Backing up on-premises ONTAP data to Azure Blob storage

Contributors netapp-tonacki

Complete a few steps to get started backing up data from your on-premises ONTAP systems to Azure Blob storage.

Note that "on-premises ONTAP systems" includes FAS, AFF, and ONTAP Select systems.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

One Verify support for your configuration
  • You have discovered the on-premises cluster and added it to a working environment in Cloud Manager. See Discovering ONTAP clusters for details.

    • The cluster is running ONTAP 9.7P5 or later.

    • The cluster has a SnapMirror license — it is included as part of the Premium Bundle or Data Protection Bundle.

    • The cluster must have the required network connections to Blob storage and to the Connector.

  • The Connector must have the required network connections to Blob storage and to the cluster, and the required permissions.

  • You have a valid Azure subscription for the object storage space where your backups will be located.

Two Enable Cloud Backup on the system

Select the working environment and click Enable > Backup Volumes next to the Backup & Restore service in the right-panel, and then follow the setup wizard.

A screenshot that shows the Backup & Restore Enable button which is available after you select a working environment.

Three Select the cloud provider and enter the provider details

Select Microsoft Azure as your provider and then enter the provider details. You’ll need to select the Azure Subscription and the region where you want to create the backups. You can also choose your own customer-managed key for data encryption instead of using the default Microsoft-managed encryption key.

A screenshot that shows the cloud provider details when backing up volumes from an on-premises cluster to Azure Blob storage.

Four Select the cluster IPspace and optional use of a private VNet endpoint

Select the IPspace in the ONTAP cluster where the volumes reside. You can also choose to use an existing Azure Private Endpoint for a more secure connection to the VNet from your on-prem data center.

A screenshot that shows the networking details when backing up volumes from an ONTAP system to Azure Blob storage.

Five Define the default backup policy

The default policy backs up volumes every day and retains the most recent 30 backup copies of each volume. Change to hourly, daily, weekly, or monthly backups, or select one of the system-defined policies that provide more options. You can also change the number of backup copies you want to retain.

By default, backups are stored in the Cool access tier. If your cluster is using ONTAP 9.10.1 or greater, you can choose to tier backups to Azure Archive storage after a certain number of days for further cost optimization.

A screenshot that shows the Cloud Backup settings where you can choose the backup schedule and retention period.

Six Select the volumes that you want to back up

Identify which volumes you want to back up using the default backup policy in the Select Volumes page. If you want to assign different backup policies to certain volumes, you can create additional policies and apply them to volumes later.

Requirements

Read the following requirements to make sure you have a supported configuration before you start backing up on-premises volumes to Azure Blob storage.

There are two connection methods you can use when configuring backups from on-premises ONTAP systems to Azure Blob.

  • Public connection - Directly connect the ONTAP system to Azure Blob storage using a public Azure endpoint.

  • Private connection - Use a VPN or ExpressRoute and route traffic through a VNet Private Endpoint that uses a private IP address.

The following image shows the public connection method and the connections that you need to prepare between the components:

A diagram showing how Cloud Backup communicates with the volumes on the source systems and the destination storage where the backup files are located.

The following image shows the private connection method and the connections that you need to prepare between the components:

A diagram showing how Cloud Backup communicates with the volumes on the source systems and the destination storage where the backup files are located.

Note that when the Cloud Restore instance is deployed in the cloud, it is located in the same subnet as the Connector.

Preparing your ONTAP clusters

You need to discover your on-premises ONTAP clusters in Cloud Manager before you can start backing up volume data.

ONTAP requirements
  • ONTAP 9.7P5 and later.

  • A SnapMirror license (included as part of the Premium Bundle or Data Protection Bundle).

    Note: The "Hybrid Cloud Bundle" is not required when using Cloud Backup.

  • Time and time zone are set correctly.

Cluster networking requirements
  • The ONTAP cluster initiates an HTTPS connection over port 443 from the intercluster LIF to Azure Blob storage for backup and restore operations.

    ONTAP reads and writes data to and from object storage. The object storage never initiates, it just responds.

  • ONTAP requires an inbound connection from the Connector to the cluster management LIF. The Connector can reside in an Azure VNet.

  • An intercluster LIF is required on each ONTAP node that hosts the volumes you want to back up. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage. Learn more about IPspaces.

    When you set up Cloud Backup, you are prompted for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

  • The nodes' and intercluster LIFs are able to access the object store.

  • DNS servers have been configured for the storage VM where the volumes are located. See how to configure DNS services for the SVM.

  • Note that if you use are using a different IPspace than the Default, then you might need to create a static route to get access to the object storage.

  • Update firewall rules, if necessary, to allow Cloud Backup service connections from ONTAP to object storage through port 443 and name resolution traffic from the storage VM to the DNS server over port 53 (TCP/UDP).

Creating or switching Connectors

A Connector is required to back up data to the cloud, and the Connector must be in an Azure VNet when backing up data to Azure Blob storage. You can’t use a Connector that’s deployed on-premises. You’ll either need to create a new Connector or make sure that the currently selected Connector resides in the correct provider.

Preparing networking for the Connector

Ensure that the Connector has the required networking connections.

