VAST Data Platform with Cohesity DataProtect


Introduction

The VAST Data Platform delivers a unified, flash-first architecture that fundamentally transforms the economics of enterprise storage. By making flash viable for all workloads—from the most performance-sensitive databases to massive-scale data protection and archival use cases—it eliminates the traditional tradeoffs between performance, capacity, and cost.

Built on VAST’s Disaggregated Shared Everything (DASE) architecture, the VAST Data Platform introduces a fundamentally new approach to scale-out storage. Compute, storage, and network resources scale independently while operating as a single global system, delivering exceptional resilience, efficiency, and linear scalability across the entire data lifecycle.

At the core of the platform is a single global namespace that natively supports both file and object workloads at exabyte scale. This unified foundation allows organizations to consolidate infrastructure, simplify operations, and scale seamlessly without creating data silos or sacrificing efficiency.

VAST further extends these architectural advantages through global, similarity-based data reduction. Rather than relying solely on traditional deduplication techniques, the platform identifies shared patterns and structures across datasets—dramatically reducing stored capacity while preserving full performance. This global data reduction is especially impactful for snapshots, backups, long-term retention workloads, and even restores to the same cluster in case the primary storage system is down.

Cohesity DataProtect is a high-performance, software-defined data protection solution purpose-built for the hybrid and multi-cloud era. It delivers comprehensive, policy-driven backup and recovery for both traditional and modern workloads through a single, unified platform.

Designed for hyperscale environments, Cohesity DataProtect replaces fragmented point solutions with a converged architecture that can be deployed on-premises or consumed as a service. This approach simplifies operations while delivering fast recovery, flexible retention, and seamless scalability.

Together: Scalable, Independent Growth

Together, VAST Data and Cohesity provide a powerful foundation for modern data protection and long-term data management. VAST enables organizations to scale performance independently from capacity while achieving exceptional efficiency through global similarity and data reduction. Cohesity DataProtect independently scales backup performance and protected capacity without imposing constraints on primary storage.

The combined architecture delivers maximum flexibility, allowing enterprises to evolve performance, protection, and retention on their own terms while maintaining predictable costs, operational simplicity, and industry-leading storage efficiency.

VAST Data Platform with COHESITY® DataProtect - Solution & Best Practices Guide

Solution Overview

Diagram showing VAST Source logo at the top, a central Cohesity DataProtect / COHESITY DataPlatform graphic with four green COHESITY blocks and icons labeled Indexing, Data, Metadata, and a VAST Target logo on the right — illustrating Cohesity integration with VAST.

Figure 1 - Cohesity Integration with VAST

The VAST cluster can be both the source (the data to be backed up) and the target. Using VAST as the target with Cohesity DataProtect offers three different use cases:

  • CloudArchive – VAST Data provides the target for data that goes beyond the initial retention time of keeping the data local to the Cohesity DataProtect

  • ArchiveDirect – VAST Data provides the direct target for backups, with data bypassing DataProtect and being stored instantly on the VAST cluster.  Metadata and indexing are stored on the VAST cluster, but also on DataProtect for faster lookups.

  • CloudTier – A seldom-used solution where the Cohesity DataProtect filesystem is extended onto the VAST cluster.

The first two use cases are the most compelling and are covered in this document, with a strong focus on the S3 protocol due to its security and its ability to handle a wide range of data types. The document is divided into two major sections: a VAST configuration section and a Cohesity configuration section for integrating VAST into the Cohesity workflow, as shown in Figure 1.

VAST Configuration

When creating a Cohesity policy targeting a VAST cluster, several prerequisites must be configured on the VAST side first. This section walks through the complete setup of S3 from the VAST perspective.

Configuration for NFS and SMB is more straightforward and is not covered here; for those protocols, refer to the VAST Knowledge Base for detailed guidance.

S3 configuration on a VAST system involves several components. The following sections walk through each component individually, starting from their primary locations in the UI. While many of these configuration steps can be initiated from within other wizards, navigating nested wizards can be confusing for first-time users. Presenting each step from its base location provides a clearer, end-to-end understanding of how the components are connected.

S3 Identity Policy

The VAST identity policy is the mechanism that grants user-specific S3 API permissions. While a set of permissions isn't explicitly listed in Cohesity documentation, the following list will cover most scenarios, including when using object lock:

Minimum Required

S3 Compatible Targets

s3:DeleteObject

s3:ListMultipartUploadParts

s3:DeleteObjectVersion

s3:AbortMultipartUpload

s3:GetObject

s3:GetObjectRetention

Object Lock (WORM) enabled

s3:GetBucketAcl

s3:GetObjectTagging

s3:GetBucketLocation

s3:PutObjectRetention

s3:GetBucketVersioning

s3:PutObjectTagging

s3:GetBucketObjectLockConfiguration

s3:ListBucket

s3:ListBucketVersions

s3:ListBucketMultipartUploads

s3:PutObject

Table 1 - S3 API Permissions

To ensure full functionality, all the permissions above should be used in the VAST identity policy. This policy is in the form of a JSON file. Using the following example ensures that all S3 permissions are enabled for the user on the VAST cluster and adheres to AWS specification requirements. To create an identity policy, in the VAST UI select User Management along the left windowpane and select Identity Policies (Figure 2).

Left-side vertical admin navigation menu showing Dashboard, User Management, and the Identity Policies menu item highlighted in a red box

Figure 2 - Selecting Identity Policies

This will bring up the User Management and Identity Management window (Figure 3).  In the upper right corner, click the Create Identity Policy button.

User Management | Identity Management window showing a list of identity policies, a highlighted row, and the Create Identity Policy button in the upper right corner

Figure 3 - Identity Policy Window

This brings up the Create New Identity Policy wizard.  The policy window that appears can be overwhelming as it allows for a lot of manual policy creation.  That said, the easiest approach is to simply copy the example JSON code from below and paste it in the section on the right as shown in Figure 4.  The only other entries needed here are the policy name and tenant.  Click Create when completed.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectRetention",
                "s3:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "s3:GetObjectLegalHold",
                "s3:PutObjectTagging",
                "s3:GetObjectTagging",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning",
                "s3:GetBucketObjectLockConfiguration",
                "s3:PutBucketObjectLockConfiguration",
                "s3:GetBucketAcl"
            ],
            "Resource": "*"
        }
    ]
}

Note: If any of the API calls generate an error during identity policy creation, it just means that it’s implicitly applied and that API call can simply be removed from the identity policy.  Also, take special care that the quotes used in the code are straight quotes and not curly quotes.
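A pre-paste check for the identity policy, written for this guide as an added example (it is not VAST or Cohesity tooling): it catches curly quotes and broken JSON, then compares the allowed actions with Table 1 and reports whether Resource is left as "*". The function name lint_identity_policy and the SAMPLE_POLICY text are assumptions constructed for the example.

```python
import json

# Actions listed in Table 1 of this guide.
TABLE1_ACTIONS = frozenset({
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:PutObject",
    "s3:GetObjectRetention", "s3:PutObjectRetention",
    "s3:GetObjectTagging", "s3:PutObjectTagging",
    "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload",
    "s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads",
    "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration",
})

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"


def as_list(value):
    """IAM-style JSON allows a single string/object where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_identity_policy(text):
    """Check policy text before it is pasted into the Create Identity Policy editor."""
    report = {"errors": [], "missing": [], "extra": [], "wildcard_resource": False}

    # 1. Curly quotes picked up from a PDF or word processor break the JSON.
    for lineno, line in enumerate(text.splitlines(), 1):
        bad = sorted({f"U+{ord(ch):04X}" for ch in line if ch in CURLY_QUOTES})
        if bad:
            report["errors"].append(f"line {lineno}: curly quote {', '.join(bad)}")
    if report["errors"]:
        return report

    # 2. The text must be one well-formed JSON object (a lost brace fails here).
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        report["errors"].append(f"invalid JSON at line {exc.lineno}: {exc.msg}")
        return report
    if not isinstance(policy, dict):
        report["errors"].append("top level of the policy must be a JSON object")
        return report

    # 3. Collect what the Allow statements grant.
    allowed = set()
    for stmt in as_list(policy.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        allowed.update(as_list(stmt.get("Action")))
        if "*" in as_list(stmt.get("Resource")):
            report["wildcard_resource"] = True

    # 4. Compare with Table 1: "missing" may break backups, "extra" goes beyond
    #    the table and deserves a least-privilege review.
    if not ({"*", "s3:*"} & allowed):
        report["missing"] = sorted(TABLE1_ACTIONS - allowed)
    report["extra"] = sorted(allowed - TABLE1_ACTIONS)
    return report


# Constructed sample: the same actions as the example policy in this guide.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": sorted(TABLE1_ACTIONS | {
            "s3:PutObjectLegalHold", "s3:GetObjectLegalHold",
            "s3:PutBucketObjectLockConfiguration",
        }),
        "Resource": "*",
    }],
}, indent=4)

if __name__ == "__main__":
    for key, value in lint_identity_policy(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```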

Screenshot of the VAST UI 'Create New Identity Policy' dialog showing the policy editor on the right with the identity policy JSON highlighted in a red box

Figure 4 - Creating Identity Policy

This policy can now be assigned to a user, who will be created next.

Creating an S3 User

The user created here will be used to connect to the VAST cluster with access and secret keys. To create a user with S3 credentials in the VAST UI, go to the floating left windowpane, click User Management, then select Local Users (Figure 5).

Screenshot of an admin application's left navigation menu with the User Management section expanded and the Local Users menu item highlighted in a red outline. The menu shows items like Dashboard, Infrastructure, Data Protection, User Management, and subitems including Providers, Active Directory, Users And Groups, Local Users.

Figure 5 - Select Users to Create a User

The Add User window appears (Figure 6), and a local username needs to be entered along with any desired number for the UID (an Active Directory user can be used and would already have a SID).

Screenshot of an Add User dialog/banner with a dark blue header showing fields for General information: example Name field populated with cohesity-user, a UID field showing 020326, and a Local provider dropdown set to default. The layout shows form labels and input lines across a wide, dark-themed panel.

Figure 6 - Adding User - Part 1

This user is being created in the default tenant. Further down in the wizard (Figure 7), the default tenant is selected from the pull-down menu to ensure that permissions and keys are created in the same tenant as the user. Toggle both levers on for Create and Delete bucket permissions. This is also where the identity policy that was created in the previous section is assigned. Note the message saying that the user needs to be created before access keys can be added.

Dark-themed dialog titled Select tenant to see user details showing tenant dropdown, a notice S3 Access keys can only be added once the user has been created, toggles labeled Allow Create Bucket and Allow Delete Bucket, and an Identity policies dropdown labeled cohesity-policy.

Figure 7 – Adding User – Part 2

After clicking Create, the user will show up in the User Management window (Figure 8).

User Management window titled User Management | Users And Groups showing a list of users, a row for cohesity-user, and a context menu with options including View, Edit (outlined in red), Delete, and Create New.

Figure 8 - User Created / Edit User

Now that the user is created, it needs to be edited to create and capture the active and secret keys. If an existing Active Directory user is being used, the user can be found and edited by selecting Query User or Group (Figure 5) and querying for the user. To edit a user, right-click anywhere on the user to bring up a drop-down menu (Figure 8), then select Edit.

VAST UI Update User window showing the Add New Key dropdown with a red arrow pointing to the dropdown option.

Figure 9 - Select Add New Key

In the Update User window that appears (Figure 9), select the appropriate tenant; here, it is the default tenant. Click the Add New Key pull-down menu and select Create S3 Access Key. Copy the active and secret keys to a safe location right away (Figure 10): this is the only time the secret key can be obtained. Click Update to close the window.

VAST UI showing the active access key and the secret key disclosure banner with a Copy key button and red arrows indicating the key and copy action.

Figure 10 - Active and Secret Keys

The user can now be used in the creation of a bucket or view within the VAST UI.

Note: This example showed a local user. As mentioned previously, a domain user can also be used if the VAST cluster has been joined to a domain. Any domain user can be searched for and modified in a similar manner for secret and access keys as well as assigning an identity policy.

Creating an S3 Endpoint on VAST

For organizational purposes, and for ease of use when creating buckets with third-party S3 utilities, it is a best practice to create an endpoint. All new buckets created with the credentials assigned to the endpoint are placed in an orderly manner underneath that endpoint's path structure. Buckets created without an endpoint could all land, purposely or accidentally, in the root directory of the VAST cluster, which can become onerous to manage.

Element Store UI screenshot showing a list of paths and buckets with numbered callouts; highlights the Views tab and a Create View button, and shows S3 ENDPOINT / S3 BUCKET entries

Figure 11 - Creating an S3 Endpoint

To create an endpoint, go to the Element Store within the VAST UI, select the Views tab, and then click Create View as highlighted in Figure 11.

Add View wizard screenshot showing General settings — Tenant set to default, Path set to /data/cohesity/ep1, the Create directory checkbox checked, Policy name field, and Protocols set to S3 Endpoint

Figure 12 - S3 Endpoint Details Part 1

This will open an Add View wizard as shown in Figure 12. Enter the tenant, path, policy and S3 Endpoint as the protocol. (If the path doesn’t exist yet, check the Create Directory box). In the S3 section of this wizard (Figure 13), ensure the appropriate user is given access for Bucket creators. Click Create when finished. This will show the endpoint as in Figure 11.

Note: An endpoint can have multiple users added as Bucket Creators, but a user can only be added to one endpoint.

UI screenshot showing Bucket Creators panel with a highlighted box around Bucket Creators and the user entry cohesity-user.

Figure 13 - Assigning Bucket Creator to the Endpoint

Again, the benefit of having an endpoint is that during bucket creation (with an S3 utility), all endpoint properties will propagate to the buckets and cleanly place them under the endpoint path.

For example, the endpoint that was just created here has a path of

/data/Cohesity/ep1

A new bucket created with the name bucket1 will show up in the VAST UI like this:

/data/Cohesity/ep1/bucket1

This helps to organize the VAST system and becomes especially useful when creating the bucket with an S3 utility that allows for bucket creation. Currently, the Cohesity workflow for external targets or policies does not allow for bucket creation during the configuration process. All buckets will need to be created before creating an external target or policy.

Creating an S3 Bucket

Creating a bucket is the exact same process as creating an endpoint. The only difference is selecting S3 Bucket for the protocol instead of S3 Endpoint. Ensure the bucket owner has also been set with an appropriate user.

New S3 Bucket dialog screenshot showing General settings, the Path field (example path like /data/cohesity/ep1/data-bucket), and the Protocol dropdown with S3 Bucket selected. Highlight around the Protocol/S3 Bucket area.

Figure 14 - New S3 Bucket Details

To create a bucket (Figure 14), mimic the same steps for creating an endpoint, but ensure that only the S3 Bucket is selected as the protocol. To align the bucket with an existing endpoint, make sure the path, policy, and bucket creator follow the same format. The example (Figure 15) shows that 'bucket1' was created with the same path underneath the endpoint example given earlier.

Cohesity Element Store UI screenshot showing an S3 bucket list with 'bucket1' highlighted

Figure 15 - S3 Bucket Created

Buckets can be created by using the steps above or with any S3 utility.  With a bucket now created, it can be used as a target during policy creation within the Cohesity UI.

Enabling Object Lock / WORM

If object lock is planned for a Cohesity target, it must be enabled within the VAST UI. It can be enabled either during bucket creation or later, after the bucket has been created. Once enabled, it cannot be disabled. When creating or editing the bucket, there is a section on Versioning and Object Lock (Figure 16).

VAST UI Add View S3 configuration panel showing 'Enable Object lock' toggle switched on and retention mode set to Compliance

Figure 16 - Enabling Object Lock

To enable object lock, slide the toggle on, which will also turn on versioning, as that is also required. Cohesity requires that retention mode and retention time be set within the VAST UI. Since Cohesity performs all maintenance on the objects, the VAST retention time must be equal to or shorter than the retention time set within a Cohesity policy; otherwise, expired objects will not be deleted properly.

For retention mode, it is possible to have a target using governance mode, and it is a great method for testing capacity usage without a full commitment; however, for full security, the retention mode should be set to compliance.

Object Lock Time Format

In the 5.x release of the VAST cluster, the S3 object lock retain time format defaults to UTC time and not the expected AWS specification of Zulu time. This will cause issues with S3 backups. However, a setting on the VAST cluster can be modified to default to Zulu time; its details are as follows:

Setting:  S3_OBJ_LOCK_RETAIN_TIME_FORMAT

Purpose:  Controls the timezone format returned in ObjectLockRetainUntilDate.

Values:

0 - No timezone

1 - Zulu ("Z")

2 - UTC offset (default value for new installations)

This setting can be changed by logging into the VAST cluster (VMS IP address) with an SSH utility and changing the default value of '2' to the appropriate Zulu value of '1' as shown in the following example:

tmphx-203 vastdata@cosmo-arrow-cb3-cn-2 ~:$ vtool vsettings set S3_OBJ_LOCK_RETAIN_TIME_FORMAT=1
SetVSettingsResult(code=SetVSettingsResultCode.SUCCESS)
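To confirm the change took effect, the raw ObjectLockRetainUntilDate string from an S3 response can be classified against the three values listed above. This is an added example, not VAST or Cohesity code: the sample timestamps are constructed, the function names are hypothetical, and treating a no-timezone value as UTC is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# S3_OBJ_LOCK_RETAIN_TIME_FORMAT values as listed in this guide.
NO_TIMEZONE, ZULU, UTC_OFFSET = 0, 1, 2

STAMP_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)"  # date and time
    r"(Z|[+-]\d{2}:?\d{2})?$"                                  # optional zone suffix
)


def split_stamp(value):
    match = STAMP_RE.match(value.strip())
    if match is None:
        raise ValueError(f"not an ISO 8601 timestamp: {value!r}")
    return match.group(1), match.group(2)


def classify_retain_until(value):
    """Map a raw retain-until string to the setting value that would produce it."""
    _, suffix = split_stamp(value)
    if suffix is None:
        return NO_TIMEZONE
    return ZULU if suffix == "Z" else UTC_OFFSET


def strict_zulu_accepts(value):
    """Model of a client that only parses the Zulu form (literal trailing 'Z')."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            continue
    return False


def to_utc(value):
    """Normalize any of the three forms to an aware UTC datetime.

    Assumption: a value without a timezone is interpreted as UTC.
    """
    stamp, suffix = split_stamp(value)
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in stamp else "%Y-%m-%dT%H:%M:%S"
    naive = datetime.strptime(stamp, fmt)
    offset = timedelta(0)
    if suffix not in (None, "Z"):
        digits = suffix[1:].replace(":", "")
        offset = timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
        if suffix[0] == "-":
            offset = -offset
    return (naive - offset).replace(tzinfo=timezone.utc)


def non_zulu(samples):
    """Values showing the cluster is not (yet) returning the Zulu format."""
    return [value for value in samples if classify_retain_until(value) != ZULU]


# Constructed samples, one per setting value (0, 1, 2).
CONSTRUCTED_SAMPLES = [
    "2031-03-01T00:00:00",
    "2031-03-01T00:00:00Z",
    "2031-03-01T00:00:00+00:00",
]

if __name__ == "__main__":
    for sample in CONSTRUCTED_SAMPLES:
        print(sample, classify_retain_until(sample), strict_zulu_accepts(sample))
```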

Cohesity Configuration

Given the document's focus on the S3 protocol for both source and target workflows—and Cohesity’s requirement for HTTPS on S3 sources—proper certificate integration is a foundational step. This section describes how an existing S3 certificate on the VAST cluster is trusted by Cohesity, followed by configuring VAST as both an S3 source and a target. These components are then unified through a Cohesity policy and protection group, demonstrating the two primary solution architectures described in the Solution Overview.

Trust VAST S3 Certificate

The following method of adding an SSL certificate to a Cohesity cluster was taken from Cohesity documentation. The process may change, so refer to the latest Cohesity documentation to ensure the current process is followed. The VAST S3 certificate was retrieved with the following command (to install an S3 certificate on VAST, follow a procedure similar to Installing an SSL Certificate for VMS):

openssl s_client -connect 16vips.tmphx203.vastdata.lab:443 -showcerts

The results, in between and including BEGIN CERTIFICATE and END CERTIFICATE, were placed in a file called vast-ca.crt. That file was then copied to the Cohesity node with the following command:

scp vast-ca.crt support@<ip address>:/home/support

With the Linux Shell Password updated to allow SSH access (under Settings → Access Management → Support), SSH into the Cohesity node as the support user. Once logged in, type the command iris_cli to allow for admin user access. The username and password for this login will be the Web UI credentials.

[support@restricted-cohe-03-00505a59cf0-node-1 ~] > iris_cli

To test that the CA certificate that was copied over is valid, run the following test command:

trusted-cas register name=vast-root-ca desc="VAST S3 Root CA" file-path=/home/support/vast-ca.crt only-validate=true

To trust the CA certificate, simply remove the only-validate parameter:

trusted-cas register name=vast-root-ca desc="VAST S3 Root CA" file-path=/home/support/vast-ca.crt

To list all of the trusted CA certificates, use the following command:

trusted-cas list
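Because openssl s_client -showcerts prints every certificate the server presents, and does so over a connection that is not yet trusted, it helps to see which block is which and to compare its SHA-256 fingerprint with a value obtained from the VAST administrator before writing vast-ca.crt. The following is an added example, not part of the Cohesity procedure: the sample output is constructed (the base64 bodies are placeholder bytes, not real certificates) and the function names are hypothetical.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")  # e.g. " 0 s:CN = host"


def fingerprint(der):
    """SHA-256 over the DER bytes, colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def parse_showcerts(text):
    """Return one dict per PEM block found in s_client -showcerts output."""
    certs, meta, body = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if body is None:                       # outside a PEM block
            match = SUBJECT_RE.match(raw)
            if match:
                meta = {"depth": int(match.group(1)), "subject": match.group(2).strip()}
            elif line.startswith("i:") and "subject" in meta:
                meta["issuer"] = line[2:].strip()
            elif line == BEGIN:
                body = []
        elif line == END:                      # block complete
            der = base64.b64decode("".join(body))
            subject, issuer = meta.get("subject"), meta.get("issuer")
            certs.append({
                "depth": meta.get("depth", len(certs)),
                "subject": subject,
                "issuer": issuer,
                # Name comparison only; it does not verify the signature.
                "self_issued": subject is not None and subject == issuer,
                "sha256": fingerprint(der),
                "pem": "\n".join([BEGIN, *body, END]) + "\n",
            })
            meta, body = {}, None
        else:
            body.append(line)
    return certs


def normalize(fp):
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def select_for_trust(certs, pinned_fingerprint):
    """Return the block whose fingerprint equals the out-of-band value, else None."""
    wanted = normalize(pinned_fingerprint)
    for cert in certs:
        if normalize(cert["sha256"]) == wanted:
            return cert
    return None


def pem_block(der):
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"


# Constructed stand-ins for certificate bytes and for the command output.
LEAF_DER = b"constructed bytes standing in for the leaf certificate"
ROOT_DER = b"constructed bytes standing in for the root CA certificate"
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = 16vips.tmphx203.vastdata.lab\n"
    "   i:CN = Constructed Lab Root CA\n"
    + pem_block(LEAF_DER) +
    " 1 s:CN = Constructed Lab Root CA\n"
    "   i:CN = Constructed Lab Root CA\n"
    + pem_block(ROOT_DER) +
    "---\nServer certificate\n"
    "subject=CN = 16vips.tmphx203.vastdata.lab\n"
    "issuer=CN = Constructed Lab Root CA\n---\n"
)

if __name__ == "__main__":
    for cert in parse_showcerts(SAMPLE_OUTPUT):
        print(cert["depth"], cert["subject"], cert["self_issued"], cert["sha256"])
```

Only the "pem" value of the block returned by select_for_trust would be written to vast-ca.crt; a result of None means the presented chain does not contain the certificate that was expected.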

VAST as a Source

NOTE: As of this release, VAST S3 as a source is not functioning as expected. VAST and Cohesity are currently working on this issue and will have it resolved shortly (Case #04270451).

Let's start by looking at the scenario where data resides on the VAST cluster and needs to be backed up to a target location. There are several ways that Cohesity can connect with third-party storage. With VAST being a multiprotocol system, there are three ways to communicate with the VAST cluster as a source: NFS, SMB, and S3.

When an NFS or SMB mount point is registered on the Cohesity system, there is no granularity below that mount point for creating a backup policy. It will be a grab-all policy that will back up that entire directory. During the recovery or restore, Cohesity DataProtect allows for directory browsing for specific file or folder recovery. For S3, when adding the endpoint, Cohesity DataProtect will discover all buckets associated with the access and secret keys, and then backups can be performed on a per-bucket basis.

Depending on how the data is organized within the VAST cluster, various sources (mount points) can be registered to allow for multiple backup policies based on differing backup frequencies and requirements. The following sections will highlight the connection method with a heavy focus on S3 and will follow this general workflow:

Diagram titled VAST showing a left-to-right workflow: Cohesity/DataProtect on left, then icons and labels Register VAST as source, Select Protection Policy, Configure Backup with Protection Group, and Recover Data from VAST.

Figure 17 - Workflow for Adding VAST as Source

Register Source - VAST NFS

The steps in the next few figures show how easy it is to register a mount point from the VAST cluster using NFS v3. On the Cohesity UI, open the Data Protection menu on the left pane and select Sources (Figure 18).

Screenshot of the Cohesity UI Sources page showing left navigation with Data Protection and Sources selected, and a dashboard area with No Sources found.

Figure 18 - Adding a Source

On the Sources page, click on the Register button in the upper right (Figure 19) and then select NAS in the menu list that appears.

Screenshot of application UI showing the top-right Register menu expanded with a dropdown list; the NAS menu item is highlighted with a red outline.

Figure 19 - Select NAS

On the Register NAS page (Figure 20), select Generic NAS as the NAS Source from the pull-down menu, enter the fully qualified domain name (or IP address) and the mount point, and click Register when complete. In this example, the entire mount point FQDN:/infrastructure will be backed up. If a tighter granularity is needed, a more specific path should be used instead.

Dialog titled Register NAS showing Host Details. The NAS Source field is set to Generic NAS (highlighted), protocol options (NFS v3, NFS v4.1, SMB) are visible, and the Mount Point field contains 16vips.tmphx203.vastdata.lab:/infrastructure. Register and Cancel buttons are visible at the bottom-right of the dialog.

Figure 20 - Registering VAST Cluster Mount Point

When the mount point has been registered, it will appear on the Sources page as shown in Figure 21.

Sources page screenshot showing summary metrics at top and a Generic NAS (1) source listed below. The registered source entry 16vips.tmphx203.vastdata.lab:/infrastructure is highlighted in a red box in the source list, with columns indicating Protected = No and Protected Size = 0 Bytes.

Figure 21 - VAST Cluster NFS Source Added

Register Source - VAST S3

Adding a VAST S3 endpoint is just as simple as adding an NFS endpoint. After clicking the Register button (Figure 19), this time select S3 Compatible (not shown). This brings up the Register S3 Compatible Source window shown in Figure 22. S3-compatible sources are required to use HTTPS, so if the VAST S3 certificate has not yet been trusted by the Cohesity node, then do that first (see Trust VAST S3 Certificate).

Screenshot of the Register S3 Compatible Source dialog on a dark blue background showing fields for Endpoint (example URL), Port (443), Access Key ID, Secret Access Key (masked), and Cancel and Register buttons

Figure 22 - Register VAST Endpoint

Here, the endpoint means the FQDN of the VAST VIP Pool (or a single IP address – not recommended). Enter that along with the user's access and secret keys and click Register when complete.

Dashboard Sources view screenshot showing S3 Compatible (1) with a highlighted source row containing endpoint 16vips.tmphx203.vastdata.lab:443 and columns for Protected, Protected Size, and other source metrics

Figure 23 - VAST S3 Endpoint Registered

Once registered, it will be displayed as in Figure 23. There is a limitation with Cohesity in that once an endpoint (VAST VIP Pool) has been used with a pair of keys, it can't be used again, even with a different set of access and secret keys.

Dark-themed Cohesity UI screenshot titled Sources showing discovered endpoint buckets. The panel displays counts for Unprotected (2 Objects, 0 Bytes) and Protected (0 Objects, 0 Bytes). A list of buckets is visible including data-bucket and new-bucket-5ff8fa5d with status and latest snapshot columns.

Figure 24 - Endpoint Buckets

Selecting the registered source displays all discovered buckets accessible by the configured access and secret key (Figure 24).

VAST as a Target

As mentioned at the beginning of the document, there are two very compelling use cases with VAST as the target.

  • ArchiveDirect – VAST Data provides the direct target for backups, with data bypassing DataProtect and being stored immediately on the VAST cluster. Metadata and indexing are stored on the VAST cluster, but also on DataProtect for faster lookups.

  • CloudArchive – VAST Data provides the target for data that goes beyond the initial retention time of keeping the data local to the Cohesity DataProtect. This can be part of a 3-2-1 rule with 3 copies of data on 2 different media and 1 offsite.

To use the VAST cluster for either scenario, it needs to be added as a target and then put into a policy. This section will quickly cover adding VAST as an external target. The policy workflow is discussed in the following section.

Add VAST as an S3 External Target

Cohesity can support both NFS and S3 as a target from the VAST cluster, but keeping with the focus around S3, only that will be highlighted here. On the left pane menu, select Infrastructure and then External Targets (Figure 25).

Cohesity UI screenshot of the External Targets page showing a dark header, a table of external targets with columns like Name, Purpose, Storage Type, Storage Class, Status, Encryption, and a highlighted Add External Target button in the top-right corner.

Figure 25 - Add External Target

In the upper right corner, click on Register External Target. This will bring up a Register External Target window (Figure 26). Both solutions discussed with VAST are archival, so ensure that the Archival radio button is selected.

Screenshot of the Register External Target dialog showing Purpose radio buttons with Archival selected, Storage Type set to S3Compatible, Storage Class Regular, Bucket Name archive-direct, Access Key ID field partially visible (e.g., 0FJOBY09QBCSCA5WI3H5), Secret Access Key masked, Endpoint shown as 8vips.tmphx204.vastdata.lab, and a 443/region field visible.

Figure 26 - Add External S3 – Top Screen

On the Storage Type pull-down menu, select S3Compatible. Enter the name of a pre-configured bucket, the access and secret keys of the bucket owner, and then the endpoint. No region needs to be entered. Further down the wizard (Figure 27) is garbage collection. With this most likely being an on-prem cluster, there may not be any egress charges, but network utilization could be an issue. With the VAST cluster’s superior deduplication and similarity, a good option here is to select Network Optimized. For an external target, Cohesity supports both HTTP and HTTPS.

Screenshot of the lower portion of the Add External S3 dialog showing Garbage Collection options with Storage Optimized and Network Optimized choices, Secure Connection (HTTPS) toggle, AWS Signature Version selection (Ver 2 and Ver 4), External Target Name set to tmphx204-archive-direct, and toggles/options for Archive Object Lock, Encryption, Compression, Bandwidth Throttling, plus Cancel and Register buttons at the bottom-right.

Figure 27 - Add External S3 – Bottom Screen

VAST supports both version 2 and version 4 of AWS signatures. Archive object lock is discussed separately. The most important aspect of storing data on the VAST cluster is not to encrypt it: if the data itself is encrypted, there will be no deduplication or similarity savings on the VAST side. This is another advantage of S3, in that data encryption can be left off while a combination of HTTPS (encrypted transport) and VAST Data's encryption at rest secures the data from Cohesity to VAST. Using Cohesity's compression is highly encouraged, as it minimizes the amount of data sent to VAST, which improves backup times and also reduces local network utilization.

Screenshot of the External Targets UI showing a list of targets (columns: Name, Purpose, Storage Type, Storage Class, Status, Encryption) with rows including VAST203-NFS-Archive, tmphx204-cloud-archive, and tmphx204-archive-direct; dark themed dashboard with highlighted row.

Figure 28 - VAST External S3 Target Added

Click Register to finish.  After the VAST cluster has been registered as an external target, it can now be added to a Protection Policy, which differs slightly in each of the target use cases.

VAST S3 with Object Lock

The VAST cluster supports object lock on any S3 bucket, provided that the bucket’s view is not also enabled for other protocols.  It works in conjunction with Cohesity DataProtect, and as shown in the section Enabling Object Lock / WORM, it’s important to only enable it and not to set any retention mode or retention period. VAST is essentially supporting any mode and retention that Cohesity sends.

By default, Cohesity uses GOVERNANCE mode with object lock. COMPLIANCE mode is also supported, but there is currently no way to select it through the UI. If COMPLIANCE is needed, reach out to the Cohesity support team, who can explain how to configure DataProtect to use that mode with a particular bucket.

Register External Target dialog screenshot showing form fields such as Purpose (Archival/Tiering), Storage Type (S3Compatible), Storage Class (Regular), Bucket Name, Access Key ID, Secret Access Key masked, Endpoint, Port (443), Garbage Collection options, Secure Connection (HTTPS) option and AWS Signature Version; dark themed configuration panel.

Figure 29 - Enable Object Lock on VAST S3 Target - Top

With object lock enabled on the VAST bucket, the workflow for adding it to Cohesity is similar to adding the S3 external target in the previous section. Starting with the Register External Target window, fill in the appropriate fields as shown in Figures 29 and 30. The key component is that the Archive Object Lock toggle is turned on.

A dark-themed configuration dialog titled VAST S3 Target showing various target options. The Archive Object Lock toggle is highlighted (switched on) with an orange warning box beneath explaining immutability; other toggles like Encryption, Compression, and Bandwidth Throttling are visible. A Register button is shown in the lower-right corner.

Figure 30 - Enable Object Lock on VAST S3 Target - Bottom

When completed with the form, simply click Register.

Cohesity does not allow direct backup to object lock-enabled external targets. This means that this type of target can’t be used for ArchiveDirect policies, where the backup bypasses the DataProtect cluster. It has to be used in a Cloud Archive policy, where the primary copy lands on DataProtect and is then archived to the object lock-enabled VAST target. If object lock is going to be used, jump straight to the VAST for Cloud Archive section to create a policy.
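One way to confirm the object lock settings described in this section, as an added example that is not part of the VAST or Cohesity documentation: the functions below evaluate parsed S3 GetObjectLockConfiguration and GetObjectRetention responses (for instance, as returned by boto3). The sample responses and object keys are constructed, and it is assumed that the VAST endpoint answers these calls in the standard S3 response shape.

```python
from datetime import datetime, timezone

def audit_bucket_lock(resp):
    """Evaluate a GetObjectLockConfiguration response: object lock must be
    enabled, and the bucket must NOT carry a default retention rule."""
    cfg = resp.get("ObjectLockConfiguration", {})
    findings = []
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock is not enabled on the bucket")
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if default:
        findings.append(f"bucket default retention is set ({default.get('Mode')}); "
                        "leave it unset so the backup application's values apply")
    return findings

def audit_object_retention(key, resp, expected_mode="GOVERNANCE", now=None):
    """Evaluate a GetObjectRetention response for one archived object."""
    now = now or datetime.now(timezone.utc)
    ret = resp.get("Retention") or {}
    if not ret:
        return [f"{key}: no retention set"]
    findings = []
    if ret.get("Mode") != expected_mode:
        findings.append(f"{key}: mode is {ret.get('Mode')}, expected {expected_mode}")
    until = ret.get("RetainUntilDate")
    if until is None or until <= now:
        findings.append(f"{key}: retain-until date is missing or in the past")
    return findings

# Constructed sample responses in the standard S3 shape (not captured output).
NOW = datetime(2026, 2, 12, tzinfo=timezone.utc)
BUCKET_OK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
BUCKET_DEFAULT_SET = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
OBJECTS = {  # hypothetical keys
    "archive/chunk-0001": {"Retention": {"Mode": "GOVERNANCE",
        "RetainUntilDate": datetime(2026, 5, 1, tzinfo=timezone.utc)}},
    # Assumption: the caller maps a "no retention" error from the API to {}.
    "archive/chunk-0002": {},
}

if __name__ == "__main__":
    for name, resp in (("ok", BUCKET_OK), ("default-set", BUCKET_DEFAULT_SET)):
        print(name, audit_bucket_lock(resp) or "PASS")
    for key, resp in OBJECTS.items():
        print(key, audit_object_retention(key, resp, now=NOW) or "PASS")
```

Pass expected_mode="COMPLIANCE" for buckets that Cohesity support has configured to use that mode.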

Backing Up Data

To be able to back up data from a source to a target, there are two components needed: a policy and a protection group.

The protection group defines the source data to back up, and a policy defines the target and the schedule. The policy also defines the use case, ArchiveDirect or Cloud Archive, based on where the data lands and how many copies there are.

The following sections discuss the protection policy in terms of these use cases, and then cover protection groups.

Protection Policy

By default, Cohesity provides four protection policies – Bronze, Silver, Gold, and Protect Once. We'll add an additional policy to use for illustration purposes for both an archive direct target and an archive target.

VAST For CloudArchive Direct

In this example, we will create a policy using the VAST S3 external target created previously. The way the policy is created defines the use case. Here, it'll be crafted in such a way that it highlights CloudArchive Direct.

Again, with CloudArchive Direct, a backup goes directly from the source to the VAST external target, bypassing Cohesity from a data standpoint. So, Cohesity plays the middleman and just performs an archive without any backup on the local DataProtect cluster. Only the metadata and indexes are stored on the DataProtect cluster to improve searching and restores. The data, metadata, and indexes are stored on the VAST external target.

Screenshot of the Create Protection Policy dialog showing Archive Direct Policy in the Policy Name field, the Primary Copy selection, and the VAST S3 external target highlighted as the archive direct target.

Figure 31 – Create Archive Direct Policy

Configuring a policy is very straightforward, and with the VAST targets already configured, it's a breeze. Starting from the left pane menu, select Data Protection and then Policies, then in the upper right, click on Create Policy (not shown). This will open the Create Protection Policy window (Figure 31). Give the policy a name, and then in the Primary Copy pull-down menu, instead of Local (the Cohesity cluster), select the VAST S3 external target (object lock-enabled targets will not show up here – see the VAST for Cloud Archive section). Here, the primary location is aptly named the archive direct target. Finish the policy by defining backup frequency and retention, and then click Create. The finished policy will show as in Figure 32.

Policies screen showing an Archive Direct Policy row highlighted with a red box and arrow pointing to a cloud backup icon on the right side of the row.

Figure 32 - Finished Archive Direct Policy

Note in the completed policy that the backup icon shows a cloud instead of the oval shape, which is local to Cohesity. This denotes the backup is going to a cloud target, in this case, a VAST S3 bucket.

VAST For Cloud Archive

A Cohesity cloud archive target is a location for a secondary copy on top of the copy stored on Cohesity. It typically has a longer retention and is considered a cold tier. Data can be recovered from either the local copy (until expiration) or the cloud archive. Creating a cloud archive policy is done in only a few steps. Again, starting from the left pane menu, select Data Protection and then Policies, then in the upper right, click on Create Policy. Before going too far in the configuration of the policy, select More Options, which will expand the choices (Figure 33).

Create Protection Policy dialog showing Cloud Archive Policy settings; the More Options button is highlighted in the lower right of the dialog.

Figure 33 - Select More Options

The expanded window (Figure 34) gives a lot of new choices, and the pertinent one here is the Add Archive option. Click on that to add the archive layer to the policy. In the Archive To pull-down menu, select an appropriate target (object lock-enabled targets are visible) – here, the aptly named target is selected, and then a schedule is configured. Once finished, simply click Create.

Screenshot of the Configure Cloud Archive Policy dialog in the Cohesity UI showing sections Backup, Primary Copy, and Archive; the Archive section is highlighted with red boxes and an arrow pointing to the Archive settings and the Add Archive button.

Figure 34 - Configure Cloud Archive Policy

The configured policy is shown in Figure 35. Note the icons on the right side denoting that the backup copy is local to Cohesity and the archive is in a cloud target – in this case, a VAST S3 bucket.

Screenshot of the Policies list in the Cohesity UI showing the Cloud Archive Policy row highlighted with an arrow pointing to the Backup and Archive icons on the right side of the row.

Figure 35 - Completed Cloud Archive Policy

Protection Group

A protection group combines a policy with a data source to create a backup. This example will back up data from one VAST cluster (a NAS source) to another VAST cluster (the target), highlighting both ways VAST can be used in a Cohesity environment. To create the protection group, click on Protection in the left menu, click on Protect in the upper right (Figure 36), and then select NAS.

Screenshot of the Protection header showing counts for Succeeded/Warning/Failed/Running/Cancelled, a Protect dropdown on the right with NAS highlighted

Figure 36 - Creating Protection Group

When the New Protection window appears (Figure 37) click on Add Objects.

New Protection modal window showing options Add Objects, Protection Group, and Policy with Cancel, More Options, and Protect buttons

Figure 37 - Creating Protection Group

In the Add Objects window (Figure 38) use the pull-down menu to reveal the NAS Mount Points option and then click on it.

Add Objects dialog with a pull-down menu open showing NAS Mount Points option highlighted in a red box

Figure 38 – Selecting VAST NFS Source

This will show the full list of available mount points (Figure 39). Select the appropriate mount point to protect.

Screenshot of an Add Objects dialog titled Add Objects showing Registered Source NAS Mount Points. The UI shows one NAS mount point selected with a blue checkbox and a highlighted row for 16vips.tmphx203.vastdata.lab/... and filter controls such as Protection Status and Protocol.

Figure 39 - Picking VAST S3 Source

When ready, click Continue and give the protection group a name. Finally, click on the policy and select one of the policies created previously.

Figure 40 - Protection Group Summary

Upon creating the protection policy, it will be initiated, and a backup will begin. While the backup is running or when it's complete, its status can be viewed by clicking into the protection group (Figure 41).

Screenshot of Run Details: NFS-userdata showing backup run summary and a table of snapshot entries. One row is highlighted for mount path 16vips.tmphx203.vastdata... with columns for Start Time, End Time, Snapshot Expiry Time, Duration, Data Read, Data Written, and Changed Entities/Total. The row shows the run succeeded and displays data sizes and counts.

Figure 41 - Protection Group Backup Details

Recovering Data

Recovering data is relatively simple, but there are a couple of ways to do it.  You can recover the entire dataset by navigating into the specific backup snapshot. The easiest way for both entire volume recoveries and file/folder recoveries is to use the Recoveries window.

Restoring Files/Folders

To do that, in the left pane menu, select Data Protection and then Recoveries.  In the upper right, click on Recover (Figure 42).

Recoveries window screenshot showing a dark blue UI with summary counters and the Recover dropdown in the upper-right; menu items Files or Folders and NAS highlighted

Figure 42 - Selecting Recovery Category

Selecting NAS provides two choices, and in this example, Files or Folders is selected. This brings up another window to help refine the search, either by browsing or by a specific file or folder name (Figure 43).

Files browse screenshot showing Protection Group entry with details and a Browse button highlighted on a dark blue UI

Figure 43 - Selecting Browse on Protection Group

If a specific file or folder is known, it is easy to find it by using the Files and Folders option and searching with appropriate characters.  If the data is in a known directory, then perhaps selecting the Browse method would be more appropriate.  In either case, a wildcard is available for broader searches.

Once the item(s) have been selected, there are several recovery options to choose from, but one easy way is just to download the files and folders directly.  If there is more than one file, Cohesity DataProtect will zip the files and allow download when complete (Figure 44).

Dark-themed Recoveries UI screenshot showing the job title Download_Files_Feb_12_2026_1_25_PM, status Succeeded, a list of recovered files with status Finished, and a highlighted Download button in the upper-right corner

Figure 44 - Multi-File Recovery Download Ready

Restoring Entire Storage Volumes

One solution that is unique to the VAST cluster is that with backup data residing on a VAST cluster, it can also become primary storage by rehydrating or restoring the data back to itself.  So, the entire volume could be recovered (rehydrated) right back to the same VAST cluster (Figure 45).

Storage Volumes UI screenshot showing source/protection group/storage domain filters, a listed volume 16vips.tmphx203.vastdata.lab:/demo/mydata, selection panel on the right and a Next: Recover Options button

Figure 45 - Full Volume Recovery

This may not be very beneficial on the surface, but what happens is that the restored data is deduplicated up to 98% even with the backup data in Cohesity's proprietary format.

Storage Volumes Recover To UI screenshot showing options Original Location, New Location, New Cohesity View, and a Register backup VAST also as a source button; dark-themed interface

Figure 46 - Restore Entire Storage Volume to Same VAST

This is all due to the byte granularity at which VAST Data’s deduplication and similarity-based reduction operate. Testing has shown that only 2–10% additional capacity is needed to restore the backup data to the same cluster. Disaster recovery, DevOps, engineering, and even AI workloads can use the restored backup data with minimal additional capacity used.

Restoring VMs

Recovering VMs is just as simple as recovering everything else. This example shows how to recover a full VM. Again, in the left pane, select Data Protection and then Recoveries. On the right side of the window, select Recover, but this time select VMs (Figure 47).

Recoveries dashboard screenshot showing the Recover dropdown menu with Virtual Machines and VMs highlighted; status summary header and recovery task list visible

Figure 47 – Selecting Recover Virtual Machines

Virtual Machines selection window screenshot showing a list of VMs, search/filter controls, and a selected VM on the right pane ready for recovery

Figure 48 - Selecting VMs to Recover

A Virtual Machines window will appear and the VMs can be searched by name or even wildcard (Figure 48). Select the VM(s) to be recovered and then click on Recover Options.

Virtual Machines dialog showing Recover To options (Original Location, New Location); Recovery Method options (Instant Recovery, Copy Recovery) with an information box stating Recovered VMs will only be available in the target environment after all the data has been copied over from Cohesity to the storage target.; Existing VM Handling options (None, Overwrite Existing VM, Keep Existing VM) and subtext This will power off and rename the existing VM.

Figure 49 - Restore VM Details

A Virtual Machines window now appears with further details on how and where to restore the VM (Figure 49), followed by a summary screen (Figure 50).

Recovery Summary panel showing summary rows: Objects, Recover To (Original Location), Recovery Type (Copy Recovery), Existing VM Handling (Keep Existing VM); also shows Virtual Machines : 1 | Protection Group : 0 and a Start Recovery button on the summary screen.

Figure 50 - VM Restore Summary

The complete VM restore will show as in Figure 51.

Recoveries list screen showing recovery tasks with columns for Recovery Task, Start Time, Status, Duration; highlighted entry shows a VM recovery task with Status Succeeded and timestamps.

Figure 51 - VM Recovery Task Completed

For further information on specific VM recovery options, see the Cohesity user guide.

Summary

Together, the VAST Data Platform and Cohesity DataProtect deliver a flexible, scalable foundation for primary storage, protection, and long-term retention. VAST can host performance-sensitive primary workloads that are protected by Cohesity for rapid recovery and operational resilience.

VAST can also serve as a massively scalable, flash-efficient archive tier, whether as a target for Cohesity backup policies or as a direct object storage destination via Archive Direct from VAST or third-party environments. This bidirectional flexibility enables organizations to design protection architectures that optimize performance, efficiency, and cost without introducing infrastructure silos.