Veeam Backup & Replication 9.5 Update 4 - Top Features for Veeam Cloud & Service Provider (VCSP) Partners
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Veeam Backup & Replication 9.5 Update 4 Top Features for Veeam Cloud & Service Provider (VCSP) Partners Anthony Spiteri Senior Global Technologist
Contents Introduction................................................................................................................................................................ 2 Cloud Tier................................................................................................................................................................... 3 Cloud Mobility ............................................................................................................................................................. 6 vCloud Director Support for Cloud Connect Replication .................................................................................................... 8 Gateway Pools for Cloud Connect ................................................................................................................................ 11 Tape as a Service for Cloud Connect Backup ................................................................................................................ 14 vSphere RBAC Self-Service Portal ................................................................................................................................ 19 Resources................................................................................................................................................................. 22 © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 1 All trademarks are the property of their respective owners.
Introduction In January 2019, Veeam® Software announced general availability for new Cloud Data Management™ capabilities as part of Veeam Availability Suite™ 9.5 Update 4. The new functionalities deliver cost-effective data retention, easy cloud migration and data mobility, cloud-native backup and protection for Amazon Web Services (AWS), portable cloud-ready licensing, increased security and data governance, and solutions to make it easier than ever for Veeam Cloud & Service Provider (VCSP) partners to deliver Veeam-powered services to market. In this whitepaper, we share the new core features included in Update 4, how they work, what’s in it for partners, and key resources to help you take full advantage of these powerful enhancements. For more information on Update 4, visit Veeam’s What’s New page. © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 2 All trademarks are the property of their respective owners.
Cloud Tier
Without question, one of the hardest and most challenging aspects of designing backend storage is facilitating storage
consumption and growth. The thirst to put backup workloads into the cloud continues to grow and with it comes the growth of
that data and the need to store it for longer.
Cloud Tier in Update 4 fundamentally changes the way in which the initial landing zone for backups is designed. With the ability
to offload backup data to cheaper storage, the Cloud Tier, which is part of the Scale-out Backup Repository™, allows for a more
streamlined and efficient Performance Tier of backup repository while leveraging scalable Object Storage for the Capacity Tier.
How it Works
The innovative technology Veeam has built into this feature allows for data to be stripped out of Veeam backup files (which are
part of a sealed chain) and offloaded as blocks of data to Object Storage, leaving a dehydrated Veeam backup file on the local
extents with just the metadata remaining in place. This is done based on a policy that is set against the Scale-out Backup
Repository that dictates the operational restore window of which local storage is used as the primary landing zone for backup
data and processed as a Tiering Job every four hours. The result is a space-saving, smaller footprint on the local storage
without sacrificing any of Veeam’s industry-leading recovery operations. This is what truly sets this feature apart and means
that even with data residing in the Capacity Tier, you can still perform:
• Instant VM Recoveries
• Entire computer and disk-level restores
• File-level and item-level restores
• Direct Restore to Amazon EC2, Azure and Azure Stack
© 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 3
All trademarks are the property of their respective owners.What this Means for VCSP Partners Cloud Tier is highly recommended for providers who want to offload backup data to cheaper storage while maintaining a high- performance landing zone for more recent backup data. If there are existing space issues on the local SOBR repositories, implementing Cloud Tier will relieve pressure and in reality allow VCSP partners to not have to seek further hardware purchases to expand the storage platforms backing those repositories. When it comes to Cloud Connect Backup, the potential for savings is significant because Backup Copy Jobs are statistically the most used form of off-site backup sent to VCSP partners. Self-contained GFS backup files are prime candidates for the Cloud Tier offload, and given that they are generally kept for extended periods of time, means that it also represents a large percentage of data stored on repositories. Here is an example of a Cloud Connect Backup Copy Job from the VCSP side when browsing from Explorer: You can see the GFS files are all about 22MB in size. This is because they are dehydrated VBKs with only metadata remaining locally. Those files where originally about 10GB before the offload job was run against them. Summary With the small example shown above, VCSP partners can start to understand the potential impact Cloud Tier can have on the way they design and manage their backup repositories. The ability to leverage Amazon S3, Azure Blog and any S3-Compatible Object Storage Platform means that VCSP partners have a choice as to what storage they use for the Capacity Tier. © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 4 All trademarks are the property of their respective owners.
