Cloud Backup: DataLock and Ransomware Protection Support
Organizations continue to face the challenge of ransomware, and attacks can cost a business time, resources, and reputation. An organization typically has two options after it has encountered ransomware: pay the ransom or restore from backups. Protection against ransomware attacks has become one of the high-priority requirements among customers.
Cloud Backup has now introduced support for DataLock and Ransomware protection on Cloud Snapshots. With this feature, Cloud Backup provides a mechanism to lock the Cloud Snapshots replicated via SM-C and provides the ability to detect a ransomware attack and recover a consistent copy of the cloud snapshot. The solution uses both SM-C and ADC to achieve the above functionality. Currently, the feature is supported only for StorageGRID and AWS.
Cloud Backup: Search & Restore Azure Support
Cloud Backup has now added support for Azure, which means you can now search for a specific file from all backups stored on Azure Blob cloud storage and then perform a restore. It provides users with a quick and focused search for files across all the backups in the cloud and gives options to narrow searches using multiple search criteria. The implementation is based on SnapDiff v3 with the full file system representation. The “Search and Restore” solution has been developed using native cloud technology, which is fast, lean, and cost-optimized.
Features of Cloud Backup “Search and Restore”
- Searches based on:
  - File Name
  - File Type
  - File Creation Time
  - File Size
  - Working Environment
  - Local and Cloud Backups
- Searches based on the Volume name
- Handles both Local and Cloud backups
- Handles newly created, deleted, and renamed directories.
- Handles newly created, deleted, and renamed files.
- Restore only supported on Cloud backups.
- No separate Cloud Restore instance is required
How does Cloud Backup “Search and Restore” Work?
- Cloud Backup Search & Restore uses a combination of ONTAP SnapDiff v3 SDK technology along with Azure Synapse Analytics.
- Indexed Catalog functionality uses a dedicated container that runs on the Cloud Manager instance to provide indexed catalog functionalities. The catalog container can be easily decoupled to run on more powerful machines if required.
- The feature uses Azure Synapse Analytics to provide efficient search capabilities to browse data within the DataLake storage account.
- When you enable the Indexed Catalog feature on the Cloud Backup service in Azure, it enables SnapDiff v3 on the Storage VM in your Working Environment. It also provisions an Azure Synapse Analytics workspace and a DataLake storage account, which store the catalog datasets as parquet files for quick querying.
- Scheduled tasks to monitor changes are run periodically by the catalog container. It scans for changes in the backups incrementally on working environments enabled for indexing and then updates DataLake storage account with changes and snapshot details.
What do I need before I get started with Cloud Backup “Search and Restore”: Prerequisites
You can start using the Search & Restore feature if you already have a Cloud Manager Connector deployed and Cloud Backup is enabled on the Working Environment. Make sure that your Working Environment (On-prem ONTAP or Cloud Volumes ONTAP) version is 9.8 or above.
- ONTAP requirements
  - ONTAP version 9.8 or above
  - NFS protocol enabled
  - SnapDiff RPC Server should be activated on the indexed SVMs. This is automated by Cloud Manager.
  - Online Storage VM Data-LIF
- The following Cloud permissions have to be manually added for existing Connectors
  - You must register the Azure Synapse Analytics Resource Provider with your subscription. See how to register this resource provider for your subscription. You must be the Subscription Owner or Contributor to register the resource provider.
  - Specific Azure Synapse Workspace and Data Lake Storage Account permissions must be added to the user role that provides Cloud Manager with permissions. Make sure all the permissions are configured correctly:
    - "Microsoft.Storage/checknameavailability/read", existing
    - "Microsoft.Storage/operations/read", existing
    - "Microsoft.Storage/storageAccounts/listkeys/action", existing
    - "Microsoft.Storage/storageAccounts/read", existing
    - "Microsoft.Storage/storageAccounts/write", existing
    - "Microsoft.Storage/storageAccounts/blobServices/containers/read", existing
    - "Microsoft.Storage/storageAccounts/listAccountSas/action", new
    - "Microsoft.Synapse/workspaces/write", new
    - "Microsoft.Synapse/workspaces/read", new
    - "Microsoft.Synapse/workspaces/delete", new
    - "Microsoft.Synapse/register/action", new
    - "Microsoft.Synapse/checkNameAvailability/action", new
    - "Microsoft.Synapse/workspaces/operationStatuses/read", new
    - "Microsoft.Synapse/workspaces/firewallRules/read", new
    - "Microsoft.Synapse/workspaces/replaceAllIpFirewallRules/action", new
    - "Microsoft.Synapse/workspaces/operationResults/read", new
Note that if you were already using Cloud Backup with a Connector you configured in the past, you’ll need to add the Azure Synapse Workspace and Data Lake Storage Account permissions to the Cloud Manager user role now. These are new, and they are required for Search & Restore.
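To confirm that an existing Connector role actually carries every permission listed above before enabling Search & Restore, the check below compares a role definition against that list. It is an added example, not NetApp code; it assumes the role JSON has the shape printed by `az role definition list` (a `permissions` array with `actions` and `notActions`), and the sample role is constructed.

```python
import json
from fnmatch import fnmatchcase
# Actions copied from the list above, grouped by the page's own labels.
REQUIRED = {
    "existing": [
        "Microsoft.Storage/checknameavailability/read",
        "Microsoft.Storage/operations/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    ],
    "new": [
        "Microsoft.Storage/storageAccounts/listAccountSas/action",
        "Microsoft.Synapse/workspaces/write",
        "Microsoft.Synapse/workspaces/read",
        "Microsoft.Synapse/workspaces/delete",
        "Microsoft.Synapse/register/action",
        "Microsoft.Synapse/checkNameAvailability/action",
        "Microsoft.Synapse/workspaces/operationStatuses/read",
        "Microsoft.Synapse/workspaces/firewallRules/read",
        "Microsoft.Synapse/workspaces/replaceAllIpFirewallRules/action",
        "Microsoft.Synapse/workspaces/operationResults/read",
    ],
}

def _matches(action, patterns):
    # Azure action strings are case-insensitive and may contain "*" wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def granted(action, permissions):
    # A block grants the action if its actions match and its notActions do not.
    return any(_matches(action, b.get("actions", [])) and
               not _matches(action, b.get("notActions", [])) for b in permissions)

def missing_actions(role_json):
    # Accepts one role object or the list that `az role definition list` prints (assumed shape).
    roles = json.loads(role_json)
    perms = (roles[0] if isinstance(roles, list) else roles).get("permissions", [])
    return {k: [a for a in v if not granted(a, perms)] for k, v in REQUIRED.items()}

# Constructed sample role (hypothetical name), not a real export.
SAMPLE_ROLE = json.dumps([{"roleName": "Example Connector Role", "permissions": [{
    "actions": REQUIRED["existing"] + ["Microsoft.Synapse/workspaces/*"],
    "notActions": ["Microsoft.Synapse/workspaces/delete"],
}]}])

if __name__ == "__main__":
    print(missing_actions(SAMPLE_ROLE))
```

The sample shows two easy-to-miss gaps: a `workspaces/*` wildcard does not cover the Synapse provider-level actions, and a `notActions` entry silently removes an action the wildcard appears to grant.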
- If you are new to Cloud Manager, complete the following steps to get started with “Search & Restore”.
- A valid cloud account with required admin rights to deploy EC2 instances and create IAM roles.
- Make sure that you have subscribed to the NetApp Cloud Central Account.
- Log in to Cloud Manager.
- Deploy a Cloud Manager Connector.
- Deploy a Cloud Volumes ONTAP Working Environment or discover an on-premises ONTAP system (version 9.8 and above).
- Choose the “Canvas” page on the Cloud Manager UI.
- Select the required Working Environment.
- On the right-hand side, you will be able to see the list of services.
- If the “Backup and Restore” service is not enabled, click on Enable.
- Now the “Backup and Restore” wizard will open.
- Provide the required Account name and the region.
- Create a backup policy with the required backup requirements.
- Choose the volume, or volumes, that need to be backed up.
- Click Submit so that the backup job is started.
For more information, visit the Cloud Manager documentation.
Enabling “Search & Restore” on the Working Environment
To get started with the Search & Restore feature, make sure that Cloud Backup is enabled.
1. On the Cloud Manager Canvas, choose the required Working Environment.
2. On the right-hand side of the Cloud Manager UI, all the services applicable to the Working Environment will be listed.
3. Click the three-dot drop-down menu next to “Backup and Restore” and choose “Restore Dashboard”. You will now see the Restore window.
4. The first time you use Backup & Restore, you need to enable Indexed Catalog. Click on “Enable Indexing for Working Environments”.
5. You will now see all the Working Environments, and you can enable Indexing on the Working Environment of your choice. Click “Enable Indexing”.
6. Once the Indexed Catalog is enabled, appropriate services and databases will be created at the backend to start the cataloging features. Enabling Indexed Cataloging will result in the following:
a) The service will enable SnapDiff v3 on the Storage VM in your Working Environment.
b) It also provisions an Azure Synapse Analytics workspace and a DataLake storage account, which store the catalog dataset as parquet files for quick querying.
7. Once the services are provisioned, the Indexed Catalog service for the Working Environment will be shown as “Active”.
How do I use the Indexed Catalog UI?
Now let's go ahead and check out the new UI that has been introduced for the “Search and Restore” feature and understand its functionality.
1. The new “Restore Dashboard” UI provides the options “Browse & Restore” and “Search & Restore”. Click on “Search & Restore”.
2. To search for a file or a list of files having a common name, input the name of the file in the search bar and choose from where you would like to restore. You can search from “All Resources”, “Files”, or “Volumes”. To filter further, choose the “Filter by” options to filter by file types, file-creation dates, specific working environments, file sizes, and backup location.
3. Clicking on “View All Backups” will show all the backups, both on the Cloud and Primary (local), that contain the particular file. Note that you will only be able to restore the selected file from the cloud backups. The “Restore” button on the Primary (local) backup copies will be grayed out, as restoring from them is not supported yet.
4. To restore a file, select the Restore location. You can Restore to the Original Location or Restore to an Alternate location.
5. Click Restore to complete the file restore process.
Cloud Backup: Support for Custom SnapMirror-Labels
Cloud Backup has now added support for custom SnapMirror labels. Previously, Cloud Backup supported only pre-defined SnapMirror labels like hourly, daily, weekly, hourly and yearly. Now Cloud Backup can discover custom SnapMirror policies that have custom SnapMirror labels and expose them on the Cloud Backup UI, so that users can back up the Volume Snapshots with the SnapMirror label of their choice to the cloud object store.
How do we use custom SnapMirror labels?
Let's examine this feature a little in-depth:
Imagine a user has Volumes set with a snapshot policy that uses a custom SnapMirror label “12-hourly”, and the user needs to replicate the snapshots created with this label to the cloud object store using Cloud Backup. To achieve this, the user would need to create a custom SnapMirror policy on ONTAP with the SnapMirror label. For example, let’s create a SnapMirror policy with the SnapMirror label “12-hourly” using System Manager or ONTAP CLI.
Sfrtmeaws0108::> snapmirror policy create -vserver Sfrtmeaws0108 -policy 12-hourly -tries 8 -transfer-priority normal
Sfrtmeaws0108::> snapmirror policy add-rule -vserver Sfrtmeaws0108 -policy 12-hourly -snapmirror-label 12-hourly -keep 12
Sfrtmeaws0108::> snapmirror policy show
Vserver Policy Policy Number Transfer
Name Name Type Of Rules Tries Priority Comment
------- ------------------ ------ -------- ----- -------- ----------
12-hourly vault 1 8 normal -
SnapMirror Label: 12-hourly Keep: 12
Total Keep: 12
Now, to back up the Working Environment with Volumes that have snapshots created with this specific label, click the “Enable” button in the Backup and Restore tab available on the right-hand “Services” panel.
This opens the Backup Activation wizard.
- Enter the details for the “Provider Settings” on the wizard and click on “Next”.
- On the “Define Policy” window, click on “Select an Existing Policy”.
- This will list all the SnapMirror policies available on the ONTAP Cluster, including the custom SnapMirror policy created by the user. To view all the SnapMirror labels available on the policy, click on the drop-down arrow on the right.
- Now select the custom policy and click “Next”.
- Select the volumes that you would like to back up and click on “Activate”.
- Once the activation is complete, the volume snapshots with the custom snapmirror label will be backed up to the cloud.
This can also be done for volumes that have already been backed up. You can modify the applicable SnapMirror label of an existing backed-up volume by modifying the policy on the “Manage Volume” page. Make sure that you create the SnapMirror policy on ONTAP using System Manager or ONTAP CLI.
- Traverse to the “Manage Volume” page under the “Backup Settings” tab.
- Click on the volume where you would like to change the policy to accommodate the new SnapMirror label. Click on “Change Policy”.
- Finally, click on the “Save” button so that the changes are applied.
- Once the modification is complete, the volume snapshots with the custom snapmirror label will be backed up to the cloud.
Enabling Cloud Backup (Azure and Google Cloud) using “Drag and Drop” on Cloud Manager UI
Now it's possible to enable Cloud Backup in working environments by dragging and dropping a Cloud Volumes ONTAP/on-prem ONTAP cluster onto an Azure Blob Storage or Google Storage Bucket on the Canvas page in the Cloud Manager UI.
When the user selects the Cloud Volumes ONTAP/on-prem ONTAP cluster and drags it onto an Azure Blob Storage or Google Storage Bucket, the user will be presented with a dialog box, “Select a service to enable it”. Choosing “Backup and Restore” will trigger the Cloud Backup wizard and proceed with the “Provider Setting” page. The user can enter the details on the “Provider Setting”, “Define Policy” and “Select Volumes” pages in the wizard and click on “Activate Backup” to complete enabling the Cloud Backup service on the working environment. You will now be able to see that Cloud Backup for the source has been configured successfully according to the policy, and that a relationship line is drawn between the source and the cloud storage (“Backup & Restore” with a representation of the direction).