CCAE Exam Preparation — Interactive Study Guide
cohesity/cohesity), Ansible (cohesity.dataprotect), and the cross-platform PowerShell module — and choose the right tool for each job.If Chapters 1 through 12 taught you how to design, deploy, secure, and protect data on individual Cohesity clusters, this chapter zooms out to the operating model an architect actually inherits in production: a fleet. Real CCAE-scale customers run anywhere from three or four clusters to several hundred, and they cannot afford for the same Gold protection policy to mean three different things in three different regions. The architectural answer is the Helios SaaS control plane plus the Marketplace and the automation stack.
Think of it this way: a single Cohesity cluster is a server. Helios is the cloud console for the whole fleet, and the automation tools are the deployment pipelines that keep that fleet in compliance with whatever the architecture document says it should be.
1. Which network direction does Helios require for cluster connectivity?
2. What flows from a managed cluster up to the Helios SaaS service?
3. A federal classified site forbids any outbound SaaS connectivity. Which Helios option fits?
Cohesity Helios is delivered as a SaaS service that aggregates and centralizes management of every Cohesity cluster a customer owns, regardless of whether those clusters live on-premises, in a public cloud, or in a hybrid topology. From an architect's standpoint, Helios is the single pane of glass that turns a fleet of independent clusters into one logical, policy-governed estate.
Architecturally, Helios is a multi-tenant cloud service hosted by Cohesity. Each customer gets a Helios account (a tenant), and clusters are bound to that account during onboarding. Connectivity from cluster to Helios is outbound HTTPS over TCP/443 — Cohesity does not require any inbound openings on customer firewalls, which is exactly what enterprise security architects want to hear. The cluster establishes a long-lived TLS session to Helios, sends telemetry, accepts pushed configuration, and exposes a relay channel for "Launch Cluster UI" proxying.
| Helios Layer | Responsibility | Lives Where |
|---|---|---|
| Helios UI / API | Single pane of glass; entry point for admins, APIs, dashboards | Cohesity SaaS |
| Helios services (telemetry, search index, reporting) | Aggregate cluster metadata, run anomaly detection | Cohesity SaaS |
| Cluster agent / Helios connector | Outbound HTTPS tunnel from each cluster | On each managed cluster |
| Data plane (SpanFS, Bridge, Magneto) | Stores and protects data; Helios does not see data, only metadata | On each managed cluster |
Onboarding is intentionally trivial: in the cluster UI under Settings → Helios Registration, the admin enters Helios credentials, Helios issues a registration token, and the cluster establishes the outbound tunnel. For dark sites or air-gapped environments where outbound HTTPS is forbidden, Cohesity offers Helios Self-Managed, a customer-hosted variant of the Helios services that runs on customer infrastructure and provides equivalent fleet management without depending on Cohesity's SaaS — the standard answer for federal classified environments and certain regulated banks.
Helios presents a unified, real-time view that aggregates health, capacity, protection status, SLA compliance, and performance metrics from every managed cluster. Federated global search lets an admin search for a VM, file, mailbox object, or database backup by name across the entire fleet. Federated RBAC layers on top: granular roles can be scoped to specific clusters, regions, organizations, or object types, sourced from Okta, Azure AD/Entra ID, AD, or any SAML 2.0 IdP.
Key Takeaway: Helios converts N independent Cohesity clusters into one managed estate over outbound-HTTPS only. Backup data stays put; metadata flows up; and Self-Managed Helios covers the dark-site case.
1. Which network direction does Helios require for cluster connectivity?
2. What flows from a managed cluster up to the Helios SaaS service?
3. A federal classified site forbids any outbound SaaS connectivity. Which Helios option fits?
4. In a DMaaS subscription, who owns cluster ops (upgrades, hardware, capacity)?
5. An EU customer is backing up M365 mailboxes via DMaaS. From a residency standpoint, which placement is acceptable?
6. Which is the most accurate cost-model contrast between on-prem DataProtect and DMaaS?
Helios is not just a console; it is also the entry point and management surface for Cohesity's Data Management as a Service offerings. DMaaS shifts the operating model from "I run the cluster" to "I subscribe to backup outcomes" — Cohesity operates the underlying clusters in the cloud, and the customer consumes them through Helios.
