
Commit 7ba992d

Merge pull request #285587 from rajats22/aksbackup26082024
AKS, PGSQL and MYSQL Update
2 parents 5be8797 + 98a992f commit 7ba992d

28 files changed, +258 -77 lines changed

articles/backup/azure-kubernetes-service-backup-overview.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ After the Backup extension is installed and Trusted Access is enabled, you can c
3535
The backup solution enables the backup operations for your AKS datasources that are deployed in the cluster and for the data that's stored in the persistent volume for the cluster, and then store the backups in a blob container. The disk-based persistent volumes are backed up as disk snapshots in a snapshot resource group. The snapshots and cluster state in a blob both combine to form a recovery point that is stored in your tenant called Operational Tier. You can also convert backups (first successful backup in a day, week, month, or year) in the Operational Tier to blobs, and then move them to a Vault (outside your tenant) once a day.
3636

3737
> [!NOTE]
38-
> Currently, Azure Backup supports only persistent volumes in CSI driver-based Azure Disk Storage. During backups, the solution skips other persistent volume types, such as Azure File Share and blobs. Also, backups are eligible to be moved to the vault if the persistent volumes are of size less than or equal to 1 TB.
38+
> Currently, Azure Backup supports only persistent volumes in CSI driver-based Azure Disk Storage. During backups, the solution skips other persistent volume types, such as Azure File Share and blobs. Also, if you have defined retention rules for Vault tier then backups are only eligible to be moved to the vault if the persistent volumes are of size less than or equal to 1 TB.
3939
4040
## Configure backup
4141
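Review bot: the new conditional clause in the NOTE on line 38 needs a comma and consistent capitalization ("Vault tier" here, "Vault Tier" elsewhere on the page); suggest: "Also, if you have defined retention rules for the Vault Tier, backups are only eligible to be moved to the vault if the persistent volumes are 1 TB or smaller." The added condition itself is a useful correction, since the 1 TB size limit only matters once vault-tier retention is configured.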

@@ -438,6 +438,8 @@ You incur charges for:
438438

439439
- **Snapshot fee**: Azure Backup for AKS protects a disk-based persistent volume by taking snapshots that are stored in the resource group in your Azure subscription. These snapshots incur snapshot storage charges. Because the snapshots aren't copied to the Backup vault, backup storage cost doesn't apply. For more information on the snapshot pricing, see [Managed Disk pricing](https://azure.microsoft.com/pricing/details/managed-disks/).
440440

441+
- **Backup Storage fee**: Azure Backup for AKS also supports storing backups in Vault Tier. This can be achieved by defining retention rules for **vault-standard** in the backup policy, with one restore point per day eligible to be moved into the Vault. Restore points stored in the Vault Tier are charged a separate fee called Backup Storage fee as per the total data stored (in GBs) and redundancy type enable on the Backup Vault.
442+
441443

442444
## Next step
443445
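Review bot: "redundancy type enable on the Backup Vault" in the new Backup Storage fee bullet should read "redundancy type enabled on the Backup Vault", and "(in GBs)" should be "(in GB)". Unlike the preceding Snapshot fee bullet, which links to Managed Disk pricing, the new bullet gives no pricing reference for the Backup Storage fee; consider adding one so readers can estimate vault-tier cost. The bullet also alternates between "Vault Tier" and "the Vault"; pick one term.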

articles/backup/azure-kubernetes-service-backup-troubleshoot.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -343,6 +343,14 @@ These error codes can appear while you enable AKS backup to store backups in a v
343343

344344
**Recommended action**: Use same cluster version for Target cluster as Source cluster or manually apply the CRs.
345345

346+
### LinkedAuthorizationFailed
347+
348+
**Error code**: LinkedAuthorizationFailed
349+
350+
**Cause**: To perform a restore operation, user needs to have a **read** permission over the backed up AKS cluster.
351+
352+
**Recommended action**: Assign Reader role on the source AKS cluster and then proceed to perform the restore operation.
353+
346354
## Next steps
347355

348356
- [About Azure Kubernetes Service (AKS) backup](azure-kubernetes-service-backup-overview.md)
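Review bot: the new LinkedAuthorizationFailed section doesn't say whose identity needs the permission. The Cause line says "user needs to have a **read** permission over the backed up AKS cluster" while the Recommended action says "Assign Reader role on the source AKS cluster" without naming the principal; state explicitly that the Reader role is assigned to the user (or identity) that performs the restore, and use one name for the cluster ("source AKS cluster") in both lines. Minor grammar: "user needs" should be "the user needs", and "backed up" used as an adjective is "backed-up".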

articles/backup/azure-kubernetes-service-cluster-backup-concept.md

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -50,9 +50,7 @@ Your Azure resources access AKS clusters through the AKS regional gateway using
5050

5151
For AKS backup, the Backup vault accesses your AKS clusters via Trusted Access to configure backups and restores. The Backup vault is assigned a predefined role **Microsoft.DataProtection/backupVaults/backup-operator** in the AKS cluster, allowing it to only perform specific backup operations.
5252

53-
To enable Trusted Access between a Backup vault and an AKS cluster, you must register the `TrustedAccessPreview` feature flag on `Microsoft.ContainerService` at the subscription level. Learn more [to register the resource provider](azure-kubernetes-service-cluster-manage-backups.md#enable-the-feature-flag).
54-
55-
Learn [how to enable Trusted Access](azure-kubernetes-service-cluster-manage-backups.md#register-the-trusted-access).
53+
To enable Trusted Access between a Backup vault and an AKS cluster. Learn [how to enable Trusted Access](azure-kubernetes-service-cluster-manage-backups.md#trusted-access-related-operations)
5654

5755
>[!Note]
5856
>- You can install the Backup Extension on your AKS cluster directly from the Azure portal under the *Backup* section in AKS portal.
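Review bot: the replacement line 53 is a sentence fragment: "To enable Trusted Access between a Backup vault and an AKS cluster." has no main clause, and the sentence that follows has no terminal period. Suggest one sentence: "To enable Trusted Access between a Backup vault and an AKS cluster, see [how to enable Trusted Access](azure-kubernetes-service-cluster-manage-backups.md#trusted-access-related-operations)." Separately, the deleted lines 53 to 55 stated that the `TrustedAccessPreview` feature flag must be registered on `Microsoft.ContainerService` at the subscription level; the replacement drops that prerequisite without saying it's no longer required, so please confirm the flag registration is obsolete and that the new `#trusted-access-related-operations` anchor exists in the target article, otherwise readers lose a setup step.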
Lines changed: 83 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,83 @@
1+
---
2+
title: Audit and enforce backup operations for Azure Kubernetes Service clusters using Azure Policy
3+
description: 'An article describing how to use Azure Policy to audit and enforce backup operations for all Azure Kubernetes Service clusters created in a given scope'
4+
ms.topic: how-to
5+
ms.date: 08/26/2024
6+
ms.service: azure-backup
7+
author: AbhishekMallick-MS
8+
ms.author: v-abhmallick
9+
---
10+
11+
# Audit and enforce backup operations for Azure Kubernetes Service clusters using Azure Policy
12+
13+
One of the key responsibilities of a Backup or Compliance Admin in an organization is to ensure that all business-critical machines are backed up with the appropriate retention.
14+
15+
Azure Backup provides various built-in policies (using [Azure Policy](../governance/policy/overview.md)) to help you automatically ensure that your Azure Kubernetes Service clusters are ready for backup configuration. Depending on how your backup teams and resources are organized, you can use any one of the below policies:
16+
17+
## Policy 1 - Azure Backup Extension should be installed in AKS clusters
18+
19+
Use this [audit-only](../governance/policy/concepts/effects.md#audit) policy to identify the AKS clusters that don't have the backup extension installed. However, this policy doesn't automatically install the backup extension to these AKS clusters. It's useful only to evaluate the overall readiness of the AKS clusters for backup compliance, and not to take action immediately.
20+
21+
## Policy 2 - Azure Backup should be enabled for AKS clusters
22+
23+
Use this [audit-only](../governance/policy/concepts/effects.md#audit) policy to identify the clusters that don't have backups enabled. However, this policy doesn't automatically configure backups for these clusters. It's useful only to evaluate the overall compliance of the clusters, and not to take action immediately.
24+
25+
## Policy 3 - Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag.
26+
27+
A central backup team in an organization can use this policy to install backup extension to any AKS clusters in a region. You can choose to **include** clusters that contain a certain tag, in the scope of this policy.
28+
29+
## Policy 4 - Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag.
30+
31+
A central backup team in an organization can use this policy to install backup extension to any AKS clusters in a region. You can choose to **exclude** clusters that contain a certain tag, from the scope of this policy.
32+
33+
## Supported Scenarios
34+
35+
Before you audit and enforce backups for AKS clusters, see the following scenarios supported:
36+
37+
* The built-in policy is currently supported only for Azure Kubernetes Service clusters.
38+
39+
* Users must take care to ensure that the necessary [prerequisites](azure-kubernetes-service-cluster-backup-concept.md#backup-extension) are enabled before Policies 3 and 4 are assigned.
40+
41+
* Policies 3 and 4 can be assigned to a single region and subscription at a time.
42+
43+
* For Policies 1, 2, 3 and 4, management group scope is currently unsupported.
44+
45+
## Using the built-in policies
46+
47+
This section describes the end-to-end process of assigning Policy 3: **Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag**. Similar instructions apply for the other policies. Once assigned, any new AKS cluster created under this scope has backup extension installed automatically.
48+
49+
To assign Policy 3, follow these steps:
50+
51+
1. Sign in to the Azure portal and navigate to the **Policy** Dashboard.
52+
53+
2. Select **Definitions** in the left menu to get a list of all built-in policies across Azure Resources.
54+
55+
3. Filter the list for **Category=Backup** and select the policy named *Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag*.
56+
57+
:::image type="content" source="./media/azure-kubernetes-service-cluster-backup-policy/policy-dashboard-inline.png" alt-text="Screenshot showing how to filter the list by category on Policy dashboard.":::
58+
59+
4. Select the name of the policy. You're then redirected to the detailed definition for this policy.
60+
61+
:::image type="content" source="./media/azure-kubernetes-service-cluster-backup-policy/policy-definition-blade.png" alt-text="Screenshot showing the Policy Definition tab.":::
62+
63+
5. Select the **Assign** button at the top of the pane. This redirects you to the **Assign Policy** pane.
64+
65+
6. Under **Basics**, select the three dots next to the **Scope** field. It opens up a right context pane where you can select the subscription for the policy to be applied on. You can also optionally select a resource group, so that the policy is applied only for AKS clusters in a particular resource group.
66+
67+
:::image type="content" source="media/azure-kubernetes-service-cluster-backup-policy/policy-assignment-basics.png" alt-text="Screenshot showing the Policy Assignment Basics tab.":::
68+
69+
7. In the **Parameters** tab, choose a location from the drop-down, and select the storage account to which the backup extension installed in the AKS cluster in the scope must be associated. You can also choose to specify a tag name and an array of tag values. An AKS cluster that contains any of the specified values for the given tag are excluded from the scope of the policy assignment.
70+
71+
:::image type="content" source="./media/azure-kubernetes-service-cluster-backup-policy/policy-assignment-parameters.png" alt-text="Screenshot showing the Policy Assignment Parameters pane.":::
72+
73+
8. Ensure that **Effect** is set to deployIfNotExists.
74+
75+
9. Navigate to **Review+create** and select **Create**.
76+
77+
> [!NOTE]
78+
>
79+
> - Use [remediation](../governance/policy/how-to/remediate-resources.md) to enable these policies on existing AKS clusters.
80+
81+
## Next step
82+
83+
[Learn more about Azure Policy](../governance/policy/overview.md)
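Review bot: step 7 (line 69) contradicts the policy it documents. The walkthrough assigns Policy 3, "Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag", which line 27 describes as **including** clusters that carry the tag, yet step 7 says clusters with the specified tag values "are excluded from the scope of the policy assignment". Either that sentence belongs to the Policy 4 flow or the include/exclude semantics are wrong in one of the two places; please verify against the built-in definition before merging. Smaller points: line 13 says "business-critical machines" in an article about AKS clusters; the headings for Policies 3 and 4 end with a period while those for Policies 1 and 2 don't; line 69 "An AKS cluster that contains any of the specified values ... are excluded" should be "is excluded"; and line 47 "has backup extension installed" should be "has the backup extension installed".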

articles/backup/azure-kubernetes-service-cluster-backup-support-matrix.md

Lines changed: 18 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -15,53 +15,57 @@ ms.author: v-abhmallick
1515

1616
You can use [Azure Backup](./backup-overview.md) to help protect Azure Kubernetes Service (AKS). This article summarizes region availability, supported scenarios, and limitations.
1717

18-
>[!Note]
19-
>Vaulted backup and Cross Region Restore for AKS using Azure Backup are currently in preview.
20-
2118
## Supported regions
2219

23-
- Operational Tier support for AKS backup is supported in all the following Azure public cloud regions: East US, North Europe, West Europe, South East Asia, West US 2, East US 2, West US, North Central US, Central US, France Central, Korea Central, Australia East, UK South, East Asia, West Central US, Japan East, South Central US, West US 3, Canada Central, Canada East, Australia South East, Central India, Norway East, Germany West Central, Switzerland North, Sweden Central, Japan West, UK West, Korea South, South Africa North, South India, France South, Brazil South, and UAE North.
20+
- Operational Tier support for AKS backup is supported in all the following Azure public cloud regions: East US, North Europe, West Europe, South East Asia, West US 2, East US 2, West US, North Central US, Central US, France Central, Korea Central, Australia East, UK South, East Asia, West Central US, Japan East, South Central US, West US 3, Canada Central, Canada East, Australia South East, Central India, Norway East, Germany West Central, Switzerland North, Sweden Central, Japan West, UK West, Korea South, South Africa North, South India, France South, Brazil South, UAE North, China East 2, China East 3, China North 2, China North 3, USGov Virginia, USGov Arizona and USGov Texas.
21+
22+
- Vault Tier and Cross Region Restore support (preview) for AKS backup are available in the following regions: East US, West US, West US 3, North Europe, West Europe, North Central US, South Central US, West Central US, East US 2, Central US, UK South, UK West, East Asia, South-East Asia, Japan East South India, Central India, Canada Central and Norway East.
2423

25-
- Vault Tier and Cross Region Restore support (preview) for AKS backup are available in the following regions: East US, West US, West US 3, North Europe, West Europe, North Central US, South Central US, East US 2, Central US, UK South, UK West, East Asia, and South-East Asia.
2624

2725
>[!Note]
28-
>If Cross Region Restore is enabled, backups stored in Vault Tier will be available in the Azure Paired region. See the [list of Azure Paired Region](../reliability/cross-region-replication-azure.md#azure-paired-regions).
26+
>Vaulted backup and Cross Region Restore for AKS using Azure Backup are currently in preview.
27+
>
28+
>To access backups stored in Vault Tier in the Azure paired region, enable Cross Region Restore capability for your Backup Vault. See the [list of Azure Paired Region](../reliability/cross-region-replication-azure.md#azure-paired-regions).
2929
3030
## Limitations
3131

3232
- AKS backup supports AKS clusters with Kubernetes version *1.22* or later. This version has Container Storage Interface (CSI) drivers installed.
3333

3434
- Before you install the backup extension in an AKS cluster, ensure that the CSI drivers and snapshot are enabled for your cluster. If they're disabled, [enable these settings](/azure/aks/csi-storage-drivers#enable-csi-storage-drivers-on-an-existing-cluster).
3535

36+
- Provide a new and empty blob container as input while installing backup extension in an AKS cluster for the first time. Don't use same blob container for more than one AKS cluster.
37+
3638
- AKS backups don't support in-tree volumes. You can back up only CSI driver-based volumes. You can [migrate from tree volumes to CSI driver-based persistent volumes](/azure/aks/csi-migrate-in-tree-volumes).
3739

38-
- Currently, an AKS backup supports only the backup of Azure disk-based persistent volumes (enabled by the CSI driver). The supported Azure Disk SKUs are Standard HDD, Standard SSD, and Premium SSD. The disks belonging to Premium SSD v2 and Ultra Disk SKU are not supported. Both static and dynamically provisioned volumes are supported. For backup of static disks, the persistent volumes specification should have the *storage class* defined in the **YAML** file, otherwise such persistent volumes will be skipped from the backup operation.
40+
- Currently, an AKS backup supports only the backup of Azure disk-based persistent volumes (enabled by the CSI driver). The supported Azure Disk SKUs are Standard HDD, Standard SSD, and Premium SSD. The disks belonging to Premium SSD v2 and Ultra Disk SKU aren't supported. Both static and dynamically provisioned volumes are supported. For backup of static disks, the persistent volumes specification should have the *storage class* defined in the **YAML** file, otherwise such persistent volumes are skipped from the backup operation.
3941

40-
- Azure Files shares and Azure Blob Storage persistent volumes are currently not supported by AKS backup due to lack of CSI Driver-based snapshotting capability. If you're using said persistent volumes in your AKS clusters, you can configure backups for them via the Azure Backup solutions. For more information, see [Azure file share backup](azure-file-share-backup-overview.md) and [Azure Blob Storage backup](blob-backup-overview.md).
42+
- Azure Files shares and Azure Blob Storage persistent volumes are not supported by AKS backup due to lack of CSI Driver-based snapshotting capability. If you're using said persistent volumes in your AKS clusters, you can configure backups for them via the Azure Backup solutions. For more information, see [Azure file share backup](azure-file-share-backup-overview.md) and [Azure Blob Storage backup](blob-backup-overview.md).
4143

4244
- Any unsupported persistent volume type is skipped while a backup is being created for the AKS cluster.
4345

4446
- Currently, AKS clusters using a service principal aren't supported. If your AKS cluster uses a service principal for authorization, you can update the cluster to use a [system-assigned managed identity](/azure/aks/use-managed-identity#update-an-existing-aks-cluster-to-use-a-system-assigned-managed-identity) or a [user-assigned managed identity](/azure/aks/use-managed-identity#update-an-existing-cluster-to-use-a-user-assigned-managed-identity).
4547

46-
- You can only install the Backup Extension on agent nodes with Ubuntu and Azure Linux as Operating System. AKS Clusters with Windows based agent nodes do not allow Backup Extension installation.
48+
- You can only install the Backup Extension on agent nodes with Ubuntu and Azure Linux as Operating System. AKS Clusters with Windows based agent nodes don't allow Backup Extension installation.
4749

48-
- You cannot install Backup Extension in AKS Cluster with ARM64 based agent nodes irrespective of Operating System (Ubuntu/Azure Linux/Windows) running on these nodes.
50+
- You can't install Backup Extension in AKS Cluster with Arm64 based agent nodes irrespective of Operating System (Ubuntu/Azure Linux/Windows) running on these nodes.
4951

5052
- You must install the backup extension in the AKS cluster. If you're using Azure CLI to install the backup extension, ensure that the version is 2.41 or later. Use `az upgrade` command to upgrade the Azure CLI.
5153

52-
- The blob container provided as input during installation of the backup extension should be in the same region and subscription as that of the AKS cluster. Only blob containers in a General-purpose V2 Storage Account are supported and Premium Storage Account are not supported.
54+
- The blob container provided as input during installation of the backup extension should be in the same region and subscription as that of the AKS cluster. Only blob containers in a General-purpose V2 Storage Account are supported and Premium Storage Account aren't supported.
5355

5456
- The Backup vault and the AKS cluster should be in the same region and subscription.
5557

56-
- Azure Backup for AKS provides both Operation Tier (Snapshot) and Vault Tier backup. Multiple backups per day can be stored in Operational Tier, with only one backup per day to be stored in the Vault.
58+
- Azure Backup for AKS provides both Operational Tier (Snapshot) and Vault Tier backup. Multiple backups per day can be stored in Operational Tier, with only one backup per day to be stored in the Vault as per the retention policy defined.
5759

5860
- Currently, the modification of a backup policy and the modification of a snapshot resource group (assigned to a backup instance during configuration of the AKS cluster backup) aren't supported.
5961

6062
- AKS clusters and backup extension pods should be in a running state before you perform any backup and restore operations. This state includes deletion of expired recovery points.
6163

6264
- For successful backup and restore operations, the Backup vault's managed identity requires role assignments. If you don't have the required permissions, permission problems might happen during backup configuration or restore operations soon after you assign roles because the role assignments take a few minutes to take effect. [Learn about role definitions](azure-kubernetes-service-cluster-backup-concept.md#required-roles-and-permissions).
6365

64-
- Backup vault does not support Azure Lighthouse. Thus, cross tenant management cannot be enabled by Lighthouse for Azure Backup for AKS and you cannot backup/restore AKS Clusters across tenant.
66+
- Backup vault doesn't support Azure Lighthouse. Thus, cross tenant management can't be enabled by Lighthouse for Azure Backup for AKS and you cannot backup/restore AKS Clusters across tenant.
67+
68+
- The following namespaces are skipped from Backup Configuration and not cofigured for backups: `kube-system`, `kube-node-lease`, `kube-public`.
6569

6670
- Here are the AKS backup limits:
6771
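Review bot: the new Vault Tier region list on line 22 is missing a separator between "Japan East" and "South India" ("Japan East South India"), which reads as a single region; line 68 has the typo "cofigured"; and line 66, while converting "does not" and "cannot" to contractions, leaves "you cannot backup/restore AKS Clusters across tenant", which should be "you can't back up or restore AKS clusters across tenants" for consistency with the other contraction edits in this hunk. The relocated note on lines 26 to 28 also states the preview status immediately after the line-22 bullet already says "(preview)"; keeping it once would avoid the repetition.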

@@ -70,6 +74,7 @@ You can use [Azure Backup](./backup-overview.md) to help protect Azure Kubernete
7074
| Number of backup policies per Backup vault | 5,000 |
7175
| Number of backup instances per Backup vault | 5,000 |
7276
| Number of on-demand backups allowed in a day per backup instance | 10 |
77+
| Number of namespaces per backup instance | 800 |
7378
| Number of allowed restores per backup instance in a day | 10 |
7479

7580
- Configuration of a storage account with private endpoint is supported.
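Review bot: the new "Number of namespaces per backup instance | 800" row is inserted between the two per-day operation limits (on-demand backups per day and restores per day), splitting a natural pair; placing it above the on-demand backups row, next to the other per-instance capacity limits, would read better. The row also doesn't say what happens when a cluster has more than 800 namespaces (backup fails, or the excess namespaces are skipped), which is the detail an operator sizing a backup instance needs.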
