Back up Azure Kubernetes Service by using Azure Backup
This article describes how to configure and back up Azure Kubernetes Service (AKS).
You can use Azure Backup to back up AKS clusters (cluster resources and persistent volumes attached to the cluster) by using the Backup extension, which must be installed in the cluster. The Backup vault communicates with the cluster via the Backup extension to perform backup and restore operations.
Note
Vaulted backup and Cross Region Restore for AKS using Azure Backup are currently in preview.
Before you start
Currently, AKS backup supports only Azure Disk Storage-based persistent volumes (enabled by CSI driver). The backups are stored in an operational datastore only (backup data is stored in your tenant and isn't moved to a vault). The Backup vault and AKS cluster must be in the same region.
AKS backup uses a blob container and a resource group to store the backups. The blob container holds the AKS cluster resources. Persistent volume snapshots are stored in the resource group. The AKS cluster and the storage locations must be in the same region. Learn how to create a blob container.
Currently, AKS backup supports once-a-day backup. It also supports more frequent backups (in 4-hour, 8-hour, and 12-hour intervals) per day. This solution allows you to retain your data for restore for up to 360 days. Learn how to create a backup policy.
You must install the Backup extension to configure backup and restore operations for an AKS cluster. Learn more about the Backup extension.
Ensure that Microsoft.KubernetesConfiguration, Microsoft.DataProtection, and Microsoft.ContainerService are registered for your subscription before you initiate backup configuration and restore operations.
Ensure that you perform all the prerequisites before you initiate a backup or restore operation for AKS backup.
For more information on supported scenarios, limitations, and availability, see the support matrix.
Create a Backup vault
A Backup vault is a management entity that stores recovery points created over time. A Backup vault also provides an interface to do the backup operations. Operations include taking on-demand backups, doing restores, and creating backup policies. AKS backup requires the Backup vault and the AKS cluster to be in the same region. Learn how to create a Backup vault.
Note
A Backup vault is a new resource that's used to back up newly supported datasources. A Backup vault is different from a Recovery Services vault.
If you want to use Azure Backup to protect your AKS clusters from any regional outage:
Set the Backup Storage Redundancy parameter as Globally-Redundant during vault creation. Once the redundancy for a vault is set, you can't disable it.
Set the Cross Region Restore parameter under Vault Properties as Enabled. Once this parameter is enabled, you can't disable it.
Create a Backup Instance using a Backup Policy with retention duration set for Vault-standard datastore. Every recovery point stored in this datastore will be in the secondary region.
Note
Vault-standard datastore is currently in preview.
Create a backup policy
Before you configure backups, you need to create a backup policy that defines the frequency of backups and the retention duration of backups.
You can also create a backup policy when you configure the backup.
To create a backup policy:
Go to Backup center and select Policy to create a new backup policy.
Alternatively, go to Backup center > Backup policies > Add.
For Datasource type, select Kubernetes Service and continue.
Enter a name for the backup policy (for example, Default Policy) and select the Backup vault (the new Backup vault you created) where the backup policy needs to be created.
On the Schedule + retention tab, define the frequency of backups and how long they need to be retained in Operational and Vault Tier (also called datastore).
Backup Frequency: Select the backup frequency (hourly or daily), and then choose the retention duration for the backups.
Retention Setting: A new backup policy has two retention rules.
You can also create additional retention rules to store backups for a longer duration that are taken daily or weekly.
Default: This rule defines the default retention duration for all the operational tier backups taken. You can only edit this rule and can’t delete it.
First successful backup taken every day: In addition to the default rule, every first successful backup of the day can be retained in the Operational datastore and Vault-standard store. You can edit and delete this rule (if you want to retain backups in Operational datastore).
You can also define similar rules for the First successful backup taken every week, month, and year.
Note
- In addition to first successful backup of the day, you can define the retention rules for first successful backup of the week, month, and year. In terms of priority, the order is year, month, week, and day.
- The Vault-standard datastore is currently in preview. If you don't want to use the feature, edit the retention rule and clear the checkbox next to the Vault-standard datastore.
- The backups stored in the Vault Tier can also be copied to the secondary region (Azure Paired region), which you can use to restore AKS clusters to a secondary region when the primary region is unavailable. To opt for this feature, use a Geo-redundant vault with Cross Region Restore enabled.
When the backup frequency and retention settings are configured, select Next.
On the Review + create tab, review the information, and then select Create.
Configure backups
You can use AKS backup to back up an entire cluster or specific cluster resources that are deployed in the cluster. You can also protect a cluster multiple times per the deployed application's schedule and retention requirements or security requirements.
Note
To set up multiple backup instances for the same AKS cluster:
- Configure backup in the same Backup vault but using a different backup policy.
- Configure backup in a different Backup vault.
To configure backups for AKS cluster:
In the Azure portal, go to the AKS cluster that you want to back up.
In the resource menu, select Backup, and then select Configure Backup.
To prepare the AKS cluster for backup or restore, select Install Extension to install the Backup extension in the cluster.
Provide a storage account and blob container as input.
Your AKS cluster backups are stored in this blob container. The storage account must be in the same region and subscription as the cluster.
Select Next.
Review the extension installation details, and then select Create.
The extension installation begins.
When the Backup extension is installed successfully, select Configure Backup to begin configuring backups for your AKS cluster.
You can also perform this action in Backup center.
Select the Backup vault.
The Backup vault should have Trusted Access enabled for the AKS cluster to be backed up. To enable Trusted Access, select Grant Permission. If it's already enabled, select Next.
Note
- If the AKS cluster doesn't have the Backup extension installed, you can perform the installation while configuring backup for the cluster.
Select the backup policy, which defines the schedule for backups and their retention period. Then select Next.
On the Datasources tab, select Add/Edit to define the backup instance configuration.
In the Select Resources to Backup pane, define the cluster resources that you want to back up.
Learn more about backup configurations.
For Snapshot resource group, select the resource group to use to store the persistent volume (Azure Disk Storage) snapshots. Then select Validate.
When validation is finished, if required roles aren't assigned to the vault in the snapshot resource group, an error appears.
To resolve the error, under Datasource name, select the datasource, and then select Assign missing roles.
When role assignment is finished, select Next.
Select Configure backup.
When the configuration is finished, select Next.
The backup instance is created when backup configuration is finished.
Backup configurations
Azure Backup for AKS allows you to define the application boundary within AKS cluster that you want to back up. You can use the filters that are available within backup configurations to choose the resources to back up and also to run custom hooks. The defined backup configuration is referenced by the value for Backup Instance Name. The below filters are available to define your application boundary:
For Select Namespaces to backup, you can either select All to back up all existing and future namespaces in the cluster, or select Choose from list to select specific namespaces for backup. The following namespaces are skipped from Backup Configuration and not configured for backups: kube-system, kube-node-lease, kube-public.
Expand Additional Resource Settings to see filters that you can use to choose cluster resources to back up. You can choose to back up resources based on the following categories:
- Labels: You can filter AKS resources by using labels that you assign to types of resources. Enter labels in the form of key/value pairs. Combine multiple labels by using AND logic. For example, if you enter the labels env=prod;tier!=web, the process selects resources that have a label with the env key and the prod value, and a label with the tier key for which the value isn't web.
- API groups: You can also include resources by providing the AKS API group and kind. For example, you can choose for backup AKS resources like Deployments. You can access the list of Kubernetes defined API Groups here.
- Other options: You can enable or disable backup for cluster-scoped resources, persistent volumes, and secrets. By default, cluster-scoped resources and persistent volumes are enabled.
Note
All these resource settings are combined and applied via AND logic.
Note
You should add the labels to every single YAML file that is deployed and to be backed up. This includes namespace-scoped resources like persistent volume claims, and cluster-scoped resources like persistent volumes.
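A pre-backup check for the label filter described above, written as an added example (not Azure Backup code): it lists the resources that a filter such as env=prod;tier!=web would leave out of the backup, which is how unlabeled persistent volumes go unprotected. The resource names are constructed, and the `missing_key_matches_neq` switch is an assumption covering the two possible readings of `!=` when the key is absent.

```python
# Added example: which resources would a label filter leave out of the backup?

def parse_filter(text):
    """Split 'k=v;k2!=v2' into (key, op, value) terms; all terms are ANDed."""
    terms = []
    for raw in filter(None, (t.strip() for t in text.split(";"))):
        op = "!=" if "!=" in raw else "="
        key, sep, value = raw.partition(op)
        if not sep or not key.strip():
            raise ValueError(f"bad label term: {raw!r}")
        terms.append((key.strip(), op, value.strip()))
    return terms

def selected(labels, terms, missing_key_matches_neq=False):
    """True when `labels` satisfies every term.

    Assumption: by default a '!=' term needs the key to be present, as the
    article's wording says. Native Kubernetes selectors also match when the
    key is absent; pass missing_key_matches_neq=True to model that reading.
    """
    for key, op, value in terms:
        if key not in labels:
            if op == "=" or not missing_key_matches_neq:
                return False
        elif (labels[key] == value) != (op == "="):
            return False
    return True

def unprotected(resources, text, **kw):
    """Return 'Kind/name' for every resource the filter does not select."""
    terms = parse_filter(text)
    return [f'{r["kind"]}/{r["name"]}' for r in resources
            if not selected(r.get("labels", {}), terms, **kw)]

# Constructed sample inventory (hypothetical names).
RESOURCES = [
    {"kind": "Deployment", "name": "orders", "labels": {"env": "prod", "tier": "api"}},
    {"kind": "PersistentVolumeClaim", "name": "orders-data",
     "labels": {"env": "prod", "tier": "api"}},
    {"kind": "PersistentVolume", "name": "pv-orders", "labels": {}},  # label forgotten
    {"kind": "Deployment", "name": "frontend", "labels": {"env": "prod", "tier": "web"}},
    {"kind": "ConfigMap", "name": "orders-cfg", "labels": {"env": "prod"}},
]

if __name__ == "__main__":
    for item in unprotected(RESOURCES, "env=prod;tier!=web"):
        print("not selected for backup:", item)
```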
Use hooks during AKS backup
This section describes how to use a backup hook to create an application-consistent snapshot of the AKS cluster with MySQL deployed (a persistent volume that contains the MySQL instance).
You can use custom hooks in AKS backup to accomplish application-consistent snapshots of volumes. The volumes are used for databases that are deployed as containerized workloads.
By using a backup hook, you can define the commands to freeze and unfreeze a MySQL pod so that an application snapshot of the volume can be taken. The Backup extension then orchestrates the steps of running the commands in the hooks and takes the volume snapshot.
An application-consistent snapshot of a volume with MySQL deployed is taken by doing the following actions:
- The pod running MySQL is frozen so that no new transaction is performed on the database.
- A snapshot is taken of the volume as backup.
- The pod running MySQL is unfrozen so that transactions can be done again on the database.
To enable a backup hook as part of the backup configuration flow to back up MySQL:
Write the custom resource for backup hook with commands to freeze and unfreeze a PostgreSQL pod.
You can also use the following sample YAML script postgresbackuphook.yaml, which has predefined commands:
apiVersion: clusterbackup.dataprotection.microsoft.com/v1alpha1
kind: BackupHook
metadata:
  # BackupHook CR Name and Namespace
  name: bkphookname0
  namespace: default
spec:
  # BackupHook Name. This is the name of the hook that will be executed during backup.
  # compulsory
  name: hook1
  # Namespaces where this hook will be executed.
  includedNamespaces:
  - hrweb
  excludedNamespaces:
  labelSelector:
  # PreHooks is a list of BackupResourceHooks to execute prior to backing up an item.
  preHooks:
    - exec:
        command:
        - /sbin/fsfreeze
        - --freeze
        - /var/lib/postgresql/data
        container: webcontainer
        onError: Continue
  # PostHooks is a list of BackupResourceHooks to execute after backing up an item.
  postHooks:
    - exec:
        container: webcontainer
        command:
          - /sbin/fsfreeze
          - --unfreeze
          # fsfreeze requires the mount point; use the same path as the pre-hook.
          - /var/lib/postgresql/data
        onError: Fail
        timeout: 10s
Before you configure a backup, you must deploy the backup hook custom resource in the AKS cluster.
To deploy the script, run the following command:
kubectl apply -f postgresbackuphook.yaml
When the deployment is finished, you can configure backup for the AKS cluster.
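A check to run on a hook definition before deploying it, as an added example (not part of the Backup extension): it verifies that every fsfreeze pre-hook has a matching unfreeze post-hook on the same container and mount point, so a volume isn't left frozen after the snapshot. The spec is passed as a dictionary with the same fields as the BackupHook sample; the container name and mount path are constructed, and the reading of onError: Continue is an assumption.

```python
# Added example: lint a BackupHook spec (as a dict) for freeze/unfreeze mistakes.
FSFREEZE = "/sbin/fsfreeze"

def fsfreeze_calls(hooks, flag):
    """Return (container, mount point or None, onError) for each fsfreeze `flag` hook."""
    calls = []
    for hook in hooks or []:
        ex = hook.get("exec", {})
        cmd = ex.get("command", [])
        if cmd[:2] == [FSFREEZE, flag]:
            mount = cmd[2] if len(cmd) > 2 else None
            calls.append((ex.get("container"), mount, ex.get("onError")))
    return calls

def lint_backup_hook(spec):
    """Return a list of findings; an empty list means freeze and unfreeze pair up."""
    frozen = fsfreeze_calls(spec.get("preHooks"), "--freeze")
    thawed = fsfreeze_calls(spec.get("postHooks"), "--unfreeze")
    findings = []
    for container, mount, _ in frozen + thawed:
        if mount is None:  # fsfreeze requires a mount point argument
            findings.append(f"{container}: fsfreeze call has no mount point")
    thawed_pairs = {(c, m) for c, m, _ in thawed}
    for container, mount, on_error in frozen:
        if mount and (container, mount) not in thawed_pairs:
            findings.append(f"{container}: {mount} is frozen but never unfrozen")
        # Assumption: onError Continue lets the backup proceed after a failed hook,
        # so the snapshot would be taken without the freeze.
        if on_error == "Continue":
            findings.append(f"{container}: failed freeze is ignored (onError: Continue)")
    return findings

# Constructed specs; container name and mount path are hypothetical.
BAD_SPEC = {
    "preHooks": [{"exec": {"container": "db", "onError": "Continue",
                           "command": [FSFREEZE, "--freeze", "/var/lib/mysql"]}}],
    "postHooks": [{"exec": {"container": "db", "onError": "Fail", "timeout": "10s",
                            "command": [FSFREEZE, "--unfreeze"]}}],
}
GOOD_SPEC = {
    "preHooks": [{"exec": {"container": "db", "onError": "Fail",
                           "command": [FSFREEZE, "--freeze", "/var/lib/mysql"]}}],
    "postHooks": [{"exec": {"container": "db", "onError": "Fail", "timeout": "10s",
                            "command": [FSFREEZE, "--unfreeze", "/var/lib/mysql"]}}],
}

if __name__ == "__main__":
    for name, spec in (("bad", BAD_SPEC), ("good", GOOD_SPEC)):
        print(name, lint_backup_hook(spec))
```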