Resources Harness the power of cloud storage for long-term retention with Veeam Cloud Tier Glossary Object Storage Repository: Name given to repository that is backed by Amazon S3, S3, Azure Blob or IBM Cloud Capacity Tier: Name given to extent on a SOBR using an Object Storage Repository Cloud Tier: Marketing name given to feature in Update 4 © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 5 All trademarks are the property of their respective owners.
Cloud Mobility
The Cloud Mobility feature is the new umbrella name for Veeam’s Restore to functionality. Prior to Update 4, we had the ability
to Restore to Microsoft Azure only. With the release of Update 4, we have added the ability to Restore to Microsoft Azure Stack
and Amazon EC2. It’s important to point out that this is a disaster recovery feature set; you can’t rely on this feature in the
same way that Cloud Connect Replication allows you to power on VM replicas on demand for DR.
Though you could configure restore tasks to run on demand via PowerShell commands and have systems in a ready state after
recovery, it is difficult to attach an RPO/RTO to the recovery process and therefore Cloud Mobility should be used for migrations
and testing. In essence, this is why it is called Cloud Mobility: It gives users and service providers the flexibility to shift
workloads from one platform to another with ease.
Restore to EC2
The ability to restore directly to EC2 is something that is demanded these days, and the addition of this feature to Update 4 was
one of the most highly anticipated. In enabling the restoration of workloads into EC2, we have made it possible for our
customers and partners to have the option to back up workloads from the following:
• vSphere or VMware vCloud Director using Veeam Backup & Replication
• Microsoft Hyper-V VMs using Veeam Backup & Replication
• Microsoft Windows or Linux machines created using Veeam Agent for Microsoft Windows or Veeam Agent for Linux
• Backups of Nutanix AHV VMs created using Veeam Availability for Nutanix AHV
These backups, once stored in the Veeam Backup File format, ensure absolute portability of those workloads. In terms of
restoring to EC2, the process is straight forward and can be done via the Veeam Backup & Replication console or
via PowerShell.
Again, the focus of this feature is to enable migrations and testing. It should also be noted that to perform a recovery, only the
most recent restore point can be used.
© 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 6
All trademarks are the property of their respective owners.Summary The addition of Restore to EC2 and Azure Stack can be used by manager service providers and service providers to offer true Cloud Mobility to their customers. While a lot of organizations are moving to the public cloud, they do sometimes want to get workloads out of those platforms and back on-premises or to service provider clouds. With these new Update 4 features Veeam customers have more choice than ever. References Veeam Backup & Replication 9.5 Update 4 User Guide: Restore to Amazon EC2 Automatic restore of multiple machines from Veeam to AWS © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 7 All trademarks are the property of their respective owners.
vCloud Director Support for Cloud
Connect Replication
VMware vCloud Director is the de facto standard for service providers who offer Infrastructure as a Service (IaaS) based on
VMware. Veeam has had a long history supporting vCloud Director, with the industry’s first support for vCloud Director-aware
backups released in Veeam Backup & Replication v7 following on with the first stand-alone Self-Service Backup Portal in v9.5.
With the release of Update 4, we have added support for Veeam Cloud Connect to replicate directly into vCloud Director virtual
data centers, allowing both our VCSP partners and customers to take advantage of the enhancements VMware has built into the
platform. While this has been a long time coming, this support represents a significant enhancement to the way in which our
VCSP partners offer DRaaS.
With tenants consuming vCloud Director resources, it allows them to take advantage of more powerful features when dealing
with full disaster, or the failure of individual workloads. Full and partial failovers will be more transparent with the use of the
vCloud Director HTML5 Tenant UI which will also allow tenants to see what is happening to workloads as they boot and interact
with the guest OS directly. This takes the pressure of the VCSP partners’ helpdesk and gives tenants more control of their
replicas once failed over.
