Skip to main content
BlueXP backup and recovery
All cloud providers
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • All cloud providers

Back up on-premises ONTAP data to StorageGRID

Contributors amgrissino netapp-tonacki netapp-bcammett

Complete a few steps to get started backing up volume data from your on-premises primary ONTAP systems to a secondary storage system and to object storage in your NetApp StorageGRID systems.

Note "On-premises ONTAP systems" include FAS, AFF, and ONTAP Select systems.

Quick start

Get started quickly by following these steps. Details for each step are provided in the following sections in this topic.

One Identify the connection method you'll use

Review how you'll connect your on-premises ONTAP cluster directly to StorageGRID over the public internet, or whether you'll use a VPN and route traffic through a private VPC Endpoint interface to StorageGRID.

Identify the connection method.

Two Prepare your BlueXP Connector

If you already have a Connector deployed in your premises, then you're all set. If not, then you'll need to create a BlueXP Connector to back up ONTAP data to StorageGRID. You'll also need to customize network settings for the Connector so that it can connect to StorageGRID.

Learn how to create a Connector and how to define required network settings.

Three Verify license requirements

You'll need to check license requirements for both StorageGRID and BlueXP.

Refer to Verify license requirements.

Four Prepare your ONTAP clusters

Discover your ONTAP clusters in BlueXP, verify that the clusters meet minimum requirements, and customize network settings so the clusters can connect to StorageGRID.

Learn how to get your ONTAP clusters ready.

Five Prepare StorageGRID as your backup target

Set up permissions for the Connector to create and manage the StorageGRID bucket. You'll also need to set up permissions for the on-premises ONTAP cluster so it can read and write data to the bucket.

Optionally, you can set up your own custom-managed keys for data encryption instead of using the default StorageGRID encryption keys. Learn how to get your StorageGRID environment ready to receive ONTAP backups.

Six Activate backups on your ONTAP volumes

Select the working environment and click Enable > Backup Volumes next to the Backup and recovery service in the right-panel. Then follow the setup wizard to select the replication and backup policies that you'll use and the volumes you want to back up.

Activate backups on your ONTAP volumes.

Identify the connection method

The following image shows each component when backing up an on-premises ONTAP system to StorageGRID and the connections that you need to prepare between them.

Optionally, you can connect to a secondary ONTAP system in the same on-premises location to replicate volumes.

A diagram showing how BlueXP backup and recovery communicates with the volumes on the source systems and the destination storage where the backup files are located.

When the Connector and on-premises ONTAP system are installed in an on-premises location without internet access (a "dark site"), the StorageGRID system must be located in the same on-premises data center. Archival of older backup files to public cloud is not supported in dark site configurations.

Prepare your BlueXP Connector

The BlueXP Connector is the main software for BlueXP functionality. A Connector is required to back up and restore your ONTAP data.

Create or switch Connectors

When you back up data to StorageGRID, a BlueXP Connector must be available on your premises. You'll either need to install a new Connector or make sure that the currently selected Connector resides on-premises. The Connector can be installed in a site with or without internet access.

Prepare Connector networking requirements

Ensure that the network where the Connector is installed enables the following connections:

  • An HTTPS connection over port 443 to the StorageGRID Gateway Node

  • An HTTPS connection over port 443 to your ONTAP cluster management LIF

  • An outbound internet connection over port 443 to BlueXP backup and recovery (not required when the Connector is installed in a "dark" site)

Private mode (dark site) considerations

  • BlueXP backup and recovery functionality is built into the BlueXP Connector. When it is installed in private mode, you'll need to update the Connector software periodically to get access to new features. Check the BlueXP backup and recovery What's New to see the new features in each BlueXP backup and recovery release. When you want to use the new features, follow the steps to upgrade the Connector software.

