Losing My Religion: Virtualization Protection Approaches


In this series of blog posts we are going to cut through the self-serving and competing claims and examine each of the arguments for and against the various techniques used for virtual data protection. Today’s post will discuss virtualization hypervisor architectures.

From a data protection perspective, what’s important to note here is that protection may occur at the virtualization hypervisor (called the HOS, or Host Operating System, level) and within the virtual machine (called the GOS, or Guest Operating System, level).  GOS-level protection is unique to the operating system and applications being protected but is independent of the virtualization hypervisor architecture and implementation.

Microsoft Hyper-V HOS-Level Protection

Microsoft uses a data protection architecture known as VSS (Volume Shadow Copy Service) to protect their operating systems, applications, and their virtualization.  VSS at the operating system and application level is used not only by Microsoft, but by other virtualization vendors (for example, VMware) to make sure that the data being used by Microsoft operating systems and applications is in a consistent state so that recovery is ensured (this is also called “quiescing”).  However, Microsoft as a virtualization vendor also uses VSS at the HOS-level.

Compared to VMware’s HOS-level protection, Microsoft’s HOS-level VSS protection is a bit lower level.  What this means is that data protection vendors must write software for missing functionality when offering Microsoft HOS-level virtualization protection.  The most prominent example of this is CBT (Changed Block Tracking) – which is functionality that Microsoft doesn’t offer within VSS but which VMware offers within its HOS-level protection architecture.  From an IT administrator and user perspective, however, this isn’t visible.
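As an added illustration (not from the original post, and not any vendor's implementation), the sketch below shows one simple way to find changed blocks when the hypervisor offers no CBT: compare per-block digests of two point-in-time disk images and keep only the blocks that differ. The 4 KiB block size, the function names and the sample images are assumptions constructed for this example.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size for this illustration


def block_digests(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """SHA-256 digest of every fixed-size block in a point-in-time image."""
    return [hashlib.sha256(image[off:off + block_size]).digest()
            for off in range(0, len(image), block_size)]


def changed_blocks(prev_digests: list, image: bytes,
                   block_size: int = BLOCK_SIZE) -> dict:
    """Return {block_index: data} for blocks that are new or differ
    from the digests recorded at the previous backup."""
    delta = {}
    for idx, off in enumerate(range(0, len(image), block_size)):
        block = image[off:off + block_size]
        if (idx >= len(prev_digests)
                or hashlib.sha256(block).digest() != prev_digests[idx]):
            delta[idx] = block
    return delta


def apply_delta(base: bytes, delta: dict, new_len: int,
                block_size: int = BLOCK_SIZE) -> bytes:
    """Rebuild the newer image from the full backup plus the incremental.
    Handles a disk that grew (zero-pad) or shrank (truncate)."""
    out = bytearray(base[:new_len].ljust(new_len, b"\0"))
    for idx, block in delta.items():
        out[idx * block_size: idx * block_size + len(block)] = block
    return bytes(out)


def demo():
    # Constructed sample: a 4-block "disk" at the time of the full backup...
    snap1 = b"".join(ch * BLOCK_SIZE for ch in (b"A", b"B", b"C", b"D"))
    # ...then block 2 is overwritten and a fifth block is appended.
    snap2 = snap1[:2 * BLOCK_SIZE] + b"X" * BLOCK_SIZE \
        + snap1[3 * BLOCK_SIZE:] + b"E" * BLOCK_SIZE
    delta = changed_blocks(block_digests(snap1), snap2)
    restored = apply_delta(snap1, delta, len(snap2))
    return sorted(delta), restored == snap2


if __name__ == "__main__":
    print(demo())
```

Unlike hypervisor-provided CBT, this approach still has to read every block in order to hash it; it only reduces what is stored or transferred in the incremental backup.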

VMware vSphere HOS-Level Protection

After a series of missteps culminating in the “clunky” VCB (VMware Consolidated Backup) offering, VMware came back strong beginning in VMware vSphere 4 with its VADP (vStorage API for Data Protection) data protection architecture.  VADP is the leading data protection architecture in the virtualization market today and has advanced functionality such as CBT built in so that vendors can offer data protection with less effort.

Is there any downside to VMware’s VADP?  Yes.  VMware limits access to their API set to only licensed versions of their hypervisor.  In other words, their free (unlicensed) ESXi product doesn’t support it.  Thus vendors are forced to provide GOS-level protection in this case.  This compares poorly to Microsoft, for example, which has no such limitation on its free Hyper-V Server 2012 or Hyper-V Server 2008 versions of its Hyper-V virtualization platform.

Citrix XenServer HOS-Level Protection

Beginning with its XenServer 5.5 release, Citrix began offering XenServer snapshots.  Snapshots provide a “point in time” disk state that can be used by data protection vendors.  While the details of using snapshots vary based on the type of storage being used and are beyond the scope of this blog post, it suffices to say that at a conceptual level XenServer snapshots are simply an implementation of the tried and true snapshot mechanisms other storage and virtualization vendors have used.

Because of their common heritage, quite often people get XenServer and Xen functionality confused.  Note that the data protection functionality described above is a feature of XenServer, not of the Xen open source virtualization platform.

Other Hypervisors HOS-Level Protection

Most other virtualization vendors either don’t offer a data protection architecture or offer an extremely limited one.  In this case, it is typically recommended that protection occur at the GOS-level or via scripts that execute at the HOS-level to quiesce the virtual environment, take the virtual machines offline, back them up, and then bring them back online.

We will continue this series next week, so subscribe to our blog to keep informed of new postings, and let us know what you think so far.

