MSP Architecture
The MSP infrastructure in NAKIVO Backup & Replication consists of the following components:
- MSP Console: The centralized control hub from which a service provider manages backup and replication for all tenants. It is available to users with an MSP license, Beta instance, Promo license, or Trial license.
- MSP Dashboard: The Master Tenant Dashboard available in a multi-tenant installation with a non-MSP license.
- Director: The core component that orchestrates and coordinates the other components of the NAKIVO Backup & Replication infrastructure for MSPs.
- Transporter: The component that moves data between the other components and performs the backup and replication work.
- Backup Repository: A storage location within the NAKIVO Backup & Replication infrastructure that holds the backups of local tenant workloads. Used as primary and secondary backup storage, backup repositories can form part of the recommended 3-2-1 backup strategy.
- Master Site and Remote Site(s): The main NAKIVO Backup & Replication infrastructure components (Director, Transporter(s), and Backup Repositories) in an MSP setting. The Master site (on the MSP side) is the central point from which multiple Remote sites (client sites) are managed.
- Remote Tenant: A tenant that runs its own standalone NAKIVO Backup & Replication instance in single-tenant mode in its infrastructure and is added to the MSP's multi-tenant installation so that the Master tenant (the MSP) can monitor it.
- Local Tenant: A tenant created and managed by the Master tenant (MSP) to deliver backup and disaster recovery as a service to clients. To reach the client's remote resources, the MSP enables Direct Connect.
Notes
- Only users with an MSP license, Beta instance, Promo license, or Trial license can additionally access the MSP Console and the Licensing > Tenants tab. From this single interface they can oversee all independent instances of NAKIVO Backup & Replication associated with the managed service provider (MSP) as well as local tenants, without navigating into individual tenants. Multi-tenant instances of NAKIVO Backup & Replication without one of these license types only have access to the MSP Dashboard.
- Multiple remote tenants, each tied to a separate client environment, can connect to a single instance of the MSP Director.
- Only local tenants consume the MSP's licensed workloads. Remote tenants are licensed independently and have their own workloads.
- The Master tenant (MSP) operates each remote tenant independently of the others, managing that tenant's backup, replication, and recovery operations in isolation.
- Direct Connect lets the NAKIVO Backup & Replication instance installed at the MSP site reach the resources at a client's remote site over a single port connection, without a VPN. The client exposes that one port on its infrastructure.
The MSP architecture in NAKIVO Backup & Replication empowers the MSP Director to oversee and synchronize with each tenant (client). It ensures the establishment of secure and isolated communication channels, facilitating both data exchange and administration within the distinct data protection environment of each tenant.
To establish these isolated communication channels, the MSP initiates the creation of a remote tenant account for standalone users. After a remote tenant at the MSP Director is created, the client with a standalone instance of NAKIVO Backup & Replication can use the provided credentials to connect to the MSP’s NAKIVO Backup & Replication instance. Refer to Creating a Remote Tenant for more details.
Once the setup is done on both sides, the MSP can manage the remote tenant's instance much as a user on the remote tenant side would manage it. In this way the MSP (Master tenant), working from a single tenant of its own instance, manages the remote tenants (client sites) that run on other Directors. For more information, refer to Managing an MSP Connection.
A managed service provider (MSP) can also use the MSP Console to create and manage local tenants. To do this, the MSP can enable Direct Connect to establish a connection with client remote resources.
Running an MSP Connection
The general workflow for running a connection between the remote tenant instance and the MSP’s instance of NAKIVO Backup & Replication is as follows:
- At startup, each remote tenant instance initiates an outbound TCP connection to the MSP Director on the initial connection port (4443 TCP by default). This port is used only for the initial MSP - remote tenant connection setup and checks.
- During this initial connection, the MSP Director informs the remote tenant which listening port to use for the persistent connection.
- The MSP opens that listening port in its firewall. The remote tenant always initiates the connection, so the firewall rule is required on the MSP side.
- Each remote tenant then establishes and maintains its own dedicated TCP connection to the MSP Director's listening port (6702 TCP by default). This single bidirectional connection carries all traffic for that tenant, including:
  - MSP Dashboard traffic: communication between the MSP Dashboard and the storage Transporter on the client side.
  - Remote tenant traffic: all other remote tenant-related activity, including drill-through into data, remote tenant actions, and other communication between the MSP and the storage Transporter.
- These connections are the conduits for all data transfers, administrative commands, monitoring, and management actions related to the specific remote tenant.
- Both ports, 6702 TCP and 4443 TCP, carry TLS, which provides encryption, integrity, and authentication for the traffic between the MSP Director and each remote tenant, so each tenant's connection is protected separately. Keep in mind that TLS authenticates the MSP Director to the remote tenant only if the connecting side validates the certificate it is presented; encryption alone does not rule out an impostor endpoint.
- The MSP Director's listening port (6702 TCP) and the initial connection port (4443 TCP) can be changed by the MSP in Expert Settings to suit specific deployment requirements or security policies.
- Changing the listening port after remote tenants have connected may interrupt their connections until they reconnect, and the MSP-side firewall rule must be updated to match. For the full list of required TCP ports, see the MSP Console section in Feature Requirements.
- During a product update on either the Master tenant or the Remote tenant side, the connection is suspended. After the update completes, the remote tenant keeps trying to reestablish the connection, and the Master tenant side listens for these attempts until the connection is back.
- If network connectivity between the MSP and the remote tenant is lost, the same recovery applies once the issue is resolved: the Remote tenant side retries indefinitely, and the Master tenant side listens for its attempts until the connection is reestablished. The connection can also be reestablished manually.
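The following pre-flight check, added here as an example and not part of NAKIVO Backup & Replication, exercises the network path described above from the remote tenant side: it confirms that the MSP Director accepts TCP on the initial connection port and on the tenant listening port (the documented defaults 4443 and 6702 are used unless the caller overrides them), completes a TLS handshake on each and reports whether the presented certificate is trusted, and models the retry-until-reachable behaviour of the remote tenant after an update or a network outage. The host name, the probe timeout, and the exponential backoff with jitter are assumptions of the example; the documentation only says the remote tenant retries indefinitely and does not specify a retry schedule.

```python
"""Remote-tenant-side pre-flight check for an MSP Director connection.

Added example, not NAKIVO Backup & Replication code. The MSP host name and
the retry schedule are assumptions; the port numbers are the documented
defaults and can be overridden if the MSP changed them in Expert Settings.
"""
import random
import socket
import ssl
import time
from typing import Callable, Optional, Tuple

MSP_SETUP_PORT = 4443    # initial MSP - remote tenant connection setup/checks (TCP)
MSP_TENANT_PORT = 6702   # default MSP Director listening port for the tenant connection (TCP)


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or name resolution failure
        return False


def tls_handshake(host: str, port: int, timeout: float = 3.0,
                  verify: bool = True) -> Tuple[bool, str]:
    """Complete a TLS handshake and report the negotiated protocol version.

    With verify=True (the only setting that gives peer authentication) the
    certificate must chain to the local trust store and match `host`. An
    untrusted or self-signed certificate is reported as a distinct failure so
    the operator can see that the channel would be encrypted but the MSP
    Director would not be authenticated.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version() or "unknown"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted: {exc.verify_message}"
    except OSError as exc:  # ssl.SSLError and socket timeouts are OSError subclasses
        return False, f"handshake failed: {exc}"


def backoff_delay(attempt: int, base: float = 1.0, cap: float = 60.0,
                  jitter: Callable[[float], float] = lambda d: random.uniform(0, d)) -> float:
    """Capped exponential backoff with full jitter (assumed policy, not documented)."""
    return jitter(min(cap, base * (2 ** attempt)))


def wait_for_port(host: str, port: int,
                  probe: Callable[[str, int], bool] = check_tcp,
                  max_attempts: Optional[int] = None,
                  sleep: Callable[[float], None] = time.sleep,
                  base: float = 1.0, cap: float = 60.0) -> Optional[int]:
    """Retry the probe until it succeeds; returns the number of attempts used.

    max_attempts=None mirrors the documented behaviour (the remote tenant keeps
    trying indefinitely); with a bound, None is returned once it is exhausted.
    """
    attempt = 0
    while max_attempts is None or attempt < max_attempts:
        if probe(host, port):
            return attempt + 1
        sleep(backoff_delay(attempt, base, cap))
        attempt += 1
    return None


def preflight(host: str, setup_port: int = MSP_SETUP_PORT,
              tenant_port: int = MSP_TENANT_PORT, timeout: float = 3.0) -> dict:
    """Check both documented ports and return a per-port report."""
    report = {}
    for name, port in (("setup", setup_port), ("tenant", tenant_port)):
        tcp_ok = check_tcp(host, port, timeout)
        tls_ok, detail = (tls_handshake(host, port, timeout) if tcp_ok
                          else (False, "tcp connect failed"))
        report[name] = {"port": port, "tcp": tcp_ok, "tls": tls_ok, "detail": detail}
    return report


if __name__ == "__main__":
    import json
    import sys
    # Hypothetical host name; pass the real MSP Director address as argv[1].
    msp_host = sys.argv[1] if len(sys.argv) > 1 else "msp-director.example.invalid"
    print(json.dumps(preflight(msp_host), indent=2))
```

Run it from the client site before creating the remote tenant: a `tcp: false` on either port points at the MSP-side firewall rule or a changed Expert Settings port, while `certificate not trusted` means the channel would be encrypted but the remote tenant would not be authenticating the MSP Director. `wait_for_port` with `max_attempts=None` reproduces the indefinite retry the documentation describes; bound it when scripting so a misconfigured port does not block forever.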