DMaaS bundles DataProtect, replication, archive, and recovery as a fully managed SaaS service. The customer points sources (VMs, M365 tenants, databases, NAS) at the DMaaS endpoint; Cohesity provisions the underlying SpanFS capacity, runs the backup jobs, manages upgrades, and meters consumption. There is no cluster to bootstrap, no node to replace, and no version to upgrade — the SLA covers the platform.
| Operating Model | Customer Owns | Cohesity Owns |
|---|---|---|
| Self-managed DataProtect (on-prem cluster) | Hardware, OS, network, cluster software, policies, sources | Software releases, support, Helios SaaS |
| Self-managed DataProtect (Cloud Edition) | Cloud VM/IaaS bill, cluster software ops, policies | Software, Helios SaaS |
| DMaaS | Sources, policies, RBAC, data residency choice | Cluster, capacity, upgrades, SLA, infrastructure |
| FortKnox cyber vault | Vault policies, recovery decisions | Vault infrastructure (immutable, air-gapped) |
DMaaS is provisioned into specific cloud regions (AWS or Azure, depending on offering). The architect's job is to map regulatory boundaries — GDPR for EU data, sovereignty laws in countries like Germany, Switzerland, India, Australia, Canada — to a region selection. Backup data carries the same residency obligations as primary data; picking a US region for an EU tenant's M365 backups is not an option you can quietly hand-wave past an auditor. Helios surfaces region choice during DMaaS subscription and pins data residency for the lifetime of the tenant.
DMaaS is sold on a subscription basis (typically per FETB-month or per workload tier), versus the perpetual or term license model common to self-managed DataProtect. This shifts the economics from CapEx + ongoing maintenance to pure OpEx. Architects sizing DMaaS apply the same FETB and change-rate inputs from Chapter 3 but must additionally model:
| Concern | On-Prem DataProtect | DMaaS |
|---|---|---|
| Cluster ops (upgrades, hardware) | Customer | Cohesity |
| Capacity planning | Customer (sizing tool, refresh cycles) | Cohesity (elastic) |
| Network ingress | LAN-speed to cluster | WAN egress to cloud (mind change rate) |
| Data residency | Wherever you put the cluster | Region selection at subscription time |
| Cost model | CapEx + maintenance | OpEx subscription |
| Best fit | Large, dense, predictable workloads; latency-sensitive recoveries | M365, branch offices, cloud-native apps, fast time-to-value |
Key Takeaway: DMaaS is DataProtect-as-a-managed-SaaS. Architects pick a region for residency, subscribe by FETB/workload, and consume backup as an outcome rather than an appliance.
4. In a DMaaS subscription, who owns cluster ops (upgrades, hardware, capacity)?
5. An EU customer is backing up M365 mailboxes via DMaaS. From a residency standpoint, which placement is acceptable?
6. Which is the most accurate cost-model contrast between on-prem DataProtect and DMaaS?
7. What runtime executes Marketplace apps on a Cohesity cluster?
8. In an AppSpec YAML, what does network.egress: false guarantee?
9. How does a Marketplace app gain access to backup data?
The Cohesity Marketplace is the storefront and delivery mechanism for first- and third-party applications that run directly on the Cohesity DataPlatform. The architectural value proposition is compute at data: instead of egressing backup data to a separate analytics, AV, or compliance system, applications run in containers next to SpanFS where the data already lives.
