Back up Azure Kubernetes Service using Azure Backup (preview)

This article describes how to configure and back up Azure Kubernetes Service (AKS).

Azure Backup now allows you to back up AKS clusters (cluster resources and persistent volumes attached to the cluster) using a backup extension, which must be installed in the cluster. Backup vault communicates with the cluster via this Backup Extension to perform backup and restore operations.

Before you start

  • Currently, AKS backup supports Azure Disk-based persistent volumes (enabled by CSI driver) only. The backups are stored in operational datastore only (backup data is stored in your tenant only and isn't moved to a vault). The Backup vault and AKS cluster should be in the same region.

  • AKS backup uses a blob container and a resource group to store the backups. The blob container has the AKS cluster resources stored in it, whereas the persistent volume snapshots are stored in the resource group. The AKS cluster and the storage locations must reside in the same region. Learn how to create a blob container.

  • Currently, AKS backup supports once-a-day backup. It also supports more frequent backups (in every 4, 8, and 12 hours intervals) per day. This solution allows you to retain your data for restore for up to 360 days. Learn to create a backup policy.

  • You must install the Backup Extension to configure backup and restore operations on an AKS cluster. Learn more about Backup Extension.

  • Ensure that Microsoft.KubernetesConfiguration, Microsoft.DataProtection, and the TrustedAccessPreview feature flag on Microsoft.ContainerService are registered for your subscription before initiating the backup configuration and restore operations.

  • Ensure to perform all the prerequisites before initiating backup or restore operation for AKS backup.

For more information on the supported scenarios, limitations, and availability, see the support matrix.

Create a Backup vault

A Backup vault is a management entity that stores recovery points created over time and provides an interface to perform backup operations. These include taking on-demand backups, performing restores, and creating backup policies. Though operational backup of AKS cluster is a local backup and doesn't store data in the vault, the vault is required for various management operations. AKS backup requires the Backup vault and the AKS cluster to be in the same region.


The Backup vault is a new resource used for backing up newly supported workloads and is different from the already existing Recovery Services vault.

Learn how to create a Backup vault.

Create a backup policy

Before you configure backups, you need to create a backup policy that defines the frequency of backup and retention duration of backups before getting deleted. You can also create a backup policy during the backup configuration.

To create a backup policy, follow these steps:

  1. Go to Backup center and select + Policy to create a new backup policy.

    Screenshot shows how to start creating a backup policy.

    Alternatively, go to Backup center > Backup policies > Add.

  2. Select Datasource type as Kubernetes Service and continue.

    Screenshot shows the selection of datasource type.

  3. Enter a name for the backup policy (for example, Default Policy) and select the Backup vault (the new Backup vault you created) where the backup policy needs to be created.

    Screenshot shows providing the backup policy name.

  4. On the Schedule + retention tab, select the backup frequency – (Hourly or Daily), and then choose the retention duration for the backups.

    Screenshot shows selection of backup frequency.

    You can edit the retention duration with default retention rule. You can't delete the default retention rule.

    Screenshot shows selection of retention period.

    You can also create additional retention rules to store backups taken daily or weekly to be stored for a longer duration.

  5. Once the backup frequency and retention settings configurations are complete, select Next.

    Screenshot shows the completion of backup policy creation.

  6. On the Review + create tab, review the information, and then select Create.

Configure backups

AKS backup allows you to back up an entire cluster or specific cluster resources deployed in the cluster, as required. You can also protect a cluster multiple times as per the deployed applications schedule and retention requirements or security requirements.


You can set up multiple backup instances for the same AKS cluster by:

  • Configuring backup in the same Backup vault with a different backup policy.
  • Configuring backup in a different Backup vault.

To configure backups for AKS cluster, follow these steps:

  1. In the Azure portal, go to the AKS Cluster you want to back up, and then under Settings, select the Backup tab.

    Screenshot shows viewing AKS cluster for backup.

  2. To prepare AKS cluster for backup or restore, you need to install backup extension in the cluster by selecting Install Extension.

  3. Provide a storage account and blob container as input.

    Your AKS cluster backups will be stored in this blob container. The storage account needs to be in the same region and subscription as the cluster.

    Select Next.

    Screenshot shows how to add storage and blob details for backup.

  4. Review the extension installation details provided, and then select Create.

    The deployment begins to install the extension.

    Screenshot shows how to review and install the backup extension.

  5. Once the backup extension is installed successfully, start configuring backups for your AKS cluster by selecting Configure Backup.

    You can also perform this action from the Backup center.

    Screenshot shows the selection of Configure Backup.

  6. Now, select the Backup vault to configure backup.

    Screenshot shows how to choose a vault.

    The Backup vault should have Trusted Access enabled for the AKS cluster to be backed up. You can enable Trusted Access by selecting Grant Permission. If it's already enabled, select Next.

    Screenshot shows how to proceed to the next step after granting permission.


    • Before you enable Trusted Access, enable the TrustedAccessPreview feature flag for the Microsoft.ContainerServices resource provider on the subscription.
    • If the AKS cluster doesn't have the backup extension installed, you can perform the installation step that configures backup.
  7. Select the backup policy, which defines the schedule for backups and their retention period. Then select Next.

    Screenshot shows how to choose a backup policy.

  8. Select Add/Edit to define the Backup Instance Configuration.

    Screenshot shows how to define the Backup Instance Configuration.

  9. In the context pane, define the cluster resources you want to back up.

    Learn more about backup configurations.

    Screenshot shows how to define the cluster resources for backup.

  10. Select Snapshot Resource Group where Persistent volumes (Azure Disk) Snapshots will be stored. Then select Validate.

    Screenshot shows how to validate the Snapshot Resource Group.

    After validation is complete, if appropriate roles aren't assigned to the vault on Snapshot resource group, an error appears. See the following screenshot to check the error.

    Screenshot shows validation error when appropriate permissions aren't assigned.

  11. To resolve the error, select the checkbox next to the Datasource, and then select Assign missing roles.

    Screenshot shows how to start assigning roles.

    The following screenshot shows the list of roles you can select.

    Screenshot shows how to select missing roles.

  12. Once the role assignment is complete, select Next and proceed for backup.

    Screenshot shows how to proceed for backup.

  13. Select Configure backup.

    Screenshot shows how to finish backup configuration.

    Once the configuration is complete, the Backup Instance will be created.

    Screenshot shows the list of created backup instances.

    Screenshot shows the backup instance details.

Backup configurations

As a part of AKS backup capability, you can back up all or specific cluster resources by using the filters available for the backup configurations. The defined backup configurations are referenced by the Backup Instance Name. You can use the following options to choose the Namespaces for backup:

  • All (including future Namespaces): This backs up all the current and future Namespaces with the underlying cluster resources.

  • Choose from list: Select the specific Namespaces in the AKS cluster to be backed up.

    If you want to check specific cluster resources, you can use labels attached to them in the textbox. Only the resources with entered labels are backed up. You can use multiple labels. You can also back up cluster scoped resources, secrets, and persistent volumes, and select the specific checkboxes under Other Options.


    You should add the labels to every single Yaml file that is deployed and to be backed up. This includes both Namespace scoped resources such as Persistent Volume Claims, and Cluster scoped resources such as Persistent Volumes.

    If you also want to back up cluster scoped resources, secrets, and Persistent Volumes, select the specific checkboxes under Other Options.

Screenshot shows various backup configurations.

Next steps