A backup policy defines the schedule, retention period, and lifecycle rules for backups. Policies are independent of data sources and can be applied to multiple sources to generate backup plans. You can create, modify, associate, and delete backup policies in Policy Center.
Scope and limitations
The following limitations apply:
-
Supported regions are listed on the Policy Center console page. Supported features by region.
-
Backup policies currently support only ECS file backup, ECS instance backup, OSS backup, Alibaba Cloud NAS backup, on-premises NAS backup, Tablestore backup, CPFS backup, and on-premises file backup.
-
The Backup Vault applies only to general-purpose backup policies.
-
The auto-archive feature supports only ECS file backup, ECS instance backup, OSS backup, Alibaba Cloud NAS backup, on-premises NAS backup, CPFS backup, and on-premises file backup.
-
Both general-purpose backup policies and instance backup policies support Immutable Backup.
-
The Backup Point Virus Detection feature supports only ECS file backup (new version), on-premises file backup (new version), OSS backup, Alibaba Cloud NAS backup, and on-premises NAS backup.
-
The Associate Resource Tag feature supports only ECS instance backup, ECS file backup, OSS backup, Alibaba Cloud NAS backup, and Tablestore backup.
Prerequisites
You have activated Cloud Backup. Cloud Backup is free to activate.
Notes
If a backup policy's Policy Type is "legacy backup policy", the policy is associated with an instance backup and a backup vault. The following limitations apply:
-
You can still edit legacy backup policies, but you cannot create new ones or associate them with new ECS instance backups. Existing associations are not affected. To back up new ECS instances, create and use a new ECS Instance Backup Policy.
-
A legacy backup policy backs up bound ECS instances using snapshots. These backups are not stored in a backup vault and do not support cross-region replication or automatic archiving.
-
Regarding the backup replication and backup lock features:
-
If a legacy policy is not bound to a backup vault, you can view and edit the instance backup configuration on the ECS Instance Backup page.
-
If a legacy policy is bound to a backup vault, you can view and edit the backup vault configuration on the Policy Center page. The instance backup settings are still displayed on the ECS Instance Backup page but are read-only.
-

Create a backup policy
Create a backup policy before backing up any data source.
Log on to the Cloud Backup console.
In the navigation pane on the left, choose Backup > Policy Center.
In the top navigation bar, select a region.
-
In Policy Center, click Create Backup Policy.
-
In the Create Backup Policy dialog box, configure the Policy Type, Policy Name, Execution Plan, Lifecycle, Auto-archive Settings, Backup Vault Configuration, and Replication Policy, and then click OK.


General Backup Policy
ImportantSelect the policy type based on your business requirements and review the parameter descriptions before proceeding.
Parameter
Description
Policy Type
This policy applies to all backups except for entire ECS instance backups.
Supported data sources include ECS files, on-premises files, OSS, Alibaba Cloud NAS, CPFS, Tablestore, and on-premises NAS. The backup data is stored in a general backup vault.
Policy Name
The backup policy name.
The name must be 2 to 128 characters. It cannot start with
auto, a special character, or a digit. It can contain periods (.), underscores (_), hyphens (-), and colons (:).Schedule
Backup Frequency
NoteIf a backup job is still running when the next job is scheduled to start, the scheduled job is skipped and runs in the next cycle.
-
Hourly: Backups are created at a fixed hourly interval.
-
Daily: Backups are created at a fixed daily interval.
-
Weekly: Backups are created on specified days of the week.
-
Monthly: Backups are created on specified days of the month.
First Execution Time
The start time for the first backup job.
Time Interval
The interval between backup jobs.
Incremental Backup Interval
This parameter applies only to Tablestore. For other data sources, Cloud Backup automatically performs full or incremental backups.
-
No: Disables incremental backups.
-
Specify Time: Specifies the interval for Tablestore incremental backups.
Lifecycle
Retention Period
-
Permanent: Backups are retained permanently.
-
Specify Time: The retention period in days (maximum: 999 years). For example, 210 means backups are deleted after 210 days.
When you configure the Days to Transfer to Archive Tier parameter, data in the archive tier must be retained for at least 60 days. Therefore, the total retention period must be at least the sum of the automatic archiving trigger period and the minimum retention period for the archive tier (60 days).
