IMPLEMENTATION AND
ADMINISTRATION
PARTICIPANT GUIDE
Dell EMC Cloud Tier enables the movement of data from the active tier of a
PowerProtect DD appliance to low-cost, high-capacity object storage in the public,
private, or hybrid cloud. Data is moved to the cloud for long-term data retention.
Only unique, deduplicated data¹ is sent from the PowerProtect DD appliance to the
cloud or retrieved from the cloud.
[Figure: Cloud Tier Architecture. Labels: Backup Data; Cloud Tier; Cloud Unit 1; Cloud Unit 2; cloud storage in the public, private, or hybrid cloud for long-term data retention.]
1 Sending only deduplicated data ensures that the data being sent to the cloud
occupies as little space as possible.
Model Sizing
Here are the supported physical memory and storage requirements for each
PowerProtect DD model.
DD3300 (8 TB Capacity)     48    16
DD3300 (16 TB Capacity)    48    32
DD3300 (32 TB Capacity)    64    64
DDVE* (64 TB Capacity)     60    128
DDVE* (96 TB Capacity)     80    192
* Dell EMC Cloud Tier is supported on DDVE for on-premises implementations only.
2 The minimum metadata size is a hard limit. Dell Technologies recommends that
you start with 1 TB for metadata storage and expand in 1 TB increments. The
DDVE Installation and Administration Guide provides more details about using
Cloud Tier with DDVE.
[Figure: Active Tier; Data Movement Policy; Cloud Tier; Cloud Unit 1.]
The Dell EMC Cloud Tier is managed through a single namespace. There is no
separate cloud gateway or virtual appliance required. The native PowerProtect DD
policy management framework supports the data movement.
Cloud storage supports Dell EMC Elastic Cloud Storage (ECS), Alibaba, Amazon
Web Services S3, Google Cloud Provider, S3 Flexible provider cloud unit, and
Microsoft Azure. Extra storage is required to hold metadata associated with the
data in the cloud tier. Deduplication, cleaning, and replication operations use
metadata.
Extra metadata storage is required to support the cloud tier. The amount of
required metadata storage is based on the PowerProtect DD model.
[Figure: Active Tier; Data Movement Policy; Cloud Tier; Cloud Unit 1; Cloud Unit 2.]
Dell EMC Cloud Tier supports one or two cloud units on each PowerProtect DD
appliance.
• Each cloud unit has the maximum capacity of the active tier³.
• Each cloud unit maps to a cloud provider⁴.
• Metadata shelves⁵ store metadata for both cloud units.
This example shows a system with an active tier and two cloud units. Each cloud
unit has a capacity equal to that of the active tier. Data that is stored on the active
tier provides local access to data and can be used for operational recoveries. The
cloud tier provides long-term retention for data that is stored in the cloud.
3 You can scale the cloud tier to maximum capacity without scaling the active tier
any larger.
5 The number of metadata shelves you need depends on the cloud unit physical
capacity.
The NFS, CIFS, and DD Boost protocols are supported for data movement to and
from the cloud tier.
PowerProtect DD VTL Tape Out to Cloud is supported with DDOS version 6.1 and
later. DD VTL Tape Out to Cloud supports storing the VTL vault on Cloud Tier
storage.
There is no support for vDisk pools as used with Dell EMC ProtectPoint.
[Figure: PowerProtect DD Appliance with Cloud Tier and Cloud Unit 1. Cloud units each have their own deduplication pools.]
• Each cloud unit has its own segment index and metadata and thus each cloud
is a deduplication unit by itself⁶.
• The cloud tier uses the same compression algorithm⁷ as the active tier.
• Cloud deduplication does not do the packing phase.
• Cloud tier cleaning can be schedule-based or on demand⁸.
• The schedule for cloud tier cleaning is set relative to active tier cleaning⁹.
8 Cleaning of the active tier and the cloud tier cannot take place simultaneously.
9 The schedule specifies to run cloud tier cleaning after every Nth run of active tier
cleaning. By default, cloud tier cleaning runs after every 4th scheduled active tier
cleaning.
10 On-demand cleaning can be run from either the DD System Manager or CLI.
11 When all segments within a region are dead, the entire object is deleted.
12 The cloud storage is accessed to delete objects in the cloud with no live data and
to perform some copy forward of container metadata-related activities.
Secure HTTP (HTTPS) is used for the transfer of data between a PowerProtect
DD appliance and the cloud.
Active tier encryption is not required to enable encryption on the cloud tier.
13 You are prompted for the security officer username and password to enable
encryption.
14 Encryption of the active tier is only applicable if encryption is enabled for the
system.
Replication
You can enable Dell EMC Cloud Tier on one or both systems in a replication pair.
If the source system is Cloud Tier-enabled, data may be read from the cloud if the
file was already migrated to the cloud tier from the active tier. A replicated file is
always placed first in the active tier on the destination system even when Cloud
Tier is enabled.
17 Before sending any data to the cloud, the decision to encrypt data or not must be
made.
It is possible to migrate the system data from an older appliance that is configured
with Dell EMC Cloud Tier to a newer appliance. Migrating to a newer appliance can
improve performance, add additional capacity, and provide access to new features.
The migration process migrates the active tier storage, and the locally stored cloud
tier metadata from the existing system to a new system. During the migration, the
source system operates in a restricted mode.
The procedure to initiate the Cloud Tier migration is only available through the CLI.
See the Dell EMC DDOS Administration Guide, available on the Dell EMC Support
site for more information about migrating Cloud Tier.
Configure Storage
With Dell EMC Cloud Tier storage, the PowerProtect DD appliance holds the
metadata for the files residing in the cloud¹⁸.
The cloud tier requires a local store for a local copy of the cloud metadata. To
configure Cloud Tier, you must meet the storage requirement for the licensed
capacity.
If creating a file system, the cloud tier can be enabled at the time that the new file
system is created. To create a file system, select Create File System and then
configure the active tier of the system.
In Data Management > File System, the main panel displays statistics for the
active and cloud tiers.
The statistics viewable in the DD System Manager for both the active and cloud tier
are:
• Size
• Used
• Available
• Pre-Compression
• Total Compression Factor (Reduction %)
• Cleanable
• Space Usage
To provide more information to the user, the DD System Manager displays the
reasons why the cloud storage is in error state.
19 You must have Port 443 or Port 80 open to the cloud provider networks for both
endpoint IPs and provider authentication IP for bi-directional traffic. Remote cloud
provider destination IP and access authentication IP address ranges must be
enabled through the firewall.
20 Downloaded certificate files have a .crt extension. Use OpenSSL to convert the
file from .crt format to .pem. For additional information, see the Dell EMC
DDOS System Administration Guide on the Dell EMC support site.
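One way to carry out the .crt to .pem conversion from footnote 20, as an added example that is not part of the original guide: it handles both encodings a downloaded .crt file can carry (PEM text or binary DER) and prints the certificate's identity so it can be checked before it is added as a trusted CA. The function names and file names are illustrative assumptions.

```sh
#!/bin/sh
# Added example: convert a downloaded CA certificate (.crt) to PEM and show
# what it is before it goes into the appliance trust store.
# File names and function names are illustrative, not from the guide.

# crt_to_pem SRC.crt DST.pem
# A .crt file may hold PEM text or binary DER; detect which and re-encode.
# openssl x509 reads only the first certificate in the file and exits
# non-zero when the input is not a certificate at all.
crt_to_pem() {
    src=$1
    dst=$2
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        inform=PEM
    else
        inform=DER
    fi
    if ! openssl x509 -inform "$inform" -in "$src" -outform PEM -out "$dst" 2>/dev/null; then
        echo "error: $src is not a valid X.509 certificate" >&2
        rm -f "$dst"
        return 1
    fi
}

# cert_fingerprint FILE.pem
# Prints the SHA-256 fingerprint (colon-separated hex) for comparison with
# the value the certificate authority publishes.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_summary FILE.pem
# Subject, issuer, validity window and fingerprint in one view.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Stand-alone use: sh crt2pem.sh downloaded-root.crt downloaded-root.pem
if [ "$#" -eq 2 ]; then
    crt_to_pem "$1" "$2" && cert_summary "$2"
fi
```

Compare the printed SHA-256 fingerprint with the one the certificate authority publishes before adding the .pem file through Manage Certificates.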
The links on this page contain configuration information and the procedure to
create cloud units on supported cloud platforms: Alibaba Cloud, Amazon Web
Services S3, Flexible Cloud Tier Provider Framework for S3.
Overview
All interactions with cloud providers are authenticated with a signature protocol.
Support for S3 flexible cloud providers that support S3 authentication with signature
V4 is now part of DDOS.
A new field S3 Signature Version is added to display the cloud profile version.
In the output of cloud profile show, DDOS displays two possible values: s3v2
or s3v4.
Once set, the signature version of the cloud profile cannot be modified.
Data Movement
21 Used for all files older than a set number of days. For example, all files older than
90 days.
22 All files older than X days, but younger than Y days. For example, all files older
than 30 days but younger than 365 days.
Recall is the act of bringing data from the cloud to the active tier. Restore is the act
of recovering data from the active tier and making it available to the client.
Data can be recalled from the cloud tier using the DD System Manager (DDSM) or
the CLI.
Tape Out to cloud storage offers the ability to store offsite and retrieve tapes for
long-term retention (LTR) use cases.
Architecture
[Figure: Active Unit with Active CP; Cloud Unit with Cloud CP (metadata); Data; Metadata: index, container metadata, directory manager.]
Metadata to support the cloud is maintained in the cloud tier shelf of the local
storage. This metadata is used in operations such as deduplication, cleaning, and
replication. Using local storage for metadata minimizes writes to the cloud. The
metadata includes the index, the Directory Manager (DM) for managing the
namespace and container metadata. Some metadata, including container
metadata, is also stored with the data in the cloud for disaster recovery purposes.
Benefits
Cloud Tier provides a scalable
solution for long-term data
storage. With Cloud Tier, users
can store up to two times the
maximum active tier capacity in
the cloud for long-term
retention of data. With cloud
tiering policies, data is in the
right place at the right time.
Data is scheduled to be moved
to the cloud using policies
based on the age of the data.
Considerations
Here are a few considerations when deciding to implement Cloud Tier:
• A cloud capacity license is required for Cloud Tier. Use the Dell EMC Electronic
License Management System (ELMS) file to apply the license.
• The Cloud Tier feature may consume all available bandwidth in a shared WAN
link, especially in a low-bandwidth configuration (1 Gbps). The Cloud Tier
feature may impact other applications sharing the WAN link.
• On systems with a dedicated management interface, reserve that interface for
system management traffic (using protocols such as HTTP and SSH). Backup
and cloud tier data traffic should be directed to other interfaces, such as eth1a.
Prerequisites
Complete the following tasks on the new system before beginning the migration
operation:
1. Verify both the source and destination systems are running DDOS 7.3.0.5 or
higher. Cloud Tier migration is not supported on DDVE instances.
2. Add a Cloud Tier license on the new system.
3. Add other feature licenses as required on the new system.
4. If a passphrase is configured on the existing system, set the same passphrase
on the new system. The passphrase store-on-disk setting should not be less
secure on the destination than on the source.
5. If encryption is configured on the existing system, set the same encryption
values including key manager settings and FIPS compliance on the new
system.
6. If automatic key rotation is configured on the existing system, disable it before
starting the migration. Reenable it on the new system after the migration.
7. If encryption is configured on the existing system, back up the key export files
from the existing system.
8. If Retention Lock Compliance is enabled on the existing system, enable RLC on
the new system.
9. Record the cloud profile and cloud unit information from the existing system.
10. Create the file system on the new system, but do not enable it.
Restricted Mode
While the PowerProtect DD appliance is in restricted mode, the active tier storage
is available for backup operations, but I/O on the cloud tier storage is not permitted.
The following operations are not permitted while the migration is in progress:
• Sending active tier data to cloud tier storage.
• Recalling data from cloud tier storage.
• Cleaning the cloud tier storage.
• Restoring files directly or reading from the cloud tier storage.
• File system cleaning on the source system.
• System sanitization cannot be performed on the source system.
• Enabling or disabling file system encryption.
• Enabling, disabling, or setting the embedded key manager or an external key
manager.
• Creating, destroying, deleting, or syncing keys from the embedded key manager
or an external key manager.
24 For AWS and Azure cloud providers, download the Baltimore CyberTrust root
certificate.
Adding a Certificate
After downloading a certificate file, add the CA Certificate:
1. Go to Data Management > File System > Cloud Units.
2. Click Manage Certificates from the tool bar.
3. Click Add, and select one of the options from the Add CA Certificate for Cloud
screen.
4. Click Add.
Configuration
Regions are configured at the bucket level instead of the object level. All objects
that are contained in a bucket are stored in the same region. A region is specified
when a bucket is created, and cannot be changed once it is created.
The Alibaba Cloud user credentials must have permissions to create and delete
buckets and to add, modify, and delete files within the buckets they create.
Procedure
Configuration
AWS offers a range of storage classes. The Cloud Providers Compatibility Matrix,
available from https://elabnavigator.emc.com/eln/elnhome provides up-to-date
information about the supported storage classes.
For enhanced security, the Cloud Tier feature uses Signature Version 4 for all AWS
requests. Signature Version 4 signing is enabled by default.
The AWS user credentials must have permissions to create and delete buckets and
to add, modify, and delete files within the buckets they create.
Procedure
Configuration
The Cloud Tier feature supports qualified S3 cloud providers under an S3 Flexible
provider configuration option.
Procedure
Configuration
The Google Cloud Provider user credentials must have permissions to create and
delete buckets and to add, modify, and delete files within the buckets they create.
Procedure
Configuration
Microsoft Azure offers a range of storage account types. The Cloud Providers
Compatibility Matrix, available from
http://compatibilityguide.emc.com:8080/CompGuideApp/ provides up-to-date
information about the supported storage classes.
Procedure
The schedule can be viewed at Data Management > File System > Summary.
The data movement schedule is set at Data Management > File System > Cloud
Units > Settings > Data Movement.
If a cloud unit is inaccessible when cloud tier data movement runs, the cloud unit is
skipped in that run. Data movement on that cloud unit occurs in the next run if the
cloud unit becomes available. The data movement schedule determines the
duration between two runs. If the cloud unit becomes available and you cannot wait
for the next scheduled run, you can start the data movement manually.
For nonintegrated backup applications, you must recall the data to the active tier
before you can restore it. Backup administrators must trigger a recall or backup
applications must perform a recall before cloud-based backups can be restored.
Once a file is recalled, aging is reset and starts again from 0, and the file is eligible
based on the age policy set. A file can be recalled on the source MTree only.
Integrated applications can recall a file directly.
Recall fails if there is no space in the active tier to move the file. This decision is
made before any movement is started. Recall is per file. Dell EMC Cloud Tier
checks for existing data segments on the active tier. Only segments not present in
the active tier are invoked for recall from the cloud.
Select Data Management > File System > Summary. In the Cloud Tier section of
the Space Usage panel, click Recall, or expand the File System status panel at
the bottom of the screen. Click Recall.
The Recall link is available only if a cloud unit is created and has
data. The Recall File from Cloud dialog is displayed.
In the Recall File from Cloud dialog, enter the exact file name (no wildcards) and
full path of the file, for example: /data/col1/mt11/file1.txt. Click Recall to
start the recall process.
Only four recall jobs are active at any given time. Up to 1,000 recall jobs can be
queued up to run automatically as previous jobs complete. The recall queue is
automatically regenerated, so if the system is restarted during a recall the recall
continues when the system is back up.
Once the file has been recalled to the active tier, you can restore the data.
The path-name can be a file or directory; if it is a directory, all files in the directory
are listed.
Monitor the status of the recall using the data-movement status [path
{pathname | all | [queued] [running] [completed] [failed]} |
to-tier cloud | all}] command.
If the status shows that the recall is not running for a given path, the recall may
have finished, or it may have failed.
Verify the location of the file using the filesys report generate file-location
[path {<path-name> | all}] [output-file <filename>] command.
Once the file has been recalled to the active tier, you can restore the data.
Requirements
The Dell EMC Cloud Tier feature must be licensed and enabled on either a physical
or virtual PowerProtect DD appliance. A cloud profile and cloud unit name should
be configured before using the DD VTL Tape Out to Cloud feature.
Both DD VTL and Cloud Tier Capacity licenses are required to use the DD VTL
Tape Out to Cloud feature.
The workflow for backing up and restoring data using the PowerProtect DD VTL
Tape Out to Cloud feature is as follows:
1. Perform the backup server or client configuration and user application setup.
2. Back up to primary disk storage pools.
3. During backup, the data is copied while the backup server maintains the
necessary backup catalog and tracking metadata.
4. Data replicates to the DD VTL vault.
5. This replication can be onsite or to geographically separated sites. The backup
server tracks the tapes in a “mountable” state.
6. Once the tapes are ready for long-term retention, they are ejected from the tape
storage pool.
7. The backup server tracks tapes in the “nonmountable” state.
8. The backup server continues to monitor the tape while the Long-Term Retention
to Cloud functionality moves the tapes to the cloud tier.
9. Once in the cloud tier vault, the backup server maintains the tape status to be
“Offsite.”
10. Restore process: The PowerProtect DD appliance recalls the tapes from the
cloud tier vault and places them in the DD VTL vault. Once the tapes are in the
vault, they can be moved to the library where the backup application can use
them.
You can manage a DD VTL using the DD System Manager (DDSM) or the
command-line interface (CLI).
End-to-End Workflow
The DD VTL Tape Out to Cloud feature uses these components in the
PowerProtect DD appliance. The user interacts with the system using the DDSM or
CLI. The DD VTL service uses the Tape Out to Cloud functionality built on the DD
file system Long-Term Retention service.
The DD file system uses NFS v3 APIs to access the DD VTL tape pool and send
the virtual tapes in the vault to the cloud tier.
The Tape selection policy is applied at the pool level and sets the age threshold for
data moving to the cloud. The minimum setting is 14 days. If the policy is set to
user-managed, the user uses a command to select one or more tapes to move at
the next scheduled data movement. If the setting is set to none, no tapes are
moved to the cloud.
The cloud data movement schedule defines how frequently vaulted tapes are
moved to the cloud. The cloud data movement schedule can be set to never, to any
number of days/weeks, or run manually.
You can find specific commands that are used to set the tape selection policy, and
cloud data movement schedule in the DDOS Command Reference Guide on the
Dell EMC Support site.
Data movement for VTL occurs at the tape volume level. Individual tape volumes or
collections of tape volumes can be moved to the cloud tier but only from the vault
location. Tapes in other elements of a VTL cannot be moved.
Use the backup application to verify that the tape volumes that will move to the cloud are
marked and inventoried according to the backup application requirements.
Manually select tapes for migration to the cloud tier (immediately or at the next
scheduled data migration), or manually remove tapes from the migration schedule.
After the next scheduled data migration, the tapes are recalled from the cloud unit
to the vault. From the vault, the tapes can be returned to a library.