vSAN Data Protection in VMware Cloud Foundation – The Solution You Already Own

With a flurry of announcements and new capabilities offered in VMware Cloud Foundation (VCF) 9.0, it is sometimes easy to overlook relatively new features hidden in plain sight. Protecting data in a private cloud has been a hot topic as of late, extending well beyond just typical data recovery requirements. Customers are looking to devise practical strategies for ransomware protection and disaster recovery using solutions that are easy to manage at scale.

vSAN Data Protection initially debuted in vSAN 8 U3, as a part of VMware Cloud Foundation 5.2. Perhaps the most overlooked aspect of vSAN Data Protection is that it is a part of the VCF license! Why is this so important? If you are running vSAN ESA in your VCF environment, you have everything you need to locally protect your workloads using vSAN Data Protection. It can serve as a terrific way to augment your existing protection strategies or serve as the foundation for more comprehensive protection.

Let’s take a brief look at what this local protection can do for you, and how you can adopt it in a simple and scalable way.

Local Protection the Easy Way

As a part of your VCF license, vSAN Data Protection gives you the ability to use snapshots the way you always envisioned. Using vSAN ESA’s native snapshotting engine, it allows you to:

  • Easily define groups of VMs and their protection and retention schedules — retaining up to 200 snapshots per VM.
  • Create crash-consistent snapshots of VMs at regular intervals with little to no impact on performance.
  • Easily restore one or more VMs directly in vCenter Server using the vSphere Client, even if they have been removed from inventory.

Since vSAN Data Protection protects at the VM level, protecting and restoring discrete VMDKs within a VM is not possible at this time.

Simple and Flexible Recovery

While the reasons for data recovery vary, vSAN Data Protection gives virtualization administrators the ability to execute common operational recovery tasks without involving any other teams in their organization.

Maybe an upgrade of a VM’s operating system failed, or perhaps there was a misconfiguration. vSAN Data Protection is ready for simple and fast recovery. Or, suppose a VM was accidentally deleted from inventory. Historically, VMware snapshots of any type would not allow you to recover a snapshot from a deleted VM. vSAN Data Protection has you covered.

Figure 1. Recover a VM accidentally deleted from inventory.

Notice that recovery of these VMs in the demonstration above occurs directly within the vSphere Client connected to vCenter Server. There are no other applications to use, and because recovery is based on the VM, it is intuitive and safe: you do not need to consider the complexities of recovery using array-based snapshots.

For our customers who have adopted vSAN Data Protection, this ease of recovery has been a consistent highlight of its capabilities.

Fast and Flexible Cloning

The benefits of automated snapshots created through vSAN Data Protection extend beyond data recovery. With vSAN Data Protection, you can easily create clones of VMs from one of the existing snapshots. This is an extremely easy and space efficient way to have multiple VMs available for a variety of use cases. Cloning from snapshots could be used for software development and testing as well as application administration and testing. Virtualization administrators could easily incorporate this capability into their day-to-day IT operations and lifecycle management tasks.

Figure 2. Creating clones from snapshots in vSAN Data Protection.

Let’s see what this type of rapid cloning of a large database would look like in the UI.

Figure 3. Creating a clone from an existing snapshot of a SQL Server VM.

Note that a cloned VM created from a snapshot taken in vSAN Data Protection is in the form of a linked clone. The clone cannot be subsequently protected using protection groups and snapshots in vSAN Data Protection. The cloned VM can be added to a protection group, but a health check warning of “Protection Group Health” will be triggered upon the next protection interval for that protection group, indicating that it failed to create a snapshot for the cloned VM(s). Manual snapshots of these linked clones can be taken outside of vSAN Data Protection (via the UI or VADP), which means that VADP-based backup solutions can protect these linked clones.

How to Get Started

With data protection capabilities included in your VCF license, how do you get started? Let’s take a brief look.

Install the Virtual Appliance used for vSAN Data Protection

The protection capabilities described above require the installation of a virtual appliance, typically one appliance per vCenter Server. This VMware Live Recovery (VLR) virtual appliance provides the vSAN Data Protection service that is included in VCF and provides local protection. This appliance simply helps orchestrate and manage the snapshots, and does not interfere with the data path, nor is it a single point of failure. The steps below reflect the basic steps needed to deploy and configure the appliance to take advantage of vSAN Data Protection.

  1. Download the appliance used for data protection on the Broadcom portal.
  2. Use the vSphere Client to log into the vCenter Server where you wish to deploy the appliance, and deploy it in the same manner as any other OVF.
  3. Once the OVF has been installed, point a web browser to it using its associated IP address, and complete the configuration of the appliance.

For more information, see “Deploy the VMware Live Recovery Appliance” for VCF 9.0 on TechDocs.

Configure Protection Groups

Protecting VMs comes through the use of “protection groups” which define the desired protection outcome of your VMs. You control what VMs are protected, how often they are protected, and their snapshot retention schedules.

Figure 4. Conceptual understanding of a protection group in vSAN Data Protection.

Protection groups also allow you to define if the snapshots should be immutable, all through a simple checkbox. Immutability ensures that the snapshots cannot be altered or deleted in any way. This option provides basic protection against malicious activities, and serves as the foundation for more sophisticated cyber resilience capabilities.

Let’s see how easy this is in the UI. First, we will look at the configuration of a protection group in the vSphere Client.

Figure 5. Configuring a protection group in vSAN Data Protection.

The protection groups will adhere to the defined outcomes as soon as you create the first snapshot. It is a great example of the “set it and forget it” protection capabilities in vSAN Data Protection, and sets the stage for easy and intuitive recovery of one or more VMs when the need arises.

Recommendation: If you are using dynamic VM name patterns with your protection groups, ensure that your VMs created from snapshots in vSAN Data Protection do not fall within a name pattern that automatically includes them in a protection group. Otherwise, this will trigger a health alert indicating that the linked clone VM cannot be protected using a protection group.

Extended Functionality in VCF 9.0

Several enhancements made to vSAN Data Protection in VCF 9.0 make it easier and more capable than ever.

  • Unified virtual appliance. Whether you are just using the local protection capabilities of vSAN Data Protection, or are using the enhanced replication and DR capabilities, this is now just a single virtual appliance that can be downloaded here. This single appliance reduces resources and makes management easier, and allows you to extend functionality for DR and ransomware protection by simply adding a license key.
  • Protect VMs to other vSAN clusters. While vSAN Data Protection provides a simple and easy way to protect your workloads locally, new technology introduced in VCF 9.0 allows you to protect workloads to another vSAN cluster – known as vSAN-to-vSAN replication.

For vSAN-to-vSAN replication, you will need an add-on license. If you do not have the add-on license, you can continue to use vSAN Data Protection’s ability to protect data locally. But the add-on license isn’t just about remote replication. It provides additional capabilities for comprehensive data protection and orchestration to meet your disaster recovery and cyber security requirements.

Figure 6. vSAN-to-vSAN replication courtesy of vSAN Data Protection and the add-on license.

In other words, you can achieve all of your basic, local protection capabilities using vSAN Data Protection. When you are ready to extend your protection capabilities to account for disaster recovery and cyber recovery scenarios, this is simply a matter of activating these capabilities using the add-on license.

For common questions about vSAN Data Protection, see the “vSAN Data Protection” section in the latest vSAN FAQs.

Summary

VCF customers running vSAN ESA as a part of VCF 5.2 or 9.0 have an extraordinarily powerful capability built into the solution they already own. vSAN Data Protection provides the ability to protect workloads locally with no additional licensing required. What are you waiting for?

@vmpete

