VMware Tanzu Mission Control Expands Data Protection Capabilities

June 10, 2021 Pradeep Kumar Chaturvedi

Last year, VMware Tanzu Mission Control introduced data protection capabilities to help enterprises safely and confidently run critical workloads on Kubernetes. With this unique feature, enterprises can centrally manage data protection on their clusters across multiple environments, easily backing up and restoring their Kubernetes clusters and namespaces.

Today, we are very excited to share the latest features of data protection in Tanzu Mission Control. Building on our core data protection feature set, Tanzu Mission Control now supports more storage options, allowing customers to bring their own self-provisioned AWS S3 bucket or S3-compatible on-prem storage locations so they can leverage existing storage or additional storage for a given cluster. It also supports recurring backups with a backup schedules feature—simply set a schedule and Tanzu Mission Control ensures that all backups happen on time. Customers can also now restore a namespace or resources into a different namespace than where they were backed up originally, which unlocks use cases like namespace cloning and data recovery in a new location for test or development purposes.

Data protection for Kubernetes

Data protection is a primary driver of business continuity, disaster recovery, workload migration, and data management. As Kubernetes matures and enterprises deploy more modern, containerized applications, providing adequate data protection in a multi-cloud, distributed environment becomes a challenge that must be addressed.

In the CNCF 2020 survey, 55 percent of respondents said they use stateful applications in containers in production. Stateful workloads need persistent storage for application data, so to support the needs of modern application deployments, an ecosystem has evolved and support for storage and stateful applications with Kubernetes has matured. With this rise in stateful workloads, data protection solutions are needed to back up and recover both the state and data of these applications.

Beyond your application’s state, Kubernetes maintains its own operational state by storing it in the cluster itself. It includes resources such as config maps, custom resource definitions, and secrets stored in the Kubernetes control plane. Just like application data, these resources are critical to your clusters’ operation. And as with any other element of your IT infrastructure, protecting that data is essential.

Data protection in Tanzu Mission Control

Tanzu Mission Control is a centralized platform for Kubernetes operators to manage Kubernetes clusters consistently and securely across multiple teams and clouds. Its data protection feature is built upon a solid open source foundation using the Velero project, the most popular open source project for Kubernetes data protection. Velero lets you back up and restore both Kubernetes cluster resources and persistent volumes. 

As with Kubernetes itself, Velero is constrained to a single cluster. With enterprises running hundreds of clusters across public and private clouds, installing, configuring, and running Velero for backup and restore at each cluster is a daunting task. Tanzu Mission Control centrally manages the entire lifecycle of Velero across your cluster fleet, which drastically reduces the amount of toil involved when compared to running Velero in a DIY fashion. Users can take advantage of this data protection feature on any cluster under management, regardless of whether it was provisioned by Tanzu Mission Control or is attached.

Tanzu Mission Control allows administrators to provide data protection to their cluster fleet from a central UI console, CLI, and API. From there, they can back up and restore entire clusters and namespaces or perform custom partial backups using Kubernetes label selectors, with Velero managing the retention of backup files.

Customer-provisioned storage 

When Tanzu Mission Control performs a backup operation, it makes copies and stores them in a backup target location. When we introduced the data protection feature last year, we supported automated management of an Amazon AWS S3 object store in your account as the backup target location. We called this Tanzu Mission Control-provisioned storage. Because this object store is in your own AWS account, VMware is never in possession of your application data. Backups go directly from clusters in your environment to storage controlled by you.

Tanzu Mission Control-provisioned storage requires very little configuration by customers so they can quickly get started with data protection. However, some customers already have established storage devices, don’t want to copy their backups across the internet, or don’t want to pay for additional storage in AWS.

To support those customers, we recently introduced customer-provisioned storage. With customer-provisioned storage, enterprises can leverage their existing storage investments for backups, reducing network and cloud storage costs, and allowing them to apply their existing storage policies, quotas, and encryption. This also allows them to take advantage of high-speed on-premises networks running between their clusters and storage instead of backing up over the internet.

In Tanzu Mission Control, backup storage is added to the platform as a “target location” by the platform operator. These locations can then be shared with various clusters or cluster groups and used when creating backups. When a backup begins, it will be written to the target location that is configured for that backup. This allows different target locations to be used by different cluster groups as needed, and also allows for different backups to write to unique storage as needed.

Users are able to select target locations for their backups in Tanzu Mission Control’s UI

Our first iteration of customer-provisioned storage allows you to add your own AWS S3 bucket or S3-compatible storage such as MinIO or Dell ECS. Though we only support S3 and S3-compatible storage today, our feature architecture lays the foundation for Tanzu Mission Control to support other storage types in the future, such as Microsoft Azure Blob, Google Cloud Storage, and Dell EMC Data Domain.

Flexible backup target configurations

With the introduction of customer-provisioned storage for backups, multiple backup locations for each cluster can be configured. This gives operators the flexibility to create different backup schedules or unique backups for different portions of a cluster using namespaces or label selectors—and send them to different locations. For example, customers may choose to back up critical applications to a highly available storage location while they back up non-critical applications on local storage. Or they may want to make separate backups to a data recovery site and use different target locations for each of them.

Tanzu Mission Control’s cluster data protection backup grid shows individual backup target locations in the “Storage Location” column

Namespace cloning

Tanzu Mission Control data protection now supports the restoration of backups to an alternative namespace in the cluster. This allows you to restore data without changing or disrupting the source namespace. Developers can use this feature to perform namespace or resource cloning.

Namespace cloning allows developers to test new features against a “point in time” dataset or verify a new integration with a “known good” version of another application. 

Cloning a namespace can also assist in troubleshooting, as users can create a copy of an application and run it side by side with a production application in the same cluster, allowing developers to work on an issue without impacting production applications.

Users are able to clone a namespace by providing a different name for a target namespace while restoring a point-in-time backup

Data protection schedules

Data protection schedules allow you to configure recurring backups for your clusters. Tanzu Mission Control now supports setting a schedule for your backups with a standard set of templates for common and simple recurring schedules such as daily, weekly, or monthly. You can also configure more complex schedules by using custom cron expressions for maximum scheduling flexibility.

Users can configure the data protection schedule as part of the backup creation workflow

With more and more stateful applications running on Kubernetes, it is essential for enterprises to incorporate these deployments into their data protection plans. Tanzu Mission Control provides unique, fleet-wide data protection capabilities for enterprises to protect their most mission-critical data across clusters and clouds with efficiency and flexibility. 

Designed to tackle the multicluster and multi-cloud challenges of running and managing Kubernetes today, Tanzu Mission Control offers enterprises the best data protection solution. Go here to learn more about Tanzu Mission Control, and get more details about Tanzu Mission Control capabilities in the documentation.

About the Author

Pradeep Kumar Chaturvedi is a product manager for Tanzu Mission Control focused on developing and expanding data protection capabilities for VMware Tanzu’s enterprise customers. Pradeep has 18+ years of experience delivering enterprise-scale IT management solutions that simplify the complexity of managing multi-cloud environments.
