VMware Backup Guide: Methods and Best Practices

Backup remains the best approach to data protection for physical and virtual machines, even in the face of new threats to data integrity and accessibility. However, virtual machine backup presents a challenge to IT admins in terms of storage, VM performance, resource efficiency, security, and recovery times. There are multiple methods to choose from to back up VMs.

This post explains the advantages and disadvantages of 3 backup methods. Read on to discover the best practices that allow you to perform reliable VMware backups.

NAKIVO for VMware vSphere Backup

Complete data protection for VMware vSphere VMs and instant recovery options. Secure backup targets onsite, offsite and in the cloud. Anti-ransomware features.

VMware Backup Options and Methods

You can back up virtual machines in a VMware environment using different approaches. The three main options are file-based backup, agent-based guest-level backup, and agentless host-level backup.

VM file backup

VMware virtual machines store data in VMDK files located on ESXi datastores. VMDK files are virtual disk image files. The file-based VM backup method involves copying VMDK files to a backup location.

In addition to virtual disk files, VMware VMs also use configuration files, snapshot files, Changed Block Tracking files, etc. You should also back up these files to make it possible to restore the entire VM.

When it comes to recovery from file-based backups, you can only recover a full VM. This means that if you need to recover specific files, you first need to recover the entire VM and then access the particular files.

NOTE: Don’t confuse file-based VM backup with file-level backup, which involves backing up individual files inside a VM.

Pros
  • Copying VMware VM files is easy.
  • Can be used for VMs on ESXi and VMware Workstation.
  • No need for configurations in the guest OS.

Cons
  • You need to shut down a VM to maintain data consistency.
  • You cannot back up and restore custom data. You can only back up and restore all the data inside a VM.
  • If you back up only VMDK files, you need to recreate and reconfigure a new VM, and then attach virtual disks to that VM for recovery.

Agent-based backup

You are probably familiar with the traditional approach to physical machine backup, whereby backup agent software is installed in the guest operating system. This agent performs scheduling, quiescing, and data transfers. A local area network (LAN) is used to copy data to a backup destination. Technically, you can use this method to back up virtual machines like you would physical machines (for example, this method can currently be used for Proxmox VE backup with NAKIVO Backup & Replication).

VMware best practices usually recommend against backing up virtual machines as physical machines because of the high overhead involved and generally the poor performance in virtualized environments. Your VMware infrastructure can become overloaded when copying data by using a backup agent for physical machines installed on VMs.

VM backup is performed at the guest level when using a backup agent in a VM. A backup doesn’t contain information about VM configuration, virtual disk settings, etc. Guest-level backup is not the recommended method for virtual environments because it’s not resource-efficient. Read more about host-level backup vs. guest-level backup.

You may have difficulties backing up a vCenter Server Appliance (VCSA), which is a virtual machine running Photon OS. If you run vCenter on Windows, it is technically possible to install the agent and back up data. However, only VCSA is supported in vSphere 7.0 and newer versions.

Pros
  • Universal method for physical and virtual machines.
  • Administrators are mostly familiar with this backup method.
  • Backup of individual files is possible.
  • This method can work without any changes in the existing backup infrastructure.

Cons
  • High resource consumption for VM backup.
  • The backup agent doesn’t recognize the underlying ESXi configuration, datastores, VM snapshots, VMware APIs, and other virtualization features.
  • Not all operating systems may be supported.
  • The agent must be installed on each VM that you want to back up.
  • You need to manually create a new VM to recover data from a backup.

Agentless host-level backup

To protect virtual machines, you can use a dedicated VMware backup solution operating at the ESXi host level, that is, at the hypervisor level. Backup solutions enabling host-level backup use the API of the hypervisor vendor for interaction with the host and VMs residing on the host. This VMware VM backup method is the most efficient.

A host-level VM backup solution creates a VM image backup. This VM backup includes virtual disks, VM configuration, and other files. An image-based VMware backup solution interacts with the ESXi host via special VMware APIs to use virtualization features, such as snapshot technology and quiescing.

Pros
  • Ability to use the maximum of virtualization features for VM backup.
  • Data backup of running VMs.
  • Using VM snapshots functionality.
  • Easy management.
  • Backup is created at the VM level and includes virtual disks, snapshots, and configuration files.
  • Low resource consumption for VM backup.
  • Fast recovery of full VMs.

How to Back up VMware VMs with the NAKIVO Solution

An effective way to back up VMware vSphere VMs is to use NAKIVO Backup & Replication. This solution allows you to follow VMware backup best practices and is managed in a user-friendly web interface.

  1. Prepare your environment for a backup:
  2. Go to Jobs, click + to add a new job and click Backup for VMware.

    Creating a new VMware VM backup job

  3. At the Source step of the new backup job wizard for VMware, select the VMs you want to back up. You can select multiple VMs residing on different ESXi hosts and vCenter servers. Hit Next at each step of the wizard to continue.

    Selecting VMs to back up

  4. At the Destination step, select the backup repository in which to store VMware VM backups. We select the onboard repository in this example.

    Selecting a backup repository to store backups

  5. Configure scheduling and retention settings for a VM backup job. The NAKIVO solution provides a set of advanced features to configure a schedule and retention flexibly. You can create multiple schedules for a backup job, for example, the first schedule to back up a VM every day, the second schedule to back up a VM weekly and the third schedule to back up a VM monthly.

    Each schedule has retention settings. You can set how long to retain backups (recovery points) for each schedule and configure retention to meet the GFS retention policy. This way, you keep daily backups for 10 days, weekly backups for 2 months and monthly backups for two years (for example).

    You can enable immutability for a higher level of backup protection and reduce the risk of losing the backup data in case of a ransomware attack.

    Configuring scheduling and retention settings

  6. Configure VMware backup job options. Enter a job name. At this step, you can enable a wide set of useful features that improve backup speed, security, reliability, and other useful options, including:
    • Application-aware mode – using Volume Shadow Copy mechanisms in Windows VMs to make application-consistent backups when data is being written inside a running VM.
    • Changed Block Tracking – a native VMware feature for effective incremental backup.
    • VM verification – testing a backup after creation.
    • Storage saving options – exclude swap files or partitions, truncate Exchange or MS SQL Server logs.
    • Full backup options – configure how often to perform a full backup and the method to create a full backup. This approach reduces the risk of losing data if a chain of incremental backups becomes corrupted.

    Hit Finish to save settings and run the job on schedule or Finish & Run to save and run the job immediately.

    Configuring backup job options

  7. Select a job run scope and schedule if you are running the job right now and click Run.

    Preparing to run a VMware backup job

VMware Backup Best Practices

There are some best practices that you should follow to streamline the backup and recovery processes within your organization. These techniques improve data protection in your environment and maximize efficiency.

1. Identify critical workloads and assign RTOs/RPOs

Critical virtual machines and VMs used intensively may need to be backed up more frequently and have lower RPO values. Additionally, critical VMs should be recovered quickly, which means that they must have lower RTO values as well. You can set longer RTO and RPO values for non-critical VMs to use storage space and hardware resources rationally and avoid server overload. Incremental backup allows you to create more recovery points and achieve a shorter RPO.

2. Create image-based backups and don’t rely on snapshots

Back up your VMware vSphere VMs at the host level rather than the guest level. In this case, you get a data backup of the entire VM as an image. The backup image capturing the virtual disks and other VM files can be saved at a backup destination in specific formats. The host-level image-based approach allows you to avoid overloading ESXi servers and the entire infrastructure. For this purpose, use a VMware backup solution designed to work in virtual environments, for example, NAKIVO Backup & Replication.

Don’t back up VMs at the guest OS level, which is a legacy backup approach used for physical machines. Legacy solutions require backup agents to be installed on each VM. This approach is inefficient in a virtualized environment because it consumes resources unnecessarily and degrades VM performance. ESXi hardware resources are put to better use for VM workloads.

Don’t use snapshots as backups. Some VMware administrators may think that they have a backup to use for recovery when they have a snapshot on a virtual machine. Then, when corruption or loss happens due to any number of factors, they discover that they cannot recover the VM or the data on those VMs. We have already covered the topic of snapshots vs backups, and snapshots are not backups.

Snapshots are a part of VM files and are dependent on VM disks. This is why they are referred to as snapshot “chains”. A valid VMware backup must make it possible to recreate the virtual machine without any of the source virtual machine files or source infrastructure being available.

Note that VMware snapshot best practices recommend using snapshots for a short time only. Creating many snapshots and preserving snapshots for a long time reduces VM performance and consumes too much storage space.

Don’t use VM snapshots as backups

Application-aware backup

Virtual machines can run transactional applications such as databases, email servers, Active Directory domain controllers, etc. You should ensure data consistency and freeze or quiesce the running VM to back up data. Quiescing ensures data consistency because the data is frozen and is in the proper state before being copied. There must be no write transactions in progress when the backup starts.

Backups made with the quiescing technology for VMs with running applications are called application-consistent or app-aware backups. Applications must support this functionality to pause data writing and continue data writing after the data is backed up.

VMware VMs running Windows use Microsoft Volume Shadow Copy Service (VSS) to quiesce applications inside VMs to prepare them for backing up. VMware Tools must be installed on the guest operating system because they contain a driver working with VSS, and VM backup software must support interacting with VSS in the guest OS.

3. Create a retention policy and schedule based on RPOs

Use backup scheduling depending on the RPO value for a particular VM or VM group. Scheduling for backups of critical VMs should be configured with lower intervals to ensure that the amount of data lost between the latest recovery point and the data loss event is minimal.

Define how long to retain backups and their recovery points. Some VMs may require old recovery points to ensure that it is possible to recover data even if data corruption or deletion was not noticed immediately after such an event. Use the grandfather-father-son retention policy (GFS).
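
The GFS retention described above, worked through as an added example (not NAKIVO's code or its retention engine). It uses the windows from this article's example (daily for 10 days, weekly for 2 months, monthly for two years); treating those as 10, 60 and 730 days, keeping the newest recovery point of each day, ISO week and month, and the function names are assumptions of the sketch.

```python
from datetime import datetime, timedelta

# Windows from the article's example: daily backups for 10 days, weekly for
# 2 months, monthly for two years. Writing the last two as 60 and 730 days
# is an assumption of this sketch.
DAILY_DAYS, WEEKLY_DAYS, MONTHLY_DAYS = 10, 60, 730


def newest_per_bucket(points, bucket_key):
    """Return the newest recovery point of each bucket (day, ISO week, month)."""
    newest = {}
    for ts in points:
        key = bucket_key(ts)
        if key not in newest or ts > newest[key]:
            newest[key] = ts
    return set(newest.values())


def gfs_retain(points, now):
    """Split recovery points (datetime objects) into (keep, expire) sets."""
    points = set(points)
    tiers = [
        (DAILY_DAYS, lambda ts: ts.date()),                     # son
        (WEEKLY_DAYS, lambda ts: tuple(ts.isocalendar())[:2]),  # father
        (MONTHLY_DAYS, lambda ts: (ts.year, ts.month)),         # grandfather
    ]
    keep = set()
    for window_days, bucket_key in tiers:
        cutoff = now - timedelta(days=window_days)
        # A point survives if it represents its bucket and is inside the window.
        keep |= {ts for ts in newest_per_bucket(points, bucket_key) if ts >= cutoff}
    return keep, points - keep


def constructed_history(now, days=800):
    """Constructed sample: one recovery point per day at 02:00 for `days` days."""
    latest = now.replace(hour=2, minute=0, second=0, microsecond=0)
    return [latest - timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    now = datetime(2024, 6, 30, 3, 0)
    keep, expire = gfs_retain(constructed_history(now), now)
    print(f"keep {len(keep)} recovery points, expire {len(expire)}")
    for ts in sorted(keep, reverse=True)[:12]:
        print("  keep", ts.isoformat(sep=" "))
```

With 800 daily recovery points, only the daily, weekly and monthly representatives remain, which is what lets old recovery points stay available for corruption that was not noticed immediately without storing every day.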

4. The 3-2-1 backup strategy and storage tiering

Having secondary backup copies is a must for any organization that considers its data as important. Having at least one other backup copy offsite ensures that if the physical production location with your backup infrastructure is down, your backup copy is safe and can still be used for recovery.

Also, these days, many organizations have been hit with a ransomware infection that has not only corrupted and encrypted production resources but also backup resources. If a user with administrator permissions is hit with ransomware, the ransomware is likely to have access to production and backup systems, including backup repositories, etc.

You can create an additional copy of a backup stored in the primary production location and send it to a secondary backup repository. Ideally, this backup copy repository is in a different physical location either close by or in another geographic region. As long as you have network connectivity to your backup repository, you can copy that data across to the secondary backup repository.

The 3-2-1 backup rule has long been a staple of designing an enterprise VM backup solution that is robust enough to effectively handle multiple kinds of disaster recovery scenarios. The rule states that you need to have (3) copies of your data, on (2) different kinds of media, and at least (1) of those offsite (e.g., in the cloud). There is certainly wisdom in this approach, because if you have all copies of your data in one location and that location experiences disaster, you may lose not only production data, but also VM backup data.

To follow the best way to back up VMware VMs, make sure your data protection solution has the functionality allowing for backup copies to be placed locally, remotely, or even in public clouds (such as AWS or Azure). This can give you flexibility and resiliency to withstand various types of disasters. Utilizing a public cloud to store VMware VM backups is a great way to achieve geographic diversity, as your data can live in different geographic locations around the world.

Using fast local storage, slow local storage, tape and cloud according to a chosen storage tiering model can help you save costs. You can store backups of the most critical VMs on fast storage and their backup copies on slow storage or in the cloud. Older backups can be copied or moved to slower storage or recorded to tape.

5. Ransomware protection with immutability

The recent wave of ransomware has shown that no data is safe from attacks, not even backup data. To make sure that your backups are safe from modification and encryption by ransomware, send backup copies to immutable destinations.

An immutable backup repository can be located in the cloud, for example, Amazon S3, in a protected partition or local directory of a server managed by special software, or on special hardware that supports immutability like tape and disks. These options use the WORM, or write-once-read-many model, to allow access to the stored backup data without allowing any changes to it.

This means that if a ransomware attack hits your production and backup infrastructure after the immutable backup was created, you can still use it for a successful and swift recovery.
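
The 3-2-1 rule from practice 4 and the immutability requirement from this practice can be checked mechanically against an inventory of copies. The following is an added example, not part of the original article or of any backup product: the `DataCopy` record, the `audit_321` function, the VM names, sites and dates are all hypothetical, and counting the production data as one of the three copies is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class DataCopy:
    vm: str
    site: str                    # where the copy lives, e.g. "dc1", "cloud"
    media: str                   # kind of media, e.g. "disk", "tape"
    production: bool = False     # True for the live VM, False for a backup
    immutable_until: Optional[datetime] = None  # WORM lock expiry; None = mutable


def audit_321(copies, now, primary_site):
    """Return {vm: [findings]}; an empty list means the VM passes every check."""
    by_vm = {}
    for c in copies:
        by_vm.setdefault(c.vm, []).append(c)

    report = {}
    for vm, items in by_vm.items():
        backups = [c for c in items if not c.production]
        findings = []
        if len(items) < 3:
            findings.append(f"only {len(items)} copies, need 3")
        if len({c.media for c in items}) < 2:
            findings.append("all copies on one kind of media, need 2")
        if not any(c.site != primary_site for c in backups):
            findings.append("no offsite backup copy")
        # A lock that has already expired no longer stops ransomware from
        # modifying or encrypting the copy, so it does not count.
        if not any(c.immutable_until and c.immutable_until > now for c in backups):
            findings.append("no backup copy under an active immutability lock")
        report[vm] = findings
    return report


# Constructed inventory (hypothetical VM names, sites and dates).
NOW = datetime(2024, 6, 30)
INVENTORY = [
    DataCopy("db01", "dc1", "disk", production=True),
    DataCopy("db01", "dc1", "disk"),
    DataCopy("db01", "cloud", "object-storage", immutable_until=datetime(2025, 1, 1)),
    DataCopy("web01", "dc1", "disk", production=True),
    DataCopy("web01", "dc1", "disk"),
    DataCopy("web01", "dc1", "disk", immutable_until=datetime(2024, 1, 1)),
    DataCopy("file01", "dc1", "disk", production=True),
    DataCopy("file01", "dc2", "tape", immutable_until=datetime(2030, 1, 1)),
]

if __name__ == "__main__":
    for vm, findings in audit_321(INVENTORY, NOW, primary_site="dc1").items():
        print(vm, "OK" if not findings else "; ".join(findings))
```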

6. Optimal data transfer modes (LAN free, etc.)

When choosing a modern VM backup solution for your VMware vSphere environment, pay attention to products that are efficient from a network standpoint and offer a LAN-free data transfer mode, so you can rest assured that the load on production networks doesn’t impact production workloads.

Some of these data protection solutions enable Direct SAN (Storage Area Network) access, allowing you to bypass production networks for copying backup data from production VMware environments. Generally, this involves reading data directly from and writing it directly to the SAN device using either Fibre Channel or iSCSI, which provides a significant improvement in performance that directly impacts the time required to run VMware VM backup jobs.

Direct SAN access for a VMware VM backup

Additionally, by offering a Hot Add feature, modern data protection solutions can read data from and write data to VMware virtual machine snapshots through the storage I/O stack, bypassing the host’s TCP/IP stack, which helps alleviate network congestion and reduce the duration of VM backup jobs.

Using a VMware Hot Add mode for VM backup

Generally, by using a VM backup solution that applies the best available VM backup mechanisms and provides SAN connectivity, you can be confident that your VMware VM backups are made in the best way possible with the least amount of overhead on the production network infrastructure.

7. Automate processes

Running backups manually can lead to backup and retention gaps and job overlaps. Schedule backup jobs to run them automatically and follow backup schedule best practices to avoid overlaps and overloading your infrastructure with a large number of VM backups at the same time.

Distribute backup jobs over time when scheduling them to avoid overloads and overlaps if possible. If you have a small backup window, for example, a few hours at night, ensure the network bandwidth and hardware performance are sufficient to back up large amounts of data at high speed.

Having the ability to automate data protection plans by utilizing a powerful HTTP API-driven interface allows you to programmatically interact, monitor, automate, and orchestrate the overall process of backing up your VMware infrastructure. For instance, you can monitor the health state of product components, including backup repositories, automate backup decommissioning, improve compliance with reporting, etc. (see the diagram below).

VMware backup job automation

VM backup solutions that allow chaining backup jobs and running them in a defined sequence can also facilitate VMware VM backup automation. Automating the VM backup process is essential if you want to pursue the best way to back up VMware VMs.

VMware provides different APIs for software integration and data protection. These APIs allow developers to create VM backup software that interacts directly with VMware vSphere environments and uses available virtualization features for effective data backup.

The VMware vSphere API for data protection is one of the most interesting APIs from the perspective of VM data backup. This API allows backup applications to offload backup processing off an ESXi host and provides unique features to back up VMs. NAKIVO Backup & Replication uses vSphere APIs for efficient VM backup.

8. Verify backups and test recoveries

Knowing how to back up VMware virtual machines is important. However, these backups should be tested regularly for validity to ensure successful recovery without any unpleasant surprises. Testing can help you detect possible recovery issues.

If you do not verify your VMware VM backups, you are setting yourself up for failure. There have been many horror stories from administrators who did not verify their VM backups and learned only in a true disaster recovery scenario that these backups were corrupted or didn’t allow restoring critical data as expected. You should therefore look for a data protection solution that provides an automated way to verify VM backups (for example, with screenshots), as performing manual verification is tedious and time-consuming. VM backup verification is an essential best practice to ensure the best way to back up VMware virtual machines.

9. Monitor your environment

Some backup solutions provide VMware vSphere monitoring tools that give you complete visibility over your infrastructure. With such features, you can keep an eye on all key metrics in real time and generate reports to optimize the performance of your virtual environment and resolve bottlenecks.

10. Update your backup solution to the latest version

Having the latest version of a backup solution provides advantages such as improved security, new features, bug fixes, and improvements to existing features. It allows you to stay current and be ready for the latest challenges in terms of data protection.

Try NAKIVO Backup & Replication

Get a free trial to explore all the solution’s data protection capabilities. 15 days for free. Zero feature or capacity limitations. No credit card required.