of the L2 VPN session.

    • Under the Client Network column, to create an L2 stretch across the networks select an on-premises VLAN network.

    7

    Step 7: On the Ready To Complete page, review and click FINISH.

    >>> The client L2 VPN session on-premises is created and the L2 stretch across the cloud site is complete.

    *** Test Connectivity

    Ping to Gateway (on-prem) from HI GIO.

    Ping to HI GIO’s VM (same VLAN or different VLAN) from on-prem.

    https://On-Premises-Appliance-IP-address/ui/admin
  • The network has IP addresses on a static IP Pool (used for applications without HI GIO Load Balancing).

  • Load Balancer Pool and Virtual Service (used for applications with HI GIO Load Balancing).

  • The vApp template of the VM needs to be scaled.

  • Step 1: Log in to HI GIO Portal > Applications > Scale Groups > NEW SCALE GROUP

    Step 2: In the General Settings:

    • Pick an owner of the Scale Group.

    • Pick an Organisation VDC.

    • Enter Group Name.

    • Number of Min VMs.

    • Number of Max VMs.

    Step 3: In the Application Settings:

    • Select the vApp template of the previously prepared application.

    • Pick a Storage Policy.

      Step 4: Select a network for the scale group in the Network Settings section.

      • If you want to manage the load balancer on your own or if there is no need for a load balancer, select

    Step 1: Select Scale Group > Rules > ADD RULE.

    Step 2: In the General tab:

    • Name: enter rule name.

    • Number of VMs: The number of VMs will scale.

    Reference document

    Auto Scale Groups

    1

    Step 1: Prepare Information

    Login IAM portal -> vCD portal: collect the information

    {{vcd_url}}

    {{vm-uuid}}: select the VM and read its UUID from the URL

    {{network_name}}: Select Networking -> Networks -> Copy the Network name

    {{Bearer Token}}: Please follow the “API token login” document

    2

    Step 2: Get VM’s network information

    • GET https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/networkCards

    • Authorization: {{Bearer Token}}

    • Headers:

    3

    Step 3: Reconfigure VM’s networks

    • PUT https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/networkCards

    4

    Step 4: Verify

    • Get VM’s network information.

    GET https://{{vcd_url}}/api/vApp/{{vm-uuid}}/virtualHardwareSection/networkCards

    • Portal:

    HCM site: https://portal-hcmc-backup.higio.net/

    HN site: https://portal-hni-backup.higio.net/

    • Cloud Gateway:

    HCM site: backup-hcmc.higio.net (IP address 118.68.171.248 and 118.68.171.233)

    HN site: backup-hni.higio.net (IP address 1.55.215.248 and 1.55.215.250)

    Procedure

    1

    Step 1: Check and prepare your machine to match the requirements from BaaS Support Matrix:

    2

    Step 2: Open firewall outbound to Cloud Gateway IP with ports 6180 and 53:

    3

    Step 3: Access the BaaS portal, then download and install the Agent for your OS type:

    For Server.

    For Server.

    • Manage backup (After installation is completed, you can manage the backup job and machine via the BaaS portal or via the Veeam agent console).

      • Create a backup job:

        • Via agent console:

    Please refer to the HI GIO BaaS guide in the list below.

    • How to access to Veeam Backup

    • How to create Backup Jobs

    • How to perform Backup

    • How to perform Restore

    Procedure

    Step 1: From the main menu vCD Portal, select More -> Data Protection with Veeam

    Step 2: The Dashboard will display statistics:

    • Number of VMs backed up

    • Number of backup jobs configured

    • Total storage quota

    • Used storage size

    • Status of backup jobs

    • Average data transfer speed

    Step 1: Select the tab Jobs

    Step 2: Select Create

    Step 3: Open the Backup Job window

    Step 4: Input the backup job name in the box Job name

    Step 5: Input a description of the backup job in the box Description (or keep default)

    Step 6: Select the number of Restore points to keep

    After each successful backup, the system creates a version of the data during that backup, called a restore point.

    Step 1: After creating the Backup Jobs, the created backup jobs will display in the tab Jobs.

    Step 2: To execute the backup job, select the backup job and select Start

    Here, the customer can also select Stop to stop the backup job

    Step 1: Select tab VMs

    The list of VMs that have been successfully backed up and the number of restore points corresponding to each VM will be displayed here.

    Step 2: Select the VM that needs to be restored, then select Restore VM Overwrite

    • Overwrite: Backup data will be restored overwriting the current VM

    • Keep: Backup data will be restored as a new VM

    1

    Step 1: Download Veeam Service Provider Console Management Agent

    • Login to the Web UI with the customer user

    • Select Managed Computers > Discovered Computers

    • Choose Download Agent > Windows

    2

    Step 2: Install Windows Management Agent

    • Copy the agent installation file to the machine where you want to install the agent.

    • Make sure that you have permission to execute the installation file.

    • Install the Management Agent

    3

    Step 3: Install Veeam Backup Agent Windows

    • Login to the Web UI > Managed Computers > Discovered Computers

    • Choose the Windows Server > Install Backup Agent

    4

    Step 4: Check the result via portal and OS:

    1

    Step 1: Insert Veeam Recovery Media for Windows to VM

    From the VM, choose ALL ACTIONS > Media > Insert Media

    Choose Veeam Recovery Media (according to your OS) > Insert

    Then POWER ON VM and wait for Veeam Recovery Media to boot

    2

    Step 2: Restore from a restore point

    When the boot is completed, choose Bare Metal Recovery

    Choose Network storage

    Remember to configure IP for the connection to Cloud Gateway via Configure network settings

    Choose available Ethernet > Properties.

    Input the IP address, then choose OK

    Choose the Veeam Cloud Connect repository

    Enter the BaaS Cloud Gateway address:

    • HCM: backup-hcmc.higio.net

    • HN:

    • Continue on the certificate details.

    • Enter Username and Password

    • Select the job that you want to restore

    • Select the restore point that you want to restore

    • Choose Restore Mode

    • Review Summary of restore job

    • Begin the process and complete the restore

    • Shut down the VM and then Eject Media

    • POWER ON the VM

    1

    Step 1: Access and login to BaaS portal:

    • HCM: https://portal-hcmc-backup.higio.net

    • HN: https://portal-hni-backup.higio.net

    2

    Step 2: Create a Backup Job

    Choose Managed Computers → Choose the Backup Agents tab → Tick the computer for which you want to create the job → Choose Assign…

    You can choose a job already created from the Service Provider template, or you can create a new one by choosing Create New.

    Input the Name, Description (Optional) then click Next.

    Choose Server, then Next.

    Choose the Backup Mode that you want, then Next.

    Choose Veeam Cloud Connect repository, then Next.

    Set the Restore points you want to keep and choose Advanced Settings… for more options.

    Advanced Option:

    After finishing Apply then, choose Next to continue.

    Choose Use sub-tenant accounts for each managed backup agent with the following quota and set the quota for this backup job, or you can set it Unlimited.

    Enable the backup cache feature if needed, then go next.

    Enable application-aware processing or file system indexing if you want them in the backup, then Next.

    Schedule the backup job, then Next.

    Review the backup job configuration and then choose Finish.

    Tick the job that you want to run, then choose Assign.

    Choose the policy from the Backup Policy column to check the progress of the backup job creation.

    The backup job has been created and completed.

    1

    Step 1: Configure job on Veeam Backup Agent

    Start Veeam Backup Agent Application

    2

    Step 2: Create a Backup Job

    Choose Add New Job…

    Input Name and Description for the job

    Choose Backup Mode

    Choose Veeam Cloud Connect Repository

    Enter the BaaS Cloud Gateway address:

    • HCM: backup-hcmc.higio.net

    • HN: backup-hni.higio.net

    • Accept the certificate details.

    • Enter Username and Password.

    Check the capacity of BaaS Storage

    Advanced configuration

    Enable or Disable Backup Cache

    Enable or Disable Guest Processing (Backup SQL, File index)

    Schedule Backup

    Check the settings

    Run the Backup Job

    Procedure

    Set up the IPSec IKEv2 Remote Access VPN on the Windows client

    1

    Step 1: Configure the VPN profile for the Windows client.

    Open PowerShell with Administrator permission.

    Copy and paste the commands below into PowerShell (replace the xxxx placeholders with your domain name).

    Add-VpnConnection -Name "HI-GIO-IKEv2-VPN" -ServerAddress "remote-xxxxx.xxxx01.vpn.higio.net" -TunnelType "Ikev2"

    Set-VpnConnectionIPsecConfiguration -ConnectionName "HI-GIO-IKEv2-VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -PfsGroup "PFS2048" -DHGroup "Group14" -PassThru -Force

    2

    Step 2: Enable VPN split tunneling in the Windows client.

    Virtual private network (VPN) split tunneling lets you route some of your application or device traffic through an encrypted VPN, while other applications or devices have direct access to the internet.

    Copy and paste the information below into PowerShell.

    Set-VpnConnection -Name "HI-GIO-IKEv2-VPN" -SplitTunneling $true

    3

    Step 3: Add a route to a VPN connection.

    • Add a VPN connection route for the subnet (example: 10.16.1.0/24). To add another subnet, run the same command again with the new subnet.

    • Copy and paste the information below into PowerShell.

    Add-VpnConnectionRoute -ConnectionName "HI-GIO-IKEv2-VPN" -DestinationPrefix "10.16.1.0/24"
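    To confirm that the profile on a client matches what Steps 1 to 3 configure, the following added example (not part of the HI GIO guide) reads the profile back with Get-VpnConnection and reports every deviation. The function name Test-HiGioVpnProfile is hypothetical, and the expected route is the example subnet from Step 3.

```powershell
# Added example: audit the VPN profile created in Steps 1-3 against the
# values this guide configures. Run as the same user that created the profile.
$Name           = 'HI-GIO-IKEv2-VPN'   # connection name used in the guide
$ExpectedRoutes = @('10.16.1.0/24')    # example subnet from Step 3; replace with yours

# Expected IPsec proposal, exactly as passed to Set-VpnConnectionIPsecConfiguration.
$ExpectedPolicy = [ordered]@{
    AuthenticationTransformConstants = 'GCMAES128'
    CipherTransformConstants         = 'GCMAES128'
    EncryptionMethod                 = 'GCMAES128'
    IntegrityCheckMethod             = 'SHA256'
    PfsGroup                         = 'PFS2048'
    DHGroup                          = 'Group14'
}

# Hypothetical helper: returns a list of findings, empty when the profile matches.
function Test-HiGioVpnProfile {
    param(
        [string]$ConnectionName,
        [System.Collections.IDictionary]$Policy,
        [string[]]$Routes
    )
    $findings = New-Object System.Collections.Generic.List[string]

    $conn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $conn) {
        $findings.Add("Connection '$ConnectionName' not found for this user.")
        return $findings
    }

    if ("$($conn.TunnelType)" -ne 'Ikev2') {
        $findings.Add("TunnelType is '$($conn.TunnelType)', expected 'Ikev2'.")
    }

    # Without a custom policy, Windows negotiates its built-in IKEv2 proposals
    # instead of the GCMAES128 / SHA256 / Group14 set from Step 1.
    $custom = $conn.IPSecCustomPolicy
    if (-not $custom) {
        $findings.Add('No custom IPsec policy set; Windows default proposals apply.')
    } else {
        foreach ($key in $Policy.Keys) {
            $actual = "$($custom.$key)"
            if ($actual -ne $Policy[$key]) {
                $findings.Add("$key is '$actual', expected '$($Policy[$key])'.")
            }
        }
    }

    # Step 2: with split tunneling off, all client traffic goes through the tunnel.
    if (-not $conn.SplitTunneling) {
        $findings.Add('SplitTunneling is off; all traffic is routed through the VPN.')
    }

    # Step 3: compare the routes stored on the profile with the expected subnets.
    $present = @($conn.Routes | ForEach-Object { $_.DestinationPrefix })
    foreach ($route in $Routes) {
        if ($present -notcontains $route) {
            $findings.Add("Route $route is missing from the profile.")
        }
    }
    foreach ($route in $present) {
        if ($Routes -notcontains $route) {
            $findings.Add("Route $route is on the profile but not in the expected list.")
        }
    }

    return $findings
}

$result = @(Test-HiGioVpnProfile -ConnectionName $Name -Policy $ExpectedPolicy -Routes $ExpectedRoutes)
if ($result.Count -eq 0) {
    Write-Output "Profile '$Name' matches the guide."
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

    A route that is on the profile but not in the expected list means more traffic is being sent into the tunnel than this procedure intends, so review it before removing it with Remove-VpnConnectionRoute.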

    Restore Entire VM via vCD's portal

    Overview

    With the option of Entire recovery, you can restore an entire VM from a backup file to the latest state or to a previous point in time if the original VM fails. Entire VM restore enables full disk I/O performance.

    Requirement

    • Check your available resources.

    • Create a new vApp to restore the VM if you want to restore it to a new location.

    • Add the original VM network to the new vApp.

    Procedure

    • Choose the VM and point that needs to be restored with Entire Recovery.

    • Select Restore mode.

    • Verify status restore.

    1

    Step 1. From the main menu vCD Portal, select More -> Data Protection with Veeam

    2

    Restore Linux VM on HIGIO Cloud via Media file (ISO file)

    Overview

    This is a document on how to Restore a Linux VM.

    Procedure

    1

    Step 1: Insert Veeam Recovery Media for Windows to VM

    From VM choose ALL ACTION > Media > Insert Media

    Choose Veeam Recovery Media(According to your OS) > Insert

    Then POWER ON VM and wait for Veeam Recovery Media to boot

    2

    Step 2: Restore from a restore point

    When boot is completed, choose Proceed without SSH

    Accept license agreement

    Remember to configure IP for the connection to Cloud Gateway via Configure network

    Choose Edit a connection

    Choose available

    Preparing the configure

    Procedure

    1

    Step 1: Please fill in the information in the yellow cells.

    • VLAN & Port groups will be created on vDistributed Switch.

    • Network settings for NSX Autonomous Edge.

    • Public IP address:

    2

    Step 2: Create port groups (VLANs) on vCenter (if they do not exist yet)

    3

    Step 3: Configure VLAN & Security for TRUNK port

    • Tag VLAN:

    4

    Step 4: Creating Network on HI GIO (detail steps can check )

    • These networks are stretch layer 2 (same subnet as on-prem).

    1

    Deploy NSX Autonomous Edge (on-premises site)

    Overview

    On-premises sites or the client’s L2 VPN require a specially configured VMware® NSX Edge™ appliance called autonomous edge. Deploy the NSX Autonomous Edge appliance using an OVF file on the ESXi host.

    The autonomous NSX Edge is straightforward to deploy and provides a high-performance VPN. The autonomous NSX Edge is deployed using an OVF file. You can also enable high availability (HA) for VPN redundancy by deploying primary and secondary autonomous Edge L2 VPN clients.

    Please request the HI GIO team to get the OVF file.

    Procedure

    1

    Step 1: Log in to the vCenter Server.

    2

    Step 2: Select Hosts and Clusters. To show the available hosts, expand the clusters.

    3

    Step 3: To deploy the NSX Edge, right-click the host where you want it and select Deploy OVF Template.

    Install Veeam Agent for Linux

    Overview

    This is a document on how to Install Veeam Agent for Linux

    Procedure - Install Veeam Agent for Linux

    1

    Step 1: Download Veeam Service Provider Console Management Agent

    • Login to the Web UI with the customer user

    • Select Managed Computers > Discovered Computers

    Step 3P - Partial failover VMs (VM - APP1) from on-premise site to HI GIO site

    Overview

    Use this step when your primary infrastructure (on-premise) is running well. After this step:

    - Workload is on the HI GIO cloud site.

    - Source workload is powered off.

    Procedure

    1

    Step 1: Log on to the HI GIO portal.

    2

    Step 2: Expand More > Click on Availability ()

    3

    Step 3:


    Validate - APP1

    Procedure

    1

    Step 1: Log on to the HI GIO portal: select vAPP1 > Virtual machines.

    2

    Step 2: Confirm that VM APP1 was migrated to HI GIO and powered on.

    3

    ENVIRONMENT

    Architecture Diagram

    DC site has an issue - full failover

    How to create NAT rules on Edge Gateway

    Overview

    Network address translation (NAT) allows the source or destination IP address to be changed to enable traffic to transition through a gateway or router.

    HI GIO supports some NAT types:

    A SNAT rule translates the source IP address of packets sent from an organization's VDC network out to an external network or another organization's VDC network.

    A NO SNAT rule prevents the translation of the internal IP address of packets sent from an organization VDC out to an external network or another organization VDC network.

    File Versioning

    Overview

    HI GIO S3 file versioning allows you to keep multiple versions of an object, protecting against accidental deletions and enabling easy recovery of previous file states.

    Procedure

    .\Downloads\rclone\rclone.exe config create Higio s3 env_auth false access_key_id xxxxxxxxxxxxxx secret_access_key xxxxxxxxxxxxxxxxxxx region default endpoint https://xxx.xxx.xx
    "C:\Users\Administrator".\Downloads\rclone\rclone.exe mount Higio:examblebucket1 S:\ --vf
    .\Downloads\rclone\rclone.exe lsf Higio:
    .\Downloads\rclone\rclone.exe lsf Higio:examplebucket1
    .\Downloads\rclone\rclone.exe mount Higio:examplebucket1 S:\ --vfs-cache-mode full
    # sudo rpm -ivh veeam-release-el9-1.0.8-1.x86_64.rpm
    # sudo subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms
    # sudo dnf install \
    https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
    # sudo yum install dkms perl kernel-modules-extra -y
    # sudo rpm -ivh blksnap-6.0.3.1221-1.noarch.rpm
    # sudo rpm -ivh veeam-6.0.3.1221-1.el9.x86_64.rpm
    [root@rhel9 ~]# ls /lib/modules/$(uname -r)/extra
    bdevfilter.ko.xz  blksnap.ko.xz
    [root@rhel9 ~]# lsmod | grep blksnap
    [root@rhel9 ~]# sudo insmod /lib/modules/$(uname -r)/extra/bdevfilter.ko.xz
    [root@rhel9 ~]# sudo insmod /lib/modules/$(uname -r)/extra/blksnap.ko.xz
    [root@rhel9 ~]# lsmod | grep blksnap
    blksnap               217088  0
    bdevfilter             20480  1 blksnap
    [root@rhel9 ~]# sudo depmod
    [root@rhel9 ~]# sudo echo bdevfilter > /etc/modules-load.d/bdevfilter.conf
    [root@rhel9 ~]# sudo echo blksnap > /etc/modules-load.d/blksnap.conf
    [root@rhel9 ~]# cat /etc/modules-load.d/bdevfilter.conf
    bdevfilter
    [root@rhel9 ~]# cat /etc/modules-load.d/blksnap.conf
    blksnap
    [root@rhel9 ~]# uptime && lsmod | grep blksnap
     17:43:06 up 18 min,  1 user,  load average: 0.00, 0.00, 0.00
    blksnap               217088  0
    bdevfilter             20480  1 blksnap
    OPEN FIREWALL RULE TO PUBLIC SERVICE TO INTERNET
    MONITOR TRAFFIC ANALYTICS IN FPT HI GIO CLOUD UI
    https://kb.vmware.com/s/article/2020846
    https://kb.vmware.com/s/article/2008405
    Linux
  • Windows

  • Via portal:

    • Linux

    • Windows

    Active alarm for a backup job

  • Restore process: Restore the machine after disaster, system error, or with Veeam media:

    • Linux

    • Windows

  • Create backup job on Linux OS via Veeam agent console
  • Create backup job on Windows OS via Veeam agent console

  • Create backup job for Linux via Portal

  • Create backup job for Windows via Portal

  • How to configure receive Alarm from BaaS

  • Workaround

  • Linux
    Windows
    BaaS Support Matrix
    Install Veeam Agent for Linux
    Install Veeam Agent for Windows
    Update Veeam Service Provider Console Management Agent v.7 & Backup Agent v.6
    backup-hni.higio.net
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ns4:Item xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:common="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ns4="http://www.vmware.com/vcloud/v1.5"
        <rasd:Reservation>0</rasd:Reservation>
        <rasd:ResourceSubType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
        <rasd:ResourceType>3</rasd:ResourceType>
    …………………………………………………………………………..
    ………………………………………………………………………….
        <rasd:VirtualQuantity>8</rasd:VirtualQuantity>
        <rasd:VirtualQuantityUnits xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
        <rasd:Weight>0</rasd:Weight>
        <vmw:CoresPerSocket ovf:required="false">2</vmw:CoresPerSocket>
    type="application/vnd.vmware.vcloud.rasdItem+json"/>
    </ns4:Item>
    
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ns4:Item xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:common="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ns4="http://www.vmware.com/vcloud/v1.5" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf"
    ………………………………………………………….
    ……………………………………………………………
        <rasd:ResourceType>4</rasd:ResourceType>
        <rasd:VirtualQuantity>2048</rasd:VirtualQuantity>
        <rasd:VirtualQuantityUnits xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
    type="application/vnd.vmware.vcloud.rasdItem+json"/>
    </ns4:Item>
    I have a fully set-up network
    :
    • Pick a Network.

    • Click CREATE GROUP AND ADD RULES.

    Make sure the network has available Static IP Pools.

    • If your applications use HI GIO Load Balancing, select I have set-up a Load Balancer option.

      • Enter Network CIDR.

      • Pick Edge Gateway.

      • Pick Server Pool

      • Click CREATE GROUP AND ADD RULES.

    Step 5: Set up Firewall rules depending on the application’s requirements.

    Behavior:
    Select whether the scale group must expand or shrink when the rule takes effect.
    • Grow: scale out.

    • Shrink: scale in.

  • Cool down: Enter a cooldown period in minutes after each auto scale in the group.

  • Attention: The conditions cannot trigger another scaling until the cooldown period expires. The cooldown period resets when any of the rules of the scale group takes effect.

    Step 3: In the Conditions tab, Add a condition that triggers the rule.

    • Avg. Utilization:

      • CPU usage.

      • memory usage.

    • Condition:

      • greater or equal to.

      • lower or equal to.

    • Amount: in percent.

    • Duration: The period when the condition must be valid to trigger the rule.

    Attention: An AND operator groups conditions in a rule.

    After a condition is met, it might be executed with a delay of up to 5 minutes.

    - ‘Accept’: */*;version=37.2

    - ‘Content-type’: application/vnd.vmware.vcloud.rasdItem+xml

    • SEND request.

    Copy Response Body

    Authorization: {{Bearer Token }}
  • Headers:

    - ‘Accept’: */*;version=37.2

    - ‘Content-type’: application/vnd.vmware.vcloud.rasdItemsList+xml; charset=ISO-8859-1

    Body: {{select raw -> copy and paste response body from Get VM’s networks information }}

    Ex:

    =====================================================================

    Find word :

    ns10:ipAddressingMode and edit the value in “ ” (network mode: “DHCP”, “Pool”, “Manual”)

    + DHCP: Please set up a DHCP pool on your network -> IP Management

    + Pool: Please set up Static IP pools on your network -> IP Management

    ns10:ipAddress and edit the value in “” (“VM ipv4 address”) – no need if using DHCP or Pool

    ns10:primaryNetworkConnection and edit the value in “” (paste network name {{netwok_name}} )

    • SEND request.

    Check on the vCD portal

    Login IAM -> vCD portal-> select VM-> NICs

    If a customer needs to backup 1 VM daily, once a day, and store all those backups in the last 15 days, the number of restore points customers need to set is 15.

    (Note: The more restore points are kept, the more storage the customer uses.)

    Select Next to continue.

    Step 7: At the tab Virtual Machines, select Add

    Step 8: Select the VM that needs to be backed up, then select OK

    Select symbol + to open the components until the list of VMs appears (VM will be at the last symbol +)

    Select Next to continue.

    Step 9: (Optional) Set some advanced features (can keep default)

    Select Next to continue.

    Step 10: Schedule a backup job

    Check the box Run the job automatically, and let the system automatically backup according to the set schedule.

    Specify the time to backup (every day, every month, specific days of the week, …)

    • Automatic retry: Option to run the backup job again if the job fails for some reason.

    • Wait before each attempt for: interval between retry.

    Step 11: (Optional) Setting Email Notifications

    Check the box Enable e-mail notifications to turn on notifications

    Input e-mail address in the box Recipients

    Select cases to receive notifications:

    • Notify on success: Receive email notification if the job is completed successfully

    • Notify on warning: Receive an email notification if the job is completed with a warning

    • Notify on error: Receive email notification if the job fails

    • Suppress notifications until the last retry: Receive email notification about the final job status

    Step 3: Select the restore point needed to restore

    Check the box Power on a machine after restoring to power on the VM after the restore is complete.

    Step 4: Select History to view restore history and restore process

    :

    Wait for the connection to be connected:

    Attention: if you cannot connect to Cloud Gateway, please check:

    Cloud Gateway address:

    • HCM: backup-hcmc.higio.net

    • HN: backup-hni.higio.net

    Check connections to the internet.

    Check connections to Cloud Gateway port 6180. #telnet {Cloud Gateway address} 6180

    Return to the Veeam Service Provider Console; the Linux machine will be displayed in “Discovery Computer” with the status “active.”

    • In the Use guest OS credentials form section, select an account that will be used to upload setup files to client computers and start installation.

    • The account must have local privilege permissions on computers where you want to install Veeam backup agents.

      • Select the Account specified in the discovery rule or the management agent settings if you want to install the same account that you specified for the discovery of client computers, either in the master agent configuration or in the discovery rule settings.

    Select The following user account if you want to specify an account different from the one you used for discovery. You can select an account from the list or click Create New to specify credentials for a new account.

    " -PassThru
    • Step Connect VPN from Windows Client.

    • Login to the account with the provided username and password, then click OK.

    • The VPN connection was established successfully.

    • Using the ping command line, confirm that you are connected to the application located on the HI GIO Cloud.

    Step 2. Select tab VMs

    3

    Step 3. Select the VM that needs to be restored --> Entire Recovery

    4

    Step 4. On Restore Point

    Select the backup date you want to restore --> Next

    5

    Step 5. On Restore mode

    There are 2 modes:

    Mode 01- Restore to the original location: Quickly restore the selected VM to its original location with the original name and settings. This option minimizes the chance of user input error.

    • The restore VM will override the original VM.

    • The original VM will be shut down and deleted when the restore is successful.

    >> Please follow step 5.1

    Mode 02 - Restore to a new location or with different settings: Customize the restored VM location and change its settings. The wizard will automatically populate all controls with the original VM settings as the defaults.

    • This mode will increase your resources, so please check your available resource and contact HI GIO-Sales if you want to add more resources to restore the VM.

    • You need to create a new vApp to restore the VM.

    >> Please follow step 5.2

    Step 5.1. Restore to the original location

    5.1.1 Select Next

    5.1.2 On Summary

    Verify VM restore information → select Power on VM automatically → Finish

    Step 5.2 Restore to a new location, or with different settings

    5.2.1 Select Next

    5.2.2 On Destination

    *** Specify vApp to restore the virtual machine to, and type in the restored VM's name.

    Click Choose

    Select the vApp that was created before

    Change VM name → Next

    5.2.3 On Network

    Keep default or choose network already added on vApp → Select Next

    5.2.4 On Datastore

    Keep default or choose Policy already on your resource → Select Next

    5.2.5 On Summary

    Verify VM restore information → select Power on VM automatically → Finish

    6

    Step 6. Verify Status VM restore

    Select tab VMs → History to check the status of VM restore

    Restore VM successfully

    In some cases, after restoring a Linux VM (RHEL, CentOS, Ubuntu, ...), the machine boots up without the local network interface.

    You'll get a message like this: "Bringing up interface eth0: Device eth0 has different MAC address than expected, ignoring."

    The reason is that the VM has been assigned an Ethernet adapter with a different MAC address than the one the source VM was using.

    Resolution: Get the MAC address that has been assigned to the VM and update the interface configuration with it.

    Ethernet > Edit

    Input the IP address then choose OK

    Choose Restore volumes

    Choose Add Cloud Connect provider

    Enter address of BaaS Cloud Gateway Address:

    • HCM: backup-hcmc.higio.net

    • HN: backup-hni.higio.net

    • Accept the certificate details.

    • Enter Username and Password

    • Select Job and restore point that want to restore

    • Choose Hard disk that want to restore

    • Enter and select Restore from…

    • Choose the exact disk want to restore

    • Check that the mapping is correct, and then press ”s” to continue

    • Review the Summary of the restore job, then press Enter to begin

    • Begin the process and complete the restore

    • Shutdown the VM and then Eject Media

    POWER ON the VM

    must to have access to internet

    3

    Network 2

    Trunk

    –

    –

    4

    Network 3

    – (HA, optional)

    192.168.137.81

    192.168.137.82

  • Set security: enable Promiscuous mode and Forged transmits

  • Select an IP for the gateway CIDR (it must not duplicate an existing IP address)

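    | # | Port Group | VLAN          | Remark                             |
    |---|------------|---------------|------------------------------------|
    | 1 | Management | 137           | For NSX Autonomous Edge management |
    | 2 | Uplink     | 138           | For NSX Autonomous Edge uplink     |
    | 3 | Trunk      | 140, 141, 142 | Stretch L2 network traffic         |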

    #

    OVF Template Name

    Port Group

    Primary Node

    Second Node (optional)

    Remark

    1

    Network 0

    Management

    192.168.137.79

    192.168.137.80

    2

    Network 1

    Uplink

    192.168.138.77

    On-premises Public IP

    HI GIO's Public IP

    <IP Address>

    <IP Address>

    here
    NSX Autonomous Interfaces

    –

    • On the Select an OVF template page, to download and deploy the OVF file, paste the URL, or select a locally downloaded OVF file and click NEXT.

    • On the Select a name and folder page, enter the virtual machine name & select a location for it > click Next.

    • Select the destination compute resource > click Next on the Select a compute resource page.

    • On the Review details page, verify the OVF package template details > click Next.

    • On the Configuration page, select a deployment configuration size (detail as below) > click Next.

    Medium size is suitable for normal use cases. If you don’t have special requirements, please use it.

    Sizing for NSX Autonomous Edge VM

    • On the Select storage page: select a storage & select virtual disk format = Thin provision > click Next.

    • On the Select networks page, for all destination networks select the management network > click Next.

    • On the Customize template page, enter the following properties > click NEXT.

    + In the Application section, do the following:

    Set the System Root User Password.

    Set the CLI "admin" User Password.

    Select the Is Autonomous Edge checkbox.

    Leave the remaining fields empty.

    NSX Edge core services do not start unless you enter passwords meeting these requirements:

    At least 12 characters

    At least one uppercase letter

    At least one lowercase letter

    At least one digit

    At least one special character

    At least five different characters

    + In the Network Properties section, do the following:

    Set the Hostname.

    Set the Management Network IPv4 Address. This is the management IP for the autonomous edge.

    Set the Management Network Netmask. This is the management network prefix length.

    Set the Default IPv4 Gateway. This is the default gateway of the management network.

    + In the DNS section, do the following:

    In the DNS Server list field, enter the DNS server IP addresses separated by spaces.

    In the Domain Search List field, enter the domain name.

    + In the Services Configuration section, do the following:

    Enter the NTP Server List.

    Enter the NTP Servers, separated by spaces.

    Select the Enable SSH checkbox.

    Select the Allow Root SSH logins checkbox.

    + In the External section, do the following:

    Enter the External Port details in the following format: VLAN_ID,Exit Interface,IP,Prefix Length.

    For example: 138,eth2,192.168.138.77,24. Replace the following values:

    VLAN ID: VLAN ID of the uplink VLAN

    Exit Interface: interface ID reserved for uplink traffic

    IP: IP address reserved for the uplink interface

    Prefix Length: prefix length for the uplink network

    In the External Gateway field, enter the default gateway of the uplink network.

    + (Optional) In the HA section, do the following:

    Enter the HA Port details in the following format: VLAN_ID,Exit Interface,IP,Prefix Length.

    For example: 137,eth2,192.168.137.81,24. Replace the following values:

    VLAN ID: VLAN ID of the uplink VLAN

    Exit Interface: interface ID reserved for uplink traffic

    IP: IP address reserved for the uplink interface

    Prefix Length: prefix length for the uplink network

    In the HA Port Default Gateway field, enter the default gateway of the management network

    • Review the NSX Autonomous Edge settings > on the Ready to complete page> and click FINISH.

    After the deployment completes, power on the NSX Autonomous Edge virtual machine.

    Log in NSX autonomous via web browser:

    Choose Download Agent > Linux
    2

    Step 2: Install Linux Management Agent

    • Log on to the machine where you want to install the master agent.

    • Copy the agent installation package (the .sh file) to the machine where you want to install the agent.

    • Make sure that you have permission to execute the installation package file.

    sudo chmod +x LinuxAgentPackages...

    3

    Step 3: Install the package with the following command:

    sudo ./LinuxAgentPackages....

    Check connection by command:

    veeamconsoleconfig -s

    Note: if you cannot connect to Cloud Gateway, please check:

    Cloud Gateway address:

    HCM: backup-hcmc.higio.net

    HN: backup-hni.higio.net

    • Check connections to the internet.

    • Check connections to Cloud Gateway port 6180. #telnet {Cloud Gateway address} 6180

    • If the connection to Cloud Gateway port 6180 cannot be opened, do the following command:

    Delete iptables rule:

    4

    Step 4: Return to the Veeam Service Provider Console; the Linux machine will be displayed in “Discovery Computer” with the status “active.”

    5

    Step 5: Install Veeam Backup Agent Linux

    • Login to the Web UI > Managed Computers > Discovered Computers

    • Choose the Linux Server > Install Backup Agent

    • In the Use guest OS credentials form section, select an account that will be used to upload setup files to client computers and start installation.

    • The Account must have local root permissions on computers where you want to install Veeam backup agents.

      • Select the Account specified in the discovery rule or the management agent settings if you want to install the same Account that you specified for the discovery of client computers, either in the master agent configuration or in the discovery rule settings.

      • Select The following user account if you want to specify an account different from the one you used for discovery. You can select an account from the list or click Create New to specify credentials for a new account.

    • In the Backup policy to apply list, choose a backup policy that must be used as part of the installation process.

      • If you allocate all cloud resources specified in the policy to the company, the chosen backup policy will configure backup job settings after installing Veeam backup agents. You can select No policy if you do not want to configure backup job settings as part of installation.

    • By default, read-only access is enabled for all Veeam backup agents. To disable the read-only access mode for Veeam backup agents, set the Enable read-only UI access for the backup agent toggle to Off.

    6

    Step 6: Check the result via portal and VM:

    Click on Incoming Replications > Check the checkbox for VM APP1 > Expand ALL ACTIONS > Click on Migrate
    4

    Step 4: Configure Recovery Settings for Migrate

    - Instances handling after recovery: Default.

    - Power Settings: Power on recovered vApps.

    - Network Settings: Apply preconfigured network settings on migrate (configured in step 2)

    - Click NEXT

    5

    Step 5: Review and click FINISH

    6

    Step 6: Expectation result:

    1. Failover in Progress: You will notice Migrate in Progress with % progress in the Detailed Status.

    2. Once the migration task is completed, confirm on STATUS, VM:

    APP1:

    - Recovery state = Failed-Over,

    - Replication Type = On-Premise Protection,

    - Overall health = Green.

    DB1:

    - Recovery state = Not stated,

    - Replication Type = On-Premise Protection,

    - Overall health = Green.

    Migrate completed successfully. The workload is running in the HI GIO cloud, and the workload is no longer protected.

    Step 3:
    Ping, tracert, and HTTP to APP1 from the on-premises site must succeed.

    4

    Step 4: Expectation result:

    1. The VM APP1 is running on the HI GIO site now. The VM is no longer protected.

    2. The VM APP1 is powered off on-premises automatically by vCDA.

    Environment Information
    1. On-premises Site

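    | No. | Item            | Description                                    | IP Address     | Note |
    |-----|-----------------|------------------------------------------------|----------------|------|
    | 1   | vcsa7.lab.local | vCenter                                        | 192.168.137.77 |      |
    | 2   | vcda7.lab.local | VMware Cloud Director Availability On-premises | 192.168.137.78 |      |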

    3

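    2. HI GIO Site

    | No. | Item                 | Description                 | IP Address      | Note |
    |-----|----------------------|-----------------------------|-----------------|------|
    | 1   | ASG000001-Customer01 | Organizations               |                 |      |
    | 2   | ADC.lab.local        | Secondary Domain controller | 192.168.137.201 |      |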

    3. Environment System Configuration

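    | # | App Name | Hostname       | On-prem IP address | HI GIO's Network | HI GIO IP address | Remark |
    |---|----------|----------------|--------------------|------------------|-------------------|--------|
    | 1 | APP1     | APP1.lab.local | 192.168.140.14     | [L2]VM140        | 192.168.140.14    |        |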

    2

    APP1

    A DNAT rule translates the IP address and, optionally, the port of packets received by an organization VDC network that are coming from an external network or another organization VDC network.

    A NO DNAT rule prevents the translation of the external IP address of packets received by an organization VDC from an external network or another organization VDC network.

    The public IP addresses must have been added to the edge gateway interface where you want to add the NAT rule.

    Firewall rule will be applied to the local IP address by default configuration. If you want to specify a firewall rule for the Public IP address, please change the "Firewall Match" configuration to "Match External Address" on the Advanced option

    Procedure

    Step 1: In the top navigation bar, click Networking and Edge Gateways.

    Step 2: Select the edge gateway that you want to edit

    Step 3: Under Security, click NAT

    Step 4: Click New.

    Step 5: Configure a DNAT

    Name: [Name of rule]

    Description: [optional]

    Interface type: Select DNAT\No DNAT

    External IP: Enter the public IP address of the edge gateway

    External Port: [optional - Enter a port into which the DNAT rule is translating]

    Internal IP: Enter IP or range IP to receive traffic from the external network

    Application: [optional – select application profile with port]

    Advanced Settings: (Optional)

    - State: Enable or disable the NAT rule.

    - Logging: Toggle the Logging button to enable logging

    - Priority: A lower value means a higher priority. The default is 0. A No SNAT or No DNAT rule should have a higher priority than other rules.

    - Firewall Match: The available settings are

    • Match External Address - The firewall will be applied to external address of a NAT rule.

    For SNAT, the external address is the translated source address after NAT is done.

    For DNAT, the external address is the original destination address before NAT is done.

    • Match Internal Address - Indicates the firewall will be applied to internal address of a NAT rule.

    For SNAT, the internal address is the original source address before NAT is done.

    For DNAT, the internal address is the translated destination address after NAT is done.

    • Bypass - The packet bypasses firewall rules

    Step 6: Click Save

    Step 1: In the top navigation bar, click Networking and Edge Gateways.

    Step 2: Select the edge gateway that you want to edit

    Step 3: Under Security, click NAT

    Step 4: Click New.

    Step 5: Configure an SNAT

    Name: [Name of rule]

    Description

    1

    Step 1: Right-click on the file and choose “Version“ to check the file versioning

    2

    Step 2: Choose the “Version” you want to download

    You must enable versioning for the file Bucket to save file versions.

    (Optional) Deploy the secondary NSX Autonomous Edge in HA mode (on-premises site)

    Overview

    Optionally, use the following steps to deploy a secondary NSX-T Autonomous Edge (Layer 2 VPN client) in HA mode in your on-premises environment:

    #

    OVF Template Name

    Port Group

    Primary Node

    Procedure

    1

    Step 1: Follow the steps in until you reach the Customize template step.

    2

    Step 2: On the Customize template step, do the following instead:

    • In the Application section, do the following:

    Instant Recovery

    Overview

    With the Instant recovery option, you can recover a VM quickly. The VM mounts workload images to a host directly from the backup stored on backup repositories. However, I/O performance will be limited; you must migrate the VM to production after it is successfully restored.

    Requirement

    • Check your available resources.

    • Create a new vApp to restore the VM

    *** During recovery

    You can only restore and migrate each VM in turn.

    *** If you want to restore and migrate many VMs at the same time

    • Please contact HI GIO support.

    Procedure

    • Choose the VM and the restore point to be restored with Instant Recovery.

    • Select Restore mode.

    • Verify the restore status.

    • Migrate and verify the VM.

    Step 1: From the vCD Portal main menu, select More -> Data Protection with Veeam

    Step 2: Select the VMs tab

    How To Install vCDA On-Premises appliance

    Overview

    This short manual guide is designed to help HI GIO users navigate

    • How to install vCDA On-Premises

    • How to complete the vCDA Configuration Wizard

    Procedure

    • Before installing the VMware Cloud Director Availability On-Premises Appliance, verify that the on-premises site meets the deployment requirements. Also, allow the network communication within the on-premises site and to the cloud site

    • vCenter Requirements. 6.5U3, 6.7U3, 7.0 (GA-U3), 8.0 (GA, U1). (We also support vCenter 6.0U3, 5.5U3 only for migration purpose)

    • Network Requirements. To get a list of the required firewall ports to be opened, see VMware Cloud Director Availability Network Ports.

    Link:

    Working with Organization VDC Networks

    Overview

    Organization virtual data center (VDC) networks enable vApps\VMs to communicate with each other or with external networks outside the organization.

    Depending on the connection of the organization VDC network, there are several different types of organization VDC networks:

    • An isolated (internally connected) network is one that only VMs within the VDC network can connect to.

    • A routed network (externally connected) provides access to machines and networks outside the VDC via the edge gateway.

    Procedure

    Step 1: Creating an Isolated VCD Network

    • In the top navigation bar, click Networking.

    • On the Networks tab, click New to open the New Organization VDC Network window.

    Veeam Agent Installation for CentOS 8 Stream

    Overview

    This document is for installing the Veeam Backup Agent Linux on CentOS 8 Stream

    Procedure

    IPSec VPN

    Overview

    IPsec VPN offers site-to-site connectivity between HI GIO and remote sites with third-party hardware routers or VPN gateways that support IPSec.

    On HI GIO, you can create VPN tunnels between:

    • Organization virtual data center networks in the same organization

    Using Distributed Firewall in a Data Center Group

    Overview

    HI GIO supports a distributed firewall service for data center groups. You create a single default security policy applied to the data center group.

    It can inspect every packet and frame coming to and leaving the VM regardless of the network topology. Packet inspection is done at the VM virtual NIC (vNIC) level, which enables access-control lists (ACLs) to be applied closest to the source.

    Create VM's Template

    Overview

    • HI GIO provides virtual machine (VM) template sizes and operating systems.

    • The HI GIO template is a good place to start when you first deploy VMs into HI GIO. However, you may want to create a template containing specific applications that you can use to deploy VMs quickly.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RasdItemsList xmlns="http://www.vmware.com/vcloud/v1.5" xmlns:vmext="http://www.vmware.com/vcloud/extension/v1.5" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData"
    …………………………………..
    ………………………………….
        <Link rel="edit" href="https://iaas-hcmc02.higiocloud.vn/api/vApp/vm-6cc0d2ef-6823-421a-bed5-8bb0f92a7bca/virtualHardwareSection/networkCards" type="application/vnd.vmware.vcloud.rasdItemsList+json"/>
        <Item>
            <rasd:Address>00:50:56:02:10:2c</rasd:Address>
            <rasd:AddressOnParent>0</rasd:AddressOnParent>
            <rasd:AllocationUnits xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
            <rasd:AutomaticAllocation>true</rasd:AutomaticAllocation>
            <rasd:AutomaticDeallocation xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
            <rasd:ConfigurationName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
            <rasd:Connection xmlns:ns10="http://www.vmware.com/vcloud/v1.5" ns10:ipAddressingMode="Manual" ns10:ipAddress="10.10.11.20" ns10:primaryNetworkConnection="true">10.10.11.0/24</rasd:Connection>
            <rasd:ConsumerVisibility xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
            …………………………………………………………………….
            <rasd:ResourceSubType>VMXNET3</rasd:ResourceSubType>
            <rasd:ResourceType>10</rasd:ResourceType>
            <rasd:VirtualQuantity xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
            <rasd:Weight xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/>
        </Item>
    </RasdItemsList>

    host16.lab.local

    ESXi host

    192.168.137.50

    4

    DC.lab.local

    Primary Domain controller

    192.168.137.200

    DB1.lab.local

    192.168.141.14

    [L2]VM141

    192.168.141.14

    http://app1.lab.local/Students
    Get MAC address from portal
    Follow on your distribute to update MAC address
    : [optional]

    Interface type: Select SNAT\No SNAT

    External IP: Enter the public IP address of the edge gateway

    Internal IP: Enter the IP address or IP range to receive traffic from the external network

    Destination IP: [Optional]

    Advanced Settings: (Optional)

    - State: Enable or disable the NAT rule.

    - Logging: Toggle the Logging button to enable logging

    - Priority: A lower value means a higher priority. The default is 0. A No SNAT or No DNAT rule should have a higher priority than other rules.

    - Firewall Match: The available settings are

    • Match External Address - The firewall will be applied to the external address of a NAT rule.

    For SNAT, the external address is the translated source address after NAT is done.

    For DNAT, the external address is the original destination address before NAT is done.

    • Match Internal Address - Indicates the firewall will be applied to the internal address of a NAT rule.

    For SNAT, the internal address is the original source address before NAT is done.

    For DNAT, the internal address is the translated destination address after NAT is done.

    • Bypass - The packet bypasses firewall rules

    Step 6: Click Save

    Note: Please do not remove SNAT/DNAT rules whose names start with HIGIO- (if any)

    Step 7: Add Edge Firewall rules for SNAT/DNAT after completing NAT rules.

  • Set the System Root User Password.

  • Set the CLI "admin" User Password.

  • Select the Is Autonomous Edge checkbox.

  • Leave the remaining fields empty.

  • NSX Edge core services do not start unless you enter passwords meeting these requirements:

    At least 12 characters

    At least one uppercase letter

    At least one lowercase letter

    At least one digit

    At least one special character

    At least five different characters

    • In the Network Properties section, do the following:

      • Set the Hostname.

      • Set the Management Network IPv4 Address. This is the management IP for the autonomous edge.

      • Set the Management Network Netmask. This is the management network prefix length.

      • Set the Default IPv4 Gateway. This is the default gateway of the management network.

    • In the DNS section, do the following:

      • In the DNS Server list field, enter the DNS server IP addresses separated by spaces.

      • In the Domain Search List field, enter the domain name.

    • In the Services Configuration section, do the following:

      • Enter the NTP Server List.

      • Enter the NTP Servers, separated by spaces.

      • Select the Enable SSH checkbox.

    • Leave the External section empty.

    • In the HA section, do the following:

    -Enter the HA Port details in the following format: VLAN_ID, Exit Interface, IP, Prefix Length.

    For example: 137,eth2,192.168.137.81,24. Replace the following values:

    VLAN ID: VLAN ID of the uplink VLAN

    Exit Interface: interface ID reserved for uplink traffic

    IP: IP address reserved for the uplink interface

    Prefix Length: prefix length for the uplink network

    -In the HA Port Default Gateway field, enter the default gateway of the management network

    -Select the Secondary API Node checkbox.

    -In the Primary Node Management IP field, enter the management IP address of the primary autonomous edge.

    -In the Primary Node Username field, enter the username of the primary autonomous edge (for example, "admin").

    -In the Primary Node Password field, enter the password of the primary autonomous edge.

    -In the Primary Node Management Thumbprint field, enter the API thumbprint of the primary autonomous edge.

    You can get this by connecting using SSH to the primary autonomous edge using admin credentials and running the command: “get certificate api thumbprint”

    Step 3: Complete the remaining OVF template deployment steps to deploy the secondary autonomous edge (on-premises Layer 2 VPN client).

    Power on the second NSX autonomous edge.

    Step 4: Validate:

    It will take some minutes to sync.

    Log in to both NSX autonomous nodes and check High Availability and L2VPN.

    -Primary node:

    -Secondary node:

    -Port ID, Tunnel ID, and exit interfaces are the same on both nodes.

    Step 5: Failover test:

    To test the NSX autonomous failover:

    -Ping from on-premises to HI GIO cloud.

    -Shutdown NSX autonomous primary node

    -Result:

    NSX autonomous secondary status will change to ACTIVE, L2 VPN = UP

    The connection drops for about 5-10 seconds

    After the NSX autonomous primary node is powered on again, the HA status between the nodes is re-established. The secondary edge remains active, and the primary will become active only in case of an additional failure.
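The password rules and the HA port format from Step 2 can be checked before the OVF wizard is submitted. The script below is an added example, not code from VMware or HI GIO. Treating any non-alphanumeric character as "special", rejecting spaces in the HA port string, and expecting the HA port default gateway to be on-link for the HA port subnet are assumptions of the example; the gateway 192.168.137.1 and the sample password are constructed values.

```shell
#!/bin/sh
# Added example, not VMware or HI GIO code. Pre-flight checks for two values
# typed into the Customize template step: the edge passwords and the HA port.

# Succeeds when a password meets every rule listed in Step 2.
# Assumption: "special character" means any non-alphanumeric character.
password_ok() {
    pw=$1
    [ "${#pw}" -ge 12 ] || return 1
    case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) return 1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) return 1 ;; esac
    # "At least five different characters": count the distinct ones.
    distinct=$(printf '%s' "$pw" | fold -w 1 | LC_ALL=C sort -u | wc -l | tr -d ' ')
    [ "$distinct" -ge 5 ]
}

# Print a dotted-quad IPv4 address as an integer; fail on malformed input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac      # no leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Parse "VLAN_ID,Exit Interface,IP,Prefix Length" (137,eth2,192.168.137.81,24)
# into HA_VLAN, HA_IF, HA_IP and HA_PREFIX. Fails on any malformed field.
parse_ha_port() {
    # Assumption: no spaces, as in the page's example string.
    case $1 in *[!0-9A-Za-z.,]*) return 1 ;; esac
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    HA_VLAN=$1 HA_IF=$2 HA_IP=$3 HA_PREFIX=$4
    case $HA_VLAN in ''|0?*|*[!0-9]*) return 1 ;; esac
    [ "${#HA_VLAN}" -le 4 ] && [ "$HA_VLAN" -le 4094 ] || return 1   # 12-bit VLAN ID, 4095 reserved
    # Assumption: interfaces are named ethN, as in the page's example.
    case $HA_IF in eth|eth*[!0-9]*) return 1 ;; eth[0-9]*) ;; *) return 1 ;; esac
    ip_to_int "$HA_IP" >/dev/null || return 1
    case $HA_PREFIX in ''|0?*|*[!0-9]*) return 1 ;; esac
    [ "${#HA_PREFIX}" -le 2 ] && [ "$HA_PREFIX" -ge 1 ] && [ "$HA_PREFIX" -le 32 ]
}

# Succeeds when gateway $3 lies in the network of $1/$2 and is not $1 itself.
on_link() {
    if_int=$(ip_to_int "$1") || return 1
    gw_int=$(ip_to_int "$3") || return 1
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    [ $(( if_int & mask )) -eq $(( gw_int & mask )) ] && [ "$if_int" -ne "$gw_int" ]
}

# $1 = HA port details string, $2 = HA port default gateway
check_ha_inputs() {
    parse_ha_port "$1" || { echo "HA port details malformed: $1" >&2; return 1; }
    on_link "$HA_IP" "$HA_PREFIX" "$2" || {
        echo "gateway $2 is not on-link for $HA_IP/$HA_PREFIX" >&2; return 1; }
    echo "HA port OK: VLAN $HA_VLAN on $HA_IF, $HA_IP/$HA_PREFIX via $2"
}

# Demo: the HA port example from the page with a constructed gateway, and a
# constructed password that passes every rule except "five different characters".
check_ha_inputs "137,eth2,192.168.137.81,24" "192.168.137.1"
password_ok 'Aa1!Aa1!Aa1!' || echo "password rejected: fewer than five different characters"
```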

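    | # | OVF Template Name | Port Group | Primary Node | Second Node (optional) | Remark |
    |---|---|---|---|---|---|
    | 1 | Network 0 | Management | 192.168.137.79 | 192.168.137.80 | |
    | 2 | Network 1 | Uplink | 192.168.138.77 | – | must have access to the internet |
    | 3 | Network 2 | Trunk | – | – | |
    | 4 | Network 3 | – (HA, optional) | 192.168.137.81 | 192.168.137.82 | |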

    Deploy NSX Autonomous Edge (on-premises site)

    Step 3: Select the VM to restore --> Instant Recovery

    Step 4: On Restore Point

    • Select the backup date you want to restore --> Next

    Step 5. On Restore mode

    There are 2 modes:

    *** Restore to the original location: Quickly restore the selected VM to its original location with the original name and settings. This option minimizes the chance of user input error.

    • The restored VM will overwrite the original VM.

    • The original VM will be shut down and deleted once the restore succeeds.

    >> Please follow step 5.1

    *** Restore to a new location or with different settings: Customize the restored VM location and change its settings. The wizard will automatically populate all controls with the original VM settings as the defaults.

    • This mode will increase your resource usage, so please check your available resources and contact HI GIO-Sales if you want to add more resources to restore the VM.

    • You need to create a new vApp to restore the VM.

    >> Please follow step 5.2

    Step 5.1. Restore to the original location

    5.1.1 Select Next

    5.1.2 On Summary

    • Verify VM restore information → select Power on VM automatically → Finish

    Step 5.2 Restore to a new location, or with different settings

    5.2.1 Select Next

    5.2.2 On Destination

    Specify vApp to restore the virtual machine to, and type in the restored VM's name.

    • Click Choose

    • Select the vApp that was created earlier

    • Change VM name → Next

    5.2.3 On Network

    • Keep default → Select Next

    5.2.4 On Summary

    • Verify VM restore information → select Power on VM automatically → Finish

    Step 6: Verify the VM restore status

    • Select the VMs tab → History to check the status of the VM restore

    Once the VM has been recovered successfully, go back to the vCD portal to check the data.
    • Back in the vCD portal, the restored VM is powered on

    When Instant Recovery is performed: Veeam Backup & Replication uses the Veeam vPower technology to mount a workload image to an ESXi host directly from a compressed and deduplicated backup file. DO NOT shut down\power off the VM, to avoid data loss.

    Please proceed with steps 7 & 8 to complete the recovery.

    Step 7: Migrate to Production

    *** After checking the data on the restored VM, if it contains the data you want, you need to migrate it to production to ensure I/O performance for the VM.

    • Back to Data Protection with Veeam → Instant Recovery

    • Select VM restore → Migrate to Production

    • On Destination → Select Choose...

    • Select Storage Policy → OK

    • Select Next

    • On Ready → Finish

    • To check the status of the migrated VM restore, select VMs → History

    • Select VM restore

    • VM restore has migrated to production

    Step 8: Verify the restored VM information

    *** To make sure the restored VM is running with the correct configuration, go back to the vCD portal and check:

    • Hard disk (Size, IOPS, Storage Policy)

    • Compute (CPU, Memory)

    • Hardware Requirements. From a hosting perspective, the VMware Cloud Director Availability On-Premises Appliance is a virtual machine with the following hardware requirements

      • 4 vCPUs

      • 4 GB RAM

      • 10 GB Storage

    • Deployment Requirements. In ESXi hosts, a VMkernel interface can be dedicated for the replication traffic. By default, ESXi handles the replication traffic through its management VMkernel interface. As a best practice, you can separate the management traffic from the replication traffic by creating a dedicated VMkernel interface. Use the following tags when creating a VMkernel interface for the replication traffic:

    Use the vSphere Replication tag to configure the ESXi host for the Outgoing Replication Traffic

    Use the vSphere Replication NFC tag to configure the ESXi host for the Incoming Replication Traffic

    • Configure the replication VMkernel interface in its own IP subnet and connect the VMware Cloud Director Availability On-Premises Appliance to the same virtual port group. Using this configuration, the replication traffic between the ESXi hosts and the VMware Cloud Director Availability On-Premises Appliance stays in the same broadcast domain. As a result, uncompressed replication traffic avoids crossing a router and saves the network bandwidth

    • The tenant deployment process is similar to all typical VMware OVF deployments. The tenant must install the vCloud Availability On-Premises Appliance OVA into the vCenter.

    • Please download OVA file from this link

    VMware-Cloud-Director-Availability-On-Premises-4.5.0.5226630-ab9eb01ccb_OVF10.ova

    • Once downloaded, log into your vSphere Client and Deploy OVF Template

    • Select an OVF template. Install from a local file. Browse to the location of the previously downloaded OVA. Select the vCDA OVA file and click Next

    • Select a name and folder. Type in your desired virtual machine (appliance) name. Next, select a location for your virtual machine

    • Select a compute resource. Choose a host or a cluster for the appliance. Click Next

    • Review details. This is a chance for you to evaluate and verify the template

    • License agreement. Check the I accept all license agreements checkbox and click Next

    • Select storage. Configure optional storage options for the deployment and click Next

    • Select networks. Choose a destination network for every individual source network

    • Customize template. During this step of the wizard, customize the deployment

    • Root Password. Defining a root password is mandatory. However, you will need to change it when you log in to vCDA for the first time. So, you don’t need to define a very strong password at this point

    • Enable SSH. Select the Enable SSH checkbox

    • NTP Server. Enter the NTP server address the vCDA appliance will use. vCenter Server, ESXi, vCloud Director, Platform Services Controller, and the vCloud Availability appliance MUST all use the same NTP server

    • Log in to your vCDA appliance at https://your-appliance-IP/ui/admin. Use the root/password defined during OVA deployment

    • Change the root password. Set and confirm a new password. Create a strong password with at least eight (8) characters. Make sure to use lowercase, uppercase, numeric, and special characters.

    • To get started, you will need to configure a Lookup Service Endpoint. To do so, select Run Initial Setup Wizard

    • Lookup Service. Enter your connection details to set up the lookup service along with SSO admin credentials

      • Lookup service address. Type in the following URL, adding the IP address of your vCenter: https://Ip-of-your-vcenter:443/lookupservice/sdk

      • Enter SSO admin account credentials in the Username and Password field

    • Site Details. In it, type your Site Name and optionally, a short Description about the site. Click Next

    • Proceed to configure the Cloud Details by pairing up your vCloud and vCDA sites

    • The Service Endpoint Address, Organization Admin and Organization Password are provided by HI GIO Support

    • Configure your organization’s credentials for logging in to the cloud site. Type in Organization Admin (user@org) and Organization Password

      • Optional: Select Allow Access from Cloud. If you select this feature, the cloud provider and organization administrators can access and perform certain operations through the vCloud Availability Port

    • Click Next and accept the SSL certificate of the vCenter Server Lookup to continue

    • Move on to Ready to Complete. It shows the details you have provided in the previous steps. Verify that everything is accurate

      • Check Configure local placement now to enable cloud to datacenter replications. Leaving the box unchecked requires additional setup to configure the replications

    https://ports.esp.vmware.com/home/VMware-Cloud-Director-Availability
    • On the Scope page, select the Organization Virtual Data Center or Data Center Group in which to create the network, and click Next
    • On the Select Network Type page, select Isolated >> Next.

    • Enter a Name and description (optional) for the network.

    • To enable dual-stack networking (enable the network to have both IPv4 & IPv6 subnet), turn on the Dual-Stack Mode toggle.

    • Enter the Classless Inter-Domain Routing (CIDR) settings for the network >>Next

    Format: network_gateway_IP_address/subnet_prefix_length, for example 192.168.100.254/24

    • In Static IP Pools, enter the ranges of IP addresses that you want to use, click Add >> Next

    • Configure the DNS settings (Optional).

    You can put Primary DNS\Secondary DNS\DNS suffix >> Next

    • Review your settings and click Finish.

    Step 2: Creating a Routed VCD Network

    • In the top navigation bar, click Networking.

    • On the Networks tab, click New to open the New Organization VDC Network window.

    • On the Scope page, select the Organization Virtual Data Center or Data Center Group in which to create the network, and click Next

    • On the Select Network Type page, select Routed >> Next.

    Edge Gateway created by the HI GIO team

    • Enter a Name and Description (optional) for the network.

    • To enable dual-stack networking (enable the network to have both IPv4 & IPv6 subnet), turn on the Dual-Stack Mode toggle.

    • Enter the Classless Inter-Domain Routing (CIDR) settings for the network >>Next

    Format: network_gateway_IP_address/subnet_prefix_length, for example 192.168.100.254/24

    • In Static IP Pools, enter the ranges of IP addresses that you want to use, click Add >> Next

    • Configure the DNS settings (Optional).

    You can put Primary DNS\Secondary DNS\DNS suffix >> Next

    • Review your settings and click Finish.

    Step 3: View the Available Organization VDC Networks

    • In the top navigation bar, click Networking.

    • In the Networks tab, you will see a list of the available networks; from here you can also edit a network, increase its scope, or delete it

  • OS: CentOS 8 Stream, running kernel 4.18.0-500.el8.x86_64

  • Veeam repository: veeam-release-el8-1.0.8-1.x86_64.rpm

  • Veeam Agent: veeam-6.0.3.1221-1.el8.x86_64

  • Step 1: Download Veeam repository:

    The Veeam repository for Linux can be found at Index of /backup/linux/agent/rpm/el/8/x86_64/. On this page select "veeam-release-el8-1.0.8-1.x86_64.rpm".

    Step 2: Install Veeam:

    • This will download an RPM file. It is likely that you will be unable to download this directly from this page to your Linux machine, as your server will most likely not have a GUI and a web browser. To get around this it is best to download the RPM to your workstation, then use WinSCP or MobaXterm to copy the RPM file to your server via SSH.

    • Once the RPM is on your server, install it.

    • This will install the required packages for the Veeam agent, including a kmod-veeamsnap package; however, you will notice that there are still issues with the Linux kernel module for veeamsnap. If we inspect the files installed with kmod-veeamsnap and compare them with our current kernel version, we can see that the kernel module is not installed for our version. The difference is very small.

    • From this, we can see that the kernel module was installed for 4.18.0-477.10.1.el8_7.x86_64, but our current kernel is 4.18.0-500.el8.x86_64.

    • Without this kernel module, our agent based Veeam backups will fail.

    • We can confirm that this module has not loaded by running lsmod, and grepping for Veeam. We will see that grep returns 0 lines of output.

    • Fortunately, the difference in these kernel versions is small enough that the veeamsnap.ko file will still work for us.

    • First, we must create the /extra/ directory for our kernel version, then copy the kernel module to this directory.

    Step 3: Insert module veeamsnap:

    Important: If the server boots with Secure Boot, the module cannot be inserted → you must first run step 3 of the Secure Boot procedure below.

    We need to load the module into the currently running kernel using insmod:

    At this point, our agent based backups will run fine; however, the loaded module will not persist if we reboot. We will need to create a file called /etc/modules-load.d/veeam.conf, and make sure that it has the name of the kernel module in it. We will also need to run depmod to add the loaded kernel module into the kernel module dependencies list.

    Now, once we reboot the CentOS server, the veeamsnap module will automatically be loaded as a kernel module.

    And our agent-based backups will now work correctly.
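The steps above, collected into one script as an added example (not Veeam's or HI GIO's own code). The package file paths in the sample list, the refusal to copy across different upstream kernel versions, and the Secure Boot check with mokutil are assumptions of this example; on a Secure Boot host it stops and leaves the rest to the Secure Boot procedure.

```shell
#!/bin/sh
# Added example, not Veeam or HI GIO code. Follows the steps above: find the
# kernel kmod-veeamsnap was installed for, copy veeamsnap.ko for the running
# kernel, load it, and make the load persistent. Run as root with "--apply";
# without that argument only the helper functions are defined.

MODULE=veeamsnap

# Constructed sample of a package file list (the real one comes from
# "rpm -ql kmod-veeamsnap"); the exact paths are an assumption of this example.
SAMPLE_FILELIST='/etc/depmod.d/veeamsnap.conf
/lib/modules/4.18.0-477.10.1.el8_7.x86_64/extra/veeamsnap.ko'

# Path of the packaged module, read from a file list on stdin.
packaged_module_path() {
    grep -E "^/lib/modules/[^/]+/(.*/)?${MODULE}\.ko\$" | head -n 1
}

# Kernel release the packaged module was installed for (4th path component).
packaged_kernel() {
    packaged_module_path | cut -d/ -f4
}

# Upstream part of a release string: 4.18.0-500.el8.x86_64 -> 4.18.0
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# Succeeds when the module was packaged for another build of the same
# upstream kernel version. Conservative guard chosen for this example.
copy_is_reasonable() {   # $1 = packaged kernel, $2 = running kernel
    [ "$1" != "$2" ] && [ "$(upstream_version "$1")" = "$(upstream_version "$2")" ]
}

# Succeeds when the firmware reports Secure Boot as enabled.
secure_boot_enabled() {
    command -v mokutil >/dev/null 2>&1 &&
        mokutil --sb-state 2>/dev/null | grep -qi 'SecureBoot enabled'
}

apply_fix() {
    running=$(uname -r)
    files=$(rpm -ql kmod-veeamsnap) || return 1
    src=$(printf '%s\n' "$files" | packaged_module_path)
    built=$(printf '%s\n' "$files" | packaged_kernel)
    [ -n "$src" ] || { echo "kmod-veeamsnap ships no ${MODULE}.ko" >&2; return 1; }

    # Same check as "lsmod | grep veeam" in the text: nothing to do if loaded.
    if lsmod | grep -q "^${MODULE} "; then
        echo "${MODULE} is already loaded"; return 0
    fi
    if secure_boot_enabled; then
        echo "Secure Boot is enabled: complete the Secure Boot steps first" >&2
        return 1
    fi

    target=$src
    if [ "$built" != "$running" ]; then
        copy_is_reasonable "$built" "$running" || {
            echo "module built for $built, running $running: not copying" >&2
            return 1; }
        mkdir -p "/lib/modules/${running}/extra"
        cp "$src" "/lib/modules/${running}/extra/"
        target="/lib/modules/${running}/extra/${MODULE}.ko"
    fi

    insmod "$target" || return 1
    # Persist across reboots and refresh the module dependency list.
    printf '%s\n' "$MODULE" > /etc/modules-load.d/veeam.conf
    depmod -a
    lsmod | grep "^${MODULE} "
}

if [ "${1:-}" = "--apply" ]; then
    apply_fix
fi
```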

    Step 1: Download Veeam repository:

    The Veeam repository for Linux can be found at . On this page select "veeam-release-el8-1.0.8-1.x86_64.rpm".

    Step 2: Install Veeam:

    • This will download an RPM file. It is likely that you will be unable to download this directly from this page to your Linux machine, as your server will most likely not have a GUI and a web browser. To get around this it is best to download the RPM to your workstation, then use WinSCP or MobaXterm to copy the RPM file to your server via SSH.

    • Once the RPM is on your server, install it.

    Organization virtual data center networks in different organizations

  • Between an organization's virtual data center network and an external network

  • Procedure

    Fulfill IPSec parameters.

    Step 1: In the top navigation bar, click Networking and click the Edge Gateways tab.

    Step 2: Click the edge gateway.

    Step 3: Under Services, click IPSec VPN.

    Step 4: To configure an IPSec VPN tunnel, click New.

    Step 5: Enter a Name and a description (optional) for the IPSec VPN tunnel.

    Step 6: To enable the tunnel upon creation, toggle on the Status option.

    For the Security Profile – we keep it as Default and configure it later once the VPN tunnel has been created.

    Step 7: Click NEXT to select Authentication mode.

    Step 8: Select a peer authentication mode and NEXT.

    HI GIO supports 02 options for Authentication Mode:

    Step 9: In the Endpoint Configuration window, enter the following parameters (as prepared in the preparation step):

    IP address [Local Endpoint]: Enter public IP (HI GIO’s public IP).

    Networks [Local Endpoint]: Enter at least one local (HI GIO’s network) IP subnet address for the IPSec VPN tunnel.

    IP address [Remote Endpoint]: Enter public IP (remote site, ex: Office’s public IP).

    Networks [Remote Endpoint]: Enter at least one remote IP (ex: Office’s network) subnet address for the IPSec VPN tunnel.

    Step 10: Enter the remote ID (optional) for the peer site.

    In case we use a Certificate for Authentication mode

    The remote ID must match the SAN (Subject Alternative Name) of the remote endpoint certificate, if available. If the remote certificate does not contain a SAN, the remote ID must match the distinguished name of the certificate that is used to secure the remote endpoint, for example, C=US, ST=Massachusetts, O=VMware, OU=VCD, CN=Edge1.

    Step 11: Click Next.

    Step 12: Review your settings and click Finish.

    The newly created IPSec VPN tunnel is listed in the IPSec VPN view. The IPSec VPN tunnel is created with a default security profile.

    Step 13: To verify that the tunnel is functioning, select it and click View Statistics.

    If the tunnel is functioning, Tunnel Status and IKE Service Status both display Up.
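The Remote ID rule in Step 10 can be checked against the remote endpoint certificate before the tunnel is saved. The helper below is an added example, not VMware or HI GIO code; it reads the text form of a certificate, and the certificate text, host name and IP address embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example, not VMware or HI GIO code. Derives the value(s) the Remote ID
# may take from the remote endpoint certificate, following the rule in Step 10.
# Input is the text form of the certificate on stdin, for example:
#   openssl x509 -in remote-endpoint.pem -noout -text | remote_id_candidates
# (remote-endpoint.pem is a placeholder file name.)

# Print the SAN entries, one per line, if the certificate has any; otherwise
# print the subject DN spelled as in the page's example ("C=US, ..., CN=Edge1").
remote_id_candidates() {
    awk '
        /^[ \t]*Subject:/ {
            dn = $0
            sub(/^[ \t]*Subject:[ \t]*/, "", dn)
            gsub(/ = /, "=", dn)            # OpenSSL 1.1+ prints "C = US"
        }
        /X509v3 Subject Alternative Name:/ {
            # The entries are on the line after the extension name.
            if ((getline line) > 0) {
                sub(/^[ \t]+/, "", line)
                n = split(line, entry, /, /)
                for (i = 1; i <= n; i++) {
                    sub(/^[^:]*:/, "", entry[i])   # drop "DNS:", "IP Address:", ...
                    print entry[i]
                    san = 1
                }
            }
        }
        END { if (!san && dn != "") print dn }
    '
}

# Succeeds when $1 equals one of the candidates for the certificate on stdin.
remote_id_matches() {
    remote_id_candidates | grep -Fxq -- "$1"
}

# Constructed excerpts of "openssl x509 -noout -text" output.
sample_cert_with_san() {
cat <<'EOF'
        Subject: C = US, ST = Massachusetts, O = VMware, OU = VCD, CN = Edge1
        Subject Public Key Info:
            X509v3 Subject Alternative Name:
                DNS:edge1.example.com, IP Address:203.0.113.10
EOF
}

sample_cert_without_san() {
cat <<'EOF'
        Subject: C = US, ST = Massachusetts, O = VMware, OU = VCD, CN = Edge1
        Subject Public Key Info:
EOF
}

# Demo: with a SAN the DN is not a valid Remote ID; without one it is.
echo "with SAN:";    sample_cert_with_san    | remote_id_candidates
echo "without SAN:"; sample_cert_without_san | remote_id_candidates
```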

    Once the IPSec VPN tunnel has been created, we can change the IPSec VPN configuration through the security profile; it must match the remote site.

    Step 1: In the top navigation bar, click Networking and click the Edge Gateways tab.

    Step 2: Click the edge gateway.

    Step 3: Under Services, click IPSec VPN.

    Step 4: Select the IPSec VPN tunnel and click Security Profile Customization.

    Step 5: Change the configuration of the VPN tunnel as you prepared (

    Step 1: Preparing IP set for firewall rule (can use dynamic\static group also).

    IP set detail:

    Step 2: Create 02 firewall rules (Edge gateway firewall) for the IPsec tunnel:

    + HI GIO to Local (remote site)

    + And Local (remote site) to HI GIO

    If we use the Distributed Firewall, we also need to create firewall rules to allow the VPN’s traffic (remote site to HI GIO).

    Procedure

    To create distributed firewall rules and add them to a data center group, you need to define some things:

    Name: Name for the rule.

    Source: IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)

    Destination: IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)

    Application: Select applications with port to apply rule (1.5)

    Action: Allow\Reject\Drop

    IP Protocol: IPv4/IPv6 or both

    • Add an IP Set to the Data Center Group:

    IP sets are groups of IP addresses and networks to which the distributed firewall rules apply (as Source and Destination). Combining multiple objects into IP sets helps you reduce the total number of distributed firewall rules to be created

    Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab

    Step 2: Click the data center group name

    Step 3: Under Security, click IP Sets

    Step 4: Click New.

    Step 5: Enter a meaningful Name and a Description for the IP set

    Step 6: Enter an IPv4 address, IPv6 address, or an address range in a CIDR format, and click Add.

    Step 7: To modify an existing IP address or range, click Modify and edit the value.

    Step 8: To confirm, click Save.

    • Create a Static Security Group:

    Static security groups are data center group networks to which distributed firewall rules apply (as Source and Destination). Grouping networks helps you reduce the total number of distributed firewall rules that need to be created.

    Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab

    Step 2: Click the data center group name

    Step 3: Under Security, click Static Groups.

    Step 4: Click New.

    Step 5: Enter a Name, a Description for the static group, and click Save.

    The static security group will appear in the list.

    Step 6: Select the newly created static security group and click Manage Members.

    Step 7: Select the data center group networks that you want to add to the static security group >> Save

    • Assign Security Tags to VM:

    Security tags you create and assign to virtual machines help you define edge gateway and distributed firewall rules.

    Step 1: In the top navigation bar, click Networking.

    Step 2: Click Security Tags.

    Step 3: Click Add Tag.

    Step 4: Enter a tag name.

    Step 5: From the list of virtual machines in the organization, select the ones to assign the newly created tag.

    Step 6: Click Save.

    • Create a Dynamic Security Group:

    You can define dynamic security groups of virtual machines based on specific criteria (VM Name or Tag Name) to which to apply distributed firewall rules.

    Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab

    Step 2: Click the data center group name

    Step 3: Under Security, click Dynamic Groups.

    Step 4: Click New.

    Step 5: Enter a Name and a Description for the dynamic security group.

    Step 6: To create a Criterion for inclusion in the group, add up to four rules that apply to a VM Name or a VM security tag.

    • VM Name: a rule that applies to VM names containing or starting with a term you specify.

    • VM tag: a rule that applies to VM tags that equal, contain, start with, or end with a term you specify.

    As figured out, I created 02 rules

    • VM Name: Start With “demo”

    • VM Tag: Equals “non-prd” (That you created in 1.3)

    Step 7: Click Save.

    • Add a Custom Application Port Profile:

    You can use preconfigured and custom application port profiles to create distributed firewall rules.

    Application port profiles include a combination of a protocol and a port or a group of ports, used for firewall services.

    Step 1: In the top navigation bar, click Networking and then click the Data Center Groups tab

    Step 2: Click the data center group name

    Step 3: Under Security, click Application Port Profiles

    Step 4: In the Custom Applications pane, click New.

    Step 5: Enter a Name and a Description for the application port profile.

    Step 6: From the Protocol drop-down menu, select the protocol: TCP, UDP, ICMPv4, ICMPv6

    Step 7: Enter a port, or a range of ports, separated by a comma, and click Save.

    We have predefined the objects in the previous steps. We will now create the distributed firewall rules as below:

    1. In the top navigation bar, click Networking and then click the Data Center Groups tab

    2. Click the data center group name

    3. Click the Distributed Firewall tab on the left.

    4. Click Edit Rules.

  • It is assumed that your VM already has an OS and VMware Tools installed and is preconfigured.

  • Procedure

    Prerequisites: VMware Tools must be installed & VM is powered off.

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: Click card view

    Step 3: On the card of the virtual machine that you want to start, click DETAILS.

    Step 4: To enable\disable Hot-add for CPU\Memory, Click Compute > Edit (CPU section or Memory section)

    Attention: VM’s state must be powered off.

    Step 5: Enable toggle and click Save

    Attention: vSphere restrictions

    1. VMware has set a maximum value for hot-add memory. By default, this value is 16 times the memory assigned to the virtual machine.

    2. If you are running a VM with a Linux OS that has less than 3 GB RAM, you can increase the memory to only 3 GB RAM in total. If you need more, you must power off the VM, increase the memory to, for example, 4 GB RAM, and power it on again.

    Step 6: To customize Guest OS, Click Guest OS Customization > EDIT

    TIP: Guest OS Customization helps you prepare the logon, change the password, or join the domain (Windows only) on the first boot after deployment.

    Step 7: On Edit Guest Properties

    Depending on the guest OS (Linux or Windows), this page looks slightly different:

    • The Enable guest customization check box is selected.

    • Change the SID option (for Windows OS)

    • Select Allow local administrator password

    • Select Require administrator to change the password on the first login to require all administrators to change the password upon initial login (Administrators must know the old password)

    Step 8: Click Save

    Step 1: On the Virtual Data Center dashboard screen, click the card of the virtual data center you want to explore, and from the left panel, select Virtual Machines.

    Step 2: Click card view

    Step 3: On the card of the virtual machine that you want to start, click ACTIONS.

    Step 4: Click Create Template

    On the Add to Catalog page

    Step 5: Select the catalog that will store this template

    Step 6:

    Veeam Agent Installation for CentOS 9 Stream

    Overview

    This document is for installing the Veeam Backup Agent Linux on CentOS 9 Stream.

    Procedure

    • OS: CentOS 9 Stream, running kernel 5.14.0-344.el9.x86_64

    • Veeam repository: veeam-release-el9-1.0.8-1.x86_64.rpm

    • Veeam Agent: veeam-6.0.3.1221-1.el9.x86_64

    Step 1: Download Veeam repository:

    The Veeam repository for Linux can be found at Index of /backup/linux/agent/rpm/el/9/x86_64/. On this page, select "veeam-release-el9-1.0.8-1.x86_64.rpm".

    Step 2: Install Veeam and dependencies:

    • This will download an RPM file. You will likely be unable to download this directly from this page to your Linux machine, as your server will likely not have a GUI or web browser. To get around this, it is best to download the RPM to your workstation and then use WinSCP or MobaXterm to copy the RPM file to your server via SSH.

    • Once the RPM is on your server, install it and its dependencies:

    Using Edge Gateway Firewall

    Overview

    An edge gateway firewall monitors North-South traffic to provide perimeter security functionality, including firewall, Network Address Translation (NAT), and site-to-site IPSec and SSL VPN functionality.

    Firewall rules are applied to an edge gateway firewall to protect the virtual machines in an organization's virtual data center from outside network traffic.

    Procedure

    To create firewall rules and add them to an edge gateway, you need to define some things:

    Name: Name for the rule.

    Source: IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)

    Destination: IP Sets\Dynamic Groups\Static Group (1.1, 1.2, 1.3, 1.4)

    Application: Select applications with port to apply rule (1.5)

    Action: Allow\Reject\Drop

    API creates VM from Template

    Overview

    • In this manual, you will find detailed information on how to prepare & create a VM from the template.

    • This API creates a VM with the default name (VM name of template), default network "VM Network," and default compute and storage.

    Procedure


    Step 1: Preparation

    Log in to the IAM portal -> vCD portal and collect the following information:

    {{vcd_url}}

    {{vdc_uuid}}: Log in to the vCD portal -> select the VDC -> note the vdc_uuid in the URL

    {{network_uuid}}: On the vCD portal -> Networking -> Networks -> New

    # iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
    # iptables -I OUTPUT -d {Cloud Gateway address} -p tcp --dport 6180 -j ACCEPT
    # iptables-save
    # iptables -D OUTPUT -d {Cloud Gateway address} -p tcp --dport 6180 -j ACCEPT
    # iptables-save
    # dnf clean all
    # rpm -hi veeam-release-el8-1.0.8-1.x86_64.rpm
    # dnf install -y veeam

    Select the Allow Root SSH logins checkbox.

    Hostname. The hostname of VM
  • IP. IP address ( e.g. 192.168.1.186/24 )

  • Gateway. Gateway address

  • MTU. MTU ( e.g. 1500 )

  • DNS Server. IP address of the DNS server. It must be able to resolve the domain names of the vCenter Server and the Service Endpoint

  • Search Domains. List of search Domains ( e.g. abc.local )

  • Ready to complete. Review the settings. You can also select Power on after deployment. Click Finish to deploy the Appliance

  • If you leave this feature deselected, configuring new replications will only be accessible to users authenticated to the on-premises vCloud Availability Portal. Additionally, no existing replications will be reversed from the Portal

  • Service Endpoint Address, Organization Admin and Organization Password are provided by HI GIO Support

  • This will install the required packages for the Veeam agent, including a kmod-veeamsnap package; however, you will notice that there are still issues with the Linux kernel module for veeamsnap. If we inspect the files installed with kmod-veeamsnap and compare them with our current kernel version, we can see that the kernel module is not installed for our version. The difference is very small.

    • From this we can see that the kernel module was installed for 4.18.0-477.10.1.el8_7.x86_64, but our current kernel is 4.18.0-500.el8.x86_64.

    • Without this kernel module, our agent based Veeam backups will fail.

    • We can confirm that this module has not loaded by running lsmod, and grepping for Veeam. We will see that grep returns 0 lines of output.

    • Fortunately, the difference in these kernel versions is small enough that the veeamsnap.ko file will still work for us.

    • First, we need to create the /extra/ directory for our kernel version, then copy the kernel module over to this directory.

    Step 3: Enrolling Veeam Kernel Module Key:

    Install the package that contains the public key for pre-built Veeam kernel module by using the following command:

    We will see a notification like this:

    Reboot the computer to enroll the Veeam public key into the UEFI database.

    During reboot, when prompted, press any key to perform MOK management.

    Important: The prompt will time out in 10 seconds. If you don't press any key, the system will continue booting without enrolling the key. If you don't enroll the key at reboot, you will have to reconfigure the key by reinstalling the ueficert package and rebooting again.

    At the first step of the wizard, select Enroll MOK and press [Enter].

    At the Enroll the key(s) step, select Yes and press [Enter].

    Provide the password for the root account and press [Enter].

    At the final step, select Reboot and press [Enter].

    Step 4: Insert module veeamsnap:

    We need to load the module into the currently running kernel using insmod:

    At this point, our agent based backups will run fine; however, the loaded module will not persist if we reboot. We will need to create a file called /etc/modules-load.d/veeam.conf, and make sure that it has the name of the kernel module in it. We will also need to run depmod to add the loaded kernel module into the kernel module dependencies list.

    Now, once we reboot the CentOS server, the veeamsnap module will automatically be loaded as a kernel module.

    And our agent-based backups will now work correctly.
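The comparison this procedure does by eye (running kernel against the builds packaged in the kmod RPM, then the Secure Boot requirement) can be scripted as a pre-flight check. This is an added example, not part of the original guide or of Veeam's tooling; it also accepts the `.ko.xz` modules used on CentOS 9. The function names, the shortened listing and the signer string are constructed, and the outputs of `mokutil --sb-state` and `modinfo -F signer <module>` are assumed to be passed in as strings.

```python
import re

# Constructed sample, shortened from the kind of `rpm -qlp ... | grep ko$`
# listing this guide inspects.
RPM_LISTING = """\
/lib/modules/4.18.0-425.3.1.el8.x86_64/extra/veeamsnap.ko
/lib/modules/4.18.0-477.10.1.el8_8.x86_64/extra/veeamsnap.ko
/lib/modules/4.18.0-80.el8.x86_64/extra/veeamsnap.ko
"""

MODULE_PATH = re.compile(r"^/lib/modules/([^/]+)/extra/[^/]+\.ko(?:\.xz)?$")


def kernel_key(release):
    """Sortable key: the numeric fields of a release up to the dist tag.

    '4.18.0-477.10.1.el8_8.x86_64' -> (4, 18, 0, 477, 10, 1)
    """
    head = re.split(r"\.el\d", release, maxsplit=1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", head))


def packaged_builds(listing):
    """Map kernel release -> module path from an RPM file listing."""
    builds = {}
    for line in listing.splitlines():
        match = MODULE_PATH.match(line.strip())
        if match:
            builds[match.group(1)] = line.strip()
    return builds


def preflight(running, listing, sb_state, signer):
    """Return (level, message) findings for loading a packaged module.

    running  -- output of `uname -r`
    sb_state -- output of `mokutil --sb-state`
    signer   -- output of `modinfo -F signer <module>` (empty if unsigned)
    """
    findings = []
    builds = packaged_builds(listing)
    if running in builds:
        findings.append(("ok", f"exact build: {builds[running]}"))
    else:
        older = [k for k in builds if kernel_key(k) <= kernel_key(running)]
        if older:
            nearest = max(older, key=kernel_key)
            findings.append(
                ("warn", f"no build for {running}; nearest older build is {nearest}"))
        else:
            findings.append(("fail", f"no build at or below {running}"))

    secure_boot = "enabled" in sb_state.lower()
    if secure_boot and not signer.strip():
        findings.append(("fail", "Secure Boot is enabled and the module is unsigned"))
    elif secure_boot:
        findings.append(
            ("warn", f"Secure Boot is enabled; key of '{signer.strip()}' must be enrolled (MOK)"))
    return findings


if __name__ == "__main__":
    for level, message in preflight("4.18.0-500.el8.x86_64", RPM_LISTING,
                                    "SecureBoot enabled", ""):
        print(f"[{level}] {message}")
```

A "warn" on the build line means the module was built for a different kernel than the one running, which is the situation this procedure works around by copying the nearest build.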

    Index of /backup/linux/agent/rpm/el/8/x86_64/

    Remember that the security settings must match the remote site's security settings.

    *** Please also set the firewall rules for VPN traffic on the remote routers.

    VALIDATE: Tunnel status is UP with traffic

    Option: Description

    Pre-Shared Key: Choose a pre-shared key to enter. The pre-shared key must be the same on the other end of the IPSec VPN tunnel.

    Certificate: Select site and CA certificates to be used for authentication.

    IPSec parameters
    IPSec parameters
    More detail
    IPsec-Higio
    IPsec-Local-Subnet
    5. To add a firewall rule, click New on Top.

    NOTE: Each traffic session is checked against the top rule in the firewall table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.

    6. Configure the rule

    Name: [Name of rule]

    State: [Enable or disable rule by toggle]

    Applications: Select default profiles or the custom profiles created in 1.5

    Context: (Optional) Select context profile for the rule.

    Source: Select Any or Object created in 1.1, 1.2, 1.3, 1.4

    Destination: Select Any or Object created in 1.1, 1.2, 1.3, 1.4

    Action: Allow\Reject\Drop

    IP Protocol: IPv4/IPv6 or both

    Logging: [Enable or disable by toggle] enable to have the address translation performed by this rule logged

    7. Click Save.

    Please do not remove rules whose names start with HIGIO (if any).

  • Select Auto Generate password or Specify password (if you want to define it yourself).

  • Join Domain (this session is for Windows OS)

  • Enter the Name of the template

    Step 7: Select Customize VM setting and click OK to process

    The other way to create a template is to upload your template to HI GIO.

    The maximum import size is 50 GB. Large image files or templates might take a long time to upload. For assistance with files larger than 50 GB, contact the support team.

    https://kb.vmware.com/s/article/2020846
    https://kb.vmware.com/s/article/2008405
    • The modules bdevfilter and blksnap will be created in /lib/modules/$(uname -r)/extra

    • We can confirm that this module has not loaded by running lsmod, and grepping for blksnap. We will see that grep returns 0 lines of output.

    Step 3: Insert modules bdevfilter and blksnap:

    Important: If the server boots with Secure Boot, we can't insert the module; step 3 of the Secure Boot procedure below must be run first.

    We need to load the module into the currently running kernel using insmod:

    At this point, our agent-based backups will run fine; however, the loaded modules will not persist if we reboot. We must create the files /etc/modules-load.d/bdevfilter.conf and /etc/modules-load.d/blksnap.conf, and make sure that each contains the name of its kernel module. We must also run depmod to add the loaded kernel modules to the kernel module dependencies list.

    Once we reboot the CentOS server, the veeamsnap module will automatically be loaded as a kernel module.

    And our agent-based backups will now work correctly.


    Step 1: Download Veeam repository:

    The Veeam repository for Linux can be found at Index of /backup/linux/agent/rpm/el/9/x86_64/ . On this page, select "veeam-release-el9-1.0.8-1.x86_64.rpm".

    Step 2: Install Veeam and dependencies:

    • This will download an RPM file. You will likely be unable to download this directly from this page to your Linux machine, as your server will likely not have a GUI or web browser. To get around this, it is best to download the RPM to your workstation and then use WinSCP or MobaXterm to copy the RPM file to your server via SSH.

    • Once the RPM is on your server, install it and its dependencies:

    • The modules bdevfilter and blksnap will be created in /lib/modules/$(uname -r)/extra

    • We can confirm that this module has not loaded by running lsmod, and grepping for blksnap. We will see that grep returns 0 lines of output.

    Step 3: Enrolling Veeam Kernel Module Key:

    Create a directory /root/module-signing:

    Download the 3 scripts from the link: and put them in the directory just created:

    Grant execute permission to the 3 scripts:

    # chmod u+x one-time-setup sign-modules dkms-sign-module

    Create 2 files for signing modules to the UEFI database.

    Run the file one-time-setup first and then reboot:

    During the reboot, when prompted, press any key to perform MOK management.

    At the wizard's first step, select Enroll MOK and press [Enter].

    At the Enroll the key(s) step, select Yes and press [Enter].

    Provide the password for the root account and press [Enter].

    At the final step, select Reboot and press [Enter].

    After that, sign the 2 modules by running the sign-modules script:

    Step 4: Insert modules bdevfilter and blksnap:

    We need to load the module into the currently running kernel using insmod:

    At this point, our agent-based backups will run fine; however, the loaded modules will not persist if we reboot. We must create the files /etc/modules-load.d/bdevfilter.conf and /etc/modules-load.d/blksnap.conf, and make sure that each contains the name of its kernel module. We must also run depmod to add the loaded kernel modules to the kernel module dependencies list.

    Once we reboot the CentOS server, the veeamsnap module will automatically be loaded as a kernel module.

    And our agent-based backups will now work correctly.

    Index of /backup/linux/agent/rpm/el/9/x86_64/

    IP Protocol: IPv4/IPv6 or both

    • Add an IP Set:

    Step 1: IP sets are groups of IP addresses and networks to which the firewall rules apply (as Source and Destination).

    Step 2: In the top navigation bar, click Networking and click Edge Gateways.

    Step 3: Select the edge gateway that you want to edit

    Step 4: Under Security, click IP Sets

    Step 5: Click New.

    Step 6: Enter a meaningful Name and a Description for the IP set.

    Step 7: Enter an IPv4 address, IPv6 address, or an address range in a CIDR format, and click Add.

    Step 8: To modify an existing IP address or range, click Modify and edit the value.

    Step 9: To confirm, click Save.

    Please do not remove IP sets whose names start with HIGIO- (if any).

    • Create a Static Security Group:

    Static security groups are data center group networks to which distributed firewall rules apply (as Source and Destination). Grouping networks helps you reduce the number of distributed firewall rules that need to be created.

    Step 1: In the top navigation bar, click Networking and click Edge Gateways.

    Step 2: Select the edge gateway that you want to edit

    Step 3: Under Security, click Static Groups.

    Step 4: Click New.

    Step 5: Enter a Name and a Description for the static group, and click Save.

    The static security group will appear in the list.

    Step 6: Select the newly created static security group and click Manage Members.

    Step 7: Select the data center group networks that you want to add to the static security group >> Save

    • Assign Security Tags to VM:

    Security tags you create and assign to virtual machines help you define edge gateway and distributed firewall rules.

    Step 1: In the top navigation bar, click Networking.

    Step 2: Click Security Tags.

    Step 3: Click Add Tag.

    Step 4: Enter a tag name.

    Step 5: From the list of virtual machines in the organization, select the ones to assign the newly created tag.

    Step 6: Click Save.

    • Create a Dynamic Security Group:

    You can define dynamic security groups of virtual machines based on specific criteria (VM Name or Tag Name) to which firewall rules should be applied.

    Step 1: In the top navigation bar, click Networking and click Edge Gateways.

    Step 2: Select the edge gateway that you want to edit

    Step 3: Under Security, click Dynamic Groups.

    Step 4: Click New.

    Step 5: Enter a Name and a Description for the dynamic security group.

    Step 6: To create a Criterion for inclusion in the group, add up to four rules that apply to a VM Name or a VM security tag.

    • VM Name: a rule that applies to VM names containing or starting with a term you specify.

    • VM tag: a rule that applies to VM tags that equal, contain, start with, or end with a term you specify.

    As shown in the figure, I created 2 rules:

    • VM Name: Start With “demo”

    • VM Tag: Equals “non-prd” (That you created in 1.3)

    Step 7: Click Save.

    Add a Custom Application Port Profile:

    You can use preconfigured and custom application port profiles to create firewall rules.

    Application port profiles include a combination of a protocol and a port or a group of ports used for firewall services.

    Step 1: In the top navigation bar, click Networking and click Edge Gateways.

    Step 2: Select the edge gateway that you want to edit

    Step 3: Under Security, click Application Port Profiles

    Step 4: In the Custom Applications pane, click New.

    Step 5: Enter a Name and a Description for the application port profile.

    Step 6: From the Protocol drop-down menu, select the protocol: TCP, UDP, ICMPv4, ICMPv6

    Step 7: Enter a port or a range of ports, separated by a comma, and click Save.

    We defined the objects in the previous sections. Now create the edge gateway firewall rule as follows:

    Step 1: In the top navigation bar, click Networking and click Edge Gateways

    Step 2: Select the edge gateway.

    Step 3: Select Firewall under Services on the left.

    Step 4: Click Edit Rules.

    Step 5: To add a firewall rule, click New on Top.

    Each traffic session is checked against the top rule in the firewall table before moving down the subsequent rules in the table. The first rule in the table that matches the traffic parameters is enforced.

    Step 6: Configure the rule

    Name: [Name of rule]

    State: [Enable or disable rule by toggle]

    Applications: Select default profiles or the custom profiles created in 1.5

    Source: Select Any or Object created in 1.1, 1.2, 1.3, 1.4

    Destination: Select Any or Object created in 1.1, 1.2, 1.3, 1.4

    Action: Allow\Reject\Drop

    IP Protocol: IPv4/IPv6 or both

    Logging: [Enable or disable by toggle] enable to have the address translation performed by this rule logged

    Step 7: Click Save.

    After creating the firewall rules, they appear in the Edge Gateway Firewall Rules list. You can move up, down, edit, or delete the rules as needed.

    Please do not remove rules whose names start with HIGIO- (if any).
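Because the first matching rule is enforced, a broad rule placed above a narrower one silently disables the narrower one. The added example below (not HI GIO or VMware code) models a rule table with IP Sets and Application Port Profiles, evaluates traffic top-down, and lists rules that can never be reached. All rule names, IP sets and profiles are constructed sample data, and the fall-through `default` action is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"

# Constructed IP sets (name -> CIDR members), as created under Security > IP Sets.
IP_SETS = {
    "office": ["203.0.113.0/24"],
    "web-tier": ["10.10.1.0/24"],
    "db-tier": ["10.10.2.0/24"],
}

# Constructed application port profiles (name -> (protocol, ports)).
APP_PROFILES = {
    "HTTPS": ("TCP", {443}),
    "SSH": ("TCP", {22}),
    "MySQL": ("TCP", {3306}),
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # IP set name or ANY
    destination: str   # IP set name or ANY
    application: str   # port profile name or ANY
    action: str        # Allow, Reject or Drop
    enabled: bool = True


def _nets(ref):
    if ref == ANY:
        return [ip_network("0.0.0.0/0"), ip_network("::/0")]
    return [ip_network(cidr) for cidr in IP_SETS[ref]]


def _addr_match(ref, addr):
    a = ip_address(addr)
    return any(a.version == n.version and a in n for n in _nets(ref))


def _app_match(ref, proto, port):
    if ref == ANY:
        return True
    profile_proto, ports = APP_PROFILES[ref]
    return profile_proto == proto and port in ports


def evaluate(rules, src, dst, proto, port, default="Drop"):
    """Return (rule name, action) of the first enabled rule that matches."""
    for r in rules:
        if (r.enabled and _addr_match(r.source, src)
                and _addr_match(r.destination, dst)
                and _app_match(r.application, proto, port)):
            return r.name, r.action
    return "default", default  # assumed fall-through action


def _covers_nets(outer, inner):
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return all(any(i.version == o.version and i.subnet_of(o) for o in _nets(outer))
               for i in _nets(inner))


def _covers_app(outer, inner):
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    outer_proto, outer_ports = APP_PROFILES[outer]
    inner_proto, inner_ports = APP_PROFILES[inner]
    return outer_proto == inner_proto and inner_ports <= outer_ports


def shadowed(rules):
    """List (later rule, earlier rule) pairs where the later rule is unreachable."""
    pairs = []
    active = [r for r in rules if r.enabled]
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if (_covers_nets(earlier.source, later.source)
                    and _covers_nets(earlier.destination, later.destination)
                    and _covers_app(earlier.application, later.application)):
                pairs.append((later.name, earlier.name))
                break
    return pairs


# Constructed rule table, top rule first. "web-to-db" sits below a broader Drop.
RULES = [
    Rule("block-db-from-any", ANY, "db-tier", ANY, "Drop"),
    Rule("web-to-db", "web-tier", "db-tier", "MySQL", "Allow"),
    Rule("office-ssh", "office", "web-tier", "SSH", "Allow"),
    Rule("public-https", ANY, "web-tier", "HTTPS", "Allow"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.10.1.5", "10.10.2.9", "TCP", 3306))
    print(shadowed(RULES))
```

Moving "web-to-db" above "block-db-from-any" with the move up/down controls makes the allow rule effective and clears the shadowing report.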

    Note that the network name must be “VM Network”

    Select “VM Network” -> note the network_uuid in the URL

    {{vappTemplate_uuid}}: On the vCD portal -> Content Hub -> Catalogs -> HIGIO Shared Catalogs -> vApp Templates -> select the template from which you want to create the VM -> note the vappTemplate_uuid in the URL

    {{Bearer Token}}: Please follow the “Api token login” document


    Step 2: Create VM from template

    Postman:

    POST https://{{vcd_url}}/api/vdc/{{vdc_uuid}}/action/instantiateVAppTemplate

    Authorization: {{Bearer Token}}

    Headers:

    - Accept: */*;version=37.2

    - Content-type: application/vnd.vmware.vcloud.instantiateVAppTemplateParams+xml; charset=ISO-8859-1

    Body: {{select raw, copy, paste and edit the code below}}

    SEND request.


    Step 3: Verify

    On the vCD -> Data Center -> select your Virtual Data Center ->vApps -> check your vApp and VM.
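When this request is scripted instead of pasted into Postman, the collected values should be validated and the body built with an XML library so that a vApp name or ID cannot alter the request. The following is an added example, not HI GIO's or VMware's code: the function name `build_request`, the `VCD_TOKEN` environment variable and the sample values are assumptions, the IDs are assumed to be plain UUIDs, and the request is only assembled, not sent.

```python
import os
import re
import uuid
import xml.etree.ElementTree as ET

VCLOUD = "http://www.vmware.com/vcloud/v1.5"
OVF = "http://schemas.dmtf.org/ovf/envelope/1"
ET.register_namespace("vcloud", VCLOUD)
ET.register_namespace("ovf", OVF)


def _uuid(value, label):
    """Return the canonical form of a UUID, or raise if it is anything else."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{label} is not a UUID: {value!r}")


def build_request(vcd_host, vdc_uuid, network_uuid, template_uuid, vapp_name, token):
    """Assemble method, URL, headers and body for instantiateVAppTemplate."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+(?::\d{1,5})?", vcd_host):
        raise ValueError("vcd_host must be a bare host name, without scheme or path")
    if not token or any(c in token for c in "\r\n"):
        raise ValueError("token is empty or contains line breaks")
    base = f"https://{vcd_host}/api"

    def tag(name):
        return f"{{{VCLOUD}}}{name}"

    # Attribute values and text are escaped by ElementTree on serialization.
    root = ET.Element(tag("InstantiateVAppTemplateParams"),
                      {"deploy": "false", "name": vapp_name, "powerOn": "false"})
    ET.SubElement(root, tag("Description")).text = "VApp Description"
    params = ET.SubElement(root, tag("InstantiationParams"))
    section = ET.SubElement(params, tag("NetworkConfigSection"))
    ET.SubElement(section, f"{{{OVF}}}Info").text = "NetInfo"
    net = ET.SubElement(section, tag("NetworkConfig"), {"networkName": "VM Network"})
    conf = ET.SubElement(net, tag("Configuration"))
    ET.SubElement(conf, tag("ParentNetwork"), {
        "href": f"{base}/network/{_uuid(network_uuid, 'network_uuid')}",
        "name": "VM Network",
        "type": "application/vnd.vmware.vcloud.network+xml",
    })
    ET.SubElement(conf, tag("FenceMode")).text = "bridged"
    ET.SubElement(root, tag("Source"), {
        "href": f"{base}/vAppTemplate/{_uuid(template_uuid, 'vappTemplate_uuid')}",
        "name": "HIGIO",
        "type": "application/vnd.vmware.vcloud.vAppTemplate+xml",
    })

    # Encoded to match the charset named in the Content-type header of this guide.
    body = ET.tostring(root, encoding="ISO-8859-1", xml_declaration=True)
    return {
        "method": "POST",
        "url": f"{base}/vdc/{_uuid(vdc_uuid, 'vdc_uuid')}/action/instantiateVAppTemplate",
        "headers": {
            "Accept": "*/*;version=37.2",
            "Content-type": "application/vnd.vmware.vcloud."
                            "instantiateVAppTemplateParams+xml; charset=ISO-8859-1",
            "Authorization": f"Bearer {token}",
        },
        "body": body,
    }


if __name__ == "__main__":
    sample = "11111111-2222-3333-4444-555555555555"  # constructed placeholder ID
    req = build_request("vcd.example.com", sample, sample, sample, "demo-vapp",
                        os.environ.get("VCD_TOKEN", "constructed-token"))
    print(req["method"], req["url"])
    print(req["body"].decode("ISO-8859-1"))
```

Reading the token from the environment keeps it out of scripts and shell history.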

    IPSec parameters

    Object Name
    Customer's Device
    HI GIO
    HI GIO support
    Description
    [root@centos8 ~]# uname -r
    4.18.0-500.el8.x86_64
    
    [root@centos8 ~]# dnf download kmod-veeamsnap
    Last metadata expiration check: 0:32:53 ago on Mon 07 Aug 2023 04:10:27 PM +07.
    kmod-veeamsnap-6.0.3.1221-1.el8.x86_64.rpm
    
    [root@centos8 ~]# rpm -qlp kmod-veeamsnap-6.0.3.1221-1.el8.x86_64.rpm | grep ko$
    /lib/modules/4.18.0-147.el8.x86_64/extra/veeamsnap.ko
    /lib/modules/4.18.0-193.el8.x86_64/extra/veeamsnap.ko
    /lib/modules/4.18.0-240.el8.x86_64/extra/veeamsnap.ko
    /lib/modules/4.18.0-305.el8.x86_64/extra/veeamsnap.ko
    /lib/modules/4.18.0-348.el8.x86_64/extra/veeamsnap.ko
    /lib/modules/4.18.0-372.9.1.el8.x86_64/extra/veeamsnap.ko
    /lib/modules/4.18.0-425.10.1.el8_7.x86_64/extra/veeamsnap.ko
    /lib/modules/4.18.0-425.3.1.el8.x86_64/extra/veeamsnap.ko
    /lib/modules/4.18.0-477.10.1.el8_8.x86_64/extra/veeamsnap.ko
    /lib/modules/4.18.0-80.el8.x86_64/extra/veeamsnap.ko
    [root@centos8 ~]# lsmod | grep veeam -c 
    0
    [root@centos8 ~]# mkdir -p /lib/modules/$(uname -r)/extra
    [root@centos8 ~]# cp /lib/modules/4.18.0-477.10.1.el8_7.x86_64/extra/veeamsnap.ko /lib/modules/$(uname -r)/extra/.
    [root@centos8 ~]# ls /lib/modules/$(uname -r)/extra
    veeamsnap.ko
    [root@centos8 ~]# insmod /lib/modules/$(uname -r)/extra/veeamsnap.ko
    [root@centos8 ~]# lsmod | grep veeam
    veeamsnap             225280  0
    [root@centos8 ~]# depmod
    [root@centos8 ~]# echo veeamsnap > /etc/modules-load.d/veeam.conf
    [root@centos8 ~]# cat /etc/modules-load.d/veeam.conf
    veeamsnap
    [root@centos8 ~]# uptime && lsmod | grep veeam
     14:55:59 up 0 min,  1 user,  load average: 0.00, 0.00, 0.00
    veeamsnap             225280  0
    # dnf install veeamsnap-ueficert -y
    Certificate /etc/uefi/certs/veeamsnap-ueficert.crt has been imported successfully, please reboot this computer to enroll it into the UEFI database.
    # dnf clean all
    # rpm -hi veeam-release-el9-1.0.8-1.x86_64.rpm
    # dnf install epel-release -y
    # dnf install dkms python3 make gcc perl kernel-modules-extra -y
    # dnf update
    # dnf install blksnap veeam -y
    [root@centos9 ~]# ls /lib/modules/$(uname -r)/extra
    bdevfilter.ko.xz  blksnap.ko.xz
    [root@centos9 ~]# lsmod | grep blksnap
    0
    # echo POST_BUILD=../../../../../../root/module-signing/dkms-sign-module > /etc/dkms/bdevfilter.conf
    # echo POST_BUILD=../../../../../../root/module-signing/dkms-sign-module > /etc/dkms/blksnap.conf
    # /root/module-signing/one-time-setup
    # reboot
    # /root/module-signing/sign-modules /lib/modules/$(uname -r)/extra/bdevfilter.ko.xz
    # /root/module-signing/sign-modules /lib/modules/$(uname -r)/extra/blksnap.ko.xz
    [root@centos9 ~]# insmod /lib/modules/$(uname -r)/extra/bdevfilter.ko.xz
    [root@centos9 ~]# insmod /lib/modules/$(uname -r)/extra/blksnap.ko.xz
    [root@centos9 ~]# lsmod | grep blksnap
    blksnap               217088  0
    bdevfilter             20480  1 blksnap
    [root@centos9 ~]# depmod
    [root@centos9 ~]# echo bdevfilter > /etc/modules-load.d/bdevfilter.conf
    [root@centos9 ~]# echo blksnap > /etc/modules-load.d/blksnap.conf
    [root@centos9 ~]# cat /etc/modules-load.d/bdevfilter.conf
    bdevfilter
    [root@centos9 ~]# cat /etc/modules-load.d/blksnap.conf
    blksnap
    [root@centos9 ~]# uptime && lsmod | grep blksnap
     17:43:06 up 18 min,  1 user,  load average: 0.00, 0.00, 0.00
    blksnap               217088  0
    bdevfilter             20480  1 blksnap
    <?xml version="1.0" encoding="UTF-8"?>
    <vcloud:InstantiateVAppTemplateParams
        xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
        xmlns:vcloud="http://www.vmware.com/vcloud/v1.5"
        deploy="false"
        name="your vapp name"
        powerOn="false">
        <vcloud:Description>VApp Description</vcloud:Description>
        <vcloud:InstantiationParams>
            <vcloud:NetworkConfigSection>
                <ovf:Info>NetInfo</ovf:Info>
                <vcloud:NetworkConfig networkName="VM Network">
                    <vcloud:Configuration>
                        <vcloud:ParentNetwork
                            href="https://{{vcd_url}}/api/network/{{network_uuid}}"
                            name="VM Network"
                            type="application/vnd.vmware.vcloud.network+xml"/>
                        <vcloud:FenceMode>bridged</vcloud:FenceMode>
                    </vcloud:Configuration>
                </vcloud:NetworkConfig>
            </vcloud:NetworkConfigSection>
        </vcloud:InstantiationParams>
        <vcloud:Source
            href="https://{{vcd_url}}/api/vAppTemplate/{{vappTemplate_uuid}}"
            name="HIGIO"
            type="application/vnd.vmware.vcloud.vAppTemplate+xml"/>
    </vcloud:InstantiateVAppTemplateParams>

    Turn on / off the tunnel

    Authentication

    Pre-Shared Key, Certificate

    How to authenticate parties when raising a tunnel

    Local Endpoint IP Address

    The public IP address from HI GIO

    Local Endpoint Network

    List of the network share in the HI GIO cloud accessible through the tunnel

    Remote Endpoint IP Address

    The public IP address of the remote router from which you are connecting

    Remote Endpoint Network

    List of remote networks accessible through the tunnel

    Remote ID (Optional)

    IKE Profile (Phase 1)

    Object Name
    Customer's Device
    HI GIO
    HI GIO support
    Description

    IKE Version

    IKEv1, IKEv2

    Encryption

    AES 128, AES 256, AES-GCM 128, AES-GCM 192, AES-GCM 256

    Tunnel Configuration (Phase2)

    Object Name
    Customer's Device
    HI GIO
    HI GIO support
    Description

    Enabled perfect forward secrecy (PFS)

    Encryption

    AES 128, AES 256, AES-GCM 128, AES-GCM 192, AES-GCM 256

    DPD Configuration

    Interval

    VPN Tunnel Name

    Enabled

    Make DKMS sign kernel modules on installation, with full script support and somewhat distro independent

    How To Use vCDA On-Premises

    Overview

    This short manual guide is designed to help HI GIO users navigate

    • How to create a Migration Job

    # mkdir module-signing/

    Digest

    SHA1, SHA 2-256, SHA 2-384, SHA 2-512

    Package Integrity Control Hash Algorithm

    Diffie-Hellman Group

    Group 2, Group 5, Group 14, Group 15, Group 16, Group 19, Group 20, Group 21

    Encryption Public Key Size

    Association Life Time (seconds)

    Digest Algorithm

    SHA1, SHA 2-256, SHA 2-384, SHA 2-512

    Package Integrity Control Hash Algorithm

    Diffie-Hellman Group

    Group 2, Group 5, Group 14, Group 15, Group 16, Group 19, Group 20, Group 21

    Association Life Time (seconds)

    How to create a Protection Job
  • How to Test Failover, Failover, Reverse, or Migrate

  • Procedure

    • Configuring a migration allows later migrating a vApp or a virtual machine to a remote organization and running the workload in the destination site

    • The target recovery point objective (RPO) for a migration is 24 hours

    • If you log in to the VMware Cloud Director Availability On-Premises Appliance:

      • Outgoing Replications are replications and failovers of VMs from the on-premises vCenter Server to a cloud site

      • Incoming Replications are replications and failovers of VMs from the cloud site to the on-premises vCenter Server

    • If you log in to the VMware Cloud Director Availability Tenant Portal (provided by the Service Provider):

      • Incoming Replications are replications and failovers of VMs from the on-premises vCenter Server to a cloud site

      • Outgoing Replications are replications and failovers of VMs from the cloud site to the on-premises vCenter Server or Cloud to Cloud

    • In the left pane, choose a Replication Direction – Choose Outgoing Replication – Create New Migration

    • Select the VMs you want to migrate by checking the corresponding box(es). Click Next

    • On the Destination VDC and Storage policy page, select the virtual data center for the replication destination and the storage policy for placing the recovered virtual machines, and click Next.

    • On the Settings page, configure the following replication settings and click Next

      • To apply compression on the replication data traffic for reducing the network data traffic at the expense of CPU, leave Compress replication traffic selected

      • To start the replication when the wizard finishes, leave Delay start synchronization deselected. Alternatively, to schedule the start of the replication, select it and enter the local date and time for starting the replication

    • If you selected Exclude disks, on the Replicated Disks page select the virtual machine disks for replicating and click Next

    • On the Ready to complete page, verify that the replication settings of the migration are correct and click Finish

    • After the replication finishes, for the vApp and its virtual machines in the Replication type column, you see a Migration state

    • Configuring a protection allows protecting a vApp or a virtual machine from one organization to another, while keeping the workload running in the source site. If the source site is unavailable, after a successful replication you can fail over and power on the source virtual machine in the destination site

    • If you log in to the VMware Cloud Director Availability On-Premises Appliance:

      • Outgoing Replications are replications and failovers of VMs from the on-premises vCenter Server to a cloud site

    • Diagram for Replication State

    • Test Failover: By performing a test failover you can validate that the data from the source site replicates correctly in the destination site

    • In the left pane, choose a replication direction

    BaaS Support Matrix

    Overview

    This document describes which agents are supported:

    • Management (MGMT) Agent Compatibility

    • Management Agent OS and Infrastructure support

    • Backup Agent Compatibility

    • Backup Agent OS and Infrastructure support

    • Documentation References


    Management (MGMT) Agent Compatibility

    Version
    Supported

    Management Agent OS and Infrastructure support

    Version
    Windows
    Linux


    Backup Agent Compatibility


    Backup Agent OS and Infrastructure support


    Documentation References

    • Management Agent (Management Agent line):

    • Backup Agent Windows:

    • Backup Agent Linux:

    • Linux Backup Agent module:

    From the VDC VM placement policy drop-down menu, select an organization VDC placement compute policy for the recovered virtual machines

  • (Optional) To select specific hard disks of the virtual machines for replicating to the destination site for reducing the replication data network traffic, select Exclude disks

  • (Optional) To select a previous copy of the virtual machines in the destination site for reducing the replication data network traffic, select Configure Seed VMs

  • Incoming Replications are replications and failovers of VMs from the cloud site to the on-premises vCenter Server

  • If you log in to the VMware Cloud Director Availability Tenant Portal (provided by the Service Provider):

    • Incoming Replications are replications and failovers of VMs from the on-premises vCenter Server to a cloud site

    • Outgoing Replications are replications and failovers of VMs from the cloud site to the on-premises vCenter Server or Cloud to Cloud

  • In the left pane, choose a Replication Direction – Choose Outgoing Replication – Create New Protection

    • Select the VMs you want to protect by checking the corresponding box(es). Click Next

    • On the Destination VDC and Storage policy page, select the virtual data center for the replication destination and the storage policy for placing the recovered virtual machines, and click Next.

    • To set the SLA settings of the replication, select any of the preconfigured SLA profiles. Click Next

      • From the VDC VM placement policy drop-down menu, select an organization VDC placement compute policy for the recovered virtual machines

      • (Optional) To select specific hard disks of the virtual machines for replicating to the destination site for reducing the replication data network traffic, select Exclude disks

      • (Optional) To select a previous copy of the virtual machines in the destination site for reducing the replication data network traffic, select Configure Seed VMs

    • To manually configure the SLA settings, select Configure settings manually

      • Target recovery point objective (RPO): If you selected Configure settings manually, set the acceptable period for which data can be lost if there is a site failure by using the slider or by clicking the time intervals. The available RPO range for a protection is from one minute to 24 hours

      • Retention policy for point in time instances: If you selected Configure settings manually, to preserve multiple rotated distinct instances to which the virtual machines can be recovered, select this option, select the number of replication instances to keep, and select the retention time distance and unit. The retention distance unit must be greater than RPO

      • Compress replication traffic: If you selected Configure settings manually, to apply compression on the replication data traffic for reducing the network data traffic at the expense of CPU, select this option

      • Delay start synchronization: If you selected Configure settings manually, choose one of the following options

        • To schedule the start of the replication, select this option and enter the local date and time to start the replication.

        • To start the replication when the wizard finishes, leave this option deselected.

      • VDC VM placement policy: Select an organization VDC placement compute policy for the recovered virtual machines

      • Exclude disks: To select specific hard disks of the virtual machines for replicating to the destination site for reducing the replication data network traffic, select this option

      • Configure Seed VMs : To select a previous copy of the virtual machines in the destination site for reducing the replication data network traffic, select this option

    • Create a Replication Seed: Use one of the following methods for creating a seed VM in the destination site

      • Offline data transfer: Export the VM as an OVF package onto removable media and send it to the Cloud service administrator, who imports the package into your cloud organization

      • Copy over the network: Copy a source VM to the cloud organization and transfer the source data to the destination site by using other means than VMware Cloud Director Availability (FTP, OneDrive, Google Drive, …)

    • Instances: Select how many rotated instances participate in the current retention rule. The total number of instances in this example matches the maximum of 24 rotated instances

    • Distance: Select the time distance that the rotated instances spread apart in the current retention rule

    • Unit: Select the time unit for spreading the rotated instances in the current retention rule. Select one from: Minutes – Hours – Days – Weeks – Months – Years

    • On the Disks page you must select the hard disks to replicate and click Next

    • On the Ready to complete page, verify that the replication settings of the protection are correct and click Finish

    Select the protected vApp or virtual machine to test the failover and click All actions > Test Failover

    • On the Recovery Settings page, configure the recovered workload and click Next

      • Power on recovered vApps: Select to power on the virtual machines in the destination site after the task completes

      • Network settings:

        • Select Apply preconfigured network settings on failover, to assign the network configured during the virtual machine replication

        • Select Connect all VMs to network and from the drop-down menu select a network to connect the replicated virtual machines to

    • On the Recovery Instance page, configure the recovery point in time and click Next

      • Synchronize all VMs to their current state: Creates an instance of the power on workload with its latest changes and uses that instance for the test failover

      • Manually select existing instance: Select an instance without synchronizing the data for the recovered workload

    • On the Ready To Complete page, review the test details and click Finish

    • In the Last changed column, you can monitor the progress of the test. After the test finishes, for the vApp and its virtual machines in the Recovery state column you see a Test image ready state

    • To Delete the Test Failover results, select the replication to clean. Click All actions > Test Cleanup.

    • The cleanup deletes all recovered vApps and virtual machines

    • Perform a Failover Task: If the protected source site is unavailable, in the destination site perform a workload disaster recovery operation

    • Select the protected vApp or virtual machine to fail over and click All actions > Failover

    • In the Failover wizard, configure your selected workload for the failover

      • Consolidate VM disks: Select this option for a better performance of the recovered virtual machines at the expense of the failover task taking longer to complete

      • Power on recovered vApps: Select this option to power on the virtual machines on the destination site after the task completes.

      • Network settings:

        • Select Apply preconfigured network settings on failover, to assign the network configured during the virtual machine replication

        • Select Connect all VMs to network and from the drop-down menu select a network to connect the replicated virtual machines to

    • On the Recovery Instance page, configure the recovery point in time and click Next

    • On the Ready To Complete page, review the task details and click Finish

    • After the failover task finishes, the failed over workload is running in the destination site and the workload is no longer protected upon the task completion. For the vApp and its virtual machines, in the Recovery state column you see a Failed-Over state

    • Perform a Reverse Task:

      • After performing failover or migration, return the workload data from the destination site back to the original source site by reversing the replication.

      • After failing over or migrating from the source site to the destination site, the workload runs on the destination site. A subsequent reverse task replicates the failed-over or migrated workload data back to the original source protected vApp or virtual machine

      • When reversing a replication from a cloud site back to an on-premises site, VMware Cloud Director Availability uses the original datastore for the placement of the workload, regardless of the current on-premises local placement setting

    • Select the vApp or the virtual machine that is failed over and click All actions > Reverse

    • In the Reverse window, to confirm the reversal click Reverse. Reversing the replication enables the replication traffic and allows the replication to be recovered back to the source

    • After the reverse task finishes, the reversed replication overwrites the source vApp or virtual machine. The reversed workload runs in the destination site with a workload protection in the original source site. For the vApp and its virtual machines, in the Recovery state column you see a Reversed state

    • Perform a Migrate Task: By migrating an existing replication to a remote organization, the workload runs in the destination site and the source workload is powered off

    • Select the protected vApp or virtual machine to migrate and click All actions > Migrate

    • On the Migrate Settings page, configure the recovered workload and click Next

    • All source vApps will be powered-off after successful recovery

      • Consolidate VM disks: Select this option for a better performance of the recovered virtual machines at the expense of the failover task taking longer to complete

      • Power on recovered vApps: Select this option to power on the virtual machines on the destination site after the task completes.

      • Network settings:

        • Select Apply preconfigured network settings on failover, to assign the network configured during the virtual machine replication

        • Select Connect all VMs to network and from the drop-down menu select a network to connect the replicated virtual machines to

    • On the Ready To Complete page, review the task details and click Finish

    • After a successful recovery, all source virtual machines are synchronized and then powered off. The migration completes when in the Recovery state column of the replication you see Failed-Over

    • A manual (offline) sync runs. If the source workload is powered on, then it is powered off and a manual sync runs. Then the vApp or virtual machines are recovered on the destination site

    x

    Veeam Agent Linux v6.2

    x

    Veeam Agent Windows v6.3

    x

    Veeam Agent Linux v6.3

    x

    | Version | Supported |
    | --- | --- |
    | MGMT Agent v8.0 and below | |
    | MGMT Agent v8.1 | x (will auto-update) |
    | MGMT Agent v9 | x |

    Version 9

    64-bit versions of the following operating systems are supported except Server Core installations for server OS:

    • Microsoft Windows Server 2025

    • Microsoft Windows Server 2022

    • Microsoft Windows Server 2019

    • Microsoft Windows Server 2016

    • Microsoft Windows Server 2012 R2

    • Microsoft Windows Server 2012

    • Microsoft Windows 11

    • Microsoft Windows 10 (starting from version 1909)

    • Microsoft Windows 10 LTSC versions (1607, 1809)

    Linux kernel versions 2.6.32 – 6.10 are supported if you use kernels supplied by your distribution.

    Only 64-bit versions of the following operating systems are supported:

    • Rocky Linux 8.10, 9.3 – 9.6 and 10.0

    • AlmaLinux 8.10, 9.3 – 9.6 and 10.0

    • Debian 10.13 – 12.11

    • Ubuntu 16.04, 18.04, 20.04, 22.04, 22.10, 23.04, 23.10, 24.04, 24.10 and 25.04

    • RHEL 6.4 – 9.6 and 10.0

    • CentOS 7

    • Oracle Linux 6 – 9.6 and 10.0 (RHCK)

    • Oracle Linux 6 (starting from UEK R2) – Oracle Linux 8 (up to UEK R6)

    • Oracle Linux 8 (UEK R7) – for information on installing Veeam Agent,

    • Oracle Linux 9 (UEK R8) – for information on installing Veeam Agent on Oracle Linux 9 with UEK R8,

    • SLES 12 SP4, 12 SP5, 15 SP1 – SP6

    • SLES for SAP 12 SP4, 12 SP5, 15 SP1 – 15 SP6

    • Fedora 36, 37, 38, 39

    • openSUSE Leap 15.3 – 15.6

    • openSUSE Tumbleweed (experimental support)

    Consider the following limitations:

    • Linux kernel version 2.6.32 or later is supported as long as you use kernels supplied by your distribution.

    • Fedora and openSUSE Tumbleweed are supported up to kernel 6.14.

    • Linux kernel 2.6.32 - 754.6.3 in CentOS / RHEL and Oracle Linux (RHCK) is not supported.

    • Automatic deployment from the Veeam Service Provider Console is not supported for the following distributions:

    | Agent Version | Supported |
    | --- | --- |
    | Veeam Agent Windows v5 & below | |
    | Veeam Agent Linux v5 & below | |
    | Veeam Agent Windows v6 | x |
    | Veeam Agent Linux v6 | x |
    | Veeam Agent Windows v6.1 | x |
    | Veeam Agent Linux v6.1 | x |

    Version

    Windows

    Linux

    Limit

    VBR

    6.2.0.101 (Linux) 6.2.0.121 (Windows)

    Both 64-bit and 32-bit (where applicable) versions of the following operating systems are supported:

    • Microsoft Windows Server 2022

    • Microsoft Windows Server 2019

    • Microsoft Windows Server 2016

    • Microsoft Windows Server General Availability Channel (from version 1803 to version 20H2)

    • Microsoft Windows Server 2012 R2

    • Microsoft Windows Server 2012

    • Microsoft Windows Server 2008 R2 SP1

    • Microsoft Windows 11 (from versions 21H2 to version 23H2)

    • Microsoft Windows 10 (from version 1909 to version 22H2)

    • Microsoft Windows 10 Long-Term Servicing Channel (versions 2015, 2016, 2019)

    • Microsoft Windows 8.1

    • Microsoft Windows 7 SP1

    Linux kernels from version 2.6.32 to version 6.10 are supported.

    Veeam Agent for Linux supports 64-bit versions of the following distributions:

    • Debian 10.13–12.6

    • Ubuntu 16.04, 18.04, 20.04, 22.04, 22.10, 23.04, 23.10 and 24.04

    • RHEL 6.4–9.4

    • Rocky Linux 9.3 and 9.4

    • AlmaLinux 9.3 and 9.4

    • CentOS 7

    • Oracle Linux 6–9.4 (RHCK)

    • Oracle Linux 6 (starting from UEK R2) – Oracle Linux 8 (up to UEK R6)

    • Oracle Linux 8 (UEK R7)

    • Oracle Linux 9 (up to 5.15.0-209.161.7.2.el9uek)

    • SLES 12 SP4, 12 SP5, 15 SP1–15 SP6

    • SLES for SAP 12 SP4, 12 SP5, 15 SP1–15 SP6

    • Fedora 36, 37, 38 and 39

    • openSUSE Leap 15.3–15.6

    • openSUSE Tumbleweed has an experimental support status

    For 32-bit:

    • RHEL 6 and Oracle Linux 6 distributions only.

    For 6.2 Linux OS: https://helpcenter.veeam.com/rn/veeam_agent_linux_6_2_release_notes.html#considerations-and-limitations

    • Veeam Backup & Replication 12.3 (recommended)

    • Veeam Backup & Replication 12.2

    • Veeam Backup & Replication 12.1

    • Veeam Backup & Replication 12

    6.3.2.1207 (Linux) 6.3.2.1205 (Windows)

    Both 64-bit and 32-bit (where applicable) versions of the following operating systems are supported:

    • Microsoft Windows Server 2025

    • Microsoft Windows Server 2022

    • Microsoft Windows Server 2019

    • Microsoft Windows Server 2016

    • Microsoft Windows Server General Availability Channel (from version 1803 to version 20H2)

    • Microsoft Windows Server 2012 R2

    • Microsoft Windows Server 2012

    • Microsoft Windows Server 2008 R2 SP1

    • Microsoft Windows 11 (from versions 21H2 to version 24H2)

    • Microsoft Windows 10 (from version 1909 to version 22H2)

    • Microsoft Windows 10 Long-Term Servicing Channel (versions 2015, 2016, 2019)

    • Microsoft Windows 8.1

    • Microsoft Windows 7 SP1

    Linux kernels from version 2.6.32 to version 6.14 are supported.

    Veeam Agent for Linux supports 64-bit versions of the following distributions:

    • Debian 10.13 – 12.11

    • Ubuntu 16.04, 18.04, 20.04, 22.04, 22.10, 23.04, 23.10, 24.04, 24.10 and 25.04

    • RHEL 6.4 – 9.6 and 10.0

    • Rocky Linux 8.10, 9.3 – 9.6 and 10.0

    • AlmaLinux 8.10, 9.3 – 9.6 and 10.0

    • CentOS 7

    • Oracle Linux 6 – 9.6 (RHCK)

    • Oracle Linux 6 (starting from UEK R2) – Oracle Linux 8 (up to UEK R6)

    • Oracle Linux 8 (UEK R7) — for information on installation, see .

    • Oracle Linux 9 (UEK R7 up to 5.15.0-308.179.6.3.el9uek)

    • Oracle Linux 9 (UEK R8) – for information on installing Veeam Agent on Oracle Linux 9 with UEK R8, see .

    • SLES 12 SP4, 12 SP5, 15 SP1 – 15 SP6

    • SLES for SAP 12 SP4, 12 SP5, 15 SP1 – 15 SP6

    • Fedora 36, 37, 38 and 39

    • openSUSE Leap 15.3 – 15.6

    • openSUSE Tumbleweed has an experimental support status. For details about experimental support, see .

    Veeam Agent for Linux supports 32-bit versions of:

    • RHEL 6.

    • Oracle Linux 6 distributions only.

    For 6.3 Linux OS: https://helpcenter.veeam.com/rn/veeam_agent_linux_6_3_2_release_notes.html#considerations-and-limitations

    • Veeam Backup & Replication 12.3 (recommended)

    • Veeam Backup & Replication 12.2

    • Veeam Backup & Replication 12.1

    • Veeam Backup & Replication 12

    System Requirements - Veeam Service Provider Console Deployment Guide
    KB2683: Build Numbers and Versions of Veeam Agent for Microsoft Windows
    KB2681: Build Numbers and Versions of Veeam Agent for Linux
    KB2804: Veeam Agent for Linux - veeamsnap and blksnap Extended Linux Distribution Support

    Veeam Agent Windows v6.2

    3. HI GIO M365 BaaS

    Overview

    This is a document on how to:

    • Add New Organizations

    • Create a Backup Job

    • Restore on Self-service Restore Portal

    Procedure

    Step 1: Log in to HI GIO Portal with your company account.

    • In the Enter Company\User and Enter password fields, specify the credentials of an authorized user.

    • The user name must be provided in the Company Name\User format.

    • Click Log in.

    Fedora 36, 37, 38, 39

  • openSUSE Tumbleweed.

  • see this Veeam KB article
    Step 2: At the top right corner of the HI GIO Portal, click Configuration.

    Step 3: In the configuration menu on the left, click Plugin Library, then click the Veeam Backup for Microsoft 365 plugin tile.

    Step 4: In the menu on the left, click Organizations, then at the top of the list, click New.

    Step 5: At the Protected Services step of the wizard, select Microsoft services that you want to protect (Exchange Online, SharePoint Online and OneDrive for Business, Microsoft Teams, Teams chats).

    You can select the Microsoft Teams and Teams chats check boxes only if both the Exchange Online and the SharePoint Online and OneDrive for Business check boxes are selected.

    Attention: Backing up Teams chats requires using protected APIs and additional billing charges from Microsoft. For details, see Microsoft Docs. For details on configuring your backup infrastructure to back up Teams chats, see this Veeam KB article.

    Step 6: At the Connections Settings step of the wizard, select Default as the Microsoft Azure region.

    Step 7: At the Application Settings step of the wizard, select the Register a new Azure AD application automatically option and specify the name of the new Azure AD application.

    [If you have selected to protect SharePoint Online and OneDrive for Business] Select the Allow this application to enable export mode for SharePoint Web Parts check box to allow Veeam Backup for Microsoft 365 to back up web parts of your Microsoft SharePoint sites. For details on web parts, see Microsoft Docs.

    Step 8: At the Microsoft 365 Logon step of the wizard, log in to your Microsoft 365 organization:

    Click Copy code to copy an authentication code.

    • Consider that the code is valid for 15 minutes. You can click Refresh code to request a new code from Microsoft.

    • Click the Microsoft verification portal link.

    • A web browser window will open.

    • On the Sign in to your account webpage, paste the code you have copied and sign in to Microsoft Azure.

    • Make sure to sign in with the user account that has the Global Administrator role. For details on this role, see Microsoft Docs.

    Return to the wizard and click Next when the Verification status shows Verified.

    Step 9: Review organization settings and click Finish at the Summary step of the wizard.

    The steps below need to be done only once.

    Step 10: Register AzureADServicePrincipal for Tenant

    The Azure AD application that end users and restore operators from tenant organizations will use to access Restore Portal must be created for a Microsoft 365 organization on the service provider side.

    • Open PowerShell

    • Update PowerShell with winget by using the command below

    • Run the Install-Module cmdlet to install the Azure Active Directory PowerShell for Graph module. For more information, see this Microsoft article.

    • Open a Windows PowerShell Command Prompt window. Depending on the permissions of your logged-in account, you may need to open the PowerShell window in Administrator mode.

    • To install the v1 module of the SDK in PowerShell Core or Windows PowerShell, run the following command:

    This process may take some time to complete.

    • Run this command to install the beta module:

    • Run this command to install AzureAD module:

    • Register AzureADServicePrincipal with PowerShell

      • Connect to Organization and register AzureADServicePrincipal using the command below.

    Connect-AzureAD

    This command logs in to the Azure organization. Please use a user account that has Global Administrator permission.

    New-AzureADServicePrincipal -AppId "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"

    The support team will provide the AppId to customers.

    Example: New-AzureADServicePrincipal -AppId "514abb4a-63c9-44b9-9f88-2b188b32a3cf"

    Step 11: Grant admin consent to this application on behalf of all users in the tenant organization

    1. Access Azure Portal https://portal.azure.com/ with a user account that has Global Administrator permission

    2. Find AzureADServicePrincipal by application ID.

    3. Choose the Permissions tab and click Grant admin consent.
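
    An added check, not part of the original guide or of Veeam's tooling: after Steps 10 and 11, confirm that the service principal exists and list the delegated permissions that admin consent granted to it, using the AzureAD module this guide installs. `$AppId` is a placeholder for the AppId that the support team provides.

```powershell
# Added example (not from the original guide). Read-only review of the
# service principal registered in Step 10 and consented to in Step 11.
param(
    # Placeholder: the AppId that the support team provides.
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
    [string]$AppId
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null   # sign in with an account that can read the directory

# Step 10 check: exactly one service principal should exist for the AppId.
$found = @(Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'")
if ($found.Count -ne 1) {
    throw "Expected one service principal for AppId $AppId, found $($found.Count)."
}
$sp = $found[0]

# Show who publishes the application and which tenant owns it.
$sp | Select-Object DisplayName, AppId, ObjectId, PublisherName, AppOwnerTenantId, AccountEnabled |
    Format-List | Out-Host

# Step 11 check: delegated permission grants where this principal is the client.
$grants = @(Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ClientId -eq $sp.ObjectId })

# One row per granted scope, with the API (resource) it applies to.
$report = foreach ($grant in $grants) {
    $resource = Get-AzureADServicePrincipal -ObjectId $grant.ResourceId
    foreach ($scope in ($grant.Scope -split '\s+' | Where-Object { $_ })) {
        [pscustomobject]@{
            Resource    = $resource.DisplayName
            Scope       = $scope
            ConsentType = $grant.ConsentType   # AllPrincipals = consent on behalf of all users
            PrincipalId = $grant.PrincipalId   # populated only for per-user consent
        }
    }
}

# Admin consent on behalf of all users is recorded as an AllPrincipals grant.
if (-not ($grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' })) {
    Write-Warning 'No AllPrincipals grant found: admin consent from Step 11 is not in place.'
}

$report | Sort-Object Resource, Scope | Format-Table -AutoSize | Out-Host
```

    This lists delegated permissions only; application permissions are shown on the same Permissions tab used in Step 11.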

    Step 1: To launch the New Backup Job wizard:

    1. In the menu on the left, click Backup Jobs.

    2. Open the Microsoft 365 Objects tab.

    3. At the top of the jobs list, click Create Job and select Backup Job.

    4. Veeam Service Provider Console will open the New Backup Job wizard.

    Step 2: At the Job Name step of the wizard, specify the job name and description.

    Step 3: At the Organization step of the wizard, choose an organization to back up:

    1. Click Select.

    2. In the Available Organizations window, select an organization to back up.

    3. Click Apply.

    Step 4: At the Backup Mode step of the wizard, select the mode in which you want to create a backup:

    1. In the Backup scope section, specify objects to back up:

    2. Select the Entire organization option to back up the whole organization.

    This option is not recommended due to the time it takes to back up the whole organization. We should choose what to back up.

    • Select the Back up the specified objects option to back up individual objects:

      • Click Configure.

    • In the Objects to Back up window, select the type of object to back up: User, Group, Site, Teams, Personal Sites, or Current organization.

    The list of available objects depends on which Microsoft Online services are selected in the organization settings.

    • Click Add. In this guide, I choose User for Objects to back up

    • Select an object in the list to customize processing options, click Edit Processing Options, or click a link in the Processing Options column.

    • [For User, Teams, Group, and Current organization object types] In the Edit processing options window, select the necessary processing options and click Save.

    Note that processing options for Current organization objects will be applied to all users, groups, sites, and teams in the organization.

    [For Teams and Current organization object types] You can modify the Chats and Teams chats check boxes only if the Teams chats protected service is selected in the organization settings.

    For details about available object types and their processing options, see the section of the Veeam Backup for Microsoft 365 User Guide.

    #Optional: To exclude specific objects, in the Exclusions section, set the toggle to On and specify objects to exclude:

    Step 5: Review backup job settings at the wizard's Summary step.

    After creating a Backup Job, please contact the support team to apply the daily schedule.

    Step 1: Open a web browser on any computer and navigate to the Restore Portal web address https://portal-hcmc02-restore.higiocloud.vn/

    • Internet Explorer is not supported. To access Restore Portal, use Microsoft Edge (version 79 or later), Mozilla Firefox (version 21 or later), or Google Chrome (version 24 or later).

    • Log in with the Microsoft Office account that you need to restore items. You must provide a user account in one of the following formats: [email protected] or [email protected].

    • Click Log In.

    • Restore Portal will redirect you to the Microsoft authentication portal where you will be prompted to enter your Microsoft 365 user account password.

    Step 2: Select a restore point from which you want to explore and restore data from backups created by Veeam Backup for Microsoft 365. For more information on how to view and select available restore points in Restore Portal, see .

    To view available restore points and select a restore point that you want to use, do the following:

    • In the upper-left corner of the Restore Portal window, click Select Restore Point or the restore point timestamp.

      • In the displayed dialog box, do one of the following:

      • In the calendar, click the date for which Veeam Backup for Microsoft 365 has available restore points. Such dates are marked in bold. The available restore points for the selected date will be displayed on the right.

    Step 3: Example with Exchange Restore

    To restore Exchange items, do the following:

    1. Open the Explore tab.

    2. Select a restore point from which you want to explore and restore data. For more information, see .

    3. In the navigation pane, browse through the hierarchy of folders with backed-up data.

    4. Select a folder that contains the data you want to restore.

    The Exchange Restore wizard runs to configure the restore operation options.

    Step 4: At the Items step, specify the items you want to restore. If you no longer wish to restore an item, select it and click Remove.

    Step 5: At the Restore mode step, select where you want to restore the selected items:

    • Restore to the original location. Select this option if you want to restore the selected items to their original location.

    • Restore to a new location. Select this option if you want to restore the selected items to another location and specify the folder name in the Restore to the following folder field. If the specified folder does not exist, it will be created automatically.

    Step 6: Click Advanced options to open the Restore options dialog.

    In the Restore Options dialog, select check boxes next to the additional options that you want to apply during the restore operation and then click Apply:

    • Restore changed items. Select this check box if you want to restore items that have been changed.

    • Restore missing items. Select this check box if you want to restore missing items in the target folder.

    • Mark restored items as unread. Select this check box if you want to mark each restored item as unread.

    By default, all options are selected.

    #Optional: At the Reason step, specify a restore reason. This information will be available in the Reason column on the Restore Sessions tab, which you can reference later.

    Step 7: At the Summary step, review the details of the restore operation and click Finish.

    The Restore Portal runs the restore operation immediately and opens the Restore Sessions tab, where you can view details about the restore session's progress and results.

    As we can see, the items were restored to the Restore folder that we chose and marked as unread.

    To restore other items, follow the same steps as for restoring Exchange items.

    https://portal-hcmc02-backup.higiocloud.vn/
    winget install --id Microsoft.Powershell --source winget
    Install-Module Microsoft.Graph -Scope CurrentUser
    Install-Module Microsoft.Graph.Beta
    Install-Module AzureAD
    Click Select Latest Point to select the latest restore point available in a backup repository.
  • Click Apply.

  • Select check boxes next to the necessary Exchange items in the preview pane.

  • Click Restore.

  • Organization Object Types
    Selecting Restore Point