Backing up Cloud Volumes ONTAP data to Amazon S3

Complete a few steps to get started backing up volume data from your Cloud Volumes ONTAP systems to Amazon S3.

Quick start

Get started quickly by following these steps or scroll down to the remaining sections for full details.

1. Verify support for your configuration
  • You’re running Cloud Volumes ONTAP 9.7P5 or later in AWS (ONTAP 9.8P13 and later is recommended).

  • You have a valid cloud provider subscription for the storage space where your backups will be located.

  • You have subscribed to the BlueXP Marketplace Backup offering, an AWS annual contract, or you have purchased and activated a BlueXP backup and recovery BYOL license from NetApp.

  • You have a Connector installed in AWS:

    • The Connector can be installed in a site with full internet access ("standard mode") or with limited internet connectivity ("restricted mode").

    • The IAM role that provides the BlueXP Connector with permissions includes S3 permissions from the latest BlueXP policy.

2. Enable BlueXP backup and recovery on your new or existing system
  • New systems: BlueXP backup and recovery is enabled by default in the working environment wizard. Be sure to keep the option enabled.

  • Existing systems: Select the working environment and click Enable next to the Backup and recovery service in the right panel, and then follow the setup wizard.

    A screenshot that shows the Backup and recovery Enable button which is available after you select a working environment.

3. Enter the provider details

Select the AWS Account and the region where you want to create the backups. You can also choose your own customer-managed key for data encryption instead of using the default Amazon S3 encryption key.

A screenshot that shows the cloud provider details when backing up volumes from a Cloud Volumes ONTAP system to AWS S3.

4. Define the default backup policy

The default policy backs up volumes every day and retains the most recent 30 backup copies of each volume. Change to hourly, daily, weekly, monthly, or yearly backups, or select one of the system-defined policies that provide more options. You can also change the number of backup copies you want to retain.

Backups are stored in S3 Standard storage by default. If your cluster is using ONTAP 9.10.1 or greater, you can choose to tier backups to either S3 Glacier or S3 Glacier Deep Archive storage after a certain number of days for further cost optimization.

Optionally, when using ONTAP 9.11.1 and greater, you can choose to protect your backups from deletion and ransomware attacks by configuring one of the DataLock and Ransomware Protection settings. Learn more about the available BlueXP backup and recovery policy configuration settings.

A screenshot that shows the BlueXP backup and recovery settings where you can choose your backup schedule and retention period.

5. Select the volumes that you want to back up

Identify which volumes you want to back up using the default backup policy in the Select Volumes page. If you want to assign different backup policies to certain volumes, you can create additional policies and apply them to volumes later.

Requirements

Read the following requirements to make sure that you have a supported configuration before you start backing up volumes to S3.

The following image shows each component and the connections that you need to prepare between them:

A diagram showing how BlueXP backup and recovery communicates with the volumes on the source systems and the destination storage where the backup files are located.

The VPC gateway endpoint must exist in your VPC already. Learn more about gateway endpoints.

Supported ONTAP versions

Minimum of ONTAP 9.7P5; ONTAP 9.8P13 and later is recommended.

License requirements

For BlueXP backup and recovery PAYGO licensing, a BlueXP subscription is available in the AWS Marketplace that enables deployments of Cloud Volumes ONTAP and BlueXP backup and recovery. You need to subscribe to this BlueXP subscription before you enable BlueXP backup and recovery. Billing for BlueXP backup and recovery is done through this subscription.

For an annual contract that enables you to back up both Cloud Volumes ONTAP data and on-premises ONTAP data, you need to subscribe from the AWS Marketplace page and then associate the subscription with your AWS credentials.

For an annual contract that enables you to bundle Cloud Volumes ONTAP and BlueXP backup and recovery, you must set up the annual contract when you create a Cloud Volumes ONTAP working environment. This option doesn’t enable you to back up on-prem data.

For BlueXP backup and recovery BYOL licensing, you need the serial number from NetApp that enables you to use the service for the duration and capacity of the license. Learn how to manage your BYOL licenses. You must use a BYOL license when the Connector and Cloud Volumes ONTAP system are deployed in a dark site.

You also need an AWS account for the storage space where your backups will be located.

Required information for using customer-managed keys for data encryption

You can choose your own customer-managed keys for data encryption in the activation wizard instead of using the default Amazon S3 encryption keys. In this case, you need to have the customer-managed encryption keys already set up. See how to use your own keys.

Connector requirements

The Connector can be installed in an AWS region with full or limited internet access ("standard" or "restricted" mode). See BlueXP deployment modes for details.

Required AWS Connector permissions

The IAM role that provides BlueXP with permissions must include S3 permissions from the latest BlueXP policy. If the policy does not contain all of these permissions, see the AWS Documentation: Editing IAM policies.

Here are the specific permissions from the policy:

{
    "Sid": "backupPolicy",
    "Effect": "Allow",
    "Action": [
        "s3:DeleteBucket",
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketTagging",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketTagging",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutEncryptionConfiguration",
        "s3:GetObjectVersionTagging",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetObjectVersionAcl",
        "s3:PutObjectTagging",
        "s3:DeleteObjectTagging",
        "s3:GetObjectRetention",
        "s3:DeleteObjectVersionTagging",
        "s3:PutBucketObjectLockConfiguration",
        "s3:ListBucketByTags",
        "s3:DeleteObjectVersion",
        "s3:GetObjectTagging",
        "s3:PutBucketVersioning",
        "s3:PutObjectVersionTagging",
        "s3:GetBucketVersioning",
        "s3:BypassGovernanceRetention",
        "s3:PutObjectRetention",
        "s3:GetObjectVersion",
        "athena:StartQueryExecution",
        "athena:GetQueryResults",
        "athena:GetQueryExecution",
        "glue:GetDatabase",
        "glue:GetTable",
        "glue:CreateTable",
        "glue:CreateDatabase",
        "glue:GetPartitions",
        "glue:BatchCreatePartition",
        "glue:BatchDeletePartition"
    ],
    "Resource": [
        "arn:aws:s3:::netapp-backup-*"
    ]
}

Note: When creating backups in AWS China regions, you need to change the Amazon Resource Name (ARN) under all Resource sections in the IAM policies from "aws" to "aws-cn"; for example, arn:aws-cn:s3:::netapp-backup-*.

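
One way to check a Connector role policy against the permissions listed above before enabling backups. This is an added example, not NetApp code. It tests two actions from the list (the same two this page requires when backups go to a different AWS account) and shows the effect of the China-region partition note. The function names, the sample policy and the bucket name are constructed for illustration, and Condition, NotAction and NotResource elements are not evaluated.

```python
import fnmatch
import json
import re

def as_list(value):
    """IAM allows a single string or dict where a list is expected."""
    return value if isinstance(value, list) else [value]

def matching_actions(policy, effect, bucket_arn):
    """Action patterns from statements with this Effect whose Resource covers bucket_arn."""
    patterns = []
    for stmt in as_list(policy.get("Statement", [])):
        resources = as_list(stmt.get("Resource", []))
        if stmt.get("Effect") == effect and any(
                fnmatch.fnmatchcase(bucket_arn, r) for r in resources):
            patterns += [a.lower() for a in as_list(stmt.get("Action", []))]
    return patterns

def missing_actions(policy, required, bucket_arn):
    """Required actions that are not allowed, or are explicitly denied, on bucket_arn.
    Simplification: Condition, NotAction and NotResource are not evaluated."""
    allow = matching_actions(policy, "Allow", bucket_arn)
    deny = matching_actions(policy, "Deny", bucket_arn)
    def hit(action, patterns):  # IAM action names are case-insensitive
        return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    return sorted(a for a in required if hit(a, deny) or not hit(a, allow))

def with_partition(policy, partition):
    """Copy of the policy with every Resource ARN moved to another partition,
    e.g. "aws-cn" for the China regions mentioned in the page's note."""
    out = json.loads(json.dumps(policy))  # deep copy, original stays untouched
    for stmt in as_list(out.get("Statement", [])):
        if "Resource" in stmt:
            stmt["Resource"] = [re.sub(r"^arn:[^:]+:", f"arn:{partition}:", r)
                                for r in as_list(stmt["Resource"])]
    return out

# From the page's list; also the two it requires for a different destination account.
CROSS_ACCOUNT = ["s3:PutBucketPolicy", "s3:PutBucketOwnershipControls"]

# Constructed sample: a Connector role policy that lacks one of the two actions.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "backupPolicy", "Effect": "Allow",
    "Action": ["s3:Get*", "s3:List*", "s3:PutObject", "s3:PutBucketPolicy"],
    "Resource": ["arn:aws:s3:::netapp-backup-*"]}]}

if __name__ == "__main__":
    for arn in ("arn:aws:s3:::netapp-backup-example",      # constructed bucket name
                "arn:aws-cn:s3:::netapp-backup-example"):  # same bucket, China partition
        print(arn, "missing:", missing_actions(SAMPLE_POLICY, CROSS_ACCOUNT, arn))
```
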
Required AWS Cloud Volumes ONTAP permissions

When your Cloud Volumes ONTAP system is running ONTAP 9.12.1 or greater software, the IAM role that provides that working environment with permissions must include a new set of S3 permissions specifically for BlueXP backup and recovery from the latest Cloud Volumes ONTAP policy.

If you created the Cloud Volumes ONTAP working environment using BlueXP version 3.9.23 or greater, these permissions should be part of the IAM role already. Otherwise you’ll need to add the missing permissions.

Supported AWS regions

BlueXP backup and recovery is supported in all AWS regions where Cloud Volumes ONTAP is supported, including AWS GovCloud regions.

Required setup for creating backups in a different AWS account

By default, backups are created using the same account as the one used for your Cloud Volumes ONTAP system. If you want to use a different AWS account for your backups, you must:

  • Verify that the permissions "s3:PutBucketPolicy" and "s3:PutBucketOwnershipControls" are part of the IAM role that provides the BlueXP Connector with permissions.

  • Add the destination AWS account credentials in BlueXP. See how to do this.

  • Add the following permissions in the user credentials in the second account:

    "athena:StartQueryExecution",
    "athena:GetQueryResults",
    "athena:GetQueryExecution",
    "glue:GetDatabase",
    "glue:GetTable",
    "glue:CreateTable",
    "glue:CreateDatabase",
    "glue:GetPartitions",
    "glue:BatchCreatePartition",
    "glue:BatchDeletePartition"

Enabling BlueXP backup and recovery on a new system

BlueXP backup and recovery is enabled by default in the working environment wizard. Be sure to keep the option enabled.

See Launching Cloud Volumes ONTAP in AWS for requirements and details for creating your Cloud Volumes ONTAP system.

Steps
  1. Click Create Cloud Volumes ONTAP.

  2. Select Amazon Web Services as the cloud provider and then choose a single node or HA system.

  3. Fill out the Details & Credentials page.

  4. On the Services page, leave the service enabled and click Continue.

    Shows the BlueXP backup and recovery option in the working environment wizard.

  5. Complete the pages in the wizard to deploy the system.

Result

BlueXP backup and recovery is enabled on the system and backs up volumes every day and retains the most recent 30 backup copies.

Enabling BlueXP backup and recovery on an existing system

Enable BlueXP backup and recovery at any time directly from the working environment.

Steps
  1. Select the working environment and click Enable next to the Backup and recovery service in the right panel.

    If the Amazon S3 destination for your backups exists as a working environment on the Canvas, you can drag the cluster onto the Amazon S3 working environment to initiate the setup wizard.

    A screenshot that shows the Backup and recovery Enable button which is available after you select a working environment.

  2. Select the provider details and click Next.

    1. The AWS Account used to store the backups. This can be a different account than where the Cloud Volumes ONTAP system resides.

      If you want to use a different AWS account for your backups, you must add the destination AWS account credentials in BlueXP, and add the permissions "s3:PutBucketPolicy" and "s3:PutBucketOwnershipControls" to the IAM role that provides BlueXP with permissions.

    2. The region where the backups will be stored. This can be a different region than where the Cloud Volumes ONTAP system resides.

    3. Whether you’ll use the default Amazon S3 encryption keys or choose your own customer-managed keys from your AWS account to manage encryption of your data. (See how to use your own encryption keys).

      A screenshot that shows the cloud provider details when backing up volumes from a Cloud Volumes ONTAP system to AWS S3.

  3. Enter the backup policy details that will be used for your default policy and click Next. You can select an existing policy, or you can create a new policy by entering your selections in each section:

    1. Enter the name for the default policy. You don’t need to change the name.

    2. Define the backup schedule and choose the number of backups to retain. See the list of existing policies you can choose.

    3. Optionally, when using ONTAP 9.11.1 and greater, you can choose to protect your backups from deletion and ransomware attacks by configuring one of the DataLock and Ransomware Protection settings. DataLock protects your backup files from being modified or deleted, and Ransomware Protection scans your backup files for evidence of a ransomware attack. Learn more about the available DataLock settings.

    4. Optionally, when using ONTAP 9.10.1 and greater, you can choose to tier backups to either S3 Glacier or S3 Glacier Deep Archive storage after a certain number of days for further cost optimization. This feature is not available when deployed in dark sites. Learn more about using archival tiers.

      A screenshot that shows the BlueXP backup and recovery settings where you can choose your schedule and backup retention.

      Important: If you plan to use DataLock, you must enable it in your first policy when activating BlueXP backup and recovery.

  4. Select the volumes that you want to back up using the defined backup policy in the Select Volumes page. If you want to assign different backup policies to certain volumes, you can create additional policies and apply them to those volumes later.

    • To back up all existing volumes and any volumes added in the future, check the box "Back up all existing and future volumes…​". We recommend this option so that all your volumes will be backed up and you’ll never have to remember to enable backups for new volumes.

    • To back up only existing volumes, check the box in the title row.

    • To back up individual volumes, check the box for each volume.

      A screenshot of selecting the volumes that will be backed up.

    • If there are any local Snapshot copies for read/write volumes in this working environment that match the backup schedule label you just selected for this working environment (for example, daily, weekly, etc.), an additional prompt is displayed "Export existing Snapshot copies to object storage as backup copies". Check this box if you want all historic Snapshots to be copied to object storage as backup files to ensure the most complete protection for your volumes.

  5. Click Activate Backup and BlueXP backup and recovery starts taking the initial backups of each selected volume.

Result

An S3 bucket is created automatically in the service account indicated by the S3 access key and secret key you entered, and the backup files are stored there. The Volume Backup Dashboard is displayed so you can monitor the state of the backups. You can also monitor the status of backup and restore jobs using the Job Monitoring panel.

What’s next?