Commit 94137e0

author
AbhishekMallick01
committed
AKS post-release updates
1 parent 138d87e commit 94137e0

4 files changed

+105
-43
lines changed

articles/backup/azure-kubernetes-service-backup-overview.md

Lines changed: 19 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Azure Kubernetes Service backup - Overview
33
description: This article gives you an understanding about Azure Kubernetes Service (AKS) backup, the cloud-native process to back up and restore the containerized applications and data running in AKS clusters.
44
ms.topic: conceptual
55
ms.service: backup
6-
ms.date: 03/14/2023
6+
ms.date: 03/17/2023
77
author: jyothisuri
88
ms.author: jsuri
99
---
@@ -12,30 +12,38 @@ ms.author: jsuri
1212

1313
[Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) backup is a simple, cloud-native process to back up and restore the containerized applications and data running in AKS clusters. You can configure scheduled backup for cluster state and application data (persistent volumes - CSI driver-based Azure Disks). The solution provides granular control to choose a specific namespace or an entire cluster to back up or restore by storing backups locally in a blob container and as disk snapshots. With AKS backup, you can unlock end-to-end scenarios - operational recovery, cloning developer/test environments, or cluster upgrade scenarios.
1414

15-
AKS backup integrates with Backup center (with other backup management capabilities) to provide a single pane of glass that helps you govern, monitor, operate, and analyze backups at scale.
15+
AKS backup integrates with Backup center, providing a single pane of glass that can help you govern, monitor, operate, and analyze backups at scale. Your backups are also available in the *AKS portal* under the **Settings** section.
1616

1717
## How does AKS backup work?
1818

19-
AKS backup enables you to back up your Kubernetes workloads and persistent volumes deployed in AKS clusters. The solution requires a [**Backup Extension**](../azure-arc/kubernetes/conceptual-extensions.md) to be installed in the AKS cluster. Backup vault communicates to the Backup Extension to perform backup and restore related operations. You can configure scheduled backups for your clusters as per your backup policy and can restore the backups to the original or an alternate cluster within the same subscription and region. The extension also allows you to enable granular controls to choose a specific namespace or an entire cluster as a backup/restore configuration while performing the specific operation.
19+
AKS Backup enables you to back up your Kubernetes workloads and Persistent Volumes deployed in AKS clusters. The solution requires a [**Backup Extension**](/azure/azure-arc/kubernetes/conceptual-extensions) to be installed inside the AKS cluster and Backup Vault communicates to the Extension to perform backup and restore related operations. **Backup Extension** is mandatory to be installed inside AKS cluster to enable backup and restore. As part of installation, a storage account and a blob container is to be provided in input where backups will be stored.
20+
21+
Along with Backup Extension, a *User Identity* is created in the AKS cluster's Managed Resource Group (called Extension Identity). This extension identity gets the *Storage Account Contributor* role assigned to it on the storage account where backups are stored in a blob container.
22+
23+
To support Public, Private, and Authorized IP based clusters, AKS backup requires *Trusted Access* to be enabled between *Backup vault* and *AKS cluster*. Trusted Access allows Backup vault to access the AKS clusters as specific permissions assigned to it related to the *Backup operations*. For more information on AKS Trusted Access, see [Enable Azure resources to access Azure Kubernetes Service (AKS) clusters using Trusted Access](../aks/trusted-access-feature.md).
2024

2125
>[!Note]
22-
>- You must install Backup Extension in the AKS cluster to enable backups and restores. With the extension installation, a User Identity is created in the AKS cluster's managed resource group (Extension Identity), which gets assigned a set of permissions to access the storage account with the backups stored in the blob container.
23-
>
24-
>- An AKS cluster can have only one Backup Extension installed at a time.
25-
>
26-
>- Currently, AKS backup allows storing backups in Operational Tier. Operational Tier is a local data store and backups aren't moved to a vault but are stored in your own tenant. However, the Backup vault still serves as the unit for managing backups.
26+
>AKS backup currently allows storing backups in *Operational Tier*. Operational Tier is a local data store and backups aren't moved to a vault, but are stored in your own tenant. However, the Backup vault still serves as the unit of managing backups.
2727
28-
The backup solution enables backups for your Kubernetes workloads deployed in the cluster and the data stored in the persistent volume. Currently, the solution only supports persistent volumes of CSI driver-based Azure Disks. During backups, other *PV* types (such as File Share and Blobs) are skipped by the solution. The Kubernetes workloads are stored in a blob container and the Disk-based persistent volumes are backed up as Disk snapshots.
28+
Once *Backup Extension* is installed and *Trusted Access* is enabled, you can configure scheduled backups for the clusters as per your backup policy, and can restore the backups to the original or an alternate cluster in the same subscription and region. AKS backup allows you to enable granular controls to choose a specific *namespace* or an *entire cluster* as a backup/restore configuration while performing the specific operation.
29+
30+
The *backup solution* enables backup operation for your Kubernetes workloads deployed in the cluster and the data stored in the *Persistent Volume*. The Kubernetes workloads are stored in a blob container and the *Disk-based Persistent Volumes* are backed up as *Disk Snapshots* in a Snapshot Resource Group
31+
32+
>[!Note]
33+
>Currently, the solution only supports Persistent Volumes of CSI Driver-based Azure Disks. During backups, other Persistent Volume types (File Share, Blobs) are skipped by the solution.
2934
3035
## Backup
3136

3237
To configure backup for AKS cluster, first you need to create a *Backup vault*. The vault gives you a consolidated view of the backups configured across different workloads. AKS backup supports only Operational Tier backup.
33-
Note: Copying backups to the Vault Tier is currently not supported. So, the Backup vault storage redundancy setting (LRS/GRS) doesn't apply to the backups stored in Operational Tier.
38+
39+
>[!Note]
40+
>- The Backup vault and the AKS cluster to be backed up or restored should be in the same region and subscription.
41+
>- Copying backups to the *Vault Tier* is currently not supported. So, the *Backup vault storage redundancy* setting (LRS/GRS) doesn't apply to the backups stored in Operational Tier.
3442
3543
AKS backup automatically triggers scheduled backup job that copies the cluster resources to a blob container and creates an incremental snapshot of the disk-based persistent volumes as per the backup frequency. Older backups are deleted as per the retention duration specified by the backup policy.
3644

3745
>[!Note]
38-
>AKS backup allows creating multiple backup instances for a single AKS cluster. You can create multiple backup Instances with different backup configurations, as required. However, each backup instance of an AKS cluster should be created with a different backup policy, either in the same or in a different Backup vault.
46+
>AKS backup allows creating multiple backup instances for a single AKS cluster with different backup configurations, as required. However, each backup instance of an AKS cluster should be created either in a different Backup vault or with a different backup policy in the same Backup vault.
3947
4048
## Backup management
4149

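Review bot: The rewritten "How does AKS backup work?" section drops the limitation "An AKS cluster can have only one Backup Extension installed at a time" (old line 24), and none of the new lines 19 to 33 restates it; please carry it over, for example as a bullet in the first note. In new line 19 the install requirement is stated twice ("requires a Backup Extension to be installed inside the AKS cluster" and "Backup Extension is mandatory to be installed inside AKS cluster"), so one of the two can go. New line 23 reads "access the AKS clusters as specific permissions assigned to it", which looks like it should be "with specific permissions", and new line 30 is missing its closing period.
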
articles/backup/azure-kubernetes-service-cluster-backup-concept.md

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Azure Kubernetes Service (AKS) backup using Azure Backup prerequisites
33
description: This article explains the prerequisites for Azure Kubernetes Service (AKS) backup.
44
ms.topic: conceptual
55
ms.service: backup
6-
ms.date: 03/14/2023
6+
ms.date: 03/17/2023
77
author: jyothisuri
88
ms.author: jsuri
99
---
@@ -24,6 +24,10 @@ Azure Backup now allows you to back up AKS clusters (cluster resources and persi
2424

2525
- You need to install Backup Extension on both the source cluster to be backed up and the target cluster where the restore will happen.
2626

27+
- Backup Extension can be installed in the cluster from the *AKS portal* blade on the **Backup** tab under **Settings**. You can also use the Azure CLI commands to [manage the installation and other operations on the Backup Extension](azure-kubernetes-service-cluster-manage-backups.md#manage-operations).
28+
29+
- Before you install an extension in an AKS cluster, you must register the `Microsoft.KubernetesConfiguration` resource provider at the subscription level. Learn how to [register the resource provider](azure-kubernetes-service-cluster-manage-backups.md#register-the-resource-provider).
30+
2731
Learn [how to manage the operation to install Backup Extension using Azure CLI](azure-kubernetes-service-cluster-manage-backups.md#manage-operations).
2832

2933
## Trusted Access
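Review bot: The bullet added at line 27 ends with a link to `azure-kubernetes-service-cluster-manage-backups.md#manage-operations`, and the unchanged sentence after the list (new line 31, "Learn how to manage the operation to install Backup Extension using Azure CLI") points to the same anchor, so the reader gets the same pointer twice within a few lines. Drop one of them or fold the portal path into the existing sentence. The resource provider registration at line 29 has to happen before any install, so it would read better placed above the bullet that describes how to install.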
@@ -34,6 +38,8 @@ Your Azure resources access AKS clusters through the AKS regional gateway using
3438

3539
For AKS backup, the Backup vault accesses your AKS clusters via Trusted Access to configure backups and restores. The Backup vault is assigned a pre-defined role **Microsoft.DataProtection/backupVaults/backup-operator** in the AKS cluster, allowing it to only perform specific backup operations.
3640

41+
Before you enable Trusted Access between a Backup vault and an AKS cluster, [enable a *feature flag* on the cluster's subscription](azure-kubernetes-service-cluster-manage-backups.md#enable-the-feature-flag).
42+
3743
Learn [how to enable Trusted Access](azure-kubernetes-service-cluster-manage-backups.md#enable-trusted-access).
3844

3945
## AKS Cluster
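Review bot: The prerequisite added at line 41 says to enable "a *feature flag*" without naming it, so the reader has to follow the link to find out which one. The linked section in this same commit registers `TrustedAccessPreview` under `Microsoft.ContainerService`; name the flag here and say it is registered on the cluster's subscription.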
@@ -55,6 +61,11 @@ To enable backup for an AKS cluster, see the following prerequisites: .
5561
5662
- The Backup Extension during installation fetches Container Images stored in Microsoft Container Registry (MCR). If you enable a firewall on the AKS cluster, the extension installation process might fail due to access issues on the Registry. Learn [how to allow MCR access from the firewall](../container-registry/container-registry-firewall-access-rules.md#configure-client-firewall-rules-for-mcr).
5763

64+
- Install Backup Extension on the AKS clusters following the [required FQDN/application rules](../aks/limit-egress-traffic.md#required-fqdn--application-rules-6).
65+
66+
- If you've any previous installation of *Velero* in the AKS cluster, you need to delete it before installing Backup Extension.
67+
68+
5869
## Required roles and permissions
5970

6071
To perform AKS backup and restore operations as a user, you need to have specific roles on the AKS cluster, Backup vault, Storage account, and Snapshot resource group.
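Review bot: The Velero bullet at line 66 tells the reader to delete any previous installation but gives neither the reason nor a way to check for one; add a short clause on why it conflicts with Backup Extension, and reword "If you've any previous installation" to something like "If Velero is already installed". The link at line 64 targets `#required-fqdn--application-rules-6`, and a numeric suffix on an anchor is easy to break when headings in the target file change, so confirm it resolves to the intended section. Lines 67 and 68 add two consecutive blank lines before the heading; one is enough.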
@@ -75,7 +86,7 @@ Also, as part of the backup and restore operations, the following roles are assi
7586
| --- | --- | --- | --- |
7687
| Reader | Backup vault | AKS cluster | Allows the Backup vault to perform *List* and *Read* operations on AKS cluster. |
7788
| Reader | Backup vault | Snapshot resource group | Allows the Backup vault to perform *List* and *Read* operations on snapshot resource group. |
78-
| Disk Snapshot Contributor | AKS cluster | Snapshot resource group | Allows AKS cluster to store persistent volume snapshots in the resource group. |
89+
| Contributor | AKS cluster | Snapshot resource group | Allows AKS cluster to store persistent volume snapshots in the resource group. |
7990
| Storage Account Contributor | Extension Identity | Storage account | Allows Backup Extension to store cluster resource backups in the blob container. |
8091

8192
>[!Note]
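Review bot: Line 89 widens the role the AKS cluster gets on the snapshot resource group from Disk Snapshot Contributor to Contributor, while the description column still only says it "Allows AKS cluster to store persistent volume snapshots in the resource group". Contributor on a resource group covers far more than snapshot operations, so either keep the narrower role or state in this row (or in the note that follows) which operation needs Contributor, so readers can weigh the grant against least privilege.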

articles/backup/azure-kubernetes-service-cluster-backup.md

Lines changed: 8 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Back up Azure Kubernetes Service (AKS) using Azure Backup
33
description: This article explains how to back up Azure Kubernetes Service (AKS) using Azure Backup.
44
ms.topic: how-to
55
ms.service: backup
6-
ms.date: 03/15/2023
6+
ms.date: 03/17/2023
77
author: jyothisuri
88
ms.author: jsuri
99
---
@@ -91,46 +91,25 @@ To configure backups for AKS cluster, follow these steps:
9191

9292
6. In the *context* pane, provide the *storage account* and *blob container* where you need to store the backup, and then select **Generate Command**.
9393

94-
>[!Note]
95-
>Before you install the AKS Backup Extension via *Azure CLI*, you must enable the `Microsoft.KubernetesConfiguration` resource provider on the subscription.
96-
>
97-
>To register the resource provider before the extension installation (don't initiate extension installation before registering resource provider), run the following commands:
98-
>
99-
>1. Register the resource provider.
100-
> `az provider register --namespace Microsoft.KubernetesConfiguration`
101-
>2. Monitor the registration process. The registration may take up to *10 minutes*.
102-
> `az provider show -n Microsoft.KubernetesConfiguration -o table`
103-
104-
7. Open the PowerShell console, and then upgrade the CLI to version *2.24.0* or later using the command `az upgrade`.
105-
106-
Sign in to the Azure portal (using the command `az login`), and then copy and run the generated commands.
107-
108-
The commands install the *Backup Extension* and *Assign Extension* managed identity permissions on the storage account.
109-
110-
Once done, select **Revalidate**.
111-
112-
>[!Note]
113-
>We're using the Extension managed identity attached to the underlying compute of the AKS cluster. After running the `az role assignment` command, it may take some time (up to *1 hour*) to propagate permission to the AKS cluster (due to caching issue). If revalidation fails, try again after some time.
114-
115-
8. To enable *Trusted Access* and *other role permissions*, select **Grant Permission** > **Next**.
94+
7. To enable *Trusted Access* and *other role permissions*, select **Grant Permission** > **Next**.
11695

117-
9. Select the backup policy that defines the schedule and retention policy for AKS backup, and then select **Next**.
96+
8. Select the backup policy that defines the schedule and retention policy for AKS backup, and then select **Next**.
11897

11998
10. Select **Add/Edit** to define the *backup instance configuration*.
12099

121-
11. In the *context* pane, enter the *cluster resources* that you want to back up.
100+
9. In the *context* pane, enter the *cluster resources* that you want to back up.
122101

123102
Learn about the [backup configurations](#backup-configurations).
124103

125-
12. Select the *snapshot resource group* where *persistent volume (Azure Disk) snapshots* need to be stored, and then select **Validate**.
104+
10. Select the *snapshot resource group* where *persistent volume (Azure Disk) snapshots* need to be stored, and then select **Validate**.
126105

127106
After validation, if the appropriate roles aren't assigned to the vault over snapshot resource group, the error **Role assignment not done** appears.
128107

129-
14. To resolve the error, select the *checkbox* corresponding to the *Datasource*, and then select **Assign Missing Role**.
108+
11. To resolve the error, select the *checkbox* corresponding to the *Datasource*, and then select **Assign Missing Role**.
130109

131-
15. Once the *role assignment* is successful, select **Next**.
110+
12. Once the *role assignment* is successful, select **Next**.
132111

133-
16. Select **Configure Backup**.
112+
13. Select **Configure Backup**.
134113

135114
Once the configuration is complete, the **Backup Instance** gets created.
136115

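Review bot: The renumbering misses the unchanged step "10. Select **Add/Edit** to define the *backup instance configuration*" (new line 98), so the list now reads 7, 8, 10, 9, 10, 11, 12, 13. Renumber that step to 9 and shift the steps after it by one (ending at 14), or switch the list to `1.` auto-numbering. Separately, step 6 still ends with "select **Generate Command**", but the removed old step 7 was the only place that told the reader to run the generated commands and select **Revalidate**, and the note that `az role assignment` can take up to *1 hour* to propagate is removed as well; if that guidance now lives in another article, link to it from step 6.
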
articles/backup/azure-kubernetes-service-cluster-manage-backups.md

Lines changed: 65 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Manage Azure Kubernetes Service (AKS) backups using Azure Backup
33
description: This article explains how to manage Azure Kubernetes Service (AKS) backups using Azure Backup.
44
ms.topic: how-to
55
ms.service: backup
6-
ms.date: 03/15/2023
6+
ms.date: 03/17/2023
77
author: jyothisuri
88
ms.author: jsuri
99
---
@@ -18,6 +18,25 @@ Azure Backup now allows you to back up AKS clusters (cluster resources and persi
1818

1919
This section provides the set of Azure CLI commands to create, update, delete operations on the backup extension. You can use the *update* command to change the blob container where backups are stored along with compute limits for the underlying Backup Extension Pods.
2020

21+
## Register the resource provider
22+
23+
To register the resource provider, run the following command:
24+
25+
```azurecli-interactive
26+
az provider register --namespace Microsoft.KubernetesConfiguration
27+
```
28+
29+
>[!Note]
30+
>Don't initiate extension installation before registering resource provider.
31+
32+
### Monitor the registration process
33+
34+
The registration may take up to *10 minutes*. To monitor the registration process, run the following command:
35+
36+
```azurecli-interactive
37+
az provider show -n Microsoft.KubernetesConfiguration -o table
38+
```
39+
2140
### Install Backup Extension
2241

2342
To install the Backup Extension, use the following command:
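Review bot: "Register the resource provider" is added at line 21 as a level-2 heading, but the next unchanged heading, "### Install Backup Extension" (new line 40), is level 3, so the install section now renders as a subsection of resource provider registration, next to "### Monitor the registration process". If registration is meant to be one of the manage operations, make it `###` and demote the monitoring part; otherwise move the new section above the intro sentence at line 19, which is now left describing a section with no content under it.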
@@ -53,6 +72,51 @@ To view the progress of Backup Extension installation, use the following command
5372
az k8s-extension show --name azure-aks-backup --cluster-type managedClusters --cluster-name aksclustername --resource-group aksclusterrg
5473
```
5574

75+
## Enable the feature flag
76+
77+
To enable the feature flag follow these steps:
78+
79+
1. To install the *aks-preview* extension, run the following command:
80+
81+
```azurecli-interactive
82+
az extension add --name aks-preview
83+
```
84+
85+
1. To update to the latest version of the extension released, run the following command:
86+
87+
```azurecli-interactive
88+
az extension update --name aks-preview
89+
```
90+
91+
1. To register the *TrustedAccessPreview* feature flag, run the `az feature register` command.
92+
93+
**Eexample**
94+
95+
```azurecli-interactive
96+
az feature register --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview"
97+
```
98+
99+
It takes a few minutes for the status to show Registered.
100+
101+
1. To verify the registration status, run the `az feature show` command.
102+
103+
**Eexample**
104+
105+
```azurecli-interactive
106+
az feature show --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview"
107+
```
108+
109+
1. When the status shows as **Registered**, run the `az provider register` command to refresh the `Microsoft.ContainerService` resource provider registration.
110+
111+
**Example**
112+
113+
```azurecli-interactive
114+
az provider register --namespace Microsoft.ContainerService
115+
```
116+
117+
>[!Note]
118+
>Don't initiate backup configuration before enabling the feature flag.
119+
56120
## Enable Trusted Access
57121

58122
To enable Trusted Access between Backup vault and AKS cluster, use the following Azure CLI command:
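Review bot: "**Eexample**" is misspelled at lines 93 and 103 (line 111 has it right as "**Example**"). The fenced blocks and the sentence "It takes a few minutes for the status to show Registered." under the `1.` items are not indented, so Markdown will end the list at each fence and every step will render as step 1; indent the step content so it stays one numbered list. Line 77 also needs a comma after "feature flag".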
