Create an Object Lock-Enabled Scheduled Backup

Object lock-enabled backups protect backup data from modification or deletion for a specified retention period, providing immutability for compliance, ransomware protection, and long-term data retention requirements. Portworx Backup supports creating scheduled backups on S3-compatible backup locations that have S3 Object Lock enabled.

note

Immutable object storage behavior depends on the underlying storage provider.

• Amazon S3 Object Lock

  • Supports Compliance and Governance modes.
  • Compliance mode prevents deletion by any user until the retention period expires.
  • Governance mode allows authorized users to bypass retention restrictions.

• Azure Immutable Blob Storage

  • Supports immutable storage using time-based retention and legal hold policies.

Refer to the respective cloud provider documentation for provider-specific retention behavior and limitations.

Prerequisites

Before creating an object lock-enabled scheduled backup, ensure the following:

• Object lock-enabled backup location: An object lock-enabled backup location must already be added to Portworx Backup. S3 Object Lock must be enabled at bucket creation time. It cannot be enabled on an existing S3 bucket. For supported S3-compatible providers, see the Backup Location Support Matrix. For setup instructions, see:
  • Add an object lock-enabled S3 backup location
  • Add an immutable Azure backup location
• Locked schedule policy: A locked schedule policy with a retention period greater than the schedule interval must be configured. For more information, see Schedule policies.
• Storage lifecycle management policy: Configure lifecycle management policies on the immutable object store to manage retained object versions and expired delete markers. Without lifecycle management, retained object versions and delete markers may accumulate over time and increase storage usage.

For provider-specific configuration details, refer to:

• AWS S3 Lifecycle Management
• Azure Blob Storage lifecycle management

note

Immutable retention is enforced by the underlying object storage configuration. If the retention period defined in the schedule policy does not match the bucket's Object Lock retention period, it can lead to:

• Over-retention — Backups are retained longer than expected, increasing storage costs.
• Delete failures — Portworx Backup cannot delete backups until the bucket retention period expires.

Ensure that the schedule policy retention period aligns with the retention configuration of the underlying immutable object store.

Create an object lock-enabled scheduled backup

To create an object lock-enabled backup:

1. On the Portworx Backup clusters page, select the cluster you want to back up.

2. Select the namespaces and apply label selectors to filter the resources you want to back up.

3. Click Backup.

4. In the Create Backup window, specify the following fields, refer Create a backup for more information on these fields.

   

   • Enter name for Backup: provide a relevant name for your backup

   • Backup location: choose the object lock-enabled backup location you have created previously from the drop-down

     note

     Backup location drop-down displays only the successfully validated object store or NFS backup locations.

   • Cross Cloud Backup/Restore: you can enable or disable this option. For more information on this option, refer Create backup.

   • Snapshot Class Mapping: facilitates mapping of your storage provisioner with volume snapshot class

     • CSI Provisioner: lists the CSI provisioners associated with the PVCs present in the namespaces selected for the backup

     • Volume snapshot class: lists all the volume snapshot class (vsc) resources along with default vsc

     • Offload CSI snapshots to backup location: offloads the CSI snapshot to the specified backup location

   • Backup type: allows you to choose the type of backup required (manual or scheduled backup)

     • On a schedule: enable this option to create an object lock-enabled scheduled backup

       • Choose a schedule policy: select a schedule policy from the drop-down list

       • Allow parallel backup: select this option to enable Portworx Backup to trigger a new scheduled backup even when the previous scheduled backup is still in progress (uploading snapshots to the cloud). Refer to Parallel backup schedules for more information on how this feature works in the backend.

       note

       The parallel backup option is applied only for Portworx volumes and will not work for other volume types.

   • Pre-exec rule: select a rule from the drop-down to execute before the backup is created

   • Post-exec rule: select a post rule you want to execute after the backup is created

   • Backup Labels: any labels that you want to add to the backup you are going to create

   • NAMESPACES LIST: lists all the namespaces selected for backup creation

   note

   When changing the retention period between two scheduled backups, set the new retention period to a value greater than the schedule interval. For example, if backups run every 7 days, the retention period must exceed 7 days. Setting a retention period shorter than the schedule interval may result in backup failures or rejected writes on the object lock-enabled bucket.

5. Click Create.

The object lock-enabled scheduled backup is created. It appears in the Backups list with a lock icon, indicating that object lock protection is active. To verify the schedule is running, go to Backup schedules and confirm that the next run time is displayed.

Update object lock-enabled backups

You can add new labels or delete a pre-applied label on your object lock-enabled backups using the Edit option. To update labels on an object lock-enabled manual or scheduled backup:

1. In the home page, click Clusters icon.

2. Select the cluster where you have created the object lock-enabled backup.

3. Select the Backup tab to view the list of all object lock-enabled backups you have created.

4. Select the Vertical ellipsis of the object lock-enabled backup you need to update and choose Edit.

5. Enter new backup label(s) or delete a pre-applied label and select Update. You can apply multiple labels to your object lock-enabled backup to filter them later based on the need.

Update the backup schedule

To modify the schedule policy, retention period, or other schedule settings for an object lock-enabled scheduled backup, use the Backup schedules tab in the Portworx Backup UI. For more information, see Backup schedules.