Best Practices for Network Security

Recommended Network Configurations

The following are recommended network configurations for the installation of the CommServe server, MediaAgent, and Virtual Server Agent (VSA) within an AWS environment. Note the following:

• The only Commvault requirements are HTTPS port 443 and Custom TCP rule with ports 8400–8403. Any other rules in the security groups or network access control lists can be determined by the customer.

• In the illustrations for each configuration, the MediaAgent and VSA appear as separate instances, but they can be hosted on the same server.

• In the security group sg-1a2b3c4d, the label "All traffic sg-1a2b3c4d" appears for inbound and outbound traffic. This security group configuration allows instances that are part of this security group to communicate with each other.

Recommended Network Configuration 1

The following network configuration is recommended when the CommServe server is on-premises, when there is a private network, and when the customer wants to accept traffic coming from the CommServe server only, blocking all other incoming traffic.

Recommended Network Configuration 2

The following network configuration is recommended when the CommServe server is on-premises, when there is a private network, and when the customer wants to accept all other incoming traffic.

Recommended Network Configuration 3

The following network configuration is recommended when all Commvault components are located in the AWS environment.

Other Best Practices

In-Flight

By default, all communication with Cloud Libraries use HTTPS, which ensures that all in-flight traffic is encrypted between the MediaAgent and the Cloud Library end-point, but traffic between Commvault nodes is not encrypted by default. As a best practice, any network communications between Commvault modules that route over the public Internet should be encrypted to ensure data security. You can configure network routes using standard Commvault network configurations (two-way and one-way) and enable encryption on those routes.

At-Rest

Data stored in a public cloud is usually on shared infrastructure logically segmented to ensure security. As a best practice, add an extra layer of protection by encrypting all at-rest data. Most cloud providers require that any seeded data is shipped in an encrypted format. An example of seeding data in AWS is with the use of AWS Snowball or AWS Snowball Edge devices.

HTTPS Proxies

Identify any HTTP or HTTPS proxies between MediaAgents and endpoints. whether using the public Internet or a private network, because this might have a performance impact on any backup or restore operations using an object storage endpoint. Where possible, configure Commvault software to have direct access to an object storage endpoint.

Restricting Access to Security Group

As a best practice, restrict access using a security group to control access at the protocol and port level. Also, apply the principle of "least privilege" when you design and implement rules in your security groups. Only allow the access that is needed, and do not apply overly permissive access because this can increase the risk of security breaches and vulnerabilities.

Related Topics

The following pages provide information about Commvault networking requirements and features:

• Network

• Configuring a Firewall to Install the Virtual Server Agent on a Cloud VM or Instance

• Setting Up Network Gateway Connections Using a Predefined Network Topology