Dell EMC PowerProtect DDVE on Google Cloud Platform 7.9 Installation and Administration Guide

Security best practices

Avoid public IP address

To prevent brute force attacks on the DDVE, do not configure DDVE with a public IP address.

Secure access

DDVE supports the authentication methods that are listed in the following table:

Table 1. Access types and authentication
  Access Type | Authentication Methods
  UI          | Username and password; X509 certificates
  SSH         | Username and password; SSH key pair
  REST API    | Username and password; X509 certificates

For better security, it is recommended that you disable username and password-based user authentication. If username and password-based authentication is required, configure it with a strong password.

NOTE: Do not disable password-based login if you want to configure Avamar Virtual Edition, NetWorker, or other backup software to connect to DDVE in GCP. These products use password authentication for communication between them.

Security best practices

Because GCP is a public cloud, pay attention to the security in your deployment. These best practices are recommended:

  • Use public key based authentication for SSH access.
  • Use certificate-based authentication for DDSM access.
  • Do not configure public IP for DDVE in GCP.
  • Enable encryption for DDFS and replication.
  • Use an external KMIP server to store encryption keys.
  • Use OAuth 2.0 authentication method for access to the cloud storage.

When deploying DDVE from the Google cloud console, you cannot assign a password for the DDVE default user sysadmin. But you can assign a public key for the sysadmin.

Note the important differences between the DDVE and the standard Linux flavor in GCP:

  • After deployment, SSH login to the DDVE with username and password is enabled. The default password is the instance ID (instanceid) of the DDVE. On first login, you must change the password.
  • If you assign a public key when deploying DDVE from the Google cloud console, you can access DDVE over SSH with that key pair.
  • For DDVE, the public key is applied only to the sysadmin user. In standard Linux, if you provide a public key with the format ssh-rsa [KEY_VALUE] [USERNAME], and then create a USERNAME, this public key is applied only to this user.

IP Tables feature

After protecting the DDVE using secure setup, you can use the iptables feature in DDVE to filter the network traffic that enters the system. The Net Filter section of the DDOS Command Reference Guide provides more configuration information.

Firewall rule settings

The DDVE instance on GCP always runs in a VPC. Configure the VPC so that only required and trusted clients can access the DD system. The following tables show the TCP and UDP ports that the DD system uses for inbound and outbound traffic, and the services that use them. Consider this information when configuring VPC firewall rules. The GCP firewall rules documentation provides more information.

Inbound control

The following table lists the inbound ports that are used by DDVE.

Table 2. Inbound ports used by DDVE
  Port     | Service                                    | Description
  TCP 22   | SSH                                        | SSH (CLI) access and configuring DDVE.
  TCP 443  | HTTPS                                      | DDSM (UI) access and configuring DDVE.
  TCP 2049 | DD Boost, NFS                              | Main port used by NFS. You can modify this port using the nfs set server-port command, which requires SE mode.
  TCP 2051 | Replication, DD Boost, Optimized Duplication | Used only if replication is configured (run replication show config on the DD system to determine). You can modify this port using replication modify.
  TCP 3009 | SMS (system management)                    | Used for remotely managing a system with DD System Manager. This port cannot be modified. This port must be open if you plan to configure replication from within the DD System Manager. The replication partner must be added to the DD System Manager.

Depending on the protocol that is used to back up data to DDVE, additional ports are enabled with inbound firewall rules. The Ports for inbound traffic table provides a complete list of all ports that are enabled for inbound traffic for DD systems.
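The following script is an added example, not part of the Dell guide: it turns Table 2 into VPC ingress rules that allow each DDVE port only from the trusted client range that needs it, and refuses to apply a plan that would expose any port to 0.0.0.0/0. The VPC name, network tag, and CIDRs are assumptions for illustration; set them for your environment.

```shell
#!/bin/sh
# Added example (not Dell's code). Builds gcloud firewall rules for the
# inbound ports in Table 2, each restricted to one trusted source range.
NETWORK="${NETWORK:-ddve-vpc}"               # assumed VPC name
TAG="${TAG:-ddve}"                           # assumed network tag on the DDVE instance
ADMIN_CIDR="${ADMIN_CIDR:-10.10.0.0/24}"     # constructed: admin hosts (SSH, DDSM, SMS)
BACKUP_CIDR="${BACKUP_CIDR:-10.20.0.0/24}"   # constructed: backup clients (NFS / DD Boost)
PEER_CIDR="${PEER_CIDR:-10.30.0.0/24}"       # constructed: replication partner

# rule_cmd NAME SOURCE_CIDR PORT_SPEC DESCRIPTION -> prints one gcloud command
rule_cmd() {
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --action=ALLOW --priority=1000 --rules=%s --source-ranges=%s --target-tags=%s --description="%s"\n' \
    "$1" "$NETWORK" "$3" "$2" "$TAG" "$4"
}

# One allow rule per Table 2 service; no rule opens a port to the internet.
ddve_ingress_plan() {
  rule_cmd ddve-allow-ssh  "$ADMIN_CIDR"  tcp:22   "SSH CLI access"
  rule_cmd ddve-allow-ddsm "$ADMIN_CIDR"  tcp:443  "DDSM UI access"
  rule_cmd ddve-allow-sms  "$ADMIN_CIDR"  tcp:3009 "DD System Manager remote management"
  rule_cmd ddve-allow-nfs  "$BACKUP_CIDR" tcp:2049 "NFS / DD Boost"
  rule_cmd ddve-allow-repl "$PEER_CIDR"   tcp:2051 "Replication / optimized duplication"
}

# Guard: succeed only if no rule in the plan uses a public source range.
plan_is_private() {
  ! ddve_ingress_plan | grep -q -- '--source-ranges=0.0.0.0/0'
}

ddve_ingress_plan                     # always show the plan
if [ "${APPLY:-0}" = 1 ] && plan_is_private; then
  ddve_ingress_plan | sh              # apply only when explicitly requested
fi
```

Run with APPLY=1 to execute the printed commands; the implicit VPC deny-ingress rule then blocks everything not listed.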

Outbound control

The following table lists the outbound ports that DDVE uses.

Table 3. Outbound ports used by DDVE
  Port     | Service                                    | Description
  UDP 123  | NTP                                        | Used by the DD system to synchronize to a time server.
  TCP 443  | HTTPS                                      | Used for DDVE to communicate with outside services.
  TCP 2049 | DD Boost, NFS                              | Main port used by NFS. You can modify this port using the nfs set server-port command, which requires SE mode.
  TCP 2051 | Replication, DD Boost, Optimized Duplication | Used only if replication is configured (run replication show config on the DD system to determine). You can modify this port using replication modify.
  TCP 3009 | SMS (system management)                    | Used for remotely managing a system using DD System Manager. This port cannot be modified. This port must be open if you plan to configure replication from within the DD System Manager. The replication partner must be added to the DD System Manager.

Depending on the other applications and services that are being used, additional ports are enabled for outbound firewall rules. For a complete list of ports that are enabled for outbound traffic for DD systems, see the Ports for outbound traffic table.