For example, if you set data to be automatically archived after 30 days, the total retention period must be at least 30 + 60 = 90 days.
Special Retention Period
Cloud Backup supports Special retention period rules that retain the first backup of a specific week, month, or year for a longer duration. A policy can combine weekly, monthly, and yearly rules.
ImportantThe special retention period is subject to the total retention period. Limits:
-
Not applicable to permanently retained backups.
-
The special retention period must be longer than the standard retention period.
-
Cannot exceed 999 years regardless of unit (weeks, months, or years).
Keep At Least One Backup Version
When enabled, the latest backup is protected from deletion by retention expiration or accidental removal. Recommended to prevent data loss from misconfigured retention settings. Retain at least one backup version.
Important-
Takes effect only after a data source is associated with this policy.
-
For general backup policies, at least one replicated backup in the destination region is also retained.
-
Tablestore backups are not supported.
-
The retained latest backup is not auto-archived.
Automatic Archiving
Days to Transfer to Archive Tier
Moves backups to the archive tier after a specified number of days to reduce long-term storage costs. Default storage tier: standard.
Important-
When you use cross-region backup, data in the archive tier of a backup vault is not replicated to another region. After data is moved from the standard tier to the archive tier in the source vault, the corresponding data in the destination vault is also deleted.
-
Archive storage is billed by original data size. Files smaller than 64 KB are billed as 64 KB. Evaluate carefully if your workload has many small files. Automatic archiving.
-
Minimum 30 days in standard tier before archiving. Minimum 60 days in archive tier after archiving.
-
No: Backups remain in the standard tier.
-
Specify Time: 30–65,535 days. Backups must remain in standard tier for at least 30 days before archiving.
If you set Specify Time to 30 days:
-
If the Retention Period is set to Permanent, backups are moved to the archive tier after 30 days and retained permanently.
-
If the Retention Period is 210 days, backups are moved to the archive tier after 30 days, retained for another 180 days, and then automatically deleted. The total retention period is 210 days.
-
Backup Vault
Backup Vault
The vault that stores backups.
-
Create Backup Vault: Creates a new vault. Default name is based on the creation timestamp.
-
Select Vault: Selects an existing vault from the drop-down list.
The system automatically selects the vault type based on region availability: zone-redundant in supported regions, locally redundant in others.
Vault Name
This parameter is required when Backup Vault is set to Create Backup Vault or Select Backup Vault. Enter or select the name of the backup vault.
Vault Resource Group
This parameter is required only when Backup Vault is set to Create Backup Vault. Specifies the resource group to which the backup vault belongs.
Resource groups organize resources for access control within an account. Create a resource group.
Vault Encryption Method
This parameter is required only when Backup Vault is set to Create Backup Vault. Specifies the encryption method for the backup vault.
-
Cloud Backup-managed (Default): The service's default encryption method.
-
KMS: Uses a custom key from Alibaba Cloud Key Management Service (KMS) for encryption. You must specify the KMS KeyId. You can also select the Use KMS Alias checkbox to use the key's alias as its identifier.
After you enable encryption for a backup vault using Key Management Service (KMS), you cannot change the KMS key.
To encrypt a backup vault with a KMS key, you must first create a key ID in KMS. For more information, see Create a key.
ImportantReplication Policy
Backup Vault Replication
Automatically replicates all existing and new data from the source vault's standard tier to a destination vault for cross-region and cross-account protection.
ImportantData in the archive tier is not replicated. When data moves from standard to archive tier in the source vault, the corresponding data in the destination vault is deleted.
-
Cross-region replication incurs storage and data transfer fees. Billing methods and billable items.
-
Enabling Backup Vault Replication in a general backup policy has the same effect as Configure Vault Replication for the associated backup vault. You can configure cross-region backup in the Storage Vaults console.
-
After you enable Backup Vault Replication, the backup vaults associated with the data sources in this policy automatically replicate all existing and future backup points to the destination vault.
NoteReplicated backups share the same retention period as the source backup points.
Replication Target Vault Configuration
You can select an existing destination vault or create a new one.
-
Create replication destination vault: Creates a vault in the current account for cross-region replication.
