33:58 Video
Best Practices for Kubernetes Data Protection
In this hands-on session, learn how to best implement Portworx backup and data protection solutions to achieve true application-level backups, multi-cloud resiliency, and seamless application portability.
Click to View Transcript
Hello, everyone. Welcome to PR. Accelerate Tech 1st 2022. I'm the reason I'm a product manager at Port Works by pure storage. Today, I'm going to talk about the best practises for doing humanities data protection The right there. Let's look at what the challenges with given
data protection are in this new modern cloud native world. Additional backup solutions are typically time consuming and error prone. If you're using them to protect you're Cuban, it is applications. And that's because traditional backup solutions are usually mission focused and focused on protecting the data, not necessarily the full application itself,
and don't really work in a seamless way to protect both the application configuration as well as the data. In one simple click, they require users to protect the data separately and then find a way to protect the applications separately, which can be very time consuming with their approach and not really scalable, especially if you're deploying cloud applications at scale.
Traditional backup solutions also don't let users backup and restore their applications on any cloud seamlessly, whereas cloud native applications are really born for the portability and flexibility they provide in having your APP live anywhere on any cloud or an orange brain, or in a hybrid deployment seamlessly and migrate without any change in how they are deployed and protected between clouds and between body mind system.
Traditional backup solutions also make it really difficult to maintain compliance for Cuba Nitties applications because the definition of compliance for giving us this application changes from just protecting their data to protecting the entire application itself, the armed conflict, the data, all of them from a single entity for climate applications. So then it complaints requirements require you
to protect the entire NTP and meet complaints to comments for the entire entity. And lastly, but perhaps most importantly, um, traditional solutions do not really give you a seamless way to protect your, uh, from ransomware attacks from malicious attacks and from disasters. And the rather focus on protecting the data part of it. Whereas the app confident up data reeling
becomes a responsibility of the end user, uh, protect against these attacks and disasters. Uh, this is where picks back up from Port works can really, uh, provide a comprehensive solution for customers and organisations looking to protect their club native applications. Uh, picks back up provides a single click back up and restore of the applications themselves.
So this would include the armed conflict, the given to subjects, the data, everything that's needed for the applications to be deployed and migrated and restored anywhere in any cloud. So all of that with a single click without protecting only the data, only they have conflict. Um, takes backup treats the application, and that application is single entity,
while providing the granularity for the customers and users to choose what they want to protect within a given application takes backup also provides seamless migration capabilities for applications across any cloud. Um, an application can be born and Bram and then migrated to a public cloud. Render our vice versa really seamlessly, and the data protection schedules would continue to operate on the application and will
continue to protect the application we expect. It also provides a simplified compliance and regulatory, uh, features that ensure that the entire application is protected and meet compliance requirements by providing features such as, uh, rollbacks access control it really granular permissions and personas that can be enabled easily in the UI as well as he made the ice. It also provides native 321.
Backup. Full support, which means the ex backup can maintain a local copy of the data and the remote offset copy of the data through a single backup schedule seamlessly to ensure that your compliance requirements are met at every point during the apps. Lifetime and this would work irrespective of the application is deployed, are where it's migrated to and lastly.
But perhaps most importantly, picks back up provides native capabilities for ransomware protection and disaster protection. So breaks backup integrates with back applications that the object like enabled. Uh, it's various seamless integration points in the UI at the point of application backup to decide whether you want those applications to be ransomware protected and have them easily backed up either manually or via straddle to a
ransom, well protected backup target location. So in this section, I will talk about how communities that protection is different from what we've seen. Your traditional applications, um, so far in enterprise world, uh, and how you should really protect your applications and not just your data, and I'll be expected enable Start with providing you grand,
let backup and restore workforce. I will also look at how we can do cross cloud and crossroads and data protection. Um, that enables even better, uh, recover capabilities and availability capabilities. We'll talk about our back and the rules that we expect that natively provides, as well as the custom roles that you can create on your own.
