EMC Avamar For vCloud Director
Backup and Recovery Services for Multi-Tenant
Private, Public and Hybrid Clouds
This white paper describes features introduced in EMC®
to extend VMware
Director’s service delivery and Virtual Data Center capabilities to include
EMC WHITE PAPER
TABLE OF CONTENTS
EXECUTIVE SUMMARY
Business Case
Solution Overview
Key Results
EMC AVAMAR OVERVIEW
Avamar: Industry Leading Backup for VMware
EMC AVAMAR FOR VCLOUD DIRECTOR WORKFLOW OVERVIEW
VMware vCloud Roles
Backup Resource Mapping and Assignment
Backup Policy Configuration and Assignment
Extending the vCloud Director REST APIs
Service Providers (SPs) face the challenge of providing easy to use backup solutions that integrate seamlessly with their hosted
VMware vCloud Director (vCD) environments. Providing a simple portal-based graphical solution, which allows their technical and
non-technical vCD customers to easily back up and restore virtual applications is critical to the successful adoption of this type of
offering. In addition, any portal-based Backup as a Service (BaaS) solution of this type must integrate into Service Provider
orchestration, management, and portal infrastructures. In addition it must integrate into tenant portal infrastructures to enable a
seamless Hybrid Cloud.
Existing dedicated, standalone, disk-based or tape-based backup offerings don’t provide the ease of use or deep integration with vCD
that Service Providers require. Therefore, these solutions do not enable providers to offer differing levels of backup as a service to
This enhanced capability being introduced in the Avamar 7.1 release accommodates service providers with the ability to offer backup
services to all of their customers, regardless of their technical abilities or usage model.
This white paper describes a scalable solution to augment VMware vCloud
Director environments with backup resources, including the backup components
involved, as well as the associated portal and orchestration integration
This solution can be used to provide backup services for public or private cloud-
based VMware vCloud Director environments.
This white paper validates the integration of the solution’s components and
provides broad guidelines about how this type of solution can be built and
integrated into the service provider’s environment.
Key solution components include:
EMC Avamar® 7.1 — to provide a centralized and scalable backup environment with deduplication and replication capabilities.
VMware vCloud™ Director™—to orchestrate the provisioning of Software-Defined Data Center services as complete Virtual Data
Centers that are ready for consumption in a matter of minutes.
Backup as a Service enables service providers to fundamentally change the way in which they provide backup services for customers
who have purchased their hosted vCloud Director environments. By leveraging industry leading backup and recovery resources that
have been enhanced to integrate and augment into native ITaaS infrastructures such as VMware’s vCloud, service providers can
provide robust and uniform data protection capabilities and bring a truly differentiated service offering in the marketplace. The
delivery of Avamar backup services for VMware in the Public Cloud is truly an enabling technology for Enterprise Cloud.
This solution demonstrates that BaaS:
Can provide a simple ‘one-click’ backup experience
Can be leveraged through direct or channel sales
Improves flexibility and simplifies application deployment
Enables users to focus on revenue generating activities and other projects instead of equipment logistics
Figure 1: Avamar vCD services
This white paper is intended for EMC employees, partners, and customers including IT planners, system architects and
administrators, and any others involved in evaluating, acquiring, managing, operating, or designing a BaaS infrastructure
environment leveraging EMC technologies. Throughout this white paper we assume that you have some familiarity with the concepts
and operations related to backup and virtualization technologies, and their use in cloud and data center infrastructures.
Service providers can offer BaaS to customers who need a flexible, on-demand backup infrastructure, but prefer not to purchase,
configure, or maintain it by themselves. In other cases, customers may have on premise backup resources in their private cloud, yet
are looking for backup and recovery capabilities for public cloud resources they are consuming to augment on premise infrastructure.
The features introduced in our latest release of Avamar, which are outlined here, focus on demonstrating how a service provider
can easily leverage Avamar to provide integrated and easy-to-consume backup and recovery resources in their vCloud Director
Fundamentally, as with any BaaS offering, this solution enables customers to consume data protection services in much the same
manner as they consume compute, memory and storage resources today in vCD. The key is that users consume and pay for these
resources without needing to understand or maintain the component devices and infrastructure required to provide the service.
Furthermore, customers can draw on the elastic resources that cloud infrastructure delivers and pay only for the backup service they
The BaaS environment typically consists of:
Hosted vCloud Director environments
Secure multi-tenant-enabled shared infrastructure
EMC AVAMAR OVERVIEW
Developed to solve the challenges associated with traditional backup, EMC Avamar deduplication backup software and system,
equipped with integrated global, client-side data deduplication technology, provide fast, next-generation daily full backups for virtual
environments, NAS systems, desktops/laptops, remote offices and business critical applications. EMC Avamar reduces the size of
backup data at the client—before it is transferred
across the network and ultimately stored. Unlike
traditional backup, Avamar delivers fast, daily full
backups via existing IP networks, and makes recovery
fast and easy with single-step restore.
Avamar also deduplicates backup data globally across
applications and sites worldwide to reduce the total
required backup storage by up to 30x. As a result,
Avamar provides the benefits of efficient long-term
retention on disk while dramatically lowering capital
and operating expenses including floor space, power,
Avamar backups can be quickly recovered in just one
step—eliminating the hassle of restoring the last good
full and subsequent incremental backups to reach the
desired recovery point.
Avamar software, similar to the other components in
the Data Protection Suite, is integrated for multi-streaming backups to EMC Data Domain deduplication storage systems for efficient
and highly scalable backup of specific data types and applications, simplifying management and maximizing existing IT investments.
Avamar: Industry Leading Backup for VMware
Figure 2: Avamar deduplication moves less data
Avamar provides variable-length client-side deduplication to accelerate the
virtualization journey by providing extremely fast and efficient backup and recovery
for the VMware environment. Avamar protects virtual machines (VMs) by
deduplicating data at the client—so that only new, unique, sub-file, variable-length
data segments are sent during daily full backups. This dramatically reduces the daily
impact on the virtual and physical infrastructure by up to 99 percent as compared to
traditional full-backup methods. While traditional backup software moves upward of
200 percent of the primary backup data on a weekly basis, Avamar moves as little as
two percent over the same seven-day period—removing backup bottlenecks and
enabling even greater levels of virtualization. Avamar backs up data globally across
physical and virtual servers. For virtualized environments, flexible backup options
include guest- and image-level backups. Avamar is a certified component of VCE®
Systems and VSPEX® converged infrastructure platforms.
Avamar is tightly integrated to the vStorage APIs for Data Protection (VADP) for agentless backups. Deduplication and backup
execute on a multi-threaded universal proxy VM, off-loading the backup from any of the VMs where the applications are running.
Through vSphere, each VM is dynamically mounted to the proxy without physically moving data across the network, enabling
Avamar to back up numerous virtual machines in just minutes. To maximize backup throughput, Avamar uses a load balancing
algorithm across multiple proxy VMs. Instead of being locked into using only a single proxy for a set of VMs, Avamar leverages
numerous proxies and sends a backup job to an available proxy. Avamar also takes advantage of VMware’s Changed Block Tracking
(CBT) to further speed up the backup and restore processes. VMware presents only changed blocks to the Avamar software, where
each block is broken into variable length segments and further evaluated for uniqueness. Only the unique segments are sent for
backup, achieving the fastest backup possible. Conversely, the restore process also leverages CBT for faster recovery. Avamar
understands the current state of the VM and determines the required blocks from the last backup, restoring the VM in just minutes.
Avamar enables full VM or file-level restore to the original VM, an existing VM or a new VM—directly from the Avamar user interface.
Also available with image backups is disk-level granularity that enables Avamar to back up specific virtual disks, thus reducing
backup times and backup storage. Thin provisioned recovery speeds up the restore process and reduces required storage.
EMC AVAMAR FOR VCLOUD DIRECTOR WORKFLOW OVERVIEW
The following sections of this white paper will walk end to end through a typical service provider ITaaS model and how backup
resource and policy creation, assignment, and consumption occurs within an Avamar powered vCloud Director protection solution.
VMware vCloud Roles
Before we dive into each process, let’s review the specific administrator roles involved in a typical vCD workflow:
The cloud administrator and team manage the infrastructure and overall management of providing consumable
services and provisioning those services for consumption by individual tenant orgs. In the case of an SP, each
tenant would be a distinctly different client consuming ITaaS resources offered by the SP. As we will discuss
further in the sections below, the cloud administration team will manage EMC Avamar systems as the foundation
of Backup Resources included in new or existing tenant service catalogs. This includes allocation of underlying backup repositories to
each vCD tenant, creating backup policy service-level templates, and enforcing resource usage quotas in those policies.
The Organization Admin (Org Admin) plays a hybrid role within the vCD workflow. While acting as a consumer of
resources provided and assigned by the SP, the Org Admin is also a provider and administrator of virtualized
application (vApp) services to sub-tenants who are often the organization’s lines of business admins. Within the
vCD environment the Org Admin has full rights to manage and deploy the vApp instances; control and rights are
limited and controlled by the policy SLAs delivered by the Cloud Admin. For backup resources, while the cloud admin instantiates
backup policy templates into backup policies, the Org Admin can manipulate these policies, assign them as default to VDCs and
assign them explicitly to vApps.
Figure 3: Avamar VM image backup
Line of Business Admin
The line of business admin (LOB Admin) is a pure consumer of the vApp resources provisioned by the Org
Admin, and administers the business critical applications running on those vApp instances for end-users.
Working together with the Org Admin to assure availability of applications for backup and recovery operations,
LOB Admins have full control to run ad-hoc backups and recoveries as necessary to protect vApps as needed
but have limited control and require collaboration with the Org Admin to set backup schedule and retention.
Unlike other solutions offering protection for vCloud Director resources, Avamar natively integrates within vCloud’s Role-Based
Access Control mechanisms to map access to backup and recovery resources and policies without the requirement for creating
additional service accounts and access rights for each role within Avamar. Seamlessly applying backup and recovery services within
the existing vCD workflow was a top requirement for development of this functionality.
Backup Resource Mapping and Assignment
As mentioned above, Avamar introduces through tight integration with vCD the ability to provision and assign backup resources to
tenants and sub-tenants. Let’s take a closer look at how physical infrastructure implemented via Avamar along with its integration
with Data Domain systems can be incorporated and leveraged within vCD.
The foundation of consumable backup resources is the “Backup Appliance.” A Backup Appliance can be an Avamar Data Store,
Avamar Virtual Edition, or Avamar with one or more Data Domain systems. For the illustration shown in Figure 2 below, the process
begins with the Cloud Administrator. A member of the cloud administration team is responsible for, and is provided with the capabilities
to manage, all the backend backup appliances and corresponding physical infrastructure.
As we begin working through the multi-tenant structure, the Cloud Admin creates “Backup Repositories” that have a Many:1
relationship to Backup Appliances. Using the Backup Repository abstraction, the pool of Backup Appliances can now be split amongst
tenants who will consume their resources. While a repository can only be created using one Backup Appliance, a single backup
appliance can support multiple backup repositories. This is ultimately what allows multiple tenants to be assigned and logically
partitioned on a single backup appliance.
As you can see in Figure 3, the right-most backup appliance is hosting both Repository 3 and Repository 4. This is a similar paradigm
to how multiple Organizational VDCs are assigned to a single Provider VDC in vCloud Director.
Figure 4: Backup resource mapping
This example illustrates two organizations, or tenants, represented as “Org VDC A” and “Org VDC B”. The cloud administrator
upon enrolling each tenant, or adding backup services to an already existing tenant, will map a desired repository to each tenant.
Repository mappings to Org VDCs were designed with flexibility in mind to meet the needs of each tenant. In this example, we are
mapping Repository 1 to Org VDC B and Repository 2 to Org VDC A. By doing this we are able to dedicate physical backup appliances
to a tenant for regulatory purposes. As hosted-cloud and public clouds are in their nature agile and flexible, depending on the
capacity and changing performance requirements for particular tenants it may be necessary to map multiple Backup Repositories to
a particular Org VDC.
In this scenario we are also assigning Repository 4 to Org VDC B and Repository 3 to Org VDC A. The majority of cases will find
tenants sharing a backup appliance by assigning multiple repositories to each backup appliance. When multiple repositories are
assigned to an Org VDC only one repository is considered “active” at a time. It is the responsibility of the Cloud Administrator to
determine which repository should be “Active” for a specific tenant. Repositories in an Active state will service any new incoming
backup requests while “non-active” repositories simply retain previously run backups and service restores. In this example, upon
adding Repositories 3 and 4, Repositories 1 and 2 are no longer active.
The backup repository construct also serves another purpose for the cloud administrator: the ability to enable and configure service
quotas for specific tenants. Both total capacity usage quotas as well as daily capacity usage quotas can be configured on each
repository, therefore controlling consumption of tenants and sub-tenants and assuring control of agreed upon service-level
agreements. This is similar to how Org VDCs allow limits to the consumption of compute, network, and storage resources.
Finally, once assigned to the Org VDCs, backup repository resources are able to be consumed and leveraged for protection of vApps
and VMs by both Org Admins as well as LOB Admins. End-to-end these mappings provide appropriate layers of abstraction for
secure and efficient consumption and integration, but without losing flexibility and control for those customers requiring it.
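The mapping rules in this section (each repository on one appliance, exactly one active repository per Org VDC, per-repository total and daily quotas) can be checked mechanically. The sketch below is an added example, not Avamar or vCloud Director code; the data layout, the `dedicated` flag, the appliance names and the quota figures (in GB) are constructed assumptions built around the Repository 1-4 example above.

```python
from collections import defaultdict

# Constructed sample data following the white paper's example. Appliance names,
# the "dedicated" flag and all quota numbers are illustrative assumptions.
REPO_APPLIANCE = {"Repository 1": "Appliance 1", "Repository 2": "Appliance 2",
                  "Repository 3": "Appliance 3", "Repository 4": "Appliance 3"}
ORG_VDCS = {  # repository name -> True if it is the active repository
    "Org VDC A": {"dedicated": True,
                  "repos": {"Repository 2": False, "Repository 3": True}},
    "Org VDC B": {"dedicated": False,
                  "repos": {"Repository 1": False, "Repository 4": True}},
}
# Per-repository quotas in GB: total capacity usage and daily capacity usage.
QUOTAS = {"Repository 3": {"total": 1000, "daily": 100},
          "Repository 4": {"total": 500, "daily": 50}}


def audit(repo_appliance, org_vdcs):
    """Return findings where the mapping breaks the rules described above."""
    findings = []
    tenants_on = defaultdict(set)  # appliance -> Org VDCs holding a repository on it
    for vdc, cfg in org_vdcs.items():
        active = [r for r, is_active in cfg["repos"].items() if is_active]
        if len(active) != 1:
            findings.append(f"{vdc}: expected one active repository, found {len(active)}")
        for repo in cfg["repos"]:
            if repo not in repo_appliance:
                findings.append(f"{vdc}: {repo} is not backed by any appliance")
            else:
                tenants_on[repo_appliance[repo]].add(vdc)
    # A tenant that needs dedicated appliances must not share one, even through
    # a non-active repository that only retains older backups.
    for vdc, cfg in org_vdcs.items():
        if not cfg["dedicated"]:
            continue
        for repo in cfg["repos"]:
            appliance = repo_appliance.get(repo)
            others = tenants_on.get(appliance, set()) - {vdc}
            if others:
                findings.append(
                    f"{vdc}: {repo} shares {appliance} with {', '.join(sorted(others))}")
    return findings


def admit_backup(vdc, size_gb, used_total_gb, used_today_gb, org_vdcs, quotas):
    """Route a new backup to the tenant's active repository, or refuse it on quota."""
    active = [r for r, is_active in org_vdcs[vdc]["repos"].items() if is_active]
    if len(active) != 1:
        return None, "no single active repository"
    quota = quotas.get(active[0], {})  # a repository without a quota is unlimited
    if used_today_gb + size_gb > quota.get("daily", float("inf")):
        return None, "daily capacity quota exceeded"
    if used_total_gb + size_gb > quota.get("total", float("inf")):
        return None, "total capacity quota exceeded"
    return active[0], "accepted"


if __name__ == "__main__":
    for finding in audit(REPO_APPLIANCE, ORG_VDCS):
        print(finding)
    print(admit_backup("Org VDC B", 20, 400, 40, ORG_VDCS, QUOTAS))
```

With this sample data the audit reports that adding Repositories 3 and 4 on one appliance puts Org VDC A, which started on a dedicated appliance, next to Org VDC B.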
Backup Policy Configuration and Assignment
When creating and scheduling backup policies for vCD, the cloud administrator must first create a series of backup policy templates.
As illustrated in Figure 5, a policy template contains a schedule, retention, and an option set that you define based on desired SLAs
being offered. For example, this option set could take advantage of advanced options for in-flight encryption or to control guest file
system quiescing for VMs that are sensitive to VMware snapshots. Overall the attributes of each component of the specific template
are tailored to meet a desired service-level that the service provider is offering to the tenant. Usually these policy templates are
designated and created to provide “Gold, Silver, or Bronze” levels of service that have a corresponding tiered cost structure for
services rendered, for example. Upon enrolling a new tenant, or adding a new VDC for an existing tenant, the cloud admin will create
a policy catalog and then create new or insert existing policy templates into it. With the policy templates now grouped together in the
catalog each tenant can employ and assign those policies to Org VDCs. This now makes the policy templates available for selection
and application as a default policy for all vApps or to customize and assign to specific virtual applications.
Figure 5: Backup policy configuration workflow
If we refer back to our vCloud Director Roles we outlined earlier, we mentioned that the Org Admin has a hybrid role as a consumer
and a provider. Looking more specifically at the role from a backup policy workflow, the Org Admin will select a policy from the
catalog that was pre-assigned to his VDC and assign these policies as the default policy or customize certain attributes, if allowed by
the provider, and assign them to specific vApps. This policy assignment and provisioning approach gives Org Admins the
flexibility they need, while providing the cloud administrator with the control to make sure the tenant is operating within agreed
upon and paid for SLAs. Once the backup policies are assigned and in place, the backup scheduler will take care of backups
Extending the vCloud Director REST APIs
We have detailed up to this point how Avamar provides data protection resources that mimic vCloud hierarchy and are able to be
deployed at “vCloud scale.” We briefly pointed out for you how unlike other solutions, Avamar’s implementation approach is to
embed native backup service extensions inside of vCloud Director’s already existing management and role based access control
mechanisms. The benefits of this approach are that Avamar requires no other tools or management interfaces to enable current
vCloud Director Admin Roles. The familiar vCloud Director REST API including its authentication and authorization capabilities is all
that is needed for integration of Avamar backup services. Additionally, this means that since all backup and recovery operations are
executed leveraging vCloud Director REST APIs, compatibility with any other tools in VMware’s vCloud Suite utilizing those APIs is
Ultimately, this provides service providers with a streamlined approach to including backup services to their tenants in a
straightforward and cost effective manner while helping to accelerate Hybrid Cloud adoption by end users that will be more confident
in consuming Public Cloud resources.
The solution covered in this white paper provides service providers with a simple to use, easy to implement, native, and scalable
multi-tenant data protection solution for VMware vCloud Director. While we didn’t review all of the great foundational technology
some of you already know Avamar employs for virtual machine backup and recovery, all of those industry leading features such as
the following are included:
Full image backups of running virtual machines
Utilizes efficient transport (SCSI hotadd), which avoids copying the entire vmdk image over the network
Fully leverages the VMware vSphere APIs for Data Protection, including Changed-Block Tracking for both VM Image backup and
Leverages virtual backup and recovery proxy server load balancing to achieve parallelism for superior backup throughput
It’s cloud ready data protection built on an innovative technology leading foundation and long track record as the fastest in the
industry for VMware data protection.