Wednesday, November 4, 2015

Multi-tenancy in EMC Avamar for vSphere Data Protection

VMware vSphere Data Protection (VDP) has the capability to replicate backup data to another VDP virtual appliance and to EMC Avamar. This is ideal for an organization who wants to replicate backup data offsite for disaster recovery purposes. Replication is efficient and secure as only unique data segments are sent from the source to the target and the data is encrypted. Replication occurs after the backup data has been deduplicated in the VDP appliance.

Multi-tenancy is another topic that is frequently asked about. A popular use case an organization with multiple sites and/or departments who prefer that site or department managers only see their own backup data/restore points. Another popular use case is a service provider enabling a backup data hosting service. The service provider must ensure that a customer can only see backup data/restore points that belong to that customer. This article briefly covers how to enable multi-tenancy on EMC Avamar for backup data replicated from VDP.

It is assumed a REPLICATE domain is already in place on the Avamar server. In this case, an Avamar Virtual Edition virtual appliance is used.

Normally, a subdomain can be created using the Avamar Administrator user interface. However, that option is grayed out for the REPLICATE domain.

A subdomain can be created from the command line. Log in to the console of the Avamar server as root and run:
avmgr newd --duplicates-okay --path=/REPLICATE/organization
“Organization” at the end of the command is the subdomain name and is typically the name of the company or organization. In the example below, “customer_a” is used.

Optionally, you can add subdomains under a subdomain - for example, the name of a department. The command would look similar to this:
avmgr newd --duplicates-okay --path=/REPLICATE/organization/department

A unique user must be created for the subdomain to provide and limit access only to the organization’s replicated data. A password and specific permissions are also needed. Run this command to create a new user with the proper permissions only to the subdomain:
avmgr addu --path=/REPLICATE/organization --u=username --ud=avamar --p=password --pr=password --pv=create,read,backup,access,move,delete,fullmanage,maint,enabled,noticketrequired

“Organization” must, of course, match the subdomain just created. In the example below, “user_a” is the username.

vSphere Data Protection replication can now be configured to utilize the subdomain created. When a replication job is configured, the username, password, and path (subdomain) are configured. An example is show below.

After the vSphere Data Protection replication job has run at least once, the name of the vSphere Data Protection appliance name will appear as a subdomain beneath the “organization” subdomain, as shown below.

Only restore points in the user’s subdomain will be available for restore. The restore points are access using the vSphere Data Protection user interface by selecting the “Restore” tab and clicking the “Recover replicated backups” button.

Click the top radio button to select a destination in use by an existing replication job. The credentials used when configuring the replication job, “user_a” in the example below, are used to access the restore points in the “customer_a” subdomain on the Avamar server.

After clicking the “Verify Authentication“ button and clicking “Next”, only the restore points in the organization’s subdomain, “customer_a” in the example, are available for restore.

This approach effectively separates and isolates each customer’s backup data while still providing self-service restore capabilities through the vSphere Data Protection user interface.


No comments:

Post a Comment

Note: Only a member of this blog may post a comment.