Skip to main content
BlueXP backup and recovery
All cloud providers
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • All cloud providers

Back up on-premises ONTAP data to Google Cloud Storage

Contributors amgrissino netapp-tonacki netapp-bcammett

Complete a few steps to get started backing up volume data from your on-premises primary ONTAP systems to a secondary storage system and to Google Cloud Storage.

Note "On-premises ONTAP systems" include FAS, AFF, and ONTAP Select systems.

Quick start

Get started quickly by following these steps. Details for each step are provided in the following sections in this topic.

One Identify the connection method you'll use

Choose whether you'll connect your on-premises ONTAP cluster directly to Google Cloud Storage over the public internet, or whether you'll use a VPN or Google Cloud Interconnect and route traffic through a private Google Access interface that uses a private IP address.

Two Prepare your BlueXP Connector

If you already have a Connector deployed in your Google Cloud Platform VPC, then you're all set. If not, then you'll need to create a BlueXP Connector to back up ONTAP data to Google Cloud storage. You'll also need to customize network settings for the Connector so that it can connect to Google Cloud.

Three Verify license requirements

You'll need to check license requirements for both Google Cloud and BlueXP.

Four Prepare your ONTAP clusters

Discover your ONTAP clusters in BlueXP, verify that the clusters meet minimum requirements, and customize network settings so the clusters can connect to Google Cloud.

Five Prepare Google Cloud as your backup target

Set up permissions for the Connector to create and manage the Google Cloud bucket. You'll also need to set up permissions for the on-premises ONTAP cluster so it can read and write data to the Google Cloud bucket.

Optionally, you can set up your own custom-managed keys for data encryption instead of using the default Google Cloud encryption keys. Learn how to get your Google Cloud environment ready to receive ONTAP backups.

Six Activate backups on your ONTAP volumes

Select the working environment and click Enable > Backup Volumes next to the Backup and recovery service in the right-panel. Then follow the setup wizard to select the replication and backup policies that you'll use and the volumes you want to back up.

Identify the connection method

Choose which of the two connection methods you will use when configuring backups from on-premises ONTAP systems to Google Cloud Storage.

  • Public connection - Directly connect the ONTAP system to Google Cloud Storage using a public Google endpoint.

  • Private connection - Use a VPN or Google Cloud Interconnect and route traffic through a Private Google Access interface that uses a private IP address.

Optionally, you can connect to a secondary ONTAP system for replicated volumes using the public or private connection as well.

The following diagram shows the public connection method and the connections that you need to prepare between the components. The Connector must be deployed in the Google Cloud Platform VPC.

A diagram showing how BlueXP backup and recovery communicates over a public connection with the volumes on the cluster and the Google Cloud storage where the backup files are located.

The following diagram shows the private connection method and the connections that you need to prepare between the components. The Connector must be deployed in the Google Cloud Platform VPC.

A diagram showing how BlueXP backup and recovery communicates over a private connection with the volumes on the cluster and the Google Cloud storage where the backup files are located.

Prepare your BlueXP Connector

The BlueXP Connector is the main software for BlueXP functionality. A Connector is required to back up and restore your ONTAP data.

Create or switch Connectors

If you already have a Connector deployed in your Google Cloud Platform VPC, then you're all set.

If not, then you'll need to create a Connector in that location to back up ONTAP data to Google Cloud Storage. You can't use a Connector that's deployed in another cloud provider, or on-premises.

Prepare networking for the Connector

Ensure that the Connector has the required networking connections.

Steps
  1. Ensure that the network where the Connector is installed enables the following connections:

    • An HTTPS connection over port 443 to the BlueXP backup and recovery service and to your Google Cloud storage (see the list of endpoints)

    • An HTTPS connection over port 443 to your ONTAP cluster management LIF

  2. Enable Private Google Access (or Private Service Connect) on the subnet where you plan to deploy the Connector. Private Google Access or Private Service Connect are needed if you have a direct connection from your ONTAP cluster to the VPC and you want communication between the Connector and Google Cloud Storage to stay in your virtual private network (a private connection).

