White Paper: Sageza - Strategic Snapshot
This white paper describes features introduced in EMC Avamar to extend VMware vCloud Director's service delivery and Virtual Data Center capabilities to include BaaS.
1. EMC Avamar For vCloud Director Environments Backup and Recovery Services for Multi-Tenant Private, Public and Hybrid Clouds ABSTRACT This white paper describes features introduced in EMC Avamar to extend VMware vCloud Directors service delivery and Virtual Data Center capabilities to include BaaS. April, 2014 EMC WHITE PAPER 2. Copyright 2014 EMC Corporation. All Rights Reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. VMware, vSphere, vCenter, and vCloud Director are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other trademarks used herein are the property of their respective owners. Part Number H12940 3. TABLE OF CONTENTS EXECUTIVE SUMMARY 4 Business Case 4 Solution Overview 4 Key Results 4 Audience 5 INTRODUCTION 5 EMC AVAMAR OVERVIEW 5 Avamar: Industry Leading Backup for VMware 5 EMC AVAMAR FOR VCLOUD DIRECTOR WORKFLOW OVERVIEW 6 VMware vCloud Roles 6 Backup Resource Mapping and Assignment 7 Backup Policy Configuration and Assignment 8 Extending the vCloud Director REST APIs 9 CONCLUSION 9 4. 4 EXECUTIVE SUMMARY BUSINESS CASE Service Providers (SPs) face the challenge of providing easy to use backup solutions that integrate seamlessly with their hosted VMware vCloud Director (vCD) environments. Providing a simple portal-based graphical solution, which allows their technical and non-technical vCD customers to easily backup and restore virtual applications is critical to the successful adoption of this type of offering. In addition, any portal-based Backup as a Service (BaaS) solution of this type must integrate into Service Provider orchestration, management, and portal infrastructures. In addition it must integrate into tenant portal infrastructures to enable a seamless Hybrid Cloud. Existing dedicated, standalone, disk-based or tape-based backup offerings dont provide the ease of use or deep integration with vCD that Service Providers require. Therefore, these solutions do not enable providers to offer differing levels of backup as a service to their customers. This enhanced capability being introduced in the Avamar 7.1 release accommodates service providers with the ability to offer backup services to all of their customers, regardless of their technical abilities or usage model. SOLUTION OVERVIEW This white paper describes a scalable solution to augment VMware vCloud Director environments with backup resources, including the backup components involved, as well as the associated portal and orchestration integration capabilities. This solution can be used to provide backup services for public or private cloud- based VMware vCloud Director environments. This white paper validates the integration of the solutions components and provides broad guidelines about how this type of solution can be built and integrated into the service providers environment. Key solution components include: EMC Avamar 7.1 to provide centralized and scalable backup environment with deduplication and replication capabilities. VMware vCloud Directorto orchestrate the provisioning of Software-Defined Data Center services as complete Virtual Data Centers that are ready for consumption in a matter of minutes. KEY RESULTS Backup as a Service enables service providers to fundamentally change the way in which they provide backup services for customers who have purchased their hosted vCloud Director environments. By leveraging industry leading backup and recovery resources that have been enhanced to integrate and augment into native ITaaS infrastructures such as VMwares vCloud, service providers can provide robust and uniform data protection capabilities and bring a truly differentiated service offering in the marketplace. The delivery of Avamar backup services for VMware in the Public Cloud is truly an enabling technology for Enterprise Cloud. This solution demonstrates that BaaS: Can provide a simple one-click backup experience Can be leveraged through direct or channel sales Improves flexibility and simplifies application deployment Enables users to focus on revenue generating activities and other projects instead of equipment logistics Figure 1: Avamar vCD services 5. 5 Audience This white paper is intended for EMC employees, partners, and customers including IT planners, system architects and administrators, and any others involved in evaluating, acquiring, managing, operating, or designing a BaaS infrastructure environment leveraging EMC technologies. Throughout this white paper we assume that you have some familiarity with the concepts and operations related to backup and virtualization technologies, and their use in cloud and data center infrastructures. INTRODUCTION Service providers can offer BaaS to customers who need a flexible, on-demand backup infrastructure, but prefer not to purchase, configure, or maintain it by themselves. In other cases, customers may have on premise backup resources in their private cloud, yet are looking for backup and recovery capabilities for public cloud resources they are consuming to augment on premise infrastructure. The features introduced in our latest release of Avamar, which our outlined here, focuses on demonstrating how a service provider can easily leverage Avamar to provide integrated and easy-to-consume backup and recovery