NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Last Published:
Product(s): NetBackup & Alta Data Protection (11.0)
  1. Introduction
    1.  
      About the deployment approach
    2.  
      Deciding where to run NetBackup Snapshot Manager for Cloud
    3.  
      About deploying NetBackup Snapshot Manager in the cloud
  2. Section I. NetBackup Snapshot Manager for Cloud installation and configuration
    1. Preparing for NetBackup Snapshot Manager for Cloud installation
      1.  
        Meeting system requirements
      2.  
        NetBackup Snapshot Manager host sizing recommendations
      3.  
        NetBackup Snapshot Manager extension sizing recommendations
      4.  
        Creating an instance or preparing the host to install NetBackup Snapshot Manager
      5.  
        Installing container platform (Docker, Podman)
      6.  
        Creating and mounting a volume to store NetBackup Snapshot Manager data
      7.  
        Verifying that specific ports are open on the instance or physical host
      8.  
        Preparing NetBackup Snapshot Manager for backup from snapshot jobs
      9.  
        OCI - iptables rules for backup from snapshot jobs
    2. Deploying NetBackup Snapshot Manager for Cloud using container images
      1.  
        Before you begin installing NetBackup Snapshot Manager
      2.  
        Installing NetBackup Snapshot Manager in the Docker/Podman environment
      3.  
        Installing NetBackup Snapshot Manager on CIS Level 2 v2 configured host
      4.  
        Securing the connection to NetBackup Snapshot Manager
      5.  
        Verifying that NetBackup Snapshot Manager is installed successfully
      6.  
        Restarting NetBackup Snapshot Manager
    3. Deploying NetBackup Snapshot Manager for Cloud extensions
      1.  
        Before you begin installing NetBackup Snapshot Manager extensions
      2.  
        Downloading the NetBackup Snapshot Manager extension
      3. Installing the NetBackup Snapshot Manager extension on a VM
        1.  
          Prerequisites to install the extension on VM
        2.  
          Installing the extension on a VM
      4. Installing the NetBackup Snapshot Manager extension on a managed Kubernetes cluster (AKS) in Azure
        1.  
          Prerequisites to install the extension on a managed Kubernetes cluster in Azure
        2.  
          Installing the extension on Azure (AKS)
      5. Installing the NetBackup Snapshot Manager extension on a managed Kubernetes cluster (EKS) in AWS
        1.  
          Prerequisites to install the extension on a managed Kubernetes cluster in AWS
        2. Installing the extension on AWS (EKS)
          1.  
            Install extension using the extension script
      6. Installing the NetBackup Snapshot Manager extension on a managed Kubernetes cluster (GKE) in GCP
        1.  
          Prerequisites to install the extension on a managed Kubernetes cluster in GCP
        2.  
          Installing the extension on GCP (GKE)
      7.  
        Install extension using the Kustomize and CR YAMLs
      8.  
        Managing the extensions
    4. NetBackup Snapshot Manager for cloud providers
      1.  
        Why to configure the NetBackup Snapshot Manager cloud providers?
      2. AWS plug-in configuration notes
        1.  
          Prerequisites for configuring the AWS plug-in
        2.  
          Before you create a cross account configuration
        3.  
          Prerequisites for application consistent snapshots using AWS Systems Service Manager
        4.  
          Prerequisites for configuring AWS plug-in using VPC endpoint
        5.  
          AWS permissions required by NetBackup Snapshot Manager
        6.  
          Configuring AWS permissions for NetBackup Snapshot Manager
      3. Google Cloud Platform plug-in configuration notes
        1. Prerequisites for configuring the GCP plug-in using Credential and Service Account option
          1.  
            Additional prerequisites for configuring the GCP plug-in using Service Account option
        2.  
          Google Cloud Platform permissions required by NetBackup Snapshot Manager
        3.  
          Preparing the GCP service account for plug-in configuration
        4.  
          Configuring a GCP service account for NetBackup Snapshot Manager
        5.  
          GCP cross-project configuration
        6.  
          GCP shared VPC configuration
      4. Microsoft Azure plug-in configuration notes
        1.  
          Configuring permissions on Microsoft Azure
        2.  
          About Azure snapshots
      5. Microsoft Azure Stack Hub plug-in configuration notes
        1.  
          Configuring permissions on Microsoft Azure Stack Hub
        2.  
          Configuring staging location for Azure Stack Hub VMs to restore from backup
        3.  
          About Azure Stack Hub snapshots
      6. OCI plug-in configuration notes
        1.  
          Limitation of NetBackup OCI support
        2.  
          Prerequisite for configuring the OCI plug-in
        3.  
          OCI configuration parameters
        4.  
          Configuring host support for OCI
        5.  
          OCI permissions required by NetBackup Snapshot Manager
      7.  
        Cloud Service Provider endpoints for DBPaaS
    5. Configuration for protecting assets on cloud hosts/VM
      1.  
        Deciding which feature (on-host agent or agentless) of NetBackup Snapshot Manager is to be used for protecting the assets
      2. Protecting assets with NetBackup Snapshot Manager's on-host agent feature
        1. Installing and configuring NetBackup Snapshot Manager agent
          1.  
            Downloading and installing the NetBackup Snapshot Manager agent
          2. Linux-based agent
            1.  
              Preparing to install the Linux-based agent
            2.  
              Registering the Linux-based agent
          3. Windows-based agent
            1.  
              Preparing to install the Windows-based agent
            2.  
              Registering the Windows-based agent
        2. Configuring the NetBackup Snapshot Manager application plug-in
          1.  
            Configuring an application plug-in
          2. Microsoft SQL plug-in
            1.  
              Microsoft SQL plug-in configuration requirements
            2.  
              Restore requirements and limitations for Microsoft SQL Server
            3.  
              Steps required before restoring SQL AG databases
            4.  
              Additional steps required after restoring SQL AG databases
            5. Additional steps required after a SQL Server instance snapshot restore