    Follow the Google instructions for setting up these Private access options. Make sure your DNS servers have been configured to point www.googleapis.com and storage.googleapis.com to the correct internal (private) IP addresses.

Verify or add permissions to the Connector

To use the BlueXP backup and recovery "Search & Restore" functionality, you need to have specific permissions in the role for the Connector so that it can access the Google Cloud BigQuery service. Review the permissions below, and follow the steps if you need to modify the policy.

Steps
  1. In the Google Cloud Console, go to the Roles page.

  2. Using the drop-down list at the top of the page, select the project or organization that contains the role that you want to edit.

  3. Select a custom role.

  4. Select Edit Role to update the role's permissions.

  5. Select Add Permissions to add the following new permissions to the role.

    bigquery.jobs.get
    bigquery.jobs.list
    bigquery.jobs.listAll
    bigquery.datasets.create
    bigquery.datasets.get
    bigquery.jobs.create
    bigquery.tables.get
    bigquery.tables.getData
    bigquery.tables.list
    bigquery.tables.create
  6. Select Update to save the edited role.

Verify license requirements

  • Before you can activate BlueXP backup and recovery for your cluster, you'll need to either subscribe to a pay-as-you-go (PAYGO) BlueXP Marketplace offering from Google, or purchase and activate a BlueXP backup and recovery BYOL license from NetApp. These licenses are for your account and can be used across multiple systems.

  • You need to have a Google subscription for the object storage space where your backups will be located.

Supported regions

You can create backups from on-premises systems to Google Cloud Storage in all regions where Cloud Volumes ONTAP is supported. You specify the region where backups will be stored when you set up the service.

Prepare your ONTAP clusters

You'll need to prepare your source on-premises ONTAP system and any secondary on-premises ONTAP or Cloud Volumes ONTAP systems.

Preparing your ONTAP clusters involves the following steps:

  • Discover your ONTAP systems in BlueXP

  • Verify ONTAP system requirements

  • Verify ONTAP networking requirements for backing up data to object storage

  • Verify ONTAP networking requirements for replicating volumes

Discover your ONTAP systems in BlueXP

Both your source on-premises ONTAP system and any secondary on-premises ONTAP or Cloud Volumes ONTAP systems must be available on the BlueXP Canvas.

You'll need to know the cluster management IP address and the password for the admin user account to add the cluster.
Learn how to discover a cluster.

Verify ONTAP system requirements

Ensure that the following ONTAP requirements are met:

  • Minimum of ONTAP 9.8; ONTAP 9.8P13 and later is recommended.

  • A SnapMirror license (included as part of the Premium Bundle or Data Protection Bundle).

    Note: The "Hybrid Cloud Bundle" is not required when using BlueXP backup and recovery.

  • Time and time zone are set correctly. Learn how to configure your cluster time.

  • If you are going to replicate data, you should verify that the source and destination systems are running compatible ONTAP versions before replicating data.

Verify ONTAP networking requirements for backing up data to object storage

You must configure the following requirements on the system that connects to object storage.

  • For a fan-out backup architecture, configure the following settings on the primary system.

  • For a cascaded backup architecture, configure the following settings on the secondary system.

The following ONTAP cluster networking requirements are needed:

  • The ONTAP cluster initiates an HTTPS connection over port 443 from the intercluster LIF to Google Cloud Storage for backup and restore operations.

    ONTAP reads and writes data to and from object storage. The object storage never initiates, it just responds.

  • ONTAP requires an inbound connection from the Connector to the cluster management LIF. The Connector can reside in a Google Cloud Platform VPC.

  • An intercluster LIF is required on each ONTAP node that hosts the volumes you want to back up. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage. Learn more about IPspaces.

    When you set up BlueXP backup and recovery, you are prompted for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

  • The nodes' intercluster LIFs are able to access the object store.