resources in their vCloud Director services catalog. Fundamentally, as with any BaaS offering, this solution enables customers to consume data protection services in much the same manner as they consume compute, memory and storage resources today in vCD. The key is that users consume and pay for these resources without needing to understand or maintain the component devices and infrastructure required to provide the service. Furthermore, customers can draw on the elastic resources that cloud infrastructure delivers and pay only for the backup service they consume. The BaaS environment typically consists of: Hosted vCloud Director environments Self-service portal Secure multi-tenant-enabled shared infrastructure EMC AVAMAR OVERVIEW Developed to solve the challenges associated with traditional backup, EMC Avamar deduplication backup software and system, equipped with integrated global, client-side data deduplication technology, provide fast, next-generation daily full backups for virtual environments, NAS systems, desktops/laptops, remote offices and business critical applications. EMC Avamar reduces the size of backup data at the clientbefore it is transferred across the network and ultimately stored. Unlike traditional backup, Avamar delivers fast, daily full backups via existing IP networks, and makes recovery fast and easy with single-step restore. Avamar also deduplicates backup data globally across applications and sites worldwide to reduce the total required backup storage by up to 30x. As a result, Avamar provides the benefits of efficient long-term retention on disk while dramatically lowering capital and operating expenses including floor space, power, and cooling. Avamar backups can be quickly recovered in just one stepeliminating the hassle of restoring the last good full and subsequent incremental backups to reach the desired recovery point. Avamar software, similar to the other components in the Data Protection Suite, is integrated for multi-streaming backups to EMC Data Domain deduplication storage systems for efficient and highly scalable backup of specific data types and applications, simplifying management and maximizing existing IT investments. Avamar: Industry Leading Backup for VMware Figure 2: Avamar deduplication moves less data 6. 6 EMC Avamar provides variable-length client-side deduplication to accelerate the virtualization journey by providing extremely fast and efficient backup and recovery for the VMware environment. Avamar protects virtual machines (VMs) by deduplicating data at the clientso that only new, unique, sub-file, variable-length data segments are sent during daily full backups. This dramatically reduces the daily impact on the virtual and physical infrastructure by up to 99 percent as compared to traditional full-backup methods. While traditional backup software moves upward of 200 percent of the primary backup data on a weekly basis, Avamar moves as little as two percent over the same seven-day periodremoving backup bottlenecks and enabling even greater levels of virtualization. Avamar backs up data globally across physical and virtual servers. For virtualized environments, flexible backup options include guest- and image-level backups. Avamar is certified component of VCE VblockTM Systems and VSPEX converged infrastructure platforms. Avamar is tightly integrated to the vStorage APIs for Data Protection (VADP) for agentless backups. Deduplication and backup executes on a multi-threaded universal proxy VM, off-loading the backup from any of the VMs where the applications are running. Through vSphere, each VM is dynamically mounted to the proxy without physically moving data across the network, enabling Avamar to back up numerous virtual machines in just minutes. To maximize backup throughput, Avamar uses a load balancing algorithm across multiple proxy VMs. Instead of being locked into using only a single proxy for a set of VMs, Avamar leverages numerous proxies and sends a backup job to an available proxy. Avamar also takes advantage of VMwares Changed Block Tracking (CBT) to further speed up the backup and restore processes. VMware presents only changed blocks to the Avamar software, where each block is broken into variable length segments and further evaluated for uniqueness. Only the unique segments are sent for backup, achieving the fastest backup possible. Conversely, the restore process also leverages CBT for faster recovery. Avamar understands the current state of the VM and determines the required blocks from the last backup, restoring the VM in just minutes. Avamar enables full VM or file-level restore to the original VM, an existing VM or a new VMdirectly from the Avamar user interface. Also available with image backups is disk-level granularity that enables Avamar to back up specific virtual disks, thus reducing backup times and backup storage. Thin provisioned recovery speeds up the restore process and reduces required storage. EMC AVAMAR FOR VCLOUD DIRECTOR WORKFLOW OVERVIEW The following sections of this white paper will walk end to end through a typical service provider ITaaS model and how backup resource and policy creation, assignment, and consumption occurs within an Avamar powered vCloud Director protection solution. VMware vCloud Roles Before we dive into each process, lets review the specific administrator roles involved in a typical vCD workflow: Cloud Admin The cloud administrator and team manage