Question

Implementing Secure Snapshots & Approval Policies

  • April 27, 2026
  • 4 replies
  • 24 views

Daniel Martinez

Hi 

I have a customer that is asking me for some feature on Nutanix (AHV) that may provide some kind of immutability for the VM snapshots, so in the event of an admin account hack the snapshots could not be destroyed.

I was looking for something like that on AHV and I discovered Secure Snapshots with Approval Policies in Prism Central and I’d like to confirm a few points regarding requirements and licensing.

https://portal.nutanix.com/page/documents/details?targetId=Disaster-Recovery-DRaaS-Guide-vpc_7_5:ecd-approval-policies-dr-pc-c.html

Context:

  • The customer has two AHV clusters, each one with its own Prism Central
  • Licensing: NCI Pro + Advanced Replication add-on (Metro/Sync already in use) + NUS Pro
  • Goal: prevent accidental or malicious deletion of snapshots/recovery points, not VMs themselves (it would also be great, but I think it can’t be protected with approval policies)

So from the documentation, I understand that Secure Snapshots allows attaching an Approval Policy to a Protection Policy, requiring approval before deleting protected snapshots. If that’s correct I think it will fit the main goal.

However, I have some doubts:

  1. Licensing scope:
    With NCI Pro + Advanced Replication add-on, should Secure Snapshots / Approval Policies be fully supported? Or is any additional license (like Ultimate or specific DRaaS features) required?
  2. Prerequisites in Prism Central:
    When enabling the Marketplace, I’m prompted to allocate additional resources (+2 GB RAM for Prism Central) and some extra services, like a new appliance that has to be deployed for (CALM?)
    • Is Marketplace strictly required for Approval Policies / Secure Snapshots?
    • Are there other mandatory components (Self-Service/Calm services, specific PC scale, etc.)?
  3. Operational behavior:
    • Does the approval apply only to snapshot deletion, or also to policy removal?
    • What happens in DR/failover scenarios (Metro or Async) regarding protected snapshots?
  4. Best practices:
    For those already using this feature in production:
    • Do you rely on it as a ransomware protection layer?
    • Any caveats or limitations to be aware of?

Any clarification or real-world experience would be appreciated, especially regarding the Marketplace dependency and resource requirements in Prism Central.

Thanks

4 replies

Forum|alt.badge.img+3

For approval policy, you have to have the policy engine (which can be used as part of Calm / Self-Service).
Regarding license, I am not sure, so I will not put any comment for it.
For DR snapshot, you can find it in the same link which you have shared. For failover, ideally the PC (and the policy engine) should be available.
For real-world experience, I personally believe in keeping the 3-2-1 terminology against data loss, so keeping the snapshot (even if it is immutable), it is still on the same site/server.


Daniel Martinez

> For approval policy, you have to have the policy engine (which can be used as part of Calm / Self-Service).
> Regarding license, I am not sure, so I will not put any comment for it.
> For DR snapshot, you can find it in the same link which you have shared. For failover, ideally the PC (and the policy engine) should be available.
> For real-world experience, I personally believe in keeping the 3-2-1 terminology against data loss, so keeping the snapshot (even if it is immutable), it is still on the same site/server.

Thanks for the comments. I agree that the 3-2-1 rule is a must-have, and this customer already has it. But he also wants that extra security feature if possible.

So as far as I understand from your comment, I think Calm or Self-Service is needed to deploy secure snapshots. However, now the main doubt is whether the customer has the requested licensing or not.


Daniel Martinez

Based on this answer: https://next.nutanix.com/self-service-55/licensing-for-nutanix-calm-or-self-service-45534?postid=78265#post78265

The customer requires NCM licensing, so he would have to ask the sales team for it.


Forum|alt.badge.img+3

All of these features fall under Prism Central, so definitely something to do with NCM licenses; look at the link below for licensing.
Nutanix Licensing and Cloud Platform Software Options | Nutanix
For such cases which involve licensing, I would suggest always involving the Nutanix Presales/sales team.