  • DNS servers have been configured for the storage VM where the volumes are located. See how to configure DNS services for the SVM.

    If you're using Private Google Access or Private Service Connect, make sure your DNS servers have been configured to point storage.googleapis.com to the correct internal (private) IP address.

  • Note that if you use are using a different IPspace than the Default, then you might need to create a static route to get access to the object storage.

  • Update firewall rules, if necessary, to allow BlueXP backup and recovery connections from ONTAP to object storage through port 443, and name resolution traffic from the storage VM to the DNS server over port 53 (TCP/UDP).

Verify ONTAP networking requirements for replicating volumes

If you plan to create replicated volumes on a secondary ONTAP system using BlueXP backup and recovery, ensure that the source and destination systems meet following networking requirements.

On-premises ONTAP networking requirements

  • If the cluster is in your premises, you should have a connection from your corporate network to your virtual network in the cloud provider. This is typically a VPN connection.

  • ONTAP clusters must meet additional subnet, port, firewall, and cluster requirements.

    Because you can replicate to Cloud Volumes ONTAP or an on-premises systems, review peering requirements for on-premises ONTAP systems. View prerequisites for cluster peering in the ONTAP documentation.

Cloud Volumes ONTAP networking requirements

  • The instance's security group must include the required inbound and outbound rules: specifically, rules for ICMP and ports 11104 and 11105. These rules are included in the predefined security group.

Prepare Google Cloud Storage as your backup target

Preparing Google Cloud Storage as your backup target involves the following steps:

  • Set up permissions.

  • (Optional) Create your own buckets. (The service will create buckets for you if you want.)

  • (Optional) Set up customer-managed keys for data encryption

Set up permissions

When you set up backup, you need to provide storage access keys for a service account that has specific permissions. A service account enables BlueXP backup and recovery to authenticate and access Cloud Storage buckets used to store backups. The keys are required so that Google Cloud Storage knows who is making the request.

Steps
  1. In the Google Cloud Console, go to the Roles page.

  2. Create a new role with the following permissions:

    storage.buckets.create
    storage.buckets.delete
    storage.buckets.get
    storage.buckets.list
    storage.buckets.update
    storage.buckets.getIamPolicy
    storage.multipartUploads.create
    storage.objects.create
    storage.objects.delete
    storage.objects.get
    storage.objects.list
    storage.objects.update
  3. In the Google Cloud console, go to the Service accounts page.

  4. Select your Cloud project.

  5. Select Create service account and provide the required information:

    1. Service account details: Enter a name and description.

    2. Grant this service account access to project: Select the custom role that you just created.

    3. Select Done.

  6. Go to GCP Storage Settings and create access keys for the service account:

    1. Select a project, and select Interoperability. If you haven't already done so, select Enable interoperability access.

    2. Under Access keys for service accounts, select Create a key for a service account, select the service account that you just created, and click Create Key.

      You'll need to enter the keys in BlueXP backup and recovery later when you configure the backup service.

Create your own buckets

By default, the service creates buckets for you. Or, if you want to use your own buckets, you can create them before you start the backup activation wizard and then select those buckets in the wizard.

Set up customer-managed encryption keys (CMEK) for data encryption

You can use your own customer-managed keys for data encryption instead of using the default Google-managed encryption keys. Both cross-region and cross-project keys are supported, so you can choose a project for a bucket that is different than the project of the CMEK key.

If you're planning to use your own customer-managed keys:

  • You'll need to have the Key Ring and the Key Name so you can add this information in the activation wizard. Learn more about customer-managed encryption keys.

  • You'll need to verify that these required permissions are included in the role for the Connector:

    cloudkms.cryptoKeys.get
    cloudkms.cryptoKeys.getIamPolicy
    cloudkms.cryptoKeys.list
    cloudkms.cryptoKeys.setIamPolicy
    cloudkms.keyRings.get
    cloudkms.keyRings.getIamPolicy
    cloudkms.keyRings.list
    cloudkms.keyRings.setIamPolicy
  • You'll need to verify that the Google "Cloud Key Management Service (KMS)" API is enabled in your project. See the Google Cloud documentation: Enabling APIs for details.

