I am very excited about something new with Data Protection Manager (DPM) that I was able to announce during my Enterprise Backup session @ Microsoft Ignite (http://meme.ms/d5gpbrq). It is DPM Backup As A Service (BaaS). I wanted to blog about it with even more information about this new functionality in DPM.
Well what is DPM BaaS? In a nutshell it is Backup as a Service in Azure Pack powered by Data Protection Manager. This is a new resource provider built by the DPM team. It lights up the functionality for tenants to protect VM’s in Azure Pack. Here is a screenshot of what the new BaaS in Azure Pack looks like for a tenant:
DPM has always had a role in the Microsoft Private Cloud story. This role has been on the backend through backing up the Private Cloud fabric components that power Private Cloud (Windows Server, Hyper-V, System Center). The following image is the framework of Microsoft Private Cloud:
DPM has also been used for protection of front end tenant workloads such as websites, SQL databases and virtual machines. However protecting tenant workloads had no visibility or control by the tenants themselves. This story changes with the introduction of BaaS for Azure Pack giving the control for tenants to choose if they want to protect their virtual machines from their cloud!
NOTE: As of now BaaS for Azure Pack can only protect virtual machines in tenant clouds. If you would like to see BaaS extended to protect other areas of the Private Cloud such as SQL databases or websites feel free to reach out to me.
Now let’s pick apart this new DPM BaaS to gain a better understanding of it in the rest of this post.
DPM BaaS in Azure Pack Architecture
So what do you need for this new BaaS? The following components make up BaaS:
You can deploy many DPM servers for scale as your Private Cloud grows. The rest of the components are standard with a Private Cloud so if you already have Azure Pack running you simply need to add DPM and the DPM BaaS Resource Provider.
As previously stated BaaS only protects virtual machines. A DPM agent needs to be installed to Hyper-V hosts. The BaaS in Azure Pack does not do this for you. The DPM agent will not be required inside VM’s. The agent will be installed on Hyper-V hosts only.
Now let’s take a look at what can and admin do with BaaS. NOTE: The BaaS is still under development so some of these features may change. If you have any feedback about the features and functionality you would like to see feel free to contact me. Let’s explore the BaaS admin perspective through a series of screenshots.
Here is a shot of the VM Backup within the Azure Pack admin site. Here is where you would register the resource provider with SPF, you could also add a DPM server, or create a server group. Note that you still need to deploy your DPM servers before you can add them to BaaS. BaaS will not deploy the DPM servers for you.
A server group allows you to logically group DPM servers and then add DPM servers to the group and you can set settings based on a group and then add this to a plan for a tenant. An admin of the Resource Provider will set the Protection Group policy settings that will be used for all subscriptions to a particular plan.
The next two screenshots show creating a new group.
This screenshot shows the registration of a DPM server. Notice you have the ability to add the DPM server to a group. Adding the DPM server to a group is optional.
The next three screenshots give you an idea of what settings you can set for a group. These settings will help you apply limits to the tenant that will be assigned this group via a plan. Notice that some of the settings will look familiar to what you see in DPM when setting up a Protection Group.
This final screenshot is of the Usage & Metering within for the Resource Provider. The cool thing about this is we do not have a dashboard like this in DPM. This monitoring can be scoped per VM or All Up of the BaaS Resource Provider. Here is what you can see as the part of this monitoring:
- Retention Days
- Number of Restore Points
- Size used
So we walked through what and administrator can do in the BaaS let’s look at the tenants perspective. Here is what a tenant can do with BaaS?
Ability to add a VM under protection. This essentially adds the VM to a DPM protection group on the backend. If a Protection Group does not exist for this tenant’s subscription yet one will be created.
Ability to back up a protected VM. This creates a Recovery Point in DPM on the backend. An admin of the BaaS resource provider has the option to allow this or not allow this to tenants.
Ability to restore a protected VM. This will restore a VM from a Recovery Point in DPM on the backend. Self-service restore of a deleted VM that is protected is out of scope as DPM doesn’t have VMM information (cloud, etc.) to correctly reassign it to a tenant. However an administrator with direct access to DPM could still go and restore the VM.
Ability to remove a VM’s protection. The protection group for the tenant subscription will be created when the first VM is protected and destroyed when the last VM is removed.
For more information:
My Microsoft Ignite session on this:
Download the DPM BaaS Resource Provider: