Tutorial: Enable Vault Tier backups for AKS and restore across regions by using Azure Backup

This tutorial describes how to create backups for an AKS cluster stored in the Secondary Region (Azure Paired region). Then perform a Cross Region Restore to recover the AKS Cluster during regional disaster.

Azure Backup allows you to store AKS cluster backups in both Operational Tier and Vault Tier. This feature enables you to move snapshot-based AKS backups stored in Operational Tier to a Vault-standard Tier. You can use the backup policy, to define whether to store backups just in Operational Tier as snapshots or also protect them in Vault Tier along with Operational. Vaulted backups are stored offsite, which protects them from tenant compromise, malicious attacks, and ransomware threats. You can also retain the backup data for long term. Additionally, you can perform Cross Region Restore by configuring the Backup vault with storage redundancy set as global and Cross Region Restore property enabled. Learn more.

Consideration

For backups to be available in Secondary region (Azure Paired Region), create a Backup vault with Storage Redundancy enabled as Globally Redundant and Cross Region Restore enable.

Configure Vault Tier backup

To use AKS backup for regional disaster recovery, store the backups in Vault Tier. You can enable this capability by creating a backup policy with retention policy set for Vault-standard datastore.

To set the retention policy in a backup policy, follow these steps:

  1. Select the backup policy.

  2. On the Schedule + retention tab, define the frequency of backups and how long they need to be retained in Operational and Vault Tier (also called datastore).

    Backup Frequency: Select the backup frequency (hourly or daily), and then choose the retention duration for the backups.

    Screenshot that shows selection of backup frequency.

    Retention Setting: A new backup policy has two retention rules. You can also create additional retention rules to store backups for a longer duration that are taken daily or weekly.

    • Default: This rule defines the default retention duration for all the operational tier backups taken. You can only edit this rule and can’t delete it.

    • First successful backup taken every day: In addition to the default rule, every first successful backup of the day can be retained in the Operational datastore and Vault-standard store. You can edit and delete this rule (if you want to retain backups in Operational datastore).

With the new backup policy, you can configure protection for the AKS cluster and store in both Operational Tier (as snapshot) and Vault Tier (as blobs). Once the configuration is complete, the backups stored in the vault are available in the Secondary Region (an Azure paired region) for restore that can be used when during regional outage.

Restore in secondary region

If there is an outage in the primary region, you can use the recovery points stored in Vault Tier in the secondary region to restore the AKS cluster. Follow these steps:

  1. Go to Backup center and select Restore.

    Screenshot shows how to start the restore process.

  2. On the next page, select Select backup instance, and then select the instance that you want to restore.

    If a disaster occurs and there is an outage in the Primary Region, select Secondary Region. Then, it allows you to choose recovery points available in the Azure Paired Region.

    Screenshot shows selection of backup instance for restore.

    Screenshot shows choosing instances for restore.

    Screenshot shows the selection of the secondary region.

  3. Click Select restore point to select the restore point you want to restore.

    If the restore point is available in both Vault and Operation datastore, select the one you want to restore from.

    Screenshot shows how to view the restore points.

    Screenshot shows selection of a restore point.

  4. In the Restore parameters section, click Select Kubernetes Service and select the AKS cluster to which you want to restore the backup to.

    Screenshot shows how to initiate parameter selection.

    Screenshot shows selection of AKS instance.

    Screenshot shows the Restore page with the selection of Kubernetes parameter.

  5. The backups stored in the Vault need to be moved to a Staging Location before being restored to the AKS Cluster. Provide a snapshot resource group and storage account as a Staging Location.

    Screenshot shows the parameters to add for restore from Vault-standard storage.

    Screenshot shows the storage parameter to add for restore from Vault-standard storage.

Note

Currently, resources created in the staging location can't belong within a Private Endpoint. Ensure that you enable public access on the storage account provided as a staging location.

  1. Select Validate to run validation on the cluster selections for restore.

    Screenshot shows the validation of restore parameters.

  2. Once the validation is successful, select Restore to trigger the restore operation.

    Screenshot shows how to start the restore operation.

  3. You can track this restore operation by the Backup Job named as CrossRegionRestore.

Next steps