The newly created vault has storage settings set as Globally Redundant, thus backups stored in vault tier will be available in the Azure paired region. Once the vault creation is complete, create a backup policy to protect AKS clusters.
Create a backup policy
Retrieve the policy template using the command Get-AzDataProtectionPolicyTemplate.
The policy template consists of a trigger criteria (which decides the factors to trigger the backup job) and a lifecycle (which decides when to delete, copy, or move the backups). In AKS backup, the default value for trigger is a scheduled hourly trigger is every 4 hours (PT4H) and retention of each backup is seven days. For vaulted backups add retention for vault datastore.
Once the vault and policy creation are complete, you need to perform the following prerequisites to get the AKS cluster ready for backup:
Create a storage account and blob container.
Backup for AKS stores Kubernetes resources in a blob container as backups. To get the AKS cluster ready for backup, you need to install an extension in the cluster. This extension requires the storage account and blob container as inputs.
To create a new storage account and a blob container, see these steps.
Install Backup Extension.
Backup Extension is mandatory to be installed in the AKS cluster to perform any backup and restore operations. The Backup Extension creates a namespace dataprotection-microsoft in the cluster and uses the same to deploy its resources. The extension requires the storage account and blob container as inputs for installation. Learn about the extension installation commands.
As part of extension installation, a user identity is created in the AKS cluster's Node Pool Resource Group. For the extension to access the storage account, you need to provide this identity the Storage Account Contributor role. To assign the required role, run these command
Enable Trusted Access
For the Backup vault to connect with the AKS cluster, you must enable Trusted Access as it allows the Backup vault to have a direct line of sight to the AKS cluster. Learn how to enable Trusted Access.
Note
For Backup Extension installation and Trusted Access enablement, the commands are available in Azure CLI only.
Configure backups
With the created Backup vault and backup policy, and the AKS cluster in ready-to-be-backed-up state, you can now start to back up your AKS cluster.
Key entities
AKS cluster to be protected
Fetch the Azure Resource Manager ID of the AKS cluster to be protected. This serves as the identifier of the cluster. In this example, let's use an AKS cluster named PSTestAKSCluster, under a resource group aksrg, in a different subscription:
The persistent volume snapshots are stored in a resource group in your subscription. We recommend you to create a dedicated resource group as a snapshot datastore to be used by the Azure Backup service.
The configuration of backup is performed in two steps:
The configuration of backup is performed in two steps:
Prepare backup configuration to define which cluster resources are to be backed up using the New-AzDataProtectionBackupConfigurationClientObject cmdlet. In this example, we're going to use the default configuration and perform a full cluster backup.
Prepare the relevant request using the relevant vault, policy, AKS cluster, backup configuration, and snapshot resource group using the Initialize-AzDataProtectionBackupInstance cmdlet.
Learn about Azure Backup before learning to implement Recovery Vaults and Azure Backup Policies. Learn to implement Windows IaaS VM recovery, perform backup and restore of on-premises workloads, and manage Azure VM backups.
Administer an SQL Server database infrastructure for cloud, on-premises and hybrid relational databases using the Microsoft PaaS relational database offerings.