All Products
Search

This Product

    Cloud Backup:Cross-account backup vault replication

    Document Center

    Cloud Backup:Cross-account backup vault replication

    Last Updated:Mar 17, 2026

    You can configure cross-account backup vault replication to prevent data loss that results from account mismanagement or to consolidate backups from multiple corporate accounts. This feature lets you select a replication target vault shared by another account to provide cross-account disaster recovery for your backup data. If required, you can quickly restore data from the replication target vault in the other account.

    Background information

    Cloud Backup uses Resource Sharing and Resource Directory to enable cross-account backup vault replication, which allows for flexible and controlled management of cross-account backup data.

    Note

    A replication target vault is the destination for backup vault replication. It stores backup data replicated from other regions or accounts and is used for cross-region or cross-account disaster recovery and data restoration. For more information, see Vault types.

    Although data in a business unit's account is protected by Cloud Backup, a separate backup management account may be required for data security or compliance to store an extra copy of the business unit's data. If the business unit's account is compromised by a security risk, such as a key leak, accidental data deletion, an overdue payment, or business adjustments, the backup data is still available in the backup management account. This data can be used for restoration to ensure business continuity and data recovery. By configuring cross-account backup vault replication, you can automatically synchronize backup data from the business unit's account to the backup management account. This method provides efficient and compliant cross-account data protection.

    How it works

    After you share a replication target vault from a destination account with a source account, you can configure backup vault replication for a backup vault in the source account. When you configure replication, you select the shared replication target vault. All existing and new backup data in the standard storage tier of the source backup vault is continuously and securely synchronized to the replication target vault in the destination account through asynchronous replication. The replication target vault acts as a read-only replica of the source backup vault and is used for disaster recovery and high availability. To use cross-account backup vault replication, you must grant permissions using Resource Sharing. You can also initiate sharing from a Resource Directory.

    The entire replication process runs automatically in the background without manual intervention. This mechanism ensures data consistency and achieves an acceptable recovery point objective (RPO) while balancing cross-region network latency and transmission efficiency. It meets the disaster recovery needs of most business scenarios.

    If data in the source account's backup vault is lost, you can quickly initiate a restore job from the replication target vault to rebuild critical applications and data. This process effectively ensures business continuity.

    image

    Quotas and limits

    • For information about the regions that support cross-account backup vault replication, see Features by region.

    • The data sources that support cross-account backup vault replication are ECS files, OSS, on-premises NAS, File Storage NAS, Tablestore, CPFS, local files, and SAP HANA.

      Important

      For ECS instance data sources, you can only enable cross-region replication in a backup policy.

    • Cross-account backup vault replication is not supported for the following vault types: OSS Backup (30-day free trial), NAS Backup (30-day free trial), Tablestore Backup (30-day free trial), replication target vaults, archive vaults, database backup vaults, or container backup vaults. This feature is also not supported for vaults in an abnormal state, such as ERROR.

    • A single account can create a maximum of 5 replication target vaults in each region.

    • You cannot restore VMware virtual machines from a replication target vault.

    • A backup vault can replicate data to only one replication target vault. If a replication relationship is stopped, the replication target vault cannot be used for another replication relationship.

    • A replication target vault can only be used to store and restore replicated data. You cannot configure backup plans to create backups in it.

    • After you configure cross-account backup vault replication, the lifecycle of backup points in the replication target vault is the same as that in the source vault. You cannot modify the lifecycle.

    • When you enable automatic archiving for a source backup vault, data in the archive storage tier of the source vault is not synchronized to the replication target vault. After data in the standard storage tier of the source backup vault is moved to the archive storage tier, the corresponding data in the replication target vault is also deleted.

    • To delete a source backup vault, you must first stop cross-account backup vault replication. After you stop replication, deleting the source backup vault does not delete the replication target vault.

    • Backup points in a replication target vault are not associated with a backup policy. After a replication relationship is stopped, the backup points in the replication target vault are automatically deleted based on the retention period configured for the source backup vault. You can also manually delete them. Even if the backup policy of the source backup vault is configured to retain at least one version, this setting does not apply to the replication target vault. You cannot modify the retention period of backup points in the replication target vault.

    • Whether the source backup vault uses the Cloud Backup-managed or KMS encryption method, the replication target vault must use the same encryption method.

    Prerequisites

    Procedure

    You can enable cross-account backup vault replication on the Vault Management page or in the Policy Center. After you enable this feature, all existing and new backup data in the standard storage tier of the source backup vault is automatically synchronized to the replication target vault.

    Note

    For information about how to enable Backup Vault Replication when you create or edit a policy, see Policy Center.

    Step 1: Create a replication target vault in the destination account

    Create a replication target vault to serve as the destination for cross-account backup vault replication.