Apps are packaged as Docker images plus a Cohesity AppSpec — a Kubernetes-style YAML descriptor extended with Cohesity-specific fields. The cluster's container runtime, Apollo (introduced in the Pegasus 6.3 release line), executes the image. The AppSpec declares resources, view mounts, network requirements, and lifecycle hooks.
apiVersion: cohesity.com/v1
kind: App
metadata:
name: clamav-scanner
version: 1.4.0
spec:
image: cohesity-marketplace/clamav:1.4.0
resources:
cpu: "2"
memory: "4Gi"
views:
- name: vm-backups
mountPath: /mnt/backups
mode: ReadOnly
network:
egress: false
lifecycle:
onStart: /opt/clamav/scan.shThree security properties matter:
views — the only sanctioned data path. The app sees backup data through view mounts (NFS/SMB-backed), restricted to admin-authorized views. There is no direct SpanFS access.network.egress: false — apps can be locked into air-gapped operation, supporting dark-site and high-security deployments.resources — Apollo enforces CPU/memory quotas, so a misbehaving app cannot starve the cluster.| App | Purpose | Typical Use Case |
|---|---|---|
| SentinelOne | Endpoint/AV scanning of backup data, no internet egress required | Validate backups are clean before relying on them for recovery |
| ClamAV | Open-source antivirus scanning of NAS and VM snapshots | Cost-effective AV for compliance check-the-box |
| Sophos | Commercial AV alternative | Enterprise environments standardized on Sophos |
| Splunk Enterprise | Log analytics / SIEM ingest running on the cluster | Search audit logs and backup metadata in place |
| Imanis Data | NoSQL/Hadoop backup integration | MongoDB, Cassandra, Hadoop, Couchbase backup |
Cohesity ships two SDKs: the App SDK (primitives like cohesity_mount for view mounting) and the Management SDK (REST API surface from inside the container). The publish flow is build → AppSpec validate (appspecvalidator) → Cohesity vetting (developer@cohesity.com) → list. Vetting + isolation + view scoping form a defense-in-depth posture that makes "third-party code on my backup cluster" an acceptable architectural decision.
network.egress: false enables air-gapped app operation, ideal for dark sites and SentinelOne-style scanning.Key Takeaway: Marketplace turns a Cohesity cluster into a compute-at-data platform — Docker containers isolated by Apollo, scoped to admin-authorized views, with optional internet air-gap.
7. What runtime executes Marketplace apps on a Cohesity cluster?
8. In an AppSpec YAML, what does network.egress: false guarantee?
9. How does a Marketplace app gain access to backup data?
10. An architect wants declarative IaC with state and drift detection for cluster-side policies and protection groups. Which tool fits best?
cohesity.dataprotect collectioncohesity/cohesity provider11. Which task is the most natural fit for the Ansible cohesity.dataprotect collection?
12. A ServiceNow workflow needs to trigger a Cohesity recovery from an incident ticket. Which integration approach is most appropriate?
13. Which statement is TRUE about Cohesity's automation tooling layering?
Helios and Marketplace solve the interactive operating model. The programmatic operating model is REST API v2 plus the language-specific wrappers — Terraform, Ansible, and PowerShell. At CCAE scale, automating policy and protection-group management is the only scalable path; manually clicking through hundreds of policies across dozens of clusters is both error-prone and untraceable.
All higher-level tools sit on top of the cluster's REST API v2 (cluster 6.3.1+). It covers protection groups, policies, sources, storage domains, views, alerts, recoveries, and tenants. Direct REST is the right choice when no higher-level wrapper exists, or for purpose-built integrations with ITSM (ServiceNow), SIEM (Splunk, Sentinel), or custom self-service portals.
