StorSimple Řešení hybridního úložiště Matouš Rokos Infrastructure Consultant Mainstram Technologies Windows Azure Storage Like a GIANT hard drive—only better Highly durable and scalable. Multiple copies of your data. Windows Azure Storage Defend against regional disasters Security Storage Account 1. 2. 3. 4. 5. StorSimple CiS Overview Storage Challenges Are Broad Equipment Sprawl Primary Storage Data Growth and Footprint Archival Storage Data Management Complexity Disk-Based Backup Storage Backup Issues Tape Infrastructure and Management Replicated Storage for DR Untested Disaster Recovery Offsite Facility for Georesilience Storage Today = Complex & Expensive 11 Cloud-integrated Storage (CiS) Can Help Azure + StorSimple = 60–80% Lower TCO Cloud-Integrated SAN Storage Primary Storage Automated Cloud-as-a-Tier Archival Storage Thin, Reduced Snapshots Disk-Based Backup Storage Cloud Snapshots Tape Infrastructure and Management Recover in Cloud or Any DC Replicated Storage for DR Use Cloud as Secondary DC Offsite Facility for Georesilience Storage Today = Complex & Expensive 13 Scalability / Performance StorSimple Solution Characteristics 7520 20-100TB* usable local 500TB max capacity 5520 10-50TB* usable local 300TB max capacity 7020 4-20TB* usable local 200TB max capacity 5020 2-10TB* usable local 100TB max capacity Capacity * Denotes usable local storage capacity with compression and de-duplication, varies by use case. * Additional details about appliance specifications can be found at: http://storsimple.xyratex.com/storsimple/specifications 16 Enterprise-class Hardware Platform Highly available - no single point of failure 1. Full MPIOs 2. Dual controllers with auto-failover 3. Dual power 4. Dual cooling 5. RAID drives 6. Hot-spare drives 7. Non-disruptive software upgrades 8. Certified by Microsoft & VMware * 5020, 7020, 5520 and 7520 appliances are built and distributed by Xyratex 17 Primary Storage & Platform StorSimple Cloud-integrated Architecture SAN Storage With Cloud Data Management • iSCSI SAN with auto-tiering (SSD/SAS) • Automated snapshots • Primary dedupe/compress Seamless Cloud Integration for: • Tiered primary + archives • Cloud snapshots: mountable for DR On an Enterprise-Class Platform • Certified: VMware-ready and Microsoft Windows Server-certified • HA: full redundancy + hot swaps + non-disruptive upgrades • Seamless iSCSI integration • Highly efficient storage • • Thin provisioning Primary storage de-duplication • High performance + cloud elasticity • Integrated tiering: SSD, SAS & cloud • Full security for the cloud • • Local keys + encryption of all cloud data Protecting both data-in-motion and data at rest • Fast, automated data protection + recovery • Automated snapshots to cloud • Fast online restores and elimination of tape • Integrated disaster recovery – lowest cost & complexity 19 De-dupe and compression Total data capacity required = 10TB • • • • Maximizes storage of ‘hot or warm data’ onpremise for higher IOPS and/or lower response times for application access. Minimizes size of data transfer and storage in Azure E Data blocks F E F A A B B D A C A D C C B D C D C Works at the block-level and replaces duplicate data blocks with a meta data map (pointers to the original block) 5x de-dupe ratio Metadata map Data blocks Data is de-duped in the SSD tier and compressed in the SAS tier before being tiered to Azure • On-premise data capacity can be increased by 2x – 5x based on the type of data stored • Backup de-dupe: Cloud snapshots are differential and thereby eliminate copies of redundant blocks across backups A Capacity used = 2TB C B D E • • F De-duped Compressed + Cloud-integrated Tiering StorSimple Tiered Architecture SSD Performance, Deduplication and Auto-Tiering to Cloud SSD A B C A B D E Linear Tier SSD E Deduplicated SAS C D D E Deduplicated Compressed E Cloud Deduplicated Compressed Encrypted 23 Backup/Restore & Disaster Recovery Cloud Snapshots: Simplicity in Data Protection & Recovery Backup, Restore & DR Today: Inefficient, Complex, Laborious, and Risky Primary Volume Snapshot Virtual Tape/ Replication Physical Tape Offsite Tape Storage Backup, Restore & DR with StorSimple: Automated, Optimized, Reliable Snapshots Primary Volume Cloud Snapshots 1. Backup copy of data volume created in cloud 2. Changes to local volume automatically transferred 3. Cloud snapshots mountable for restore Benefits • Backup now as easy as snapshots • Very fast restores from off-site backups • Integrated, easy to test disaster recovery • Truly eliminates tape 25 …Enables Seamless Scalability and Rapid Recovery Cloud Snapshots Production Data Production Data Enterprise Data Center 1 Enterprise Data Center 2 Connect Many Servers to Cloud Storage and Scale Data Sets with StorSimple Solution Rapidly Recover to Any Data Center, Location-Independent, via Mounting the Cloud 26 Disaster Recovery Behind the Scenes 1. Configuration import process populates DR appliance with all information from original appliance 2. Registry restore downloads available backup information from the cloud 3. Clone operation fetches volume metadata from the cloud and creates the volume on the DR appliance 4. As and when data is requested, blocks are downloaded from the cloud META DATA DATA 2 3 4 1 Benefits • Quick restore • Download only the required data 4 27 Cloud Snapshots: Up to 100x Faster RTO 90 Days Recovery Time Application Recovery Times from Offsite Backups in a Disaster Regular Cloud Backup 30 Days With 100 Mbps WAN Link 7 Days Tape 1 Day StorSimple Cloud Snapshots 1 Hour With 50 Mbps WAN Link 15 Min. 1 TB 5 TB 20 TB 50 TB 100 TB Primary Data 28 Security Industry-leading Security for Cloud Storage Multiple layers of obfuscation through the system • Original data is broken to storage blocks Application Servers • Blocks are fingerprinted + deduplicated with data from other volumes • Obfuscated blocks are stored in compressed form Encrypt everything before sending to Azure • AES-256 CBC encryption is applied before transmission using customer key • Additional SSL encryption of all data + meta-data operations with Azure Encryption keys stay only with customer • Microsoft/StorSimple doesn’t have access to customer encryption keys • Keys can be imported from customer’s secure key mgmt system or generated from pass phrases Encrypted / compressed / obfuscated blocks stored in Azure • Data is secure even if account gets compromised Local Data Broken into storage blocks, then: • Obfuscated • Deduplicated • Compressed • Blocks encrypted with customer key • SSL communication: • Authentication • Metadata • Data transfer Data in cloud • Deduplicated • Compressed • Encrypted with customer key 30 Cloud Storage Access Security Scenario 1: Access key got compromised Scenario 2: Storage admin employee leaves company Risk mitigation and best practices Compartmentalize information • Azure subscription can have multiple storage accounts • Recommended to use different storage accounts to compartmentalize info – e.g. per dept, project, role, etc. Periodical key rotation • Each account has two 256-bit access keys allows easy key rotation without service disruption • Only requests with valid access keys are allowed to access stored blocks • Data fragments accessed are still obfuscated and encrypted • Frequent key rotation (e.g. every 90 days) is recommended • Ad-hoc/emergency key rotation if a key is compromised StorSimple allows use of up to 64 storage accounts per system 31 Cloud Storage Data-at-Rest Security Scenario 3: Cloud Provider decommissions server hardware or loses physical hard drives in maintenance process. Risk mitigation and best practices Data at-rest is obfuscated • Data is broken to individual small blocks and fingerprinted to comprise a global de-duplication dictionary – no volume, file system or file context • ~16 Million obfuscated blocks per 1TB of Azure storage, spread across multiple hard drives Data at-rest is encrypted • StorSimple systems encrypt data stored in cloud with a customer-provided encryption key. Federal standard AES-256 encryption used. • Up to 64 different encryption keys can be used in one appliance for data-at-rest isolation to complement access compartmentalization practice. • Encryption key is derived from Customer Passphrase or Key generated by Key Management System. Only entered input is accessible in appliance UI. • Microsoft or 3rd parties cannot read data when physical drives are lost, replaced, or repaired in Azure DC 32 Support Support Offerings Support for the StorSimple solution is provided by the ODM (Xyratex) Complete detail about the StorSimple warranty and support services can be found at: https://storsimple.xyratex.com/warranty 34 Support Offerings • Platinum Support ‒ The ODM (Xyratex) will provide customers with Platinum support and onsite spares kit (includes all field serviceable components) ‒ Field engineers are in place to go onsite and help with replacements (4 hour SLA) ‒ For international countries, ODM (Xyratex) has a contract to help with replacement (4 hour SLA) • Gold Support ‒ Gold support customers get replacement parts shipped from UK ‒ Parts replacement will be done NBD (Next Business Day) ‒ Customs or other port-of-entry processing may delay shipments 35 Appendix Appliance configuration and Use Initial Appliance Configuration Use serial console for initial setup • Connect serial console to the Active controller • Run setup command and enter the network info for MGMT interface • Run show command to display current configuration of MGMT interface • Access StorSimple Web UI using MGMT IP address 40 Managing WAN Bandwidth • WAN bandwidth usually a scarce and expensive resource for most customers • At the same time there’s often a surplus capacity after regular work hours and over weekends • StorSimple Quality of Service (QoS) feature can help control how much bandwidth available during what periods • StorSimple QoS supports multiple schedules Example: 7AM – 7PM on Mon, Tue, Wed, Thur Fri 40 Mbps 7AM – 7PM on Sat, Sun 60 Mbps All other times Full WAN bandwidth consumable Alerts and Notifications Alerts and Notifications helps in determining any deviation from the normal working of StorSimple appliance 1. Alert Emails are sent to administrators and optionally to StorSimple Support for proactive support 2. SNMP traps are sent to monitor any change in the network interface settings 42 Email Alerts Email Alerts can be enabled or disabled for specific alerts • Hardware Status – Change notification for hardware changes • Licensed capacity consumption – Capacity consumption thresholds • Cloud Access – Cloud connectivity issues • Upgrade state change Alerts related to upgrade state changes • Appliance restart - Controller restart or cluster failover alerts 43 Reports Reports provide charts for monitoring current and historical metrics. Some key metrics are; Capacity Metrics • De-duplication Ratio • Host Capacity Consumption Storage • IO Latency • IOPS • Read Write Bytes per Second System • CPU • Network Utilization 44 Reports • Current stats can be automatically refreshed on the displayed chart • Historical stats are averaged over a period of time for time resolution • Enabling monitoring on Volume or Cloud allows collection of metrics for individual objects 45 Disaster Recovery Process 1. Import configuration on the new appliance using configuration file 2. Restore registry settings to bring all backup information from the cloud 46 Disaster Recovery Process 3. Select latest backup and clone the required volumes 4. Create new ACR for hosts in DR data center and modify volumes to reflect this information 5. Mount the volumes on new host servers after establishing iSCSI connections to the StorSimple appliance 47