Managing Protected Paths

Protected Paths Overview

A protected path is a path in the element store (file/object system) that is protected by snapshots and/or replication to one or more remote peers.

Protected paths are used by the following data protection features:

Async replication, where data is captured by snapshots on a schedule of points in time and replicated to other clusters
Sync replication, where data on a path on a primary cluster is replicated immediately on every write operation to a destination path on a secondary cluster.
Overview of VAST Replication
Global access, where a data path is shared with one or more remote clusters such that the data is accessible to clients of the remote cluster at a target path.
Local backup, where data is captured by snapshots on a schedule of points in time and stored locally. Snapshots and Local Backup
Backup to S3, where data is captured by snapshots on a schedule of points in time and replicated via S3 to an AWS bucket. Overview of Backup to S3

For full configuration instructions for async replication, sync replication, local backup and backup to S3, see the relevant feature section, linked above.

A protected path can have one or more destinations. In replication and backup features, each destination has a replication stream takes snapshots of the data on a schedule controlled by a protection policy. Each protection policy determines how long snapshots are stored and retained locally and if they are replicated to a remote peer and on what schedule.

Creating Protected Paths between Tenants

You can configure protected paths between tenants on different clusters, subject to the following restriction:

If Tenant A replicates a protected path to Tenant B on a remote cluster, it cannot then replicate another path to Tenant C on the same remote cluster (that is, Tenant A cannot have replicated protected paths to more than one tenant on the same remote cluster). It can, however, replicate protected paths to Tenant C (or any other tenant) on a different remote cluster. Similarly, Tenant A can replicate additional protected paths to Tenant B on the same remote cluster.

Limitations and Cautions

Managing Protection Policies

Important
Limitations:
No more than one replicating protected path can be configured per directory.
Protected paths with async replication or backup to S3 cannot be nested.
A protected path cannot have a file under it that has a hard link outside of the protected path.
It is not allowed to create a protected path on a subdirectory under a path that exposes an S3 bucket.

Caution
If you create a protected path to replicate data to a peer that you already replicated data to earlier by means of another protected path that was deleted earlier, the initial sync is performed again. In other words, the re-creation of a protected path triggers a new transfer of all data under the path to the peer.

Note
Moving data across the boundaries of protected paths is supported by an implicit conversion to a copy and delete task. As such, movement may take longer than expected. This includes the following:
Moving a file or directory from a protected path to a non protected path.
Moving a file or directory from a non protected path to a protected path.
Moving a file or directory from one protected path to another protected path.

Creating a Remote Protected Path in the VAST Web UI

In the left navigation menu, select Data Protection and then Protected Paths.
On the Protected Paths tab, click New Remote Protected Path.

In the Add Protected Path dialog, click Add Source/Primary and complete the fields:

Tenant	Select the tenant under which the source path resides. Note Paths on different tenants can share identical names.
Name	Enter a name for the protected path.
Path	The path you want to replicate. A snapshot of this directory will be taken periodically according to the protection policy. Note If you specify '/' (the root directory), this includes data written via S3. To specify a path to a specific S3 bucket with name bucket, enter /bucket.

Click Next.

In the Add Destination/Secondary dialog, complete the fields:

Mode	Select the mode: Async Replication. For async replication to a remote peer. Sync Replication. For sync replication to a remote peer. S3 Replication. For backup to an S3 bucket. Global Access. For global access.
Activate Global Access	Check this box if you want to enable global access on an async replication destination path. This requires that both the source and destination peers are running VAST Cluster 5.4.
Protection policy	If you selected Async Replication for Mode, select a protection policy from the dropdown or select Add new Protection Policy, configure the new one in the dialog provided and save it. Warning After adding a destination to a protected path, it is not possible to change which policy is associated with the destination. All changes to a destination's snapshot schedule, replication schedule, and snapshot expiration must be done by modifying the protection policy. Those modifications affect all destinations that use the same protection policy. To work around this limitation, use one protection policy per destination.
Cluster	If Mode is set to Async Replication, and the selected protection policy has a peer configured, this field is filled automatically with the cluster specified as the peer in the protection policy. If the protection policy has no peer configured, the destination will be local for storing snapshots on the cluster. If Mode is set to Global Access, select a remote cluster where you want to configure a destination path. The remote cluster must be configured already as a replication peer.
Remote tenant	This field is applicable only if there is a remote peer set in the Cluster field and it has more than one tenant. If it appears, select a tenant on the remote peer from the dropdown. The remote path will be created on the selected tenant. The selection of tenant on the remote peer is subject to the restriction in Creating Protected Paths between Tenants.
Path	This field is applicable only if there is a remote peer set in the Cluster field. Specify the directory on the remote peer cluster where the data should be replicated. This must be a directory that does not yet exist on the remote peer. Tip You cannot use "/" as remote path because that always exists already. Therefore if you would like to replicate all data under the root directory, you will need to replicate this to a subdirectory. e.g. path on peer = "mirror/"

Click Save.
Click Create.
The protected path is created and listed in the Protected Paths tab.

Creating a Local Protected Path in the VAST Web UI

In the left navigation menu, select Data Protection and then Protected Paths.
On the Protected Paths tab, click New Local Protected Path.

In the Create Local Protected Path dialog, complete the fields:

Tenant	Select the tenant under which the source path resides.
Name	Enter a name for the protected path.
Path	The path you want to replicate. A snapshot of this directory will be taken periodically according to the protection policy. Note If you specify '/' (the root directory), this includes data written via S3. To specify a path to a specific S3 bucket with name bucket, enter /bucket.
Protection policy	Select a protection policy from the dropdown or select Add new Protection Policy, configure the new one in the dialog provided and save it. Warning After adding a destination to a protected path, it is not possible to change which policy is associated with the destination. All changes to a destination's snapshot schedule, replication schedule, and snapshot expiration must be done by modifying the protection policy. Those modifications affect all destinations that use the same protection policy. To work around this limitation, use one protection policy per destination.

Click Create.
The protected path is created and listed in the Protected Paths tab.

Adding Destinations to a Remote Protected Path

When you first create a remote protected path, you can add one destination. After creating the protected path, you can add additional destinations.

In the Protected paths page, right-click the protected path and select Edit.

In the Edit Remote Protected Path dialog, click +Add Another, and enter the following:

Mode	Select the mode: Async Replication. For async replication to a remote peer. Sync Replication. For sync replication to a remote peer. S3 Replication. For backup to an S3 bucket. Global Access. For global access.
Activate global access	Check this box if you want to enable global access on an async replication destination path. This requires that both the source and destination peers are running VAST Cluster 5.4.
Protection policy	Select the protection policy that is configured for the remote peer that you want to add. The Remote peer field is filled with the remote peer from the protection policy.
Cluster	If Mode is set to Async Replication, and the selected protection policy has a peer configured, this field is filled automatically with the cluster specified as the peer in the protection policy. If the protection policy has no peer configured, the destination will be local for storing snapshots on the cluster. If Mode is set to Global Access, select a remote cluster where you want to configure a destination path. The remote cluster must be configured already as a replication peer.
Remote tenant	This field appears only if the remote peer has more than one tenant. Select the tenant on the remote peer where you want to create the remote path. The selection of tenant on the remote peer is subject to the restriction in Creating Protected Paths between Tenants.
Path	Specify the path on the remote peer to which you want the stream to replicate the data from the protected path. The path you specify must be to a directory that does not yet exist on the remote peer.

Click Update.

Removing a Destination from a Protected Path

When you remove a destination from a protected path on the source cluster, VMS removes any associated standby stream(s) on destination clusters.

On the source cluster, right-click the protected path and select Edit.
Click the trash icon for the destination you want to remove.
Click Yes to confirm the removal.

Viewing Protected Paths

In the left navigation menu, select Data Protection and then Protected Paths.