-
This option enables cross-account or cross-region replication by allowing you to select a vault that is either shared from another account or is in a different region within your account.
Destination Region
This parameter is required only if you enable Backup Vault Replication.
The region of the destination backup vault.
Encryption Method of Replication Target Vault
This parameter is required only if you enable Backup Vault Replication and select Create Replication Target Vault.
Specifies the encryption method for the destination vault, which must be the same as that of the source vault. Valid values: Cloud Backup-managed and KMS.
Data Security
Immutable Backup
Once enabled, immutable backup cannot be disabled.
-
When enabled, the backup vault and all backup data within it cannot be deleted before their retention period expires.
-
If backup vault replication is also enabled, the replicated vault and its backup points are also locked.
Backup Point Virus Detection
After you enable backup point virus detection, the system automatically scans backup data for viruses after each backup job is complete. You can view the scan results for each backup point.
Important-
After you enable virus detection in a backup policy, the system performs a full scan on the first backup point and incremental scans on subsequent backup points.
-
Backup point virus detection is a paid feature.
-
A virus detection task cannot be canceled after it starts.
You can disable this feature by turning off the Backup Point Virus Detection switch.
Associate Resource Tag
Automatically associates the backup policy with resources based on their tags.
Resource Type: ECS file, OSS Bucket, Alibaba Cloud NAS, and Tablestore.
Select Resource: You can associate all resources of the specified type or use Specify Tag to associate a subset of resources.
Resource Tag: A resource is associated only if it matches all specified tags. Click Associate Tags to add multiple tags.
The resource tags must correspond to the selected resource type:
-
For ECS file, specify the tags of ECS instances.
-
For OSS Bucket, specify the tags of OSS buckets.
-
For Alibaba Cloud NAS, specify the tags of NAS file systems.
-
For Tablestore, specify the tags of Tablestore instances.
Note-
You can add up to 30 resource tags.
-
When you associate an ECS instance by using tags and the resource type is set to ECS file, Cloud Backup automatically deploys the backup client when the next backup job starts. Conversely, if an ECS instance's tags no longer match the policy and its related backup jobs have expired, Cloud Backup automatically uninstalls the backup client.
-
Each time the backup policy runs, Cloud Backup performs the following tag matching checks:
-
Auto-associate new matching resources: If Cloud Backup finds unassociated data sources with matching tags, it automatically associates them. Backups for these resources begin on the next scheduled run.
-
Auto-adjust existing associations: The system verifies if currently associated data sources still match the policy's tags. If a data source no longer matches, its backup jobs are paused, and the association is removed after its backups expire.
-
Tag Match Detection: Click Detect Now to check which resources match the configured resource tags.
To add resources of multiple types, click Add Resource.
ECS Instance Backup Policy parameters
ImportantSelect the appropriate policy type and review parameter descriptions before proceeding.
Parameter
Description
Policy Type
The policy type.
Applies only to ECS instance backup. Uses snapshot capacity instead of a backup vault.
Policy Name
The backup policy name.
Must be 2–128 characters. Allowed characters: periods (.), underscores (_), hyphens (-), and colons (:). Cannot start with
auto, a special character, or a digit.Schedule
Backup Frequency
The backup frequency.
NoteIf a backup job is still running when the next one is scheduled to start, the new job is skipped and will run during the next cycle.
-
Hourly: Backups are created at a fixed hourly interval.
-
Daily: Backups are created at a fixed daily interval.
-
Weekly: Backups are created on specified days of the week.
-
Monthly: Backups are created on specified days of the month.
First Execution Time
The time when the first backup job runs.
Time Interval
The interval between backup jobs.
Lifecycle
Retention Period
How long backups are retained before automatic deletion.
ImportantECS instance backup does not support permanent retention.
Specify Time: Retention period in days (maximum: 999 years). Example: 210 means backups are deleted after 210 days.
If you configure Days to Transfer to Archive Tier, data moved to the archive tier must be retained for at least 60 days. Therefore, the total retention period must be at least the archiving delay plus 60 days.
For example, if you set data to be archived after 15 days, the total retention period must be at least 15 + 60 = 75 days.
Special Retention Period
Cloud Backup supports Special retention period rules that retain the first backup of a specific week, month, or year for a longer duration. You can combine weekly, monthly, and yearly rules in a single policy.