              1.  
                Steps required after a SQL Server host-level restore
              2.  
                Steps required after a SQL Server instance disk-level snapshot restore to new location
          3. Oracle plug-in
            1. Oracle plug-in configuration requirements
              1.  
                Optimizing your Oracle database data and metadata files
            2.  
              Restore requirements and limitations for Oracle
            3.  
              Additional steps required after an Oracle snapshot restore
      3. Protecting assets with NetBackup Snapshot Manager's agentless feature
        1.  
          Prerequisites for the agentless configuration
        2.  
          Configuring the agentless feature
        3.  
          Configuring the agentless feature after upgrading NetBackup Snapshot Manager
    6. Snapshot Manager for cloud catalog backup and recovery
      1.  
        About using script
      2.  
        NetBackup Snapshot Manager data backup
      3.  
        NetBackup Snapshot Manager data recovery
    7. NetBackup Snapshot Manager for cloud assets protection
      1. NetBackup protection plan
        1.  
          Creating a NetBackup protection plan for cloud assets
        2.  
          Subscribing cloud assets to a NetBackup protection plan
      2.  
        Assigning tags on snapshots and Restore Point Collection
      3.  
        Configuring VSS to store shadow copies on the originating drive
    8. Volume encryption in NetBackup Snapshot Manager for cloud
      1.  
        About volume encryption support in NetBackup Snapshot Manager
      2.  
        Volume encryption for Azure
      3.  
        Volume encryption for GCP
      4.  
        Volume encryption for AWS
      5.  
        Volume encryption for OCI
    9. NetBackup Snapshot Manager for Cloud security
      1.  
        Configuring security for Azure Stack
      2.  
        Configuring the cloud connector for Azure Stack
      3.  
        CA configuration for Azure Stack
  3. Section II. NetBackup Snapshot Manager for Cloud maintenance
    1. NetBackup Snapshot Manager for Cloud logging
      1.  
        About NetBackup Snapshot Manager logging mechanism
      2. How Fluentd-based NetBackup Snapshot Manager logging works
        1.  
          About the NetBackup Snapshot Manager fluentd configuration file
        2.  
          Modifying the fluentd configuration file
      3.  
        NetBackup Snapshot Manager logs
      4.  
        Agentless logs
      5.  
        Troubleshooting NetBackup Snapshot Manager logging
    2. Upgrading NetBackup Snapshot Manager for Cloud
      1.  
        About NetBackup Snapshot Manager for Cloud upgrades
      2.  
        Supported upgrade path
      3.  
        Upgrade scenarios
      4.  
        Preparing to upgrade NetBackup Snapshot Manager
      5.  
        Upgrading NetBackup Snapshot Manager
      6.  
        Upgrading NetBackup Snapshot Manager using patch or hotfix
      7.  
        Applying operating system patches on NetBackup Snapshot Manager host
      8. Migrating and upgrading NetBackup Snapshot Manager
        1.  
          Before you begin migrating NetBackup Snapshot Manager
        2.  
          Migrate and upgrade NetBackup Snapshot Manager on RHEL 8.x and 9.x
      9.  
        GCP configuration for migration from zone to region
      10. Post-upgrade tasks
        1.  
          Upgrading NetBackup Snapshot Manager extensions
        2.  
          Post upgrade limitations
      11.  
        Post-migration tasks
    3. Uninstalling NetBackup Snapshot Manager for Cloud
      1.  
        Preparing to uninstall NetBackup Snapshot Manager
      2.  
        Backing up NetBackup Snapshot Manager
      3.  
        Unconfiguring NetBackup Snapshot Manager plug-ins
      4.  
        Unconfiguring NetBackup Snapshot Manager agents
      5.  
        Removing the NetBackup Snapshot Manager agents
      6.  
        Removing NetBackup Snapshot Manager from a standalone Docker host environment
      7.  
        Removing NetBackup Snapshot Manager extensions - VM-based or managed Kubernetes cluster-based
      8.  
        Restoring NetBackup Snapshot Manager
    4. Troubleshooting NetBackup Snapshot Manager for Cloud
      1.  
        Troubleshooting NetBackup Snapshot Manager
      2.  
        SQL snapshot or restore and granular restore operations fail if the Windows instance loses connectivity with the NetBackup Snapshot Manager host
      3.  
        Disk-level snapshot restore fails if the original disk is detached from the instance
      4.  
        Discovery is not working even after assigning system managed identity to the control node pool
      5.  
        Performance issue with GCP backup from snapshot
      6.  
        Post migration on host agents fail with an error message
      7.  
        File restore job fails with an error message
      8.  
        Acknowledgment not received for datamover
      9.  
        Google Cloud Platform does display the Snapshot ID of the disk
      10.  
        Application state of the connected/configured cloud VM(s) displays an error after upgrading to NetBackup Snapshot Manager version 11.x
      11.  
        Backup and restore jobs fail with timeout error
      12.  
        GCP restore with encryption key failed with an error message
      13.  
        Amazon Redshift clusters and databases not available after discovery
      14.  
        Shared VPC subnet not visible
      15.  
        Container manager may not spawn the ephemeral registration container timely
      16.  
        GCP restore from VM fails to obtain firewall rules
      17.  
        Parameterised VM restore fails to retrieve encryption keys
      18.  
        Restore from snapshot of a VM with security type Trusted Launch fails
      19.  
        Snapshot Manager failed to retrieve the specified cloud domain(s), against the specified plugin instance
      20.  
        Issues with SELinux configuration
      21.  
        Performance issues with OCI backup from snapshot and restore from backup copy
      22.  
        Connection to Amazon Linux 2023 or Alma Linux machines fail
      23.  
        Single file restore from snapshot copy fails with an error
      24.  
        MS SQL application backup, restore, or SFR job on Windows cloud VM fails with an error
      25.  
        Status 49 error appears
      26.  
        Restore from backup fails with an error
      27.  
        (For AWS) If the specified AMI is not subscribed in the given region an error message appears
      28.  
        Restore of Azure Disk Encrypted VM fails with an error

