All Products
Search

This Product

    Cloud Backup:Preparations (Alibaba Cloud VMware Service)

    Document Center

    Cloud Backup:Preparations (Alibaba Cloud VMware Service)

    Last Updated:Jun 04, 2026

    Install and activate a disaster recovery gateway in an Alibaba Cloud VMware Service (ACVS) environment to back up and restore virtual machines through the Cloud Backup console.

    Overview

    Alibaba Cloud VMware Service (ACVS) is an enterprise-grade public cloud service jointly developed by Alibaba Cloud and VMware, providing a VMware Software-Defined Data Center (SDDC).

    (Recommended) Use a RAM user AccessKey for disaster recovery

    Resource Access Management (RAM) is an Alibaba Cloud service that lets you create and manage multiple identities under one account with different permissions.

    To activate a disaster recovery gateway, you need an AccessKey. Your Alibaba Cloud account AccessKey grants full access to all resources — if exposed, all resources are at risk. Use a RAM user AccessKey instead. Create a RAM user and AccessKey before starting: Create a RAM user, Create an AccessKey pair.

    Prerequisites

    • You have enabled the Alibaba Cloud Cloud Backup service. Although enabling Cloud Backup is free of charge, using the VMware backup and disaster recovery feature of Cloud Backup incurs fees for Cloud Backup storage capacity and VMware backup software. For more information, see VMware backup and disaster recovery billing.

    • You have obtained the username and password of a VMware user with permissions to access vCenter Server and its resources.

    Notes

    Step 1: Prepare a dedicated VMware environment

    Before you back up virtual machines in a dedicated VMware environment, prepare the following items:

    • Obtain the username and address to log on to VMware management components.

    • Configure the firewalls for the VPC and the dedicated VMware environment.

      By default, a VPC attached to a dedicated VMware environment can access only VMware vCenter and NSX-T management components, not NSX-T segments. Add firewall rules in the NSX-T console to allow network access between the VPC and NSX-T segments. Also configure connectivity between the service CIDR block and the vCenter and ESXi networks.

    • Add the Cloud Backup endpoint domain names and ports to the firewall whitelist.

      For example, if your VMware Service is in the China (Shanghai) region, add the following to the VMware environment firewall whitelist: the management plane MQTT domain name (post-cn-4590rcihm02-internal.mqtt.aliyuncs.com), the data plane OSS domain name (*.oss-cn-shanghai-internal.aliyuncs.com), and the Cloud Backup VPC endpoint domain name (hbr-vpc.cn-shanghai.aliyuncs.com). Which endpoints and ports does a Cloud Backup client access?.

    Step 2: Log on to the ECS jump server

    Create an ECS instance in the VPC of the dedicated VMware environment as a jump server to access management components such as vCenter and NSX-T Manager. We recommend that you use Windows Server as the operating system. If you enable public network access, implement security measures.

    Note

    Set the VPC of the ECS jump server to the VPC of the dedicated VMware environment.

    1. Log on to the ECS console and find the ECS jump server instance.

    2. In the Actions column, click Remote Connection.

    3. In the Remote Connection and Command dialog box, click Log On Now for Workbench Remote Connection.

    4. In the Log on to Instance dialog box, set Connection Method to Terminal Connection and Authentication Method to Password Authentication.

      • Username: administrator.

      • Password: The logon password set when you created the ECS instance.

      Click Log On.

    Step 3: Add a disaster recovery gateway

    Configure and download a disaster recovery gateway to the ACVS environment where the vSphere Client is deployed.

    1. Log on to the Cloud Backup console from the ECS jump server.

    2. In the left-side navigation pane, choose Back Up > VMware Backup & Disaster Recovery.

    3. In the top navigation bar, select a region.

    4. In the upper-right corner of the VMware Backup & Disaster Recovery page, click Create Backup & Disaster Recovery Gateway.

    5. In the Add Disaster Recovery Gateway panel, configure the parameters and click Create.

      Configure the following parameters:

      Parameter

      Description

      Backup Vault

      The backup vault that stores your backups.

      • Create Backup Vault: Enter a vault name. If left empty, a random name is assigned.

      • Select Backup Vault: Select an existing vault from the drop-down list.

      Important

      After you create a backup vault and store backup data, Cloud Backup charges fees for backup storage capacity. For more information, see Billing methods and billable items.

      To ensure maximum redundancy, in regions that support zone-redundant backup vaults, Cloud Backup uses zone-redundant backup vaults by default. If a region only supports locally redundant backup vaults, Cloud Backup uses locally redundant backup vaults. You do not need to select the vault type.

      Vault Name

      Specify a name for the backup vault.

      Vault Resource Group

      Required only when Backup Vault is set to Create Backup Vault. Specifies the resource group for the backup vault.

      Resource groups help you organize resources and manage permissions within your Alibaba Cloud account. For more information, see Create a resource group.

      Gateway Name

      Name for the gateway. Maximum length: 64 characters.

      VMware Environment

      The VMware platform where the virtual machines are deployed. Select Alibaba Cloud VMware Service (ACVS).

      • On-premises vSphere: The virtual machines are deployed in an on-premises VMware environment.

      • Alibaba Cloud VMware Service (ACVS): The virtual machines are deployed in an Alibaba Cloud VMware Service environment.