    The new version of BlueXP backup and recovery that includes the ability to schedule and create Snapshot copies and replicated volumes, in addition to creating backups to object storage, requires that you are using version 3.9.31 or greater of the BlueXP Connector. So it is recommended that you get this newest release to manage all your backups.

  • When you use BlueXP backup and recovery in a SaaS environment, the BlueXP backup and recovery configuration data is backed up to the cloud. When you use BlueXP backup and recovery in a site with no internet access, the BlueXP backup and recovery configuration data is backed up to the StorageGRID bucket where your backups are being stored. If you ever have a Connector failure in your private mode site, you can restore the BlueXP backup and recovery data to a new Connector.

Verify license requirements

Before you can activate BlueXP backup and recovery for your cluster, you'll need to purchase and activate a BlueXP backup and recovery BYOL license from NetApp. This license is for the account and can be used across multiple systems.

You'll need the serial number from NetApp that enables you to use the service for the duration and capacity of the license. Learn how to manage your BYOL licenses.

Tip PAYGO licensing is not supported when backing up files to StorageGRID.

Prepare your ONTAP clusters

You'll need to prepare your source on-premises ONTAP system and any secondary on-premises ONTAP or Cloud Volumes ONTAP systems.

Preparing your ONTAP clusters involves the following steps:

  • Discover your ONTAP systems in BlueXP

  • Verify ONTAP system requirements

  • Verify ONTAP networking requirements for backing up data to object storage

  • Verify ONTAP networking requirements for replicating volumes

Discover your ONTAP systems in BlueXP

Both your source on-premises ONTAP system and any secondary on-premises ONTAP or Cloud Volumes ONTAP systems must be available on the BlueXP Canvas.

You'll need to know the cluster management IP address and the password for the admin user account to add the cluster.
Learn how to discover a cluster.

Verify ONTAP system requirements

Ensure that the following ONTAP requirements are met:

  • Minimum of ONTAP 9.8; ONTAP 9.8P13 and later is recommended.

  • A SnapMirror license (included as part of the Premium Bundle or Data Protection Bundle).

    Note: The "Hybrid Cloud Bundle" is not required when using BlueXP backup and recovery.

    Learn how to manage your cluster licenses.

  • Time and time zone are set correctly. Learn how to configure your cluster time.

  • If you are going to replicate data, you should verify that the source and destination systems are running compatible ONTAP versions before replicating data.

    View compatible ONTAP versions for SnapMirror relationships.

Verify ONTAP networking requirements for backing up data to object storage

You must configure the following requirements on the system that connects to object storage.

  • When you use a fan-out backup architecture, the following settings must be configured on the primary storage system.

  • When you use a cascaded backup architecture, the following settings must be configured on the secondary storage system.

The following ONTAP cluster networking requirements are needed:

  • The ONTAP cluster initiates an HTTPS connection over a user-specified port from the intercluster LIF to the StorageGRID Gateway Node for backup and restore operations. The port is configurable during backup setup.

    ONTAP reads and writes data to and from object storage. The object storage never initiates, it just responds.

  • ONTAP requires an inbound connection from the Connector to the cluster management LIF. The Connector must reside on your premises.

  • An intercluster LIF is required on each ONTAP node that hosts the volumes you want to back up. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage. Learn more about IPspaces.

    When you set up BlueXP backup and recovery, you are prompted for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

  • The nodes' intercluster LIFs are able to access the object store (not required when the Connector is installed in a "dark" site).

  • DNS servers have been configured for the storage VM where the volumes are located. See how to configure DNS services for the SVM.

  • If you use are using a different IPspace than the Default, then you might need to create a static route to get access to the object storage.

  • Update firewall rules, if necessary, to allow BlueXP backup and recovery service connections from ONTAP to object storage through the port you specified (typically port 443) and name resolution traffic from the storage VM to the DNS server over port 53 (TCP/UDP).

Verify ONTAP networking requirements for replicating volumes

If you plan to create replicated volumes on a secondary ONTAP system using BlueXP backup and recovery, ensure that the source and destination systems meet following networking requirements.