We can't be expected to enable everything from the right administration and back up capabilities in the organisation to self service back up and restore to Iraq developers. We'll also talk about the ransomware protection capabilities that we expect to pass and how you can easily enable that, Um, just like any other backup location that you can't figure. We also talk about the two different picks back up deployment models that are available for you
to use one is the self manage picks, back up deployment that you deploy within your own data centre, as well as the backup service offering that lets you consume all of these back up features on Assad's control plane for even more simplicity and scale. So let's look at what really is a big difference between traditional applications and communities applications. The traditional applications,
irrespective of whether they're virtualised or non bachelors, really have three paradigms. There's an application that consumes compute from a bunch of servers, and then those hours consume storeys that's attached to it. Where NASA sander, That's what any other model. So all of this is really mission centric. When you talk about data protection in this world, we're talking about protecting,
um, the data volumes that are attached to the storage or the Arab conflict that's sitting on a particular set of surface, whereas in the Cuban it is world. Everything really is ab centric without having any strong integrations or not necessarily to the type of hardware, or serve our storeys that's attached to it. Applications can live on multiple different heterogeneous deployment models,
whether on or in the cloud and migrate between them. And you typically see higher scale uh, with given these applications because of the agility and speed the provide in the in how quickly they can be configured and and deleted, even if required, uh, so that customers can quickly spin up and down applications without worrying about the resources that are attached underneath it are getting logged into.
The resources that are attached underneath are worrying about where the applications need to decide. They can always be seen to be migrated to the right location. So what makes backup really does is provide a little backup and restore, uh, for these new New Age humanity's applications.
Um, users can choose to back at the end of that application or a set of the resources that they really want to be backed up, along with the data to any, uh, backup location that they choose, whether that's a compromise or in the cloud, whether that's AWS s three or as your blob storage or Google Cloud. And then it was picked up where the data is. Bathtub users can then choose to restore it to
any communities cluster running anywhere. So you could have backed up an application that was urgently running on Prem ises in your own communities. Cluster to AWS s three and then restore the application to a Cuban. It is cluster running on as your gas. It's really seamlessly without, without having to worry about any LA kings or any kind of limitations in terms of where they
are. Lives are is backed up our restaurant, and let's look at how that's really achieved through a short demo on the X factor. So what I have here is, uh, picks back up as a service Instance that it can simply access by going to central dot co dot com. You can log in with your registered email address and password or if you have already see, can't figure you can just log in with your exes.
So So I have already You can't figure it. I'm gonna log in with necessary to be X back up as a service, I have one instance of the expected as a service that's running here. I could add multiple instances of the expected as a service here for my dependency. But for the purpose of this demo, we're just going to go with in this one instance and start to use the features of the X backup itself. So each instance here is a fully,
uh, fully isolated deployment of the expect up that you can use to protect your data. So I have two clusters added here for this particular instance. These are two Cuban, these clusters that are running, uh, in aws. Uh, and that's that's also notified by the icon that you see against the cluster name. It's really simple to add clusters.
I'll show that later in the demo. What we'll do is going to one of these clusters. Um, then I'll be able to see all of the applications and name spaces that are available in the cluster for me. I can select an application. Then I can select the resources that we want to protect for this application and names best. So here you can see that I have two different
types of resources that are associated with this particular application. I have a deployment, which is my scale, and I have the PVC for the deployment, which is in my escalator. Now it's completely up to me to back up all of it, or I can back up only the abuse in this case. Or I can back up only the deployment in this
case, and I can click, apply and the then click on back up, and I'll now be redirected to this simple pop up screen that lets me define a few parameters for the backup. So let me define a name for this back up, so I'm gonna call it my SQL 20 choose a backup location. Um, I can choose whether I want to do a manual
backup or a scheduled backup. So I'm just gonna do a manual backup for consistency Reasons. I can also choose a pre exact rule or a post Brexit rule. And also add backup labels for creating this backup. Uh, and then we use this backup parameters when you use that label for future backups. So I'm just gonna I'm not adding any rules here,
but you could easily do so for a consistent citizens. I'm just gonna clean this back up really quickly. So once you click and create backup, you'll be redirected to the backup screen where you can see that backup is in progress. Uh, your question. I have already created one backup that succeeded earlier as well,
going back to the backup screen just to look at the level of granularity that's available to you as a new user. Uh, To protect your application, you can choose what type of communities resources you want to back up for any or all of your applications. By default, all will be selected here. You could select and then say I want to. I only want to back up a demon second
deployment and let's say the BBC or any other considerations that you would need. Then once I select that, if you figure to select the application again the you I will show me that these are the sort of resources that are actually going to get back up, and I click back up here. So it's really, uh it provides a lot of flexibility to the users on how they're backing up their applications.
