You can use an on-premises Cleanroom recovery site to restore and test critical data in an isolated, air-gapped environment using a HyperScale X vault and a customer-provided ESXi server.
Overview
The on-premises cleanroom feature enables you to deploy a fully functional, isolated recovery environment (IRE) directly within your own infrastructure. This configuration uses a HyperScale X air-gapped vault to securely store your backup data, ensuring that your critical data remains protected from network-borne threats. When you initiate a cleanroom recovery operation, the system orchestrates the recovery of the control plane into the isolated environment.
Because the environment is entirely on-premises, you maintain complete control over the underlying hardware and network isolation. The automated orchestration process deploys a new CommServe server from an OVA file, upgrades the software to match your production environment, and restores the database using the latest disaster recovery (DR) backup set.
Architecture
The on-premises cleanroom architecture separates the production environment from the isolated recovery environment.
During normal operations, the production CommServe server replicates critical data, including DR backup sets, Threat Scan signatures, and the CommServe server OVA file. These backups are replicated to the HyperScale X air-gapped vault.
You must manually download the CommServe CIS-hardened OVA file from the store and then copy it to the folder CleanroomMetaData on the production CommServe server. This folder sits at the same level as the DR directory (it is a sibling of the DR directory, not inside it).
For example:
- Linux
  - DR location: /opt/commvaultDR
  - OVA file location: /opt/CleanroomMetaData
- Windows
  - DR location: E:\Commvault\CommvaultDR
  - OVA file location: E:\Commvault\CleanroomMetaData
When the production environment is upgraded to a newer release or maintenance pack, download the same or a higher-version OVA file and copy it to the same directory. Once the OVA file is in place, it is automatically included in the replication workflow.
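The folder layout above (CleanroomMetaData beside the DR directory, holding the OVA that replication picks up) is easy to get wrong, so the following pre-flight check is an added example, not Commvault's own tooling. It derives the expected CleanroomMetaData path from a DR location, works for both Linux and Windows path styles, and then inspects the file system to confirm the folder exists and holds an OVA. The sample layout it builds in a temporary directory is constructed for the demo; the file names in it are placeholders, not real backup data or a real OVA.

```python
"""Pre-flight check for the on-premises cleanroom OVA staging folder.

Added example, not Commvault's own tooling. It verifies that the
CleanroomMetaData folder sits at the same level as the DR directory and
that an OVA file is staged there for replication to the HyperScale X vault.
"""
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

METADATA_DIR_NAME = "CleanroomMetaData"  # folder name from the documentation


def expected_metadata_dir(dr_location, windows=False):
    """Return the CleanroomMetaData path that belongs beside the DR directory.

    Pure paths are used so a Windows DR location (E:\\Commvault\\CommvaultDR)
    can be computed on a Linux host and vice versa.
    """
    path_cls = PureWindowsPath if windows else PurePosixPath
    return path_cls(dr_location).parent / METADATA_DIR_NAME


def check_cleanroom_layout(dr_location):
    """Inspect the file system for the given DR directory.

    Returns (problems, ova_names): problems is a list of human-readable
    findings (empty means the layout is ready); ova_names lists the OVA
    files found in CleanroomMetaData, sorted by name.
    """
    problems = []
    dr_dir = Path(dr_location)
    if not dr_dir.is_dir():
        problems.append(f"DR directory not found: {dr_dir}")
    meta_dir = dr_dir.parent / METADATA_DIR_NAME
    if not meta_dir.is_dir():
        problems.append(f"{METADATA_DIR_NAME} folder missing beside DR directory: {meta_dir}")
        return problems, []
    ova_names = sorted(
        p.name for p in meta_dir.iterdir()
        if p.is_file() and p.suffix.lower() == ".ova"
    )
    if not ova_names:
        problems.append(f"no OVA file staged in {meta_dir}; download it from the store and copy it here")
    return problems, ova_names


def build_sample_layout(stage_ova=True):
    """Create a constructed sample layout in a temp directory and return the DR path.

    Everything written here is a placeholder for the demo, not real data.
    """
    root = Path(tempfile.mkdtemp(prefix="cleanroom_demo_"))
    dr_dir = root / "commvaultDR"
    dr_dir.mkdir()
    (dr_dir / "DR_SET_placeholder").write_text("constructed DR backup set placeholder\n")
    meta_dir = root / METADATA_DIR_NAME
    meta_dir.mkdir()
    if stage_ova:
        (meta_dir / "CommServe_CIS_placeholder.ova").write_bytes(b"constructed placeholder, not a real OVA")
    return dr_dir


if __name__ == "__main__":
    # Stand-alone run: show the derived paths for both examples, then check a
    # constructed layout with and without a staged OVA.
    print(expected_metadata_dir("/opt/commvaultDR"))
    print(expected_metadata_dir(r"E:\Commvault\CommvaultDR", windows=True))
    for staged in (True, False):
        problems, ovas = check_cleanroom_layout(build_sample_layout(stage_ova=staged))
        print("staged OVA:", staged, "->", "OK" if not problems else problems, ovas)
```

Run it against the real DR location on the production CommServe server (for example `check_cleanroom_layout("/opt/commvaultDR")`) after each upgrade as well, since the page expects the same or a higher-version OVA to be re-staged whenever production moves to a newer release or maintenance pack.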
When a cyber incident or testing event occurs, you use a command-line orchestration tool directly from the HyperScale X nodes.
Note
The orchestration tool must be launched as the restricted user cvbackupadmin. Root is disabled on the HyperScale X nodes, so this restricted user is the only way to launch the tool.
The orchestration tool connects to a customer-provided ESXi server inside the IRE. It deploys the recovery CommServe server as a virtual machine, configures the necessary network sharing to access the replicated DR data, and installs a second instance of the Commvault software on the HyperScale X nodes. This second instance is registered to the recovery CommServe server (or cleanroom/IRE CommServe server), and serves as the MediaAgent to read data from the vault nodes for all recoveries within the IRE.
Infrastructure requirements
To support an on-premises cleanroom, your environment must include the following infrastructure components within the isolated network:
- Hypervisor: A customer-provided ESXi server managed by VMware vCenter. This server hosts the recovery CommServe server virtual machine.
- Storage: Sufficient datastore capacity on the ESXi server to deploy and run the recovery CommServe server.
- Vault: A HyperScale X cluster configured as an air-gapped vault (bunker site). Ensure that dedicated ports on the vault nodes are configured on the VLAN within the IRE. The ESXi server must be configured on the same VLAN and must be added as a host in vSphere.
- Authentication: Valid vSphere administrative credentials to authenticate and deploy virtual machines to the ESXi server.
Network and VLAN requirements
Proper network isolation is critical for the on-premises cleanroom. You must configure your network to meet the following requirements:
- Isolated VLAN: All HyperScale X bunker nodes and the ESXi server must reside on the same isolated recovery environment (IRE) VLAN. This ensures that the recovered CommServe server can communicate with the vault nodes without exposing the environment to the production network.
- HSX node ports: You must configure two additional network ports per HyperScale X node specifically for the IRE network.
- IP addressing: The isolated network must either support DHCP for automatic IP assignment to the recovery CommServe server, or you must have a dedicated static IP address available for manual assignment during orchestration.