Rubrik : Archiving on Google Cloud Platform (GCP)



Background

Your Rubrik platform is getting full and you are low on CAPEX. However, if you have plenty of OPEX, then the cloud is yours. Setting up archiving in the cloud can be a complex process. I'm actually quite new to this area, so I will try to explain how to use it.

Google is your friend! 

Most of the time, yes. But when it comes to configuring buckets and object store archiving, it can be something other than a friend.

Actions on the GCP Side

Firstly, you need to prepare the work on the GCP side (from the Google Cloud Console). Go to the Storage section and create a new bucket :



Note: the name must be unique within the entire GCP infrastructure, so be very specific to your own needs to avoid a "name already in use" error. For the bucket location, I recommend using a Google datacenter as close as possible to your Rubrik infrastructure. That will drastically improve data transfer performance. For the storage class, Google recommends choosing Nearline for backup archives.


Next, we need to create a specific service account to access our bucket from the Rubrik side. Go to Service Account :




Create a service account and ask Google to generate a key for it in JSON format.

The key (secure it, there is no way to regenerate it later) looks like this :

{
  "type": "service_account",
  "project_id": "xxxxxxxxxxxxxxxx",
  "private_key_id": "f9e95990cdxxxxxxxxxxxxxxe4fbc00ee",
  "private_key": "-----BEGIN PRIVATE KEY-----\n[private key material removed]\n-----END PRIVATE KEY-----\n",
  "client_email": "rubrik-test-archive@xxxxxxxxxxxx.iam.gserviceaccount.com",
  "client_id": "10480000000000002470",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/rubrik-test-archive%40xxxxxxxxxxx.iam.gserviceaccount.com"
}

Go back to the previously created bucket and edit the permissions: add a new member, type the service account we just created in the New Member section, and assign it the Storage Admin rights.
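Storage Admin is a broad role and the JSON key is the only credential protecting it, so both are worth checking once the binding is in place. The following is an added example, not part of the original post or of Rubrik's tooling: it checks the downloaded key file's permissions and fields, then audits a bucket IAM policy in the JSON form printed by `gsutil iam get gs://BUCKET`. The sample policy and the `example-project` name are constructed for illustration.

```python
import json
import os
import stat

PUBLIC = {"allUsers", "allAuthenticatedUsers"}
KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}

def check_key_file(path):
    """Problems with a downloaded service account key file (empty list = OK)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:o}: readable beyond the owner, use 600")
    with open(path) as fh:
        key = json.load(fh)
    missing = KEY_FIELDS - key.keys()
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    return problems

def audit_bucket_policy(policy, sa_email):
    """Audit a bucket IAM policy as printed by `gsutil iam get gs://BUCKET`."""
    sa = "serviceAccount:" + sa_email
    out = {"sa_roles": [], "public_roles": [], "other_admins": []}
    for b in policy.get("bindings", []):
        members = set(b.get("members", []))
        if sa in members:
            out["sa_roles"].append(b["role"])       # what the archive account holds
        if members & PUBLIC:
            out["public_roles"].append(b["role"])   # anything granted to the world
        if b["role"] == "roles/storage.admin":
            out["other_admins"] += sorted(members - {sa})  # unexpected admins
    return out

# Constructed sample policy (not from the page): the archive service account
# holds Storage Admin, and a stray public read binding has crept in.
SAMPLE_SA = "rubrik-test-archive@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.admin", "members": ["serviceAccount:" + SAMPLE_SA]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
]}

if __name__ == "__main__":
    print(json.dumps(audit_bucket_policy(SAMPLE_POLICY, SAMPLE_SA), indent=2))
```

For an archive bucket, `public_roles` and `other_admins` should both come back empty.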


Actions on the Rubrik Side

The next step is on the Rubrik CDM side. Click on the gear icon, then Archival Location, then the plus sign to reach this screen :



A few remarks here: the encryption password is something you choose; ideally it should be complex, and it will be used to encrypt the data written to GCP (on the fly).
The Service Account JSON key is the one you secured above when generating the key.

Press add.

You should see a screen similar to this : 


At this stage, the baseline is ready and we can use it.

Create an SLA as usual and in the second screen configure the following :




Now, you can assign objects to this SLA and the archival will kick in!



Now, back on the GCP side, you can see some files coming in the bucket :



Note: there is nothing you can do with or exploit from the data stored in the bucket; only Rubrik knows how to use that data.

Using the Cloud Console from the GCP interface, you can issue some commands to see the usage of the bucket : 

 flhoest@cloudshell:~ (my_project)$ gsutil du -s -h gs://rubrik-nutanix-archive-fred
69 GiB gs://rubrik-nutanix-archive-fred
flhoest@cloudshell:~ (my_project)$ gsutil ls gs://rubrik-nutanix-archive-fred
gs://rubrik-nutanix-archive-fred/rubrik_cluster_lock.txt
gs://rubrik-nutanix-archive-fred/rubrik_encryption_info.txt
gs://rubrik-nutanix-archive-fred/rubrik_encryption_key_check.txt
gs://rubrik-nutanix-archive-fred/blobstore/
gs://rubrik-nutanix-archive-fred/snappables/
flhoest@cloudshell:~ (my_project)$

While operating the backups, the status of a snapshot can be cloud only, both local and in the cloud, or local only.

Cloud Only

Both on-prem and in the cloud



Local only

Be careful while playing with archives: the cost can be surprising in some cases, so be sure to check and understand what you are doing. As a matter of best practice, I would recommend having an on-prem buffer with some sort of cheap S3-like storage before sending data to the cloud for longer-term retention, rather than pushing your archives directly to public cloud providers.

Usually, the providers offer a cost simulator that can be very useful. Here is a sample with GCP for 10 TB with some retrieval operations :


Sample class A operations
Create buckets; upload objects; set bucket permissions; delete object permissions

Sample class B operations
Download objects; view metadata; retrieve bucket and object permissions

Final note : as of now (Dec 2020) there is no way to move archived data from one location to another. Rubrik is considering this for the future.

I hope this guide will help others struggling to configure archiving in the cloud.

That's it for today ;)


