Take your vSAN data protection storage usage in your VMware Cloud Foundation (VCF) deployment to the next level with broader site and VM protection and recovery capabilities enabled through VMware Advanced Cyber Compliance integration.
vSAN data protection built into VCF
If you are already familiar with the benefits of local data protection snapshot capabilities of vSAN ESA, then you have some experience with one of the services in the combined protection and recovery appliance that is part of the ACC solution.
If you are not already leveraging local snapshots for operational recovery and better data storage management, check out these resources:
- vSAN Data Protection in VMware Cloud Foundation – The Solution You Already Own
- VCF Storage (vSAN) blogs
- Using vSAN Data Protection
- vSAN Data Protection documentation
Extend VM Protection and Recovery
Now let’s dive into the combined value of vSAN data protection and VMware Advanced Cyber Compliance to enable robust, confident recovery from cyberattacks and other disasters. The protection and recovery appliance included in the disaster recovery capabilities of the Advanced Cyber Compliance solution has three services, all combined into a single appliance that is easy to deploy and manage:
- vSAN ESA snapshot service
- Enhanced vSphere replication
- Protection group and recovery orchestration
The combination of these appliance services along with vSAN ESA storage capabilities increases opportunities for broader multisite protection and recovery of your VM workloads in VCF.
Configure a Secondary Recovery Site
Within your VCF deployment topology, simply enable another vSAN ESA cluster at a second site or location. A second site implies an additional vCenter environment in a VCF workload domain. For simplicity and reference purposes, we’ll call these two sites “SiteA” and “SiteB” and deploy them in the same VCF instance, as shown below.

NOTE: For more detailed information about possible VCF deployment designs, please visit the online blueprints documentation.
To maximize the value of all three services mentioned above and extend your vSAN data protection between these sites, you will need to license the orchestration capability. The protection and recovery orchestration capability is required to manage vSAN data protection options for protection groups that need to include the replication features.
NOTE: The enhanced vSphere replication and vSAN data protection snapshot service capabilities are already included in the VCF licensing.
At the new secondary site, deploy your vSAN ESA cluster for the corresponding vCenter along with another instance of the combined appliance. In many cases, the vCenter appliances as well as these protection and recovery appliances will be installed into the VCF management domain.
Once the two sites are configured, it’s a pretty simple process of establishing the enhanced vSphere Replication between the ESX hosts at each site.
Extend Protection Policy Scope
VMware Advanced Cyber Compliance includes fully orchestrated disaster recovery across on-premises VCF sites. With vSAN ESA datastores at these multiple sites, you can now build a more robust data protection and disaster recovery solution across the enterprise.
With a multisite, combined Advanced Cyber Compliance and vSAN ESA setup in place, the protection groups that you define within vSAN data protection for local recovery can now take advantage of two additional options (the second and third in the list below) that involve replication and protection coordination between the two sites:
- Local protection – snapshot protection within a single site
- Replication – VM data replication to a secondary site
- Local protection and replication – VM data replication between sites plus local snapshots and remote snapshot retention
Let’s look more closely at an example of a vSAN data protection setup between the two sites that can be used for disaster recovery if the original site becomes unavailable or inoperative. For this review, we’ll create a new protection group and work through the policy configuration setup as shown below. The setup process is just a few steps that include:
- Set the properties of the protection policy
- Identify the inventory of VMs being protected
- Configure the local snapshot schedules
- Configure the site-to-site replication and retention parameters
For the Protection type, we have selected the “Local protection and replication” option. This adds creation steps 4 and 5 (shown below) to the protection group policy definition.

The local snapshot schedules (step 4) define the recovery points that will be available for the selected VMs on the local vSAN ESA datastore. Each protection group policy can have several schedules, which define the snapshot frequency and the retention period for keeping the snapshots.
NOTE: This protection group policy definition also uses VM selection criteria that combine naming patterns (step 2) and individual selection (step 3), as shown in the figure above. This provides a high degree of flexibility when defining the VM inventory details for protection.
Snapshots and replication have separate policy configuration choices. Data between Site A and Site B in this example will be replicated independently of the local snapshots that are being taken through policy schedules. This also means that the replication process is conducted separately from the local snapshot processes.
With VMware Advanced Cyber Compliance disaster recovery, the replication frequency of vSphere replication—or primary Recovery Point Objective (RPO)—to the secondary site for each VM can be as low as 1 minute.
When configuring the replication details, you also specify the retention of snapshots at the remote site, which defines the depth of recoverability at your secondary site.
When completing a protection group policy definition with the vSAN data protection interface, you can see the various details of schedules, retention, and replication frequency as shown in the screenshot below:

NOTE: Protection groups defined with vSAN data protection methods that include replication options will be discovered by the protection and recovery orchestration framework and added as replication and protection group entries in the orchestration inventory, as called out in the information block shown above.
Recovery Orchestration Integration
If we switch our view to the orchestration interface, you will see, as shown below, that our “Example-Multi-Site-Protection-Group” policy has been imported into the protection group inventory along with existing protection groups defined solely within the protection and recovery orchestration UI.

Any VMs included in the protection group defined with vSAN data protection methods are also included in the Replications inventory and identified with the appropriate Type, as shown below:

From the orchestration UI, if you need to modify the protection group that has been created with vSAN data protection, it is easy to navigate back to that UI from the protection group orchestration interface. You can see the context link in the image below (just above the highlighted Virtual Machines area):

Summary
By leveraging vSAN data protection and the disaster recovery capabilities of VMware Advanced Cyber Compliance together in your VCF deployment, you can now benefit from improved local VM protection for operational recovery needs as well as remote VM protection useful for disaster recovery purposes.
For additional information, please visit the websites for each of these solutions at: