Acronis #CyberFit Cloud Tech Associate Cyber Infrastructure 2023 Handout
#CyberFit Academy
The course that you are taking is Cloud Tech Associate Cyber Infrastructure.
This is an optional course that you are taking in the Cloud Tech Associate track.
We hope you will have a great time learning about the Acronis products.
By the end of the course, you will know more about what you are selling, so you will feel more comfortable doing it and be ready to talk to your customers about it.
Meet your Instructor
Amos Dong
Partner Technology Evangelist
Singapore
English and Chinese
Amos.Dong@acronis.com
Amos is passionate about the latest technology trends. He comes from a solid technical IT infrastructure background. He has over 16 years of experience in the IT industry, holding multiple certifications from Microsoft, Cisco, VMware, and Red Hat. His interests and specializations include Windows Server, Active Directory, Exchange Server, Hyper-V and VMware virtualization, Microsoft 365 and Google Workspace, Cisco Routing and Switching, Network Security, and Linux Server.
Learning Objectives
Course Modules
1. Case Study
2. Overview
1. What is ACI?
2. ACI in Acronis Ecosystem
3. Deployment Options
4. Acronis Cyber Protect Cloud Back-end Options
5. Licensing models
Course Modules (Continued)
3. Technology Fundamentals
1. Storage Cluster
• Failure Domains
• Data Distribution Models
• Disk Roles and Storage Tiers
2. Networking Concepts
• Understanding Traffic Types
• Private and Public Networks
Cyber Protect Cloud
Case Study
Meet Joseph
(MSP Business Owner)
Challenges and Points of Consideration
Joseph has been researching the perfect storage solution on his own.
Benefits
After discussing his concerns with their Acronis Account Manager, Joseph came to know of Acronis Cyber Infrastructure.
It is a hardware-neutral hyperconverged infrastructure.
It offers flexible licensing options.
It helps to reduce his total cost of ownership.
It covers all storage types with a universal storage solution: it can support Acronis Cyber Protect Cloud backup storage, S3, block storage, and NFS storage types.
This is the perfect storage solution for him, one that can meet all his customers' storage requirements.
Section Summary
Acronis Cyber Infrastructure
Overview
In this section, we will go through an overview of Acronis Cyber Infrastructure.
Section 2 – Overview
Modules
1. What is ACI?
2. ACI in Acronis Ecosystem
3. Backup Storage Architecture
4. Deployment Options
5. Acronis Cyber Protect Cloud Back-end Options
6. Licensing Models
Acronis Cyber Infrastructure
What is ACI?
In this module, we will cover what ACI is.
Acronis Cyber Infrastructure
An integrated suite of software and hardware technologies providing the foundation for Acronis Cyber Protection services
[Figure labels: Advanced Security, Advanced Backup, Advanced Disaster Recovery, Advanced Email Security, Advanced File, Advanced Management, Cyber Files Cloud, Cyber Notary Cloud]
Acronis Cyber Infrastructure
Cover all use-cases and scenarios with one solution
Reduce TCO
Improve IT Productivity
Deliver Innovative Cyber Protection
Ensure Seamless Integration
Eliminate Resource Silos
Acronis Cyber Infrastructure covers all use cases and scenarios with one solution. It helps you to:
Reduce TCO: shrink costs by working with industry-standard hardware and pay-as-you-go licensing.
Improve IT Productivity: leverage agile implementation, deployment, maintenance, and management with an easy-to-use GUI and single sign-on (OpenID).
Deliver Innovative Cyber Protection: protect against component failures and data corruption with flexible erasure coding and mirroring, and inbound firewall rules for node interfaces.
Ensure Seamless Integration: work optimally with Acronis cyber protection solutions to completely protect data on any workload, anytime and anywhere.
Eliminate Resource Silos: offer software-defined block, file, and object storage in a single IT infrastructure solution.
What is ACI?
Acronis Cyber Infrastructure is a Linux-based OS with additional functionality included
What is ACI? (Continued)
Acronis Cyber Infrastructure is a storage system
• Storage system designed to store data
• What kind of data is supported? Everything:
  Databases
  Photos/Videos
  VM disks
  User files
  Whatever you want!
What is ACI? (Continued)
Acronis Cyber Infrastructure is a virtualization platform
Includes a built-in hypervisor service
Virtualization building and management approach is based on open-source technology: OpenStack
Virtual machines may run both Windows and Linux guest OSes
Guest virtual machines can run both Windows and Linux operating systems.
ACI Storage Cluster
A cluster is a number of servers (nodes) that are sharing their storage capacity
A cluster may consist of any number of nodes
[Figure captions: "I am a Cluster!", "I am a Cluster too!"]
Section Summary
Acronis Cyber Infrastructure
ACI in Acronis Ecosystem
In this module, we will cover Acronis Cyber Infrastructure in the Acronis ecosystem.
Integrated Platform
An integrated solution of cyber security, backup, disaster recovery, management and automation built specifically for SPs
We begin with the fact that the system that you are looking at is one integrated system, not simply a series of products.
[Figure: Integrated Platform; labels: Acronis Infrastructure, Technicians, Owner]
Acronis Cyber Infrastructure in Acronis Data Centers
Acronis Cyber Infrastructure is used in Acronis Cyber Cloud data centers worldwide, with over 250 petabytes of data stored and over 5 million workloads protected globally.
Ensure compliance and a local presence
Choose from 49 data centers worldwide to store data: Acronis Hosted, Google Cloud and Microsoft Azure
[Figure: over 49 data centers; legend: Acronis Data Centers, Acronis SCS Data Centers, Google Data Centers, Azure Data Centers]
Acronis has data centers all over the world and is adding more all the time.
For locations where we don't have our own Acronis Cyber Cloud data centers, we are partnering with Google Cloud Platform and Microsoft Azure to serve you even better.
ACI Use Cases: Acronis Solutions
How can partners use ACI in combination with other Acronis solutions?
Backup storage
Also known as partner-owned storage, or simply partner storage:
• secure and reliable storage for Acronis Cyber Protect Cloud's backups
• installed on customer's premises
Infrastructure for DR Cloud
Allows using ACI as a back-end for Disaster Recovery service:
• compute resources for Cloud VMs' creation and management
• hot (high-performance) storage for DR Cloud servers
Storage for Acronis Cyber Files Cloud
S3-compatible storage for storing File Sync & Share users' data:
• can be used instead of default ACFC Acronis storage
Among some of the Acronis Cyber Infrastructure use cases for Acronis Cyber Protect Cloud solutions are
Section Summary
It stores over 250 petabytes of backed-up data from more than 5 million workload devices.
The three main use cases for Acronis Cyber Infrastructure are backup storage, infrastructure for Disaster Recovery Cloud, and storage for Acronis Cyber Files Cloud.
Acronis Cyber Infrastructure
Backup Storage Architecture
In this module, we will cover the Acronis Cyber Infrastructure backup storage architecture.
Backup Storage: Back-ends
Supported back-ends:
In a nutshell, backup storage, or Acronis Backup Gateway (ABGW), is a proxy service that works with the data that was backed up using Acronis Cyber Protect Cloud.
ABGW receives the backed-up data and then forwards it to the storage back-end.
The backup storage service supports three different types of back-ends: the local disks of Acronis Cyber Infrastructure, a remote NFS share, and public cloud.
To perform successful backups to cloud storage, or to recover from cloud backups, the backup storage must be up and running. If the backup storage service is not available, it is not possible to access cloud backups.
===
In a nutshell, Backup storage (ABGW) is a proxy service that receives data backed up via Acronis Cyber Protect Cloud. ABGW then sends the data to its final destination (a.k.a. ABGW's back-end).
Backup Storage: Local Storage
Architecture: Local Storage
Backup Storage: NFS
• Using Backup Storage with NFS back-end, backed up data will go through ABGW, but is not kept on ACI cluster
• It is forwarded to external storage device with NFS configured on it
• Local storage is used to keep non-critical service information about backup archives
• Data redundancy has to be provided by the external storage device
• Due to limitations of NFS protocol, Backup Storage service can be running only on a single node
• Important: NFS here has nothing to do with NFS service that can be configured on top of ACI. “Backup Storage + NFS backend” means some NAS standalone device with NFS configured
[Figure labels: Acronis Cyber Infrastructure, Backup Storage (ABGW)]
The second type of back-end for the backup storage service is a remote NFS share.
In this setup, the backup storage service receives the backup data and then forwards it to the remote device over the NFS protocol. In this case, the backup data is not kept on ACI. The redundancy of the backup data is supposed to be guaranteed by the external device where the NFS share was set up.
There is an important limitation when backup storage is using the NFS back-end: the backup storage service can be set up only on a single node. This is a limitation of the NFS protocol, not a limitation of ACI.
Since backup storage will be running on just a single node, it becomes highly vulnerable to possible hardware issues. If the node with the backup storage service goes down, the service will become unavailable and people will not be able to perform backup and recovery operations.
An additional note here: when we say backup storage with NFS back-end, it means that the NFS share is configured on an external device, not on ACI itself.
===
While using Backup Storage in combination with an NFS back-end, backed-up data goes through ABGW but is not kept on the ACI cluster. Rather, it is forwarded to an external storage device with NFS configured on it.
Local storage is used to keep non-critical service information about backup archives.
Data redundancy has to be provided by the external storage device.
Due to limitations of the NFS protocol, the Backup Storage service can run only on a single node. In other words, no ABGW service redundancy is available in this case.
Important: NFS here has nothing to do with the NFS service that can be configured on top of ACI. When we say “Backup Storage + NFS backend” we always mean some standalone device with NFS configured.
Architecture: NFS
[Figure labels: NFS protocol, External NFS share]
Backup Storage: Public Cloud
• Backup Storage service can be used in combination with Public Cloud services: Google Cloud, Amazon AWS, etc.
• Working with public clouds, Backup storage uses the local storage as the staging area as well as to keep service information
• It is vital that the local storage is persistent and redundant so the data does not get lost
• Necessary to keep in mind ABGW service redundancy: it should be running at least on two nodes
[Figure labels: Acronis Cyber Infrastructure, Backup Storage (ABGW), Google Cloud, Microsoft Azure, Amazon AWS]
The third back-end type for the backup storage service is public cloud.
Among the supported public cloud solutions are Google, Amazon, Microsoft Azure, and many others.
When using a public cloud back-end, the backed-up data is first temporarily stored on the ACI cluster and then forwarded to the public cloud storage, where it will be kept permanently.
Since the data is first stored on ACI, it is vital that the local storage is persistent and redundant so that the temporary data does not get lost. In other words, your ACI cluster should not consist of just a single CS disk.
On the other hand, it is also important to remember that we need to guarantee the redundancy of the backup storage service itself, so it is supposed to be configured on multiple nodes to ensure backup service high availability.
===
Backup Storage service can also be used in combination with Public Cloud services: Google Cloud, Amazon AWS, etc. This option is useful when a person already has an Amazon/Google/Microsoft subscription.
When working with public clouds, Backup storage uses the local storage as the staging area as well as to keep service information. It means that the data to be uploaded to a public cloud is first stored locally and only then sent to the destination.
For this reason, it is vital that the local storage is persistent and redundant so the data does not get lost. Thus configuring data redundancy at the ACI level in such a setup is important as well.
However, it's still necessary to keep in mind ABGW service redundancy: it should be running on at least two nodes.
Architecture: Public Cloud
[Figure label: Public cloud]
Section Summary
Acronis Cyber Infrastructure
Deployment Options
In this module, we will cover Acronis Cyber Infrastructure deployment options.
Acronis Cyber Infrastructure: Two options
An integrated suite of software and hardware technologies
Software-only
• Run on the hardware of your choice
• Run on a third-party cloud of your choice
Each appliance is essentially a 5-node server cluster in a box 3 rack units tall, with Acronis Cyber Infrastructure installed in advance.
Understanding Storage Services
Acronis Cyber Infrastructure allows setting up different storage services on top of it
Data from different storage services is stored across all available chunk servers on the cluster
Storage service can be configured on any cluster node, even the one that does not have CS disks
[Figure layers: Storage services, Disk roles, Physical disks]
Disaster Recovery Infrastructure
Grow your business without complexity concerns
• High-performance and high-availability virtualization technology
• Single point of administration, monitoring, and control
• Software-defined network
• Storage policies and redundancy options per virtual machine (VM)
• Multi-tenant architecture
• Efficient resource management
• Fast and simple installation
• Easy integration with third-party
[Figure labels: Acronis Cyber Infrastructure, Virtualization (VM, VM, VM), Software-Defined Network, Software-Defined Storage, Cluster nodes]
MSPs can use Acronis Cyber Infrastructure as their Disaster Recovery infrastructure. They can grow their business without complexity concerns.
The benefits of using ACI as DR infrastructure include:
• High-performance and high-availability virtualization technology
• Single point of administration, monitoring, and control for network, storage, and virtual infrastructure
• Highly available storage and compute resources that protect systems from node failure
• Software-defined network for secure and isolated networking with VXLAN encapsulation based on distributed virtual-switching technology
• Storage policies and redundancy options set per virtual machine (VM)
• Multi-tenant architecture that ensures security by segregating consumption of system resources by multiple users and requests
• Efficient resource management so heavy demands on system components don't slow down individual workloads
• Fast and simple installation with no need for professional services
• Easy integration with third-party systems via open standard API
Archiving/ Secure Backup/ Cold Storage
Back up your data easily, efficiently and securely
[Figure labels: Acronis Cyber Infrastructure, Virtualization, Other DC]
Acronis Cyber Infrastructure can be used as storage for the backups created with Acronis Cyber Protect or Acronis Cyber Protect Cloud.
The Backup Storage service allows storing data at various destinations: on the local disks of the ACI cluster itself, on a remote NFS share, or in public cloud storage. The backed-up data can be encrypted for additional security.
It can also be replicated to a different ACI cluster using the geo-replication feature.
===
• Service providers can use Acronis Cyber Infrastructure as a centralized backup storage cluster to store clients' backup data
• End users can leverage Acronis Cyber Infrastructure as a centralized backup storage for local and offsite backups from remote offices and subsidiaries
• Uses industry-standard hardware and manageable redundancy options
• Adds an additional layer of data protection with geo-replication to another data center
• Eliminates service interruptions because you can change or upgrade hosts or disks on live production systems
• Encrypts data at rest
S3 Object Storage
Build your own Amazon S3-compatible storage cloud
Works with Acronis Cyber Files Cloud
Compatible with most S3 applications out of the box
Scales to billions of objects
Provides active-active geo-replication for S3 data between data centers with full data consistency and collision resolution
[Figure labels: S3-aware applications, Acronis Cyber Infrastructure, Virtualization, Software-Defined Network, iSCSI, NFS, Cluster nodes, Active-Active S3 Geo-Replication]
Let us also discuss some other storage services that can be set up on ACI, starting with S3 storage.
S3 stands for Simple Storage Solution.
S3 is a protocol developed by Amazon, which was later adopted by other vendors.
Acronis Cyber Infrastructure allows setting up S3-like storage that, to end users, looks very similar to the way they work with Amazon S3.
ACI's S3 storage is compatible with all S3-aware applications.
ACI's S3 storage can also be used as a back-end for the Acronis Cyber Files Cloud service.
General Purpose/ File Storage
Affordable and fully manageable file shares via the NFS protocol
• Corporate data
• Archive
• File sharing
• Web hosting
Provides optimized file storage for better performance, even for partial file updates
Stores any type of corporate data
Works via object storage and scales to billions of entities
Includes an organized file archive to store older files
Scales up and out so you can start with a small system and grow as your business grows
Provides easy-to-use, automated, cluster infrastructure management
Supports all modern NFS standards, including NFS v4, and NFS v4.1
[Figure labels: Acronis Cyber Infrastructure, Virtualization, Software-Defined Network, Software-Defined Storage, Backup Storage, S3, iSCSI, NFS, Cluster nodes]
ACI allows setting up a file share on top of itself, which is available over the NFS protocol.
This type of storage perfectly fits the purpose of web hosting, file sharing, storing archives, or corporate data. In other words, data that is not sensitive to moderate performance.
ACI's NFS share currently supports only NFS version 4 and newer. NFS version 3 and pNFS are not supported.
ACI's NFS share can be easily mounted on Linux or Mac. For Windows, the native client is not supported so far.
High Performance/ Hot Storage
Highly efficient, fast block storage for hot data
Offers highly available and secure iSCSI access
Ideal for storing critical/high performance databases
Stores Microsoft Hyper-V and VMware vSphere data
Includes SSD caching for best performance
Storage tiering and load balancing
RDMA/InfiniBand usage provides lower latency and decreases CPU load
Enable NVMe performance to increase parallelism and throughput of fast disk.
[Figure labels: Acronis Cyber Infrastructure, Virtualization, Software-Defined Network, Software-Defined Storage, Backup Storage, S3, iSCSI, NFS, Cluster nodes, Block data, VMware vSphere, Hyper-V, KVM, Databases]
Storage Services: Tech Representation
When configuring a storage service, you define on which ACI node the service will run. The more nodes you have with the same storage service, the more reliable the service becomes.
When speaking about storage service reliability, you are not speaking about data safety. A storage service is something that works with the data, but a storage service is not the data itself.
From a technical perspective, a storage service is yet another service running on the ACI node where it was configured. You can easily discover it by going to the command line of a particular storage node.
===
Please do not confuse storage service redundancy vs. data redundancy
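The back-end rules from the Backup Storage notes, combined with the service-versus-data redundancy distinction above, written as a design-review check. This is an added example, not Acronis code: BackupStorageDesign, its fields and review() are hypothetical names, and the "fewer than two CS disks" threshold is an assumption derived from the single-CS-disk remark.

```python
from dataclasses import dataclass

BACKENDS = ("local", "nfs", "public_cloud")


@dataclass
class BackupStorageDesign:
    """A planned Backup Storage (ABGW) setup. Field names are hypothetical."""
    backend: str                        # one of BACKENDS
    abgw_nodes: int                     # ACI nodes running the Backup Storage service
    cs_disks: int = 0                   # chunk-server (CS) disks in the ACI cluster
    nfs_served_by_aci: bool = False     # share comes from ACI's own NFS service
    external_redundancy: bool = False   # external NFS device keeps redundant copies


def review(design):
    """Return (category, message) findings for one design.

    "service" findings: backup and recovery can become unavailable.
    "data" findings: the backed-up data itself can be lost.
    The two are reported separately because one does not imply the other.
    """
    if design.backend not in BACKENDS:
        raise ValueError(f"unknown back-end: {design.backend!r}")
    if design.abgw_nodes < 1:
        raise ValueError("at least one node must run the Backup Storage service")

    findings = []
    single_node = design.abgw_nodes == 1

    if design.backend == "nfs":
        if not single_node:
            findings.append(("service",
                             "NFS back-end: Backup Storage can run on a single node only"))
        else:
            findings.append(("service",
                             "NFS back-end: no ABGW redundancy, losing the node "
                             "stops backup and recovery"))
        if design.nfs_served_by_aci:
            findings.append(("data",
                             "NFS back-end must be an external standalone device, "
                             "not the NFS service on ACI"))
        elif not design.external_redundancy:
            findings.append(("data",
                             "data redundancy must be provided by the external NFS device"))
    elif design.backend == "public_cloud":
        if single_node:
            findings.append(("service",
                             "public cloud back-end: run ABGW on at least two nodes"))
        if design.cs_disks < 2:
            findings.append(("data",
                             "staging area has no redundancy: data can be lost before upload"))
    else:  # local disks of the ACI cluster
        if single_node:
            findings.append(("service",
                             "local back-end: ABGW on one node is a single point of failure"))
        if design.cs_disks < 2:
            # Assumption: with fewer than two CS disks nothing can be stored redundantly.
            findings.append(("data",
                             "local back-end: a single CS disk cannot hold redundant data"))
    return findings


def categories(design):
    """Sorted list of finding categories, e.g. ['data', 'service']."""
    return sorted({category for category, _ in review(design)})


if __name__ == "__main__":
    # Constructed sample designs, not taken from a real deployment.
    samples = {
        "NAS gateway": BackupStorageDesign("nfs", 1, external_redundancy=True),
        "cloud, one node": BackupStorageDesign("public_cloud", 1, cs_disks=1),
        "cloud, HA": BackupStorageDesign("public_cloud", 2, cs_disks=3),
    }
    for name, design in samples.items():
        print(name)
        for category, message in review(design) or [("ok", "no findings")]:
            print(f"  [{category}] {message}")
```

The NFS design always keeps one "service" finding even when the external device is fully redundant, which is the point of the slide: redundant data does not make the service redundant.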
Acronis Cyber Appliance
Optimal choice for secure storage for backups.
Now let me introduce you to our ACI hardware appliance, Acronis Cyber Appliance.
This is in partnership with RNT Rausch, which is a pioneer in the server and storage industry.
Acronis Cyber Appliance is the optimal choice for secure storage for backups.
It comes with ACI pre-deployed on a cluster of 5 servers contained in a single 3U chassis.
Acronis Cyber Appliance can be used for local backup storage for Acronis Cyber Protect Cloud and Acronis Cyber Protect (on-premises).
Acronis Cyber Appliance: Specifications
Element Details
RAM 32GB
Storage 1 x SSD for OS; 1 x SSD for use as cache; 3 x HDD for data storage
Every Acronis Cyber Appliance comes with five server nodes installed in the chassis. Each of the five nodes is separate hardware that runs independently of the other nodes. Individual nodes can be swapped out and replaced if needed.
Each server node in Acronis Cyber Appliance has its own storage, network, memory, and CPU, as follows.
Section Summary
Acronis Cyber Infrastructure
Acronis Cyber Protect Cloud Back-end Options
In this module, we will cover Acronis Cyber Protect Cloud back-end options.
Acronis-hosted Model
Cloud storage is located in the Acronis data centers. Acronis Cyber Infrastructure is installed on physical servers, data is stored on them
Target Audience: Partners with no data center infrastructure, who want a turnkey solution from Acronis
Hybrid model: Option 1
Cloud storage is located in the service provider’s data center. Acronis Cyber Infrastructure is installed on physical servers, data is stored on them
[Figure labels: Acronis Cyber Protect Cloud Management Components; Acronis Cyber Infrastructure is installed on physical servers; Backup is stored on them]
Target Audience: Partners with own data center, ready to invest in new physical servers or have unutilized ones
Hybrid model: Option 2
Cloud storage is located in the service provider’s data center. Acronis Cyber Infrastructure is installed on a virtual machine (VM) used as a gateway. Data is stored on a service provider’s third-party NFS or S3 storage
[Figure labels: Acronis Cyber Protect Cloud Management Components; Acronis Cyber Infrastructure is installed on VM; NFS or S3 for backup storage]
Target Audience: Partners with own data center and third-party NAS or object storage solution
Hybrid model: Option 3
Cloud storage is located in a public cloud (Azure and Amazon). Acronis Cyber Infrastructure is installed on a virtual machine (VM) in the same cloud
Target Audience: Partners with no data center infrastructure, who’d like to leverage their Azure or Amazon subscriptions
Acronis Cyber Infrastructure is installed on a virtual machine (VM) in the same cloud.
Hybrid model: Option 4
Cloud storage is located in a public cloud (e.g. Wasabi). Acronis Cyber Infrastructure is installed on a virtual machine (VM) used as gateway
Target Audience: Partners, using affordable third-party public cloud storage (third-party doesn’t have VM service)
This is suitable for partners using affordable third-party public cloud storage where the third-party public cloud doesn’t have a VM service.
Section Summary
There are 5 different Acronis Cyber Protect Cloud back-end option models: Acronis-hosted and hybrid options 1 to 4.
Acronis Cyber Infrastructure
Licensing Models
In this module, we will cover Acronis Cyber Infrastructure licensing models.
Licenses
Three licensing models: Trial, SPLA and License keys
• Trial allows saving up to 1 TB of data on the cluster. Trial license has no expiration period
In general, it is one year, plus a certain threshold in terms of the maximum data size that can be stored on the cluster, for example 5, 10, or 20 terabytes.
Whenever the validity period has expired or the total data limit has been exceeded, the license needs to be replaced with another one. Otherwise, the cluster will not allow more data to be placed on it.
The third type of license is SPLA, or Service Provider License Agreement. SPLA implements a pay-as-you-go model. In general, SPLA is recommended for use along with the Acronis Cyber Protect Cloud solution.
With SPLA licensing, Acronis Cyber Infrastructure automatically sends reports to Acronis Cyber Protect Cloud once every four hours. If no reports have been received for two weeks, the SPLA license automatically expires and write operations to the cluster are suspended until the cluster is able to communicate with Acronis Cyber Protect Cloud and report the ACI cluster's storage consumption again.
===
Trial allows saving up to 1 TB of data on the cluster. Trial license has no expiration period.
License keys are time-limited (most commonly 1 year long) and grant a certain storage capacity. If a commercial license is already installed, a key augments its expiration date and storage limit.
SPLA: service provider license agreement. The SPLA implements a pay-as-you-go model: it grants unlimited storage capacity and customers are charged for their actual usage of these resources. With an SPLA, Acronis Cyber Infrastructure automatically sends reports to Acronis Cyber Cloud once every four hours. If no reports have been received for two weeks, the license expires.
If a license expires, all write operations to the storage cluster stop until a valid license is installed.
Licensing Rules
Which license is required
Licensing Model and SKU for Service Providers
A service provider’s Acronis Cyber Infrastructure commitment is combined with their overall cloud commitment. Billable usage is calculated monthly, based on total storage used by the last day of the month
Using Acronis Cyber Infrastructure:
• Service providers will NOT be charged if Acronis Cyber Infrastructure is used for storing archives from Acronis Cyber Protect Cloud
• Service providers will be charged if Acronis Cyber Infrastructure is used for any other type of workload or if using a third-party backup solution
Licensing Model for On-premises Deployment
SKUs for On-premises Deployment
SKU Product name Description
SCPBEBLOS11 Acronis Cyber Infrastructure Subscription License 10 TB, 1 Year Refers to one year subscription license with 10 TB included storage
SCPBEDLOS11 Acronis Cyber Infrastructure Subscription License 10 TB, 2 Year Refers to two years subscription license with 10 TB included storage
SCPBEILOS11 Acronis Cyber Infrastructure Subscription License 10 TB, 3 Year Refers to three years subscription license with 10 TB included storage
SCPBEKLOS11 Acronis Cyber Infrastructure Subscription License 10 TB, 4 Year Refers to four years subscription license with 10 TB included storage
SCPBEJLOS11 Acronis Cyber Infrastructure Subscription License 10 TB, 5 Year Refers to five year subscription license with 10 TB included storage
SCQBEBLOS11 Acronis Cyber Infrastructure Subscription License 50 TB, 1 Year Refers to one year subscription license with 50 TB included storage
SCQBEDLOS11 Acronis Cyber Infrastructure Subscription License 50 TB, 2 Year Refers to two years subscription license with 50 TB included storage
SCQBEILOS11 Acronis Cyber Infrastructure Subscription License 50 TB, 3 Year Refers to three years subscription license with 50 TB included storage
SCQBEKLOS11 Acronis Cyber Infrastructure Subscription License 50 TB, 4 Year Refers to four years subscription license with 50 TB included storage
SCQBEJLOS11 Acronis Cyber Infrastructure Subscription License 50 TB, 5 Year Refers to five years subscription license with 50 TB included storage
SCRBEBLOS11 Acronis Cyber Infrastructure Subscription License 100 TB, 1 Year Refers to one year subscription license with 100 TB included storage
SCRBEDLOS11 Acronis Cyber Infrastructure Subscription License 100 TB, 2 Year Refers to two years subscription license with 100 TB included storage
SCRBEILOS11 Acronis Cyber Infrastructure Subscription License 100 TB, 3 Year Refers to three years subscription license with 100 TB included storage
SCRBEKLOS11 Acronis Cyber Infrastructure Subscription License 100 TB, 4 Year Refers to four years subscription license with 100 TB included storage
SCRBEJLOS11 Acronis Cyber Infrastructure Subscription License 100 TB, 5 Year Refers to five years subscription license with 100 TB included storage
SCTBEBLOS11 Acronis Cyber Infrastructure Subscription License 500 TB, 1 Year Refers to one year subscription license with 500 TB included storage
SCTBEDLOS11 Acronis Cyber Infrastructure Subscription License 500 TB, 2 Year Refers to two years subscription license with 500 TB included storage
SCTBEILOS11 Acronis Cyber Infrastructure Subscription License 500 TB, 3 Year Refers to three years subscription license with 500 TB included storage
SCTBEKLOS11 Acronis Cyber Infrastructure Subscription License 500 TB, 4 Year Refers to four years subscription license with 500 TB included storage
SCTBEJLOS11 Acronis Cyber Infrastructure Subscription License 500 TB, 5 Year Refers to five years subscription license with 500 TB included storage
SCUBEBLOS11 Acronis Cyber Infrastructure Subscription License 1000 TB, 1 Year Refers to one year subscription license with 1000 TB included storage
SCUBEDLOS11 Acronis Cyber Infrastructure Subscription License 1000 TB, 2 Year Refers to two years subscription license with 1000 TB included storage
SCUBEILOS11 Acronis Cyber Infrastructure Subscription License 1000 TB, 3 Year Refers to three years subscription license with 1000 TB included storage
SCUBEKLOS11 Acronis Cyber Infrastructure Subscription License 1000 TB, 4 Year Refers to four years subscription license with 1000 TB included storage
SCUBEJLOS11 Acronis Cyber Infrastructure Subscription License 1000 TB, 5 Year Refers to five years subscription license with 1000 TB included storage
The table here shows all the SKUs for ACI on-premises deployment.
Section Summary
Acronis Cyber Infrastructure
Technological Fundamentals
In this section, we will go through the technological fundamentals of Acronis Cyber Infrastructure.
Section 3 - Technological Fundamentals
Modules
1. Storage Cluster
1. Failure Domains
2. Data Distribution Models
3. Disk Roles and Storage Tiers
2. Networking Concepts
1. Understanding Traffic Types
2. Private and Public Networks
Acronis Cyber Infrastructure
Storage Cluster
In this module, we will cover the Acronis Cyber Infrastructure storage cluster.
About Storage Cluster
The storage cluster provides the most efficient usage of the hardware with:
The cluster space can be used for:
ACI is integrated with Acronis Cyber Protection solutions for storing backups in:
Geo-replication is available for Backup Gateways set up on different storage backends:
The storage cluster provides the most efficient usage of the hardware with
erasure coding, integrated SSD caching, automatic load balancing, and
RDMA/InfiniBand support.
In addition,
Acronis Cyber Infrastructure is integrated with Acronis Cyber Protection solutions for
storing backups in the cluster, sending them to cloud services
(like Google Cloud, Microsoft Azure, and AWS S3), or
storing them on NAS via the NFS protocol.
About Storage Cluster
Data storage policies can be customized to meet various use cases: each data volume can have a specific:
• Redundancy mode
• Storage tier
• Failure domain
The data can be encrypted with the AES-256 standard.
Failure Domains
In this module, we will cover Acronis Cyber Infrastructure Failure Domains.
Failure Domains
• Define a scope (for example, a disk, a host or a rack) which can fail
• Disk failure domain: the cluster data will tolerate a failure of a disk; the remaining disks will provide for the data availability.
• Host failure domain: the loss of an entire node would not result in the loss of data availability
(Illustration callouts: "Ouch!" and "But the data is still OK!")
One of the most important terms for understanding ACI is failure domain.
Failure domain defines the tolerance of the ACI cluster to hardware failures.
When configuring a failure domain,
we in fact define the scope of what we can lose without losing the data.
For example, if your failure domain is disk,
the cluster can survive the loss of a hard disk (HDD).
And what is most important,
the data that was previously stored on that hard disk will also be preserved.
Another example: if our failure domain is set to host,
the cluster can survive the loss of a node and still the data will be.
The more nodes you have in your cluster,
the more reliable failure domains become available.
Failure domain is configured during the setup of a storage service.
===
The idea behind failure domains is to define a scope (for example, a disk, a host or a
rack) which can fail, while its data will still be available.
If we choose the disk failure domain, the cluster data will tolerate a failure of a disk:
the remaining disks will provide for the data availability.
If we choose the host failure domain, the loss of an entire node would not result in
the loss of data availability.
The more nodes you have, the more reliable and redundant you can configure your
storage cluster.
The maximum number of disks (nodes/racks/etc.) that can be lost without actually
losing useful data can be chosen while configuring a particular storage service.
Failure Domains (Continue)
Defines how tolerant your cluster is to failures
Reliability level
• Storage cluster has a built-in data self-healing mechanism. When a failed disk (or node) is replaced by a healthy one, ACI will start the process of retrieving the lost data.
• The following failure domains are available:
  Disk
  Host (node)
  Rack
  Row
  Room
Failure domain defines how the data will be distributed across ACI nodes.
ACI provides five different failure domains:
disk, host, rack, row, and room.
Failure domain guarantees that the data stays highly available and
is not lost in case of a hardware outage.
It is necessary to remember what the failure domain is.
For instance, if our failure domain is set to disk,
we can lose a disk and the data will still remain intact.
However, if the failure domain is set to disk and we actually lose one of the ACI nodes,
that will cause data loss due to a failure domain breach.
Acronis Cyber Infrastructure also introduces the self-healing mechanism.
That means that if the failure domain was not breached,
say you had a failure domain set to host and
you lost a single node of your cluster later on,
you can replace the node with a new one and
the data that was previously stored on the node that
went down will be automatically repaired.
Data Distribution Models
In this module, we will cover Acronis Cyber Infrastructure Data Distribution Models.
Data Redundancy
Key Knowledge
Data Distribution: Replication
• With replication, Acronis Cyber Infrastructure breaks incoming data into 256 MB pieces (data chunks).
• Each chunk is replicated (copied) as many times as is set in the storage policy. The replicas are stored on different storage nodes if the failure domain is host, so that each node has only one replica of a given chunk.
• Used for Hot (high-performance) storage (e.g. Block Storage, VM virtual disks).
• Supported storage services: S3, Block storage, NFS
Replication: Example #1
Now, let us review how replication works for different failure domains.
In the first example, you have an ACI cluster that consists of three nodes.
So what happens when we try to put some data on ACI with a given configuration?
First of all, the incoming data stream is split into 256 megabyte pieces.
ACI automatically creates two more copies of every single data piece.
For example,
the data pieces can be distributed like this.
ACI will never put two or three replicas of the same kind on a single Chunk Server
disk
because this puts the data in danger.
In other words, in the picture you will never find a CS disk that contains two squares
of the same color.
Now, let us see how the cluster ensures tolerance to possible hardware
failures.
As you recall,
the cluster's tolerance level to hardware failures strongly depends on the failure
domain.
In this example, the failure domain is disk.
What it means for us is that ACI can survive a loss of several HDDs without affecting
the data's integrity.
But how many disks can we lose in case our redundancy scheme is three replicas?
Even if we lose two random HDDs, the data will still remain intact.
In other words,
the redundancy scheme of three replicas combined with
the disk failure domain allows us to lose not more than two HDDs without
affecting the data stored on ACI.
However, the disk failure domain does not protect us against a failure of an entire node.
So, is there a way to protect our data against a node failure?
Replication: Example #2
So the question is how to preserve the consistency of the data in case an entire node
goes down?
In this example,
we have the very same ACI cluster that consists of three nodes.
Let us see what happens when some data is written to ACI with such a configuration.
First, the incoming data stream is split into 256 megabyte data pieces.
Data Distribution: Erasure Coding
Erasure coding 5+2 (M = 5, N = 2)
• Incoming data stream is split into fragments of a certain size. Each fragment is not copied itself; instead, a certain number (M) of such fragments are grouped and a certain number (N) of parity pieces are created for redundancy
• All pieces are distributed among M+N storage disks (nodes/rows/racks/rooms) selected from all available disks. Data can survive the failure of any N storage disks (nodes/rows/etc.) without data loss
• Values of M and N are indicated in the names of erasure coding redundancy modes. For example, in the 5+2 mode, the incoming data is split into 5 fragments, and 2 more parity pieces (same size) are added for redundancy
• Used for Cold (moderate-performance) storage (backups, NFS)
• Supported storage services: Backup Storage (ABGW), S3, Block storage, NFS
(Diagram: Data distributed across CS (chunk server) disks)
With erasure coding, the incoming data stream is split into fragments of a certain size.
Each erasure coding scheme is represented by two values, M plus N.
Parity chunks are useful in case of a hardware outage.
Using the parity chunks, ACI is capable of restoring the lost data chunks.
A short example:
consider an ACI cluster that has the failure domain set to disk and
the erasure coding scheme three plus two.
If you're not sure where the value five comes from,
just look at the scheme itself.
So the minimum number for our three plus two erasure coding scheme would be five
disks,
but the maximum number is not limited,
so that can be 10, 20, 50, and so on.
===
With erasure coding (or just encoding), the incoming data stream is split into
fragments of a certain size. Then, each fragment is not copied itself; instead, a certain
number (M) of such fragments are grouped and a certain number (N) of parity pieces
are created for redundancy.
All pieces are distributed among M+N storage disks (nodes/rows/racks/rooms) selected
from all available disks. The data can survive the failure of any N storage disks
(nodes/rows/etc.) without data loss.
The values of M and N are indicated in the names of erasure coding redundancy
modes. For example, in the 5+2 mode, the incoming data is split into 5 fragments,
and 2 more parity pieces (same size) are added for redundancy.
Supported storage services: Backup Storage (ABGW), S3, Block storage, NFS
Erasure Coding: Example #1
Now, let us review a couple of examples of how erasure coding redundancy works.
The failure domain is disk and the redundancy scheme is erasure coding three
plus two.
First, the data is split into 256 megabyte pieces.
Then those big pieces are divided into a bunch of smaller ones,
up to one megabyte in size.
As soon as the splitting is done,
each group of data chunks automatically receives the so-called parity chunks.
The number of data chunks in a group and
the number of parity chunks that will be automatically added
depend on the erasure coding scheme that is chosen.
Once the data is split and the parity chunks are generated,
it is time to place the data on ACI's disks.
In this example, the failure domain is disk;
that would mean that from every group of five chunks,
every ACI disk would receive not more than a single chunk.
Alright, now our data resides on ACI, so let's discuss the redundancy aspect of this
configuration.
It's very easy to answer this question
for any kind of erasure coding scheme because
the answer is always the value after the plus in the scheme's name.
In this example, the failure domain is disk and the scheme is three plus two.
Unfortunately, the disk failure domain does not protect us against the loss of an entire
node.
Erasure Coding: Example #2
First, the incoming data stream is split into 256 megabyte pieces.
Then every piece is split into numerous one megabyte chunks.
So the three plus one scheme means three data chunks plus one parity chunk.
As soon as the data is split into chunks and the parity chunks are generated,
it is time to distribute them across the ACI cluster's chunk server disks.
In this example,
the failure domain is host and the erasure coding scheme is three plus one.
The value after the plus sign always indicates the total number of units that you can
lose.
Keeping that in mind, you now understand that the data chunks
should be distributed across the cluster in such a way
that the loss of a single node would not result in a data outage.
This can be achieved if every node contains just a single chunk out of four.
So if we lose one of the ACI nodes, and thus one of the data chunks,
there will still be three more nodes left with three other data chunks,
and that would be absolutely sufficient for rebuilding the data.
Redundancy Modes
The following table illustrates the data overhead of various redundancy modes
Table columns: Redundancy mode | Nodes required to store data copies | How many nodes can fail without data loss | Storage overhead, percent | Raw space needed to store 100 GB of data
===
The numbers of nodes listed in the table indicate only the requirements of each
redundancy method but not the number of nodes needed for the Acronis Cyber
Infrastructure cluster. The minimum and recommended cluster configurations are
described in Quantity of servers.
Note: The 1+0, 1+1, 1+2, and 3+1 encoding modes are meant for small clusters that
have insufficient nodes for other erasure coding modes but will grow in the future. As
a redundancy type cannot be changed once chosen (from replication to erasure
coding or vice versa), this mode allows you to choose erasure coding even if your
cluster is smaller than recommended. Once the cluster has grown, more beneficial
redundancy modes can be chosen.
You select a data redundancy mode when configuring storage services and creating
storage volumes for virtual machines. No matter what redundancy mode you select,
it is highly recommended to be protected against a simultaneous failure of two
nodes, as that happens often in real‐life scenarios.
By default, all encoding modes, except 1+0, allow write operations when one storage
node or disk is inaccessible. When redundancy is 1, that is with the N+1 encoding
mode, and two inaccessible storage nodes, the data may become unavailable even
for reading and there is a high risk of data loss. Therefore, it is strongly recommended
to use the encoding modes N+2 or N+3.
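The redundancy arithmetic and the failure-domain behaviour described in this section can be checked with the following added Python example, which is not part of the original handout and is not Acronis code. It assumes a constructed cluster of 4 nodes with 3 chunk-server disks each, and for the disk failure domain it deliberately uses the worst placement that domain permits (pieces packed onto one node) to show a failure domain breach.

```python
from itertools import combinations

# Constructed cluster (an assumption, not from the handout): 4 nodes x 3 CS disks.
CLUSTER = [(f"node{n}", f"node{n}-cs{d}") for n in range(1, 5) for d in range(1, 4)]
FIELD = {"host": 0, "disk": 1}  # tuple field that identifies each kind of unit


def parse_mode(mode):
    """'3+2' -> (5 pieces stored, 3 needed to read); '3 replicas' -> (3, 1)."""
    if "+" in mode:
        m, n = (int(x) for x in mode.split("+"))
        return m + n, m
    return int(mode.split()[0]), 1


def space(mode):
    """Return (failures tolerated, overhead in percent, raw GB per 100 GB)."""
    stored, needed = parse_mode(mode)
    extra = stored - needed
    return extra, round(100 * extra / needed), round(100 * stored / needed)


def place(mode, domain, cluster=CLUSTER):
    """Choose one disk per piece, never two pieces in the same failure-domain unit.

    Disks are taken in list order. For the 'disk' domain this is the worst case
    the domain still permits: all pieces may end up on the disks of one node.
    """
    stored, _ = parse_mode(mode)
    used, chosen = set(), []
    for disk in cluster:
        unit = disk[FIELD[domain]]
        if unit in used:
            continue
        used.add(unit)
        chosen.append(disk)
        if len(chosen) == stored:
            return chosen
    raise ValueError(f"{mode} needs {stored} {domain}s, cluster has {len(used)}")


def survives(mode, placement, failed, unit):
    """True if enough pieces are left after the `failed` disks or hosts are lost."""
    _, needed = parse_mode(mode)
    alive = [d for d in placement if d[FIELD[unit]] not in failed]
    return len(alive) >= needed


def tolerates(mode, domain, unit, count, cluster=CLUSTER):
    """True if the data survives every possible loss of `count` disks or hosts."""
    placement = place(mode, domain, cluster)
    units = sorted({d[FIELD[unit]] for d in cluster})
    return all(survives(mode, placement, set(lost), unit)
               for lost in combinations(units, count))


if __name__ == "__main__":
    for mode in ("3 replicas", "1+2", "3+1", "3+2", "5+2"):
        print(mode, space(mode))
    for mode, domain in (("3 replicas", "disk"), ("3+2", "disk"), ("3+1", "host")):
        print(mode, domain,
              "2 disks lost:", tolerates(mode, domain, "disk", 2),
              "| 1 host lost:", tolerates(mode, domain, "host", 1))
```

The `ValueError` from `place("5+2", "host")` on this 4-node cluster is the same constraint the handout describes: an M+N mode needs at least M+N units of the chosen failure domain.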
Disk Roles and Storage Tiers
In this module, we will cover Acronis Cyber Infrastructure Disk Roles and Storage Tiers.
Disk Roles
Each cluster’s disk should have a role assigned; different roles serve different purposes

• Used for storing data
• Data chunks are distributed based on failure domain across available chunk servers, according to their capacity and performance

• Contains an index of all data stored on ACI cluster
• Tracks data chunks, their versions and status
• Is highly available (minimum recommended number of MDS disks is 3)

• Increases chunks read/write performance by creating write caches on selected disks
• Designed to be used on solid-state drives (SSDs)
• Can be combined with MDS role on a single SSD

• The operating system of ACI. Each ACI node has a system disk
• This role is assigned to a disk during ACI’s installation and cannot be changed later
• May be additionally assigned with Metadata role
This disk is chosen at the point when you are configuring the ACI installation.
You cannot change the OS disk afterwards.
The system disk can also be combined with the MDS role.
Storage Tiers
Key Knowledge
Storage Tiers (Continue)
Key Knowledge
When assigning disks to tiers, keep in mind that faster storage drives should be assigned to higher tiers
→ tier 0 for backups and other cold data (CS without SSD cache);
→ tier 1 for virtual environments — a lot of cold data but fast random writes (CS with SSD cache)
→ tier 2 for hot data (CS on SSD), caches, specific disks, and such
This recommendation is related to how ACI works with storage space in the inter-tier data allocation mode
(disabled by default)
Automatic data migration between tiers works in the inter-tier data allocation mode
If a storage tier runs out of free space, ACI will attempt to temporarily use the space of the lower tiers down to
the lowest
If you add more storage to the original tier later,
the data, temporarily stored elsewhere,
will be moved to the tier where it should have been stored originally.
Storage Policies
Key Knowledge
A storage policy defines how redundant a volume must be and where it needs to be located
Main components:
→ Tiers
→ Failure domains
→ Redundancy
Example: 3 nodes with a number of storage nodes: fast SSDs and high-capacity HDDs. Node 1 has only SSDs. Nodes 2 and 3 have both SSDs and HDDs. You want to export storage space via iSCSI and S3, so you need to define a suitable storage policy for each workload
Storage Policies (Continue)
You can assign a disk to a tier when creating a storage cluster or adding nodes to it.
Note that only nodes 2 and 3 have HDDs and will be used for tier 3.
just one copy per node.
If a node fails, the data is still accessible from the healthy nodes.
Section Summary
Failure domains are used to define a scope (for example, a rack) which can fail,
while its data will still be available.
ACI data redundancy is achieved by either one of two (2) methods, which are
Replication or Erasure Coding.
Section Summary
Acronis Cyber Infrastructure
Network Concept
In this module, we will cover the Acronis Cyber Infrastructure networking concept.
Understanding Traffic Types
Traffic Types
Key Knowledge
To optimize networking, assign different types of traffic to separate networks
• Firewall is configured on nodes connected to this network
• Specific ports are opened on node network interfaces
• Necessary iptables rules are set
For example,
→ nodes connected to a network with only the S3 public traffic type will accept incoming connections only on ports 80 and 443
Three traffic types: Exclusive, Regular, Custom
Exclusive Traffic Types
Can be added only to ONE network
Can only be reassigned from ONE network to ANOTHER and only ONE at a time
Reassignment can be performed even if the related services are already deployed
For example,
→ If the initial network configuration is wrong but the storage cluster is already populated with data and running critical services;
→ Or after adding a network card, which requires changing network settings, adding a new network, and assigning traffic types to it
Exclusive traffic types
1. Internal management
2. Storage
3. OSTOR private
4. Backup (ABGW) private
5. VM private
6. Compute API
7. VM backups
Exclusivity means that such a traffic type can be added only to one network.
Reassignment can be performed even if the related services are already deployed.
OSTOR private
Backup (ABGW) private
VM private
Compute API, and
VM backups
===
Internal management
Internal cluster management and transfers of node monitoring data to the admin
panel.
Without this traffic type,
the administrator cannot control and monitor the cluster.
The cluster, however, continues working.
Uses any available port.
Storage
Internal transfers of data chunks, high availability service heartbeats, as well as data
self‐healing. This is the most critical traffic type that defines storage performance and
enables cluster high availability. Uses any available port.
OSTOR private
Internal data exchange between multiple S3/NFS services.
Uses any available port.
Backup (ABGW) private
Internal management of and data exchange between multiple backup storage
services.
Uses any available port.
VM private
Network traffic between VMs in private virtual networks and VNC console traffic.
Virtual networks are implemented as VXLAN,
overlay networking fully isolated on L2.
Opens UDP port 4789 and TCP ports from 15900 to 16900.
Compute API
External access to standard OpenStack API endpoints.
Opens the following ports:
• TCP 5000—Identity API v3
• TCP 6080—noVNC Websocket Proxy
• TCP 8004—Orchestration Service API v1
• TCP 8041—Gnocchi API (billing metering service)
• TCP 8774—Compute API
• TCP 8776—Block Storage API v3
• TCP 8780—Placement API
• TCP 9292—Image Service API v2
• TCP 9313—Key Manager API v1
• TCP 9513—Container Infrastructure Management API (Kubernetes service)
• TCP 9696—Networking API v2
• TCP 9888—Octavia API v2 (load balancer service)
VM backups
External access to NBD endpoints.
Third‐party backup management systems can pull VM backups by using this traffic
type.
To be able to access backup agents installed in virtual machines,
assign this traffic type along with VM public.
Opens TCP ports from 49300 to 65535.
Regular Traffic Types
Regular traffic types can be added to multiple networks
You can add a regular traffic type to multiple networks or remove it from any network
Regular Traffic Types
1. S3 public
2. iSCSI
3. NFS
4. Backup (ABGW) public
5. Admin panel
6. VM public
7. SSH
8. SNMP
9. Self-service panel
NFS
External data exchange with the NFS access point. Uses TCP/UDP ports 111, 892, and
2049.
Backup (ABGW) public
External data exchange with Acronis Cyber Protect agents and Acronis Cyber Protect
Cloud.
Uses TCP ports 40440 and 44445.
Admin panel
External access to the admin panel. Uses TCP port 8888.
VM public
External data exchange between VMs and public networks (for example, the
Internet).
When a node network interface is assigned to a network with this traffic type,
an Open vSwitch bridge is created on that network interface.
SSH
Remote access to nodes via SSH. Uses TCP port 22.
SNMP
External access to storage cluster monitoring statistics via the SNMP protocol.
Opens UDP port 161.
Self‐service panel
External access to the self‐service panel. Opens TCP port 8800.
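Because each traffic type opens a known set of ports, a scan of your own node from a given network can be compared with the traffic types assigned to that network. The following is an added Python example, not part of the original handout or any Acronis tool: the port table is copied from the text above, the scan lines are constructed sample input in nmap's `PORT STATE SERVICE` layout, and traffic types for which the handout lists no fixed ports are left out.

```python
# Ports opened per traffic type as (protocol, first port, last port), copied from
# the handout text. Types described as "uses any available port", and types for
# which the handout lists no ports (iSCSI, VM public), are not modelled.
PORTS = {
    "S3 public": [("tcp", 80, 80), ("tcp", 443, 443)],
    "NFS": [(p, n, n) for p in ("tcp", "udp") for n in (111, 892, 2049)],
    "Backup (ABGW) public": [("tcp", 40440, 40440), ("tcp", 44445, 44445)],
    "Admin panel": [("tcp", 8888, 8888)],
    "SSH": [("tcp", 22, 22)],
    "SNMP": [("udp", 161, 161)],
    "Self-service panel": [("tcp", 8800, 8800)],
    "VM private": [("udp", 4789, 4789), ("tcp", 15900, 16900)],
    "Compute API": [("tcp", n, n) for n in (5000, 6080, 8004, 8041, 8774, 8776,
                                            8780, 9292, 9313, 9513, 9696, 9888)],
    "VM backups": [("tcp", 49300, 65535)],
}

# Constructed sample: what a scan of one node from the "Public" network reports.
SAMPLE_SCAN = """\
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
443/tcp   open   https
5432/tcp  open   postgresql
8888/tcp  open   unknown
40440/tcp closed unknown
44445/tcp open   unknown
161/udp   open   snmp
"""


def parse_open_ports(scan_text):
    """Extract {(proto, port)} for every line whose state is 'open'."""
    found = set()
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and "/" in fields[0] and fields[1] == "open":
            port, proto = fields[0].split("/", 1)
            if port.isdigit():
                found.add((proto, int(port)))
    return found


def owners(proto, port):
    """Traffic types from the table that open this protocol/port."""
    return sorted(name for name, ranges in PORTS.items()
                  if any(p == proto and lo <= port <= hi for p, lo, hi in ranges))


def audit(assigned, scan_text):
    """Map each open port not explained by the assigned traffic types to the
    traffic types that would explain it (empty list: none in the table)."""
    unknown = set(assigned) - set(PORTS)
    if unknown:
        raise ValueError(f"traffic types not in table: {sorted(unknown)}")
    findings = {}
    for proto, port in sorted(parse_open_ports(scan_text)):
        explained_by = owners(proto, port)
        if not set(explained_by) & set(assigned):
            findings[(proto, port)] = explained_by
    return findings


if __name__ == "__main__":
    for (proto, port), hint in audit(["S3 public", "Backup (ABGW) public"],
                                     SAMPLE_SCAN).items():
        print(f"unexpected {port}/{proto}: {', '.join(hint) or 'no traffic type'}")
```

A finding that names a traffic type, such as Admin panel on 8888, points to a traffic type assigned to the wrong network; a finding with no traffic type points to a service outside the documented set.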
Custom Traffic Types
Custom traffic types are created by system administrators to open required TCP ports.
You can create custom traffic types, add them to multiple networks, edit, and delete them.
Inbound Firewall Rules
To prevent access from untrusted sources to the cluster, configure inbound firewall rules on your nodes
To enable traffic filtering, configure allow and deny lists for a network or a traffic type
By default, the lists are empty and all incoming traffic is allowed
You can create access rules in them to configure access for incoming traffic
Access rules in the allow list have higher priority than those in the deny list
If you have access rules for both networks and traffic types, access lists configured for traffic types will have higher priority than those of networks
Limitations: If you create allow rules but leave the deny list empty, all incoming traffic will still be allowed
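The precedence rules and the limitation listed above can be modelled as follows. This is an added Python example, not Acronis code and not the product's rule syntax: rules are written as CIDR ranges, and the way traffic-type and network lists are combined (traffic-type lists are consulted first, network lists only if nothing matched) is an assumption drawn from the slide's wording. It shows the weak configuration beside the corrected one.

```python
import ipaddress


def hit(rules, src):
    """True if the source address falls inside any CIDR range in `rules`."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(rule) for rule in rules)


def decide(src, traffic_type=None, network=None):
    """Return 'allow' or 'deny' for an inbound source address.

    Each argument is a dict {"allow": [...], "deny": [...]} or None.
    Order modelled from the slide:
      1. traffic-type lists outrank network lists;
      2. inside one pair of lists, allow outranks deny;
      3. with no matching rule (or empty lists) all traffic is allowed.
    """
    for lists in (traffic_type, network):
        if not lists:
            continue
        if hit(lists.get("allow", ()), src):
            return "allow"
        if hit(lists.get("deny", ()), src):
            return "deny"
    return "allow"


def lint(name, lists):
    """Flag the limitation from the slide: allow rules with an empty deny list."""
    if lists.get("allow") and not lists.get("deny"):
        return [f"{name}: allow rules have no effect while the deny list is "
                "empty; all incoming traffic is still allowed"]
    return []


# Constructed configurations for one traffic type (addresses are examples).
WEAK = {"allow": ["10.20.0.0/16"], "deny": []}             # looks restrictive, is not
FIXED = {"allow": ["10.20.0.0/16"], "deny": ["0.0.0.0/0"]}  # deny all, then allow
# Constructed network-level list that denies the same management range.
NETWORK = {"allow": [], "deny": ["10.20.0.0/16"]}

if __name__ == "__main__":
    outside, inside = "198.51.100.9", "10.20.3.4"
    print("weak, outside :", decide(outside, traffic_type=WEAK))
    print("fixed, outside:", decide(outside, traffic_type=FIXED))
    print("fixed, inside :", decide(inside, traffic_type=FIXED))
    print("traffic type over network:", decide(inside, FIXED, NETWORK))
    print(lint("Admin panel", WEAK))
```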
Outbound Firewall Rules
Key Knowledge
To control outbound traffic from cluster nodes, configure outbound firewall rules for public networks by using the vinfra tool
By default, ports used by system services are opened, to ensure non-disruptive cluster operation
Outbound traffic is always allowed in the subnet dedicated to internal communication between cluster nodes
As a private network is not publicly exposed and does not communicate with any external endpoints, you do not need to restrict outbound traffic for it
A network is recognized as private if it is assigned any of these traffic types:
→ OSTOR private
→ Backup (ABGW) private
→ Internal management
→ Storage
Private and Public Networks
In this module, we will cover Acronis Cyber Infrastructure Private and Public Networks.
Network Types
There are two networks created by default
• Private network for internal cluster communications
• Public network for accessing the cluster from an external network
Each traffic type defines firewall rules (open ports) and will be used for service configuration
For example:
→ The “ABGW private” traffic type will configure the Backup Storage service to use the specified network for communication between nodes included in Backup Storage
→ The “ABGW public” traffic type will define from what networks Backup Storage will receive backups
Setting the network configuration right from the beginning is a good practice
Storage services and Networks
Data that is available with one storage service will not be visible from other storage services
Storage Services | High Availability | Networks | Ports
NFS Storage | Yes | Private, Internal | 111, 2049
(Diagram labels: Local server, S3 client, Private network)
The data which is placed on the ACI cluster is split into data chunks.
Those chunks are distributed across all the disks with the chunk server role and
over all the nodes that have chunk server disks respectively.
When the data is just being sent to ACI,
it is coming from the public network.
But once it is split into data chunks,
the chunks are distributed across chunk server disks over
the internal or private network.
Chunk server disks can contain data that belongs to different storage services.
That means that a single physical disk can contain both
data chunks that belong to backup storage and
data chunks that belong to S3 storage.
However, the backup storage service will only be
capable of accessing the chunks that
belong to backup storage.
And respectively, the S3 storage service will only be able to access those chunks that
belong to S3.
So in other words,
we can say that every storage service has exclusive access to its own data.
The diagram here shows how storage services and networks are interconnected.
The table here shows a summary of storage services and their ports.
For the complete list of network ports,
refer to the documentation:
https://dl.acronis.com/u/software-defined/html/AcronisCyberInfrastructure_5_3_admins_guide_en-US/#network-ports.html
Section Summary
Thank you for watching!