Backing up on-premises ONTAP data to the public cloud

Contributors netapp-tonacki Download PDF of this page

Complete a few steps to get started backing up data from your on-premises ONTAP systems to low-cost object storage in the public cloud. This includes creating backup files on Amazon S3, Azure Blob, and Google Cloud Storage.

If you have a NetApp StorageGRID system and want to create your backups there, see how to back up on-premises ONTAP data to the private cloud.

TIP

In most cases you’ll use Cloud Manager for all backup and restore operations. However, starting with ONTAP 9.9.1 you can initiate volume backup operations of your on-premises ONTAP clusters using ONTAP System Manager. See how to use System Manager to back up your volumes to the cloud using Cloud Backup.

A Beta feature released in January 2021 allows you to run Compliance scans on the backed up volumes from your on-premises systems. Typically, compliance scans are free up to 1 TB of data, and then a cost for the service is applied for data over 1 TB. When combining Backup and Compliance for your on-premises volumes, the cost for scans on those on-prem volumes is free. Learn more about how Cloud Compliance can get your business applications and cloud environments privacy ready.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

Number 1 Verify support for your configuration

  • You have discovered the on-premises cluster and added it to a working environment in Cloud Manager. See Discovering ONTAP clusters for details.

    • The cluster is running ONTAP 9.7P5 or later.

    • The cluster has a SnapMirror license — it is included as part of the PREM or Data Protection bundle.

  • You have subscribed to the Azure, the AWS, or the Google Cloud Manager Marketplace Backup offering, or you have purchased and activated a Cloud Backup BYOL license from NetApp.

  • You have a valid cloud provider subscription for the object storage space where your backups will be located.

  • For AWS and GCP, you need to have an account that has an access key and the required permissions so the ONTAP cluster can back up the data.

Number 2 Enable Cloud Backup on the system

Select the working environment and click Enable next to the Backup & Compliance service in the right-panel, and then follow the setup wizard.

A screenshot that shows the Backup & Compliance Enable button which is available after you select an on-prem working environment.

Number 3 Select the cloud provider and enter the provider details

Select the provider and then enter the provider details. You also need to specify the IPspace in the ONTAP cluster where the volumes reside.

Number 4 Define the backup policy

The default policy backs up volumes every day and retains the most recent 30 backup copies of each volume. Change to daily, weekly, or monthly backups, or select one of the system-defined policies that provide more options.

A screenshot that shows the Cloud Backup settings where you can choose the backup schedule and retention period.

Number 5 Select the volumes that you want to back up

Identify which volumes you want to back up from the cluster.

Number 6 Activate Compliance scans on the backed up volumes (optional)

Choose whether you want to have Cloud Compliance scan the volumes that are backed up in the cloud.

Number 7 Restore your data, as needed

Choose to restore an entire backup to a new volume, or to restore individual files from the backup to an existing volume. You can restore data to a Cloud Volumes ONTAP system that is using the same cloud provider, or to an on-premises ONTAP system.

Requirements

Read the following requirements to make sure you have a supported configuration before you start backing up on-premises volumes to object storage.

The following image shows each component when backing up an on-prem ONTAP system to Amazon S3 and the connections that you need to prepare between them:

A diagram showing how Cloud Backup communicates with the volumes on the source systems and the destination storage where the backup files are located.

The following image shows each component when backing up an on-prem ONTAP system to Azure Blob and the connections that you need to prepare between them:

A diagram showing how Cloud Backup communicates with the volumes on the source systems and the destination storage where the backup files are located.

The following image shows each component when backing up an on-prem ONTAP system to Google Cloud Storage and the connections that you need to prepare between them:

A diagram showing how Cloud Backup communicates with the volumes on the source systems and the destination storage where the backup files are located.

Preparing your ONTAP clusters

Your ONTAP clusters must meet the following requirements when backing up data to cloud storage.

ONTAP requirements
Cluster networking requirements
  • The ONTAP cluster initiates an HTTPS connection over port 443 to the cloud object storage.

    ONTAP reads and writes data to and from object storage. The object storage never initiates, it just responds.

  • An inbound connection is required from the Connector, which can reside in an AWS VPC, Azure VNet, or Google Cloud Platform VPC; depending on the object storage provider you are using.

  • An intercluster LIF is required on each ONTAP node that hosts the volumes you want to back up. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage. Learn more about IPspaces.

