Skip to main content
BlueXP backup and recovery
All cloud providers
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • All cloud providers

Back up Cloud Volumes ONTAP data to Azure Blob storage

Contributors amgrissino netapp-tonacki netapp-bcammett

Complete a few steps to get started backing up volume data from your Cloud Volumes ONTAP systems to Azure Blob storage.

Quick start

Get started quickly by following these steps or scroll down to the remaining sections for full details.

One Verify support for your configuration
  • You're running Cloud Volumes ONTAP 9.8 or later in Azure (ONTAP 9.8P13 and later is recommended).

  • You have a valid cloud provider subscription for the storage space where your backups will be located.

  • You have subscribed to the BlueXP Marketplace Backup offering, or you have purchased and activated a BlueXP backup and recovery BYOL license from NetApp.

Two Prepare your BlueXP Connector

If you already have a Connector deployed in an Azure region, then you're all set. If not, then you'll need to install a BlueXP Connector in Azure to back up Cloud Volumes ONTAP data to Azure Blob storage. The Connector can be installed in a site with full internet access ("standard mode") or with limited internet connectivity ("restricted mode").

Three Verify license requirements

You'll need to check license requirements for both Azure and BlueXP.

Four Verify ONTAP networking requirements for replicating volumes

Ensure that the source and destination systems meet ONTAP version and networking requirements.

Five Enable BlueXP backup and recovery

Select the working environment and click Enable > Backup Volumes next to the Backup and recovery service in the right-panel.

Six Activate backups on your ONTAP volumes

Follow the setup wizard to select the replication and backup policies that you'll use and the volumes you want to back up.

Verify support for your configuration

Read the following requirements to make sure that you have a supported configuration before you start backing up volumes to Azure Blob storage.

The following image shows each component and the connections that you need to prepare between them.

Optionally, you can connect to a secondary ONTAP system for replicated volumes using the public or private connection as well.

A diagram showing how BlueXP backup and recovery communicates with the volumes on the source systems and the destination storage where the backup files are located.

Supported ONTAP versions

Minimum of ONTAP 9.8; ONTAP 9.8P13 and later is recommended.

Supported Azure regions

BlueXP backup and recovery is supported in all Azure regions where Cloud Volumes ONTAP is supported; including Azure Government regions.

By default, BlueXP backup and recovery provisions the Blob container with Local redundancy (LRS) for cost optimization. You can change this setting to Zone redundancy (ZRS) after BlueXP backup and recovery has been activated if you want to make sure your data is replicated between different zones. See the Microsoft instructions for changing how your storage account is replicated.

Required setup for creating backups in a different Azure subscription

By default, backups are created using the same subscription as the one used for your Cloud Volumes ONTAP system. If you want to use a different Azure subscription for your backups, you must log in to the Azure portal and link the two subscriptions.

Verify license requirements

For BlueXP backup and recovery PAYGO licensing, a subscription through the Azure Marketplace is required before you enable BlueXP backup and recovery. Billing for BlueXP backup and recovery is done through this subscription. You can subscribe from the Details & Credentials page of the working environment wizard.

For BlueXP backup and recovery BYOL licensing, you need the serial number from NetApp that enables you to use the service for the duration and capacity of the license. Learn how to manage your BYOL licenses. You must use a BYOL license when the Connector and Cloud Volumes ONTAP system are deployed in a dark site ("private mode").

And you need to have a Microsoft Azure subscription for the storage space where your backups will be located.

Prepare your BlueXP Connector

The Connector can be installed in an Azure region with full or limited internet access ("standard" or "restricted" mode). See BlueXP deployment modes for details.

Verify or add permissions to the Connector

To use the BlueXP backup and recovery Search & Restore functionality, you need to have specific permissions in the role for the Connector so that it can access the Azure Synapse Workspace and Data Lake Storage Account. See the permissions below, and follow the steps if you need to modify the policy.

Before you start
  • You must register the Azure Synapse Analytics Resource Provider (called "Microsoft.Synapse") with your Subscription. See how to register this resource provider for your subscription. You must be the Subscription Owner or Contributor to register the resource provider.

  • Port 1433 must be open for communication between the Connector and the Azure Synapse SQL services.

