What components require protection?
Every private cloud is different, so each organization's backup requirements will also vary. As a general rule, backing up a Microsoft private cloud environment means backing up the Azure Pack server, every Hyper-V host, SCVMM and its database, and the Service Provider Foundation and its database, because Azure Pack cannot drive SCVMM without it.
Azure Pack is a web application that provides tenant and administrative access to the private cloud environment. A server running Azure Pack requires IIS, the Virtual Machine Manager console, the Service Provider Foundation (which ships with System Center Orchestrator) and a few other miscellaneous components (such as the .NET Framework). Azure Pack also keeps its configuration and tenant data in its own set of SQL Server databases, and those need to be backed up alongside the portal server itself; a rebuilt portal with no database has no tenants, plans or subscriptions.
As you prepare to back up a Microsoft private cloud environment, it is extremely important to include Active Directory. Microsoft private clouds require several different service accounts to function, and the Hyper-V hosts, the SCVMM server and the Azure Pack server are all domain-joined computers. Those accounts exist in the Active Directory database: if the domain has to be rebuilt rather than restored, the restored servers come back pointing at accounts and SIDs that no longer exist, and their services will not start.
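As an added example (not part of the original article), the following PowerShell captures the pieces named above that are easy to forget: the SQL Server databases behind SCVMM, the Service Provider Foundation and Azure Pack, and the Active Directory system state that holds the service accounts. It assumes the SqlServer and WindowsServerBackup modules are installed, an instance name of SQL01\PRIVATECLOUD, a target share \\BACKUP01\PrivateCloud and a domain NetBIOS name CONTOSO; all three are placeholders. The database names VirtualManagerDB, SCSPFDB and Microsoft.MgmtSvc.* are the product defaults and should be confirmed in your own environment.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Instance name, share path and
# domain name are assumptions. Database names are the product defaults; confirm
# them with Get-SqlDatabase before relying on this list.
Import-Module SqlServer
Import-Module WindowsServerBackup

$SqlInstance = 'SQL01\PRIVATECLOUD'        # assumption: instance hosting the SCVMM, SPF and Azure Pack databases
$BackupRoot  = '\\BACKUP01\PrivateCloud'   # assumption: backup target share (SQL service account needs write access)
$Domain      = 'CONTOSO'                   # assumption: NetBIOS name of the AD domain

function Get-PrivateCloudServiceAccount {
    # Lists the domain accounts that services on this server run under. These
    # are the accounts only an Active Directory backup can bring back, which is
    # why the system-state backup below is part of the job.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -like "$Domain\*" } |
        Select-Object Name, StartName, State
}

function Backup-PrivateCloudDatabase {
    # Full, checksummed backups of the SCVMM, SPF and Azure Pack databases.
    # Azure Pack creates one Microsoft.MgmtSvc.* database per component, so they
    # are enumerated rather than hard-coded; a resource provider installed after
    # this script was written is then picked up automatically.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $databases = @('VirtualManagerDB', 'SCSPFDB') +
        (Get-SqlDatabase -ServerInstance $SqlInstance |
            Where-Object Name -like 'Microsoft.MgmtSvc.*' |
            Select-Object -ExpandProperty Name)

    foreach ($db in $databases) {
        $file = Join-Path $BackupRoot "$db-$stamp.bak"
        Backup-SqlDatabase -ServerInstance $SqlInstance -Database $db -BackupFile $file `
            -BackupAction Database -Checksum -CompressionOption On
        # Verify the file is readable now rather than discovering a bad backup
        # at restore time.
        Invoke-Sqlcmd -ServerInstance $SqlInstance `
            -Query "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"
        $file
    }
}

function Backup-DomainControllerSystemState {
    # Run this on a domain controller. The system state includes the AD
    # database (ntds.dit) and SYSVOL, which is where the service accounts live.
    param([Parameter(Mandatory)][pscredential]$ShareCredential)
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy
    $target = New-WBBackupTarget -NetworkPath "$BackupRoot\$env:COMPUTERNAME-SystemState" `
        -Credential $ShareCredential
    Add-WBBackupTarget -Policy $policy -Target $target
    Set-WBVssBackupOptions -Policy $policy -VssFullBackup
    Start-WBBackup -Policy $policy
}

Get-PrivateCloudServiceAccount | Format-Table -AutoSize
Backup-PrivateCloudDatabase
# Only meaningful on a domain controller:
Backup-DomainControllerSystemState -ShareCredential (Get-Credential "$Domain\backupsvc")
```

The database and system-state functions normally run on different machines; the script is written so each function can be called on its own. Windows Server Backup keeps only one version of a system-state backup on a network share, so rotate the target folder if you need more than the latest copy.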
Backing up virtual machines
When backing up private cloud environments, a critical factor is tenant isolation. Private cloud environments generally provide self-service VM creation and management capabilities to authorized users. Such users are able to use the Azure Pack Tenant portal to build VMs from predefined templates. Once a VM has been created, users can configure and use it as they see fit.
Because users can do almost anything with the VMs they own, a private cloud environment must enforce tenant isolation. In doing so, the private cloud places each tenant's virtual machines onto a separate, isolated network segment. This isolation prevents any tenant from accessing (or even seeing) another tenant's VMs.
To put this concept into perspective, consider the way that public clouds such as Microsoft Azure or Amazon Web Services work. Public cloud providers have a number of different customers, each of whom creates their own VMs. A public cloud provider puts isolation boundaries into place to preserve each customer's security and privacy. These same boundaries also prevent the underlying cloud infrastructure from being exposed to customers. Microsoft private cloud environments use these same sorts of controls to provide tenant isolation.
So how can a backup administrator back up VMs that sit on a completely isolated network segment? There are two approaches. The first is a host-level backup: the Hyper-V host holds every VM's configuration and virtual hard disks regardless of which virtual network the VM is attached to, so backup software running on the host can protect tenant VMs without any network path into the tenant's segment. The second is a guest-level backup performed from inside the VM, which runs straight into the isolation problem.
If you need to perform a guest-level backup of a tenant VM, you will have to do more than install a backup agent into the virtual machine. Virtual network isolation makes the VM invisible to the backup server, so the agent has nothing to talk to. The workaround is to treat the job as a backup of a VM across the Internet: in most cases tenant VMs have outbound Internet access, so you may be able to establish a VPN connection that lets the backup server communicate with VMs on the isolated segment. Be clear about what this does to the isolation model. The VPN deliberately opens a path through the tenant boundary, the backup server becomes reachable from a machine the tenant fully controls, and if several tenants are backed up this way the backup server is a potential pivot between them. Firewall rules at both ends of the link must prevent anything other than backup traffic from crossing it, and the agent traffic itself should be authenticated and encrypted rather than trusting the tunnel alone.
Backing up a Microsoft private cloud is not overly difficult, although guest-level backups of tenant VMs are challenging, and every link you build to make them possible is a hole in the isolation you rely on. As a best practice, take host-level backups from the Hyper-V hosts and avoid guest-level backups of tenant VMs unless absolutely necessary.
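Both approaches in PowerShell, as an added example that is not part of the original article. The first function runs on a Hyper-V host and backs up every registered VM from the host, which needs no network path into any tenant segment. The second runs inside a tenant VM once the backup VPN is up and confines that link to backup traffic. Assumed values, all placeholders: a target share \\BACKUP01\HyperV, a VPN interface alias BackupVPN, a backup server address of 10.250.0.10 on the VPN, and agent ports TCP 5718-5719 (use the ports your backup product documents). The firewall half also assumes the VPN link carries IPv4 only.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Share path, interface alias,
# addresses and ports are assumptions to replace with your own values.

function Backup-TenantVmFromHost {
    # Host-level backup: run on the Hyper-V host. Windows Server Backup drives
    # the Hyper-V VSS writer, so a VM with Integration Services gets an
    # application-consistent backup and the tenant's isolated network is never
    # touched. VMs without Integration Services are saved and backed up cold.
    param(
        [string]$TargetPath = '\\BACKUP01\HyperV\' + $env:COMPUTERNAME,   # assumption
        [Parameter(Mandatory)][pscredential]$ShareCredential
    )
    Import-Module WindowsServerBackup
    $policy = New-WBPolicy
    # Every VM registered on this host, whatever VM network it is attached to.
    $vms = Get-WBVirtualMachine
    Add-WBVirtualMachine -Policy $policy -VirtualMachine $vms
    $target = New-WBBackupTarget -NetworkPath $TargetPath -Credential $ShareCredential
    Add-WBBackupTarget -Policy $policy -Target $target
    Set-WBVssBackupOptions -Policy $policy -VssFullBackup
    Start-WBBackup -Policy $policy
    $vms
}

function Protect-BackupVpnLink {
    # Guest-level backup: run inside the tenant VM after the VPN adapter is up.
    # Windows Firewall evaluates Block rules before Allow rules, so a blanket
    # "block this interface" rule would also kill the backup traffic. Instead,
    # the block rules name every address except the backup server, plus every
    # port on the backup server except the agent ports, and the allow rules are
    # scoped to the interface, the server and the agent ports.
    param(
        [string]$InterfaceAlias = 'BackupVPN',                               # assumption
        [string]$BackupServer   = '10.250.0.10',                             # assumption
        [string[]]$AgentPorts   = @('5718-5719'),                            # placeholder; your product's ports
        [string[]]$OtherPorts   = @('1-5717', '5720-65535'),                 # complement of $AgentPorts
        [string[]]$OtherHosts   = @('1.0.0.0-10.250.0.9', '10.250.0.11-223.255.255.255')  # all IPv4 except $BackupServer
    )
    $common = @{ InterfaceAlias = $InterfaceAlias; Profile = 'Any' }

    foreach ($dir in 'Inbound', 'Outbound') {
        # The agent port is the local port for inbound rules and the remote
        # port for outbound rules, so the port parameter name changes with $dir.
        $portName = if ($dir -eq 'Inbound') { 'LocalPort' } else { 'RemotePort' }
        $agent = @{ $portName = $AgentPorts }
        $other = @{ $portName = $OtherPorts }

        New-NetFirewallRule @common @agent -DisplayName "Backup VPN: allow agent ($dir)" `
            -Direction $dir -Action Allow -RemoteAddress $BackupServer -Protocol TCP
        # The backup server may reach only the agent ports: no RDP, SMB or
        # anything else another "all interfaces" allow rule might open.
        New-NetFirewallRule @common @other -DisplayName "Backup VPN: block other TCP from server ($dir)" `
            -Direction $dir -Action Block -RemoteAddress $BackupServer -Protocol TCP
        New-NetFirewallRule @common -DisplayName "Backup VPN: block UDP from server ($dir)" `
            -Direction $dir -Action Block -RemoteAddress $BackupServer -Protocol UDP
        # Nothing other than the backup server may use the link in either
        # direction, which is what keeps it from becoming a path to other tenants.
        New-NetFirewallRule @common -DisplayName "Backup VPN: block other hosts ($dir)" `
            -Direction $dir -Action Block -RemoteAddress $OtherHosts
    }
    Get-NetFirewallRule -DisplayName 'Backup VPN:*'
}

# On the Hyper-V host:   Backup-TenantVmFromHost -ShareCredential (Get-Credential)
# Inside the tenant VM:  Protect-BackupVpnLink
```

The block-before-allow ordering is the detail most often gotten wrong here; it is why the rules enumerate what to block rather than blocking the interface wholesale. Protocols other than TCP and UDP from the backup server (ICMP, for instance) are not covered by these rules and fall through to the profile's default action, so confirm that default is Block or add rules for them.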