#Backup Data... without network access?

Good evening!
So this is a doozy.. we are fielding a new backup solution for our PKI. In our environment, our NetApp datastore sits behind a backend switch, which has our hosts on the other side of it. Those hosts then have additional connections to a production network facing switch. We manage the NetApp via Jumpbox that sits on both networks but remains offline until we need it. In our previous solution (AD CS), we could export our CA databases and configs onto a share we are using SVM DR with. This new solution runs as a Linux based VMware VM and unfortunately can only really be restored as an entire VM, so throwing our config/database backup on our share will no longer work. We have another site which would be perfect to do some Unified Replication to, we would just need to hook up the NetApp to the network facing switch and set it all up.

Unfortunately due to the nature of the data we are protecting, leadership is completely against moving the NetApp outside of that backend network so here we are. Looking for some guidance/advice on backup solution for my unique use case. Obviously leveraging any one of NetApp's robust backup solutions would be ideal, but I need to find a way to back up data. FWIW, we are really only concerned with backing up that one VM, all of the other VM's on that stack could actually be easily rebuild and the services we provide have geographical site redundancy. I've looked a bit into NDMP backup.. but that seems to be more for tape to tape backup? It seems the solution that I need seems to be.. the ability to export a volume into some kind of file, move it off the NetApp, move it off the backend network and onto our production network, then manually put it on a NetApp at a different site. Then be able to import that data onto its original NetApp to restore the VM to a previous state should we need to. I honestly have no idea if this is something that can be done but I thought i'd try my luck. Thanks in advance

To start, what kind of backup media do you want this on?

What about creating a dedicated ipspace for replication. Place the intercluster lifs in that ipspace. Replicate over the encrypted connection. Can be a single volume or an entire SVM (if NAS, SAN data won’t replicate in SVM replication)

SnapMirror to tape? 😄

Put a tape drive on the Netapp.
Get a cheap backup app. Like BackupExec or ArcServ and send it to tape

Or get another small NetApp and make a dedicated backend-backend network with the two clusters and replicate

Well, the requirement would be to still back up the data to our other site across the country. I have two seperate NetApps running a share with SVM DR, from my primary site on the east coast to secondary on the west coast. They sit in the same rack as the backend NetApps.

Ideally would leverage those, I'm only using half of my data ports on those SVM DR NetApps, so maybe i could connect them also to the backend network switch. Maybe do a double SnapMirror? I forget what thats called, from box 1 to 2 to 3

Then to restore the data... snapmirror restore twice?

cascade is what you are looking for

or you could possibly find a way to mount the data from the destination or send a mirror the opposite direction...plenty of ideas I suppose

Was on the tip of my tongue

Will have to check the docs for that when I get to work - hoping that fits because I’m honestly out of ideas beyond that

I pitched the idea of cascading between primary to secondary to off-site tertiary - leadership likes the idea however security is concerned with data traveling from the production network back into the private network in the event of a restore, not really sure what to say to give them a warm and fuzzy

I think i can set up an IPsec tunnel between each system for data-in-flight encryption?