Tech ONTAP Blogs
The May ’23 release of the BlueXP Backup & Recovery Service adds support for customer-managed encryption keys (CMEK) from multiple Google Cloud projects, which enables users to encrypt buckets in one project with keys from a different project. Previously, a bucket could only be encrypted with a key that lived in the same project as the bucket.
To use cross-project encryption, the bucket and the key must be located in the same region: a bucket can be encrypted with a key stored in a different project only if that key is in the bucket's region. Additionally, the service account used to create the Connector must have the necessary permissions to access the keys in the other project, and it must be associated with every project from which you want to list keys. Make sure that the following set of permissions is available to the Connector's service account in the other project(s) where the keys reside.
The ability to encrypt buckets in one project with keys from a different project gives users more flexibility and control: keys can be managed centrally in one project while data is encrypted across several projects. It also tightens access control, because reading the encrypted backups requires IAM permission on the key itself, not just on the bucket.
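As an added example (not NetApp code, and not the Connector's own logic), the following Python script performs the two checks described above before a key is selected in the BlueXP UI: it parses the Cloud KMS key resource name, confirms that the key's location matches the bucket's location (Cloud Storage reports locations in upper case such as ASIA-NORTHEAST1 while Cloud KMS uses lower case, so the comparison is case-insensitive), reports whether the key really is in a different project, and prints the gcloud command that grants a principal a role on the key in the key's project. Project, key and service-account names are constructed, and the role roles/cloudkms.cryptoKeyEncrypterDecrypter is an assumption, since the post's permission list is not reproduced here. Independently of the Connector, the bucket project's Cloud Storage service agent also needs the Encrypter/Decrypter role on a CMEK key, otherwise writes to the bucket fail with a KMS permission error.

```python
"""Pre-checks for a cross-project CMEK key before enabling backup on a GCP working environment.

Added example, not NetApp code. Project, key and service-account names are
constructed; the role granted (KEY_ROLE) is an assumption.
"""
import re

# Cloud KMS key resource name: projects/P/locations/L/keyRings/R/cryptoKeys/K
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

# Assumption: the role the Connector's service account needs on the key.
KEY_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter"


def parse_kms_key(key_name: str) -> dict:
    """Split a Cloud KMS key resource name into project/location/ring/key."""
    m = KMS_KEY_RE.match(key_name)
    if not m:
        raise ValueError(f"not a Cloud KMS key resource name: {key_name}")
    return m.groupdict()


def cmek_problems(bucket_location: str, key_name: str) -> list:
    """Return the reasons the key cannot be used for the bucket (empty list if it can)."""
    try:
        key = parse_kms_key(key_name)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    # GCS reports locations upper-case ("ASIA-NORTHEAST1"), KMS lower-case.
    if key["location"].lower() != bucket_location.lower():
        problems.append(
            f"key is in {key['location']} but the bucket is in {bucket_location}; "
            "the bucket and key must be in the same region"
        )
    return problems


def is_cross_project(bucket_project: str, key_name: str) -> bool:
    """True when the key lives in a different project than the bucket."""
    return parse_kms_key(key_name)["project"] != bucket_project


def key_binding_command(key_name: str, member: str, role: str = KEY_ROLE) -> str:
    """gcloud command granting `member` (e.g. serviceAccount:...) `role` on the key.

    Note the binding is made against the key's project, not the bucket's project.
    """
    key = parse_kms_key(key_name)
    return (
        f"gcloud kms keys add-iam-policy-binding {key['key']} "
        f"--keyring {key['ring']} --location {key['location']} "
        f"--project {key['project']} --member {member} --role {role}"
    )


if __name__ == "__main__":
    # Constructed sample: bucket in backup-proj, key in kms-proj, same region.
    bucket_project, bucket_location = "backup-proj", "ASIA-NORTHEAST1"
    key = "projects/kms-proj/locations/asia-northeast1/keyRings/bluexp/cryptoKeys/backups"
    connector_sa = "serviceAccount:connector@backup-proj.iam.gserviceaccount.com"
    for p in cmek_problems(bucket_location, key):
        print("PROBLEM:", p)
    if is_cross_project(bucket_project, key):
        print(key_binding_command(key, connector_sa))
```

Run it with your own bucket location and key resource name; an empty problem list and a printed gcloud command mean the key satisfies the same-region rule and the binding can be applied in the key's project before backup activation.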
Up until now, directory and multi-level directory restore were supported only from snapshots stored in the cloud object store, taken from standard volumes. With the BlueXP Backup & Recovery May ’23 release, customers using ONTAP version 9.13.1 and above can now do both directory and multi-level directory restore from archive tiers, SnapLock volumes backups, and backups stored in DataLock enabled cloud object store.
Points to Note:-
1) This new feature applies to both new and existing customers running ONTAP 9.13.1 and above.
2) You can initiate a folder restore from a source that has ONTAP versions lower than 9.13.1. However, the restore destination ONTAP version should be 9.13.1 and above.
3) Currently, directory restores for FlexGroup volumes backups are not supported.
4) Both directory and multi-level directory restore work for SaaS, Gov Cloud, On-premise, and Dark-Site deployments.
5) Restoring multiple folders at a time is not supported. Only one folder is supported currently.
6) File-level restore and folder-level restore cannot be done at the same time; a restore job is either folder-level or file-level.
Are there any changes in the Folder Restore workflows?
There are no changes in the Folder Restore workflow when restoring from archive tiers, SnapLock volumes backups and backups stored in DataLock enabled cloud object store.
1. When you want to restore a folder from archive tiers, SnapLock volume backups or backups stored in a DataLock-enabled cloud object store, click the Restore tab and click Restore Files or Folder under Browse & Restore.
2. Select the source working environment, volume, and backup file in which the folder or file(s) reside.
3. BlueXP Backup & Recovery displays the folders and files that exist within the selected backup file.
4. Select the folder that you want to restore from that backup.
5. Select the destination location where you want the folder or file(s) to be restored (the working environment, volume, and folder), and click Restore.
6. The file(s) will be restored.
You can now also search for folders using the “Search and Restore” feature from backups stored on archive tiers, SnapLock volume backups, and backups stored in a DataLock-enabled cloud object store.
If you attempt to do a folder restore from archive tiers, SnapLock volumes backups, and backups stored in DataLock enabled cloud object store to a destination with ONTAP version below 9.13.1, an error will be thrown stating that the restore operation is not supported as shown below.
By default, BlueXP enables an Azure Private Link for connections between Cloud Volumes ONTAP and its associated storage accounts. However, for BlueXP Backup & Recovery service, there were no methods available to expose the Private DNS Zone subscription and resource group details. Therefore BlueXP Backup & Recovery was not able to configure VNet Link connections between endpoints in Azure.
With the May ’23 release of BlueXP Backup & Recovery, users have the option to provide the Private DNS Zone subscription and resource group details used for creating the VNet link.
Understanding Azure Private Endpoints
Private endpoints utilize a network interface that employs a private IP address from your virtual network to establish a secure, private connection with an Azure Private Link-powered service. Enabling a private endpoint incorporates the service into your virtual network. Various Azure services, including Storage Accounts, Azure Synapse, and Azure DBs for MySQL/MariaDB, support private endpoints.
To create a private endpoint and connect to an Azure service using a private IP, three primary components are required. The first is the Private Endpoint itself, a network interface connected to an Azure service that utilizes a private IP from the VNet where it was created. For instance, a private endpoint could be created in a VNet to attach a network interface using a private IP for an Azure Storage Account.
The second is a Private DNS Zone, which resolves a service name to an IP address. In the previous example, the private IP created for the Storage Account would be added to the Private DNS Zone as an A record.
The third is the VNet Link, which links a VNet to a Private DNS Zone so that VMs in that VNet resolve the Azure service name to the private IP via the A record. For example, adding a VNet link in the Private DNS Zone allows VMs in that VNet to connect to the Storage Account using its private IP.
How do I configure Private DNS Zone Settings
To configure the Private DNS Zone Settings, edit the “app.conf” file found at “/opt/application/netapp/cloudmanager/docker_occm/data” on the Connector and add the following JSON excerpt to the existing JSON content (the subscription value below is a placeholder; use your own subscription ID):-
"user-private-dns-zone-settings": {
    "use-existing": true,
    "resource-group": "jacoba_japaneast",
    "subscription": "d3fgtyub-e7h7-1289-876r-c25fbbce1b19",
    "create-private-dns-zone-link": true
}
Your final JSON file should look like the one given below:-
Once the contents are updated in the “app.conf”, make sure to restart the cloudmanager_cbs container using the following command.
docker restart cloudmanager_cbs
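Because app.conf is a live configuration file that already holds other keys, a hand edit that breaks the JSON or drops an existing key will stop the container from reading it. As an added example, not NetApp's own tooling, the following Python script adds the “user-private-dns-zone-settings” block from the post to an existing app.conf while preserving every other key, takes a backup first, and refuses a subscription value that is not a GUID (the sample value in the post is a placeholder, not a real subscription ID, and would be rejected). The path, key names and resource-group value are from the post; the existing app.conf content used for checking is constructed. After it runs, restart the container with the command above.

```python
"""Add the Private DNS Zone settings to the Connector's app.conf without clobbering it.

Added example, not NetApp code. The path, keys and resource-group value are
from the post; any existing app.conf content used for checking is constructed.
"""
import json
import re
import shutil
import sys
from pathlib import Path

APP_CONF = Path("/opt/application/netapp/cloudmanager/docker_occm/data/app.conf")
SETTINGS_KEY = "user-private-dns-zone-settings"
# Azure subscription IDs are GUIDs (8-4-4-4-12 hex digits).
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def is_valid_subscription(subscription: str) -> bool:
    """True when the value is shaped like an Azure subscription ID."""
    return bool(GUID_RE.match(subscription))


def private_dns_zone_settings(subscription: str, resource_group: str) -> dict:
    """Build the settings block from the post, rejecting an obviously wrong subscription."""
    if not is_valid_subscription(subscription):
        raise ValueError(f"subscription must be a GUID, got {subscription!r}")
    if not resource_group:
        raise ValueError("resource group must not be empty")
    return {
        "use-existing": True,
        "resource-group": resource_group,
        "subscription": subscription,
        "create-private-dns-zone-link": True,
    }


def merge_settings(existing_text: str, settings: dict) -> str:
    """Return app.conf JSON with the block added; every other key is preserved."""
    conf = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(conf, dict):
        raise ValueError("app.conf top level must be a JSON object")
    conf[SETTINGS_KEY] = settings
    return json.dumps(conf, indent=2) + "\n"


def update_app_conf(path: Path, settings: dict) -> Path:
    """Back up app.conf, rewrite it in place and return the backup path."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(merge_settings(path.read_text(), settings))
    return backup


if __name__ == "__main__":
    # usage: sudo python3 add_private_dns_zone.py <subscription-guid> <resource-group>
    settings = private_dns_zone_settings(sys.argv[1], sys.argv[2])
    backup = update_app_conf(APP_CONF, settings)
    print(f"updated {APP_CONF} (backup: {backup}); now run: docker restart cloudmanager_cbs")
```

The script must run as a user that can write to the docker_occm data directory (normally root); the .bak copy lets you roll back if backup activation then fails because the Connector lacks permissions on the configured subscription.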
Now, users can go ahead with normal backup activation of the Working Environment from the BlueXP Backup & Recovery UI. During the activation, the private DNS zone subscription and resource group details from the app.conf will be detected by BlueXP Backup & Recovery service and a VNet link will be created, and an ‘A’ record for the Private Endpoint connectivity to the Storage Account will be added in the Private DNS Zone. The Connector needs to have appropriate permissions for the subscription.
Please Note:-
1) If no Private DNS Zone configuration is specified in the app.conf file, BlueXP Backup & Recovery (CBS) uses the Connector's subscription and resource group when creating a Private DNS Zone.
2) If the user doesn’t have a Private DNS Zone configured in the subscription, CBS creates one.
3) CBS creates only one Private Endpoint, in the Connector VNet, since the Connector and the CVO are in the same VNet or in peered VNets.
4) CBS assumes that the Connector and CVO VNets do not have VNet links in any Private DNS Zone other than the one used to create the Storage Account connectivity.
5) The Connector must hold valid permissions to update DNS ‘A’ record entries in the user-configured Private DNS Zone.
With this change in place, we have a couple of scenarios to handle for creating a Private Endpoint to connect to the Storage Account.
CVO, Connector, and Private DNS Zone Settings are all in the same subscription
In this scenario, BlueXP Backup & Recovery creates a Private Endpoint in the Connector VNet (the CVO VNet can be the same or a different one). A Private DNS Zone is then created in the Connector's subscription and resource group. BlueXP Backup & Recovery then creates a VNet link for the Connector VNet in the Private DNS Zone and finally adds the A record to the Private DNS Zone, mapping the storage account name to the private IP.
CVO, Connector, and Private DNS Zone Settings, two or more in different subscriptions
In this scenario, BlueXP Backup & Recovery creates a Private Endpoint in the Connector VNet under the Connector's subscription and resource group (the CVO VNet can be the same or a different one). The Private DNS Zone is then created in the user-configured subscription and resource group entered in the app.conf file. VNet links for both the Connector and the CVO VNets are then created. Finally, the A record is added to the Private DNS Zone, mapping the storage account name to the private IP.
With the previous April ’23 BlueXP Backup & Recovery release, enhancements had been made to send alerts to BlueXP notification center in case of a scheduled job failure and restore job completion with warnings.
With the May ’23 release, additional notifications for the restore operations done through ONTAP REST API or ONTAP CLI, outside of BlueXP Backup & Recovery service have been added to the Notification panel. These notifications are retrieved from ONTAP using the PubSub job information retrieval framework implemented in BlueXP Backup and Recovery service.
The picture below shows the notification when a volume is successfully restored using ONTAP REST API or ONTAP CLI, outside of BlueXP Backup & Recovery service.
The following picture shows the notification when a directory or volume is successfully restored using ONTAP REST API or ONTAP CLI, outside of BlueXP Backup & Recovery service.
The BlueXP Backup & Recovery APIs were not designed to retrieve or verify the size of the cloud object store bucket in which the ONTAP volume backups were stored and this information was not reflected on the BlueXP Backup & Recovery user interface.
With the May ’23 release, the V2 version of the GET Backup Working Environment API also returns the physical size of the cloud object store bucket.
The GET /account/{accountId}/providers/cloudmanager_cbs/api/v1/backup/working-environment/{workingEnvironmentId} V1 version of the BlueXP Backup & Recovery API, retrieved the details of a specific working environment backed up by using BlueXP Backup & Recovery within an account. It also retrieved backup enablement status, archive storage class, archive after days, catalog enablement status, auto enablement status, maximum transfer status, backup policy details, cloud storage pool, and remote MetroCluster ID.
With the V2 version of the GET Backup Working Environment API, in addition to the details listed above, the response now includes the size of the cloud object store data on the standard storage tier and on the archive storage tier. The following JSON excerpt shows the output of the GET Backup Working Environment API.
These details will be included in the BlueXP Backup & Recovery User Interface in the upcoming releases, to notify the user of the bucket size consumed by each working environment.
With the May ’23 release, BlueXP Backup and Recovery Service now supports backing up Cloud Volumes ONTAP to a cloud object store in the AWS China (Beijing) Region and the AWS China (Ningxia) Region. Cloud Volumes ONTAP support for the China regions was introduced in March 2023 for ONTAP version 9.12.1 GA and above.
Please note that deploying Cloud Volumes ONTAP and enabling BlueXP Backup & Recovery in these regions currently cannot be done via the BlueXP SaaS Console. The user needs to download the BlueXP Connector offline installer build (Cloud Manager Connector Cloud Build) from the NetApp Support site and install it on an EC2 instance.
What are the BlueXP Backup & Recovery Features supported on AWS China Region?
All the BlueXP Backup and Recovery features currently supported for the normal BlueXP Connector Cloud (On-Prem) build are available in the AWS China region deployments as well. The following table shows the list of features supported.
Installing BlueXP Connector on AWS China Region.
Requirements:-
The Connector software must run on an AWS EC2 instance in the AWS China region that meets specific operating system requirements, RAM requirements, port requirements, and so on. A dedicated host is required. Please make sure that the AWS EC2 instance is not shared with other applications.
Cloud compute Requirements:-
Supported Cloud compute operating systems:-
* Red Hat Enterprise Linux 7.6
* Red Hat Enterprise Linux 7.7
* Red Hat Enterprise Linux 7.8
* Red Hat Enterprise Linux 7.9
* Red Hat Enterprise Linux 8.6
* Red Hat Enterprise Linux 8.7
The Red Hat Enterprise Linux system must be registered with Red Hat Subscription Management. If it is not registered, the system cannot access repositories to update required 3rd party software during Connector installation.
The Connector is supported on English-language versions of these operating systems.
Networking:-
Prepare the following for the Connector:
• A VPC and subnet
• A network connection to the networks where you’re planning to create and manage working environments
• Outbound internet access to specific endpoints for day-to-day operations
• The IP address, credentials, and HTTPS certificate of a proxy server, if a proxy server is required for outbound internet
Setting up AWS permissions:-
Create an IAM policy and attach it to an IAM role or an IAM user. You’ll either associate the role with the Connector instance or provide BlueXP with an access key for the IAM user. The NetApp documentation provides step-by-step instructions for creating and setting up the AWS permissions.
IMPORTANT:-
While setting up IAM policies, make sure that the required policies are included as per the JSON example given here.
Also, when deploying in the AWS China Region, make sure that every ARN under the “Resource” section of each “Statement” in the policy JSON has its partition changed from “aws” to “aws-cn”. The China regions are a separate AWS partition, so an ARN left as “arn:aws:” matches nothing there and the Connector will be denied access.
For example:-
"arn:aws:s3:::netapp-backup-*"
should be replaced by
"arn:aws-cn:s3:::netapp-backup-*"
Make sure that all the “Resource” sections reflect the above change.
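Doing that substitution by hand across a long policy is error-prone, and a single missed ARN is a silent AccessDenied at backup time. As an added example, not NetApp's own tooling, the following Python script applies the partition change to a whole policy document: it handles both the single-string and list forms of Resource (and a Statement given as a single object rather than a list), leaves the “*” wildcard untouched, and then scans the result for any “arn:aws:” string still present anywhere in the document, for instance inside a Condition, that would need fixing by hand. The policy it reads is whichever Connector policy JSON you downloaded; the sample policy used for checking is constructed.

```python
"""Rewrite IAM policy Resource ARNs from the standard partition to aws-cn.

Added example, not NetApp code. Run it on the Connector policy JSON you
downloaded; the sample policy used for checking is constructed.
"""
import json
import re
import sys

ARN_AWS = re.compile(r"^arn:aws:")


def to_china_partition(arn: str) -> str:
    """Change the partition of a standard ARN to aws-cn; "*" and other strings are untouched."""
    return ARN_AWS.sub("arn:aws-cn:", arn)


def rewrite_policy(policy: dict) -> dict:
    """Return a deep copy of the policy with every Resource ARN moved to aws-cn."""
    out = json.loads(json.dumps(policy))  # deep copy; the input is left unchanged
    stmts = out.get("Statement", [])
    if isinstance(stmts, dict):  # IAM allows a single statement object
        stmts = [stmts]
        out["Statement"] = stmts
    for stmt in stmts:
        res = stmt.get("Resource")
        if res is None:
            continue
        if isinstance(res, str):
            stmt["Resource"] = to_china_partition(res)
        else:
            stmt["Resource"] = [to_china_partition(r) for r in res]
    return out


def leftover_standard_arns(policy: dict) -> list:
    """List any arn:aws: strings still present anywhere in the policy (sorted, unique)."""
    return sorted(set(re.findall(r"arn:aws:[^\"\s]*", json.dumps(policy))))


if __name__ == "__main__":
    # usage: python3 arn_to_aws_cn.py connector-policy.json > connector-policy-cn.json
    with open(sys.argv[1]) as fh:
        rewritten = rewrite_policy(json.load(fh))
    print(json.dumps(rewritten, indent=2))
    left = leftover_standard_arns(rewritten)
    if left:
        sys.exit(f"still in the standard partition, fix by hand: {left}")
```

Review the diff between the original and rewritten policy before attaching it: the script only rewrites Resource fields, so anything the leftover check reports was deliberately left for you to decide on.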
Hardware Requirements:-
• CPU:- 4 cores or 4 vCPUs
• RAM :- 14 GB
• Disk space in /opt :- 100 GiB of space must be available
• Disk space in /var:- 20 GiB of space must be available
Docker Engine:-
Docker Engine version 19 or later is required on the host before you install the Connector.
Downloading the Installer:-
1. Log in to the NetApp Support Site, and navigate to the Download page for installing Cloud Manager on the Red Hat Enterprise Linux platform. https://mysupport.netapp.com/products/index.html
2. Download the Cloud Manager Connector Cloud installer .zip file to a directory on the target system.
3. Verify the checksum to ensure that the software is downloaded correctly.
Installing Cloud Manager(BlueXP) Connector Cloud installer:-
In this section, we will discuss how the BlueXP Connector Cloud installer can be installed.
1. Verify that docker is enabled and running.
sudo systemctl enable docker && sudo systemctl start docker
2. Copy the installer to the Linux host.
3. Assign permissions to run the script
chmod +x /path/Cloud-Manager-Connector-Cloud-v3.9.28
4. Run the installation script:
sudo /path/Cloud-Manager-Connector-Cloud-v3.9.28
Setting Up BlueXP Connector Cloud installer:-
Now that we have installed the Cloud Manager (BlueXP) Connector, let's examine how it is configured and set up.
1. Open a web browser and enter https://ipaddress where ipaddress is the IP address of the Linux host.
2. The NetApp BlueXP login screen appears. Sign up as a new user.
3. Once the login is successful, enter a name for the Connector and choose the name of the new account you would like to create.
4. Once the account is created, the installation completes by pulling all the containers required for deployment in restricted mode.
5. Once the installation is completed and you are logged in, it asks the user to go ahead and add the first working environment. Click on “Add Working Environment” to start the wizard that will help you add the Cloud Volumes ONTAP systems
6. Click on the discovered working environment; BlueXP lists all the services that can be assigned to it and their current status. On the “Backup and Recovery” service tab, click “Enable”. Enter the “Provider Settings” details to provision the S3 bucket that will be used as the backup destination, then define a policy by choosing the backup schedule and retention count and click “Next”. Choose the volumes that need to be backed up and click “Activate Backup”. Backups are then activated on the chosen volumes.