ImportantLimits:
-
The special retention period must be longer than the regular retention period.
-
The special retention period cannot exceed 999 years, whether specified in weeks, months, or years.
Keep At Least One Backup Version
The Keep at least one backup version option protects the latest backup from deletion by retention expiration or accidental removal.
Important-
Takes effect only after a data source is associated with the policy.
-
Replicated backups in the destination region are not affected by the local policy's "Keep at least one backup version" setting.
-
The latest backup is not automatically archived.
Automatic Archiving
Days to Transfer to Archive Tier
Days before backups move to the archive tier. Default tier: standard. Use archiving to reduce long-term storage costs.
Important-
Applies only to new backup points created after configuration. Existing backups cannot be archived.
-
Data in the archive tier is billed as archive snapshots, and the fees are collected by the ECS service. Before a backup point of an ECS Instance is moved to the archive tier, snapshots that have not been successfully archived are billed as standard snapshots, while successfully archived snapshots are billed as archive snapshots.
-
Minimum 14 days in standard tier before archiving. Minimum 60 days in archive tier. Early deletion within the 60-day period incurs charges for the remaining duration.
-
No: Backup data stays in the standard tier and is not moved to the archive tier.
-
Specify Time: 14–65,535 days. Backups must remain in standard tier for at least 14 days before archiving.
For example, if the Specify Time is set to 30 days and the Retention Period for the backup data is 210 days, the backup data is moved to the archive tier after 30 days. It is then retained in the archive tier for an additional 180 days, after which it is automatically deleted. The total retention period is 210 days.
Replication Policy
Replication to Other Region
Immediately and automatically replicates backups to the destination region for cross-region protection.
-
Cross-region replication incurs storage or data transfer fees depending on the data source type. Billing methods and billable items.
-
Cloud Backup provides the following technologies for cross-region replication of backup data:
The cross-region replication of backups is based on snapshot technology and is applicable only to backing up entire ECS instances.
Important-
Only new backups are replicated after enabling; existing backups are not.
-
Disabling this feature does not immediately delete replicated backups. They are deleted when their retention period expires.
Destination Region
If Replication to Other Region is enabled, this parameter specifies the destination region for replicated backups.
Remote Retention Period
If Replication to Other Region is enabled, this parameter sets the retention period for backups in the destination region.
NoteECS instance backup does not support permanent retention.
Specify Time: The total retention period for replicated backups, in days. The default value is 7 days. The maximum period is equivalent to 999 years. Backups are automatically deleted after their retention period expires.
When you set the Archive after days parameter, data in the archive tier must be retained for at least 60 days. Therefore, the total retention period for replicated data must be at least the number of days before archiving plus the 60-day minimum retention period for the archive tier.
For example, if you set data to be automatically archived after 15 days, the total retention period must be at least 15 + 60 = 75 days.
Archive after days
Configure this parameter when you enable the Replication to Other Region feature.
Replicated backups default to standard tier. Configure this to move long-term backups to the archive tier and reduce costs.
Important-
Data in the archive tier is billed as archive snapshot storage by the ECS service. Before a backup for an ECS instance is archived, its unarchived snapshots are billed as standard snapshots. After archiving, they are billed as archive snapshots.
-
Minimum 14 days in standard tier before archiving. Minimum 60 days in archive tier. Early deletion incurs charges for the remaining duration.
-
If the value of Archive after days is greater than or equal to the value of Remote Retention Period, no backups are moved to the archive tier.
-
No: Replicated backups remain in the standard tier and are not moved to the archive tier.
-
Specify Time: 14–65,535 days. Backups must remain in standard tier for at least 14 days before archiving.
For example, assume you select Specify Time and set the period to 30 days. If the Remote Retention Period is 210 days, the replicated backup is moved to the archive tier after 30 days. It is then retained in the archive tier for another 180 days and then automatically deleted. The total retention period is 210 days.
Data Security
Immutable Backup
After you enable immutable backup, you cannot disable it.
-
After you enable this feature, ECS instance backup points cannot be deleted before their retention period expires.
-
Only backups created after this feature is enabled are locked.
-
If cross-region replication is also enabled, replicated backup points in a destination region are also locked.