On-premises ONTAP networking requirements

  • If the cluster is in your premises, you should have a connection from your corporate network to your virtual network in the cloud provider. This is typically a VPN connection.

  • ONTAP clusters must meet additional subnet, port, firewall, and cluster requirements.

    Because you can replicate to Cloud Volumes ONTAP or an on-premises systems, review peering requirements for on-premises ONTAP systems. View prerequisites for cluster peering in the ONTAP documentation.

Cloud Volumes ONTAP networking requirements

  • The instance's security group must include the required inbound and outbound rules: specifically, rules for ICMP and ports 11104 and 11105. These rules are included in the predefined security group.

Prepare StorageGRID as your backup target

StorageGRID must meet the following requirements. See the StorageGRID documentation for more information.

Supported StorageGRID versions

StorageGRID 10.3 and later is supported.

To use DataLock & Ransomware Protection for your backups, your StorageGRID systems must be running version 11.6.0.3 or greater.

To tier older backups to cloud archival storage, your StorageGRID systems must be running version 11.3 or greater. Additionally, your StorageGRID systems must be discovered to the BlueXP Canvas.

S3 credentials

You must have created an S3 tenant account to control access to your StorageGRID storage. See the StorageGRID docs for details.

When you set up backup to StorageGRID, the backup wizard prompts you for an S3 access key and secret key for a tenant account. The tenant account enables BlueXP backup and recovery to authenticate and access the StorageGRID buckets used to store backups. The keys are required so that StorageGRID knows who is making the request.

These access keys must be associated with a user who has the following permissions:

"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:CreateBucket"
Object versioning

You must not enable StorageGRID object versioning manually on the object store bucket.

Prepare to archive older backup files to public cloud storage

Tiering older backup files to archival storage saves money by using a less expensive storage class for backups that you may not need. StorageGRID is an on-premises (private cloud) solution that doesn't provide archival storage, but you can move older backup files to public cloud archival storage. When used in this fashion, data that is tiered to cloud storage, or restored from cloud storage, goes between StorageGRID and the cloud storage - BlueXP is not involved in this data transfer.

Current support enables you to archive backups to AWS S3 Glacier/S3 Glacier Deep Archive or Azure Archive storage.

ONTAP Requirements

  • Your cluster must be using ONTAP 9.12.1 or greater.

StorageGRID Requirements

Amazon S3 requirements

  • You'll need to sign up for an Amazon S3 account for the storage space where your archived backups will be located.

  • You can choose to tier backups to AWS S3 Glacier or S3 Glacier Deep Archive storage. Learn more about AWS archival tiers.

  • StorageGRID should have full-control access to the bucket (s3:*); however, if this is not possible, the bucket policy must grant the following S3 permissions to StorageGRID:

    • s3:AbortMultipartUpload

    • s3:DeleteObject

    • s3:GetObject

    • s3:ListBucket

    • s3:ListBucketMultipartUploads

    • s3:ListMultipartUploadParts

    • s3:PutObject

    • s3:RestoreObject

Azure Blob requirements

  • You'll need to sign up for an Azure Subscription for the storage space where your archived backups will be located.

  • The activation wizard enables you to use an existing Resource Group to manage the Blob container that will store the backups, or you can create a new Resource Group.

When defining the Archival settings for the backup policy for your cluster, you'll enter your cloud provider credentials and select the storage class that you want to use. BlueXP backup and recovery creates the cloud bucket when you activate backup for the cluster. The information required for AWS and Azure archival storage is shown below.

A screenshot of the information you'll need to archive backup files from StorageGRID to AWS S3 or Azure Blob.

The archival policy settings you select will generate an information lifecycle management (ILM) policy in StorageGRID, and add the settings as "rules".

  • If there is an existing active ILM policy, new rules will be added to the ILM policy to move the data to the archive tier.

