There are many thousands of IBM Storwize and SVC systems implemented in the world. They have in common that they all run the IBM Spectrum Virtualize software, which has been regarded as one of the leading software-defined storage products in the market for many years. They also have in common a very interesting feature that hardly anybody knows about.
Most of you probably did not know that IBM V7000 systems based on Spectrum Virtualize can transparently tier data to the cloud, so you can offload older or snapshot data to your cloud object storage provider to free up space, improve performance and lower cost.
Transparent Cloud Tiering is a licensed function that enables volume data to be copied and transferred to cloud storage.
The system supports creating connections to cloud service providers to store copies of volume data in private or public cloud storage.
With transparent cloud tiering, administrators can move older data to cloud storage to free up capacity on the system. Point-in-time snapshots of data can be created on the system and then copied and stored on the cloud storage.
An external cloud service provider manages the cloud storage, which reduces storage costs for the storage system. Before data can be copied to cloud storage, a connection to the cloud service provider must be created from the system. A cloud account is an object on the system that represents a connection to a cloud service provider by using a particular set of credentials. These credentials differ depending on the type of cloud service provider that is being specified. Most cloud service providers require the host name of the cloud service provider and an associated password, and some cloud service providers also require certificates to authenticate users of the cloud storage.
Proficiency uses IBM Cloud Object Storage as its Trusted Technology Partner for delivery of Cloud Object Storage services to our clients, but we can also connect to AWS S3 object storage or other S3-compatible object storage services.
The benefits of using Cloud Object Storage are numerous: large cost savings by freeing up expensive on-premises storage capacity, performance gains on your production system, reduced management effort, security improvements, workload portability and IT resilience.
Benefits of Transparent Cloud Tiering on V7000 and other IBM Spectrum Virtualize based storage environments include:
- Does not require an additional storage system to copy and/or move data to the cloud
- Provides flexibility by supporting a choice of multicloud options
- Creates an alternative storage tier
- Enables massive storage capacity (never run out of capacity anymore)
- You can migrate data to the cloud
- Frees up resources, increases performance
- Improves flexibility
- Reduces TCO
- Introduces a hybrid cloud model for existing storage
How it works for your V7000 (and other Spectrum Virtualize based systems).
You can just use the easy to use Spectrum Virtualize management GUI or command-line interface to enable a cloud connection to IBM Cloud!
With transparent cloud tiering enabled you will have implemented your hybrid cloud storage environment for IBM Spectrum Virtualize. To be able to use transparent cloud tiering you will need to purchase the license on your V7000. The licensing is per enclosure (like most other V7000 features). You also need a FlashCopy license (or the Full Feature license, which includes FlashCopy). The Transparent Cloud Tiering license plus the FlashCopy license combined will cost you a maximum of euro 3.400,00 excl. VAT per enclosure. In addition you would require the encryption feature to encrypt data.
Implementation is fast and not complicated. Once implemented, it runs smoothly and you can automate the operations.
Important note: “Planning for transparent cloud tiering involves purchasing a licensed function and then activating and enabling the function on the system.”
Transparent cloud tiering on the system is defined by configuration limitations and rules.
There are many possibilities, but also some specific restrictions to transparent cloud tiering and cloud snapshots. Some basic guidelines:
- One cloud account per system.
- A maximum of 1024 volumes can have cloud-snapshot enabled volumes.
- The maximum number of active snapshots per volume is 256.
- The maximum number of volume groups is 512.
- Cloud volume traffic is allowed only through management interfaces (1 G or 10 G).
- Different kinds of volumes can be used, but not all; Metro/Global Mirror volumes, VVOLs and file system volumes, for example, cannot.
- A volume cannot be used for a restore operation if any of the following apply:
  - It is a Virtual Volume, including FlashCopy volumes that are used internally for Virtual Volume restoration functions.
  - It is a file system volume.
  - It is part of a remote copy relationship (Metro Mirror, Global Mirror, active-active) as a master, auxiliary, or change volume.
Key takeaway here is that we always recommend an initial planning session, in which we explain “how it works”, discover with you which volumes are to be considered for cloud tiering and make sure you understand not only the possibilities and benefits, but also the requirements, guidelines and no-gos. A technical specialist can help you with the initial setup and configuration.
Before you create the cloud account, complete the following prerequisites:
- Ensure that you have a service contract with a supported cloud service provider (e.g. IBM Cloud, AWS S3)
- Purchase the license for transparent cloud tiering for your system. Only Storwize® V7000 2076-524 and Storwize V7000 2076-624 and Storwize V7000 2076-U7A models support transparent cloud tiering.
- Ensure that a DNS server is configured on the system. During the configuration of the cloud account, the wizard prompts you to create a DNS server if one is not already configured. All public cloud service providers use host names to identify themselves across the public network, and the system requires a Domain Name System (DNS) server to resolve these host names to IP addresses before it can establish a cloud account.
- Before you create a connection to a cloud service provider, ensure that you specify at least one DNS server to manage host names. You can have up to 2 DNS servers that are configured on the system. To configure DNS for the system, enter a valid IP address and name for each server. Both IPv4 and IPv6 address formats are supported.
- Determine whether encryption is required for your connection to the cloud account. If you are accessing a public cloud solution, encryption protects data during transfers to the external cloud service providers from attack. To encrypt data that is sent to the cloud service provider, the system requires an encryption license for each enclosure that supports the function and that encryption is enabled on the system.
Security considerations for cloud accounts
Whenever the system accesses outside networks, the potential for unintentional or intentional exposure of sensitive data is a risk. When you are connecting the system to a cloud service provider over a public network, you can use encryption to protect data that is transferred to the cloud service provider.
The first level of encryption-based security provides secure communications between the system and the cloud service provider. The standard protocol, Transport Layer Security (TLS), protects these connections by encrypting data that is transferred between the system and the cloud service provider. Secure communication is mandatory for these connections and requires that public certificates are exchanged between the cloud service provider and the system. With secure communications, data is encrypted while it is transferred to the cloud, but might be stored in the cloud unencrypted. Each cloud service provider has its own security measures to protect data once it is located in cloud storage; however, breaches can still occur and data can be compromised. Clients that use cloud service providers can add extra encryption methods to protect their data after it is stored in the cloud.
Since the V7000 system supports encryption of at-rest data, you can optionally configure encryption key management to further protect data that is stored on the cloud storage. If key management is configured on the system, data is encrypted before it leaves the system and is stored in the cloud. The system supports key management through either a USB flash drive or an encryption key server. When encryption is configured, a master encryption key is created and is stored separately on either a USB flash drive or a key server. When you create snapshots of data to send to the configured cloud service provider, each volume and each cloud account has its own encryption key. The encryption key that is used by the cloud account protects the encryption keys for the volumes, and the master encryption key protects the encryption key that is used by the cloud account. Because the master encryption key is physically present on the USB flash drive or key server, you must ensure that security measures are implemented to protect the master encryption key from theft or loss. When the data is transmitted between the system and the cloud service provider, it is additionally protected by the TLS connection that is set up with the certificates configured for secure communications. The master encryption key also protects the data in transit, and the data remains encrypted while it is stored on the cloud storage. Data also remains encrypted under the master encryption key when it is transferred back to the system from the cloud during restore operations. Finally, data can be decrypted when it arrives at the system, or it can be stored on an encrypted volume on the system.
When a connection to a cloud service provider is configured, you must decide whether to encrypt data at rest in the cloud for this account. After you decide, the encryption setting for the account cannot be changed without restoring all data from the cloud, reconfiguring the account, and re-creating cloud snapshots for the data.
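The key hierarchy described above, as an added model (not IBM's implementation and not code from this page): the master key wraps the cloud-account key, which wraps a per-volume key, and only ciphertext plus wrapped keys leave the system, so a provider-side breach or a lost master key behaves as the text warns. Assumptions: an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the product's cipher, and the wrapped account key is stored beside the cloud object.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Deterministic keystream from HMAC-SHA256(key, nonce||counter); stand-in for AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # Encrypt-then-MAC: returns nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    # Verify the tag first; a wrong key (e.g. a lost master key) or tampering fails here.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered object")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def take_cloud_snapshot(master_key: bytes, account_key: bytes, volume_data: bytes) -> dict:
    # Per-volume key wraps the data, the account key wraps the volume key, the master
    # key wraps the account key. Only ciphertext and wrapped keys are sent to the cloud.
    # Keeping the wrapped account key beside the object is this model's assumption.
    volume_key = os.urandom(32)
    return {
        "data": seal(volume_key, volume_data),
        "wrapped_volume_key": seal(account_key, volume_key),
        "wrapped_account_key": seal(master_key, account_key),
    }

def restore_from_cloud(master_key: bytes, cloud_object: dict) -> bytes:
    # Unwrap top-down; the data stays encrypted until the last step, on the system.
    account_key = unseal(master_key, cloud_object["wrapped_account_key"])
    volume_key = unseal(account_key, cloud_object["wrapped_volume_key"])
    return unseal(volume_key, cloud_object["data"])

def cloud_exposes_plaintext(cloud_object: dict, volume_data: bytes) -> bool:
    # What a breach at the provider would reveal: ciphertext only.
    return volume_data in cloud_object["data"]
```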