Sendense Documentation

SNA Enrollment Overview

How Sendense Node Appliances enroll with SHA and why deployments often include more than one.

Documents Home

Guide

SNA Enrollment Overview

How Sendense Node Appliances enroll with SHA and why deployments often include more than one.

ReadyCurrentsnaenrollmentbackup-proxy

Definition

SNA means Sendense Node Appliance. It is a supported Sendense virtual appliance that acts as a backup proxy and runs the EBA Smart Transport role.

Enrollment connects an SNA to SHA so it can be coordinated for backup, recovery, relay, and site-side operations. After enrollment, the SNA reports reachability and readiness and receives assigned work for its site or deployment role.

When To Deploy An SNA

Deploy an SNA when a site or protected environment needs:

  • Backup proxy services for protected workloads.
  • EBA Smart Transport data movement.
  • Restore or restore-to-server site access.
  • Controller relay paths in deployment shapes where those are used.
  • Platform-local operations for supported source or target environments.
  • Additional backup concurrency, load balancing, or fault tolerance.

Connectivity Model

The SNA always initiates its connection to SHA; SHA never needs to reach into the customer site. Each SNA maintains a single always-on outbound encrypted connection to SHA, using one outbound TCP port (443 by default). No inbound firewall rules are required at the site for normal operation.

SNA to SHA connectivity

Every site connects outbound to SHA over one encrypted connection. That connection carries enrollment, control, health heartbeats, backup data, and hub-routed replication.

SNA to SHA connectivityCUSTOMER SITE ASENDENSE HUBCUSTOMER SITE BCONTROL PLANESHAOrchestration hubNODE APPLIANCESNABackup proxy for Site ANODE APPLIANCESNABackup proxy for Site BOutbound TCP 443Outbound TCP 443
Encrypted appliance connection (outbound only)

What the connection carries

Enrollment, control and health heartbeats, backup data streams, and hub-routed replication traffic all travel inside the one encrypted appliance connection.

Firewall model

Sites only need to allow the SNA's outbound connection to SHA. Direct site-to-site replication, where enabled by the replication route policy, is the one case where SNAs communicate across sites.

Enrollment

SNA enrollment uses a pairing and approval workflow. Because an SNA can enroll over the internet where the design permits it, location should be planned around connectivity, routing, performance, load, and fault tolerance rather than a single fixed placement rule.

Enrollment flow

Generated in SHA

Pairing Code

An administrator generates a short-lived pairing code and optionally pre-assigns a site.

Initiated by the SNA

Enrollment Request

The appliance submits its identity with the pairing code and appears in SHA as pending approval.

Administrator decision

Review And Approve

The administrator verifies the appliance identity fingerprint, assigns the site, and approves or rejects.

Managed appliance

Connected

The SNA reports health and heartbeats and receives work for its approved site-side workflows.

Health States

Online
The SNA is enrolled and communicating.
Degraded
The SNA is reachable but one or more required services or checks need attention.
Offline
SHA is not currently receiving heartbeats from the SNA.
Pending enrollment
The SNA has requested approval but is not yet trusted for operations.
Maintenance
The SNA is intentionally set aside for planned work and does not receive new work where enforced.

Heartbeat vs health

After approval, the SNA sends heartbeats about every 30 seconds. Heartbeat shows whether SHA is receiving current contact from the SNA; health shows whether the SNA is ready for assigned work. When heartbeats stop, SHA treats the appliance as offline and routes work to other healthy SNAs at the site where they exist.

Scale And Resilience

Customers commonly deploy multiple SNAs for load balancing and fault tolerance. A useful starting point is around one SNA for every five concurrent backup jobs, refined by workload size, storage performance, network capacity, recovery workflows, and required resilience. SHA balances work across the healthy SNAs at a site and skips appliances that are unhealthy, stale, or in maintenance mode.

Lifecycle And Updates

After enrollment, the SNA lifecycle covers site assignment changes, health and heartbeat review, version and update status, source and target connectivity checks, restore-to-server destination testing, maintenance mode before planned appliance work, support evidence collection, and safe removal or replacement.

  • Operators can see each SNA's current and available version.
  • Updates show progress and final status, and are health-gated where supported.
  • Failed or rolled-back updates need operator review.
  • Update availability can show as unavailable when version information cannot be checked.

What An SNA Is Not

  • An SNA is not snagent, the CloudStack KVM hypervisor host agent.
  • An SNA is not a Sendense Controller, the per-VM DR target appliance.
  • An SNA is not EBA; it moves backup data, it does not store recovery points.
  • SNA enrollment is not the same as source infrastructure discovery.

Related Docs