Welcome back to the VMware SDDC series for what will become Part 9; a little like the original Star Wars movies, we are playing with the order of release :). Parts 1-4 can be found here on my OCTO bio and cover the core components of the VMware Cloud Foundation (VCF) architecture around Storage and Networking. Parts 5 & 6 complete the core elements of Compute and Operations and can again be found on my OCTO bio here. Parts 7, 8 and 9 cover some of the innovations that VMware by Broadcom is building onto the VCF foundation: Private AI, Data Services Manager and Live Recovery. As we write this post at VMware Explore Barcelona (Nov 2024), this innovation is now known as Advanced Services and will be layered onto the VCF platform.
VCF with Advanced Services
Following Explore, we now have the future vision for Cloud Foundation and how it breaks down into three key layers. First, the Build and Operate layers that make up the core of VCF (ESXi, vSAN, NSX) are curated to enable the cloud admin to operate the physical components of the stack. Secondly, we have the developer interfaces that allow developers to focus on writing code. Finally, we have a suite of advanced services to complete the cloud-like experience.
At Explore, we got a full view of this catalogue of advanced services, some of which we have known about for some time now, such as Tanzu Container Operations, Avi Load Balancing, and Advanced Security capabilities. Others are new additions and are the topics of the later SDDC series articles: Part 7 (Private AI), Part 8 (Data Services), and this release (Part 9), all about Live Recovery. As we look towards the release of VCF 9 around springtime 2025, we expect to see these services integrated into the core VCF platform.
Customer Choice
One of the repeating messages from VMware is providing customer choice (as long as it’s running on the core VCF architecture!). We have seen this with the release of native K8s on vSphere, allowing customers to choose Tanzu orchestration capabilities or roll their own preferred container operations. We have VCF available on multiple hardware platforms, major hyperscale clouds, and many partner platforms (like CDW ServiceWorks). With the new licence portability rules, customers can adopt VCF in their location of choice.
We are also seeing the same trend with Live Recovery Services. Once an AWS-only offering that had to be managed by VMware, it now gives us more choice in how and where we run our Cyber Defence solutions.
VMware Live Recovery
So, let’s dive into VMware Live Recovery (VLR), the third of the new advanced services. At a simple level, VLR is a combination of two existing VMware services: Site Recovery Manager (SRM) and what was called VMware Cloud Disaster Recovery (VCDR), later renamed Live Cyber Recovery. SRM is an established orchestration tool for traditional disaster scenarios, so we won’t spend much time covering it; the important note is that, from a licensing perspective, you get both capabilities in VLR. Live Cyber Recovery is the focus of VLR, and it brings the automation and simplification required when recovering from a cyber incident.
If we look at VLR as a component in the wider Cyber Resilient Private Cloud, we can see an integrated stack of technologies to help build your defence-in-depth strategy: validated, hardened core infrastructure provided by VCF; advanced networking capabilities providing advanced defence; and VLR ensuring an effective recovery option for when the worst happens.
When we look at the core elements of VLR, we can break them down into three major components:
Unified Protection: secure replication of VMware workloads into an air-gapped environment, all orchestrated from an external management plane to ensure isolation from lateral threats.
Accelerated Recovery: guided workflows and technology that allow rapid iteration through infected systems to find known-good restore points, then attaching an Isolated Recovery Environment with micro-segmentation to ensure no re-infection events.
Simple Consumption: a single subscription covering traditional disaster and cyber recovery for complete peace of mind.
So, how does it work? Let’s look at each step of the process.
Immutable Replication:
Step one is to get your critical data into the recovery environment. This is achieved by an included replication engine fully orchestrated from the external VLR management plane. With a full air gap and immutable storage capabilities, this pull mechanism ensures that any breach of the production site cannot make a lateral move into the recovery environment. Storing snapshots in a secure, managed scale-out cloud file system ensures the solution preserves data integrity during recovery.
Guided Workflows:
VLR streamlines and automates recovery with guided ransomware recovery workflows that provide guided restore-point selection and quick iterations to allow rapid identification of good backups. These workflows are augmented by embedded behavioural analytics that can quickly validate images as clean and good for restoration.
IT admins can leverage a step-by-step guided workflow that integrates identification, validation and restoration of recovery points within a single UI. Given the pressure that most IT (yes, IT, not Security) teams will be under during a recovery exercise, guard rails and automation help ensure the quickest restore time. As the team iterates through the restore points, each can be marked and tagged so that no accidental restore of a compromised point can cause reinfection.
Isolated Recovery Environment (IRE):
VLR provides on-demand provisioning of a fully managed IRE to help prevent reinfection scenarios and provide a secure platform for running business services. With push-button workload network isolation, VLR can isolate VMs from one another at restore time to prevent lateral movement of ransomware and reinfection of the production environment or existing restored workloads. With options for on-demand or pilot-light IRE capacity, the solution offers choice, sensible upfront costs, and recovery speed.
This IRE can run critical services and ensure business continuity during the cyber event, leaving production systems free for investigation teams to complete any required forensics activities.
Replicate to Production:
Finally, we can replicate back to production infrastructure once it has been reprovisioned following clean-up activities. This could be the original platform or any other VMware-compliant architecture (self-managed, partner-managed, or CSP-hosted).
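To make the four steps above concrete, here is an added toy model in Python. It is not VMware code and does not use the VLR API; every class and function name (ImmutableVault, find_latest_clean, IsolatedRecoveryEnvironment, and the demo timeline) is an assumption constructed for illustration. It models the vault as an append-only store that pulls snapshots itself, the guided iteration as a binary search across restore points driven by a scan callback (standing in for the EDR check), the tagging guard rail that refuses to restore anything not tagged clean, and deny-by-default network isolation between VMs restored into the IRE.

```python
"""Toy model of the cyber-recovery workflow (constructed example, not VLR's API)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Snapshot:
    vm: str
    taken_at: datetime
    image: str  # stand-in for a disk image; constructed text for the demo


class ImmutableVault:
    """Append-only restore-point store. Points can be read and tagged, but nothing
    here can overwrite or delete one; that is the 'immutable' property."""

    def __init__(self) -> None:
        self._points: Dict[str, List[Snapshot]] = {}
        self._tags: Dict[Tuple[str, datetime], str] = {}

    def pull(self, fetch: Callable[[str], Snapshot], vm: str) -> Snapshot:
        """The vault initiates the copy (pull model): production is handed no
        credential or handle to the vault, so a breached source cannot reach in."""
        snap = fetch(vm)
        points = self._points.setdefault(vm, [])
        points.append(snap)
        points.sort(key=lambda s: s.taken_at)
        return snap

    def restore_points(self, vm: str) -> List[Snapshot]:
        return list(self._points.get(vm, []))

    def tag(self, snap: Snapshot, verdict: str) -> None:
        self._tags[(snap.vm, snap.taken_at)] = verdict

    def tag_of(self, snap: Snapshot) -> Optional[str]:
        return self._tags.get((snap.vm, snap.taken_at))


def find_latest_clean(vault: ImmutableVault, vm: str,
                      scan: Callable[[Snapshot], bool]) -> Tuple[Optional[Snapshot], int]:
    """Binary-search the chronological restore points for the newest clean one.
    Assumes compromise is monotone (once infected, later points stay infected),
    so only O(log n) scans are needed. Every scanned point is tagged in the vault.
    Returns (best_point_or_None, number_of_scans)."""
    points = vault.restore_points(vm)
    lo, hi, best, scans = 0, len(points) - 1, None, 0
    while lo <= hi:
        mid = (lo + hi) // 2
        snap = points[mid]
        verdict = vault.tag_of(snap)
        if verdict is None:  # only scan points not already judged
            scans += 1
            verdict = "clean" if scan(snap) else "infected"
            vault.tag(snap, verdict)
        if verdict == "clean":
            best, lo = snap, mid + 1
        else:
            hi = mid - 1
    return best, scans


class IsolatedRecoveryEnvironment:
    """Restored VMs land with no network reachability to each other unless a
    rule is added explicitly (micro-segmentation, deny by default)."""

    def __init__(self) -> None:
        self.vms: Dict[str, Snapshot] = {}
        self._allowed: Set[frozenset] = set()

    def restore(self, vault: ImmutableVault, snap: Snapshot) -> None:
        if vault.tag_of(snap) != "clean":  # guard rail against accidental restores
            raise PermissionError(f"{snap.vm}@{snap.taken_at:%Y-%m-%d} is not tagged clean")
        self.vms[snap.vm] = snap

    def allow(self, a: str, b: str) -> None:
        self._allowed.add(frozenset((a, b)))

    def can_talk(self, a: str, b: str) -> bool:
        return frozenset((a, b)) in self._allowed


def demo() -> dict:
    """Constructed timeline: eight daily snapshots of 'app01'; the implant first
    appears in the day-5 image, so day 4 is the latest known-good point."""
    base = datetime(2024, 11, 1)
    images = ["app,db"] * 4 + ["app,db,dropper.exe"] * 4
    vault = ImmutableVault()
    for day, image in enumerate(images):
        taken = base + timedelta(days=day)
        vault.pull(lambda vm, t=taken, i=image: Snapshot(vm, t, i), "app01")
    scan = lambda snap: "dropper" not in snap.image  # stand-in for an EDR verdict
    best, scans = find_latest_clean(vault, "app01", scan)
    ire = IsolatedRecoveryEnvironment()
    ire.restore(vault, best)
    return {"latest_clean": best, "scans": scans, "vault": vault, "ire": ire}


if __name__ == "__main__":
    r = demo()
    print(f"restore {r['latest_clean'].taken_at:%Y-%m-%d} after {r['scans']} scans of 8 points")
```

The binary search is what makes "rapid iteration" possible: with eight daily points only three scans are needed, and in a real estate with hundreds of restore points the saving is larger still. The monotone-compromise assumption is the one to question in practice, which is why every verdict is persisted as a tag and the IRE refuses anything not explicitly marked clean.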
Why now?
So why do solutions like VLR matter in the here and now? Simply put, backups alone are not enough anymore (and have not been for quite some time now); recovering from ransomware is very different from recovering from a traditional disaster. Attacks are not just targeting files anymore; we have advanced persistent threats embedded deeply into operating systems, increasing the risk of double infection. Extended dwell times mean we cannot be sure when to recover to, or whether a backup can be trusted. This is further exacerbated by the fact that different systems will have different known-good states. Combine all this with the business impact, ransom negotiation, reputational challenges, and regulatory reporting, and we have a highly complex recovery environment.
Anything your data protection technologies can do to assist IT teams in navigating this complexity should be welcomed. Guided workflows and automation that ensure faster recovery could be the difference between survival and going out of business.
New Announcements from Explore 2024
As we exit the VMware Explore events, we have a much clearer view of how customers can adopt the VLR portfolio. After the VCF 9 release, we expect VLR target options to exist in AWS, GCP, and any on-premises VCF 9 deployment, giving customers more options to leverage their investments in VCF cores.
VLR embedded into VCF 9
VCF 9.0 (late spring) will include the ability to deliver a secure air-gapped data vault and Isolated Recovery Environment (IRE) for use during a ransomware recovery process, fully API-driven for integration into Service Management processes; this will be a validated design from VMware. The other good news is that the source sites can be vSphere 8.0 U3 and above, along with VCF 5.1 and above. This means a journey to VCF 9 could start with deploying your Cyber Recovery environment.
The implication here is that the core capabilities of VLR will be baked into VCF 9 as native features. vSAN ESA will bring the immutable vault capabilities to act as the target for data replication. As with the original VCDR solution, this will be air-gapped and managed as a pull replication to ensure isolation from production and from lateral threat-actor movement (NSX will play a core part here, with the configuration curated by VLR). This replication ESA cluster will be a two-node minimum configuration and sit separately from the production and IRE environments. Next will be a VCF 9 cluster to act as the IRE, which can be scaled to support the required recovery activities. On Day One, we expect this to be fully API-driven for integration into an enterprise workflow. With VCF 9.1, we hope to see the VLR GUI become the on-premises solution and open up wider adoption.
For the eagle-eyed, a core component of VLR is the EDR capability used to validate restore points. On day one, VMware Carbon Black will continue to provide this capability. We expect to see additional EDR tooling available, with CrowdStrike likely to be the first.
AWS will have two models
The existing VMC on AWS offering for VLR will remain based on the currently deployed operating model and code base; this is expected to be the case for the foreseeable future. With AWS announcing the Elastic VMware Service (EVS), a new native AWS service leveraging VCF 9 (late spring GA is expected), this will provide a second target for VLR, given the native capabilities built into VCF 9.
Google Cloud Support
By summer 2025, we expect to see the full VLR stack come to GCP, but this is not a fully confirmed outcome, so it is subject to the usual roadmap changes we see from any vendor.
Azure Thoughts
Once VCF 9 goes live, the native capabilities for becoming a VLR target will be present. This would allow any hosting provider leveraging VCF 9 to offer a target for VLR. In the case of Azure, this will be a Microsoft decision, and VMware could not provide any detail on the intentions in this space. This is one to watch as we move into the middle of 2025.
Summary
For customers with VMware estates, VLR offers a solution for orchestrating and operationally implementing two key challenges: Disaster Recovery and Cyber Recovery. Given the complexity of modern recovery activities, even in relatively small environments, knowing you have secure copies of your critical data, a place to recover that is out of reach of the threat actor, and tooling to streamline the process is critical. The interface and guided workflows built into VLR are well worth a demo if you are considering the future of your Data Protection requirements.
Contributors
-
Rob Sims
Chief Technologist - Hybrid Platforms