Use protection groups to create recurring VM snapshots and replicate them to a cloud file system, so they can later be used for disaster and ransomware recovery.

After snapshots replicate to a cloud file system, you can use those snapshots in recovery plans for disaster and ransomware recovery. When you configure a recovery plan, you can select protection groups that have scheduled replication to a cloud file system, and when you start a plan you can select snapshots for recovery.

Snapshot Frequency

VMware Live Cyber Recovery provides two types of snapshots for protection groups, based on snapshot frequency:
  • Standard-frequency snapshots. Schedule recurring snapshots as frequently as every 4 hours.
  • High-frequency snapshots. Schedule recurring snapshots as frequently as every 15 minutes (up to 200 VMs per cloud file system). High-frequency snapshots require that the on-premises protected site is running vSphere 7.0 Update 3 or that the protected VMware Cloud on AWS SDDC is running version 1.16.

If you are not sure whether the hosts on your protected site are compatible with high-frequency snapshots, run a host compatibility check for high-frequency snapshots.

To convert standard-frequency snapshots to high-frequency snapshots, open a standard-frequency snapshot and select the high-frequency snapshot option.

Snapshot Retention

A protection group snapshot retention policy defines how long snapshots remain on the cloud file system. You can set retention for any duration of hours, days, weeks, months, or years.
Note: A 90-day retention schedule might result in higher storage capacity consumption.

Dynamic Group Membership

A protection group query dynamically defines the protection group membership at the time a snapshot is taken. Protection groups provide three types of queries: 

  • VM name pattern. A VM name pattern is a string of characters that matches the names of VMs in your vSphere inventory, either for inclusion or exclusion in the protection group snapshot. Any VMs that match the specified pattern are included in (or explicitly excluded from) the protection group for snapshots.
  • Folders. You can add VM folders that are present in your vSphere inventory to a protection group, so that all VMs in those folders are included in snapshots. Folder selection does not include subfolders. To include subfolders, select them manually.
    Note: Protection groups do not support folder-based snapshots for VMs that are part of a vApp.
  • vSphere tags. Use tags to define protection group membership. Any VMs that match the tags you specify are included in the protection group snapshot. You can select any tags defined in vSphere on the protected site. For successful failover operations, ensure that the selected tags also exist on the target Recovery SDDC vCenter. Otherwise, the compliance check displays warnings and the failback operation fails.
    Note: Creating, deleting, and assigning vSphere tags on VMs are not immediately visible to protection groups. For example, if you create a tag and associate it with 10 VMs, a protection group might not immediately show the VMs associated with this tag. It can take up to 15 minutes for vSphere tags to appear in protection groups, but it is usually much faster.

Before a protection group takes a snapshot, name patterns are evaluated first, and the matching VMs are then combined with the results of any defined folder or tag queries.

If you use an exclusion name pattern in your query, other folder or tag queries defined in the protection group might override the name-based exclusion. For example, if one of your queries excludes a VM by name but that same VM lives inside a folder you have selected in a Folders query, that VM is included in the snapshot.
Note: When defining protection group membership, ensure that you use unique membership criteria across protected sites. Protection group membership queries should not allow the same VM to belong to multiple protection groups and different recovery plans across multiple protected sites.

To verify the snapshot before a scheduled job, take a manual snapshot.

Note: To create a VM name pattern that matches VMs whose names contain the following special characters, escape them (prefix them with \) in the name pattern: ?, *.
Protection group snapshots ignore VMs that provide infrastructure services for your vSphere environment, even if the protection group definition indicates that the VM should be included (for example, if the protection group is defined with the "*" VM name pattern). Specifically, protection groups exclude the following types of VMs from snapshots:
  • VMware Live Cyber Recovery Cyber Recovery connector VMs.
  • VMware Cloud on AWS Management VMs.
  • vCLS (cluster service VMs).
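
The membership rules described in this section, modeled as an added Python example (not VMware code and not part of the original documentation) for auditing protection group queries against an exported inventory. The inventory, group names, and dictionary layout are constructed; the wildcard semantics (* matches any run of characters, ? matches one) and the union of name, folder, and tag results are assumptions based on the description above.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the page): inventory and hypothetical group queries.
INVENTORY = [
    {"name": "db-prod-01", "folder": "/Prod/DB", "tags": {"tier1"}, "infra": False},
    {"name": "db-test-01", "folder": "/Prod/DB", "tags": set(), "infra": False},
    {"name": "web-01", "folder": "/Prod/DB/Archive", "tags": {"tier1"}, "infra": False},
    {"name": "vCLS-1", "folder": "/vCLS", "tags": {"tier1"}, "infra": True},
]
GROUPS = {
    "pg-db": {"include": ["db-*"], "exclude": ["db-test-*"], "folders": ["/Prod/DB"]},
    "pg-tier1": {"tags": ["tier1"]},
}

def pattern_to_regex(pattern):
    """Assumes * = any run, ? = one character, backslash makes the next character literal."""
    tokens = re.findall(r"\\.|.", pattern, flags=re.S)
    return re.compile("".join(
        re.escape(t[-1]) if len(t) == 2 else {"*": ".*", "?": "."}.get(t, re.escape(t))
        for t in tokens))

def evaluate(group, inventory=INVENTORY):
    """Return (members, overridden); overridden = excluded by name but re-added by folder/tag."""
    inc = [pattern_to_regex(p) for p in group.get("include", [])]
    exc = [pattern_to_regex(p) for p in group.get("exclude", [])]
    members, overridden = set(), set()
    for vm in (v for v in inventory if not v["infra"]):  # infrastructure VMs are ignored
        excluded = any(r.fullmatch(vm["name"]) for r in exc)
        by_name = not excluded and any(r.fullmatch(vm["name"]) for r in inc)
        # Folder match is exact: subfolders must be listed explicitly.
        by_query = (vm["folder"] in group.get("folders", [])
                    or bool(vm["tags"] & set(group.get("tags", []))))
        if by_name or by_query:
            members.add(vm["name"])
        if excluded and by_query:
            overridden.add(vm["name"])
    return members, overridden

def overlaps(groups, inventory=INVENTORY):
    """Map each VM that lands in more than one protection group to those groups."""
    seen = defaultdict(list)
    for name, group in groups.items():
        for vm in evaluate(group, inventory)[0]:
            seen[vm].append(name)
    return {vm: sorted(g) for vm, g in seen.items() if len(g) > 1}
```

Here db-test-01 is reported as overridden because the Folders query re-includes it despite the name exclusion, and db-prod-01 is reported as overlapping because it matches both groups.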

Changing VM Protection Group Association

In some situations, you might want to change a VM’s protection group membership from one protection group to another. You can change the VM protection group membership by changing the protection group queries (name, tag, folder) so that the new protection group queries include the VM.

Once a VM has been moved from one protection group to another and the first snapshot of that VM is taken, you can do the following:
  • Fail over the VM from the original protection group snapshot.
  • Fail over the VM from the new protection group snapshot.
  • Perform a single VM restore from the original protection group snapshot.
  • Perform a single VM restore from the new protection group snapshot.

VMware Live Cyber Recovery tracks VM snapshots at the VM level, so the VM in the new protection group does not have to be reseeded when taking a new snapshot. When a VM is moved from one protection group to another, VMware Live Cyber Recovery only requires incremental snapshots when the VM is in the new group.

App-consistent Snapshots with Quiescing

For powered-on VMs with VMware Tools installed, you can create protection groups that take quiesced snapshots. Quiescing pauses or alters the state of running processes on the VM to guarantee a consistent state of any applications running at the time a snapshot is taken. So when you restore the VM, you recover applications to the state they were in at the time the snapshot was taken.

Requirements for quiescing:
  • VM is powered on.
  • VMware Tools installed and running. VMware Tools requires Windows Volume Shadow Copy Service (VSS) or protection groups cannot take quiesced snapshots. Windows VMs require VMware Tools version 10.x and above.
  • High-frequency snapshots only:
    • VMware ESXi must be 8.0U3b or higher to quiesce high-frequency snapshots.
    • Quiescing high-frequency snapshots is not supported on protected VMware Cloud on AWS SDDCs.
  • Linux VMs only: Pre-freeze and post-thaw scripts installed on the VM. VMware Tools must be version 10.2 or above.

Preparing Linux VMs for Ransomware Recovery

If you plan to use the ransomware recovery feature with production Linux VMs, you should prepare those VMs for recovery by installing the Carbon Black Launcher on them before they are added to a protection group and snapshotted.
Note: Windows VMs already have the Carbon Black Cloud launcher embedded into the VMware Tools executable, so you do not need to manually install the launcher on Windows VMs.

Having the launcher present on Linux VMs allows VMware Live Cyber Recovery to automatically install the security sensor needed for ransomware recovery.

In this situation, the sensor is installed when you run the plan and start a VM in the validation process. For more information, see Carbon Black Launcher and configure a recovery plan for ransomware recovery.

If you do not want the sensor installed automatically, see Manual Sensor Installation.