  • If there is an existing ILM policy in the "proposed" state, the creation and activation of a new ILM policy will not be possible. Learn more about StorageGRID ILM policies and rules.

Activate backups on your ONTAP volumes

Activate backups at any time directly from your on-premises working environment.

A wizard takes you through the following major steps:

You can also Show the API commands at the review step, so you can copy the code to automate backup activation for future working environments.

Start the wizard

Steps

  1. Access the Activate backup and recovery wizard using one of the following ways:

    • From the BlueXP canvas, select the working environment and select Enable > Backup Volumes next to the Backup and recovery service in the right-panel.

      If the destination for your backups exists as a working environment on the Canvas, you can drag the ONTAP cluster onto the object storage.

    • Select Volumes in the Backup and recovery bar. From the Volumes tab, select the Actions (…​) option and select Activate Backup for a single volume (that does not already have replication or backup to object storage already enabled).

    The Introduction page of the wizard shows the protection options including local Snapshots, replication, and backups. If you did the second option in this step, the Define Backup Strategy page appears with one volume selected.

  2. Continue with the following options:

    • If you already have a BlueXP Connector, you're all set. Just select Next.

    • If you don't already have a BlueXP Connector, the Add a Connector option appears. Refer to Prepare your BlueXP Connector.

Select the volumes that you want to back up

Choose the volumes you want to protect. A protected volume is one that has one or more of the following: Snapshot policy, replication policy, backup to object policy.

You can choose to protect FlexVol or FlexGroup volumes; however, you cannot select a mix of these volumes when activating backup for a working environment. See how to activate backup for additional volumes in the working environment (FlexVol or FlexGroup) after you have configured backup for the initial volumes.

Note

  • You can activate a backup only on a single FlexGroup volume at a time.

  • The volumes you select must have the same SnapLock setting. All volumes must have SnapLock Enterprise enabled or have SnapLock disabled. (Volumes with SnapLock Compliance mode require ONTAP 9.14 or later.)
Steps

Note that if the volumes you choose already have Snapshot or replication policies applied, then the policies you select later will overwrite these existing policies.

  1. In the Select Volumes page, select the volume or volumes you want to protect.

    • Optionally, filter the rows to show only volumes with certain volume types, styles, and more to make the selection easier.

    • After you select the first volume, then you can select all FlexVol volumes (FlexGroup volumes can be selected one at a time only). To back up all existing FlexVol volumes, check one volume first and then check the box in the title row. (button backup all volumes).

    • To back up individual volumes, check the box for each volume (button backup 1 volume).

  2. Select Next.

Define the backup strategy

Defining the backup strategy involves setting the following options:

  • Whether you want one or all of the backup options: local Snapshots, replication, and backup to object storage

  • Architecture

  • Local Snapshot policy

  • Replication target and policy

    Note If the volumes you choose have different Snapshot and replication policies than the policies you select in this step, the existing policies will be overwritten.

  • Backup to object storage information (provider, encryption, networking, backup policy, and export options).

Steps

  1. In the Define backup strategy page, choose one or all of the following. All three are selected by default:

    • Local Snapshots: If you are performing replication or back up to object storage, local Snapshots must be created.

    • Replication: Creates replicated volumes on another ONTAP storage system.

    • Backup: Backs up volumes to object storage.

  2. Architecture: If you chose both replication and backup, choose one of the following flows of information:

    • Cascading: Information flows from the primary to the secondary, and then from the secondary to object storage.

    • Fan out: Information flows from the primary to the secondary and from the primary to object storage.

      For details about these architectures, refer to Plan your protection journey.

  3. Local Snapshot: Choose an existing Snapshot policy or create a new one.

    Tip To create a custom policy before activating the Snapshot, refer to Create a policy.

    To create a policy, select Create new policy and do the following:

    • Enter the name of the policy.

    • Select up to 5 schedules, typically of different frequencies.

