In cloud data centers, where hosted applications share the underlying network resources, network-bandwidth guarantees have been shown to improve predictability of application performance and cost. However, recent empirical studies have also shown that often data center devices and links are not all that reliable and that failures may cause service outages, rendering significant revenue loss for the affected tenants, as well as the cloud operator. Accordingly, cloud operators are pressed to offer both reliable and predictable performance for the hosted applications. While much work has been done on solving both problems separately, this paper seeks to develop a joint framework by which cloud operators can offer both performance and availability guarantees for the hosted tenants. In particular, this paper considers a simple model to abstract the bandwidth guarantees requirement for the tenant and presents a protection plan design which consists of backup virtual machines placement and bandwidth provisioning to optimize the internal data center traffic. We show through solid motivational examples that finding the optimal protection plan design is highly perplexing, and encompasses several constituent challenges. Owing to its complexity, we decompose it into two subproblems, and solve them separately. First, we invoke a placement subproblem of the minimum number of backup VMs and then we attempt to find the most efficient correspondence between backup and primary VMs (i.e., protection plan) which minimizes the bandwidth redundancy. Our numerical evaluation shows that our two-step method is both scalable and accurate; further, it performs much better than a baseline method where placement of backup VMs is done at random.