Backing up on-premises ONTAP data to StorageGRID

Contributors netapp-tonacki

Complete a few steps to get started backing up data from your on-premises ONTAP systems to object storage in your NetApp StorageGRID systems.

Note that "on-premises ONTAP systems" includes FAS, AFF, and ONTAP Select systems.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

1. Verify support for your configuration
  • You have discovered the on-premises cluster and added it to a working environment in BlueXP. See Discovering ONTAP clusters for details.

    • The cluster is running ONTAP 9.7P5 or later.

    • The cluster has a SnapMirror license — it is included as part of the Premium Bundle or Data Protection Bundle.

    • The cluster must have the required network connections to StorageGRID and to the Connector.

  • You have a Connector installed on your premises.

    • The Connector can be installed in a site with or without internet access.

    • Networking for the Connector enables an outbound HTTPS connection to the ONTAP cluster and to StorageGRID.

  • You have purchased and activated a Cloud Backup BYOL license from NetApp.

  • Your StorageGRID system is running version 10.3 or later and has access keys with S3 permissions.

2. Enable Cloud Backup on the system

Select the working environment and click Enable > Backup Volumes next to the Backup and recovery service in the right panel, and then follow the setup wizard.

A screenshot that shows the Backup and recovery Enable button which is available after you select a working environment.

3. Enter the StorageGRID details

Select StorageGRID as the provider, and then enter the StorageGRID server and S3 tenant account details. You also need to specify the IPspace in the ONTAP cluster where the volumes reside.

A screenshot that shows the cloud provider details when backing up volumes from an ONTAP cluster to StorageGRID.

4. Define the default backup policy

The default policy backs up volumes every day and retains the most recent 30 backup copies of each volume. Change to hourly, daily, weekly, monthly, or yearly backups, or select one of the system-defined policies that provide more options. You can also change the number of backup copies you want to retain.

If your cluster is using ONTAP 9.12.1 or greater and you’re using StorageGRID 11.3 or greater, you can choose to tier older backups to either AWS S3 Glacier or S3 Glacier Deep Archive storage after a certain number of days for further cost optimization.

Optionally, when using ONTAP 9.11.1 and greater, you can choose to protect your backups from deletion and ransomware attacks by configuring one of the DataLock and Ransomware Protection settings. Learn more about the available Cloud Backup policy configuration settings.

A screenshot that shows the Cloud Backup settings where you can choose the backup schedule and retention period.

5. Select the volumes that you want to back up

Identify which volumes you want to back up using the default backup policy in the Select Volumes page. If you want to assign different backup policies to certain volumes, you can create additional policies and apply them to volumes later.

An S3 bucket is created automatically in the service account indicated by the S3 access key and secret key you entered, and the backup files are stored there.

Requirements

Read the following requirements to make sure you have a supported configuration before you start backing up on-premises volumes to StorageGRID.

The following image shows each component when backing up an on-prem ONTAP system to StorageGRID and the connections that you need to prepare between them.

A diagram showing how Cloud Backup communicates with the volumes on the source systems and the destination storage where the backup files are located.

When the Connector and on-premises ONTAP system are installed in an on-prem location without internet access (a "dark site"), the StorageGRID system must be located in the same on-prem data center. Archival of older backup files to public cloud is not supported in dark site configurations.

Preparing your ONTAP clusters

You need to discover your on-premises ONTAP clusters in BlueXP before you can start backing up volume data.

ONTAP requirements
  • Minimum of ONTAP 9.7P5; ONTAP 9.8P13 and later is recommended.

  • A SnapMirror license (included as part of the Premium Bundle or Data Protection Bundle).

    Note: The "Hybrid Cloud Bundle" is not required when using Cloud Backup.

  • Time and time zone are set correctly.

Cluster networking requirements
  • The ONTAP cluster initiates an HTTPS connection over a user-specified port from the intercluster LIF to the StorageGRID Gateway Node for backup and restore operations. The port is configurable during backup setup.

    ONTAP reads and writes data to and from object storage. The object storage never initiates a connection; it only responds.

  • ONTAP requires an inbound connection from the Connector to the cluster management LIF. The Connector must reside on your premises.

  • An intercluster LIF is required on each ONTAP node that hosts the volumes you want to back up. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage. Learn more about IPspaces.

    When you set up Cloud Backup, you are prompted for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

  • The nodes' intercluster LIFs are able to access the object store (not required when the Connector is installed in a "dark" site).

  • DNS servers have been configured for the storage VM where the volumes are located. See how to configure DNS services for the SVM.

  • Note that if you are using a different IPspace than the Default, then you might need to create a static route to get access to the object storage.

  • Update firewall rules, if necessary, to allow Cloud Backup service connections from ONTAP to object storage through the port you specified (typically port 443) and name resolution traffic from the storage VM to the DNS server over port 53 (TCP/UDP).

Preparing StorageGRID

StorageGRID must meet the following requirements. See the StorageGRID documentation for more information.

Supported StorageGRID versions

StorageGRID 10.3 and later is supported.

To use DataLock & Ransomware Protection for your backups, your StorageGRID systems must be running version 11.6.0.3 or greater.

To tier older backups to cloud archival storage, your StorageGRID systems must be running version 11.3 or greater.

S3 credentials

You must have created an S3 tenant account to control access to your StorageGRID storage. See the StorageGRID docs for details.

When you set up backup to StorageGRID, the backup wizard prompts you for an S3 access key and secret key for a tenant account. The tenant account enables Cloud Backup to authenticate and access the StorageGRID buckets used to store backups. The keys are required so that StorageGRID knows who is making the request.

These access keys must be associated with a user who has the following permissions:

"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:CreateBucket"

Object versioning

You must not enable StorageGRID object versioning manually on the object store bucket.

Creating or switching Connectors

When backing up data to StorageGRID, a Connector must be available on your premises. You’ll either need to install a new Connector or make sure that the currently selected Connector resides on-prem. The Connector can be installed in a site with or without internet access.

Note: Cloud Backup functionality is built into the BlueXP Connector. When installed in a site with no internet connectivity, you’ll need to update the Connector software periodically to get access to new features. Check the Cloud Backup What’s New to see the new features in each Cloud Backup release, and then you can follow the steps to upgrade the Connector software when you want to use new features.

We highly recommend that you create local backups of the Cloud Backup configuration data periodically when the Connector is installed in a site without internet connectivity. See how to back up Cloud Backup data in a dark site.

Preparing networking for the Connector

Ensure that the Connector has the required networking connections.

Steps
  1. Ensure that the network where the Connector is installed enables the following connections:

    • An HTTPS connection over port 443 to the StorageGRID Gateway Node

    • An HTTPS connection over port 443 to your ONTAP cluster management LIF

    • An outbound internet connection over port 443 to Cloud Backup (not required when the Connector is installed in a "dark" site)

Preparing to archive older backup files to public cloud storage

Tiering older backup files to archival storage saves money by using a less expensive storage class for backups that you may not need. StorageGRID is an on-premises (private cloud) solution that doesn’t provide archival storage, but you can move older backup files to public cloud archival storage. When used in this fashion, data that is tiered to cloud storage, or restored from cloud storage, goes directly between StorageGRID and the cloud storage; BlueXP is not involved in this data transfer.

Requirements
  • Your cluster must be using ONTAP 9.12.1 or greater

  • Your StorageGRID must be using 11.3 or greater

  • Your StorageGRID must be discovered and available in the BlueXP Canvas

  • Archival storage is supported only for AWS S3 storage classes at this time. You can choose to tier backups to AWS S3 Glacier or S3 Glacier Deep Archive storage. Learn more about AWS archival tiers.

  • You’ll need to sign up for an Amazon S3 account for the storage space where your backups will be located.

  • StorageGRID should have full-control access to the bucket (s3:*); however, if this is not possible, the bucket policy must grant the following S3 permissions to StorageGRID:

    • s3:AbortMultipartUpload

    • s3:DeleteObject

    • s3:GetObject

    • s3:ListBucket

    • s3:ListBucketMultipartUploads

    • s3:ListMultipartUploadParts

    • s3:PutObject

    • s3:RestoreObject
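A least-privilege check for both permission lists on this page (the S3 tenant user behind the access keys, and the archival bucket policy), added here as an example and not NetApp code. It assumes the policy is available as an AWS-style JSON document with Statement, Effect and Action fields; the function names and the sample policy are constructed for illustration.

```python
import fnmatch

# Action lists copied from this page.
TENANT_USER_ACTIONS = ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject",
                       "s3:PutObject", "s3:DeleteObject", "s3:CreateBucket"]
ARCHIVE_BUCKET_ACTIONS = ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                          "s3:ListBucket", "s3:ListBucketMultipartUploads",
                          "s3:ListMultipartUploadParts", "s3:PutObject",
                          "s3:RestoreObject"]

# Constructed sample policy (not from the page): two required actions are
# absent and two grants go beyond the required list.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:s3:::*",
     "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject",
                "s3:PutObject", "s3:Get*"]},
    {"Effect": "Allow", "Resource": "arn:aws:s3:::*", "Action": "s3:DeleteBucket"},
]}

def _listify(value):
    """Policy fields may hold a single item or a list of items."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _grants(pattern, action):
    """S3 action names are case-insensitive and may use * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def audit_policy(policy, required):
    """Return (missing, excess) as sorted lists for an S3-style policy.

    missing: required actions that no Allow grants or that any Deny matches.
    excess:  Allow entries that are not exactly one of the required actions.
    NotAction, Resource and Condition are not evaluated.
    """
    allowed, denied = set(), set()
    for stmt in _listify(policy.get("Statement")):
        actions = _listify(stmt.get("Action"))
        if stmt.get("Effect") == "Allow":
            allowed.update(actions)
        elif stmt.get("Effect") == "Deny":
            denied.update(actions)
    wanted = {a.lower() for a in required}
    missing = sorted(a for a in required
                     if not any(_grants(p, a) for p in allowed)
                     or any(_grants(p, a) for p in denied))
    excess = sorted(p for p in allowed if p.lower() not in wanted)
    return missing, excess

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, TENANT_USER_ACTIONS))
```

For the archival bucket, an `s3:*` grant shows up under excess; that is the full-control option this page prefers, so treat it as informational there.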

When defining the Archival settings for the backup policy for your cluster, you’ll enter your cloud provider credentials and select the storage class that you want to use. Cloud Backup creates the cloud bucket when you activate backup for the cluster. The information required for AWS archival storage is shown below.

A screenshot of the information you’ll need to archive backup files from StorageGRID to AWS S3.

The archival policy settings you select will generate an information lifecycle management (ILM) policy in StorageGRID, and add the settings as "rules". If there is an existing active ILM policy, new rules will be added to the ILM policy to move the data to the archive tier. If there is an existing ILM policy in the "proposed" state, the creation and activation of a new ILM policy will not be possible. Learn more about StorageGRID ILM policies and rules.

License requirements

Before you can activate Cloud Backup for your cluster, you’ll need to purchase and activate a Cloud Backup BYOL license from NetApp. This license is for the account and can be used across multiple systems.

You’ll need the serial number from NetApp that enables you to use the service for the duration and capacity of the license. Learn how to manage your BYOL licenses.

Tip: PAYGO licensing is not supported when backing up files to StorageGRID.

Enabling Cloud Backup to StorageGRID

Enable Cloud Backup at any time directly from the on-premises working environment.

Steps
  1. From the Canvas, select the on-premises working environment and click Enable > Backup Volumes next to the Backup and recovery service in the right panel.

    If the StorageGRID destination for your backups exists as a working environment on the Canvas, you can drag the cluster onto the StorageGRID working environment to initiate the setup wizard.

    A screenshot that shows the Backup and recovery Enable button which is available after you select a working environment.

  2. Select StorageGRID as the provider, click Next, and then enter the provider details:

    1. The FQDN of the StorageGRID Gateway Node.

    2. The port that ONTAP should use for HTTPS communication with StorageGRID.

    3. The Access Key and the Secret Key used to access the bucket to store backups.

    4. The IPspace in the ONTAP cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access (not required when the Connector is installed in a "dark" site).

      Selecting the correct IPspace ensures that Cloud Backup can set up a connection from ONTAP to your StorageGRID object storage.

      A screenshot that shows the cloud provider details when backing up volumes from an on-premises cluster to StorageGRID storage.

  3. Enter the backup policy details that will be used for your default policy and click Next. You can select an existing policy, or you can create a new policy by entering your selections in each section:

    1. Enter the name for the default policy. You don’t need to change the name.

    2. Define the backup schedule and choose the number of backups to retain. See the list of existing policies you can choose.

    3. If your cluster is using ONTAP 9.11.1 or greater, you can choose to protect your backups from deletion and ransomware attacks by configuring DataLock and Ransomware Protection. DataLock protects your backup files from being modified or deleted, and Ransomware Protection scans your backup files for evidence of a ransomware attack. Learn more about the available DataLock settings.

    4. If your cluster is using ONTAP 9.12.1 or greater, and you’re using StorageGRID 11.3 or greater, you can choose to tier older backups to either AWS S3 Glacier or S3 Glacier Deep Archive storage after a certain number of days for further cost optimization. See how to configure your systems for this functionality.

      A screenshot that shows the Cloud Backup settings where you can choose your backup schedule and retention period.

      Important: If you plan to use DataLock, you must enable it in your first policy when activating Cloud Backup.

  4. Select the volumes that you want to back up using the defined backup policy in the Select Volumes page. If you want to assign different backup policies to certain volumes, you can create additional policies and apply them to those volumes later.

    • To back up all existing volumes and any volumes added in the future, check the box "Back up all existing and future volumes…​". We recommend this option so that all your volumes will be backed up and you’ll never have to remember to enable backups for new volumes.

    • To back up only existing volumes, check the box in the title row.

    • To back up individual volumes, check the box for each volume.

      A screenshot of selecting the volumes that will be backed up.

    • If there are any local Snapshot copies for read/write volumes in this working environment that match the backup schedule label you just selected for this working environment (for example, daily, weekly, etc.), an additional prompt is displayed "Export existing Snapshot copies to object storage as backup copies". Check this box if you want all historic Snapshots to be copied to object storage as backup files to ensure the most complete protection for your volumes.

  5. Click Activate Backup and Cloud Backup starts taking the initial backups of each selected volume.

Result

An S3 bucket is created automatically in the service account indicated by the S3 access key and secret key you entered, and the backup files are stored there. The Volume Backup Dashboard is displayed so you can monitor the state of the backups. You can also monitor the status of backup and restore jobs using the Job Monitoring panel.

What’s next?