Enhanced Edge Networking with NSX
From a networking point of view, being able to access the NSX Edge Gateway for replicated workloads means that tenants can
leverage the advanced networking features available on the NSX Edge Gateway. While the Network Extension Appliance did a
great job in offering basic network functionality, the NSX Edge offers:
• Advanced Firewalling and NAT
• Advanced Dynamic Routing (BGP, OSPF and more)
• Advanced Load Balancing
• IPsec and L2VPN
• SSL VPN
• SSL Certificate Services
© 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 8
All trademarks are the property of their respective owners.Once a failover has been triggered from the Veeam Backup & Replication Console or via the VCSP partners’ own Portals, the
ability to manage and configure everything through the vCloud Director HTML5 UI utilizing NSX via vCloud Director enhances
Cloud Connect Replication for both service providers and tenants.
Network Automation During Partial Failovers with the NEA
There are a number of options that can be used to extend the tenant network to the service provider cloud network when
actioning a partial failover. Tenants and service providers can configure:
• Custom IPsec VPN
• IPsec or L2VPN via the NSX Edge Gateway
• NEA to NEA L2 VPN
The Network Extension Appliance is still available for deployment in the same way as before Update 4, and can be used directly
from within a vCloud Director virtual data center. The NEAs automate the extension of a tenant network so that the failed over
workload can be accessible from the tenant network, even though it resides in the service provider’s environment. The NEA to
NEA option is the simplest and most effective way to extend the tenants network to the cloud network.
© 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 9
All trademarks are the property of their respective owners.Summary DRaaS is something that is only just becoming recognized as something that organizations require as part of their overall data protection strategy. Veeam has had a strong offering delivered through our VCSP partners for some time, with a strong focus on network automation (which is typically the hardest part of any DRaaS offering). With Cloud Connect Replication now targeting vCloud Director, we now have a very compelling DRaaS product that is simple, flexible and reliable, yet still delivers enterprise-grade functionality. © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 10 All trademarks are the property of their respective owners.
Gateway Pools for Cloud Connect
Cloud Connect has become the central mechanism for connectivity and communication between multiple Veeam services. When
first launched with Cloud Connect Backup in Veeam Backup & Replication v8, the Cloud Connect Gateways were used for all
secure communications between tenant backup server instances and the VCSP Cloud Connect backup infrastructure. This
expanded to support Cloud Connect Replication in v9 and from there we have added multiple products that rely on
communications brokered by Cloud Connect Gateways.
As of today, Cloud Connect Gateways facilitate:
• Cloud Connect Backup
• Cloud Connect Replication
• Full and Partial Failovers for Cloud Connect Replication
• Remote Console Access
• Veeam Availability Console Tenant and Agent Management
• Veeam Backup for Microsoft Office 365 Self Service
Prior to Update 4 the only way in which a VCSP partner could design and deploy the Gateways was in an all-or-nothing
approach when it came to configuring the IP address and DNS for the service endpoint. When considering VCSP partners that
also provide connectivity such as MPLS for their customers, it meant that to leverage direct connections that might be private,
the options were to either use the public address or setup a whole new Cloud Connect environment for the customer.
Now with Update 4 and Gateway Pools a VCSP partner can configure one or many Gateway Pools and allocate one or more
Cloud Connect Gateways to those pools. From there, tenants can be assigned to Gateway Pools.
© 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 11
All trademarks are the property of their respective owners.Cloud Gateways in a Gateway Pool operate no differently to regular Cloud Gateways. As with previous Cloud Gateways, if the primary gateway is unavailable, the logic built into Veeam Backup & Replication will failover to another Cloud Gateway in the same pool. If tenants are not assigned a Cloud Gateway Pool, they can use only gateways that are not a part of any Cloud Gateway Pool. That situation is warned in the UI when configuring the gateways. © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 12 All trademarks are the property of their respective owners.
Summary: The introduction of Cloud Connect Gateway Pools in Update 4 was undertaken due to direct feedback from our VCSP partners who wanted more flexibility in the way in which the Cloud Gateways where deployed and configured for customers. Not only can they be used to separate tenants connecting from public and private networks, but they can also be used for Quality of Service by assigning a Gateway Pool to specific tenants. They can also be used to control access into a VCSP Cloud Connect infrastructure if located in different geographic locations. For a great overview and design considerations of Cloud Connect Gateway Pools and Gateways themselves, check out the Veeam Cloud Connect Reference Architecture. References: Veeam Backup & Replication 9.5 Update 4 User Guide: Cloud Gateway Pool © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 13 All trademarks are the property of their respective owners.