Steps
  1. Identify the role assigned to the Connector virtual machine:

    1. In the Azure portal, open the virtual machines service.

    2. Select the Connector virtual machine.

    3. Under Settings, select Identity.

    4. Select Azure role assignments.

    5. Make note of the custom role assigned to the Connector virtual machine.

  2. Update the custom role:

    1. In the Azure portal, open your Azure subscription.

    2. Select Access control (IAM) > Roles.

    3. Select the ellipsis (…​) for the custom role and then select Edit.

    4. Select JSON and add the following permissions:

      Details
      "Microsoft.Storage/storageAccounts/listkeys/action",
      "Microsoft.Storage/storageAccounts/read",
      "Microsoft.Storage/storageAccounts/write",
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/listAccountSas/action",
      "Microsoft.KeyVault/vaults/read",
      "Microsoft.KeyVault/vaults/accessPolicies/write",
      "Microsoft.Network/networkInterfaces/read",
      "Microsoft.Resources/subscriptions/locations/read",
      "Microsoft.Network/virtualNetworks/read",
      "Microsoft.Network/virtualNetworks/subnets/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
      "Microsoft.Resources/subscriptions/resourceGroups/write",
      "Microsoft.Authorization/locks/*",
      "Microsoft.Network/privateEndpoints/write",
      "Microsoft.Network/privateEndpoints/read",
      "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
      "Microsoft.Network/virtualNetworks/join/action",
      "Microsoft.Network/privateDnsZones/A/write",
      "Microsoft.Network/privateDnsZones/read",
      "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
      "Microsoft.Network/networkInterfaces/delete",
      "Microsoft.Network/networkSecurityGroups/delete",
      "Microsoft.Resources/deployments/delete",
      "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
      "Microsoft.Synapse/workspaces/write",
      "Microsoft.Synapse/workspaces/read",
      "Microsoft.Synapse/workspaces/delete",
      "Microsoft.Synapse/register/action",
      "Microsoft.Synapse/checkNameAvailability/action",
      "Microsoft.Synapse/workspaces/operationStatuses/read",
      "Microsoft.Synapse/workspaces/firewallRules/read",
      "Microsoft.Synapse/workspaces/replaceAllIpFirewallRules/action",
      "Microsoft.Synapse/workspaces/operationResults/read",
      "Microsoft.Synapse/workspaces/privateEndpointConnectionsApproval/action"
    5. Click Review + update and then click Update.

Required information for using customer-managed keys for data encryption

You can use your own customer-managed keys for data encryption in the activation wizard instead of using the default Microsoft-managed encryption keys. In this case, you will need to have the Azure Subscription, Key Vault name, and the Key. See how to use your own keys.

BlueXP backup and recovery supports Azure access policies as the permission model. The Azure role-based access control (Azure RBAC) permission model is not currently supported.

Create your Azure Blob storage account

By default, the service creates storage accounts for you. If you want to use your own storage accounts, you can create them before you start the backup activation wizard and then select those storage accounts in the wizard.

Verify ONTAP networking requirements for replicating volumes

If you plan to create replicated volumes on a secondary ONTAP system using BlueXP backup and recovery, ensure that the source and destination systems meet following networking requirements.

On-premises ONTAP networking requirements

  • If the cluster is in your premises, you should have a connection from your corporate network to your virtual network in the cloud provider. This is typically a VPN connection.

  • ONTAP clusters must meet additional subnet, port, firewall, and cluster requirements.

    Because you can replicate to Cloud Volumes ONTAP or an on-premises systems, review peering requirements for on-premises ONTAP systems. View prerequisites for cluster peering in the ONTAP documentation.

Cloud Volumes ONTAP networking requirements

  • The instance's security group must include the required inbound and outbound rules: specifically, rules for ICMP and ports 11104 and 11105. These rules are included in the predefined security group.

  • To replicate data between two Cloud Volumes ONTAP systems in different subnets, the subnets must be routed together (this is the default setting).

Enable BlueXP backup and recovery on Cloud Volumes ONTAP

Enabling BluXP backup and recovery is easy. The steps differ slightly depending on whether you have an existing Cloud Volumes ONTAP system or a new one.

Enable BlueXP backup and recovery on a new system

BlueXP backup and recovery is enabled by default in the working environment wizard. Be sure to keep the option enabled.

See Launching Cloud Volumes ONTAP in Azure for requirements and details for creating your Cloud Volumes ONTAP system.

Note If you want to pick the name of the resource group, disable BlueXP backup and recovery when deploying Cloud Volumes ONTAP. Follow the steps for enabling BlueXP backup and recovery on an existing system to enable BlueXP backup and recovery and choose the resource group.
Steps
  1. From the BlueXP Canvas, select Add Working Environment, choose the cloud provider, and select Add New. Select Create Cloud Volumes ONTAP.

  2. Select Microsoft Azure as the cloud provider and then choose a single node or HA system.

  3. In the Define Azure Credentials page, enter the credentials name, client ID, client secret, and directory ID, and click Continue.

  4. Fill out the Details & Credentials page and be sure that an Azure Marketplace subscription is in place, and click Continue.

  5. On the Services page, leave the service enabled and click Continue.

    Shows the BlueXP backup and recovery option in the working environment wizard.

  6. Complete the pages in the wizard to deploy the system.

Result

BlueXP backup and recovery is enabled on the system. After you've created volumes on these Cloud Volumes ONTAP systems, launch BlueXP backup and recovery and activate backup on each volume that you want to protect.

Enable BlueXP backup and recovery on an existing system

Enable BlueXP backup and recovery at any time directly from the working environment.

Steps
  1. From the BlueXP Canvas, select the working environment and select Enable next to the Backup and recovery service in the right-panel.

    If the Azure Blob destination for your backups exists as a working environment on the Canvas, you can drag the cluster onto the Azure Blob working environment to initiate the setup wizard.

    A screenshot that shows the BlueXP backup and recovery Enable button which is available after you select a working environment.

  2. Complete the pages in the wizard to deploy BlueXP backup and recovery.

  3. When you want to initiate backups, continue with Activate backups on your ONTAP volumes.

Activate backups on your ONTAP volumes

Activate backups at any time directly from your on-premises working environment.

A wizard takes you through the following major steps:

You can also Show the API commands at the review step, so you can copy the code to automate backup activation for future working environments.

Start the wizard

Steps
  1. Access the Activate backup and recovery wizard using one of the following ways:

    • From the BlueXP canvas, select the working environment and select Enable > Backup Volumes next to the Backup and recovery service in the right-panel.

      A screenshot that shows the Backup and recovery Enable button that is available after you select a working environment.

      If the Azure destination for your backups exists as a working environment on the Canvas, you can drag the ONTAP cluster onto the Azure Blob object storage.

    • Select Volumes in the Backup and recovery bar. From the Volumes tab, select the Actions Actions icon icon and select Activate Backup for a single volume (that does not already have replication or backup to object storage already enabled).

    The Introduction page of the wizard shows the protection options including local Snapshots, replication, and backups. If you did the second option in this step, the Define Backup Strategy page appears with one volume selected.

  2. Continue with the following options:

    • If you already have a BlueXP Connector, you're all set. Just select Next.

    • If you don't already have a BlueXP Connector, the Add a Connector option appears. Refer to Prepare your BlueXP Connector.

Select the volumes that you want to back up

Choose the volumes you want to protect. A protected volume is one that has one or more of the following: Snapshot policy, replication policy, backup-to-object policy.

You can choose to protect FlexVol or FlexGroup volumes; however, you cannot select a mix of these volumes when activating backup for a working environment. See how to activate backup for additional volumes in the working environment (FlexVol or FlexGroup) after you have configured backup for the initial volumes.

Note
  • You can activate a backup only on a single FlexGroup volume at a time.

  • The volumes you select must have the same SnapLock setting. All volumes must have SnapLock Enterprise enabled or have SnapLock disabled. (Volumes with SnapLock Compliance mode require ONTAP 9.14 or later.)

Steps

Note that if the volumes you choose already have Snapshot or replication policies applied, then the policies you select later will overwrite these existing policies.

  1. In the Select Volumes page, select the volume or volumes you want to protect.

    • Optionally, filter the rows to show only volumes with certain volume types, styles, and more to make the selection easier.

    • After you select the first volume, then you can select all FlexVol volumes. (FlexGroup volumes can be selected one at a time only.) To back up all existing FlexVol volumes, check one volume first and then check the box in the title row. (button backup all volumes).

    • To back up individual volumes, check the box for each volume (button backup 1 volume).

  2. Select Next.

Define the backup strategy

Defining the backup strategy involves setting the following options:

  • Whether you want one or all of the backup options: local Snapshots, replication, and backup to object storage

  • Architecture

  • Local Snapshot policy

  • Replication target and policy

    Note If the volumes you choose have different Snapshot and replication policies than the policies you select in this step, the existing policies will be overwritten.
  • Backup to object storage information (provider, encryption, networking, backup policy, and export options).

Steps
  1. In the Define backup strategy page, choose one or all of the following. All three are selected by default:

    • Local Snapshots: If you are performing replication or back up to object storage, local Snapshots must be created.

    • Replication: Creates replicated volumes on another ONTAP storage system.

    • Backup: Backs up volumes to object storage.

  2. Architecture: If you chose replication and backup, choose one of the following flows of information:

    • Cascading: Information flows from the primary storage system to the secondary, and from secondary to object storage.

