Cohesity’s protection solution
The solution extends VMware Cloud Foundation (VCF) using the Fortify app. Cohesity Data Protection for VMware Cloud Foundation provides an option to meet VMware’s best practices for Data Protection of VCF environments with both file-level and image-level backups for all the critical management components.
This solution provides the following features.
- Automated Discovery using native APIs of your VCF environment (workload and management domains)
- Automatic configuration of File-Based Backups of NSX Manager, SDDC Manager, and vCenter, including schedules, retention, and on-demand backups (where supported).
- Provides Secure FTP (sFTP) service and persistent storage to hold encrypted backed-up datasets.
Solution Architecture
This App runs as an application on the Cohesity cluster. It consists of the following components.
- UI: This component acts as the interface to the Backend service. It lets the user register an SDDC Manager, configure the SFTP server on the SDDC Manager, view the protection job status, and manage the SFTP users for the SFTP server component.
- SFTP Server: This component is where the file-based backups for the VCF components are stored. You can use the UI component to manage the users for this SFTP server. This SFTP server stores data on a Cohesity internal view, which is protected by a Cohesity Protection job.
- Backend: This component is responsible for making REST API calls to both Cohesity internal services and the VCF API endpoints. Using these API calls, the Backend service performs the following operations on the VCF side:
  - Authenticates the SDDC credentials.
  - Fetches an inventory of all management components in the Management and Workload domains.
  - Configures the following components for SFTP File-Level Backups in accordance with VMware best practices:
    - SDDC Manager
    - NSX Manager
    - vCenter
  - Starts file-level backups (on demand or scheduled) for VCF components wherever applicable.
Summary of all the operations this application performs:
- Perform a single connection to the VCF environment (management domain) and then detect the linked workload vCenter systems and establish connections to them.
- Use RESTful APIs to configure the sFTP destination, rotation schedule, and credentials.
- Host the sFTP service directly on Cohesity and protect it natively using Magneto.
- Permit credential rotation using CyberArk EPM (a bank requirement).
Operational Overview
This section provides steps for configuring and using Cohesity’s Fortify App to protect VMware Cloud Foundation.
Configuration Requirements
For environment requirements, please consult the latest product documentation at https://support.cohesity.com.
Install and Configure the Fortify App
The steps to install this app are the same as for any other application on the Cohesity App Marketplace. The detailed installation steps can be found in the Cohesity documentation.
Configure the App
- On the Welcome page for the DCM Backup App, click Get Started!
- You will be navigated to the DCM Backup User Management page. On this page, you will find the option to create users for the SFTP server.
- After you create a user, you will be able to view the list of users on this page. You can manage the users by either updating the password for a user or deleting the user.
Note: We currently do not support password rotation for these users, because that would break the backup workflow.
- After you have created SFTP users, you can register the SDDC Manager and configure the SFTP endpoint on the SDDC Manager using one of the users you created in the previous step.
- Before you go to the next step, make sure you make a note of the SFTP user you created in step 6. You will need the user details when configuring the SFTP endpoint on the SDDC manager.
- In order to get started with VCF protection, click on the gear icon on the top right corner and select the Manage VCF option.
- Click on the Register button to register the VCF endpoint.
- Enter the SDDC credentials and click Connect.
Note: The credentials required here need to be in the @vsphere.local domain and have the SDDC Manager role assigned to facilitate proper discovery and authentication.
- The DCM Backup App will fetch the domain details for this SDDC manager which will be listed as a tree view. You will also see an option to configure the SFTP details for file-based backup for the SDDC manager. Review the domain details and click on SFTP Details.
- Fill in the SFTP form, using the data that you captured in step 9 and click Submit.
Note: The encryption passphrase is used to encrypt the files before they are sent over the wire. Even though the files are stored securely on Cohesity and transferred securely using the sFTP protocol, some VCF backup files do store passwords in clear text. So although an encryption passphrase is not mandatory for every component of the VCF stack when configured manually, Cohesity requires it for this implementation. Please record the passphrase separately. If you do not, it is unrecoverable, and thus your backup files will be unusable.
- You are redirected to the VCF sources page where you can see the registered VCF sources.
- You can perform several operations on these VCF sources, as shown in the screenshot:
  - Perform the Backup now operation if you want to run an on-demand backup.
  - Use the refresh operation when:
    - A new component is added to any domain in the VCF environment, including a new workload domain.
    - The SFTP endpoint is updated.
- To get the detailed protection status for all the components, click on the VCF endpoint column in the list.
- This will take you to the details page, where you will see the list of all domains (Management and Workload).
- Click on the domain to see more details about the individual component protection as shown in this screenshot.
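The refresh and protection-status steps above amount to a coverage check: every discovered management component should have a file-based backup that is configured, encrypted with a passphrase, and recent. The following is an added example, not Cohesity's code or the app's API. The inventory and state shapes, host names, and the 24-hour freshness threshold are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed inventory as discovery might report it (hypothetical shape).
INVENTORY = [
    ("mgmt", "SDDC_MANAGER", "sddc01.example.test"),
    ("mgmt", "VCENTER", "vc-mgmt.example.test"),
    ("mgmt", "NSX_MANAGER", "nsx-mgmt.example.test"),
    ("wld01", "VCENTER", "vc-wld01.example.test"),
    ("wld01", "NSX_MANAGER", "nsx-wld01.example.test"),  # added after last refresh
]

# Constructed backup state per FQDN: (passphrase set?, last successful backup).
STATE = {
    "sddc01.example.test": (True, NOW - timedelta(hours=3)),
    "vc-mgmt.example.test": (True, NOW - timedelta(hours=30)),
    "nsx-mgmt.example.test": (False, NOW - timedelta(hours=1)),
    "vc-wld01.example.test": (True, NOW - timedelta(hours=2)),
    "vc-old.example.test": (True, NOW - timedelta(days=90)),  # decommissioned host
}

def audit(inventory, state, now, max_age=timedelta(hours=24)):
    """Return (fqdn, finding) pairs; max_age is an assumed policy value."""
    findings = []
    known = set()
    for _domain, _ctype, fqdn in inventory:
        known.add(fqdn)
        if fqdn not in state:
            # Discovered but never configured, e.g. added since the last refresh.
            findings.append((fqdn, "not configured: run refresh"))
            continue
        passphrase_set, last_ok = state[fqdn]
        if not passphrase_set:
            findings.append((fqdn, "no encryption passphrase"))
        if last_ok is None or now - last_ok > max_age:
            findings.append((fqdn, "backup stale or never succeeded"))
    # Configured entries that discovery no longer reports: review and clean up.
    for fqdn in sorted(set(state) - known):
        findings.append((fqdn, "configured but not in inventory"))
    return findings

if __name__ == "__main__":
    for fqdn, finding in audit(INVENTORY, STATE, NOW):
        print(f"{fqdn}: {finding}")
```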