Case #
You need to provide cloud-based backup protection for your on-premises virtual machines, files and SQL databases. You also need to provide a cloud-based disaster recovery site (hot site) for all or some of your on-premises virtual machines. This article describes some general planning considerations for using the Acronis Cyber Protect Cloud DR solution. It also provides step-by-step guidance on configuring backup and DR protection plans in the Acronis Cyber Protect Cloud web-based management console. Acronis Cyber Protect Cloud provides a fully managed Disaster Recovery as a Service (DRaaS) solution to both end customers and cloud service providers.
Solution #
Acronis DR planning and design considerations #
In order to implement an Acronis Cloud backup and DR solution, you first need to contact an official Acronis distributor, reseller or partner. They should work with you to audit your environment, assess your business and technical requirements and provide a technical and financial offer. The Acronis Cyber Protect Cloud solution is based on a cloud-hosted (HTTPS) management portal through which a wide range of features are offered to end customers.
Acronis Cloud complete protection includes the following features at high-level:
- Backup and DR
- Remote monitoring
- Remote patching
- Remote software/hardware scanning
- Remote administrator connectivity (RDP/SSH)
- Remote host OS actions (shutdown/restart/file transfer/etc)
- The CyberFit score and remote SIEM/XDR/SOAR functions for cybersecurity and ransomware protection.
All services are offered on a pay-as-you-go monthly subscription basis. Some features may require the purchase of the so-called advanced packs, namely:
- Advanced Backup
- Advanced Disaster Recovery
- Advanced Management
- Advanced Security + XDR
For example, an advanced Acronis Cyber Protect license is needed for the Acronis portal menu "Infrastructure - Public Clouds", where you can use Azure Blob or other cloud object storage for storing backup and DR workloads instead of Acronis Cloud Storage.
The Acronis Cloud portal is fully multi-tenant: Acronis partners can create new resellers underneath them and then any number of end customers underneath each reseller, all with full permission segregation. The Acronis backup and DR solution is agent-based. The Acronis agent is installed on any supported client or server operating system and can also be installed on all common hypervisor hosts, to allow agentless backup/DR of guest operating systems. Different storage tiers are used by Acronis Cloud for backup (cool or archive) and for DR (hot), so two replicas of the same source VM data are kept in Acronis cloud storage, one for backup and one for DR (two backup sets).
During your technical assessment, you will need to include the following requirements in your planning considerations:
- Do you need immutable storage (Acronis Cloud storage)? Immutability prevents the deletion of or tampering with any existing backup sets, for security reasons.
- Which administrative and end users need to be created at your level (cloud service provider) and at your end-customer level? You need to define the RBAC permissions for each user. Two main roles are available: the company administrator (full permissions) and the cyber protection administrator (access only to cyber protection features, including backup and DR).
- What are your required firewall rules (egress and ingress) for each of the protected virtual machines?
- What is your network topology? Acronis DR supports three architecture options, namely cloud-only, site-to-site VPN with OpenVPN and multi-site IPSec VPN.
- What is your expected RPO? In practice the RPO determines how far back in time Acronis will create recovery points for your protected items. The smaller the RPO, the lower the cloud storage costs, but this is quite tricky, since achieving a short RPO can take some time. Acronis backup first needs time to take a full backup and then start taking Continuous Data Protection (CDP) backups, which should be near real time, before it can actually achieve the desired short RPO. This needs testing in a trial, non-production environment to ensure that the desired RPO is actually achieved. For example, if you request an RPO of 15 minutes, you might end up having recovery points available only from 1 hour before the current time, which means that a hypothetical failover would return your virtual machines to the state they were in 1 hour before the disaster event.
- Please note that RTO cannot really be pre-determined. It depends, but in a real trial demo of Acronis DR, I observed a 3-5 minute RTO for bringing up two (2) VMs. It should not take considerably more time for more VMs, since the failover procedure can run concurrently for any number of VMs.
- How are you going to handle backup/DR email alerting and technical support? Do you require assistance from your Acronis partner or not?
- What is your desired data residency for Acronis datacenters? For Greece there is a region with datacenters in Thessaloniki and Athina.
- What exactly are the metrics of the workloads you are planning to protect? This includes local disk space, RAM size and CPU cores for virtual machines, as well as total disk space and expected growth rate for file server shares and SQL Server databases. If you also need to protect other applications via application-aware backups, such as on-premises Exchange Server and Active Directory domain controllers, you will need to include that in your planning considerations as well.
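The RPO consideration above says the only way to know whether a requested RPO is actually being met is to measure it. The following added example (not part of the original article and not an Acronis tool) does that measurement offline: it takes the recovery-point timestamps you would copy from the portal's recovery-point list for one workload and computes the worst-case data loss window, which is the larger of the biggest gap between consecutive points and the current lag of the newest point. The timestamps, the fixed "now" of 10:00 UTC and the one-hour hole in the series are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: recovery-point timestamps (UTC) for one protected VM.
# The values are made up; the one-hour hole after 08:30 models CDP still
# catching up after the initial full backup.
SAMPLE_RECOVERY_POINTS = [
    "2024-05-01T08:00:00Z",
    "2024-05-01T08:15:00Z",
    "2024-05-01T08:30:00Z",
    "2024-05-01T09:30:00Z",
    "2024-05-01T09:45:00Z",
]


def parse_points(stamps):
    """Parse ISO-8601 'Z' timestamps into sorted, timezone-aware datetimes."""
    return sorted(
        datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for s in stamps
    )


def assess_rpo(stamps, target_rpo, now):
    """Compare the recovery points actually available against a target RPO.

    The achieved RPO is the worst of (a) the largest gap between two
    consecutive recovery points and (b) how far behind `now` the newest point
    is. Either one is data you would lose if the disaster struck at the wrong
    moment, so both must stay within the target.
    """
    points = parse_points(stamps)
    if not points:
        return {"meets_target": False, "violations": [], "worst_case_loss": None}
    gaps = list(zip(points, points[1:]))
    violations = [(a, b) for a, b in gaps if b - a > target_rpo]
    largest_gap = max((b - a for a, b in gaps), default=timedelta(0))
    current_lag = now - points[-1]
    worst = max(largest_gap, current_lag)
    return {
        "latest_point": points[-1],
        "largest_gap": largest_gap,
        "current_lag": current_lag,
        "worst_case_loss": worst,
        "violations": violations,      # (start, end) pairs wider than the target
        "meets_target": worst <= target_rpo,
    }


def sample_assessment(target_minutes, now=None):
    """Run the assessment over the constructed sample at a fixed 'now' (10:00 UTC)."""
    now = now or datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    return assess_rpo(SAMPLE_RECOVERY_POINTS, timedelta(minutes=target_minutes), now)


if __name__ == "__main__":
    for minutes in (15, 60):
        r = sample_assessment(minutes)
        print(f"target {minutes} min: worst-case loss {r['worst_case_loss']}, "
              f"meets target: {r['meets_target']}, gaps over target: {len(r['violations'])}")
```

Run it against the timestamps of each protected workload during the trial period: a requested 15-minute RPO fails here because of the one-hour gap, while a 60-minute target passes. Repeating the check a day or two after the full backup shows whether CDP has closed the gaps.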
Acronis Cyber Protect DR Cloud configuration procedure #
To configure the Acronis Cyber Protect DR Cloud portal for backup and DR, carry out the steps below. These steps assume that you already have full admin access to the Acronis Cloud portal, as granted by your Acronis distributor/reseller/partner. They also assume that the on-premises resources on which you will install the Acronis Cyber Protect agent have outbound (egress) access on TCP port 443, and that you are using the "Cloud only" architecture option. If you need a S2S VPN or multi-site IPsec VPN, you will need to deploy and register an Acronis VPN appliance in your on-premises infrastructure. This appliance only supports Hyper-V and VMware virtualization environments.
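Before installing agents it is worth confirming the egress requirement stated above from each source machine, rather than discovering a blocked path when registration fails. The following added example (not part of the original article and not an Acronis tool) performs a plain TCP connect on port 443 and reports the result per host. The default target is the portal host named on this page; the local listener and closed-port helpers exist only so the check can be exercised offline, and a TCP connect succeeding does not by itself prove a TLS-inspecting proxy will pass the agent's traffic.

```python
import socket
import threading

# The portal host named in the article; any other hosts the agent needs are
# an assumption you should take from your Acronis documentation.
DEFAULT_TARGETS = ["cloud.acronis.com"]


def check_tcp_egress(host, port=443, timeout=5.0):
    """Attempt a TCP connect (no TLS) and report whether the path is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"host": host, "port": port, "reachable": True, "error": None}
    except OSError as exc:
        # Covers DNS failure, refusal, and timeouts from a silently dropping firewall.
        return {"host": host, "port": port, "reachable": False, "error": str(exc)}


def check_all(targets=DEFAULT_TARGETS, port=443, timeout=5.0):
    """Check every target and return a host -> result mapping."""
    return {host: check_tcp_egress(host, port, timeout) for host in targets}


def start_local_listener():
    """Offline stand-in for a reachable endpoint: an accepting socket on 127.0.0.1.

    Returns (server_socket, port); close the socket to stop the listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # listener socket was closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def closed_local_port():
    """Offline stand-in for a blocked endpoint: a port nothing is listening on."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    for host, result in check_all().items():
        status = "OK" if result["reachable"] else f"BLOCKED ({result['error']})"
        print(f"{host}:{result['port']} {status}")
```

Run the script on each machine that will receive an agent; a `BLOCKED` line for the portal host means the firewall egress rule planned earlier is not yet in place on that path.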
- Navigate to https://cloud.acronis.com and log in using your Acronis Cloud credentials. These could be . Please enable 2FA at your earliest convenience. The portal is HTTPS-based, offering encryption in transit.
- Navigate in the service options section of the portal and familiarize yourself with the various Acronis Cloud service options.
- Now click on "Manage Account" to navigate to the account options section of the portal. Now click again "Manage Service" to go back to the service options section.
- In the Service Options section, you have the following options:
  - Monitoring section, which includes the Overview, Alerts, Activities and Threat feed sections.
  - Devices section, which includes the All devices, Discovered devices and Data protection map sections.
  - Management section, which includes the Protection plans, Remote Management Plans, Scripting Plans, Monitoring Plans, Script Repository, Cloud applications backup, Backup scanning and VM replication sections.
  - Disaster recovery section, which includes three options for Acronis DR, namely the Cloud-only option, the site-to-site OpenVPN option and the Multi-site IPsec VPN option.
  - Protection section, which includes the Incidents, Quarantine, Whitelist, Organization map, Data classifiers, Data flow policy and DLP audit log sections.
  - Software management section, which includes the Patches, Vulnerabilities and Software inventory sections.
  - Backup storage section, which includes the Backups section with all backup locations, backup sizes and the list of actual backups.
  - Infrastructure section, which includes the Public Clouds section. This allows you to use an Azure Blob Storage or AWS S3 storage bucket to store your Acronis Cloud backups and DR items, by using an Acronis Cloud advanced license.
  - Reports section.
  - Settings section, which includes the Protection settings, Agents list, System settings and Email notification settings.
- Define which source workloads you need to protect, and which of them need backups only as opposed to backups plus DR protection in the Acronis Cloud. Then navigate to the Monitoring - Overview section of the portal and click "Show all options". On this page you can view all supported workloads that can be protected by the Acronis Cloud agent.
- You can use either the online (web) installer or download the Windows offline installer (32-bit or 64-bit). After you run the Acronis Cloud agent installer, it will ask you to authenticate against the Acronis Cloud management server, so that you can view and manage your machine(s) inside the management server portal. Alternatively, you can issue Acronis Cloud tokens in the Settings section of the management portal and use an issued token instead of your username and password when configuring automated agent deployment.
- You can first customize the agent installation settings. Then click on "Install" to start the Acronis agent installation on your source machine(s).
- At the very end of the agent installation procedure, you will need to register the workload on which the agent was installed. The workload registration can occur either from the same machine on which the agent was installed or from another machine.
- To register your workload, log in to the Acronis portal with your username and password (plus 2FA if enabled).
- Click Register to validate the automatically populated registration code.
- Registration from another machine is also an option for workload registration.
- After you have registered the workload, allow for some time for it to be shown in the list of protected devices in the Acronis portal.
- You now need to enable protection for the registered workload, by activating an existing or new/custom protection plan, as shown in the screenshots below.
- After the backup and DR plan has been applied to your workload(s), monitor the tasks and backup restoration options.
- You should now proceed with setting up your Acronis DR protection plan. Setup the basic DR parameters and the required ingress and egress firewall rules for all protected resources.
- Ensure that you enable the Continuous Data Protection (CDP) option inside your data protection plan and edit any other backup parameters, as required in your scenario, example shown below.
- You can also optionally configure application-aware backup, as shown below.
- Create at least one point-to-site (P2S) VPN user inside the Acronis portal and assign only the Cyber Administrator role to that user. Do the same for any other user who will need a P2S VPN connection to the Acronis DR site after a potential failover.
- You can optionally create one or more runbooks to automate all or parts of the failover and failback procedures, as shown below. Runbooks let you automate the failover of one or multiple servers. You can set the correct sequence of failover operations for servers running distributed applications. You can execute runbooks in either test or production mode to check the integrity of your disaster recovery solution. Add steps and actions: all actions within a step start simultaneously. Select an action to edit its parameters, and use drag and drop to move actions and steps.
- You can initiate the failover procedure, either as a test failover or in the case of a real production disaster. For each Acronis failover virtual machine, Acronis automatically creates a second virtual machine which can only be used for test failover. For test failover, you can optionally assign a second private IP address to the test failover virtual machines in the Acronis DR site, so that you are able to access both the failover VMs and their corresponding test VMs during a test failover. Otherwise, if a second IP is not assigned, the test virtual machines will be using the same private IP addresses as their corresponding failover virtual machines.
- Choose the recovery point you wish to start failover to and click "Start". Failover can occur individually for each protected workload, or automatically, by using runbooks.
- If you now need to initiate the failback procedure, use the Acronis boot media (downloaded from the Acronis portal along with its registration token). Either use an existing on-premises VM or create a new VM, and boot that VM from the Acronis boot media (.iso file). First click "Register Media". The failback procedure consists of four phases: Planning, Data transfer, Switchover and Validation.
- This will prompt you for the registration token which you were provided when you downloaded the Acronis boot media from the Acronis portal. This action will register the specific workload (VM) to the Acronis portal and allow for failback action.
- By clicking "Manage this machine locally", you have the following options.
- You are now able to initiate the failback procedure, from the Acronis portal, for any workload that is in the "failover" state. The "target bootable media" field should now be populated with the FQDN/name of the boot media you registered earlier. Click "Start data transfer" to initiate the failback procedure for that specific workload.
- The next step is to wait until at least 90% of the workload's data has been replicated before initiating the failback switchover. When this is true, click "Switchover" to activate the on-premises failed-back workload and disable the failed-over Acronis DR workload.
- Wait until the failover procedure is completed. You can always view the estimated time to finish, before and during the switchover procedure.
- At this point, to finalize the failback, reboot the server in the local site from the registered boot media. After the switchover completes successfully, validate that everything works without issues on your on-premises site and then click "Confirm failback". Otherwise click "Cancel failback" to return your Acronis DR workload to its failover state and make it active again. Then rectify any blocking issues on your on-premises site and retry the failback as soon as possible.
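The runbook step above describes a specific execution model: steps run in order, every action inside a step starts at the same time, and a runbook can be run in test or production mode. The following added example (not part of the original article and not Acronis's runbook engine) implements that model so you can reason about ordering for a distributed application before building the real runbook in the portal. The three-tier runbook, the server names and the `make_simulator` stand-in for the portal's action execution are all constructed for this example; a failed step stops the run so that dependent tiers are not brought up against a missing prerequisite.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed runbook for a three-tier application (names are made up):
# the domain controller must be up before SQL, and SQL before the web tier.
# Each step is (step name, [action, ...]); actions in one step start together.
SAMPLE_RUNBOOK = [
    ("Identity", [{"op": "failover", "server": "dc01"}]),
    ("Database", [{"op": "failover", "server": "sql01"}]),
    ("Web tier", [{"op": "failover", "server": "web01"},
                  {"op": "failover", "server": "web02"}]),
]


def make_simulator(failing=()):
    """Stand-in for the portal executing an action: records what ran, fails on demand.

    Returns (execute, log); `log` receives (mode, server) in completion order.
    """
    log, lock = [], threading.Lock()

    def execute(action, mode):
        if action["server"] in failing:
            raise RuntimeError(f"{action['op']} of {action['server']} failed")
        with lock:  # several actions of a step run concurrently
            log.append((mode, action["server"]))
        return action["server"]

    return execute, log


def run_runbook(steps, execute, mode="test"):
    """Run steps sequentially, starting all actions of a step simultaneously.

    Stops after the first step with an error. Returns one record per step
    that was attempted, with the servers completed and any error messages.
    """
    if mode not in ("test", "production"):
        raise ValueError("mode must be 'test' or 'production'")
    results = []
    for name, actions in steps:
        completed, errors = [], []
        with ThreadPoolExecutor(max_workers=max(1, len(actions))) as pool:
            futures = {pool.submit(execute, action, mode): action for action in actions}
            for future, action in futures.items():
                try:
                    completed.append(future.result())
                except Exception as exc:  # keep going so every failure is reported
                    errors.append(str(exc))
        results.append({"step": name, "completed": sorted(completed), "errors": errors})
        if errors:
            break  # dependent steps must not start without this one
    return results


if __name__ == "__main__":
    execute, log = make_simulator()
    for record in run_runbook(SAMPLE_RUNBOOK, execute, mode="test"):
        print(record)
    print("completion order:", [server for _, server in log])
```

Running the constructed runbook in test mode yields the completion order `dc01`, `sql01` and then the two web servers in either order; injecting a failure at `sql01` ends the run after the Database step, which is the behaviour you want to verify for your own dependency chain before trusting the runbook in production mode.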
How to connect P2S VPN users after an Acronis DR failover #
Carry out the steps below.
- Download and install the OpenVPN client version 2.4.0 or later (Download OpenVPN). Ensure that you download OpenVPN from the Community Downloads page; the OpenVPN Connect client is not supported.
- Download the configuration for OpenVPN from the Acronis portal.
- Import the downloaded configuration into the OpenVPN client. The configuration file is valid for users in your organization with the "Company Administrator" or "Cyber Protection" user role.
- Log in to OpenVPN with your Cyber Cloud portal credentials (the user provisioned via the portal). Ensure that the user you are logging in with is assigned the "Company administrator" or "Cyber Protection" user role.
- After enabling two-factor authentication for your account, you need to regenerate the VPN configuration file and renew it for your existing OpenVPN clients. Users must log in to Cyber Cloud again to set up two-factor authentication.
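Since the P2S profile is downloaded from the portal and then handed to every user who may need DR access, it is reasonable to review it before importing it into the OpenVPN client. The following added example (not part of the original article, and the sample profile is constructed, not the file Acronis generates) parses a `.ovpn` client profile and flags the settings a defender would check: that the server's identity can be validated (an embedded CA plus `remote-cert-tls server`), that TLS 1.2 or later is enforced, and that `auth-user-pass` prompts for the portal credentials rather than reading them from a file on disk. Only standard OpenVPN 2.4 directives are used; the hostname `vpn.example.invalid` and the certificate placeholder are assumptions.

```python
import re

# Constructed sample client profile. It is NOT the file Acronis generates; it
# only carries the standard OpenVPN directives the checks below look for.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(placeholder certificate body)
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text):
    """Split a profile into plain directives and inline <tag>...</tag> blocks."""
    directives, inline, current, buf = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        opening = re.fullmatch(r"<([\w-]+)>", line)
        closing = re.fullmatch(r"</([\w-]+)>", line)
        if current is None and opening:
            current, buf = opening.group(1), []
        elif current is not None and closing and closing.group(1) == current:
            inline[current], current = "\n".join(buf), None
        elif current is not None:
            buf.append(line)  # body of an inline block such as <ca>
        else:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, inline


def audit_ovpn(text):
    """Return a list of findings; an empty list means the profile passed every check."""
    d, inline = parse_ovpn(text)
    findings = []
    if "client" not in d:
        findings.append("missing 'client': not a client profile")
    if "remote" not in d:
        findings.append("missing 'remote': no VPN endpoint configured")
    if "ca" not in inline and "ca" not in d:
        findings.append("missing CA certificate: server identity cannot be validated")
    if not any(args[:1] == ["server"] for args in d.get("remote-cert-tls", [])):
        findings.append("missing 'remote-cert-tls server': any certificate issued by the CA, "
                        "including another user's client certificate, would be accepted as the server")
    versions = d.get("tls-version-min", [])
    if not versions or float(versions[0][0]) < 1.2:
        findings.append("missing or weak 'tls-version-min': require at least 1.2")
    for args in d.get("auth-user-pass", [None]):
        if args is None:
            findings.append("missing 'auth-user-pass': portal credentials would not be requested")
        elif args:
            findings.append(f"'auth-user-pass {args[0]}' reads portal credentials from a file; "
                            "prompt for them instead")
    return findings


if __name__ == "__main__":
    for finding in audit_ovpn(SAMPLE_OVPN) or ["no findings"]:
        print(finding)
```

Call `audit_ovpn(open(path).read())` on the downloaded profile and resolve every finding before distributing it; repeat the check after regenerating the profile for two-factor authentication, since that replaces the file.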
References #
The Acronis Cloud DR official docs are available at https://www.acronis.com/en-us/support/documentation/DisasterRecovery/#welcome-to-cyber-disaster-recovery-cloud.html.