1. Help Center
  2. Backup and Disaster Recovery

Virtual Systems DRaaS with Veeam Architecture Reference

This knowledge base article will answer your questions about Virtual Systems reference architecture for Disaster Recovery as a Service (DRaaS) with Veeam.

Virtual Systems’ DRaaS reference architecture covers most customers’ requirements, but keep in mind that this information doesn’t cover all of the possible options with Virtual Systems for Veeam DRaaS. For example, some solutions can use third-party firewall appliances. Talk to your Virtual Systems project manager to ensure you have the architecture that best suits your environment.

Veeam DRaaS Features

  • Connectivity is simplified due to using two network appliances.
  • Failover Edge allows customers to connect through an IPSec VPN tunnel on the local network or to connect through SSL VPN remotely.
  • An outage only impacts a small subset of workloads.

Veeam DRaaS also gives you the ability to trigger individual failover on a per VM basis. This feature powers the Veeam Network Extension Appliance on the Virtual Systems side and the customer’s side. The two appliances set up seamless connectivity with a layer 2 VPN between the Virtual Systems Recovery VDC and the customer’s environment.

The Reference Architecture

This diagram includes the elements of Virtual Systems’ reference architecture.


  • VPN, using AES-256 encryption, securely carries replication traffic. Veeam automatically establishes and configures the connection.
  • Virtual Systems’ built-in networking includes support that enables you to configure IPsec VPNs.
  • Virtual Systems built-in networking also allows you to configure an SSL-VPN server for remote connections.
  • Virtual Systems’ multiple, highly available Veeam Cloud Connect Gateways handle incoming connections from customers. Customers also have the option of a dedicated Cloud Connect Gateway that prefer a dedicated replication circuit instead of the internet.
  • Virtual Systems’ built-in networking includes firewall, routing, IPsec, VPN, SSL-VPN and load balancing. You also have the option to replace built-in networking with your own virtual or physical networking devices.
  • Your replica VMs run in Virtual Systems’ Secure Cloud during failover testing or actual failover, or you can run always-on VMs in the same environment.

More on the Veeam Network Extension Appliance (NEA)

The Veeam NEA enables seamless communication between VMs at the source data center and the VMs running in failover at Virtual Systems and automatically deploys when you initiate partial failover. Veeam will automatically deploy an NEA in the source data center as part of the initial setup.

The NEA is powered off until a partial failover begins, usually when a small subset of VMs experience an outage. The NEA powers up and establishes a layer 2 VPN, basically extending the network between the two sites.

See our knowledge base on connecting to the service provider for more information.

Virtual Systems Secure Cloud allows us to create a version of your on-premises networks connected to the Failover Edge. This will enable you to preserve your IP address scheme and not change your VM IP address during failover. In addition, it makes testing simpler and eliminates many failover challenges.

Moreover, if failover is required, you won’t have to update DNS records, and the application stack should communicate just as it does in production.

VMs can connect to the Failover Edge by IPsec, VPN, SSL-VP that can use Active Directory for authentication, and public IP addresses.