Rubrik Basics – Multi-tenancy – Create An Organization

I covered multi-tenancy with Rubrik some time ago, but things have certainly advanced since then. One of the useful features of Rubrik CDM (and something that’s really required for Envoy to make sense) is the Organizations feature. This is the way in which you can use a combination of LDAP sources, roles, and tenant workloads to deliver a packaged multi-tenancy feature to organisations either within or external to your company. In this article I’ll run through the basics of setting up an Organization. If you’d like to see how it can be applied in a practical sense, it’s worth checking out my post on deploying Rubrik Envoy.

It starts, as these things often do, by clicking on the gear in the Rubrik CDM UI. Select Organizations (located under Access Management).

Click on Create Organization.

You’ll want to give it a name, and think about whether you want to give your tenant the ability to do per-tenant access control.

You’ll want an Org Admin Role to have particular abilities, and you might like to get fancy and add in some additional roles that will have some other capabilities.

At this point you’ll get to select which users you want in your Organization.

Hopefully you’ve added the tenant’s LDAP source to your environment already.

And it’s worth thinking about what users and / or groups you’ll be using from that LDAP source to populate your Organization’s user list.

You’ll also need to consider which role will be assigned to these users (rather than relying on Global Admins to do things for tenants).

You can then assign particular resources, including VMs, vApps, and so forth.

You can also select what SLA Domains the Organization has access to, as well as Archival locations, and replication targets and sources. This becomes important in a multi-tenanted environment as you don’t want folks putting data where they shouldn’t.

At this point you can download the Rubrik Envoy OVA, deploy it, and connect it to your Organization.

And then you’re done. Well, normally you would be, but I didn’t select a whole lot of objects in this example. Click Finish and you’re on your way.

Assuming you’ve assigned your roles correctly, when your tenant logs in, he or she will only be able to see and control resources that belong to that particular Organization.

 

Rubrik Basics – Envoy Deployment

I’ve recently been doing some work with Rubrik Envoy in the lab and thought I’d run through the basics. There’s a new document outlining the process on the articles page.

 

Why Envoy?

This page explains it better than I do, but Envoy is ostensibly a way for service providers to deliver Rubrik services to customers sitting on networks that are isolated from the Rubrik environment. Why would you need to do this? There are all kinds of reasons why you don’t want to give your tenants direct access to your data protection resources, and most of these revolve around security (even if your Rubrik environment is secured appropriately). As many SPs will also tell you, bringing private networks from a tenant / edge into your core is usually not a great experience either.

At a high level, it looks like this.

In this example, Tenant A sits on a private network, and the Envoy Tenant Network is 10.0.1.10. The Rubrik Routable Network on the Envoy appliance is 192.168.0.201, and the data management interface on the Rubrik cluster is 192.168.0.200. The Envoy appliance talks to tenant hosts over ports 12800 and 12801. The Rubrik cluster communicates with Envoy over ports 7500 and 7501. The only time the tenant network communicates with the Rubrik cluster is when the Envoy / Rubrik UI is used by the tenant. This is accessed over a port specified when the Organization is created (see below), and the Envoy to cluster communication is over port 443.
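The flows described above can be written down as an allow-list and used to audit the firewall rules that sit between the tenant network, Envoy, and the cluster. This is an added example, not Rubrik's code or part of the original walkthrough. The addresses and ports come from the paragraph above; the /24 tenant subnet, TCP, the rule format, and the UI port value (8443 as a placeholder) are assumptions.

```python
"""Audit firewall rules against the Envoy flow matrix from the post.

Added example: IPs and ports are the post's; the /24 tenant subnet, TCP,
the rule format and the UI port value are assumptions.
"""
from ipaddress import ip_network
from typing import NamedTuple

TENANT_NET = ip_network("10.0.1.0/24")      # assumption: subnet around 10.0.1.10
ENVOY_TENANT = ip_network("10.0.1.10/32")   # Envoy Tenant Network address
ENVOY_ROUTABLE = ip_network("192.168.0.201/32")
CLUSTER = ip_network("192.168.0.200/32")    # cluster data management interface
TENANT_UI_PORT = 8443  # placeholder: the real port is set when the Organization is created

# (source, destination, allowed destination ports), as described in the post.
ALLOWED_FLOWS = [
    (ENVOY_TENANT, TENANT_NET, {12800, 12801}),    # Envoy -> tenant hosts
    (CLUSTER, ENVOY_ROUTABLE, {7500, 7501}),       # cluster -> Envoy
    (TENANT_NET, ENVOY_TENANT, {TENANT_UI_PORT}),  # tenant UI session -> Envoy
    (ENVOY_ROUTABLE, CLUSTER, {443}),              # Envoy -> cluster
]


class Rule(NamedTuple):
    name: str
    src: str   # CIDR
    dst: str   # CIDR
    port: int  # TCP destination port (assumption)


def audit(rule: Rule) -> str:
    """Return 'ok', 'bypass' (tenant can reach the cluster directly) or 'unexpected'."""
    src, dst = ip_network(rule.src), ip_network(rule.dst)
    for flow_src, flow_dst, ports in ALLOWED_FLOWS:
        # A rule is acceptable only if it is no broader than a documented flow.
        if rule.port in ports and src.subnet_of(flow_src) and dst.subnet_of(flow_dst):
            return "ok"
    # Any rule that lets tenant addresses touch the cluster defeats the point of Envoy.
    if src.overlaps(TENANT_NET) and dst.overlaps(CLUSTER):
        return "bypass"
    return "unexpected"


def audit_rules(rules):
    """Map each rule name to its verdict."""
    return {rule.name: audit(rule) for rule in rules}


# Constructed sample rule set, not taken from a real firewall.
SAMPLE_RULES = [
    Rule("envoy-to-tenant-host", "10.0.1.10/32", "10.0.1.25/32", 12800),
    Rule("cluster-to-envoy", "192.168.0.200/32", "192.168.0.201/32", 7501),
    Rule("tenant-ui", "10.0.1.0/24", "10.0.1.10/32", TENANT_UI_PORT),
    Rule("envoy-to-cluster", "192.168.0.201/32", "192.168.0.200/32", 443),
    Rule("tenant-direct-to-cluster", "10.0.1.0/24", "192.168.0.200/32", 443),
    Rule("any-to-cluster-443", "0.0.0.0/0", "192.168.0.200/32", 443),
    Rule("cluster-ssh-to-envoy", "192.168.0.200/32", "192.168.0.201/32", 22),
]

if __name__ == "__main__":
    for name, verdict in audit_rules(SAMPLE_RULES).items():
        print(f"{verdict:<10} {name}")
```

The "any" source rule is flagged as a bypass because it is broader than the documented Envoy-to-cluster flow and would let tenant addresses reach the cluster on 443.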

Other Notes

Envoy isn’t a data mover in its current iteration, but rather a way for SPs to present some self-service capabilities to tenants in a controlled fashion without relying on third-party portals or network translation tools. So if you had a bunch of workloads sitting in a tenant’s environment, you’d be better served deploying Rubrik Air / Edge appliances and then replicating that data into the core. If your tenant has a vCenter environment with a few VMs, you can use the Rubrik Backup Service to back up those VMs, but you couldn’t set up vCenter as a source for the tenant unless you opened up networks between your environments by some other means and added it to your Rubrik cluster. This would be ugly at best.

Note also that the deployment assumes you’re creating an Organization in the Rubrik appliance that will be used to isolate the tenant’s data and access from other tenants in the environment. To get hold of the Envoy OVA appliance and credentials, you need to run through the Organization creation process and connect the Envoy appliance when prompted. You’ll also need to ensure that you’ve configured Roles correctly for your tenant’s environment.

If, for some reason, you need to change or view the IP configuration of the Envoy appliance, it’s important to note that the articles on the Rubrik support site are a little out of step with CentOS 7 (i.e. written for Ubuntu). I don’t know whether this is because I’m using Rubrik Air appliances in the lab, but I think it’s maybe just a shift. In any case, to get IP information, you need to log in to the console and go to /etc/sysconfig/network-scripts. You’ll find a couple of files (ifcfg-eth0 and ifcfg-eth1) that will tell you whether you’ve made a boo boo with your configuration or not.

 

Conclusion

I’m the first to admit it took a little while to understand the utility of something like Envoy. Most SPs struggle to deliver self-service capabilities for services that don’t always do network multi-tenancy very well. This is a good step in the direction of solving some of the problems associated with that. It’s also important to understand that, if your tenant has workloads sitting in VMware Cloud Director, for example, they’ll be accessing Rubrik resources in a different fashion. As I mentioned before, if there is a bit to protect on the edge site, it’s likely a better option to deploy a virtualised Rubrik appliance or a smaller cluster and replicate that data. In any case, I’ll update this post if I come across anything else useful.

Retrospect Announces Retrospect Backup 18 and Retrospect Virtual 2021

Retrospect recently announced new versions of its Backup (18) and Virtual (2021) products. I had the opportunity to speak to JG Heithcock (GM, Retrospect) about the announcement and thought I’d share some thoughts here.

 

What’s New?

New Management Console & Workflow 

  • Simplified workflows
  • Comprehensive reporting through an updated management console

The Retrospect Management Console now supports geo tracking with a worldwide map of all users, Retrospect Backup servers, and remote clients, down to the city.

[image courtesy of Retrospect]

Cloud Native

  • Deploy directly in the cloud
  • Protect application data

Note that cloud native means that you can deploy agents on cloud-based hypervisor workloads and protect them. It doesn’t mean support for things like Kubernetes.

Anti-Ransomware Protection

Enables users to set immutable retention periods and policies within Amazon S3, Wasabi and Backblaze B2 and supports bucket-level object lock in Google Cloud Storage and Microsoft Azure.

Pricing

There’s a variety of pricing options available. When you buy a perpetual license, you have access to any new minor or major version upgrades for 12 months. With the monthly subscription model you have access to the latest version of the product for as long as you keep the subscription active.

[image courtesy of Retrospect]

 

Thoughts And Further Reading

I’ve mentioned in my previous coverage of Retrospect that I’m a fan of the product, if only for the fact that the consumer and SME space is screaming out for simple to use data protection solutions. Any solution that can help users develop some kind of immunity to ransomware has to be a good thing, and it’s nice to see Retrospect getting there in terms of cloud support. This isn’t as fully featured a product as some of the enterprise solutions out there, but for the price it doesn’t need to be.

Ultimately, the success of software like this is a balance between usability, cost, and reliability. The Retrospect folks seem cognisant of this, and have gone some way to fill the gaps where they could, and are working on others. I’ll be taking this version for a spin in the lab in the very near future, and hope to report back with how it all went.

Rubrik Basics – Rubrik CDM Upgrades With Polaris – Part 2

This is the second part of the super exciting article “Rubrik CDM Upgrades With Polaris”. In the first episode, I connected my Polaris tenancy to a valid Rubrik Support account so it could check for CDM upgrades. In this post, I’ll be covering the actual update process using Polaris. Hold on to your hats.

To get started, log in to Polaris, click on the Gear icon, and select CDM Upgrades.

If there’s a new version of CDM available for deployment, you’ll see it listed in the dashboard. In this example, my test Edge cluster has an update available (5.3.1-p3). Happy days!

You’ll need to get this update downloaded to the cluster you want to install it on first. Click on the ellipsis and select Download.

You can then choose to download the release from Rubrik or locally.

Click on the version you want to download and click Next.

You then get the opportunity to confirm the download. Click on Confirm to do this.

It will then let you know that it’s working on it.

Once the update has downloaded, you’ll see “Ready for upgrade” on the dashboard.

Select the cluster you’d like to upgrade and click on Upgrade.

At this point, you’ll get the option to schedule the upgrade, and to choose to roll back if the upgrade fails for some reason.

Confirm the upgrade and you’ll be on your way.

Polaris lets you know that it’s working on it.

You can see the progress in the dashboard.

When it’s done, it’s done.

And that’s it. This highlights the utility of something like Polaris, particularly when you’re managing a large number of clusters and need to keep things in tip-top shape.

Rubrik Basics – Rubrik CDM Upgrades With Polaris – Part 1

I decided to break this article into 2 parts. Not because it’s super epic or particularly complicated, but because there are a lot of screenshots and it just looks weird if I put it in one big thing. Should it have been a downloadable article? Sure, probably. But here we are. It’s been some time since I ran through the Rubrik CDM upgrade process (on physical hardware no less). I didn’t have access to Polaris GPS at that time, and thought it would be useful to run through what it looks like to perform platform upgrades via that rather than the CLI. This post covers the process of configuring Polaris to check for CDM updates, and the second post covers deploying those updates to Rubrik clusters.

Log in to your Polaris dashboard, click on the Gear icon, and select CDM Upgrades.

Click on Connect to Support Portal to enter your Rubrik support account details. This lets your Polaris instance communicate freely with the Rubrik Support Portal.

You’ll need a valid support account to connect.

If you’ve guessed your password successfully, you’ll get a message at the bottom of the screen letting you know as much.

If your environment was already fairly up to date, you may not see anything listed in the CDM Upgrades dashboard.

And that’s it for Part 1. I can hear you asking “how could it get any more exciting than this, Dan?”. I know, it’s pretty great. Just wait until I run you through deploying an update in this post.

Rubrik Basics – Add A VMware Cloud Director Instance

You’ve deployed your Rubrik virtual appliance (technically I should have used Air but let’s just go with it) and now you want to protect a VMware Cloud Director instance. When you add an instance, Rubrik automatically discovers all of the components of your VCD environment, including:

  • Organizations;
  • Organization virtual datacenters;
  • vApps; and
  • Virtual machines.

You can protect vApps by assigning the SLA Domain at various levels in the VCD hierarchy, and also by assigning it to individual VMs. vApp protection also protects vApp metadata including networks, boot order, and the access list. There are a few limitations with vApp protection to keep in mind as well.

  • Virtual machines in a vApp: Maximum of 128 virtual machines in a vApp. To protect a vApp with more than 128 virtual machines, use the exclude function to reduce the number protected.
  • Mounts: The Rubrik cluster performs all mounts for vApps at the virtual machine level.
  • Backup exclusion: Protection of vApps does not include Cloud Director Object Metadata.
  • Autodiscovery: Rubrik CDM ignores the Cloud Director auto discovery feature.

There’s good support for multi-tenancy and RBAC as well. There’s a bunch of other stuff I could write about VCD and Rubrik but let’s just get started on adding an instance. Click on the Gear and select “vCD Instances”.

Then click on “Add vCD Account”.

You’ll then have the opportunity to enter your credentials.

I use all dots for my password too.

Once you’ve added the instance you’ll see it listed under “All vCD Instances”.

If you look under “Virtual Machines” you should see any vApps associated with the instance listed under “vCD Apps”. In this example my tenancy only has one vApp deployed.

And that’s it. This all gets a lot more interesting when you start messing about with the Rubrik VCD plug-in and the API, but that’s a story for another time.

Rubrik Basics – Add Cluster To Polaris

I wrote about Rubrik’s Polaris platform when it was first announced around 3 years ago. When you buy in to the Rubrik solution, you get access to Polaris GPS by default (I think). Other modules, such as Sonar or Radar, are licensed separately. In any case, GPS is a handy tool if you have more than one Rubrik cluster under your purview. I thought it would be useful for folks out there to see how simple it is to add your Rubrik cluster to Polaris. I know that most of these basics articles seem like fairly rudimentary fare, but I find it helpful when evaluating new tech to understand how the pieces fit together in terms of an actual implementation. I’m hopeful that someone else will find this of use as well. Note that you’ll need Internet connectivity of some sort between your environment and the Polaris SaaS environment. You also need to consider the security of your environment in terms of firewalling, multi-factor authentication, RBAC, and so on. It’s also important to note that removing a cluster from Polaris currently involves engaging Rubrik Support. I can only imagine this will change in the future.

When you get onboard with Rubrik, you’ll get set up with the Polaris portal. Access to this is usually via customer.my.rubrik.com. Log in with your credentials.

If you haven’t done anything in the environment previously, you’ll be prompted to add your first cluster every time you log in. Eventually it’ll wear you down and you’ll find yourself clicking on the + sign.

This will give you a single-use token to add to your cluster. Click on Copy to clipboard.

Now log in to the Rubrik web UI of the cluster you want to add to Polaris. Click on the Gear icon, and then Cluster Settings (under System Configuration).

Paste the token in and click Save.

It might take a minute, but you should be able to see your cluster in the Polaris dashboard.

Rubrik Basics – Add LDAP

I thought I’d run through the basics of adding LDAP support to a Rubrik Edge cluster. I’ve written previously about multi-tenancy considerations with Rubrik, and thought it might be useful to start down that path in the lab to demonstrate some of the process. It’s not a terribly difficult task, but I did find a little trial and error was required. I suspect that’s because of some environmental issues on my side, rather than the Rubrik side of things. Anyway, let’s get started. Click on the Gear / Settings icon in the Web UI. Then select Users under Access Management.

Click on the LDAP Servers tab and click on “Add LDAP Server”.

You’ll be presented with the Add LDAP Server workflow window.

I messed this up a few times in my environment, but this is what worked for me.

Domain name: domainname.com.au

Base DN: dc=domainname,dc=com,dc=au

Bind DN or Username: [email protected]

Password: *******

Click Next to continue.

I pointed to one of the Active Directory servers in the environment. This went better when I added the domain name search to the cluster. The port I used was 389, but I’ve seen variations on that in various articles across the Internet.

If that works, you then have the option to enable MFA integration.

Toggling the button will give you the option to add two-step verification. There are some articles on the Internet that provide further guidance on that, and this video is quite useful too.

Once you’ve added your directory source, it’s time to assign roles to a user.

Click on Assign Roles, then drop down the directory you’d like to search in.

In this example, there’s the local user directory, and the domain source that I added previously.

If I search for people called Dan in this directory, it’s not too hard to find my username.

I can then assign a role to my directory username. By default, the configured roles are Administrator and ReadOnlyAdmin.

Now my AD account is listed under the users and I can log in to CDM using my domain credentials.

And that’s it. If you want to read more about Rubrik and AD integration, including some neat automation, check out this article from Frederic Lhoest.

Rubrik Basics – Edge Deployment

It’s been a while since I’ve posted any basic how-to articles, but I’ve recently been doing some work with Rubrik Edge in the lab and thought I’d run through the basics. There’s a new document outlining the process on the articles page.

If you’re unfamiliar with Rubrik Edge, it’s Rubrik’s RO/BO solution in the form of a virtual appliance that comes in 5 and 10TB versions. The product page is here, and the datasheet can be found here. It runs on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V, so it’s pretty handy in terms of supported hypervisor deployment options. The cool thing about Edge is that you can deploy on reasonably small amounts of hardware, which can be a fairly common scenario in edge deployments. You can also have 100 (I think) Edge appliances replicating data back to a Rubrik physical cluster. You can’t, however, use it as a target for replication.

In any case, I’ll be posting a few of these basics articles over the next few weeks to give readers a feel for how easy it is to get up and running with the platform.

Random Short Take #53

Welcome to Random Short Take #53. A few players have worn 53 in the NBA including Mark Eaton, James Edwards, and Artis Gilmore. My favourite though was Chocolate Thunder, Darryl Dawkins. Let’s get random.

  • I love Preston’s series of articles covering the basics of backup and recovery, and this one on backup lifecycle is no exception.
  • Speaking of data protection, Druva has secured another round of funding. You can read Mellor’s thoughts here, and the press release is here.
  • More data protection press releases? I’ve got you covered. Zerto released one recently about cloud data protection. Turns out folks like cloud when it comes to data protection. But I don’t know that everyone has realised that there’s some work still to do in that space.
  • In other press release news, Cloud Propeller and Violin Systems have teamed up. Things seem to have changed a bit at Violin Systems since StorCentric’s acquisition, and I’m interested to see how things progress.
  • This article on some of the peculiarities associated with mainframe deployments in the old days by Anthony Vanderwerdt was the most entertaining thing I’ve read in a while.
  • Alastair has been pumping out a series of articles around AWS principles, and this one on understanding your single points of failure is spot on.
  • Get excited! VMware Cloud Director 10.2.2 is out now. Read more about that here.
  • A lot of people seem to think it’s no big thing to stretch Layer 2 networks. I don’t like it, and this article from Ethan Banks covers a good number of reasons why you should think again if you’re that way inclined.