TOKEN=$(curl -sk -X POST https://cluster.example.com/v2/mcm/access-tokens \
-H 'Content-Type: application/json' \
-d '{"username":"admin","password":"'"$PWD"'","domain":"LOCAL"}' \
| jq -r .accessToken)
curl -sk -H "Authorization: Bearer $TOKEN" \
https://cluster.example.com/v2/data-protect/protection-groups| Dimension | Terraform | Ansible | PowerShell | Raw REST v2 |
|---|---|---|---|---|
| Paradigm | Declarative IaC | Imperative + idempotent push | Imperative scripting | Direct HTTP |
| State | Yes (.tfstate) | None | None | None |
| Best for | Cluster config: policies, groups, views, RBAC, replication | Source-side: agent installs, source registration, ad-hoc jobs | Windows ops, ad-hoc reporting | ITSM/SIEM webhooks, custom portals, gap-fill |
| CI/CD fit | Excellent (plan/apply, drift) | Good (AAP / Tower) | Moderate | Excellent (any HTTP-aware tool) |
| Drift detect | First-class | Re-runs converge | Manual | Manual |
| Skill | Medium (HCL, state) | Low–medium (YAML) | Low for Windows admins | High for non-trivial flows |
| Owner | Platform / SRE | Server / source team | Windows ops | Integration / dev team |
Architect rule of thumb: Terraform for cluster-side IaC, Ansible for source-side push, PowerShell for Windows-native ops, REST when nothing else fits. All four are thin layers over REST API v2 — pick the right ergonomics for the job.
The architectural payoff: every Cohesity cluster in the fleet has a Gold-1h-30d-1y policy that means exactly the same thing — 1-hour incremental, 30-day local retention, 1-year archive, app-consistent VMware snapshots, indexed for search, weekly archive cadence. A change request to extend retention to 45 days is a one-line PR that cascades to every cluster on merge.
resource "cohesity_protection_policy" "gold" {
name = "Gold-1h-30d-1y"
description = "Tier 1: 1h RPO, 30d local retention, 1y archive"
backup_policy {
regular {
incremental {
schedule { unit = "Hours" hour_schedule { frequency = 1 } }
}
retention { unit = "Days" duration = 30 }
}
}
remote_target_policy {
archival_targets {
target_id = var.archive_target_id
schedule { unit = "Weeks" frequency = 1 }
retention { unit = "Years" duration = 1 }
}
}
}
resource "cohesity_protection_group" "tier1_vms" {
name = "Tier1-VMware-Gold"
policy_id = cohesity_protection_policy.gold.id
environment = "kVMware"
vmware_params {
source_id = var.vcenter_source_id
object_ids = var.vm_object_ids
app_consistent_snapshot = true
indexing_policy { enable_indexing = true }
}
}plan.Key Takeaway: Treat backup configuration as code. Pair Terraform (cluster-side) with Ansible (source-side), use PowerShell for Windows ops, and call REST when nothing else fits. Every cluster in the fleet gets the same Gold policy from the same Git PR.
10. An architect wants declarative IaC with state and drift detection for cluster-side policies and protection groups. Which tool fits best?
cohesity.dataprotect collectioncohesity/cohesity provider11. Which task is the most natural fit for the Ansible cohesity.dataprotect collection?
12. A ServiceNow workflow needs to trigger a Cohesity recovery from an incident ticket. Which integration approach is most appropriate?
13. Which statement is TRUE about Cohesity's automation tooling layering?
Helios is the architectural answer to fleet sprawl — a SaaS control plane with outbound-HTTPS-only connectivity that converts any number of independent Cohesity clusters into one managed estate, with shared dashboards, federated RBAC, global search, anomaly detection, and centralized policy authoring. Helios Self-Managed delivers the same model on customer infrastructure for dark sites. DMaaS extends Helios into a fully managed subscription where Cohesity operates the cluster — region selection pins residency.
The Marketplace brings third-party compute to where the data already lives: Apollo (Docker runtime) executes apps declared by AppSpec YAML, isolated by container boundaries, scoped to admin-authorized view mounts, optionally air-gapped. The automation stack — REST API v2 plus Terraform, Ansible, and PowerShell — is the programmatic counterpart, with Git, CI/CD, and policy review keeping the fleet honest.