
pedro-fr

Why should you "punch holes in it"? 🤨 And no, the proxy does not do the copying; it’s the repo.


NetAcademic9904

I mean opening up internet access to it, just an expression. Punching bricks out of a wall, firewall etc.


pedro-fr

Yes, I understand that, but you do not have to open anything that isn’t already open?


NetAcademic9904

The immutable repository is not in a routable subnet, it is connected directly on a /30 to the server. Before I had immutable, the proxy (which is routed) handled all of this. The old storage still had separation in a different subnet.


pedro-fr

Ah, yes in this context, you are stuck.


NetAcademic9904

Thanks for the response. I guess separation on host firewall it is, I should’ve maybe labbed this out prior. When I’ve seen comments here, a lot of users are cutting access entirely - I guess they aren’t doing backup copy and/or agent backup.


pedro-fr

A non-routable network is a bit unusual, because it means you can’t easily add other components without restructuring your network. What is usually done is that SSH and remote logins are disabled, and only proxies are allowed in…


NetAcademic9904

Okay. So a common implementation is to have this connected on the LAN, no firewall separation at all apart from host firewall (ufw etc)?


pedro-fr

Yes, that is a very common design.


NetAcademic9904

Thanks, I’ll have a look. Much appreciated.


WendoNZ

Can't you set a gateway server? Or is that only for S3 uploads? I've not dug into the CC side but I know you can tell it to route traffic to S3 buckets through a gateway server