BDRC cross-account unified management lets you centrally manage data protection for resources across multiple accounts with a unified view, configuration, monitoring, and alerting, reducing operational overhead and improving disaster recovery consistency and compliance.
How it works
BDRC cross-account unified management is built on Resource Directory, the foundational service for building multi-account structures and centrally managing resources on Alibaba Cloud. As a trusted service of Resource Directory, BDRC uses its organizational structure and authorization model to centrally manage data disaster recovery for member accounts within the organization.
After a delegated administrator account (a member account authorized by the management account to perform management tasks for the organization in BDRC) enables cross-account unified management and adds member accounts, BDRC creates the AliyunServiceRoleForBdrcRd service-linked role to access resources in those member accounts. The management account can then switch to a member account view in the BDRC console to check data protection scores, view resource information, and configure unified protection policies.
In a cross-account scenario, the delegated administrator account and member accounts can perform the following operations:
|
Member account resources |
Delegated administrator actions |
Member account actions |
|
ECS/OSS/NAS/Tablestore |
|
|
|
OSS/Tablestore |
|
|
Enable cross-account unified management
Prerequisites
Enable Resource Directory, and then create member accounts or invite existing Alibaba Cloud accounts to join your resource directory. For more information, see Create a member or Invite an Alibaba Cloud account to join a resource directory.
Step 1: Set the delegated administrator
-
Log on to the Resource Management console with your management account.
-
In the left-side navigation pane, choose .
-
Search for BDRC and click Manage in the Actions column.
-
In the Delegated administrator account section, click Add, select the member account that you want to set as the delegated administrator, and then click OK.
After the management account grants authorization, the delegated administrator account can access the Resource Directory organization and member information and perform administrative operations in the BDRC console.
Step 2: Enable cross-account unified management
-
Log on to the BDRC console with the delegated administrator account.
-
In the left-side navigation pane, choose Cross-account unified management. Then, follow the on-screen instructions to enable the feature.
If the prerequisite check fails, follow the on-screen instructions to complete the prerequisite tasks and set the delegated administrator.
Step 3: Manage accounts
-
In the left-side navigation pane, choose Cross-account unified management, and then click the Account Management tab.
-
On the Cross-account Management Settings page, select the member accounts, the folders that contain the member accounts, or the entire Resource Directory that you want to manage, and then click OK.
NoteWhen you select a folder or Resource Directory for management, all accounts within it are automatically managed. For a managed folder or Resource Directory, new accounts added to it are automatically managed, and accounts removed from it are automatically unmanaged. Data for accounts removed from the management scope is cleared.
After the accounts are added, they appear in the cross-account management list.
Step 4: View member resources
After you complete these steps, you can use the delegated administrator account in the BDRC console to view and manage data disaster recovery for your member accounts. You can switch between managed member accounts. The following table describes account switching support on each page.
|
Page |
Account switching support |
|
Overview |
You can select multiple accounts for an aggregated view or switch to a single account view. |
|
|
You can switch to a single account view. |
|
Resource center (ECS/OSS/NAS/Tablestore) |
You can select multiple accounts for an aggregated view or switch to a single account view. |
|
Risk detection |
You can select multiple accounts for an aggregated view or switch to a single account view. |
When you switch accounts on one page, the selection persists across all other pages that support account switching. If you switch from a multi-account view to a single-account view page, the view defaults to the first account in your selection.
View multi-account data protection scores
View the data protection dashboard
On the Overview page, use the delegated administrator account to select member accounts and view their aggregated data:
-
By default, the dashboard displays the data protection score for the current account.
-
You can select multiple accounts to view aggregated data.
-
The resource category filter shows only the categories associated with the current account. For example, if you select both Account A and Account B and then filter by the
importantresource category (which is associated only with resources in Account A), the dashboard displays the score only for the resources in Account A that belong to theimportantcategory.
Download the data protection report
After you filter by account and resource category, click Preview and Download Report to download the report.
Configure protection policies for multiple accounts
Configure cross-account resource categories
On the Resource category management page, you can associate tags from multiple accounts to categorize resources across accounts:
-
Log on to the BDRC console with the delegated administrator account.
-
In the left-side navigation pane, choose .
-
Click Create Resource Category and follow the on-screen instructions to create a resource category.
NoteThe tags that you associate with a resource category are matched against resources in all managed accounts. After you select the tags, you can click Detect Resources to view the number of affected accounts and resources.
Configure cross-account protection policies
The delegated administrator account can configure unified protection policies and apply them to multiple member accounts:
-
Log on to the BDRC console with the delegated administrator account.
-
In the left-side navigation pane, choose Protection Policy Center, and then follow the on-screen instructions to create a protection policy.
The sub-policies associated with a protection policy created by the delegated administrator account belong to that same account and are not linked to Cloud Backup policies in other member accounts. Cross-account policies apply to resources in member accounts through their association with resource categories, so you do not need to switch to each member account to configure policies individually.
For ECS, automatic snapshot policies cannot be applied to cross-account resources. They can only be applied to resources in the current account. For multi-account management, use ECS instance backup. We recommend that you do not use both the Cloud Backup service for ECS instance backup and the disk snapshot service on the same disk. This prevents potential conflicts between snapshot execution times.
Disable cross-account unified management
Step 1: Unmanage accounts
-
Log on to the BDRC console with the delegated administrator account.
-
In the left-side navigation pane, choose Cross-account unified management.
-
In the list of member accounts, find the account that you want to unmanage, click Unmanage, and then click OK.
-
You cannot individually unmanage a member account that was automatically managed as part of a folder. Instead, go to the Account Management tab and remove the entire folder from management. After the folder is removed, all member accounts within it are unmanaged.
-
After a member account is unmanaged, the associated tags and protection policies no longer apply to its resources. The associations between the account's resources and any sub-policies are also removed.
Step 2: (Optional) Remove the delegated administrator
To revoke the BDRC management permissions from the delegated administrator account, follow these steps:
Before you proceed, ensure that the delegated administrator account is not managing any member accounts. You cannot remove a delegated administrator that is still managing member accounts.
-
Log on to the Resource Management console with your management account.
-
In the left-side navigation pane, choose .
-
Search for BDRC and click Manage in the Actions column.
-
In the Delegated administrator account section, find the account that you want to remove, click Remove in the Actions column, and then click OK.
Limitations
Enabling cross-account unified management does not prevent member accounts from enabling and using BDRC independently. Each member account's BDRC configuration is independent of the delegated administrator account. The delegated administrator and member accounts do not share resource categories, protection policies, or notifications.
Billing
The BDRC cross-account management feature itself is free of charge. However, when you improve a resource’s data protection score or remediate disaster recovery risks, standard charges for underlying services such as disk snapshots and Cloud Backup apply. For more information, see Billing.