An OnVault pool is a pointer to a Cloud Storage bucket or a backup vault that is used to store backup data. OnVault pools are referenced in resource profiles. A resource profile is used along with an OnVault policy to send backup data to the assigned OnVault pool.
Auto-created OnVault pool with a Cloud Storage bucket
For backup/recovery appliances deployed with version 11.0.2 or higher, an OnVault pool that points to a Cloud Storage bucket is automatically created by the service account attached to the appliance, as required. This OnVault pool holds VM instance configuration and metadata and is created automatically at run time, when a backup template is assigned to a Compute Engine instance. The location of the Cloud Storage bucket is determined by the persistent disk snapshot storage location or region configured in the backup template.
In the management console, you can view these OnVault pools by navigating to Manage > Storage Pools to open the Storage Pools page. The auto-created OnVault pools on the Storage Pools page are displayed with the same name as their storage buckets, in the form <backup/recovery-appliance-name>-<random-string>-<region/multi-region>. You cannot edit or delete the automatically created OnVault pools.
OnVault pools are created automatically during the following scenarios:
- A backup template assigned to a Compute Engine instance does not have a pool.
- A backup template is updated to use a different region or multi-region. The pool is auto-created after the first snapshot runs successfully. The service thus ensures that both the Persistent Disk data and the VM instance configuration are co-located.
- A policy override that changes the region or multi-region is applied to a protected Compute Engine instance. If a pool does not exist in that location, the pool is auto-created after the first snapshot runs successfully.
IAM roles and permissions
Before adding an OnVault pool, you need to assign the Backup and DR Cloud Storage Operator role, which has the required permissions, to the project where the bucket is located or to the bucket itself. Granting permissions at the bucket level is the more granular option.
This role allows the service account attached to the appliance to perform OnVault operations and has all the permissions required to store and manage backups in OnVault pools, including accessing backup data, copying backup data from one Cloud Storage bucket to another, and expiring stored backups. You can validate the permissions for this role by navigating to IAM & Admin > Roles and selecting Backup and DR Cloud Storage Operator.
If you don't want to assign the Backup and DR Cloud Storage Operator role, you can also create a custom role and assign the following permissions:
- storage.buckets.create
- storage.buckets.get
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.list
Add an OnVault pool
OnVault pools require access to Cloud Storage. Before adding an OnVault pool, complete the following:
Identify or create a storage bucket to hold the backup data:
- All storage classes and locations are supported. Use an appropriate class based on your data retention. Don't use the archive class without consulting with your sales or support organization first.
- Versioning and retention on the Cloud Storage bucket must be disabled.
- Soft delete policy on the Cloud Storage bucket must be disabled.
- Access control should be set to uniform on any new bucket.
- Google-managed encryption keys (GMEK) and customer-managed encryption keys (CMEK) are supported.
For the appliance running version 11.0.2 or later, you need to do the following:
- Add the service account of the backup/recovery appliance to the bucket as a principal with the required roles and permissions. You need to do this for each user-created bucket.
- Have the storage bucket details ready. The service account field is populated automatically when you select the appliance, because the pool uses the service account attached to the backup/recovery appliance.
Ensure that the service account has access to the bucket with a role with the required permissions at either the project level or the bucket level.
For an appliance running a version prior to 11.0.2:
- Create or identify a service account with the required roles and permissions.
- Create a private key for the service account. See Service account Keys for more information on service account keys.
- Collect the service account ID, private key, and bucket name to use during creation of the OnVault pool.
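The bucket and IAM prerequisites above can be checked before the pool is added. The following Python is an added example, not code from the product or its documentation: it audits bucket metadata and IAM policies supplied in the JSON shapes that the Cloud Storage and IAM APIs return, and the project, bucket, custom role and service account names are constructed for illustration.

```python
# Added example: pre-flight check of a user-created bucket for an OnVault pool.
# Inputs use the Cloud Storage bucket resource and IAM policy JSON shapes.
REQUIRED_PERMISSIONS = frozenset({
    "storage.buckets.create", "storage.buckets.get",
    "storage.objects.create", "storage.objects.delete",
    "storage.objects.get", "storage.objects.list",
})


def granted_permissions(policies, role_permissions, member):
    """Permissions `member` holds through unconditional bindings in any policy."""
    granted = set()
    for policy in policies:  # bucket-level and project-level policies
        for binding in policy.get("bindings", []):
            # Conditional bindings are skipped: their effect depends on the request.
            if member in binding.get("members", []) and "condition" not in binding:
                granted |= set(role_permissions.get(binding["role"], ()))
    return granted


def audit_bucket(bucket, policies, role_permissions, service_account):
    """Return (severity, message) findings; an empty list means the bucket is ready."""
    findings = []
    if bucket.get("versioning", {}).get("enabled"):
        findings.append(("error", "object versioning is enabled"))
    if "retentionPolicy" in bucket:
        findings.append(("error", "a retention policy is set"))
    soft = bucket.get("softDeletePolicy")
    if soft is None:
        findings.append(("warning", "soft delete state missing from metadata"))
    elif int(soft.get("retentionDurationSeconds", 0)) > 0:
        findings.append(("error", "soft delete policy is enabled"))
    ubla = bucket.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})
    if not ubla.get("enabled"):
        findings.append(("warning", "access control is not uniform"))
    held = granted_permissions(policies, role_permissions,
                               "serviceAccount:" + service_account)
    for perm in sorted(REQUIRED_PERMISSIONS - held):
        findings.append(("error", "service account lacks " + perm))
    return findings


# Constructed sample data (hypothetical project, bucket, role and account names).
SA = "appliance-sa@example-project.iam.gserviceaccount.com"
ROLE = "projects/example-project/roles/onvaultCustom"
ROLE_PERMISSIONS = {ROLE: sorted(REQUIRED_PERMISSIONS - {"storage.objects.delete"})}
BUCKET = {
    "name": "example-onvault-bucket",
    "versioning": {"enabled": True},
    "softDeletePolicy": {"retentionDurationSeconds": "604800"},
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}},
}
BUCKET_POLICY = {"bindings": [{"role": ROLE, "members": ["serviceAccount:" + SA]}]}

if __name__ == "__main__":
    for severity, message in audit_bucket(BUCKET, [BUCKET_POLICY], ROLE_PERMISSIONS, SA):
        print(severity + ": " + message)
```

Pass both the bucket-level and the project-level policy in `policies`, since the required permissions can be granted at either level; the role-to-permissions map is supplied by the caller from the role definitions in use.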
You can create any number of OnVault pools on a backup/recovery appliance using the same backup/recovery appliance service account. The procedure to add an OnVault pool varies based on the software version of the backup/recovery appliance. To determine which version is in use, navigate to Manage > Appliances and check the Version column.
The following table shows how OnVault pool behavior depends on the deployed appliance version.
Original appliance version | Appliance upgraded version | OnVault pool JSON key usage | Auto-created OnVault pool usage |
---|---|---|---|
11.0.1* | 11.0.2 (or higher) | Any existing OnVault pools continue to use JSON keys. You still need to add the OnVault pool for Compute Engine and agent/VMware backups. You can also choose to replace this pool with a new "JSON-less" pool using the procedure in Replace a JSON key OnVault pool with a service account based OnVault pool. However, if you are adding a new OnVault pool, you no longer need a JSON key. | Does not support auto-created OnVault pools. |
11.0.2 or higher | Not relevant | Does not require JSON keys. | OnVault pool is auto-created based on the default cloud credentials. Refer to the Auto-created OnVault pool. |
*Appliances deployed prior to January 2023 were probably deployed on version 11.0.1.
Add an OnVault pool for an appliance running version 11.0.2 or later
Use the following instructions to add an OnVault pool for an appliance running version 11.0.2 or later.
- Click Manage and select Storage Pools from the drop-down menu.
- Click Add OnVault Pool from the top right corner of the page.
- Enter the OnVault Pool Name. Valid characters are letters, numbers, spaces, hyphens (-), and underscores (_).
- Select the Pool Type. Select the default, Cloud Storage. The Cloud Storage pool type supports all storage classes and must be used unless backward compatibility with a legacy OnVault pool is required. You can't change the pool type after the OnVault pool is created.
- From the Appliance drop-down, select the appliance you want to add the OnVault pool to. The read-only service account field auto-populates.
- In the Bucket field, enter the name of the storage bucket that holds your data. The bucket must already exist; make sure the bucket name is correct. To get the bucket name, in the Google Cloud console click Cloud Storage, then Buckets. The service account displayed in step five needs permission to access the bucket either at the bucket level or the project level. Coldline and Nearline require Fine Grain ACL on the bucket.
- Specify if the data in the OnVault pool should be stored in compressed or uncompressed format. Compressing data reduces storage costs but requires additional compute capacity for backup/recovery appliances to compress the data before transmitting. In most cases you want to keep the compression box checked. Compression also reduces network traffic.
- Under Advanced Options, complete the following:
  - Select the Object size. Values range from 64 KB to 8 MB. The default value of 1 MB is the best choice in most cases. Changing the object size can adversely affect the performance and the cost of storage service used for OnVault.
  - If using a proxy, enter the proxy server's address and port number.
- Click Save.
Add an OnVault pool for an appliance running a version prior to 11.0.2
To create an OnVault pool for a backup/recovery appliance running a version prior to 11.0.2, you need to manually supply the service account and upload the JSON key as well as supply the bucket details.
Use the following instructions to add an OnVault pool for an appliance running a version prior to 11.0.2.
- Click Manage and select Storage Pools from the drop-down menu.
- Click Add OnVault Pool from the top right corner of the page.
- Enter the OnVault Pool Name. Valid characters are letters, numbers, spaces, hyphens (-), and underscores (_).
- Select the Pool Type. If specifying a bucket that was created to be used for this pool, but has no data in it yet, select the default, Cloud Storage. If connecting to a bucket that already has been used as an OnVault pool target, select the same type that was used by the first OnVault pool to use that bucket. This may be Coldline, Nearline, or the default Cloud Storage. Coldline and Nearline require Fine Grain ACL on the bucket. You can't change the pool type after the OnVault pool is created.
- From the Appliance drop-down, select the appliance where you want to add the pool.
- Enter a Service account. It is the service account access ID, in email format, that is used to access the storage. For more information, see Service account.
- In the Private Key File field, paste the private key, or click Choose file to import a saved private key file. See Service account keys for more information on service account keys.
- In the Bucket field, enter the name of the storage bucket that holds your data. The bucket must already exist. You can get the bucket details from the Cloud Storage console page.
- Specify if the data in the OnVault pool should be stored in compressed or uncompressed format. Compressing data reduces storage costs but requires additional compute capacity for backup/recovery appliances to compress the data before transmitting. In most cases you want to keep the compression box checked. Compression also reduces network traffic.
- Under Advanced Options, complete the following:
  - Select the Object size. Values range from 64 KB to 8 MB. The default value of 1 MB is suitable in most cases. Changing the object size can adversely affect the performance and the cost of storage service used for OnVault. Note: Don't change the object size from default unless advised to do so.
  - If using a proxy, enter the proxy server's address and port number.
- Click Save.
Edit an OnVault pool
The procedure to add an OnVault pool varies based on the software version of the backup/recovery appliance. To determine which version is in use, navigate to Manage > Appliances and check the Version column.
Edit an OnVault pool for an appliance running version 11.0.2 or later
Use the following instructions to edit an OnVault pool that is associated with the appliance running version 11.0.2 or later.
- Click Manage and select Storage Pools from the drop-down menu.
- Select the OnVault pool to edit and click the Edit button on the bottom right corner of the page.
- Edit the OnVault Pool Name and Bucket details as needed. Enable or disable Compression as needed. You cannot edit the Service Account.
- Under Advanced Options, change the Object size and Proxy Server as needed. Changing the object size can adversely affect the performance and the cost of storage service used for OnVault.
- Click Update.
Edit an OnVault pool for an appliance running version prior to 11.0.2
Use these instructions to edit an OnVault pool that is associated with the appliance running a version prior to 11.0.2. You must upload the private key whenever you update the OnVault pool details.
- Click Manage and select Storage Pools from the drop-down menu.
- Select the OnVault pool to edit and click the Edit button.
- Edit the OnVault Pool Name, Bucket name, and Compression as needed.
- Paste or upload the Private Key file. This is required if any changes have been made to any other field.
- Under Advanced Options, change the Object size and Proxy Server as needed. Changing the object size can adversely affect the performance and the cost of storage service used for OnVault.
- Click Update.
Replace a JSON key OnVault pool with a service account based OnVault pool
If you have an OnVault pool that was created using a JSON key for authentication, you cannot switch that OnVault pool to appliance service account authentication. Instead, create a new OnVault pool and use the same bucket details that were previously used to create the pool with a JSON key.
Use the following instructions to replace a JSON key OnVault pool with an appliance service account pool.
- Add a new OnVault pool and in the Bucket field use the same bucket name that is used for creating an OnVault pool with JSON key.
- In the management console, go to Backup Plans > Profiles.
- Select the profile that uses the old OnVault pool created with the JSON key.
- Click Edit.
- In the OnVault pool drop-down, select the new OnVault pool that is created with a service account.
- Click Save.
All new images are created in the newly defined OnVault pool. Note that you cannot delete the old OnVault pool until all images previously created in that pool are expired.
Delete an OnVault pool
Use the following instructions to delete an OnVault pool.
- Ensure that there are no backup plan resource profiles specifying the pool.
- Expire all OnVault images in the pool. The last OnVault image never expires unless the application is unprotected or the image is explicitly expired.
Use these instructions to delete an OnVault pool from an appliance:
- Click Manage and select Storage Pools from the drop-down menu.
- Right-click the OnVault pool that you want to delete and select Delete.
- Click Confirm.
Access data in an OnVault pool
Once you have a Resource Profile that uses an OnVault pool and a backup template that contains an OnVault policy, from the Backup Plans tab you can apply the Resource Profile and Backup Template to applications and VMs. The OnVault policy runs according to its schedule and the captured image is written to the OnVault Pool specified in the Resource Profile.
After the initial full backup, snapshot to OnVault policies follow Backup and DR's incremental forever model where only the data changes are captured and sent to storage.
After the first capture operation has completed, data in OnVault pool's storage location can be accessed according to the following rules:
- Backup/recovery appliances can create clones from OnVault data.
- Backup/recovery appliances cannot create LiveClones from OnVault data.
- Backup/recovery appliances can mount OnVault data.
- When backup/recovery appliances mount data in an OnVault pool, all data is copied to the snapshot pool first, and then the mount is performed.
- Backup/recovery appliances can perform application aware mounts of data in an OnVault pool.
Send backups to an OnVault pool
Snapshot to OnVault and direct to OnVault policies control the transfer of data to storage. They provide a schedule for when to send the data as well as a definition of how long to retain data. The combination of the resource profile and the OnVault template forms the backup plan for the applications to which they are applied. To create an OnVault pool, see Add an OnVault pool.
Use these instructions to transfer image data to the storage defined by an OnVault storage pool.
- Ensure you have created the OnVault Pool. OnVault storage pools define the object storage used and are specified in a Resource Profile.
- In the Backup Plans, create a template that includes either:
  - Snapshot to OnVault policy: Use this to schedule the movement of VM, file system, and application data to storage defined by an OnVault pool. See OnVault policies.
  - Direct to OnVault policy: Use this to schedule the movement of VMware Engine VM data to storage defined by an OnVault pool. For more information, see OnVault policies.
- In the Backup Plans, create a resource profile that specifies where to store data locally, if applicable, as well as the OnVault pool to which data is sent. See Create a resource profile.
- In App Manager, select the data that you want to replicate to the OnVault pool, then apply the backup template and resource profile.
Backup/recovery appliances can complete the following when accessing data in OnVault pool's storage:
- Create clones.
- Mount data.
- LiveClones cannot be created in an OnVault Pool.
Based on your access and recovery requirements for the data stored in the OnVault pool's storage, you can perform mount or clone operations from the Access window of the App Manager in the management console.
- For information on performing a mount operation, see Mount images.
- For information on performing a clone operation, see Clone overview.
Balance performance and consumption for OnVault images
When mounting an image from an OnVault pool, the following four options provide the ability to balance performance versus storage needs for accessing data:
- Storage Optimized: Read blocks come from the snapshot pool when possible, otherwise they come directly from the OnVault pool across the network. Writes go to the local snapshot pool. Use this option to minimize local storage consumption at the cost of read performance since data is constantly pulled across the network.
- Balanced: (Default option) Objects read from the OnVault pool are cached in the local snapshot pool so subsequent reads of the same blocks are fulfilled locally. Writes go to the local snapshot pool. Read performance improves over time as more and more data is read and saved to the snapshot pool. Local storage use is limited to the data actually required by the applications. Use this option when local storage is available and high I/O performance is not required.
- Performance Optimized: Read blocks are cached in the local snapshot pool so subsequent reads of the same blocks are fulfilled locally. In addition, all blocks are read in the background to the local snapshot pool to create a full local copy. Writes go to the local snapshot pool. Read performance improves rapidly as the background process copies data from OnVault to the local snapshot pool. Storage requirement is the highest as all data is copied to local storage. Use this option when both fast access to the data as well as high I/O performance are needed.
- Maximum Performance: All blocks are read to the local snapshot pool to create a full local copy and only then will the image be mounted. This option has the same local storage usage as Performance Optimized, as all data is copied to the local snapshot pool. Use this option when peak performance from local storage is required for all application I/O, and any read latency from the OnVault pool is unacceptable, making it undesirable to give the application access to data before a full local copy is established.
Use OnVault pools
Snapshot to OnVault and direct to OnVault policies control the transfer of data to storage. They provide a schedule for when to send the data as well as a definition of how long to retain data. The combination of the resource profile and the OnVault template forms the backup plans for the applications to which they are applied.
Use these instructions to transfer image data to the storage defined by an OnVault storage pool:
- Ensure you have created the OnVault Pool. OnVault storage pools define the storage used and are specified in a Resource Profile.
- In the Backup Plans, create a template that includes either of the following:
  - Snapshot to OnVault policy: Use this to schedule the movement of VM, file system, and application data to storage defined by an OnVault pool. See OnVault policies.
  - Direct to OnVault policy: Use this to schedule the movement of Google Cloud VMware Engine VM data to storage defined by an OnVault pool. For more information, see OnVault policies.
- In the Backup Plans, create a resource profile that specifies where to store data locally, if applicable, as well as the OnVault pool to which data is sent. See Create a resource profile.
- In App Manager, select the data that you want to replicate to the OnVault pool, then apply the Backup Template and Resource Profile.
Backup/recovery appliances can complete the following when accessing data in OnVault Pool's storage:
- Create clones
- Mount data
- LiveClones cannot be created in an OnVault Pool.
Based on your access and recovery requirements for the data stored in the OnVault Pool's storage, you can perform mount or clone operations from the Access window of the App Manager in the management console.