Set up backup destinations before you use BlueXP backup and recovery

08/06/2025 Contributors

PDFs

Before you use BlueXP backup and recovery, perform a few steps to set up backup destinations.

Before you begin, review prerequisites to ensure that your environment is ready.

Prepare the backup destination

Prepare one or more of the following backup destinations:

NetApp StorageGRID.

Refer to Discover StorageGRID.

Refer to StorageGRID documentation for details about StorageGRID.
Amazon Web Services. Refer to Amazon S3 documentation.

Do the following to prepare AWS as a backup destination:
- Set up an account in AWS.
- Configure S3 permissions in AWS, listed in the next section.
- For details about managing your AWS storage in BlueXP, refer to Manage your Amazon S3 buckets.

Microsoft Azure.
- Refer to Azure NetApp Files documentation.
- Set up an account in Azure.
- Configure Azure permissions in Azure.
- For details about managing your Azure storage in BlueXP, refer to Manage your Azure storage accounts.

After you configure options in the backup destination itself, you will later configure it as a backup destination in the BlueXP backup and recovery service. For details about how to configure the backup destination in BlueXP backup and recovery, refer to Discover backup targets.

Set up S3 permissions

You'll need to configure two sets of AWS S3 permissions:

Permissions for the Connector to create and manage the S3 bucket.
Permissions for the on-premises ONTAP cluster so it can read and write data to the S3 bucket.

Steps

Ensure that the Connector has the required permissions. For details, see BlueXP policy permissions.

When creating backups in AWS China regions, you need to change the AWS Resource Name "arn" under all Resource sections in the IAM policies from "aws" to "aws-cn"; for example arn:aws-cn:s3:::netapp-backup-*.

When you activate the service, the Backup wizard will prompt you to enter an access key and secret key. These credentials are passed to the ONTAP cluster so that ONTAP can back up and restore data to the S3 bucket. For that, you'll need to create an IAM user with the following permissions.

Refer to the AWS Documentation: Creating a Role to Delegate Permissions to an IAM User.

Details

{
    "Version": "2012-10-17",
     "Statement": [
        {
           "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:PutEncryptionConfiguration"
            ],
            "Resource": "arn:aws:s3:::netapp-backup-*",
            "Effect": "Allow",
            "Sid": "backupPolicy"
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::netapp-backup*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListAllMyBuckets",
                "s3:PutObjectTagging",
                "s3:GetObjectTagging",
                "s3:RestoreObject",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetObjectRetention",
                "s3:PutBucketObjectLockConfiguration",
                "s3:PutObjectRetention"
            ],
            "Resource": "arn:aws:s3:::netapp-backup*/*",
            "Effect": "Allow"
        }
    ]
}

Set up backup destinations before you use BlueXP backup and recovery

Creating your file...

Prepare the backup destination

Set up S3 permissions