the infrastructure and overall management of providing consumable services and provisioning those services for consumption by individual tenant orgs. In the case of an SP, each tenant would be a distinctly different client consuming ITaaS resources offered by the SP. As we will discuss further in the sections below, the cloud administration team will manage EMC Avamar systems as the foundation of Backup Resources included in new or existing tenant service catalogs. This includes allocation of underlying backup repositories to each vCD tenant, creating backup policy service-level templates, and enforcing resource usage quotas in those policies. Organization Admin The Organization Admin (Org Admin) plays a hybrid role within the vCD workflow. While acting as a consumer of resources provided and assigned by the SP, the Org Admin is also a provider and administrator of virtualized application (vApp) services to sub-tenants who are often the organizations lines of business admins. Within the vCD environment the Org Admin has full rights to manage and deploy the vApp instances control and rights are Figure 3: Avamar VM image backup 7. 7 limited and controlled by the policy SLAs delivered by the Cloud Admin. For backup resources, while the cloud admin instantiates backup policy templates into backup policies, the Org Admin can manipulate these polices, assign them as default to VDCs and assign them explicitly to vApps. Line of Business Admin The line of business admin (LOB Admin) is a pure consumer of the vApp resources provisioned by the Org Admin, and administers the business critical applications running on those vApp instances for end-users. Working together with the Org Admin to assure availability of applications for backup and recovery operations, LOB Admins have full control to run ad-hoc backups and recoveries as necessary to protect vApps as needed but have limited control and require collaboration with the Org Admin to set backup schedule and retention. Unlike other solutions offering protection for vCloud Director resources, Avamar natively integrates within vClouds Role-Based Access Control mechanisms to map access to backup and recovery resources and policies without the requirement for creating additional service accounts and access rights for each role within Avamar. Seamlessly applying backup and recovery services within the existing vCD workflow was a top requirement for development of this functionality. Backup Resource Mapping and Assignment As mentioned above, Avamar introduces through tight integration with vCD the ability to provision and assign backup resources to tenants and sub-tenants. Lets take a closer look at how physical infrastructure implemented via Avamar along with its integration with Data Domain systems can be incorporated and leveraged within vCD. The foundation of consumable backup resources is the Backup Appliance. A Backup Appliance can be an Avamar Data Store, Avamar Virtual Edition, or Avamar with one or more Data Domain systems. For the illustration shown in Figure 2 below, the process begins with the Cloud Administrator. A member of the cloud administration team is responsible, and is provided with the capabilities to manage all the backend backup appliances and corresponding physical infrastructure. As we begin working through the multi-tenant structure, the Cloud Admin creates Backup Repositories that have a Many:1 relationship to Backup Appliances. Using the Backup Repository abstraction, the pool of Backup Appliances can now be split amongst tenants who will consume their resources. While a repository can only be created using one Backup Appliance, a single backup appliance can support multiple backup repositories. This is ultimately what allows multiple tenants to be assigned and logically partitioned on a single backup appliance. As you can see in Figure 3, the right-most backup appliance is hosting both Repository 3 and Repository 4. This is a similar paradigm to how multiple Organizational VDCs are assigned to a single Provider VDC in vCloud Director. Figure 4: Backup resource mapping 8. 8 For this example, illustrated are two organizations or tenants represented as Org VDC A and Org VDC B. The cloud administrator upon enrolling each tenant, or adding backup services to an already existing tenant, will map a desired repository to each tenant. Repository mappings to Org VDCs were designed with flexibility in mind to meet the needs of each tenant. In this example, we are mapping Repository 1 to Org VDC B and Repository 2 to Org VDC A. By doing this we are able to dedicate physical backup appliances to a tenant for regulatory purposes. As hosted-cloud and public clouds are in their nature agile and flexible, depending on the capacity and changing performance requirements for particular tenants it may be necessary to map multiple Backup Repositories to a particular Org VDC. In this scenario we are also assigning Repository 4 to Org VDC B and Repository 3 to Org VDC A. The majority of cases will find tenants sharing a backup appliance by assigning multiple repositories to each backup appliance. When multiple repositories are assigned to an Org VDC only one repository is considered active at a time. It is the responsibility of the Cloud Administrator to determine which repository should be Active for a specific tenant. Repositories in an Active state will service any new incoming backup requests while non-active repositories