VMware vSAN Protection and Recovery Deployment

vSAN Protection and Recovery provides a simple way to back up and restore VMs locally using vSAN Express Storage Architecture (ESA). It enables administrators to define groups of VMs along with the backup/snapshot schedule and retention times. These are crash-consistent backups that can be restored using the vSphere Client even if the VMs have been removed from inventory. Perhaps best of all is that this functionality is included with your VCF 9 license.

I plan on writing a series of blog articles about vSAN Protection and Recovery. This first article summarizes the deployment of the Protection and Recovery virtual appliance that enables this functionality. If you would like to read more about the solution itself, see the articles below.

Superior Snapshots using VMware vSAN Data Protection (2024)

vSAN Data Protection in VMware Cloud Foundation – The Solution You Already Own (2025)

VMware vSAN Protection and Recovery Enhancements for VCF 9.1 (2026)

If you read the articles above, it is easy to see that the engineers have been busy making enhancements to the feature. As such, I am going to focus on the deploying the latest version included with VCF 9.1.

First, you must download the Protection and Recovery ova from the Broadcom Support site. In this case, I grabbed the Protection-and-recovery-9.1.0.0100.25419587.ova, which was the latest version when this article was written. The numbers will be different as newer versions are released.

There are prerequisites you will need before deploying the virtual appliance from the ova file.

• Fully-qualified domain name (FQDN)/hostname for the appliance, e.g., protect02.vmware.lab
• Forward and reverse DNS lookup working properly for that FQDN, its IP address, and the FQDN and IP address of your vCenter instance.
• Hint: Use the nslookup command line interface
• Passwords to use for the appliance root account and the admin account
• You'll use admin and the corresponding password to log into the appliance UI
• NTP server
• Default gateway IP address
• Domain name and search path, e.g., vmware.lab
• Appliance IP address
• DNS server IP addresses
• Network prefix, i.e., subnet mask, e.g., 24

Deploy the appliance using the information you gathered above. Power it on after it finishes deploying and wait a few minutes to ensure it is fully booted. Access the UI by entering https://<fqdn>:5480

For example, https://protect02.vmware.lab:5480

Log in with admin and the password you set for the admin account.

Click the Configure Appliance button on the Summary page.

This starts the configuration wizard where you pair the Protection and Recovery appliance with your vCenter instance. The first step is providing information about the vCenter instance you are connecting to.

The second step simply shows the vCenter instance you specified.

The third step has a few more configuration items. Provide a descriptive site name. This might be a street or city name, a regional name, or something else that uniquely describes the environment's location. Add an email address for system notifications. In most cases, you will leave the default settings for Local Host and the Protection and Recovery Extension ID.

The appliance will perform the initial configuration after you click Finish. You will end up back at the Summary page, which shows Protection and Recovery appliance information along with the vCenter instance it is paired with.

This process installs a plugin for the vSphere Client. You will likely see a banner at the top of the vSphere Client suggesting you refresh the browser window. Click the Refresh Browser button.

If you click on the "hamburger" (three horizontal lines) ini the top left corner of the vSphere Client, you should see Protection and Recovery in the menu.

The Protect and Recovery feature is now ready for use.  We'll get to that in upcoming articles.