The following information is displayed for each protected path:

Field	Description
ID	The ID of the protected path.
Name	The name of the protected path.
Role	For async replication, the role of the local peer in the protected path, which can be: Source. Snapshots are replicated from the local peer to the remote peer. The protected path on the local peer is writeable. Destination. Snapshots are replicated from the remote peer to the local peer. The replication path on the local peer is read only. Standalone. Replication between the peers is suspended and data on the local peer is writeable.
Global Access	Indicates the Global Access status for the path.
Mode	Shows the current replication mode, such as synchronous or asynchronous replication.
State	Possible values: Format. The protected path is being formatted and the initial sync has not yet begun. Initial Sync. The initial data sync is in progress. Active. The initial data is sync was completed in the past and the protected path is enabled. Suspended. The protected path was suspended. A protected path can be suspended in any of the following situations: When manually deactivated. Temporarily during graceful failover (async replication). If the connection between the peers is lost (async replication). Following ungraceful failover, when the protected path role is standalone and both peers are writeable (async replication).
Health	An indication of whether the state is OK or not: OK, if the State of the protected path is healthy. Error, if the State is not a healthy state.
Local Path	The local data path that is being protected.
Tenant	The local tenant to which the local data path belongs.
Destination path	For async replication and global access only. The directory on the peer where the protected data is replicated or made globally accessible. If the protected path has multiple destinations, each destination has a different path on peer.
Remote Tenant	For async replication and global access only. The tenant on the replication peer to which the path on peer belongs. (There is more than one if the protected path has multiple destinations.)
Replication Peer	If there is a replication peer configured on the cluster, this field displays the cluster name of the replication peer. (There is more than one if the protected path has multiple destinations. )
Protection Policy	The protection policy which governs the protected path's schedule, snapshot retention and replication peer if applicable.
Last Point Creation Time	The time of the last completion of a restore point on the replication peer or replication S3 peer, if applicable.
Next Point progress	The progress towards creating the next restore point on the destination peer(s).
BW	The speed of the connection with a replication peer or replication S3 peer, if applicable.
Aggregated Usage	An estimate of the amount of usable capacity that could be reclaimed by deleting all snapshots on the protected path. This estimation takes into account any nested protected paths that hold common data, because data held by another protected path's snapshots would not be removed even if all snapshots on the protected path were removed.
Next Point Physical Size	The physical size on disk of the delta to be transferred in the next restore point.
Next Point Logical Size	The logical size on disk of the delta to be transferred in the next restore point.
ETA	Applicable during a failover event, this is the estimated time remaining until the local peer completes a change of replication role with respect to the protected path. For example, if the local peer is changing from destination role to source role for the protected path, this is the estimated time until that role change is complete.
Files Counted	The number of files at the protected path on the local peer.
Progress	Applicable during a failover event, this is the percentage progress of a change of replication role for the local peer with respect to the protected path. For example, if the local peer is changing from destination role to source role for the protected path, this is the percentage progress so far for that role change.

Activating and Deactivating (Starting and Pausing) Protected Paths

Deactivating a protected path pauses replication for the path. Activating the protected path resumes replication.

Note
Deactivating a protected path that is using an indestructible protection policy requires unlocking the indestructibility mechanism on the cluster.

Right-click the protected path you want to activate or deactivate, and select Activate or Deactivate as needed.

Removing a Protected Path in VAST Web UI

Removing a protected path prevents the ability to resume it. After removing a protected path, if you create a new protected path using the same policy, that new protected path triggers a new initial sync, copying over all of the VAST Cluster's data to the S3 replication peer (if a peer is specified in the policy).

Tip
If you only want to pause replication and you may want to resume later, don't remove the protected path; instead deactivate the protected path.

Removing a protected path does not delete snapshots or restore points that were already backed up to an async or S3 replication peer.

To remove a protected path:

Right-click the protected path and select Remove.
Click Yes to confirm the removal.