    When you set up Cloud Backup, you are prompted for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

  • Node and intercluster LIFs are able to access the internet.

  • DNS servers have been configured for the storage VM where the volumes are located.

  • Update firewall rules, if necessary, to allow Cloud Backup service connections from ONTAP to object storage through port 443 and name resolution traffic from the storage VM to the DNS server over port 53 (TCP/UDP).

Discovering an ONTAP cluster

You need to discover your on-premises ONTAP clusters in Cloud Manager before you can start backing up volume data.

Creating or switching Connectors

A Connector is required to back up data to the cloud, and the Connector must be in the same cloud provider as the destination object storage. For example, when backing up data to AWS S3 you must use a Connector that’s in an AWS VPC. You cannot use a Connector that is deployed on-premises. You’ll either need to create a new Connector or make sure that the currently selected Connector resides in the correct provider.

Preparing networking for the Connector

Ensure that the Connector has the required networking connections.

Steps
  1. Ensure that the network where the Connector is installed enables the following connections:

    • An outbound internet connection to the Cloud Backup service over port 443 (HTTPS)

    • An HTTPS connection over port 443 to your object storage (S3, Blob, or Google)

    • An HTTPS connection over port 443 to your ONTAP clusters

  2. Enable an endpoint to your object storage:

    • For AWS: Enable a VPC Endpoint to S3. This is needed if you have a Direct Connect or VPN connection from your ONTAP cluster to the VPC and you want communication between the Connector and S3 to stay in your AWS internal network.

    • For Azure: Enable a VNet Private Endpoint to Azure storage. This is needed if you have an ExpressRoute or VPN connection from your ONTAP cluster to the VNet and you want communication between the Connector and Blob storage to stay in your virtual private network.

    • For Google: Enable Private Google Access on the subnet where you plan to deploy the Service Connector. Private Google Access is needed if you have a direct connection from your ONTAP cluster to the VPC and you want communication between the Connector and Google Cloud Storage to stay in your virtual private network.

      Note that Private Google Access works with VM instances that have only internal (private) IP addresses (no external IP addresses).

Supported regions

You can create backups from on-premises systems to the public cloud in all regions where Cloud Volumes ONTAP is supported. You specify the region where the backups will be stored when you set up the service.

License requirements

For Cloud Backup PAYGO licensing, you’ll need a subscription to the Azure, the AWS, or the Google Cloud Manager Marketplace Backup offering before you enable Cloud Backup. Billing for Cloud Backup is done through this subscription.

For Cloud Backup BYOL licensing, you need the serial number from NetApp that enables you to use the service for the duration and capacity of the license. See Adding and updating your Backup BYOL license.

And you need to have a subscription from your cloud provider for the object storage space where your backups will be located.

Preparing Amazon S3 for backups

When you are using Amazon S3, you must configure permissions for Cloud Manager to access the S3 bucket, and you must configure permissions so the on-premises ONTAP cluster can access the S3 bucket.

Steps
  1. Provide the following S3 permissions (from the latest Cloud Manager policy) to the IAM role that provides Cloud Manager with permissions:

    {
                "Sid": "backupPolicy",
                "Effect": "Allow",
                "Action": [
                    "s3:DeleteBucket",
                    "s3:GetLifecycleConfiguration",
                    "s3:PutLifecycleConfiguration",
                    "s3:PutBucketTagging",
                    "s3:ListBucketVersions",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketTagging",
                    "s3:GetBucketLocation",
                    "s3:GetBucketPolicyStatus",
                    "s3:GetBucketPublicAccessBlock",
                    "s3:GetBucketAcl",
                    "s3:GetBucketPolicy",
                    "s3:PutBucketPublicAccessBlock"
                ],
                "Resource": [
                    "arn:aws:s3:::netapp-backup-*"
                ]
            },
  2. Provide the following permissions to the IAM user so that the ONTAP cluster can back up data to S3.

    "s3:ListAllMyBuckets",
    "s3:ListBucket",
    "s3:GetBucketLocation",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject"
  3. Create or locate an access key.

    Cloud Backup passes the access key on to the ONTAP cluster. The credentials are not stored in the Cloud Backup service.

Preparing Google Cloud Storage for backups

When you set up backup, you need to provide storage access keys for a service account that has Storage Admin permissions. A service account enables Cloud Backup to authenticate and access Cloud Storage buckets used to store backups. The keys are required so that Google Cloud Storage knows who is making the request.