    • Select Create.

  4. Replication: Set the following options:

    • Replication target: Select the destination working environment and SVM. Optionally, select the destination aggregate or aggregates and prefix or suffix that will be added to the replicated volume name.

    • Replication policy: Choose an existing replication policy or create one.

      Tip To create a custom policy before activating the replication, refer to Create a policy.

      To create a policy, select Create new policy and do the following:

      • Enter the name of the policy.

      • Select up to 5 schedules, typically of different frequencies.

      • Select Create.

  5. Back up to Object: If you selected Backup, set the following options:

    • Provider: Select StorageGRID.

    • Provider settings: Enter the provider gateway node FQDN details, port, access key and secret key.

      The access key and secret key are for the IAM user you created to give the ONTAP cluster access to the bucket.

    • Networking: Choose the IPspace in the ONTAP cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access (not required when the Connector is installed in a "dark" site).

      Tip Selecting the correct IPspace ensures that BlueXP backup and recovery can set up a connection from ONTAP to your StorageGRID object storage.

    • Backup policy: Select an existing Backup to object storage policy or create one.

      Tip To create a custom policy before activating the backup, refer to Create a policy.

      To create a policy, select Create new policy and do the following:

      • Enter the name of the policy.

      • Select up to 5 schedules, typically of different frequencies.

      • For backup-to-object policies, set the DataLock and Ransomware Protection settings. For details on DataLock and Ransomware Protection, refer to Backup-to-object policy settings.

        If your cluster is using ONTAP 9.11.1 or greater, you can choose to protect your backups from deletion and ransomware attacks by configuring DataLock and Ransomware Protection. DataLock protects your backup files from being modified or deleted, and Ransomware Protection scans your backup files to look for evidence of a ransomware attack in your backup files.

      • Select Create.

    If your cluster is using ONTAP 9.12.1 or greater and your StorageGRID system is using version 11.4 or greater, you can choose to tier older backups to public cloud archive tiers after a certain number of days. Current support is for AWS S3 Glacier/S3 Glacier Deep Archive or Azure Archive storage tiers. See how to configure your systems for this functionality.

    • Tier backup to public cloud: Select the cloud provider that you want to tier backups to and enter the provider details.

      Select or create a new StorageGRID cluster. For details about creating a StorageGRID cluster so BlueXP can discover it, refer to StorageGRID documentation.

    • Export existing Snapshot copies to object storage as backup copies: If there are any local Snapshot copies for volumes in this working environment that match the backup schedule label you just selected for this working environment (for example, daily, weekly, etc.), this additional prompt is displayed. Check this box to have all historic Snapshots copied to object storage as backup files to ensure the most complete protection for your volumes.

  6. Select Next.

Review your selections

This is the chance to review your selections and make adjustments, if necessary.

Steps

  1. In the Review page, review your selections.

  2. Optionally check the box to Automatically synchronize the Snapshot policy labels with the replication and backup policy labels. This creates Snapshots with a label that matches the labels in the replication and backup policies.

  3. Select Activate Backup.

Result

BlueXP backup and recovery starts taking the initial backups of your volumes. The baseline transfer of the replicated volume and the backup file includes a full copy of the source data. Subsequent transfers contain differential copies of the primary storage data contained in Snapshot copies.

A replicated volume is created in the destination cluster that will be synchronized with the primary storage volume.

An S3 bucket is created in the service account indicated by the S3 access key and secret key you entered, and the backup files are stored there.

The Volume Backup Dashboard is displayed so you can monitor the state of the backups.

You can also monitor the status of backup and restore jobs using the Job Monitoring panel.

Show the API commands

You might want to display and optionally copy the API commands used in the Activate backup and recovery wizard. You might want to do this to automate backup activation in future working environments.

Steps

  1. From the Activate backup and recovery wizard, select View API request.

  2. To copy the commands to the clipboard, select the Copy icon.

What's next?