Air Gap for HyperScale X

Air Gap for HyperScale X delivers secure, isolated backup copies using native Commvault capabilities. By enforcing strict control over replication paths and storage access, it ensures organizations always have a clean, recoverable copy of data, even in the event of a sophisticated cyberattack.

How Air Gap Works in HyperScale X

Air Gap for HyperScale X protects backup data from cyber threats by isolating the air-gapped storage environment from the production environment immediately after replication is complete.

Features of Air Gap for HyperScale X

Air Gap for HyperScale X provides the following key features to ensure secure and controlled replication and isolation:

1. Dedicated Network for Replication

Air Gap replication uses a dedicated network path between the source storage MediaAgents and the Air Gap MediaAgents. This ensures that replication traffic is isolated from production and management traffic.

2. One-Way Outbound Communication

Communication is initiated only from the Air Gap cluster using a one-way outbound tunnel. No inbound connections from the production environment to the Air Gap cluster are allowed.

3. Minimal Port Exposure

Replication communication requires only the CVFWD Commvault port to be opened, reducing the overall attack surface.

4. Pull-Based Replication Architecture

Replication follows a pull-based model:

  • The Air Gap cluster determines when to pull data.
  • The Air Gap cluster initiates auxiliary copy jobs.
  • Replication continues until the Air Gap copy is synchronized.

Air Gap copies are not added to system-defined or user-created auxiliary copy schedules.

5. Prompt Isolation

The Air Gap cluster isolates itself immediately after replication is complete. This is not a fixed window-based approach; isolation occurs dynamically once synchronization is achieved.

6. Control Within Air Gap Cluster

All Air Gap control logic is implemented within the Air Gap cluster, not in the CommServe. This ensures that even if the production CommServe environment is compromised, the Air Gap cluster retains control over replication and isolation.

7. Predefined Network Topology

Air Gap establishes a one-way outbound network topology from the Air Gap MediaAgents.

  • Communication occurs only over the Commvault firewall daemon port.
  • Only a single Commvault port needs to be opened in the firewall in the Air Gap environment.
  • No inbound connections from production to the Air Gap cluster are allowed.

This controlled communication model reduces the attack surface and simplifies firewall configuration.

8. Isolation Outside Replication Windows

Outside of replication windows, the Air Gap cluster remains isolated.

Air Gap supports two levels of isolation:

  • Physical Isolation

    The network ports on Air Gap HyperScale X nodes that are used for replication from the production environment are brought down. This prevents any network communication during non-replication periods.

  • Logical Isolation

    Commvault communication tunnels are air-gapped. When the cluster is in an isolated state:

    • New connection attempts are rejected.
    • Existing services cannot establish new connections/tunnels.
    • Incoming connections are not accepted.

    This layered isolation model ensures that the Air Gap storage environment is not accessible outside controlled replication windows.

9. Continuous Replication During Cyber Recovery Testing

Air Gap replication does not require interruption during cyber recovery testing. Replication can continue while testing activities are in progress, ensuring that backup data remains up to date without affecting validation workflows.

In the event of an actual cyber incident, you can enable permanent Air Gap mode, which stops all replication activity and fully isolates the environment from the production system.

Air Gap supports two replication modes:

  • Randomized replication

    Replication is initiated at varying times based on internal parameters, such as the amount of data pending replication. This adds a layer of security by making it difficult for a malicious actor to predict when the Air Gap storage environment will become temporarily reachable.

  • Replication at a fixed time of the day

    Replication is initiated at a configured time of day. After replication starts, it continues until the Air Gap copy is fully synchronized. Once synchronization is complete, the Air Gap cluster isolates itself automatically.

    This mode is useful when you want replication to begin at a predictable time, such as during periods of low activity, while still benefiting from automatic isolation after completion.

10. Protection Against Cyber Threats

Air Gap is designed to protect backup copies from cyber threats originating in the production environment. Even if the production environment is compromised, the Air Gap cluster remains isolated outside controlled replication windows, reducing the risk of backup data tampering or deletion.

Key Capabilities

The following are the key capabilities of the system:

1. Logical and Physical Isolation

Air Gap implements both logical and physical isolation mechanisms to protect backup data from cyber threats.

  • Physical isolation is achieved by disabling, outside of scheduled replication windows, the network ports on the Air Gap HyperScale X cluster that are used for replication.
  • Logical isolation ensures that Commvault communication tunnels are closed, and no new connections can be established when the cluster is in an isolated state.

This dual-layer approach strengthens protection by reducing both network-level and application-level exposure.

2. Controlled Replication

Replication between the production environment and the Air Gap cluster is tightly controlled.

  • Only outbound connections are allowed from the Air Gap MediaAgents.
  • Communication is restricted to a specific production machine over a specific Commvault port.
  • No inbound connections from production to the Air Gap cluster are permitted.

This design ensures that replication occurs in a controlled, predictable manner with minimal exposure.
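
One way to verify the outbound-only rule above and the isolated state described under "Isolation Outside Replication Windows", from an Air Gap node's own TCP socket table. This is an added example, not Commvault code; the IP addresses, the port value and the cluster-state labels are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumptions for this example; none of these values come from the documentation.
REPL_LOCAL_IP = "10.50.0.21"  # Air Gap MediaAgent address on the replication network
PROD_PEER_IP = "10.50.0.5"    # the one production machine allowed as tunnel peer
TUNNEL_PORT = 8403            # placeholder: use the CVFWD port set in your environment
LIVE_STATES = {"LISTEN", "ESTAB", "SYN-SENT", "SYN-RECV"}

@dataclass(frozen=True)
class Sock:
    state: str
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int

def _split(endpoint):
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port) if port.isdigit() else 0  # "*" on LISTEN rows becomes 0

def parse_ss(text):
    """Parse `ss -Htan` rows: State Recv-Q Send-Q Local:Port Peer:Port."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5:
            socks.append(Sock(f[0], *_split(f[3]), *_split(f[4])))
    return socks

def audit(socks, cluster_state):
    """Return (reason, Sock) findings; cluster_state is 'replicating' or 'isolated'."""
    findings = []
    for s in socks:
        if s.local_ip != REPL_LOCAL_IP or s.state not in LIVE_STATES:
            continue  # other networks and closing sockets are out of scope here
        if s.state == "LISTEN":
            findings.append(("listener bound to replication address", s))
        elif cluster_state == "isolated":
            findings.append(("socket present while isolated", s))
        elif s.local_port == TUNNEL_PORT or s.peer_port != TUNNEL_PORT:
            findings.append(("not an outbound tunnel connection", s))
        elif s.peer_ip != PROD_PEER_IP:
            findings.append(("unexpected peer", s))
    return findings

# Constructed sample rows, not captured from a real cluster.
SAMPLE = """\
ESTAB     0 0 10.50.0.21:45122 10.50.0.5:8403
ESTAB     0 0 10.50.0.21:45130 10.50.0.9:8403
ESTAB     0 0 10.50.0.21:8403  10.50.0.5:51544
ESTAB     0 0 192.168.1.21:22  192.168.1.100:60212
TIME-WAIT 0 0 10.50.0.21:45100 10.50.0.5:8403
"""
```

Run against the sample in the replicating state, the audit reports the second row (a peer other than the designated production machine) and the third row (a connection that arrived on the tunnel port instead of leaving toward it); in the isolated state every live socket on the replication address is a finding.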

3. Replication Over Designated Backup Network

Air Gap replication occurs over a designated backup network. Using a designated backup network:

  • Separates replication traffic from production traffic
  • Reduces exposure to threats originating in the primary network
  • Simplifies firewall and segmentation configuration

4. HyperScale X Security Foundation

Air Gap is built on the broader security capabilities of the HyperScale X platform.

HyperScale X provides multiple built-in security mechanisms, including:

  • Immutability
  • Root access controls
  • Ransomware protection (enabled by default)
  • Operating System hardening and platform-level security controls

For more information about HyperScale X security features, see the Commvault HyperScale X documentation.

5. Storage Pool-Level Enablement

Air Gap is enabled at the storage pool level. No system-level configuration is required. Protection is configured and applied directly to the designated storage pool.

6. Compliance Lock Protection

Air Gap enables Compliance Lock by default to protect backup data stored in the Air Gap environment.

  • Compliance Lock prevents unauthorized or accidental deletion of data from the Air Gap storage.
  • It safeguards backup copies from actions performed by rogue or compromised users.
  • This ensures that once data is written to the Air Gap storage, it remains protected according to the configured retention policies.

This feature adds a further layer of protection by enforcing immutability at the storage level within the Air Gap environment.

7. Security Summary

Air Gap, combined with the built-in security capabilities of HyperScale X, provides a highly secure and resilient data protection solution.

By enforcing strict isolation outside controlled replication windows and leveraging platform-level security features such as immutability, access controls, and ransomware protection, the solution ensures that backup data remains protected from unauthorized access and cyber threats.

This layered approach delivers a robust and secure Air Gap architecture without requiring additional ransomware-specific configurations within the Air Gap feature.

Typical Use Cases

Air Gap for HyperScale X primarily supports two key use cases:

1. Cyber Recovery

Recovery of data following a cyber event in the production environment.

2. Cyber Recovery Testing

Periodic testing of recovery workflows to ensure preparedness for a cyber recovery event.

These use cases help organizations ensure that backup data remains isolated, protected, and recoverable even if the primary production environment is compromised.

Cyber Recovery

Air Gap is designed to protect backup copies from cyber threats originating in the production environment. In the event of a ransomware attack or other cyber incident, the Air Gap HyperScale X cluster is isolated from the production environment to prevent any further impact.

When a cyber event occurs, the Air Gap environment is cut off from the production environment until the production environment is sanitized. During this isolation period, customers can establish a control plane within the isolated recovery environment and restore critical data from the Air Gap HyperScale X cluster.

This approach ensures that backup data remains protected and available for recovery even when the production environment is compromised.

This use case ensures:

  • Recovery of data after a cyber event.
  • Reduced risk of backup data being tampered with during an active incident.

Cyber Recovery Testing

Regular cyber recovery testing validates that the organization can successfully recover data from the Air Gap environment.

This use case supports:

  • Periodic validation of recovery processes.
  • Verification of replication and isolation mechanisms.
  • Assurance that mission-critical workloads can be restored within defined recovery objectives.

Cyber recovery testing helps ensure operational readiness and minimizes uncertainty during actual cyber events.

Note

Cyber recovery testing does not require interruption of Air Gap replication. Replication and testing activities can run in parallel, ensuring continuous data protection while validation workflows are in progress.