    • Fan out: Information flows from the primary storage system to the secondary and from the primary to object storage.

      For details about these architectures, refer to Plan your protection journey.

  3. Local Snapshot: Choose an existing Snapshot policy or create one.

    Tip To create a custom policy before activating the Snapshot, refer to Create a policy.

    To create a policy, select Create new policy and do the following:

    • Enter the name of the policy.

    • Select up to 5 schedules, typically of different frequencies.

    • Select Create.

  4. Replication: Set the following options:

    • Replication target: Select the destination working environment and SVM. Optionally, select the destination aggregate or aggregates and prefix or suffix that will be added to the replicated volume name.

    • Replication policy: Choose an existing replication policy or create one.

      Tip To create a custom policy before activating the replication, refer to Create a policy.

      To create a policy, select Create new policy and do the following:

      • Enter the name of the policy.

      • Select up to 5 schedules, typically of different frequencies.

      • Select Create.

  5. Back up to Object: If you selected Backup, set the following options:

    • Provider: Select Microsoft Azure.

    • Provider settings: Enter the provider details.

      Enter the region where the backups will be stored. This can be a different region than where the Cloud Volumes ONTAP system resides.

      Either create a new storage account or select an existing one.

      Enter the Azure subscription used to store the backups. This can be a different subscription than where the Cloud Volumes ONTAP system resides. If you want to use a different Azure subscription for your backups, you must log in to the Azure portal and link the two subscriptions.

      Either create your own resource group that manages the Blob container or select the resource group type and group.

      Tip If you want to protect your backup files from being modified or deleted, ensure that the storage account was created with immutable storage enabled using a 30-day retention period.
      Tip If you want to tier older backup files to Azure Archive Storage for further cost optimization, ensure that the storage account has the appropriate Lifecycle rule.
    • Encryption key: If you created a new Azure storage account, enter encryption key information given to you from the provider. Choose whether you'll use the default Azure encryption keys, or choose your own customer-managed keys from your Azure account, to manage encryption of your data.

      If you choose to use your own customer-managed keys, enter the key vault and key information. Learn how to use your own keys.

    Note If you chose an existing Microsoft storage account, encryption information is already available, so you don't need to enter it now.
    • Networking: Choose the IPspace, and whether you'll be using a Private Endpoint. Private Endpoint is disabled by default.

      1. The IPspace in the ONTAP cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.

      2. Optionally, choose whether you'll use an Azure private endpoint that you have previously configured. Learn about using an Azure private endpoint.

    • Backup policy: Select an existing backup-to-object storage policy.

      Tip To create a custom policy before activating the backup, refer to Create a policy.

      To create a policy, select Create new policy and do the following:

      • Enter the name of the policy.

      • Select up to 5 schedules, typically of different frequencies.

      • Select Create.

    • Export existing Snapshot copies to object storage as backup copies: If there are any local Snapshot copies for volumes in this working environment that match the backup schedule label you just selected for this working environment (for example, daily, weekly, etc.), this additional prompt is displayed. Check this box to have all historic Snapshots copied to object storage as backup files to ensure the most complete protection for your volumes.

  6. Select Next.

Review your selections

This is the chance to review your selections and make adjustments, if necessary.

Steps
  1. In the Review page, review your selections.

  2. Optionally check the box to Automatically synchronize the Snapshot policy labels with the replication and backup policy labels. This creates Snapshots with a label that matches the labels in the replication and backup policies.

  3. Select Activate Backup.

Result

BlueXP backup and recovery starts taking the initial backups of your volumes. The baseline transfer of the replicated volume and the backup file includes a full copy of the primary storage system data. Subsequent transfers contain differential copies of the primary storage data contained in Snapshot copies.

A replicated volume is created in the destination cluster that will be synchronized with the primary volume.

A Blob storage container is created in the resource group you entered, and the backup files are stored there.

By default, BlueXP backup and recovery provisions the Blob container with Local redundancy (LRS) for cost optimization. You can change this setting to Zone redundancy (ZRS) if you want to make sure your data is replicated between different zones. See the Microsoft instructions for changing how your storage account is replicated.

The Volume Backup Dashboard is displayed so you can monitor the state of the backups.

You can also monitor the status of backup and restore jobs using the Job Monitoring panel.

Show the API commands

You might want to display and optionally copy the API commands used in the Activate backup and recovery wizard. You might want to do this to automate backup activation in future working environments.

Steps
  1. From the Activate backup and recovery wizard, select View API request.

  2. To copy the commands to the clipboard, select the Copy icon.

What's next?