simply retain previously run backups and service restores. In this example, upon adding Repositories 3 and 4, Repositories 1 and 2 are no longer active. The backup repository construct also serves another purpose for the cloud administrator, the ability to enable and configure service quotas for specific tenants. Both total capacity usage quotas as well as daily capacity usage quotas can be configured on each repository, therefore controlling consumption of tenants and sub-tenants and assuring control of agreed upon service-level agreements. This is similar to how Org VDCs allow limits to the consumption of compute, network, and storage resources. Finally, once assigned to the Org VDCs, backup repository resources are able to be consumed and leveraged for protection of vApps and VMs by both Org Admins as well as LOB Admins. End-to-end these mappings provide appropriate layers of abstraction for secure and efficient consumption and integration, but without losing flexibility and control for those customers requiring it. Backup Policy Configuration and Assignment When creating and scheduling backup policies for vCD, the cloud administrator must first create a series of backup policy templates. As illustrated in Figure 5, a policy template contains a schedule, retention, and an option set that you define based on Desired SLAs being offered. For example, this option set could take advantage of advanced options for in-flight encryption or to control guest file system quiescing for VMs that are sensitive to VMware snapshots. Overall the attributes of each component of the specific template is tailored to meet a desired service-level that the service provider is offering to the tenant. Usually these policy templates are designated and created to provide Gold, Silver, or Bronze levels of service that have a corresponding tiered cost structure for services rendered, for example. Upon enrolling a new tenant, or adding a new VDC for an existing tenant, the cloud admin will create a policy catalog and then create new or insert existing policy templates into it. With the policy templates now grouped together in the catalog each tenant can employ and assign those policies to Org VDCs. This now makes the policy templates available for selection and application as a default policy for all vApps or to customize and assign to specific virtual applications. Figure 5: Backup policy configuration workflow 9. 9 If we refer back to our vCloud Director Roles we outlined earlier, we mentioned that the Org Admin has a hybrid role as a consumer and a provider. Looking more specifically at the role from a backup policy workflow, the Org Admin will select a policy from the catalog that was pre-assigned to his VDC and assign these policies as the default policy or customize certain attributes, if allowed by the provider, and assign them to specific vApps. With this policy assignment and provisioning approach it allows the org admins the flexibility they needs, while providing the cloud administrator with the control to make sure the tenant is operating within agreed upon and paid for SLAs. Once the backup policies are assigned and in place, the backup scheduler will take care of backups automatically. Extending the vCloud Director REST APIs We have detailed up to this point how Avamar provides data protection resources that mimic vCloud hierarchy and are able to be deployed at vCloud scale. We briefly pointed out for you how unlike other solutions, Avamars implementation approach is to embed native backup service extensions inside of vCloud Directors already existing management and role based access control mechanisms. The benefits of this approach are that Avamar requires no other tools or management interfaces to enable current vCloud Director Admin Roles. The familiar vCloud Director REST API including its authentication and authorization capabilities is all that is needed for integration of Avamar backup services. Additionally, this means that since all backup and recovery operations are executed leveraging vCloud Director REST APIs, compatibility with any other tools in VMwares vCloud Suite utilizing those APIs is Simple. Ultimately, this provides service providers with a streamlined approach to including backup services to their tenants in a straightforward and cost effective manner while helping to accelerate Hybrid Cloud adoption by end users that will be more confident in consuming Public Cloud resources. CONCLUSION This solution covered in this white paper provides service providers with a simple to use, easy to implement, native, and scalable multi-tenant data protection solution for VMware vCloud Director. While we didnt review all of the great foundational technology some of you already know Avamar employs for virtual machine backup and recovery, all of those industry leading features such as the following are included: Full image backups of running virtual machines Utilizes efficient transport (SCSI hotadd), which avoids copying the entire vmdk image over the network Fully leverages the VMware vSphere APIs for Data Protection, including Changed-Block Tracking for both VM Image backup and recovery. Leverages virtual backup and recovery proxy server load balancing to achieve parallelism for superior backup throughput Its cloud ready data protection built on an innovative technology leading foundation and long track record as the fastest in the industry for VMware data protection.