Add Azure immutable backup location

Portworx Backup now supports Azure Blob immutable storage containers as backup locations. This feature aims to extend the current support for S3 object lock to Azure Blob Storage, ensuring data protection through immutability support and implements version-level Write Once Read Many (WORM) policy at both storage-account level and container level.

Immutability support helps to protect data from overwrites and deletes. Starting from Portworx Backup version 2.7.3, you can add your containers (that support immutability) as a backup location through the Portworx Backup web console. You will need new Azure credentials and configurations to add immutable Azure backup locations.

For more information, refer to Azure immutable storage concepts.

Azure immutable backup location supports:

• Time-based retention policies with a minimum retention period of 7 days
• Version-level WORM policies at both storage account and container levels
• Azure container locked and unlocked policies
• Immutability for backups orchestrated via Portworx (cloudsnaps), generic/KDMP and CSI backups
• Azure Blob immutability in 'Global' and 'China' regions
• Auto-detection of immutability on Azure Blob containers
• Alerting for Azure immutable backup locations
• Denial of delete operations on backups stored in Azure immutable backup location until their retention period is over
• Validation mechanism for immutable Azure backup locations
• Usage of backup schedule/policy with an immutable Azure backup location
• Immutability with and without the soft delete option; Soft delete recovery is supported only for Portworx cloud snapshot backups (taken without offload to backup location option) of Portworx volumes

What is not supported

• Legal hold based immutability support, blob granular and container-level WORM policy are not supported
• Recovery of backups of non-portworx volumes to Azure containers that have soft delete enabled is not supported

Before you begin

Refer the following topics from Azure documentation:

1. Container-level WORM policies for immutable blob data
2. Version-level WORM policies for immutable blob data
3. Configure immutability policies for containers
4. Configure immutability policies for blob versions

Refer the following topics from Portworx Backup documentation:

1. Get started to familiarize yourself on how to install or upgrade Portworx Backup
2. AKS cluster prerequisites to learn about the required prerequisites to configure Azure cluster

Azure Portal prerequisites

1. Azure resource group name

2. At the Storage Account Level:

   • Enable versioning for blobs: enable versioning on the storage account to ensure that every version of an object is preserved. This is essential for maintaining the history of changes and for the retrieval of previous versions if needed.
   • Version level immutability support: configure immutability support on the storage account to enforce WORM at the version level. This prevents any version of an object from being altered or deleted within a specified retention period.

3. Set retention policy either at storage account-level or container-level.

   note

   1. Portworx backup supports both locked and unlocked retention policies and you can set these policies at both storage account and container level through Azure Portal.
   2. Retention policies set at container level will have precedence over those set at storage account level.

Add Azure immutable backup location

To add an Azure immutable backup location use the Portworx Backup web console. You can add an Azure immutable backup location based out of any geography worldwide or in China.

Prerequisites

• Make sure a locked or unlocked container exists with versioning enabled and immutable support set
• Add Azure cloud account in Portworx backup web console

Perform the following steps to add Azure global backup location in Portworx Backup:

To add an Azure immutable backup location:

1. In the home page, from the left navigation pane, click Clusters.

2. In the upper-right corner, click Settings > Cloud Settings:

   

3. In the Backup Locations section, click Add:

   

4. In the Add Backup Location window, populate the following fields:

   
   • Name: specify the name for the backup location, Portworx Backup displays this name as backup location name in the web console
     
   • Cloud Account: choose the Azure credentials this backup location will use to create backups
     
   • Path/Bucket: specify the name of the container this backup location will place backups onto
     
   • Encryption key (Optional): enter the optional encryption key to encrypt your backups in-transit
     
   • Azure Environment: this drop-down lists two regions; Azure Global and Azure China and by default takes Azure Global as the value for Azure environment. Choose Azure Global or Azure China (based on the geographical location of your backup target) to add your Azure backup location.
     
   • Resource group name: name of the Azure resource group and this field is mandatory to add an immutable Azure backup location

5. Click Add.

Portworx Backup validates the data you have provided in the above fields, adds the backup location if the data is accurate and then displays the added Azure immutable backup location in Home page > Clusters > Settings > Cloud Settings > Backup Locations page.

If data provided is inaccurate, the web console displays an error message stating it failed to add the backup location.

Manage Azure immutable backup location

After you add an Azure immutable backup location, you can perform the following actions on the added backup location:

• View Json: provides metadata, detailed information on backup location and the email ID of the backup location owner
  
• Remove: deletes the backup location from the system and the display
  
• Edit: allows you to change the cloud account associated with the backup location
  
• Validate: validates the backup location after it is added
  
• User Access: allows you to change the backup location accessibility to public (all the users who use Portworx Backup web console) or to a single user or group

note

Backups stored in immutable container(s) or containers associated with immutable storage accounts cannot be deleted if their retention period is still active. You can delete the backups only after the container(s) retention period expires.