Uh, in their entirety. Only the data, only a subset of the application can fit all of all of that, depending on what your application is and what it requires. So that's the simplicity as well as the future richness that picks back up, up. Right. So we go back to the backup section here and this my school 20 backup that we just take a minute ago has succeeded.
So that's the sex. Aside from that, you see against the name of the backup itself. Yes. Okay, so that that's that was about the ab granularity of, uh, backup capabilities that makes backup enables. Um, restore also provides a similar AB granularity with even more features.
So just let's take a quick look at how that would work So we did. We did back the South, Um, just a few minutes ago. So my point is that we just created Let's say I want to historic. Now, uh, take a note that this is, uh, the eks cluster that we are backing up. This application from is Prashant. That's one.
So if you click on restore, I can add a name for the restore itself. So let's call it my secure restore 20 and choose the destination cluster. Have two clusters here. Um, that's one is the cluster from which we took the backup. I could distract me, too. I just choose another one, and it then gives me a lot of options to decide how I want
existed to be executed. I can have everything default, and by default, all of the resources that are there in the back up selected, I could then choose whether I want to restore. All of the resources are only a subset of the resources here. I could un select the deployment, which, in which case, only the PVC be restored to the destination.
Last, uh, medical resources. Um, Okay, I have the option to replace the existing resources in case. Um, similar resources exist on the destination cluster. This new restore would replace them so that you have the most current washing of the backup that's restored in the destination cluster. I could also do a custom restore, which gives even more options for me.
I could do a custom restore. I can do a name space mapping. I have the short name space, which is default, which is what we backed up the destination name space would say default. Or I could, uh, restored it to a completely different name. Space. This is these are the name spaces that are actually available in this cluster.
Uh, I demo what the UI is doing here. What we expect is doing here is actually reading the name space list in the cluster and providing you the option to choose which name space you want to restore it to. Similarly, um, I can again choose the resources if you want to change them here and, um, restore what I want to restore from the whole set of backup,
whether all of the resources are only a subject of the resources I'm not gonna do restore here. Just demonstrating all of the options that the users have when they want to do a backup and restore the expected. The other option, uh, another capability that we expect to provide is cross cloud and cross region backup and restore. You do not have to back up and destroyed within
the same cloud or within the same compromised data centre at all. You could do it across clouds. Let's take a look at how that that would work. Now, if you go back to the clusters that have added, uh, in my backup instance, have two classes here Bus one until I demo. Um, if I go look at, um the, uh, conflict for that you would see that
Bus one is in us west to region. So this is the reason that the speaker's clusters running. And if you go look at the cue conflict for the other cluster, which is P I demo. This is running at us East one. Um, although tourniquets cluster as well, uh, it's a different region with an Amazon. This could as well be in a case cluster running in azure.
Um, it would all work the same. Now I'm going to go to the backup that have taken within this us rest, um, two regions. It gets cluster. Um, so I'm gonna click on restore. Um and I'm gonna try and restore this, uh, two.
The us is to one cluster. So this is a region. This is a cluster running in a completely different region. I'm just gonna go with default Farrell affair, um, replace existing resources if they exist. Um, and just click on the storey. So what I'm doing really here is restoring this, uh, from the cluster in a different region of AWS to a completely different region of
AWS. And it will take me to the other, cluster the destination cluster, and automatically show that the progress of the restore here. So this is cross region restore within AWS. But you could seamlessly do this across clouds as well. So there's no limitation in terms of how you restore it and very distorted, um, and very back up to as well.