      Network Type

      The network type. Select VPC.

      The VMs use an Alibaba Cloud VPC and must be in the same region as the backup vault.

      Use HTTPS for Data Transmission

      Specifies whether to use HTTPS for data transmission. HTTPS reduces transmission performance. Changes take effect at the next backup or restore job.

    6. In the Create Backup & Disaster Recovery Gateway panel, click Download Gateway and Download Certificate.

      The downloaded disaster recovery gateway package is the OVF template required for Step 3: Install the disaster recovery gateway.

      Note

      The installation package connects the gateway to Cloud Backup, and the certificate activates it. You can download and deploy the gateway from the client list at any time.

    Step 4: Install the disaster recovery gateway

    Install the downloaded gateway and certificate in your VMware environment to enable backup and restore from the Cloud Backup console.

    1. Log on to the ECS jump server.

      For more information, see Step 2: Log on to the ECS jump server.

    2. Log on to the VMware Service console, find the target dedicated VMware environment, and in the Actions column, click Log on to Management Components.

    3. Use the vCenter username and address from Step 2 to log on to the vSphere Web Client from the ECS jump server.

    4. In the left navigation pane, right-click the target virtual machine and select Deploy OVF Template.

      1. On the Deploy OVF Template page, select Local file. Click Browse, select the gateway file that you downloaded in Step 3: Add a disaster recovery gateway, and then click Next.

        Note

        Cloud Backup provides the gateway installation package in OVA format, which you can deploy directly as an OVF template from the Web Client.

        ovfTemplate

      2. Enter a name for the OVF template, select a deployment location, and then click Next.

        Select Location

      3. Select a compute resource and click Next.

        Compute Resource

      4. Verify the template details and click Next.

        Details

      5. Select a virtual disk format, select a location to store the deployed template files, and then click Next.

        Select Storage

      6. Select a target network for each source network and click Next.

        Select Networks

      7. Configure the network and system user password, and then click Next.

        • If you use DHCP, the Gateway, IP, and Netmask fields are not required. For a static IP address, enter the IP address and related information.

        • The Primary DNS and Secondary DNS must be able to resolve the domain names of Cloud Backup, vCenter, and ESXi.

          Note

          Enter an IP address that connects to the Alibaba Cloud VPC. If no DNS server can resolve Alibaba Cloud VPC domain names, use the Alibaba Cloud VPC DNS servers 100.100.2.136 or 100.100.2.138.

        • The Admin User Name and Admin User Password set the credentials for the gateway VM. This user has root permissions.

        Customize template

      8. Review the configuration data and click Finish.

        Review configuration data

    5. View the task status in the Task Console and wait for the task to complete.

    Step 5: Activate the disaster recovery gateway

    Note

    The system automatically deletes a VMware disaster recovery gateway if it is not activated within 48 hours of its creation.

    1. After the deployment is complete, start the virtual machine that was deployed from the OVF template.

    2. Open a browser and enter http://hostname:8011 in the address bar.

      hostname is the IP address of the gateway that you deployed from the OVF template.

    3. On the Activate Gateway page, configure the following parameters and click Register.

      Parameter

      Description

      AccessKey ID

      Download the AccessKey ID and AccessKey secret from the Alibaba Cloud account with Cloud Backup enabled. Create an AccessKey pair for a RAM user.

      Note

      The AccessKey pair used to activate the backup gateway may expire. If rotated, reactivate the gateway or backups will fail. How do I reset a VMware backup gateway (replace an AccessKey pair)?.

      AccessKey Secret

      Certificate File

      Select the certificate downloaded from the console. If the gateway VM is shut down for more than five days after activation, the certificate becomes invalid and must be re-downloaded and reactivated.

      After the installation is complete, you can view the disaster recovery gateway on the Backup & Disaster Recovery Gateway tab of the VMware Backup & Disaster Recovery page. The status of the gateway is Activated. You can also perform the following operations in the Actions column:

      • Throttle Bandwidth: Set traffic limits for different time periods to prevent backup jobs from overloading VMware resources.

      • <hd> More </hd>:

        • Download Gateway: Download the disaster recovery gateway installation package.

        • Download Certificate: Download the certificate used to activate the disaster recovery gateway.

        • Delete: Deleting a client also deletes its backup data and causes running jobs to fail. Ensure you no longer need the backup data and that no jobs are running.

        • Gateway Settings: Configure HTTPS for data transmission, the maximum number of worker threads, and CPU cores.

      After the operation is complete, you can view the vCenter server on the Managed vCenters tab.image

    Why does adding a vCenter server fail even if the credentials are correct?

    This operation can fail if the password contains any of the following special characters:

    ` ^ ~ = ; ! / ( [ ] { } @ $ \ & # % +

    How do I replace the AccessKey pair for a VMware backup and disaster recovery gateway?

    To reset (reactivate) a VMware backup gateway:

    1. Go to the `data` directory in the client installation path: cd /opt/alibabacloud/hbr/data/

    2. Delete the console.mv.db file: rm -f console.mv.db

    3. Restart the service. For example: systemctl restart hbr.

    4. Reactivate the gateway in the Cloud Backup console using the new AccessKey pair.

    What to do next

    Back up VMware virtual machines