CMEK considerations:

  • Both HSM (Hardware-backed) and Software-generated keys are supported.

  • Both newly created or imported Cloud KMS keys are supported.

  • Only regional keys are supported, global keys are not supported.

  • Currently, only the "Symmetric encrypt/decrypt" purpose is supported.

  • The service agent associated with the Storage Account is assigned the "CryptoKey Encrypter/Decrypter (roles/cloudkms.cryptoKeyEncrypterDecrypter)" IAM role by BlueXP backup and recovery.

Activate backups on your ONTAP volumes

Activate backups at any time directly from your on-premises working environment.

A wizard takes you through the following major steps:

You can also Show the API commands at the review step, so you can copy the code to automate backup activation for future working environments.

Start the wizard

Steps
  1. Access the Activate backup and recovery wizard using one of the following ways:

    • From the BlueXP canvas, select the working environment and select Enable > Backup Volumes next to the Backup and recovery service in the right-panel.

      A screenshot that shows the Backup and recovery Enable button that is available after you select a working environment.

      If the Google Cloud Storage destination for your backups exists as a working environment on the Canvas, you can drag the ONTAP cluster onto the Google Cloud object storage.

    • Select Volumes in the Backup and recovery bar. From the Volumes tab, select the Actions Actions icon icon and select Activate Backup for a single volume (that does not already have replication or backup to object storage already enabled). .

    The Introduction page of the wizard shows the protection options including local Snapshots, replication, and backups. If you did the second option in this step, the Define Backup Strategy page appears with one volume selected.

  2. Continue with the following options:

    • If you already have a BlueXP Connector, you're all set. Just select Next.

    • If you don't already have a BlueXP Connector, the Add a Connector option appears. Refer to Prepare your BlueXP Connector.

Select the volumes that you want to back up

Choose the volumes you want to protect. A protected volume is one that has one or more of the following: Snapshot policy, replication policy, backup to object policy.

You can choose to protect FlexVol or FlexGroup volumes; however, you cannot select a mix of these volumes when activating backup for a working environment. See how to activate backup for additional volumes in the working environment (FlexVol or FlexGroup) after you have configured backup for the initial volumes.

Note
  • You can activate a backup only on a single FlexGroup volume at a time.

  • The volumes you select must have the same SnapLock setting. All volumes must have SnapLock Enterprise enabled or have SnapLock disabled. (Volumes with SnapLock Compliance mode require ONTAP 9.14 or later.)

Steps

Note that if the volumes you choose already have Snapshot or replication policies applied, then the policies you select later will overwrite these existing policies.

  1. In the Select Volumes page, select the volume or volumes you want to protect.

    • Optionally, filter the rows to show only volumes with certain volume types, styles, and more to make the selection easier.

    • After you select the first volume, then you can select all FlexVol volumes (FlexGroup volumes can be selected one at a time only). To back up all existing FlexVol volumes, check one volume first and then check the box in the title row. (button backup all volumes).

    • To back up individual volumes, check the box for each volume (button backup 1 volume).

  2. Select Next.

Define the backup strategy

Defining the backup strategy involves setting the following options:

  • Whether you want one or all of the backup options: local Snapshots, replication, and backup to object storage

  • Architecture

  • Local Snapshot policy

  • Replication target and policy

    Note If the volumes you choose have different Snapshot and replication policies than the policies you select in this step, the existing policies will be overwritten.
  • Backup to object storage information (provider, encryption, networking, backup policy, and export options).

Steps
  1. In the Define backup strategy page, choose one or all of the following. All three are selected by default:

    • Local Snapshots: If you are performing replication or back up to object storage, local Snapshots must be created.

    • Replication: Creates replicated volumes on another ONTAP storage system.