So that that's one of the key, uh, functionalities that gets back up, provides Let's look at, uh, the arbour capabilities and the roles that we expect enables there are three kind rules that are available. Uh, there's Of course, the ability to create custom roles as well. Out of the box picks back up enables the intra admin app,
admin and the APP uh, user role. So these rules have different permissions between them. What the what typically happens with the infraction role is they have complete access to everything within the expected, and they can configure the cloud accounts. They can configure the backup policies. They can set up the backup target they can set up the backup schedules basically set up all of
the backup infrastructure and policies that their end users can can then use. So they can also, of course, set up our back itself. So either that, users added, their abusers invite users to a particular role. Now the APP, admin or the owners personal can use the cloud accounts that are created by the Redman um, and set up the situation rules that need to apply to their specific
applications. So they want to set up pre executive post exact rules. If they want to set up a particular schedule, which is periodic our daily of Italy, they can set all of that up for the application that they are trying to protect And then the APP developer or the abuser can do self service in terms of backing up and restoring their own applications, uh,
and deciding what's the granularity of the application backup and understood that they decide. So the backup restore work for that we saw earlier where I could choose which communities resource are rich PVC to back up. That's something in a developer an abuser can do by themselves. So it's really enabled self service for the cloud native world.
Uh, the abuser cannot change. A cloud account cannot change back application cannot change. A backup to do that is left to the admins to configure. And then once it's configured, they can enable that for an apposite. So an apposite can see what shadows are enabled for them. Uh, what, uh, backup targets that are enabled
for them and then back up and restore their applications. Uh, to those locations. Let's look at how simple it is to actually set up rules within, uh, expect. So all I have to do really do is go to, uh, the left pain. Go to picks, back up security,
and you will see the existing rules that are already configured since this is an instance I created, I have by default being assigned the role of an intra add and I can go to rules. Uh, and it will show me the three pre configured rules that we talked about The infra had been the app admitting as well as the abusive. You can also, uh, see more details of it or duplicate that role as well.
You can create a completely custom role, depending on what level of permissions you require and what type of teams and hierarchy are setting up. You all have to do is name the role at the description and then choose the level of access they this particular role requires against these five, uh, capabilities. The cloud accounts, the bank applications,
um, the schedule policies, which lets them create and manage policies rules which has led them, uh, create and manage their own rules and use the rules, which has allowed them to, um, enable new user roles, are invite users to an existing role and and create a custom rollers. And so it's really simple, uh, to, um, use the existing, uh, configure the roles within the ex backup or create multiple
new custom roles for, uh, for your use case. And then once you've created uh, set of rules, you can just click on invite user. Choose the role that we're inviting the user to and enter all the emails by a comma separation, uh, to invite a bunch of users in bulk, uh, into that role. You can also integrate with the ABC and assign roles to a group of users so that they automatically get that role and the logging to
that backup Instance. So really simple to, um, set up a very detailed hierarchy of roles and permissions within PX backup for your organisation so that not just security and compliance, but ease of management is met. Self service is enabled for your and application developers as well. So that was the demo that we just looked at for both custom,
uh, gun rules. Let's look at some of the security features within the ex backup, so picks back up enables are back that we look at the rules that, uh, restrictive level of permissions available to users. It also creates a detailed audit audit trail to track every action taken by every user. So, in case of any malicious access. You would You would have an audit trail to go
back and re confirm what actions performed by what user It enables really fast recovery. So we leverage CSS snapshots whenever available to create a local data copy as well. I talked about 3 to 1 backup complaints so we could have a local copy as well as a remote copy. Uh, in the same backups. Uh, well, the local copy would ensure is really quick, really fast restores.
We can also take advantage of flash performance whenever there is a local copy that's stored on flash stores to increase the speed of restores itself. And the restored, of course, can happen on premise are in the cloud. We fully support air gapped environments. Uh, there's a lot of hair gap testing Me too. You can orchestrate, uh, object replication to enable offset copies.
