NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide
- Introduction
- Section I. NetBackup Snapshot Manager for Cloud installation and configuration
- Preparing for NetBackup Snapshot Manager for Cloud installation
- Meeting system requirements
- NetBackup Snapshot Manager host sizing recommendations
- NetBackup Snapshot Manager extension sizing recommendations
- Creating an instance or preparing the host to install NetBackup Snapshot Manager
- Installing container platform (Docker, Podman)
- Creating and mounting a volume to store NetBackup Snapshot Manager data
- Verifying that specific ports are open on the instance or physical host
- Preparing NetBackup Snapshot Manager for backup from snapshot jobs
- OCI - iptables rules for backup from snapshot jobs
- Deploying NetBackup Snapshot Manager for Cloud using container images
- Before you begin installing NetBackup Snapshot Manager
- Installing NetBackup Snapshot Manager in the Docker/Podman environment
- Installing NetBackup Snapshot Manager on CIS Level 2 v2 configured host
- Securing the connection to NetBackup Snapshot Manager
- Verifying that NetBackup Snapshot Manager is installed successfully
- Restarting NetBackup Snapshot Manager
- Deploying NetBackup Snapshot Manager for Cloud extensions
- Before you begin installing NetBackup Snapshot Manager extensions
- Downloading the NetBackup Snapshot Manager extension
- Installing the NetBackup Snapshot Manager extension on a VM
- Installing the NetBackup Snapshot Manager extension on a managed Kubernetes cluster (AKS) in Azure
- Installing the NetBackup Snapshot Manager extension on a managed Kubernetes cluster (EKS) in AWS
- Installing the NetBackup Snapshot Manager extension on a managed Kubernetes cluster (GKE) in GCP
- Install extension using the Kustomize and CR YAMLs
- Managing the extensions
- NetBackup Snapshot Manager for cloud providers
- Why to configure the NetBackup Snapshot Manager cloud providers?
- AWS plug-in configuration notes
- Prerequisites for configuring the AWS plug-in
- Before you create a cross account configuration
- Prerequisites for application consistent snapshots using AWS Systems Service Manager
- Prerequisites for configuring AWS plug-in using VPC endpoint
- AWS permissions required by NetBackup Snapshot Manager
- Configuring AWS permissions for NetBackup Snapshot Manager
- Google Cloud Platform plug-in configuration notes
- Prerequisites for configuring the GCP plug-in using Credential and Service Account option
- Google Cloud Platform permissions required by NetBackup Snapshot Manager
- Preparing the GCP service account for plug-in configuration
- Configuring a GCP service account for NetBackup Snapshot Manager
- GCP cross-project configuration
- GCP shared VPC configuration
- Microsoft Azure plug-in configuration notes
- Microsoft Azure Stack Hub plug-in configuration notes
- OCI plug-in configuration notes
- Cloud Service Provider endpoints for DBPaaS
- Configuration for protecting assets on cloud hosts/VM
- Deciding which feature (on-host agent or agentless) of NetBackup Snapshot Manager is to be used for protecting the assets
- Protecting assets with NetBackup Snapshot Manager's on-host agent feature
- Installing and configuring NetBackup Snapshot Manager agent
- Configuring the NetBackup Snapshot Manager application plug-in
- Configuring an application plug-in
- Microsoft SQL plug-in
- Oracle plug-in
- Protecting assets with NetBackup Snapshot Manager's agentless feature
- Snapshot Manager for cloud catalog backup and recovery
- NetBackup Snapshot Manager for cloud assets protection
- Volume encryption in NetBackup Snapshot Manager for cloud
- NetBackup Snapshot Manager for Cloud security
- Preparing for NetBackup Snapshot Manager for Cloud installation
- Section II. NetBackup Snapshot Manager for Cloud maintenance
- NetBackup Snapshot Manager for Cloud logging
- Upgrading NetBackup Snapshot Manager for Cloud
- About NetBackup Snapshot Manager for Cloud upgrades
- Supported upgrade path
- Upgrade scenarios
- Preparing to upgrade NetBackup Snapshot Manager
- Upgrading NetBackup Snapshot Manager
- Upgrading NetBackup Snapshot Manager using patch or hotfix
- Applying operating system patches on NetBackup Snapshot Manager host
- Migrating and upgrading NetBackup Snapshot Manager
- GCP configuration for migration from zone to region
- Post-upgrade tasks
- Post-migration tasks
- Uninstalling NetBackup Snapshot Manager for Cloud
- Preparing to uninstall NetBackup Snapshot Manager
- Backing up NetBackup Snapshot Manager
- Unconfiguring NetBackup Snapshot Manager plug-ins
- Unconfiguring NetBackup Snapshot Manager agents
- Removing the NetBackup Snapshot Manager agents
- Removing NetBackup Snapshot Manager from a standalone Docker host environment
- Removing NetBackup Snapshot Manager extensions - VM-based or managed Kubernetes cluster-based
- Restoring NetBackup Snapshot Manager
- Troubleshooting NetBackup Snapshot Manager for Cloud
- Troubleshooting NetBackup Snapshot Manager
- SQL snapshot or restore and granular restore operations fail if the Windows instance loses connectivity with the NetBackup Snapshot Manager host
- Disk-level snapshot restore fails if the original disk is detached from the instance
- Discovery is not working even after assigning system managed identity to the control node pool
- Performance issue with GCP backup from snapshot
- Post migration on host agents fail with an error message
- File restore job fails with an error message
- Acknowledgment not received for datamover
- Google Cloud Platform does display the Snapshot ID of the disk
- Application state of the connected/configured cloud VM(s) displays an error after upgrading to NetBackup Snapshot Manager version 11.x
- Backup and restore jobs fail with timeout error
- GCP restore with encryption key failed with an error message
- Amazon Redshift clusters and databases not available after discovery
- Shared VPC subnet not visible
- Container manager may not spawn the ephemeral registration container timely
- GCP restore from VM fails to obtain firewall rules
- Parameterised VM restore fails to retrieve encryption keys
- Restore from snapshot of a VM with security type Trusted Launch fails
- Snapshot Manager failed to retrieve the specified cloud domain(s), against the specified plugin instance
- Issues with SELinux configuration
- Performance issues with OCI backup from snapshot and restore from backup copy
- Connection to Amazon Linux 2023 or Alma Linux machines fail
- Single file restore from snapshot copy fails with an error
- MS SQL application backup, restore, or SFR job on Windows cloud VM fails with an error
- Status 49 error appears
- Restore from backup fails with an error
- (For AWS) If the specified AMI is not subscribed in the given region an error message appears
- Restore of Azure Disk Encrypted VM fails with an error
Volume encryption for Azure
You can encrypt disks in Azure using the following methods:
Default encryption, using Platform Managed Key (PMK)
Customer Managed Key (CMK) using Azure Key vault
Double Encryption at rest
For more information on Azure encryption, refer to 'Data encryption models' section of Microsoft Azure documentation.
Table: Encryption for creating snapshots
Disk encryption | Snapshot encryption |
|---|---|
Platform Managed Key (PMK) | Same PMK is used as the source disk. |
Customer Managed Key (CMK) | Same CMK is used as the source disk. |
Double Encryption (PMK_CMK) | Same CMK is used as the source disk. |
Table: Encryption for restoring snapshots
Snapshot encryption | Restored disk encryption |
|---|---|
PMK | Same PMK is used as the snapshot. |
CMK | Same CMK is used as the snapshot. |
PMK_CMK | Same CMK is used as the snapshot. |
Table: Encryption for restoring from backup
Snapshot encryption | Restored disk encryption |
|---|---|
PMK | Same PMK is used as the source disk. |
CMK | Same CMK is used as the source disk. |
PMK_CMK | Same CMK is used as the source disk, else PMK is used. |
Table: Encryption during VM restore from snapshot or backup
Snapshot encryption | Restored disk encryption |
|---|---|
PMK | Encryption on disk can be PMK/CMK as per user selection during restore. |
CMK | Encryption on disk can be PMK/CMK as per user selection during restore. |
PMK_CMK | Encryption on disk can be PMK/CMK/PMK_CMK as per user selection during restore. |
To enable restore from snapshot or backups of VM with CMK encrypted disks, assign the following permissions to the key vault used for encryption:
Create new access policy in the desired Key Vault.
For more information on Key Vault access policy, refer to 'Assign a Key Vault access policy' section of Microsoft Azure documentation.
Add the following permissions under Permissions tab from the respective sections under Key Permissions:
Section
Permission
Key Management Operations
Get
Cryptographic Operations
Wrap Key
Unwrap Key
In the Principal tab, select Object ID of service principal used in provider configuration.
Review and create access policy.
Follow Step 1 to Step 4 to assign same permissions for the ObjectID of service principal of Disk Encryption Set.
Key vault: Azure role-based access control permission
When key vault is created with Azure role-based access control permission model:
Add a role with permission and assign application service principal to it.
Similarly add permission and assign application service principal to it.
For more information refer to 'Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control' section of Microsoft Azure documentation.
System managed identity: Enabled
If system managed identity is enabled on NetBackup Snapshot Manager, assign the following roles to the managed identity:
Role | Managed identity |
|---|---|
Key Vault Reader | Virtual machine scale set |
Key Vault Secrets officer | Virtual machine scale set |
Key Vault Crypto Service Encryption User | App (Disk Encryption Set) |
User managed identity: Enabled
If user managed identity is enabled on NetBackup Snapshot Manager, then assign the role to the user managed identity in the key vault.