    • Backup: Backs up volumes to object storage.

  2. Architecture: If you chose replication and backup, choose one of the following flows of information:

    • Cascading: Information flows from the primary to the secondary and from the secondary to object storage.

    • Fan out: Information flows from the primary to the secondary and from the primary to object storage.

      For details about these architectures, refer to Plan your protection journey.

  3. Local Snapshot: Choose an existing Snapshot policy or create a new one.

    Tip To create a custom policy before activating the Snapshot, refer to Create a policy.

    To create a policy, select Create new policy and do the following:

    • Enter the name of the policy.

    • Select up to 5 schedules, typically of different frequencies.

    • Select Create.

  4. Replication: Set the following options:

    • Replication target: Select the destination working environment and SVM. Optionally, select the destination aggregate or aggregates and prefix or suffix that will be added to the replicated volume name.

    • Replication policy: Choose an existing replication policy or create a new one.

      Tip To create a custom policy before you activate the replication, refer to Create a policy.

      To create a policy, select Create new policy and do the following:

      • Enter the name of the policy.

      • Select up to 5 schedules, typically of different frequencies.

      • Select Create.

  5. Back up to Object: If you selected Backup, set the following options:

    • Provider: Select Google Cloud.

    • Provider settings: Enter the provider details and region where the backups will be stored.

      Either create a new bucket or select one that you've already created.

      Tip If you want to tier older backup files to Google Cloud Archive storage for further cost optimization, ensure that the bucket has the appropriate Lifecycle rule.

      Enter the Google Cloud access key and secret key.

    • Encryption key: If you created a new Google Cloud storage account, enter encryption key information given to you from the provider. Choose whether you'll use the default Google Cloud encryption keys, or choose your own customer-managed keys from your Google Cloud account, to manage encryption of your data.

      Note If you chose an existing Google Cloud storage account, encryption information is already available, so you don't need to enter it now.

      If you choose to use your own customer-managed keys, enter the key ring and key name. Learn more about customer-managed encryption keys.

    • Networking: Choose the IPspace.

      The IPspace in the ONTAP cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.

    • Backup policy: Select an existing Backup to object storage policy or create a new one.

      Tip To create a custom policy before activating the backup, refer to Create a policy.

      To create a policy, select Create new policy and do the following:

      • Enter the name of the policy.

      • Select up to 5 schedules, typically of different frequencies.

      • Select Create.

    • Export existing Snapshot copies to object storage as backup copies: If there are any local Snapshot copies for volumes in this working environment that match the backup schedule label you just selected for this working environment (for example, daily, weekly, etc.), this additional prompt is displayed. Check this box to have all historic Snapshots copied to object storage as backup files to ensure the most complete protection for your volumes.

  6. Select Next.

Review your selections

This is the chance to review your selections and make adjustments, if necessary.

Steps
  1. In the Review page, review your selections.

  2. Optionally check the box to Automatically synchronize the Snapshot policy labels with the replication and backup policy labels. This creates Snapshots with a label that matches the labels in the replication and backup policies.

  3. Select Activate Backup.

Result

BlueXP backup and recovery starts taking the initial backups of your volumes. The baseline transfer of the replicated volume and the backup file includes a full copy of the primary storage system data. Subsequent transfers contain differential copies of the primary storage system data contained in Snapshot copies.

A replicated volume is created in the destination cluster that will be synchronized with the source volume.

A Google Cloud Storage bucket is created automatically in the service account indicated by the Google access key and secret key you entered, and the backup files are stored there. The Volume Backup Dashboard is displayed so you can monitor the state of the backups.

You can also monitor the status of backup and restore jobs using the Job Monitoring panel.

Show the API commands

You might want to display and optionally copy the API commands used in the Activate backup and recovery wizard. You might want to do this to automate backup activation in future working environments.

Steps
  1. From the Activate backup and recovery wizard, select View API request.

  2. To copy the commands to the clipboard, select the Copy icon.

What's next?