Data Protection in VMware Cloud on AWS

Since VMware is now available on AWS as well, one of my customers using VMware on-premises has started playing with VMC on AWS. They like the same management console and similar GUI but have certain inhibitions, mostly about data protection in VMC on AWS. AWS, truth be told, still does not offer enterprise-level data protection services for IT to function without having a heart attack. Fortunately, Dell EMC is one of the first providers to bring cloud-enabled, self-service data protection for VMware’s enterprise-class Software-Defined Data Center to the AWS Cloud. Whether expanding services on-premises or in the public cloud, Dell EMC provides the same world-class data protection with superior compression and deduplication. Dell EMC Data Protection for VMware Cloud on AWS is available as a single bundle and includes the data protection software and protection storage needed to protect your data and applications running on VMware Cloud on AWS. For those who are new to the idea of VMware Cloud on AWS, the following write-up can help bring you up to speed. The schematic below shows a high-level overview of VMware Cloud on AWS:

VMwarecloud onAWS_2

VMware Cloud on AWS also allows you to migrate and move data to the native AWS cloud, as shown in the figure below.

VMC on AWS

Dell EMC offers a bundle for customers wanting to protect their VMware Cloud on AWS environments that includes Dell EMC Data Protection Software and Data Domain Virtual Edition (DD Virtual Edition). Below are some salient features of the licensing bundle:

  • Similar pricing to VMware Cloud on AWS pricing: Pricing is per host – 1 or 3 year subscription model.
  • Best-in-class deduplication lowers cloud consumption costs.
  • vSphere integration and attractive pricing that makes it painless to protect VMware workloads on VMware Cloud on AWS
  • DD Virtual Edition now expands to 96 TB, leveraging object storage for even more cost efficiencies
  • File based backups and recoveries, VM image based backups and restores etc. supported.

The solution for data protection in VMC on AWS includes NetWorker, DDVE, CB and AVE, which customers can use as their requirements dictate. Backups can be written to S3 or to EBS devices, depending on performance and cost requirements. The DellEMC DPS solution offers the functionality below as of now.

VMC on AWS -1

Customers can also leverage the Cloud DR functionality from DellEMC (spinning up VMware VMs in AWS or in VMC on AWS) in case of a disaster. This makes DR from on-premises to VMC another possible use case for customers. With this feature added, DellEMC Data Protection software allows customers:

  • to keep long term retention data on object storage such as S3, Azure LRS etc.
  • to leverage public clouds like Azure, AWS and VMC on AWS as a DR site
  • to run production workloads on public clouds by providing data protection in public cloud as well.

VMC on AWS -3

More details about DellEMC Data Protection Solution in VMC on AWS can be read here.

Why DellEMC DPS for Azure Data Protection?

Azure Backup is Microsoft’s cloud-based service for backing up and restoring your data in Microsoft Azure. Azure Backup offers multiple ways to deploy the solution based on what you want to back up. All solution options, regardless of whether the resources are on-premises or in the cloud, can be used to back up data to a Recovery Services vault in Azure. Within the Azure portal, in the Recovery Services vault, Microsoft provides a simple wizard to help determine which solution to deploy based on your needs. You simply select either On-Premises or Azure as well as what you want to back up, and you are given instructions for the appropriate solution. There are four primary ways to utilize Azure Backup. Each of these options is described below:

  • Azure Backup Agent
  • System Center Data Protection Manager
  • Azure Backup Server
  • Azure IaaS VM Backup

Azure Backup Agent

Azure Backup Agent is a server-less agent that installs directly on a physical or virtual Windows Server. The servers can be on-premises or in Azure. This agent can back up files, folders and system states directly to an Azure Recovery Services Vault up to 3 times per day. This agent is not application aware and can only restore at the volume level. Also, there is no support for Linux.

System Center Data Protection Manager (DPM)

DPM provides a robust enterprise backup and recovery solution with the ability to back up on-premises and in Azure. A DPM server can be deployed on-premises or in Azure. DPM can be used to back up application-aware solutions such as SQL Server, SharePoint, and Exchange. DPM can also back up files and folders, system states, Bare Metal Recovery (BMR), as well as entire Hyper-V or VMware VMs. DPM can store data on disks, tape, or within an Azure Recovery Services Vault. DPM supports backups of Windows 7 or later client machines and Windows 2008 R2 SP1 or later servers. DPM cannot back up any Oracle, DB2 etc. workloads. Support for Linux-based machines is based on Microsoft’s endorsed list found here

Azure Backup Server

Microsoft Azure Backup Server (MABS) is merely a slightly scaled-down version of System Center DPM. MABS is for customers that do not already have System Center DPM. MABS does not require any System Center licenses. MABS requires an Azure subscription to be active always. The primary differences between MABS and System Center DPM are as follows:

    • Does not support tape backups
    • No centralized System Center administration
    • Unable to back up another MABS instance
    • Does not integrate with Azure Site Recovery Services

Azure IaaS VM Backup

All Azure VMs can be backed up directly to a Recovery Services Vault with no agent installation or additional infrastructure required. You can also back up all disks attached to a VM. This works for both Windows and Linux VMs. You can back up only once per day and only to Azure; on-premises backup is not supported. VMs are only restored at disk level.

DellEMC’s approach is far ahead of what is being offered by native Azure options. We have multiple options which can be used to protect workloads in Azure:

1. Cloud Snapshot Manager for Azure:

This is a SaaS-based offering which protects Azure managed VMs on a snapshot basis in Azure object storage. Licensing is based on the number of instances, on a subscription basis. No backup server or infrastructure is required for such a configuration. More importantly, a customer can have multiple Azure accounts and subscriptions, and all of them can be protected and managed from a single CSM console user interface. It literally takes 5-7 mins to start your first backup.

2. NetWorker and Data Domain / Avamar and Data Domain:

NetWorker and Avamar are DellEMC’s flagship software, which can be deployed in an Azure VM and made to write to Data Domain Virtual Edition in Azure. NetWorker and DD allow customers to have no media servers by virtue of client direct, and since DD has a single deduplication pool the storage savings are very large. With continued investment in DD engineering we now have the functionality to deploy DD in Azure on object storage, which allows for more storage savings than ever. Since we are leveraging NetWorker and Avamar, we get the functionality to integrate with any application or database that is hosted in Azure. The main benefits of such a solution are below:

    • No media servers required in Azure
    • Ability to protect data in de-duplicated format in Azure object storage
    • Wide application and database support.
    • Enterprise level backup performance and de-duplication
    • Both Data Domain and Avamar are available in Azure marketplace.

3. Data Domain and DDBEA:

Data Domain can protect workloads without integrating with any backup software and can protect both SQL and NoSQL databases, by leveraging BOOST and BOOSTFS integration respectively. Customers can run the BOOSTFS tool and, with the help of DellEMC, make any customer application write backups to DD with source-based deduplication as well. DDVE is available up to 96 TB in a single instance in Azure. The capacity of 96 TB comes from Azure BLOB storage, so it is extremely cost efficient.

DellEMC DPS is a one-stop solution for enterprise data protection in and to Azure. Below are some marketplace links for DellEMC DPS solutions in Azure.

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/dellemc.dell-emc-avamar-virtual-edition  — Avamar in Azure Marketplace

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/dellemc.dell-emc-datadomain-virtual-edition-v4 — Data Domain in Azure Marketplace

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/dellemc.dell-emc-networker-virtual-edition — NetWorker in Azure Marketplace

SaaS Data Protection for AWS – Cloud Snapshot Manager

A few weeks back DellEMC released a newer version of Cloud Snapshot Manager. In case you are not aware, it is a Software as a Service solution, fully operated by DellEMC, providing our customers control, automation and visibility over their AWS workload protection in the cloud. Cloud apps, specifically applications in AWS, are agile and can scale really fast due to the nature of service in AWS, so they need a different kind of data protection. Yes, we have NetWorker, DDVE, AVE and CloudBoost in AWS and they have their own use cases. AWS workloads are a bit different: we do not see the hypervisor (which is, by the way, customized XEN) and have limited abilities in AWS (courtesy of AWS), and this makes data protection in AWS a bit different. Below are some reasons which make traditional data protection not a complete solution for AWS workloads.

Issues with AWS DP

Taking snapshots of native EC2 (Elastic Compute Cloud – VM in AWS), EBS, RDS etc. with CSM has many benefits, some of which are listed below:

  • Snapshots provide incremental-forever protection. CSM calls and retains the same snapshots which AWS natively uses, only this time with added benefits, which we will see.
  • Snapshots cover EBS, EC2 storage and RDS machines, whereas native snapshots only support protection of EBS and RDS workloads.
  • Snapshots are incremental forever and are compressed before they are written to S3 storage. Since S3 is globally available, data is in secure and durable storage.
  • Native snapshots cannot be restored in another region (without massive scripting), but with CSM it's a simple restore. This is also beneficial in case a complete AWS region goes away.
  • Since CSM leverages AWS APIs for the snapshots and the CSM portal infrastructure is managed by DellEMC, customers do not have to manage a backup server, backup storage etc.; as I mentioned, this is a SaaS service. This is not the case with Veritas Cloudpoint, which is a lot more difficult to manage. The same is true of Commvault, Veeam and Rubrik. They all have to deploy a backup server in AWS to get the backups started; with CSM you can start backups in 4-5 mins. That’s the whole promise of CLOUD – AGILITY.
  • Restores are much faster when restoring from snapshots, and snapshots can be taken even if the RDS or EC2 machines are down.
  • The only way to protect RDS – Relational Database Service in AWS (which hosts Oracle, MSSQL, PostgreSQL, Aurora, MariaDB and MySQL) – is via snapshots, which CSM does promptly. By the way, as of now Rubrik does not support data protection for RDS machines in AWS at all.

  • CSM allows you to have any retention in AWS (more than 35 days) for EC2, EBS, RDS etc., which is not possible with native AWS data protection.
  • CSM allows resources such as EC2, EBS and RDS to be automatically protected by native AWS tags (tags are metadata specific to an organization that can be added to cloud resources). Tags can help in reporting, compliance, show-back and charge-back etc. CSM allows automatic assignment of resources to protection policies to achieve auto-scaling for data protection, so that you can set it and forget it.
  • CSM supports multi-tenancy: backup of multiple AWS accounts, multiple regions and multiple availability zones with ONE CONSOLE, which as of today no other vendor has.
  • With the new release of CSM, we have support for file-level recovery from the snapshots! Native AWS snapshots do not support FLR from snapshots.
  • CSM has also added copying the snapshots to another region, which enables customers to have a proper DR plan: if region X gets lost, they do not need to worry, since their backup console is with DellEMC and not in region X, and their snapshots are at the DR site (region Y).
  • CSM can also quiesce applications using the VSS architecture for an application-consistent snapshot of Microsoft applications.
  • Normal scripting / AWS native snapshots etc. do not provide audit logs, reporting etc., whereas the HTML5 console of CSM does it all for any number of AWS accounts, regions etc.
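
Tag-based assignment and cross-region copies, as described in the list above, leave two things to verify: a resource whose tags match no policy is silently unprotected, and a snapshot copy kept in the source region does not survive the loss of that region. The sketch below is an added example, not Cloud Snapshot Manager code or its API; the policy names, tag selectors, regions and resource IDs are constructed, and first-match-wins ordering is an assumption.

```python
# Added illustration, not Cloud Snapshot Manager code: tag-driven policy
# assignment plus a coverage audit. All names and IDs are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    selector: dict                     # tag key -> value; every pair must match
    copy_region: Optional[str] = None  # region that receives snapshot copies


# Hypothetical policies, evaluated in order (first match wins).
POLICIES = [
    Policy("prod-gold", {"env": "prod", "tier": "db"}, "us-west-2"),
    Policy("prod-silver", {"env": "prod"}, "us-east-1"),
    Policy("dev-bronze", {"env": "dev"}),
]

# Constructed inventory of EC2, RDS and EBS resources.
INVENTORY = [
    {"id": "i-0001", "region": "us-east-1", "tags": {"env": "prod", "tier": "web"}},
    {"id": "db-0002", "region": "us-east-1", "tags": {"env": "prod", "tier": "db"}},
    # AWS tag keys are case-sensitive, so "Env" does not satisfy "env".
    {"id": "vol-0003", "region": "eu-west-2", "tags": {"Env": "prod"}},
    {"id": "i-0004", "region": "us-east-1", "tags": {}},
    {"id": "i-0005", "region": "us-west-2", "tags": {"env": "dev"}},
]


def assign(resource, policies=POLICIES):
    """Return the first policy whose selector tags all match, else None."""
    tags = resource["tags"]
    for policy in policies:
        if all(tags.get(k) == v for k, v in policy.selector.items()):
            return policy
    return None


def audit(inventory=INVENTORY, policies=POLICIES):
    """Return (resource id, finding code, detail) for every coverage gap."""
    findings = []
    for res in inventory:
        policy = assign(res, policies)
        if policy is None:
            findings.append((res["id"], "UNPROTECTED", "tags match no policy"))
        elif policy.copy_region is None:
            findings.append((res["id"], "NO_DR_COPY", policy.name))
        elif policy.copy_region == res["region"]:
            findings.append((res["id"], "SAME_REGION_COPY", policy.name))
    return findings


if __name__ == "__main__":
    for rid, code, detail in audit():
        print(f"{rid:10} {code:18} {detail}")
```

Run against a real inventory export, the same audit shows which resources fall outside every policy before a restore is ever needed.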

In case you want to try it yourself, take it for a spin or ask your customer to use the trial version for 30 days at Cloud Snapshot Manager – Data Protection | Dell EMC US

VMware Cloud on AWS

Almost a year after the announcement, VMware Cloud on AWS is available to customers. At VMworld 2017, both companies highlighted the benefits of the partnership. Existing businesses using the VMware stack can easily extend their virtualized data center to Amazon’s public cloud. When it comes to infrastructure, VMware can ride on top of Amazon’s global footprint. Customers across the globe can choose a region closer to their data center for public cloud migration. When Amazon announces a new region, VMware can piggyback on it without the CapEx and the management expertise. This comes as a huge win for VMware and its ecosystem. But this write-up is about the nuts and bolts of the solution and how it affects our day-to-day operations. VMware Cloud on AWS comes with three components:

  1. Compute (Virtualized) – ESXi
  2. Storage (Virtualized) – vSAN
  3. Network (Virtualized) – NSX

VMwarecloud onAWS_1

All of these are managed by vSphere. This is an on-demand service which delivers Software-Defined Data Centers (SDDC) as a cloud service. Click a button in the console or make an API call and you can deploy a complete running VMware cloud in AWS with all of the above-mentioned software-defined components installed, configured and ready to use. VMware maintains and manages these components for you, so it will patch and upgrade all of them. If you add a new host to a cluster, ESXi is already configured on the host; the same goes for vSAN and NSX. Since this is running on AWS infrastructure, it has dynamic capacity in terms of compute, storage and network.

Compute

VMware Cloud on AWS is deployed directly on bare metal inside an AWS EC2 environment. So it's not nested virtualization; it's all ESXi sitting directly on bare-metal servers. The hardware servers being used have the specifications below:

  • I3.16XL Equivalent
  • 36 cores / 72 vCPUs
  • 512 GiB  RAM
  • 15 TiB NVMe All Flash Memory Storage
  • 25 Gb ENA (network)

This is almost the same ESXi software that you would run on-premises; however, you can start as low as a 4-host cluster and go up to a 32-host cluster. A single customer can have multiple clusters. The hosts are maintained by VMware, and there is no direct SSH / root access to the ESXi hosts, nor can VIBs or third-party plugins be added to them.

Storage

From a storage perspective, VMware is using vSAN, which aggregates the local storage of each host and, after a suitable RF setting, provides the necessary usable capacity for VMs. We cannot attach EBS or EFS to the existing hosts as datastores. The existing NVMe drives are used for the aggregate storage of the vSAN pool. We can, however, add EFS volumes to the VMs as NAS shares if need be. All necessary VMware storage policies still apply as per requirement, so you can create individual VMware storage policies to choose the number of parity bits that are set for each VM.

Network

NSX is used for network virtualization, which basically creates logical networks. This does not run directly inside an AWS subnet. VMs are therefore attached not to an AWS subnet but to an overlay network, and you can create Layer 2 networks which are connected to the Compute and Management Gateways. The Compute Gateway is basically a VM running to provide gateway services for all your compute nodes, and the Management Gateway manages and controls the NSX control center and vCenter traffic. The gateways act as an IGW (if you are not familiar with what an IGW is in AWS, click here), except that in this case there are a few additional things which they do. They also act as IPsec termination points for IPsec VPN tunnels, they perform NAT, and they perform the North-South firewalling.

vSphere

This is the best part about VMware Cloud on AWS: an IT administrator does not need to learn a new tool, since it's vSphere, which he or she has been managing for ages now. It is managed by VMware, it is its own single sign-on domain, and you are delegated rights to an account that allows you to manage your workload. VMware introduced a new feature called Hybrid Linked Mode, which allows you to connect the single sign-on domain running inside VMware Cloud on AWS to your on-premises environment.

So if you look at the big picture, the whole setup looks like a much-awaited #HybridCloud. This has three pillars, namely Customer DC (on-premises), VMware Cloud on AWS, and AWS Cloud; see the image below.

VMwarecloud onAWS_2

Let's talk a little bit about accounts, since there are two different accounts in play when you manage VMware Cloud on AWS. When you sign up for the service, VMware creates a brand new AWS account. This account is owned and operated by VMware, they pay for it, and you as a customer have no visibility into it. They use this account to create and run all the SDDC resources which are needed to run the VMware Cloud on AWS environment. This account is called the VMware Cloud SDDC Account. The second account is your own AWS account. It is owned, operated and paid for by you as a customer, and it can have private connectivity to VMware Cloud on AWS. It runs all native AWS services and you pay its bill to AWS, whereas for the VMware Cloud SDDC Account you pay the bill to VMware.

Getting Started:

  1. Go to https://vmc.vmware.com/ ; this is the VMware Cloud on AWS console.
  2. Log in using my.vmware.com credentials and you can create organizations.
  3. VMware also has Identity and Access Management (not the same as AWS IAM but similar to it); here you can go ahead and set up your users and groups, assign permissions to users etc.
  4. Create a new SDDC by giving it a new SDDC name.
  5. Choose the number of hosts (4 – 32).
  6. Choose the AWS region in which the SDDC will run (AWS EU (London) region, AWS US East (N. Virginia) region and AWS US West (Oregon) region).
  7. Connect VMware Cloud on AWS to your existing AWS account.
  8. Connect VMware Cloud on AWS to your existing on-premises VMware account.

Once this is all done, we can manage the resources in our SDDC in VMware Cloud on AWS via vmc.vmware.com or even via the vSphere HTML5 Web Client. Remember, the whole SDDC is delivered as a service, so:

  1. AWS manages the physical resources (servers, DC, hardware, cooling, power etc.).
  2. VMware manages the hypervisor and management components.
  3. You manage the VMs and applications running on them.

Access via vCenter is through a delegated permission model, so you do not have root access; you will have a cloud admin account which has delegated rights.

Use Cases

  1. Expansion of current DCs without buying new hardware – disaster recovery, backup and continuity of operations.
  2. Consolidation and Migration – data center consolidation and migration, application migration, getting out of the on-premises DC completely.
  3. Workload Flexibility – Prod, Dev, Test, Lab and Training, Burst Capacity for new application and workloads.

VMwarecloud onAWS_3