We validate that the restores, uh, from the second copy, our, uh, complete and are able to bring up the application as required. We also support object like capability, uh, to enable ransomware protection for your applications. So let's look at look at a quick demo of how ransomware protection is integrated, uh, into the expected.
So I'm gonna go back into one of the clusters, uh, and and try to back to a ransom were protected back application, um, to to see how to set up a back applications that ransomware protected. All you have to do is go to settings, go to cloud settings. Uh, this is the location where you had all of your cloud accounts as well as all of your back
applications. Now, adding a backup location is the same process. Irrespective of whether that's a ransomware protected object lock back application. I don't know not to clock back application. You simply provide the name, the cloud, account the path and add the backup patient. But once you add the back application, we automatically detect whether that location is
object lock enabled or not. And when we detect that, we'll show you an icon that that demonstrates that this particular back application is object like enabled. I have to back applications in the first one is not object like enabled. The second one is object like enabled. So it's easy to really seeing the ui what type
of back applications you have. And then I'll go back to, uh, one of the clusters. Um, and let's try to back up this application again, so I'll give a different name. I'm gonna call it. I think we call the last 1 20. I'm gonna call this 30 and the difference now
is to choose this back application. This is not an object like back application, whereas this particular one is and that is not notified by this icon. So if a horror that you can see that this is object marketable again, this is also detected by the expect. You don't really have to, uh, do anything to figure it out. So once I choose the back application,
the rest of the workflow really remains the same. So it's seamlessly integrated into the workflow for creating and managing backups. Uh, if you want to do this as a schedule versus a one time activity, I can click on a schedule. And once I choose a object lock back application, the policy that I choose will be
an object like policy. Um, if I change the backup location to a non object like backups of location, the policy options will automatically change. Like you can see here. My back application is not an object locked and a policy says a general policy, which is not applicable for object locks. When I choose one that choose the back
application, that is object lock, my policy options automatically changed. So I have two policies here, one that says object, lock and done some fabric so I can choose Ransomware protect. It's gotta particular schedule that's associated with it. If you want to see what this policy is, I can actually go to managerial policies from that window.
Uh, and this is the landing page for all Cheryl policies here. You can see that this policy is not up the clock, whereas the other two policies are object like Annabelle Policy. And when you hover the tools that will show you that this policy is for an object like pocket. Uh, the reason for that is object like policies have different configuration options.
Now let's see what the difference would mean. Let's create a test policy that is, uh, for normal. Uh uh, non object like buckets. I can just have this a periodic I can choose the periodicity. I can choose how many snapshots I want to retain. And what the incremental account of the snapshot says.
But let's if I were to call this an object log policy. Then the options changed. I now get the option to auto delete the backups. After the retention period is over. I can have a different scheduled for it, whether it's periodic or daily. But I don't really have to choose how many incremental copies I need or how long to retain snapshots.
And that's because the number of incremental copies is decided by the ex backup based on the protection period that's scheduled at the object like location, as well as the snapshot retention policy. It's automatically detected by the Object lock written retention period that sat on the target back application and idea to. So there's not really an option for the user to
change, uh, the, uh, the retention policy here so we can go back to what we're trying to do, which is trying to create a federal policy back something up into an object lock target location. So it was the same one. I'm gonna call this, uh, my school 30 uh, make a schedule, choose a locked target location.
Choose one of the lock specific federal policy and then I just to create. So once this is created, uh, I've had a schedule. I've chosen a schedule policy that creates a daily back up at three. PM so you can see nothing is triggered here even though, like I said, create backup when that time stamp is met.
That's when the schedule a chicken and a new backup I would start getting written to the get back up location. So that's really how simple it is to set up ransomware protection. And, um, have your applications protected to a object lock enabled backup target. Between the expect up, just a few clicks, it's seamlessly integrated all across the product itself.
