Backing up on-premises ONTAP data to Google Cloud Storage

Complete a few steps to get started backing up volume data from your on-premises ONTAP systems to Google Cloud Storage.

Note that "on-premises ONTAP systems" includes FAS, AFF, and ONTAP Select systems.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

One Verify support for your configuration
  • You have discovered the on-premises cluster and added it as a working environment in BlueXP. See Discovering ONTAP clusters for details.

    • The cluster is running ONTAP 9.7P5 or later (ONTAP 9.8P13 and later is recommended).

    • The cluster has a SnapMirror license — it is included as part of the Premium Bundle or Data Protection Bundle.

    • The cluster must have the required network connections to Google storage and to the Connector.

  • The Connector must have the required network connections to Google storage and to the cluster.

  • You have a valid Google subscription for the object storage space where your backups will be located.

  • You have a Google account with an access key and secret key so the ONTAP cluster can back up and restore data.

Two Enable BlueXP backup and recovery on the system

Select the working environment and click Enable > Backup Volumes next to the Backup and recovery service in the right-panel, and then follow the setup wizard.

A screenshot that shows the Backup and recovery Enable button which is available after you select a working environment.

Three Select the cloud provider and enter the provider details

Select Google Cloud as your provider and then enter the provider details. You’ll need to specify the IPspace in the ONTAP cluster where the volumes reside. You can also choose your own customer-managed keys for data encryption instead of using the default Google-managed encryption key.

A screenshot that shows the cloud provider details when backing up volumes from an on-prem ONTAP system to a Google Cloud Storage bucket.

Four Define the default backup policy

The default policy backs up volumes every day and retains the most recent 30 backup copies of each volume. Change to hourly, daily, weekly, monthly, or yearly backups, or select one of the system-defined policies that provide more options. You can also change the number of backup copies you want to retain.

Backups are stored in Standard storage by default. If your cluster is using ONTAP 9.12.1 or greater, you can choose to tier backups to Google Archive storage after a certain number of days for further cost optimization. Learn more about the available BlueXP backup and recovery policy configuration settings.

A screenshot that shows the BlueXP backup and recovery settings where you can choose the backup schedule and retention period.

Five Select the volumes that you want to back up

Identify which volumes you want to back up using the default backup policy in the Select Volumes page. If you want to assign different backup policies to certain volumes, you can create additional policies and apply them to volumes later.

Requirements

Read the following requirements to make sure you have a supported configuration before you start backing up on-premises volumes to Google Cloud storage.

There are two connection methods you can use when configuring backups from on-premises ONTAP systems to Google Cloud Storage.

  • Public connection - Directly connect the ONTAP system to Google Cloud Storage using a public Google endpoint.

  • Private connection - Use a VPN or Google Cloud Interconnect and route traffic through a Private Google Access interface that uses a private IP address.

The following diagram shows the public connection method and the connections that you need to prepare between the components. The Connector must be deployed in the Google Cloud Platform VPC.

A diagram showing how BlueXP backup and recovery communicates over a public connection with the volumes on the cluster and the Google Cloud storage where the backup files are located.

The following diagram shows the private connection method and the connections that you need to prepare between the components. The Connector must be deployed in the Google Cloud Platform VPC.

A diagram showing how BlueXP backup and recovery communicates over a private connection with the volumes on the cluster and the Google Cloud storage where the backup files are located.

Preparing your ONTAP clusters

You need to discover your on-premises ONTAP clusters in BlueXP before you can start backing up volume data.

ONTAP requirements
  • Minimum of ONTAP 9.7P5; ONTAP 9.8P13 and later is recommended.

  • A SnapMirror license (included as part of the Premium Bundle or Data Protection Bundle).

    Note: The "Hybrid Cloud Bundle" is not required when using BlueXP backup and recovery.

  • Time and time zone are set correctly.

Cluster networking requirements
  • The ONTAP cluster initiates an HTTPS connection over port 443 from the intercluster LIF to Google Cloud storage for backup and restore operations.

    ONTAP reads and writes data to and from object storage. The object storage never initiates a connection; it only responds.

  • ONTAP requires an inbound connection from the Connector to the cluster management LIF. The Connector can reside in a Google Cloud Platform VPC.

  • An intercluster LIF is required on each ONTAP node that hosts the volumes you want to back up. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage. Learn more about IPspaces.

    When you set up BlueXP backup and recovery, you are prompted for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

  • The nodes' intercluster LIFs are able to access the object store.

  • DNS servers have been configured for the storage VM where the volumes are located. See how to configure DNS services for the SVM.

    If you’re using Private Google Access or Private Service Connect, make sure your DNS servers have been configured to point storage.googleapis.com to the correct internal (private) IP address.

  • Note that if you are using a different IPspace than the Default, then you might need to create a static route to get access to the object storage.

  • Update firewall rules, if necessary, to allow BlueXP backup and recovery connections from ONTAP to object storage through port 443, and name resolution traffic from the storage VM to the DNS server over port 53 (TCP/UDP).

Creating or switching Connectors

If you already have a Connector deployed in your Google Cloud Platform VPC, then you’re all set. If not, then you’ll need to create a Connector in that location to back up ONTAP data to Google Cloud storage. You can’t use a Connector that’s deployed in another cloud provider, or on-premises.

Preparing networking for the Connector

Ensure that the Connector has the required networking connections.

Steps
  1. Ensure that the network where the Connector is installed enables the following connections:

    • An HTTPS connection over port 443 to the BlueXP backup and recovery service and to your Google Cloud storage (see the list of endpoints)

    • An HTTPS connection over port 443 to your ONTAP cluster management LIF

  2. Enable Private Google Access (or Private Service Connect) on the subnet where you plan to deploy the Connector. Private Google Access or Private Service Connect are needed if you have a direct connection from your ONTAP cluster to the VPC and you want communication between the Connector and Google Cloud Storage to stay in your virtual private network (a private connection).

    Follow the Google instructions for setting up these Private access options. Make sure your DNS servers have been configured to point www.googleapis.com and storage.googleapis.com to the correct internal (private) IP addresses.
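
A preflight check for the DNS requirement stated here and in the cluster networking requirements, added as an example and not part of the NetApp documentation: it classifies every address returned for the Google API hostnames and fails a host whose answers are public or mixed. The 199.36.153.x ranges are the IPv4 VIPs Google documents for Private Google Access; the Private Service Connect endpoint address, the sample answers and the function names are assumptions.

```python
import ipaddress
import socket

# IPv4 VIP ranges Google documents for Private Google Access.
PGA_RANGES = {
    "private.googleapis.com": ipaddress.ip_network("199.36.153.8/30"),
    "restricted.googleapis.com": ipaddress.ip_network("199.36.153.4/30"),
}


def classify(addr, psc_endpoints=()):
    """Label one resolved address."""
    ip = ipaddress.ip_address(addr)
    for name, net in PGA_RANGES.items():
        if ip in net:
            return "pga:" + name
    if any(ip == ipaddress.ip_address(e) for e in psc_endpoints):
        return "psc"
    # An internal address nobody declared may be a stale or wrong record.
    return "undeclared-internal" if ip.is_private else "public"


def resolve(host):
    """Resolve with the system resolver of the host this runs on."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_private_dns(hosts, psc_endpoints=(), resolver=resolve):
    """A host passes only if every answer is a PGA VIP or a declared PSC endpoint."""
    report = {}
    for host in hosts:
        labels = {a: classify(a, psc_endpoints) for a in resolver(host)}
        ok = bool(labels) and all(v.startswith(("pga:", "psc")) for v in labels.values())
        report[host] = {"answers": labels, "private": ok}
    return report


# Constructed sample answers; the second host leaks a public record.
SAMPLE_ANSWERS = {
    "storage.googleapis.com": ["199.36.153.10"],
    "www.googleapis.com": ["199.36.153.9", "142.250.72.4"],
}

if __name__ == "__main__":
    report = check_private_dns(SAMPLE_ANSWERS, resolver=SAMPLE_ANSWERS.get)
    for host, result in report.items():
        print(host, result)
```

Run it with the default resolver on a machine that uses the same DNS servers as the Connector or the storage VM, passing your Private Service Connect endpoint address in `psc_endpoints` if you use one.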

Verify or add permissions to the Connector

To use the BlueXP backup and recovery "Search & Restore" functionality, you need to have specific permissions in the role for the Connector so that it can access the Google Cloud BigQuery service. See the permissions below, and follow the steps if you need to modify the policy.

Steps
  1. In the Google Cloud Console, go to the Roles page.

  2. Using the drop-down list at the top of the page, select the project or organization that contains the role that you want to edit.

  3. Click a custom role.

  4. Click Edit Role to update the role’s permissions.

  5. Click Add Permissions to add the following new permissions to the role.

    bigquery.jobs.get
    bigquery.jobs.list
    bigquery.jobs.listAll
    bigquery.datasets.create
    bigquery.datasets.get
    bigquery.jobs.create
    bigquery.tables.get
    bigquery.tables.getData
    bigquery.tables.list
    bigquery.tables.create

  6. Click Update to save the edited role.

Preparing Google Cloud Storage for backups

When you set up backup, you need to provide storage access keys for a service account that has specific permissions. A service account enables BlueXP backup and recovery to authenticate and access Cloud Storage buckets used to store backups. The keys are required so that Google Cloud Storage knows who is making the request.

Steps
  1. In the Google Cloud Console, go to the Roles page.

  2. Create a new role with the following permissions:

    storage.buckets.create
    storage.buckets.delete
    storage.buckets.get
    storage.buckets.list
    storage.buckets.update
    storage.buckets.getIamPolicy
    storage.multipartUploads.create
    storage.objects.create
    storage.objects.delete
    storage.objects.get
    storage.objects.list
    storage.objects.update

  3. In the Google Cloud console, go to the Service accounts page.

  4. Select your Cloud project.

  5. Click Create service account and provide the required information:

    1. Service account details: Enter a name and description.

    2. Grant this service account access to project: Select the custom role that you just created.

    3. Click Done.

  6. Go to GCP Storage Settings and create access keys for the service account:

    1. Select a project, and click Interoperability. If you haven’t already done so, click Enable interoperability access.

    2. Under Access keys for service accounts, click Create a key for a service account, select the service account that you just created, and click Create Key.

      You’ll need to enter the keys in BlueXP backup and recovery later when you configure the backup service.

Using customer-managed encryption keys (CMEK)

You can use your own customer-managed keys for data encryption instead of using the default Google-managed encryption keys. Both cross-region and cross-project keys are supported, so you can choose a project for a bucket that is different than the project of the CMEK key. If you’re planning to use your own customer-managed keys:

  • You’ll need to have the Key Ring and the Key Name so you can add this information in the activation wizard. Learn more about customer-managed encryption keys.

  • You’ll need to verify that these required permissions are included in the role for the Connector:

    cloudkms.cryptoKeys.get
    cloudkms.cryptoKeys.getIamPolicy
    cloudkms.cryptoKeys.list
    cloudkms.cryptoKeys.setIamPolicy
    cloudkms.keyRings.get
    cloudkms.keyRings.getIamPolicy
    cloudkms.keyRings.list
    cloudkms.keyRings.setIamPolicy

  • You’ll need to verify that the Google "Cloud Key Management Service (KMS)" API is enabled in your project. See the Google Cloud documentation: Enabling APIs for details.

CMEK considerations:

  • Both HSM (Hardware-backed) and Software-generated keys are supported.

  • Both newly created and imported Cloud KMS keys are supported.

  • Only regional keys are supported; global keys are not supported.

  • Currently, only the "Symmetric encrypt/decrypt" purpose is supported.

  • The service agent associated with the Storage Account is assigned the "CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)" IAM role by BlueXP backup and recovery.
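
An audit of the three permission lists on this page (the backup service account role, the Connector's "Search & Restore" BigQuery permissions, and the Connector's CMEK permissions), added as an example and not part of the NetApp documentation: it reports permissions missing from a role export and, for the dedicated backup role, any permission beyond what the page asks for. It assumes the role is exported with `gcloud iam roles describe ... --format=json`; the sample role, its name and the function name are constructed.

```python
import json

# Permission sets copied from this page.
BACKUP_SA = set("""
storage.buckets.create storage.buckets.delete storage.buckets.get
storage.buckets.list storage.buckets.update storage.buckets.getIamPolicy
storage.multipartUploads.create storage.objects.create storage.objects.delete
storage.objects.get storage.objects.list storage.objects.update
""".split())
CONNECTOR_SEARCH_RESTORE = set("""
bigquery.jobs.get bigquery.jobs.list bigquery.jobs.listAll bigquery.jobs.create
bigquery.datasets.create bigquery.datasets.get bigquery.tables.get
bigquery.tables.getData bigquery.tables.list bigquery.tables.create
""".split())
CONNECTOR_CMEK = set("""
cloudkms.cryptoKeys.get cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list
cloudkms.cryptoKeys.setIamPolicy cloudkms.keyRings.get cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.list cloudkms.keyRings.setIamPolicy
""".split())


def audit_role(role_json, required, dedicated=False):
    """Compare a role export against a required permission set.

    role_json: JSON text of a role, with an "includedPermissions" list.
    dedicated: True when the role exists only for this purpose, so any
    permission outside `required` is reported as surplus.
    """
    granted = set(json.loads(role_json).get("includedPermissions", []))
    missing = sorted(required - granted)
    surplus = sorted(granted - required) if dedicated else []
    return {"missing": missing, "surplus": surplus,
            "ok": not missing and not surplus}


# Constructed sample: a backup role that lacks multipart upload and carries
# one permission the page does not ask for.
SAMPLE_BACKUP_ROLE = json.dumps({
    "name": "projects/example-project/roles/bxpBackup",  # hypothetical name
    "includedPermissions": sorted(
        (BACKUP_SA - {"storage.multipartUploads.create"})
        | {"storage.buckets.setIamPolicy"}),
})

if __name__ == "__main__":
    print(audit_role(SAMPLE_BACKUP_ROLE, BACKUP_SA, dedicated=True))
```

Leave `dedicated` at its default for the Connector role, which legitimately holds permissions outside these lists.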

Verify license requirements

  • Before you can activate BlueXP backup and recovery for your cluster, you’ll need to either subscribe to a pay-as-you-go (PAYGO) BlueXP Marketplace offering from Google, or purchase and activate a BlueXP backup and recovery BYOL license from NetApp. These licenses are for your account and can be used across multiple systems.

  • You need to have a Google subscription for the object storage space where your backups will be located.

    You can create backups from on-premises systems to Google Cloud Storage in all regions where Cloud Volumes ONTAP is supported. You specify the region where backups will be stored when you set up the service.

Enabling BlueXP backup and recovery

Enable BlueXP backup and recovery at any time directly from the on-premises working environment.

Steps
  1. From the Canvas, select the working environment and click Enable > Backup Volumes next to the Backup and recovery service in the right-panel.

    If the Google Cloud Storage destination for your backups exists as a working environment on the Canvas, you can drag the cluster onto the Google Cloud Storage working environment to initiate the setup wizard.

    A screenshot that shows the Backup and recovery Enable button which is available after you select a working environment.

  2. Select Google Cloud as your provider and click Next.

  3. Enter the provider details and click Next.

    1. The Google Cloud Project where you want the Google Cloud Storage bucket to be created for backups. (The Project must have a Service Account that has a custom role with specific permissions - as described here.)

    2. The Google Access Key and Secret Key used to store the backups.

    3. The Google region where the backups will be stored.

    4. The IPspace in the ONTAP cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.

    5. Whether you’ll use the default Google-managed encryption key or choose your own customer-managed keys to manage encryption of your data. To use a CMEK, you’ll need to have the Key Ring and the Key Name. Learn more about customer-managed encryption keys.

      A screenshot that shows the cloud provider details when backing up volumes from an on-premises cluster to Google Cloud Storage.

  4. If you don’t have an existing BlueXP backup and recovery license for your account, you’ll be prompted at this point to select the type of charging method that you want to use. You can subscribe to a pay-as-you-go (PAYGO) BlueXP Marketplace offering from Google (or if you have multiple subscriptions you’ll need to select one), or purchase and activate a BlueXP backup and recovery BYOL license from NetApp. Learn how to set up BlueXP backup and recovery licensing.

  5. Enter the backup policy details that will be used for your default policy and click Next. You can select an existing policy, or you can create a new policy by entering your selections in each section:

    1. Enter the name for the default policy. You don’t need to change the name.

    2. Define the backup schedule and choose the number of backups to retain. See the list of existing policies you can choose.

    3. When using ONTAP 9.12.1 or greater, you can choose to tier backups to Archive storage after a certain number of days for further cost optimization. Learn more about the available BlueXP backup and recovery policy configuration settings.

      A screenshot that shows the BlueXP backup and recovery settings where you can choose your backup schedule and retention period.

  6. Select the volumes that you want to back up using the defined backup policy in the Select Volumes page. If you want to assign different backup policies to certain volumes, you can create additional policies and apply them to those volumes later.

    • To back up all existing volumes and any volumes added in the future, check the box "Back up all existing and future volumes…​". We recommend this option so that all your volumes will be backed up and you’ll never have to remember to enable backups for new volumes.

    • To back up only existing volumes, check the box in the title row.

    • To back up individual volumes, check the box for each volume.

      A screenshot of selecting the volumes that will be backed up.

    • If there are any local Snapshot copies for read/write volumes in this working environment that match the backup schedule label you just selected for this working environment (for example, daily, weekly, etc.), an additional prompt is displayed "Export existing Snapshot copies to object storage as backup copies". Check this box if you want all historic Snapshots to be copied to object storage as backup files to ensure the most complete protection for your volumes.

  7. Click Activate Backup and BlueXP backup and recovery starts taking the initial backups of your volumes.

Result

A Google Cloud Storage bucket is created automatically in the service account indicated by the Google access key and secret key you entered, and the backup files are stored there. The Volume Backup Dashboard is displayed so you can monitor the state of the backups. You can also monitor the status of backup and restore jobs using the Job Monitoring panel.

What’s next?