Steps
  1. Create a service account that has the predefined Storage Admin role.

  2. Go to GCP Storage Settings and create access keys for the service account:

    1. Select a project, and click Interoperability. If you haven’t already done so, click Enable interoperability access.

    2. Under Access keys for service accounts, click Create a key for a service account, select the service account that you just created, and click Create Key.

      You’ll need to enter the keys in Cloud Backup later when you configure the backup service.

Enabling Cloud Backup

Enable Cloud Backup at any time directly from the on-premises working environment.

Steps
  1. From the Canvas, select the working environment and click Enable next to the Backup & Compliance service in the right-panel.

    A screenshot that shows the Backup & Compliance Enable button which is available after you select an on-prem working environment.

  2. Select the provider, click Next, and then enter the provider details:

    • For Azure, enter:

      1. The Azure subscription used for backups and the Azure region where the backups will be stored.

      2. The resource group - you can create a new resource group or select and existing resource group.

      3. The IPspace in the ONTAP cluster where the volumes you want to back up reside.

        A screenshot that shows the cloud provider details when backing up volumes from an on-premises cluster to Azure Blob storage.

    • For AWS, enter:

      1. The AWS Account, the AWS Access Key, and the Secret Key used to store the backups.

      2. The AWS region where the backups will be stored.

      3. The IPspace in the ONTAP cluster where the volumes you want to back up reside.

        A screenshot that shows the cloud provider details when backing up volumes from an on-premises cluster to AWS S3 storage.

    • For Google, enter:

      1. The Google Cloud Project where you want the Google Cloud Storage bucket to be created for backups. This can be a different Project than where Cloud Manager resides. (The Project must have a Service Account that has the predefined Storage Admin role.)

      2. The Google Access Key and Secret Key used to store the backups.

      3. The Google region where the backups will be stored. This can be a different region than where Cloud Manager resides.

      4. The IPspace in the ONTAP cluster where the volumes you want to back up reside.

        A screenshot that shows the cloud provider details when backing up volumes from an on-premises cluster to Google Cloud Storage.

    • For StorageGRID, see how to back up on-premises ONTAP data to the private cloud.

      Note that you cannot change this information after the service has started.

  3. Click Next after you’ve entered the provider details.

  4. In the Define Policy page, select an existing backup schedule and retention value, or define a new backup policy, and click Next.

    A screenshot that shows the Cloud Backup settings where you can choose your backup schedule and retention period.

  5. Select the volumes that you want to back up.

    • To back up all volumes, check the box in the title row (button backup all volumes).

    • To back up individual volumes, check the box for each volume (button backup 1 volume).

      A screenshot of selecting the volumes that will be backed up.

  6. Click Activate Backup and Cloud Backup starts taking the initial backups of your volumes.

    When creating backup files in AWS or Azure, you are prompted whether you want to run compliance scans on the backed up volumes. Cloud Compliance scans are free when you run them on the backed up volumes (except for the cost of the deployed Cloud Compliance instance).

    A screenshot of the page where you can choose to activate Cloud Compliance on your backed up volumes.

  7. Click Go to Compliance to activate compliance scans on the volumes. (If you choose Close and not to scan these backed up volumes, you can always enable this functionality later from Cloud Compliance.)

    • If an instance of Cloud Compliance is already deployed in your environment, you are directed to the Configuration page to select the volumes you want to scan in each on-premises working environment that has backups. See how to choose the volumes.

      A screenshot of the Compliance page to select volumes you want to scan.

    • If Cloud Compliance has not been deployed, you are directed to the Compliance page where you can choose to deploy Compliance in the cloud or in your premises. We strongly recommend deploying it in the cloud. Go here for installation requirements and instructions.

      A screenshot of the Compliance page to choose how you want to deploy Cloud Compliance.

      After you have deployed Compliance you can choose the volumes you want to scan as described above.

Result

Cloud Backup backs up your volumes from the on-premises ONTAP system, and optionally, Cloud Compliance runs compliance scans on the backed up volumes.

You can also view the results of the compliance scans and review other features of Cloud Compliance that can help you understand data context and identify sensitive data in your organization.

The scan results are not available immediately because Cloud Backup has to finish creating the backups before Cloud Compliance can start compliance scans.