Tape as a Service for Cloud Connect Backup When we introduced Cloud Connect Backup in Veeam Backup & Replication v8, we offered the ability for VCSP partners to offer a secure, remote off-site repository for their tenants. When considering air-gapped backups, though protected at the VCSP end, ultimate control for what was backed up to the Cloud Repository is in the hands of the tenant. From the tenant’s server they could manipulate the backups stored via policy or a malicious user could gain access to the server and delete the off-site copies. In Veeam Backup & Replication 9.5 Update 3 we added Insider Protection to Cloud Connect Backup, which allowed VCSP partners to put a policy on the tenant’s Cloud Repository that would protect backups from a malicious attack. With this option enabled, when a backup or a specific restore point in the backup chain is deleted or aged out from the cloud repository, the actual backup files are not deleted immediately. Instead, they are moved to a _RecycleBin folder on the repositories. In Update 4 we have taken that a step further to add true air-gapped backup options that VCSP partners can create services around for longer-term retention with the Tenant to Tape feature. This allows a VCSP partner to offer an additional level of data protection for their tenants. The tenant sends a copy of the backup data to their cloud repository, and the VCSP partner then configures backup to tape to send another copy to the tape media. If there is a situation that requires recovery if data in the cloud repository becomes unavailable, the VCSP partner can initiate a restore from tape. VCSP partners can also offer tape out services to help their tenants achieve compliance and internal policies without maintaining their own tape infrastructure. Tapes can be stored by the service providers, or shipped back to tenants as shown in the diagram below. © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 14 All trademarks are the property of their respective owners.
To take advantage of this new Update 4 feature, VCSP partners will need to configure Tape Infrastructure on the Cloud Connect server. What’s great about Veeam is that we have the option to use traditional tape infrastructure or take advantage of Virtual Tape Libraries (VTLs) which can then be backed by Object Storage such as Amazon S3. Note that there are a number of blogs and white papers available that guide you on the setup of an Amazon Storage Gateway to use as a VTL. Once the Tape Infrastructure is in place, as a VCSP partner with a Cloud Connect license when you upgrade to Update 4, under Tape Infrastructure you will see a new option called Tenant to Tape. A tenant backup to tape job is a variant of a backup to tape job targeted at a GFS Media Pool which is available for Veeam customers with regular licensing. What’s interesting about this feature is that there are a number of options that allow flexibility on how the jobs are created which also leads to a change of use case for the feature depending on which option is chosen. Choosing Backup Jobs will allow VCSP partners to add any jobs that may be registered on the Cloud Connect server, though in reality there shouldn’t be any configured due to licensing constraints. The other two options provide the different use cases. © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 15 All trademarks are the property of their respective owners.
Backup Repositories: This allows the VCSP partner to backup to tape one or more cloud repositories that can contain one or multiple tenants, and to backup the Cloud Connect repository in whole to an off-site location for longer-term retention. The ability to archive tenant Cloud Connect Backups to tape can help VCSP partners protect their own infrastructure against disasters that may result in loss of tenant data. It can be used as another level of revenue generating service. As an example, there could be two service offerings for Cloud Connect Backup, one with a basic SLA which only has one copy of the backup data stores and another with an advanced SLA that has data saved in two locations: the Cloud Connect Repository and the tape media. Tenants: This option offers a lot more granularity and gives the VCSP partner the ability to offer an additional level of protection on a per-tenant level. In fact, you can also drill down to the Tenant repository level and select individual repositories if tenants have more than one configured. © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 16 All trademarks are the property of their respective owners.
Again, this can be done per-tenant, or there can be one master job for all tenants. It’s important to understand that all tasks within the tenant backup to tape feature are performed by the VCSP partner. Unless the VCSP has created a portal that has information about the jobs, the tenant is generally unaware of the tape infrastructure and the tenant can’t view or manage backup to tape jobs configured or perform operations with backups created by these jobs. There is scope for VCSP partners to integrate such jobs and actions into their automation portals for self service. © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 17 All trademarks are the property of their respective owners.
