Secure Kubernetes Storage Made Easy

Earlier this year, Veeam Kasten launched support for exporting of secure snapshots to VDC Vault. This allows Kasten admins to protect their Kubernetes stateful data and take advantage of the built-in security and redundancy protection features natively provided by VDC Vault as a securely managed storage platform. The new integrated model allows Kubernetes admins to check three key application data protection and mobility requirements from their enterprise policy compliance list: ransomware protection, application migration, and cost.

Data is Everywhere (Even in Your K8s Clusters)

No one disputes the exponential growth of enterprise data, nor would anyone disagree that this data is becoming more valuable and more at risk from malicious actors targeting ransomware attacks against active data and data backups. But trying to narrow down specific volumes and patterns pinpointing where that data is coming from and where it’s stored (and at risk) is conjecture-city, and things just get murkier when we start looking at Kubernetes data volumes, locations, and patterns. Massive volumes of highly valuable data that need protection throughout the enterprise application infrastructure? Yes. Unified systems for protecting that data at creation, during transport, and at rest specifically for Kubernetes? Not so much — unless we’re talking about protecting stateful Kubernetes data in fully managed, secure storage. Enter Veeam Kasten and Veeam Data Cloud (VDC) Vault.

Protecting stateful Kubernetes data is no small feat if you are not using the correct tools. Maintaining protection for that data throughout its complete lifecycle (creation, local snapshots, encryption, exporting to an external secure repository, enforcing WORM and immutability policies against that repository, etc.) can be daunting at best and dangerous at worst — where some components are not fully secured and/or are left unmanaged.

Migrating and Securing Kubernetes Data with Veeam Kasten and VDC Vault

Earlier this year, Veeam Kasten launched support for exporting of secure snapshots to VDC Vault. This allows Kasten admins to protect their Kubernetes stateful data and take advantage of the built-in security and redundancy protection features natively provided by VDC Vault as a securely managed storage platform. To export snapshots to a specific VDC Vault storage account from an instance of Kasten, the admin simply needs to register their Kasten instances with VDC, enable Kasten uploads to a secure container in their VDC Vault account, and configure a new Kasten location profile. This can be used to protect any application within the cluster.

This new integrated model allows Kubernetes admins to check three key application data protection and mobility requirements from their enterprise policy compliance list:

  • Ransomware Protection — Kasten offers encrypted (using Kasten keys or those from the enterprise), immutable snapshot exports from the cluster to VDC Vault. This provides immutable protection by default; enterprises can protect their stateful Kubernetes data from the cluster throughout its lifecycle, covering creation, transport, and storage at rest. When that data needs to be restored in a clean room after a breach, the admin knows the data exported to VDC Vault is exactly as it left the Kubernetes cluster with Kasten when it was originally backed up.
  • Application Migration — Although persistent data in a Kubernetes cluster is, by definition, persistent to that cluster, Kubernetes clusters themselves can often be ephemeral by nature. They are created on-demand in specific locations and destroyed when no longer needed, for example. For the two worlds of persistent data and ephemeral clusters to marry well together, having the ability to migrate that data between clusters becomes imperative. The combination of Kasten and VDC Vault provides administrators a path to securely migrate persistent data from one cluster to another (or one cluster to many clusters), all while maintaining the data’s secure origin. This is an ideal solution for migrating from one infrastructure to another, such as moving from on-prem clusters to fully managed AKS clusters in Azure, for example.
  • Cost — VDC Vault offers predictable pricing: pay for what you need when you need it. As an enterprise’s Kubernetes application protection or migration needs increase, scale up VDC Vault to store more persistent data. As those needs pare back, scale down the data stored in VDC Vault. Consume only what you need at fixed pricing.

How to Use VDC Vault for Secure Kasten Exports: Step-by-Step Technical Guide

Follow the process below to configure VDC Vault to support secure Kasten exports and assign a backup policy in Kasten to use the VDC Vault integration.

To get started in your own environment, you will need Kasten UI access to a Kasten cluster, while some of the steps below can also be configured via a GitOps workflow. More information on how to access the Kasten UI can be found here, and on how to build the appropriate Kasten resources and secrets via the Kubernetes API can be found here.

1. Veeam Account Registration

Prior to creating a Veeam Data Cloud Vault location profile within Veeam Kasten, a Kasten instance must first be registered with Veeam Data Cloud. This first step allows the Kasten instance to consume VDC Vault storage account details from the admin’s Veeam account. To start the registration process within the Kasten UI, choose Settings -> Registration from the left navigation pane.

Then, you will be walked through authentication against your existing Veeam VDC account. This method configures the secure credentials necessary for Kasten to interact with the VDC Vault storage accounts configured for that admin. It then brings the admin back to the Kasten UI to complete the next few steps in configuring a new VDC Vault location profile.

2. Kasten Assignment to a VDC Vault Storage Account

Once that instance of Kasten has been registered against the VDC account, you then need to configure VDC Vault to allow Kasten to export snapshots to a particular VDC Vault account and location.

As a VDC Vault admin, you’ll be able to set up multiple VDC Vault storage accounts. These map back to diverse VDC Vault subscriptions, plans, and Azure regions. They provide the most flexibility for data protection and security via VDC Vault against your enterprise requirements and policies. For example, you may choose to secure your most valuable production data by exporting Kasten snapshots to a VDC Vault location in the same region, but non-production snapshots may be backed up into a different Azure region.

To choose a specific VDC Vault storage account and location repository in that account, you need to:

  • log into your VDC account
  • choose a specific VDC Vault storage account from the list of Vaults in the VDC UI, or select the backup server that was registered in the first step
  • click through a specific VDC Vault storage account to see a list of available regions

Within the region boxes, you can then choose to enable Kasten by setting the storage status to “Connected”.

3. Create a New Kasten Location Profile

After Kasten has successfully connected to a Vault account in Veeam VDC, the next step is to create a new Kasten location profile. This securely exports Kubernetes snapshots to the selected VDC Vault storage account.

Once VDC Vault has been registered, the process of creating a new location profile is exactly the same as for any other storage provider.

To create a new location profile, you can either click on the link provided in the Registration page after VDC registration is complete, or you can navigate to “Profiles” -> “Location Profile” in the left navigation menu.

Once on the location profile page, click on the “Create New Profile” button. This will start the process of creating a new export location to VDC Vault. You can then give the new location profile any name you would like. From the Storage Provider drop-down list, choose the Veeam Data Cloud Vault option. This will instruct Kasten to query VDC Vault for a list of Vault storage accounts available to you (any of the options that were assigned to Kasten in the previous step).

At this point, choose the appropriate VDC Vault storage account that you would like to use for secure snapshot exports from any of your protected Kubernetes applications. Kasten supports different location profiles for each protected application. Therefore, in this case you would choose the VDC Vault storage location for the application data you wish to export to this specific VDC Vault storage account and location.

Finally, choose the Protection Period (immutability) you would like to use for all snapshot data exported via this location profile. For VDC Vault, it’s highly recommended that the value for Protection Period match the immutability value configured in your VDC Vault account. Typically, this is 30 days for both systems; however, if a custom immutability period has been configured in VDC Vault, then the Kasten Protection Period should be set to the same value.

Creating a new Kasten location profile for VDC Vault has two results:

  1. Kasten will create a separate immutable container within the VDC Vault storage account and location that was previously connected. This keeps Kasten exports separated from other application data within the same VDC Vault storage account and location. In the case where multiple Kasten instances are writing to the same VDC Vault storage account and location, the secure content from each Kasten instance is kept separate in the Kasten container by directory hierarchy. Each Kasten instance then maintains its own parent directory within the container.
  2. Kasten will validate that the location profile can successfully communicate with the specific VDC Vault account chosen, and the location profile will now be available for assignment to any application protected by Kasten.

4. Creating a New Backup Policy with VDC Vault

Once a new location profile is successfully created, it can now be used to construct new application protection policies throughout Kasten. A single location profile can be used to export secure snapshots from multiple applications within Kasten.

To create a new backup policy, choose “Policies” -> “Policy” from the left navigation pane and select the “Create New Policy” button. At this point, configure a new backup protection policy that meets your needs and/or your organization’s backup policy. Kasten provides options for backup frequency, export cadence, and so on.

5. Success!

Once a new backup policy has been configured and scheduled, Kasten will begin exporting encrypted and immutable snapshots to the VDC Vault storage account previously configured based on the schedule set in the policy.
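For teams that manage policies through the GitOps workflow mentioned earlier, a review-time check can confirm that every backup policy actually exports to the VDC Vault location profile rather than keeping snapshots only on the cluster. This is an added example, not Veeam's code: it assumes the Kasten Policy manifest layout (`spec.actions`, `exportParameters.profile.name`), and the profile and policy names are constructed placeholders.

```python
# Added example: audit Kasten Policy manifests before they are applied.
# Field names are assumed to follow the Kasten Policy resource
# (config.kio.kasten.io/v1alpha1); all names below are constructed placeholders.

APPROVED_PROFILE = "vdc-vault-profile"  # hypothetical VDC Vault location profile

# Constructed sample manifests, already parsed into dicts.
SAMPLE_POLICIES = [
    {"metadata": {"name": "orders-backup"},
     "spec": {"frequency": "@daily", "actions": [
         {"action": "backup"},
         {"action": "export", "exportParameters": {
             "frequency": "@daily",
             "profile": {"name": "vdc-vault-profile", "namespace": "kasten-io"}}}]}},
    {"metadata": {"name": "billing-backup"},
     "spec": {"frequency": "@daily", "actions": [{"action": "backup"}]}},
    {"metadata": {"name": "legacy-backup"},
     "spec": {"frequency": "@daily", "actions": [
         {"action": "backup"},
         {"action": "export", "exportParameters": {
             "profile": {"name": "old-s3-bucket", "namespace": "kasten-io"}}}]}},
]


def audit_policy(policy, approved=APPROVED_PROFILE):
    """Return findings for one Policy manifest; an empty list means it passes."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    actions = policy.get("spec", {}).get("actions") or []
    if not any(a.get("action") == "backup" for a in actions):
        return []  # not a backup policy, out of scope for this check
    exports = [a for a in actions if a.get("action") == "export"]
    findings = []
    if not exports:
        # Local snapshots alone never reach the immutable vault container.
        findings.append(f"{name}: snapshots only, nothing is exported off-cluster")
    for exp in exports:
        profile = ((exp.get("exportParameters") or {}).get("profile") or {}).get("name")
        if profile != approved:
            findings.append(f"{name}: exports to {profile!r}, expected {approved!r}")
    return findings


def audit_all(policies, approved=APPROVED_PROFILE):
    """Audit every manifest and return the combined findings in input order."""
    return [f for p in policies for f in audit_policy(p, approved)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_POLICIES):
        print("FINDING:", finding)
```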

Kasten + VDC Vault: Better Together

Kasten was designed from the ground up to provide immutable protection for the most critical Kubernetes-persistent data within an enterprise, with the flexibility to configure and store those protected exports anywhere the enterprise needs. VDC Vault was built as a fully managed, secure cloud storage platform, safeguarding enterprise data on Zero Trust storage that’s always immutable and logically air-gapped from production. Together, Kasten and VDC Vault provide a complete Kubernetes application protection solution which is always secure, always available, and always predictable. Now that’s secure Kubernetes storage made easy!

For more information on the fully integrated Kasten and VDC Vault solution for application protection, please watch this on-demand webinar.

The post Secure Kubernetes Storage Made Easy appeared first on Veeam Software Official Blog.

from Veeam Software Official Blog https://ift.tt/OASktqC