Steps
  1. Ensure that the network where the Connector is installed enables the following connections:

    • An outbound internet connection to the Cloud Backup service over port 443 (HTTPS)

    • An HTTPS connection over port 443 to your Blob object storage

    • An HTTPS connection over port 443 to your ONTAP cluster management LIF

  2. Enable a VNet Private Endpoint to Azure storage. This is needed if you have an ExpressRoute or VPN connection from your ONTAP cluster to the VNet and you want communication between the Connector and Blob storage to stay in your virtual private network.

Supported regions

You can create backups from on-premises systems to Azure Blob in all regions where Cloud Volumes ONTAP is supported; including Azure Government regions. You specify the region where the backups will be stored when you set up the service.

Verify license requirements

  • Before you can activate Cloud Backup for your cluster, you’ll need to either subscribe to a pay-as-you-go (PAYGO) Cloud Manager Marketplace offering from Azure, or purchase and activate a Cloud Backup BYOL license from NetApp. These licenses are for your account and can be used across multiple systems.

    • For Cloud Backup PAYGO licensing, you’ll need a subscription to the Azure Cloud Manager Marketplace offering to use Cloud Backup. Billing for Cloud Backup is done through this subscription.

    • For Cloud Backup BYOL licensing, you’ll need the serial number from NetApp that enables you to use the service for the duration and capacity of the license. Learn how to manage your BYOL licenses.

  • You need to have an Azure subscription for the object storage space where your backups will be located.

    You can create backups from on-premises systems to Azure Blob in all regions where Cloud Volumes ONTAP is supported; including Azure Government regions. You specify the region where backups will be stored when you set up the service.

Preparing Azure Blob storage for backups

  1. If your virtual or physical network uses a proxy server for internet access, ensure that the Cloud Restore virtual machine has outbound internet access to contact the following endpoints.

    Endpoints Purpose

    http://olcentgbl.trafficmanager.net
    https://olcentgbl.trafficmanager.net

    Provides CentOS packages for the Cloud Restore virtual machine.

    https://download.docker.com/linux/centos/docker-ce.repo

    Provides the Docker Engine packages.

    http://cloudmanagerinfraprod.azurecr.io
    https://cloudmanagerinfraprod.azurecr.io

    Cloud Restore virtual machine image repository.

  2. You use choose your own custom-managed keys for data encryption in the activation wizard instead of using the default Microsoft-managed encryption keys. In this case you will need to have the Azure Subscription, Key Vault name, and the Key. See how to use your own keys.

  3. If you want to have a more secure connection over the public internet from your on-prem data center to the VNet, there is an option to configure an Azure Private Endpoint in the activation wizard. In this case you will need to know the VNet and Subnet for this connection. See details about using a Private Endpoint.

Enabling Cloud Backup

Enable Cloud Backup at any time directly from the on-premises working environment.

Steps
  1. From the Canvas, select the working environment and click Enable > Backup Volumes next to the Backup & Restore service in the right-panel.

    A screenshot that shows the Backup & Restore Enable button which is available after you select a working environment.

  2. Select Microsoft Azure as your provider and click Next.

  3. Enter the provider details and click Next.

    1. The Azure subscription used for backups and the Azure region where the backups will be stored.

    2. The resource group that manages the Blob container - you can create a new resource group or select an existing resource group.

    3. Whether you will use the default Microsoft-managed encryption key or choose your own customer-managed keys to manage encryption of your data. (See how to use your own keys).

      A screenshot that shows the cloud provider details when backing up volumes from an on-premises cluster to Azure Blob storage.

  4. If you don’t have an existing Cloud Backup license for your account, you’ll be prompted at this point to select the type of charging method that you want to use. You can subscribe to a pay-as-you-go (PAYGO) Cloud Manager Marketplace offering from Azure (or if you have multiple subscriptions you’ll need to select one), or purchase and activate a Cloud Backup BYOL license from NetApp. Learn how to set up Cloud Backup licensing.

  5. Enter the networking details and click Next.

    1. The IPspace in the ONTAP cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.

    2. Optionally, choose whether you will configure an Azure Private Endpoint. See details about using a Private Endpoint.

      A screenshot that shows the networking details when backing up volumes from an ONTAP system to Azure Blob storage.

  6. Enter the default backup policy details and click Next.

    1. Define the backup schedule and choose the number of backups to retain. See the list of existing policies you can choose.

    2. When using ONTAP 9.10.1 and greater, you can choose to tier backups to Azure Archive storage after a certain number of days for further cost optimization. Learn more about using archival tiers.

      A screenshot that shows the Cloud Backup settings where you can choose your schedule and backup retention.

  7. Select the volumes that you want to back up using the default backup policy in the Select Volumes page. If you want to assign different backup policies to certain volumes, you can create additional policies and apply them to those volumes later.

    • To back up all volumes, check the box in the title row (button backup all volumes).

    • To back up individual volumes, check the box for each volume (button backup 1 volume).

      A screenshot of selecting the volumes that will be backed up.

    If you want all volumes added in the future to have backup enabled, just leave the checkbox for "Automatically back up future volumes…​" checked. If you disable this setting, you’ll need to manually enable backups for future volumes.

  8. Click Activate Backup and Cloud Backup starts taking the initial backups of your volumes.

Result

Cloud Backup starts taking the initial backups of each selected volume and the Volume Backup Dashboard is displayed so you can monitor the state of the backups.

What’s next?

You can start and stop backups for volumes or change the backup schedule.
You can also restore entire volumes or individual files from a backup file to a Cloud Volumes ONTAP system in Azure, or to an on-premises ONTAP system.