Backup is like an insurance policy. You want it for the peace of mind, but you don’t want it to dominate your workday (also, nights and weekends!). You need to protect data on your virtual machines to guard against hardware/storage failures and user errors. You may also have regulatory and compliance requirements to protect data for the longer term.
VMware made virtual machine data protection easy for administrators by introducing vStorage APIs for Data Protection (VADP). VADP is a set of APIs (Application Programming Interfaces) made available by VMware for backup software vendors. These APIs make it possible for backup software vendors to embed the intelligence needed to protect virtual machines by integrating with vSphere. Through these APIs, the backup software can create snapshots of virtual machines and copy those to backup storage.
Choosing a backup product that supports VADP may look like an overwhelming task; especially when vendors are clogging the social media channels with campaigns and promotions. What is the best way to choose a solution for protecting virtual machines?
If your organization is in a transition phase to virtualized infrastructure, start with the backup product already in use for protecting physical infrastructure. Most of the leading backup vendors support VADP; Symantec NetBackup, Symantec Backup Exec, IBM TSM, EMC NetWorker and CommVault Simpana are examples. There is no need to go shopping; most of these products have matured over the years to handle vSphere workloads and take advantage of VADP.
If you are not currently invested in a backup product, or are unhappy with the current one, there are a number of things you need to consider. VMware has a free product called vSphere Data Protection (VDP, not to be confused with VADP) that supports some of the VADP capabilities. It is an easy-to-use virtual appliance with which you can schedule backups and store them on deduplicated storage. There are also point products (Quest vRanger, Veeam Backup & Replication, etc.) that work only on virtualized infrastructure. Established backup vendors such as Symantec also offer editions tailored for VM infrastructure (e.g. Symantec Backup Exec V-Ray edition) that are built for virtual infrastructure but still support workloads on physical systems.
Now that we know VADP support is available in most backup solutions, it is a good idea to dissect VADP capabilities and the problems it solves in virtual environments. Not all backup products support all VADP capabilities. Hence, it is important to create a checklist of features that are important for your environment to enable you to ask the right questions while in the market looking for VM backup solutions. To begin, there are three key questions that will help you narrow down the selection.
Virtual Machine Quiescence and Security
First key question to ask: Does your solution require the backup admin to have access to application and/or guest operating system credentials?
Explanation: Using VADP, the backup software can interact with the guest operating system through VMware Tools (installed in each guest). This is how the backup software quiesces file systems and applications inside the guest. For smaller environments, where a single trusted individual administers the applications, the guest operating systems, the vSphere infrastructure and the backup server, you may choose a solution in which the backup server uses guest operating system credentials to reach inside the virtual machine. The caveat is that the individual managing backups then has full access to, and visibility into, everything in the production environment. For example, the backup admin could browse the contents of a backup image of a virtual machine hosting Microsoft Exchange and cross privacy/security boundaries without leaving any audit trail.
Enterprise-grade backup applications reduce this risk with agent-assisted backups. In this method, a lightweight agent is installed on virtual machines hosting mission-critical applications with sensitive data. The agent runs in the security context of the application owner inside the guest. It performs file system and application quiescence, as well as application object enumeration, on behalf of the backup server. The backup server then takes over and creates the virtual machine snapshot using VADP. Because guest/application credentials are never stored on the backup server, the backup administrator does not get credentialed access to the application content. Note that the image-level backup still contains the VM's full disks, so access to the backup store itself must be restricted and audited, and the stored images encrypted; the agent model removes the credential exposure, not the sensitivity of the copy.
Data Transport Methods
Second key question to ask: What are the VADP data transport methods you support?
Explanation: Once a VM snapshot is created, VADP provides four methods to move data from the vSphere datastore to backup storage.
- SAN Transport: The backup server is zoned to see the SAN storage where the vSphere datastores reside and reads the snapshot data directly from the LUNs through the APIs, bypassing the production ESXi hosts. This is the preferred method because it is a true off-host backup. It works only when the vSphere datastore is on Fibre Channel or iSCSI SAN storage. Because the backup server can read every VM disk on those LUNs, treat it as a high-value host: harden it and restrict who can log in.
- NBD Transport: NBD stands for Network Block Device. The ESXi host exposes the VM snapshot disk over the management network as if it were a block device, and the backup server reads it across the network. This is the simplest method to maintain, as no extra configuration or zoning is required. However, it consumes ESXi host (VMkernel) CPU and management-network bandwidth, and the data stream is not encrypted.
- NBDSSL Transport: The same as NBD, but the in-flight data stream is protected with SSL/TLS. Recommended wherever the network between the ESXi hosts and the backup server must be protected from sniffing; the encryption costs additional CPU on both ends.
- HotAdd Transport: One or more dedicated virtual machines running the backup software (backup proxies) are required. The snapshot disks of the VM being backed up are hot-added to the proxy VM's virtual SCSI controller, read there, and streamed to backup storage. The proxy must run on an ESXi host that can access the datastore. Recommended for small environments and remote/satellite offices.
It is recommended to choose a solution that supports all transport methods, even if some of them do not apply to you today. This avoids unnecessary operational complexity and switching costs down the line.
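The rules above can be written down as code so the choice is explicit and reviewable. The VDDK that VADP-based backup software links against accepts an ordered, colon-separated preference string such as "san:hotadd:nbdssl:nbd" (passed to VixDiskLib_ConnectEx) and tries each mode in turn. The following is an added example, not code from the original post or from any backup product; the Environment fields are assumptions chosen to capture the conditions the article attaches to each transport.

```python
"""Build and validate a VDDK transport-mode preference from environment facts.

Added example (not from the original post). The decision rules follow the
article: SAN needs a Fibre Channel/iSCSI datastore and a zoned backup server,
HotAdd needs a proxy VM that can reach the datastore, and plain NBD is only
allowed when the network does not need protection from sniffing.
"""
from dataclasses import dataclass
from typing import List

# Mode names as the VDDK spells them in the transportModes string.
VALID_MODES = ("san", "hotadd", "nbdssl", "nbd")


@dataclass(frozen=True)
class Environment:
    # Assumed fields for this example, not a VDDK structure.
    datastore_on_san: bool          # VMFS on Fibre Channel or iSCSI (not NFS/vSAN/local)
    backup_host_zoned_to_san: bool  # backup server can see the datastore LUNs
    has_proxy_vm: bool              # a backup proxy VM runs on a host with datastore access
    protect_in_flight: bool         # management-network traffic must resist sniffing


def transport_preference(env: Environment) -> List[str]:
    """Return transport modes in the order the backup software should try them."""
    modes: List[str] = []
    if env.datastore_on_san and env.backup_host_zoned_to_san:
        modes.append("san")      # true off-host read, bypasses the ESXi hosts
    if env.has_proxy_vm:
        modes.append("hotadd")   # disks attached to the proxy, no management-network stream
    modes.append("nbdssl")       # always acceptable: encrypted, costs CPU on both ends
    if not env.protect_in_flight:
        modes.append("nbd")      # cheapest fallback, but the stream is cleartext
    return modes


def to_vddk_string(modes: List[str]) -> str:
    """Join an ordered mode list into the colon-separated VDDK form."""
    return ":".join(modes)


def parse_vddk_string(value: str) -> List[str]:
    """Split a VDDK preference string, rejecting unknown or duplicate modes."""
    modes = [m.strip().lower() for m in value.split(":") if m.strip()]
    for m in modes:
        if m not in VALID_MODES:
            raise ValueError(f"unknown transport mode: {m!r}")
    if len(set(modes)) != len(modes):
        raise ValueError("duplicate transport mode in preference string")
    return modes


if __name__ == "__main__":
    # Constructed scenarios: a SAN-attached core site and an NFS-backed remote office.
    core = Environment(datastore_on_san=True, backup_host_zoned_to_san=True,
                       has_proxy_vm=True, protect_in_flight=True)
    branch = Environment(datastore_on_san=False, backup_host_zoned_to_san=False,
                         has_proxy_vm=False, protect_in_flight=False)
    print("core   :", to_vddk_string(transport_preference(core)))
    print("branch :", to_vddk_string(transport_preference(branch)))
```

Running the script prints "san:hotadd:nbdssl" for the SAN-attached site and "nbdssl:nbd" for the remote office; a backup product that accepts only a subset of these modes would fail the second key question for one of the two sites.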
Think outside VADP
Third key question to ask: What do you recommend for protecting my environment where VADP cannot be used?
Explanation: While VADP is one of the most important innovations in virtual machine protection, it does not cover everything. There are scenarios where VADP will not fit the bill, and you do not want to be taken by surprise. Ask the third question if any of the following are true:
- You have virtual machines with Fault Tolerance (FT) enabled. Note that FT protects against local hardware failures only; to protect against user errors, attacks and site loss, backup is still essential.
- You have virtual machines using Raw Device Mappings (RDM)
- You have your vCenter servers and/or vCenter databases hosted on dedicated physical servers
- You have more than one hypervisor in use (e.g. Hyper-V, KVM…)
- You have physical systems for specialized workloads
- You have NAS devices
- You have applications/databases with granular recovery requirements in the security context of application/database owner
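Several items on this list can be found from the vSphere inventory before a backup product is chosen. The following is an added example, not code from the original post or from any backup vendor: it flags VMs that an image-level VADP backup cannot fully protect. The record layout mirrors the property names a pyVmomi inventory script would read (runtime.faultToleranceState, each disk's backing class, compatibilityMode and diskMode), but the sample VMs are constructed for this example and nothing connects to vCenter. It also checks independent disks, which VM snapshots exclude; that limitation is not on the article's list but follows from how snapshots work.

```python
"""Flag VMs that an image-level VADP backup cannot fully protect.

Added example (not from the original post). Input records use vSphere API
property names; the inventory below is constructed, not captured.
"""
from typing import Dict, List

RDM_BACKING = "VirtualDiskRawDiskMappingVer1BackingInfo"
FLAT_BACKING = "VirtualDiskFlatVer2BackingInfo"

# Constructed sample inventory in the shape pyVmomi would return.
SAMPLE_VMS = [
    {"name": "web01", "faultToleranceState": "notConfigured",
     "disks": [{"label": "Hard disk 1", "backing": FLAT_BACKING, "diskMode": "persistent"}]},
    {"name": "db01", "faultToleranceState": "notConfigured",
     "disks": [{"label": "Hard disk 1", "backing": FLAT_BACKING, "diskMode": "persistent"},
               {"label": "Hard disk 2", "backing": RDM_BACKING,
                "compatibilityMode": "physicalMode", "diskMode": "independent_persistent"}]},
    {"name": "lb01", "faultToleranceState": "running",
     "disks": [{"label": "Hard disk 1", "backing": FLAT_BACKING, "diskMode": "persistent"}]},
    {"name": "log01", "faultToleranceState": "notConfigured",
     "disks": [{"label": "Hard disk 1", "backing": FLAT_BACKING, "diskMode": "persistent"},
               {"label": "Hard disk 2", "backing": FLAT_BACKING,
                "diskMode": "independent_persistent"}]},
    {"name": "app01", "faultToleranceState": "notConfigured",
     "disks": [{"label": "Hard disk 1", "backing": RDM_BACKING,
                "compatibilityMode": "virtualMode", "diskMode": "persistent"}]},
]


def vadp_gaps(vm: dict) -> List[str]:
    """Return reasons why a snapshot-based (VADP) backup would miss data on this VM."""
    reasons: List[str] = []
    if vm["faultToleranceState"] != "notConfigured":
        reasons.append("Fault Tolerance enabled")
    for disk in vm["disks"]:
        label = disk["label"]
        if disk["backing"] == RDM_BACKING:
            if disk.get("compatibilityMode") == "physicalMode":
                # Physical-mode RDMs cannot be snapshotted, so VADP never sees them.
                reasons.append(f"{label}: physical-mode RDM (not captured by VM snapshots)")
            else:
                # Virtual-mode RDMs can be snapshotted; confirm the product handles them.
                reasons.append(f"{label}: virtual-mode RDM (verify backup product support)")
        if disk["diskMode"].startswith("independent"):
            # Independent disks are excluded from VM snapshots regardless of backing type.
            reasons.append(f"{label}: independent disk (excluded from VM snapshots)")
    return reasons


def report(vms: List[dict]) -> Dict[str, List[str]]:
    """Map each VM name to its gap list, omitting VMs that VADP covers fully."""
    result: Dict[str, List[str]] = {}
    for vm in vms:
        gaps = vadp_gaps(vm)
        if gaps:
            result[vm["name"]] = gaps
    return result


if __name__ == "__main__":
    for name, gaps in report(SAMPLE_VMS).items():
        print(name)
        for g in gaps:
            print("  -", g)
```

In a live environment the same two functions would be fed from a pyVmomi container view over VirtualMachine objects; the VMs it reports are the ones for which the third key question needs a concrete answer (an in-guest agent, a physical backup path, or both).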
Plan for a multi-hypervisor world with at least a few purpose-built physical systems as your business grows. VADP is a boon for protecting VMware vSphere virtual machines, but you stay in control only if you avoid lock-in to a single hypervisor platform. A good backup solution not only addresses data protection needs but can also serve as a migration tool across heterogeneous data centers and clouds.
Conclusion: VMware vSphere virtual machine backup has been simplified by the wide adoption of vStorage APIs for Data Protection across backup software vendors. When evaluating a solution for VM protection, consider the operating model for data security, the supported data transport methods, and the workloads that need more than VADP integration.