Restores: VCSP partners can restore tenant data from tape for one tenant or more tenants at the same time. The restore can go to the original location or to a new location or be exported to backup files on local disk. Summary: Tenant to Tape or Tape as a Service for Cloud Connect Backup was a feature that didn’t get much airplay in the lead-up to the Update 4 launch; however, it gives VCSP partners more options to protect tenant data and truly offer an air-gapped solution to better protect that data. References: Veeam Backup & Replication using AWS VTL Gateway - Deployment Guide Backup and archive to AWS Storage Gateway VTL with Veeam Backup & Replication v9 © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 18 All trademarks are the property of their respective owners.
vSphere RBAC Self-Service Portal When Veeam Backup & Replication 9.5 was released, one of the top new features was the vCloud Director Self-Service Portal. This was aimed at our VCSP partners that leverage vCloud Director as their Cloud Management Platform to offer self-service capabilities. The portal was part of Veeam Enterprise Manager and uses vCloud Director Organizations and leverages vCloud Director authentication. For Update 4, we have used this feature as a base to release the vSphere RBAC Self-Service Portal. This has been primarily marketed as a non-service-provider feature that enterprises can use to drive self-service backup internally. RBAC for vSphere IaaS: The great thing about this new portal is that it can be used either in conjunction with the vCloud Director Self-Service Portal or standalone in the case that a service provider is not running vCloud Director. That is where this portal will come into play. While there are a number of VCSP partners that do run vCloud Director, the large majority of service providers or managed service providers do not. If they are running IaaS off native vSphere, the portal can be used to offer self-service backup and recovery to their tenants. The self-service permissions can be retrofitted to existing vCenter permissions or can be started fresh by using vSphere Tags. vSphere Tags is the best way to configure the multi-tenancy aspect of the configuration. In the setup, tags are matched to users which will dictate what tenants will be able to see and select when they log in. © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 19 All trademarks are the property of their respective owners.
Tenant Functions: Tenants get access to the self-service web portal which the VCSP partner makes available externally. Depending on the user roles and permissions that have been configured, they can select virtual machines to manage backup jobs, as well as restore VMs, files and application items within the bounds of their permissions. Tenants can also manage retention, schedule and notification settings as well as guest OS processing options. To simplify job management for the tenants, advanced job parameters (such as backup mode and repository settings) are automatically populated from the job templates if desired. © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 20 All trademarks are the property of their respective owners.
Summary: Once again, the vSphere RBAC Self-Service Portal is one of the sleeper hits for Veeam Backup & Replication 9.5 Update 4 and should be considered by all VCSP partners to offer a level of self-service capability to their tenants. The way in which this has been implemented on the back of Enterprise Manager with a one-to-many portal means this is the best self-service portal for IaaS and/or vCloud Director. This also means we do not need specialized appliances per-tenant, which is a massive upside on how Veeam differentiates itself in this space. References: Using Veeam Enterprise Manager Self Service with VMware vSphere Permissions Veeam Backup & Replication 9.5 Update 4 User Guide: Working with vSphere Self-Service Backup Portal © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 21 All trademarks are the property of their respective owners.
Resources About the Author: Anthony Spiteri is a Senior Global Technologist, vExpert, VCIX-NV and VCAP-DCV working in the Product Strategy team at Veeam, focusing on Veeam’s Service Provider products and partners. He previously held Architectural Lead roles at some of Australia's leading Cloud Providers. He is responsible for generating content, evangelism, collecting product feedback, and presenting at events. Anthony can be found blogging on anthonyspiteri.net or on Twitter via @anthonyspiteri. User Guides: Veeam Backup & Replication 9.5 Update 4: Veeam Cloud Connect Guide Veeam Backup & Replication 9.5 Update 4: User Guide for VMware vSphere Veeam Backup & Replication 9.5 Update 4: Enterprise Manager User Guide Veeam Cloud Connect Reference Architecture Veeam Backup & Replication using AWS VTL Gateway - Deployment Guide Blog Articles: Virtualization is Life!: Anthony Spiteri Blog Harness the power of cloud storage for long-term retention with Veeam Cloud Tier Automatic restore of multiple machines from Veeam to AWS Creating policy-based backup jobs for vCloud Director self-service portal with tenant creation A deeper look at Insider Protection in 9.5 Update 3 © 2019 Veeam Software. Confidential information. All rights reserved. 9.17.2019 | 22 All trademarks are the property of their respective owners.
You can also read