    1. Go to the Cloud Backup console > Vault Management page of the destination account. On the Storage Vaults page, select the destination region.

    2. Click Create Replication Target Vault.

    3. In the Create Replication Target Vault panel, configure the parameters for the replication target vault.

      Parameter

      Description

      Vault Name

      Enter a name for the replication target vault.

      Vault Description

      Enter a description for the replication target vault.

      Vault Resource Group

      Select the resource group to which the replication target vault belongs.

      Vault Encryption Method

      Important

      The encryption method of the replication target vault must be the same as that of the source backup vault.

      Select an encryption method for the replication target vault. The default value is Fully managed by Cloud Backup, which uses the encryption method provided by the backup service.

      If the source backup vault uses a custom key from the Alibaba Cloud KMS service for encryption, click KMS and then select a KMS Key ID. You can select the Use KMS Alias check box to use the alias of the KMS key as the identifier for the KMS Key ID. For more information, see Select a KMS key.

    4. Click OK.

    Step 2: Share the resource with the source account from the destination account

    Important

    After you share a replication target vault with another account, the account that owns the replication target vault is charged for all storage and traffic fees that are incurred. You must evaluate the potential cost risks before you share the resource.

    Share the resources of the destination account with the source account by creating a resource share.

    1. Go to the Cloud Backup console > Vault Management page of the destination account. On the Storage Vaults page, select the destination region.

    2. Move the mouse pointer over the ┇ icon in the Actions column of the replication target vault and select Resource Sharing.

    3. In the Add resources to a resource share panel, configure the sharing information and click OK.

      • If you want to add the current resource to an existing resource share and reuse its principals and permissions, click Select from existing and select an existing resource share.

        The system displays the list of shared resources, principals, and associated permissions in the resource share.

      • If this is the first time you are sharing a resource or you need to isolate permissions, click Create a new resource share and configure the sharing parameters. For more information about the parameters, see Create a resource share.

        Parameter

        Description

        Resource Share Name

        The name of the resource share.

        Principal Scope

        Select the scope of principals. Valid values:

        • Share resources with any account: The resource owner can share resources with any principal.

        • Share resources only within the resource directory: The resource owner can share resources only within the resource directory. This means the management account or a member of the resource directory can share resources with the resource directory itself, its folders, and its members.

        Principals

        Specify the principals. You can Add from Resource Directory or Add manually. Principal types include Alibaba Cloud accounts, resource directory organizations, or folders (organizational units).

        Important

        If a resource directory is not enabled, you can only share resources with specified Alibaba Cloud accounts. The Add from Resource Directory method is supported only when a resource directory is enabled.

        • Share resources with a specified Alibaba Cloud account (UID)

          Set Add Method to Add manually. Then, set Principal Type to Alibaba Cloud account, set Principal ID, and click OK.

        • Share resources with all member accounts in the entire resource directory (including new members)

          You can use either of the following methods:

          • Set Add Method to Add from Resource Directory. Then, select the resource directory organization and click OK.

          • Set Add Method to Add manually. Then, set Principal Type to Resource Directory Organization, set Resource Directory ID, and click OK.

        • Share resources with all members in a specified folder (including new members)

          You can use either of the following methods:

          • Set Add Method to Add from Resource Directory. Then, select the folder and click OK.

          • Set Add Method to Add manually. Then, set Principal Type to Folder (Organizational Unit), set Folder ID, and click OK.

            Folder ID format: fd-string. For instructions on how to obtain a folder ID, see Obtain a Folder ID.

        Associated Permissions

        Configure permissions for the principals (backup vault users). A Cloud Backup replication target vault corresponds to only one permission, AliyunRSDefaultPermissionHBRVault, by default. You cannot modify the associated permission. For permission details, see the Permission Library in the Resource Sharing console.

    4. If you share resources by creating a new resource share, you must accept the resource sharing invitation in the source account.

      1. Go to the Resource Management console > Resource Sharing > Shared with Me page of the source account. On the Resources Shared To Me page, click Accept in the Status column of the target resource share.

      2. In the Accept Resource Share dialog box, click OK.

        After you accept the invitation, the principal can access the resources in the resource share. New resources added to this resource share are accepted by default.

    Step 3: Configure backup vault replication in the source account

    Configure cross-account backup vault replication to replicate data from the source account to the replication target vault in the destination account.

    1. Go to the Cloud Backup console > Vault Management page of the source account. On the Storage Vaults page, select the region where the source backup vault is located.

    2. In the Actions column of the target backup vault, click Configure Vault Replication.

    3. In the Initiate Vault Replication panel, click Select Replication Target Vault. Then, select the region where the destination vault is located and the shared replication target vault that you created in Step 1.

