Ensure VM security with VMware CDP integration

CDP protects data in the case of a disaster -- an essential part of any security procedure. But CDP can introduce high throughputs, which can affect network performance.

You can use continuous data protection in your VMware environments with products from Veeam, Zerto, Cohesity or Rubrik. However, continuous data protection does have some limitations at both the hypervisor level and the VM level, such as infrastructure incompatibility and resource issues. This makes critical VMs that have a high volume of data changes per day the primary use case for continuous data protection.

CDP products use the VMware vSphere APIs for I/O Filtering (VAIO) framework to offer VM and workload protection as well as achieve recovery time objectives (RTOs) as low as a few seconds. CDP doesn't use a hypervisor's snapshots, which makes a low RTO possible.

CDP at a glance

VMware relies on VAIO for the CDP framework, which enables third-party backup vendors to develop filters that install and run on the ESXi hypervisor. These filters intercept any I/O requests from a guest OS to a virtual disk. I/O requests aren't issued or committed to a disk until the I/O filters created by those third-party products have processed them.

Diagram: vSphere APIs for I/O Filtering (VAIO) framework

A CDP filter -- formerly known as a vSphere Installation Bundle (VIB) file -- is now called a vSphere component, which is essentially a group of VIBs. A VIB -- also known as a filter driver -- installs onto ESXi hosts within your data center. The filter drivers then attach to VMs that require high protection, otherwise known as a low RTO. A low RTO enables you to lose less data in case of a disaster.

CDP applies at the VM level, so you might have VMs with CDP protection while other VMs only have traditional backup technology based on a hypervisor's snapshots. CDP is best for some workloads, but not necessary for all workloads.

There are different VM protection requirements. Critical VMs that have a high volume of data changes per day are perfect candidates for CDP. Noncritical VMs that have a low volume of data changes per day are better off with traditional backup or replication technology.

CDP requirements and limitations

Infrastructure compatibility is one of CDP's limitations. If you use older infrastructure, most backup vendors won't be able to provide CDP protection.

CDP also puts more pressure on your data resources. This is because CDP saves and backs up every bit of new data or change almost in real time, so data throughputs are high with CDP technology. Your existing network might be unable to handle that much throughput, so it's best not to activate CDP for all your VMs.
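The following planning sketch is an added example, not part of the original article or any vendor's tooling. It turns the candidate rule and the throughput concern above into a calculation: it converts each VM's daily change volume into a replication bandwidth estimate and assigns CDP only to critical, high-change VMs that fit the link budget. The VM names, the 50 GB/day threshold, the burst factor and the headroom fraction are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    critical: bool
    change_gb_per_day: float  # measured volume of changed data per day

# Constructed sample inventory (not real systems).
SAMPLE_VMS = [
    VM("sql-prod-01", True, 900), VM("erp-app-01", True, 400),
    VM("mail-01", True, 1200), VM("file-archive-01", False, 600),
    VM("dns-01", True, 2), VM("test-web-01", False, 5),
]

def sustained_mbps(change_gb_per_day, peak_factor=3.0):
    """Average change rate in Mbit/s, scaled by an assumed burst factor."""
    avg = change_gb_per_day * 8 * 1000 / 86400  # decimal GB/day -> Mbit/s
    return avg * peak_factor

def plan_cdp(vms, link_mbps, min_change_gb=50.0, headroom=0.5):
    """Return (cdp_vms, snapshot_vms, mbps_used).

    Only critical VMs above the change threshold are CDP candidates.
    Candidates are taken highest change rate first and skipped when
    they would push replication traffic past link_mbps * headroom.
    """
    budget = link_mbps * headroom
    candidates = sorted(
        (v for v in vms if v.critical and v.change_gb_per_day >= min_change_gb),
        key=lambda v: v.change_gb_per_day, reverse=True)
    cdp, snapshot, used = [], [], 0.0
    for v in candidates:
        need = sustained_mbps(v.change_gb_per_day)
        if used + need <= budget:
            cdp.append(v.name)
            used += need
        else:
            snapshot.append(v.name)  # critical, but does not fit the budget
    # Everything else stays on traditional snapshot-based backup.
    snapshot += [v.name for v in vms
                 if v.name not in cdp and v.name not in snapshot]
    return cdp, snapshot, round(used, 1)

if __name__ == "__main__":
    cdp, snap, used = plan_cdp(SAMPLE_VMS, link_mbps=1000)
    print("CDP:", cdp, "| snapshot backup:", snap, "| Mbit/s used:", used)
```

With a 1 Gbps link and half of it reserved for other traffic, one critical VM in the sample is left on snapshot-based backup because adding it would exceed the budget.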

Data replication and recovery with VMware CDP

VMware provides the VAIO framework that partners require to develop backup products. There are currently 16 different vendors that provide products built for the VAIO framework, according to the VMware compatibility page for VAIO frameworks.

Each vendor has its own backup and replication product, which is sometimes simply referred to as data protection to prevent exposing too many details about the underlying technology. VMware invented the VAIO framework and it's up to the vendors to build their products around the framework and provide integration.

VMware itself doesn't have an exclusive product that uses CDP. VMware's existing replication product, known as vSphere Replication, uses traditional hypervisor snapshot technology to replicate and protect VMs.

vSphere Replication is strictly a VMware framework, so check with your current backup vendor to see whether your latest backup and replication software supports vSphere Replication.

Implement a CDP product into your VMware data center

Setups might differ depending on the CDP product you use. For example, the Veeam Backup & Replication product sets up workloads as a continuously running policy-based job. The job repeatedly monitors VMs, and the data gathered is sent over the wire to the ESXi host based on a schedule you set within the job.

Each product also has its own installation and usage guide. Figure 1 shows the installation screen from a lab that demonstrates the installation of the VAIO filter to a vSphere cluster. The Veeam Backup & Replication installation assistant guides you through installing the VAIO filter package to the selected cluster.

Figure 1: Example of I/O filter installation with Veeam Backup & Replication

CDP is a promising technology based on the VAIO framework, but its use should be reserved for critical VMs that require a low RTO. If you implement CDP with very low RTOs, you incur higher network throughput or higher CPU consumption.

You're less likely to incur these issues if you design your infrastructure ahead of time to support increased throughput or CPU consumption. Networking hardware such as NICs with 2x40 Gbps can help reduce network throughput issues. You should also implement network components -- including switches or routers -- that can support those speeds and throughputs.