-
This feature does not affect the normal use of the corresponding cloud disks and snapshots, such as creating cloud disks or sharing snapshots.
Associate Resource Tag
Automatically associates the policy with resources based on their tags.
Resource Type: ECS instance.
Select Resource: You can associate all resources of the specified type or use Specify Tag to associate a subset of resources.
Resource Tag: A resource is associated only if it matches all specified tags. Click Associate Tags to add multiple tags. Specify the tags for the ECS instances.
Note-
You can add up to 30 resource tags.
-
Each time the backup policy runs, Cloud Backup performs the following tag-matching checks:
-
Auto-associate: Cloud Backup automatically associates any new, unassociated data sources that match the policy's tags. These resources are included in the next backup.
-
Update associations: If an associated data source no longer matches the policy's tags, its backup jobs are paused, and the association is removed after the current backup cycle ends.
-
Tag match detection: Click Detect Now to check which resources match the tags you have set.
To add resources of multiple types, click Add Resource.
The new policy appears in the Policy Center list.
-
If you set Policy Type to General Backup Policy, the policy appears as shown below.

-
If you set Policy Type to ECS Instance Backup Policy, the policy appears as shown below.

-
Associate backup policies with data sources
Associate resources with a backup policy to enable automatic backups:
-
Associate a backup policy when you create a backup plan for a data source.
-
In the backup policy list, associate resources in batches by resource ID.
-
Use resource tags for automatic association. Automatic resource association based on tags.
Click
to the left of a backup policy to view the associated data sources.
Associate resources in bulk
After creating a backup policy, click Associate Resource in the Actions column to associate resources in bulk.
For general-purpose backup policies:
-
If you select ECS File as the resource type, select one or more ECS instances from the ECS Instance drop-down list.
The policy automatically backs up the selected ECS instances. By default, the backup includes all files except for those in system directories. (For a list of the specific system directories, see the console.)
-
If you select OSS as the resource type, select one or more OSS buckets from the OSS Bucket drop-down list.
The policy automatically backs up the selected OSS buckets (Standard and Infrequent Access). By default, the backup includes the entire bucket.
-
If you select NAS as the resource type, select one or more NAS file systems from the NAS Filesystem drop-down list.
The policy automatically backs up the selected NAS file systems (General-purpose). By default, the backup includes the entire file system.
-
If you select Tablestore as the resource type, select one or more Tablestore instances from the Tablestore Instance drop-down list.
The policy automatically backs up the selected Tablestore instances. By default, the backup includes the entire instance.
For ECS instance backup policies:
-
If you select ECS Instance as the resource type, select one or more ECS instances from the ECS Instance drop-down list.
The policy automatically backs up the selected ECS instances. By default, the backup includes all cloud disks.
To add resources of different types, click Associate Resource.
Modify a backup policy
Find the policy in the list and click Edit Policy in the Actions column. Changes take effect on the next backup run.
Immediate policy backup
-
Run an immediate backup job for all data sources covered by a backup policy.
Find the target policy in the policy list, and in the Actions column, select . After the job completes, you can view progress on the Backup Jobs page for each data source.
-
Run an immediate backup job for a target data source.
Click
to expand the backup policy details, then select the target data source from the left-side menu. In the Actions column for the target data source, select .
Detach backup policy
To detach a backup policy from a data source, select the data source in the navigation pane, click the Backup Plans tab, and find the target backup plan. In the Actions column, choose . This detaches the backup policy, and the backup plan no longer runs.
After you detach a backup policy from a data source, the associated backup plan stops running, leaving the data source unprotected. Existing backups are not affected. Proceed with caution.
Delete a backup policy
To delete a backup policy, find it in the policy list and select in the Actions column. Deleting a backup policy stops its associated backup jobs, but retains the existing backup data.
-
You must first disassociate a backup policy from all data sources before you can delete it.
-
Deleting a backup policy stops its backup jobs, leaving the associated data sources unprotected. Proceed with caution.
Dissociate a resource tag
To dissociate a resource tag from a backup policy, find the policy in the policy list, click Edit Policy in the Actions column, and then click the
icon for the resource tag. Dissociating a resource tag automatically removes its associated data sources from the backup policy. The change takes effect the next time the backup policy runs.