So, uh, you I make sure that you're really aware where you're backing up, uh, your application to whether it's non ransomware protected or to a branch of a protected one, and lets you switch between them seamlessly as well. Let me also introduce uh, Botox back up as a service. Um, in the beginning of this session, I spoke about the two ways you can use protests.
Baca Botox backup is available as a deployment that you can deploy and manage on your own. Um, you can download the ham charts from central Botox dot com as well. Uh, is also available as a backup as a service offering. Uh, that just went, uh, in may. It brings in a whole host of additional features or and about what I just showed you and spoke about with Botox back up.
It gives you a cloud hosted south control plane. Um, you will just have to consume all of the backup capabilities as a simple size suffering. You don't have to deploy anything, manage anything or upgrade, uh, any anything on your backup software. So all of the deployment upgrade, manageability, availability, complexity of running a backup software compromise is taken away. Um, that is provided by port works as he hosted
service for you to simply add your clusters your community clusters and start protecting your applications. It provides auto discovery for a WCS clusters, which means that you can add a cluster into the expectable service with just a few clicks without having to upload your cube configured do any other manual steps. Uh, and that really increases the speed at which you can start protecting your communities
applications. Uh, it brings in multi tenancy support you can have multiple deployments of service within the same organisation, each providing isolation within your organisation to enable different business units are different. Groups are different environments, uh, to consume their own back up to the service instance.
In their own multi tenant fashion, it can connect to communities clusters running anywhere in the cloud. So all of the experts, true cloud flexibility, portability, migration capabilities. All of that is available in backup service, and it enhances the Arabic support that is available with picks back up. So picks back up,
as we saw a little while earlier brings the roles of, uh, mean abuser and custom roles within a six pack of instance. All of that are available in the back of the service with additional roles additional organisational level roles that are available to enable organisations to decide who can create a new backup. Business service instance Who can manage them
at an organisational level, who can set up multi tendency at an organisational level so new rules are, and about what I just showed you in picks back up as well. So all of that available as a choice for customers to deploy either on Prem or as a service. I hope that was useful Overview of the expected. If you have questions, uh, we're more than happy to,
uh, do a deeper dive. Give you give you a lot more information about the expected capabilities. Are use cases at customer storeys. Do reach out to me at, uh storeys dot com. Uh, like I mentioned a project manager on the port side of things. Uh, you can also reach out to, uh, my product marketing manager Janet.
She is available at J wi at your storeys dot com. Either of us will be more than happy to have a longer organisation about the use cases and capabilities that protects back up provides. Uh, you could also try out products back, uh, products back up as a service offering for free by this registering on central at products dot com, which will let you create a free instance of,
uh, products back up as a service and use it to add your applications and try out all of the future set of products backup for free. So the free instance really does not have a future restriction other than a 30 day trial, so you could really use the full, um, 50 set of X back up and try it out for free on your own by just going to central dot gov dot com as well. Thank you.
Um, if more questions, please do email. Aslak, be more than happy to, uh, provide more details. Thank you so much.
Kubernetes provides the flexibility to quickly deploy your applications on any cloud and easily migrate them across clouds or premises. But how do you ensure this flexibility doesn't put your applications at risk?
In this hands-on session, learn how to best implement Portworx backup and data protection solutions to achieve true application-level backups, multi-cloud resiliency, and seamless application portability. With Portworx, you can trust your data will be available and recoverable.
Test Drive Portworx
Accelerate your cloud-native journey. Step into the virtual lab and test drive leading Kubernetes Storage and Data Protection platform according to GigaOm Research.
Meet with an Expert
Let’s talk. Book a 1:1 meeting with one of our experts to discuss your specific needs.
Questions, Comments?
Have a question or comment about Pure products or certifications? We’re here to help.
Schedule a Demo
Schedule a live demo and see for yourself how Pure can help transform your data into powerful outcomes.
Call Sales: 800-976-6494
Media: pr@purestorage.com
Pure Storage, Inc.
2555 Augustine Dr.
Santa Clara, CA 95054
800-379-7873 (general info)