OCI permissions required by NetBackup Snapshot Manager

The table lists the required permissions.

Table:

Permissions

Description

BOOT_VOLUME_BACKUP_CREATE

To take snapshots of the boot volume.

BOOT_VOLUME_BACKUP_DELETE

To delete the snapshot of the boot volume as per policy.

BOOT_VOLUME_BACKUP_INSPECT

To fetch the list of boot volume backup in the discovery.

BOOT_VOLUME_BACKUP_READ

To create boot volume from backup.

COMPARTMENT_INSPECT

To list availability domains, and to retrieve all the compartments in the tenancy.

INSTANCE_ATTACH_VOLUME

To attach the volume to the instance while restore.

INSTANCE_CREATE

To restore the instance.

INSTANCE_DELETE

To create and delete the instance that is created for boot volume restore from backup copy.

INSTANCE_DETACH_VOLUME

To detach volume after backup and restore operation.

INSTANCE_IMAGE_INSPECT

To fetch the OS details of the instance.

INSTANCE_INSPECT

To list various attachments like VNIC, volume, and so on.

INSTANCE_POWER_ACTIONS

To stop or start the instance during parameterized restore.

INSTANCE_READ

To list the instances in discovery and retrieve the details of the instance.

INSTANCE_UPDATE

Update the tags attached on the instance.

KEY_ASSOCIATE

To attach CMK in the parameterized restore.

KEY_DISASSOCIATE

To detach the CMK in the parameterized restore.

KEY_INSPECT

To list the keys in the vault.

KEY_READ

To get the key details.

NETWORK_SECURITY_GROUP_READ

List the network security group for parameterized restore.

NETWORK_SECURITY_GROUP_UPDATE_MEMBERS

To attach a network security group to an instance.

SUBNET_ATTACH

To launch the instance in a specific subnet.

SUBNET_DETACH

To terminate the instance in a specific subnet.

SUBNET_READ

To list subnets in parameterized restore.

TAG_NAMESPACE_CREATE

To create the tag namespace for NetBackup Snapshot Manager.

TAG_NAMESPACE_INSPECT

To check if the NetBackupSnapshot Manager tag namespace exists or not.

TAG_NAMESPACE_USE

To create the tag in the NetBackupSnapshot Manager tag namespace.

TENANCY_INSPECT

To get the details of the tenancy.

VAULT_INSPECT

To list the vaults and retrieve the keys.

VCN_READ

To get VCN details associated with the instance.

VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP

To associate the network security group while launching the instance.

VNIC_ATTACH

To launch the instance.

VNIC_ATTACHMENT_READ

To list the VNIC attachment.

VNIC_CREATE

To associate VNIC to the instance while launching the instance.

VNIC_DELETE

To delete the associated VNIC to delete the instance.

VNIC_READ

To fetch the VNIC information associated with the instance.

VOLUME_ATTACHMENT_CREATE

To attach the volume after restore.

VOLUME_ATTACHMENT_DELETE

To attach the volume after restore.

VOLUME_ATTACHMENT_INSPECT

To detach the volume after backup and restore.

VOLUME_BACKUP_CREATE

To take snapshots of the volume.

VOLUME_BACKUP_DELETE

To delete the snapshot of the volume as per policy.

VOLUME_BACKUP_INSPECT

To retrieve the list of volume backups during discovery.

VOLUME_BACKUP_READ

List volume backups during the discovery.

VOLUME_CREATE

To create volumes during restore.

VOLUME_DELETE

To delete volumes during parameterized restore if the availability domain is changed.

VOLUME_INSPECT

To list volumes during discovery.

VOLUME_UPDATE

To update the tags and different attributes of the volume.

VOLUME_WRITE

Create volume from snapshot.

Here is an example of assigning permissions to the policy that you create. Here, nbsm-iam-role is the name of dynamic group and NetBackup Snapshot Manager is a part of that dynamic group

Allow dynamic-group nbsm-iam-role to inspect compartments in tenancy
Allow dynamic-group nbsm-iam-role to inspect instance-images in tenancy
Allow dynamic-group nbsm-iam-role to inspect vnic-attachments in tenancy
Allow dynamic-group nbsm-iam-role to inspect vaults in tenancy
Allow dynamic-group nbsm-iam-role to read vcns in tenancy
Allow dynamic-group nbsm-iam-role to use keys in tenancy
Allow dynamic-group nbsm-iam-role to use subnets in tenancy where any { request.permission='SUBNET_DETACH', request.permission='SUBNET_ATTACH', request.permission='SUBNET_READ' }
Allow dynamic-group nbsm-iam-role to manage boot-volumes in tenancy where any { request.permission='BOOT_VOLUME_CREATE', request.permission='BOOT_VOLUME_DELETE', request.permission='BOOT_VOLUME_INSPECT', request.permission='BOOT_VOLUME_WRITE' }
Allow dynamic-group nbsm-iam-role to manage boot-volume-backups in tenancy where any { request.permission='BOOT_VOLUME_BACKUP_CREATE', request.permission='BOOT_VOLUME_BACKUP_DELETE', request.permission='BOOT_VOLUME_BACKUP_INSPECT', request.permission='BOOT_VOLUME_BACKUP_READ' , request.permission='BOOT_VOLUME_BACKUP_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage instances in tenancy where any { request.permission='INSTANCE_ATTACH_VOLUME', request.permission='INSTANCE_CREATE', request.permission='INSTANCE_DELETE', request.permission='INSTANCE_DETACH_VOLUME', request.permission='INSTANCE_INSPECT', request.permission='INSTANCE_READ', request.permission='INSTANCE_POWER_ACTIONS', request.permission='INSTANCE_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage network-security-groups in tenancy where any { request.permission='NETWORK_SECURITY_GROUP_READ', request.permission='NETWORK_SECURITY_GROUP_UPDATE_MEMBERS' }
Allow dynamic-group nbsm-iam-role to manage tag-namespaces in tenancy where any { request.permission='TAG_NAMESPACE_CREATE', request.permission='TAG_NAMESPACE_USE', request.permission='TAG_NAMESPACE_INSPECT' }
Allow dynamic-group nbsm-iam-role to manage volumes in tenancy where any { request.permission='VOLUME_CREATE', request.permission='VOLUME_DELETE', request.permission='VOLUME_INSPECT', request.permission='VOLUME_WRITE', request.permission='VOLUME_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage volume-attachments in tenancy where any { request.permission='VOLUME_ATTACHMENT_CREATE', request.permission='VOLUME_ATTACHMENT_DELETE', request.permission='VOLUME_ATTACHMENT_INSPECT' }
Allow dynamic-group nbsm-iam-role to manage volume-backups in tenancy where any { request.permission='VOLUME_BACKUP_CREATE', request.permission='VOLUME_BACKUP_DELETE', request.permission='VOLUME_BACKUP_INSPECT'request.permission='VOLUME_BACKUP_READ', request.permission='VOLUME_BACKUP_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage vnics in tenancy where any { request.permission='VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP', request.permission='VNIC_ATTACH', request.permission='VNIC_CREATE', request.permission='VNIC_DELETE', request.permission='VNIC_READ' }
Allow dynamic-group nbsm-iam-role to use key-delegate in tenancy