Cohesity Platform for Data Protection of VMware Cloud on AWS


Article ID: 324697


Updated On:


VMware Cloud on AWS


This article provides information about Cohesity Platform for Data Protection of VMware Cloud on AWS.

Disclaimer: The partner solution referenced in this article is a solution that is developed and supported by a partner. Use of this product is also governed by the end user license agreement of the partner. You must obtain from the partner the application, support, and licensing for using this product. For more information, see

This section includes a summary of the target data protection:

Use cases

Cohesity provides a policy driven approach for data protection of VMs in VMware Cloud on AWS. The use cases covered in this section are:
  • Data Protection in VMC
  • Extended Retention
  • VM level Recovery
  • Granular File & Folder Recovery

Solution Architecture

Cohesity provides end-to-end data protection for application-driven modern infrastructure that spans from core to the cloud and edge. Customers benefit from the same user-friendly interface for managing backup of VMware environments, both on-premises and in VMware Cloud on AWS.

This section focuses on Cohesity Platform for protection of workloads in VMware Cloud on AWS (VMC) Platform. Cohesity Data Protection solution can be deployed in two form factors to protect VMC workloads, either as a VMware VM deployed inside VMC SDDC (called Cohesity Virtual Edition) or running on Amazon EC2 instances in the regular AWS account (called Cohesity Cloud Edition).

Cohesity Virtual Edition deployment is suitable for protecting small VMC environments and Cloud Edition for medium-large VMC environments.

The illustration below shows Cohesity Virtual Edition (VE) deployed in VMC SDDC to protect VMC VMs and optionally store the backups in AWS S3 or S3 Glacier for long term retention.

Fig: VMC Data Protection using Cohesity Virtual Edition

Cohesity Cloud Edition (CE) is an Amazon EC2 instance-based deployment of Cohesity Platform. It is deployed in the customer AWS account. Cohesity Cloud edition communicates with VMware SDDC via proxy VM(s) called Hybrid Extenders (HyX) which are installed within VMC SDDC.

The picture below shows Cohesity Cloud Edition deployment in AWS account for VMC data protection with Proxy VMs running inside SDDC. All the vSphere APIs and the VDDK calls are routed through the HyX VM(s). VM backups are performed using hotadd transport mode via the HyX VM(s). VM recovery is done by creating a VM with empty disks and using hotadd transport mode to copy over the data via HyX VM.

Fig: VMC Data Protection using Cohesity Cloud Edition

Solution Components

Cohesity Platform leverages the vSphere Storage APIs – Data Protection (VADP) and the Virtual Disk Development Kit (VDDK) to integrate with vSphere & vSAN in VMC. This provides extremely efficient virtual machine image-level data protection with best-in-class global deduplication, data resiliency with strict consistency, and software-based encryption using the AES-256 standard, with optional FIPS certification for data encryption in flight and at rest. An easy-to-manage UI and policy-based management allow customers to achieve strict business SLAs.

Cohesity Virtual Edition based solution provides data protection in VMC through the deployment of Cohesity Virtual Appliance in VMC SDDC. More information on the Virtual Edition specifications can be found at

Cohesity Cloud Edition based solution provides VMC Data protection through the deployment of Cohesity Cloud Edition in the AWS account. It uses proxy VM(s) called “Hybrid Extender” to communicate with VMC vCenter & ESXi hosts for backup and recovery. More information on the Cloud Edition specifications can be found at

Operational Overview

The following concepts and activities are part of knowledge transfer for enterprise customers deploying Cohesity Platform for VMC Data protection.

1. Initial Setup and Configuration

Cohesity VE Deployment

Deploy and configure Cohesity Virtual Edition OVA in VMC SDDC. Steps to download, install and setup Cohesity Virtual Edition can be found in Cohesity Virtual Edition Setup Guide available at

Cohesity CE Deployment:
  1. Deploy Cohesity Cloud Edition (CE) in AWS either via GUI or CLI. GUI based installation is available for Cohesity’s SaaS Management Platform (Helios).
Steps to set up Cohesity Cloud Edition via Helios are available at
Alternatively, Cohesity Cloud Edition can be set up via CLI as well; the steps are available at
  2. Deploy Hybrid Extender (HyX) proxy VMs on VMC SDDC and configure HyX with the CE using the steps below:
    1. Download HyX OVA and HyX configuration file from Cohesity UI
    2. Deploy the OVA to VMC SDDC
    3. After the OVA has been deployed, upload the HyX configuration file to the HyX VM
      1. URL: http://[HyX ip-address]:29994/upload
    4. Check that the HyX status in the Cohesity UI shows as “Connected”
Fig:  Download HyX OVA from Cohesity Platform
Fig:  Deploy the Hybrid Extender in the SDDC
Fig:  Upload the Hybrid Extender configuration files
Fig:  Hybrid Extender(s) will show as “Connected”

2. Register vCenter as Data Source

Add SDDC vCenter as a data source in Cohesity platform to discover the VMs running on VMC.

3. Register S3 bucket for Extended Retention (Optional)

Create an S3 bucket in your AWS account and register it as an External Target on Cohesity Platform. This step is required to store backups outside of the Cohesity platform for long term retention.

4. Create Protection Policies and Protection Groups

A Protection Policy defines the periodicity and retention of backups, and their archival and replication. A Protection Job defines which objects are backed up. A Protection Policy can be used for many Protection Groups.

For example, the screenshot above shows a Protection Policy called “Archive Group C” which does the following:
  • Take a Snapshot every 4 hours and retain it for 1 week on Cohesity Platform
  • Retry capturing Snapshots 3 times 5 minutes apart before reporting an error
  • Send a copy of Snapshot to AWS S3 bucket and retain it for 2 weeks.

A Protection Group specifies a Source, the Objects to be backed up from that source, and a Policy to be used for the backups. The screenshot above shows a new Protection Group being created to back up a few VMs from vCenter in SDDC and using a Policy called “Archive - GroupC”.

Auto-Protect Feature
While creating Protection Group, you can optionally choose Automatic protection at any hierarchical level e.g. a folder level. Every time a new VM is added to the folder, the VM is automatically protected with the previously defined policy and job. This enables the administrator to be hands off for VM data protection while still ensuring that data protection SLAs are met.

Fig: Cohesity Auto-Protect Feature

Fig: Protection Groups on Cohesity Platform

5. VM level Recovery

Cohesity provides the ability to recover Protected Objects (such as VMs) from a Snapshot created earlier by a Protection Group. You can choose a snapshot on Cohesity Platform stored either locally or on AWS S3 external target for recovery. You can recover VMs to the same Logical network in VMC or a different logical network.
The Recover task extracts the VM files (such as the VMDK files) stored in Snapshots and creates new instances of the VMs in their original locations or in a new location, depending on the options you choose during recovery:
  • Recover to Original Location—Recover the VM(s) to their original Resource Pool, datastores, VM folder and logical network in VMC
  • Recover to New Location—Recover the VM(s) to an alternate resource pool, datastore, VM folder or logical network in VMC.

Cohesity provides an intuitive user interface for recovery workflows. The screenshot above shows how users can initiate recovery by searching for the objects to recover. Object names or Protection Group names can be used for search filters.

6. File and Folder Recovery

Cohesity Platform provides the ability to recover files and folders from a Snapshot created earlier by a Protection Group. Files and folders can be recovered to the original VM or a different VM. You can choose to retain the recovered files' and folders' original (at the time of the backup) permissions and attributes. You can also download files and folders from selected Snapshots. However, only items that were indexed when the Snapshot was created can be downloaded.

The Recover task extracts the files stored in Snapshots and creates new instances of them in the original VM or a different VM, depending on the options you choose during recovery. You can also choose to download files and folders.

Fig: Granular Search for File & Folder level Recovery

Recover Files or Folders—Recover files or folders to the original location or to a new location.
Download a File or Folder—Download files or folders from an existing Snapshot.

VM Backup Flow

VM backup is done using hotadd transport mode. Although the high-level steps are the same, the flow varies slightly between Virtual Edition and Cloud Edition. For Cloud Edition, all the vSphere related control calls and the data calls to pull the data go via HyX. Cohesity performs the steps below during the VM backup workflow:
  1. Cohesity software takes a snapshot of the VM.
  2. The VMDKs associated with the snapshot are opened using the VDDK library via HotAdd transport mode.
  3. CBT is leveraged to perform incremental backups.
  4. Once all the data is copied, VM snapshot is released.
  5. VM backup on Cohesity is readily available for recovery from the fully hydrated Cohesity snapshots.
Fig: VM Backup Flow in Cohesity Virtual Edition Deployment
Fig: VM Backup Flow in Cohesity Cloud Edition Deployment

VM Recovery Flow

VM recovery is done using hotadd transport mode. Although the high-level steps are the same, the flow varies slightly between Virtual Edition and Cloud Edition. For Cloud Edition, all the vSphere related control calls and the data calls to pull the data go via HyX. Cohesity performs the steps below during the VM recovery workflow:
  1. Cohesity software clones the VM files (such as the VMDK files) stored in Snapshots to a temporary Cohesity View. A View is a Cohesity representation of a datastore.
  2. Cohesity software creates the target VM(s) with blank disks on the VMC SDDC vCenter based on VM configuration associated with the selected snapshot.
  3. Data is copied from VMDK files from the cloned view to the VMDKs attached with the recovered target VM.
  4. Recovered VM is powered ON or left powered off based on user selection.
Fig: VM Recovery Flow in Cohesity Virtual Edition Deployment
Fig: VM Backup Flow in Cohesity Cloud Edition Deployment

Additional Information

 Support Information

Troubleshooting (logs, procedures, and techniques):
  • Cohesity cluster provides a secure remote tunnel for Cohesity Support personnel to access the cluster and examine and monitor the health of the cluster and troubleshoot to help customers resolve issues.
  • Cohesity uses a Time capsule to aggregate and capture logs in an offline bundle for clusters that are not accessible via the remote tunnel.

Indicate whether the solution supports vMotion, HA, and FT:
  • Cohesity leverages and protects VMs and application workloads using vSphere features including vMotion, HA, and SMP-FT.

Link to product documentation, and specific reference points in those documents (example, Page Numbers of content referenced)
Link to the downloads site
Support Process
Cohesity support currently offers 3 different support channels for engaging with our customers
Web Portal
Login credentials are required to access our secure Support Web portal:
From the Cohesity Support Portal you can:
  • Manage your profile
  • Submit new cases
  • Manage existing cases
  • Browse our knowledge base
  • Explore our Product Documentation
  • Participate in our community with other customers and power users
  • United States & Canada:  +1-855-9COHESITY, option 2
  • United Kingdom:  +44 (0)113 8681096, option 2 
  • India:  +91 80 67347095
  • Japan:  +81 6 4560 2923 



Hybrid Extender Requirements
  1. A minimum of (1) Hybrid Extender must be deployed per ESXi cluster in the VMC on AWS environment
  2. Multiple HyX VMs can be deployed in the VMC on AWS environment if necessary and the backups will scale
  3. Hybrid Extender VM resource requirements: vCPU: 4, Memory: 4 GB, Disk: 64 GB
  4. AWS security group:
    1. Allow access between HyX and the CE cluster (to and from) on the following ports: 22, 29991, 11117
    2. Allow access from CE to VMC SDDC on ENI security group to the following ports: 22, 29991, 11117
  5. VMC on AWS:
    1. Connectivity between SDDC to AWS VPC must be configured
    2. Enable access between the CE and HyX, and HyX access to the VMC on AWS vCenter:
      1. HyX to the SDDC vCenter
      2. HyX to Cohesity CE cluster (Bi-directional)
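
One way to check a security group against the port list above, as an added example (not Cohesity's or this article's own code). It assumes the ports are TCP, that the rules come from the "IpPermissions" list of `aws ec2 describe-security-groups`, and that the HyX subnet is known; the function name, sample rules and addresses are constructed for illustration.

```python
import ipaddress

# Ports the article lists for HyX <-> CE traffic. TCP is an assumption;
# the article does not name the protocol.
REQUIRED_PORTS = frozenset({22, 29991, 11117})

# Constructed sample shaped like the "IpPermissions" list returned by
# `aws ec2 describe-security-groups`; every address here is made up.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.2.0.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 29991, "ToPort": 29999,
     "IpRanges": [{"CidrIp": "10.2.0.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def audit_ingress(permissions, peer_cidr, required=REQUIRED_PORTS):
    """Return (missing_ports, findings) for one security group's ingress rules."""
    peer = ipaddress.ip_network(peer_cidr, strict=False)
    covered, findings = set(), []
    for rule in permissions:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # Protocol "-1" means all traffic and carries no port fields.
        lo, hi = (0, 65535) if proto == "-1" else (rule["FromPort"], rule["ToPort"])
        in_range = {p for p in required if lo <= p <= hi}
        wider = (hi - lo + 1) > len(in_range)  # rule opens ports not on the list
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net.prefixlen == 0:
                findings.append(f"ports {lo}-{hi} open to any source ({net})")
            elif wider:
                findings.append(f"ports {lo}-{hi} from {net} exceed the listed ports")
            if peer.subnet_of(net):
                covered |= in_range
    return sorted(set(required) - covered), findings


if __name__ == "__main__":
    missing, findings = audit_ingress(SAMPLE_INGRESS, "10.2.0.0/24")
    print("missing required ports:", missing)
    for f in findings:
        print("review:", f)
```

A missing port explains a HyX that never reaches “Connected”; a finding marks a rule broader than the article's requirements and worth reviewing.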