    4. Click OK.

      After the configuration is complete, Cloud Backup starts to synchronize the historical data of the source backup vault. You can view the synchronization progress in the region of the destination account. After the synchronization is complete, all data in the source backup vault is replicated.image

    Restore data from a replication target vault

    Restore ECS files

    1. Create an ECS instance to which you want to restore data.

      The ECS instance must be in the same region as the replication target vault.

    2. In the Cloud Backup console, create an ECS file restore job.

      Select the replication target vault as the source backup vault and the ECS instance that you created in the previous step as the restore destination. The other configurations are the same as those for creating a backup job. After the restore job is complete, the data is restored to the specified destination.

    Restore OSS

    1. Create an OSS bucket to which you want to restore data.

      The OSS bucket must be in the same region as the replication target vault.

    2. In the Cloud Backup console, create an OSS restore job.

      Select the replication target vault as the source backup vault and the OSS bucket that you created in the previous step as the restore destination. The other configurations are the same as those for creating a backup job. After the restore job is complete, the data is restored to the specified destination.

    Restore Apsara File Storage NAS

    1. Create a File Storage NAS file system to which you want to restore data.

      The File Storage NAS file system must be in the same region as the replication target vault.

    2. In the Cloud Backup console, create a job to restore a single NAS file system in the same region.

      Select the replication target vault as the source backup vault and the File Storage NAS file system that you created in the previous step as the restore destination. The other configurations are the same as those for creating a backup job. After the restore job is complete, the data is restored to the specified destination.

    Restore an SAP HANA instance

    1. Prepare an SAP HANA instance to which you want to restore data.

      The SAP HANA instance must be in the same region as the replication target vault.

    2. In the Cloud Backup console, register the SAP HANA instance.

    3. In the Cloud Backup console, create a job to restore SAP HANA.

      Select the replication target vault as the source backup vault and the SAP HANA instance that you created in the previous step as the restore destination. The other configurations are the same as those for creating a backup job. After the restore job is complete, the data is restored to the specified destination.

    Restore Tablestore

    1. Create a Tablestore instance to which you want to restore data.

      The Tablestore instance must be in the same region as the replication target vault.

    2. In the Cloud Backup console, create a job to restore a Tablestore table.

      Set the source backup vault to the replication target vault, select the Tablestore instance created in Step 1 as the restore object, and use the same configuration as the original backup job. After the recovery is complete, the data is restored to the data source in the region of the replication target vault.

    Restore on-premises NAS

    1. Prepare an on-premises NAS file system to which you want to restore data.

    2. Install a backup client to run the restore job.

    3. In the Cloud Backup console, create a job to restore an on-premises NAS file system.

      Select the replication target vault as the source backup vault and the on-premises NAS file system that you created in the previous step as the restore destination. The other configurations are the same as those for creating a backup job. After the restore job is complete, the data is restored to the specified destination.

    Restore local files

    1. Prepare a local server to which you want to restore data.

      The restored files are saved on this local server. Create a restore folder on the server.

    2. Install a backup client to run the restore job.

    3. In the Cloud Backup console, create a job to restore local files.

      Select the replication target vault as the source backup vault and the local server that you created in the previous step as the restore destination. The other configurations are the same as those for creating a backup job. After the restore job is complete, the data is restored to the specified destination.

    Restore CPFS

    1. Prepare a CPFS file system to which you want to restore data.

      The CPFS file system must be in the same region as the replication target vault.

    2. In the Cloud Backup console, create a job to restore a CPFS file system.

      Select the replication target vault as the source backup vault and the CPFS file system that you created in the previous step as the restore destination. The other configurations are the same as those for creating a backup job. After the restore job is complete, the data is restored to the specified destination.

    Stop cross-account backup vault replication

    Important

    After you stop cross-account backup vault replication, the replication relationship cannot be resumed. Proceed with caution. The replication target vault is detached and can be used only for data restoration.

    To stop cross-account backup vault replication, go to the region where the source backup vault is located. In the Actions column of the source backup vault, click Stop Vault Replication and confirm the action.

    After you stop cross-account backup vault replication, new data from the source backup vault is no longer replicated to the replication target vault. The data that has already been replicated to the replication target vault can still be used for restoration.

    Important

    Deleting a backup vault deletes all backup data in the vault. The corresponding backups cannot be restored. Proceed with caution.

    After you stop cross-account backup vault replication, perform the following operations as needed:

    • Delete data in the replication target vault: On the Create Restore Job page, select the replication target vault and delete the backup data.

    • Enable the backup lock feature for the replication target vault: This prevents the backup data from being accidentally deleted or attacked by ransomware before the retention period expires.

    • Delete data in the source backup vault: Go to the region where the source backup vault is located. Move the mouse pointer over the ┇ icon in the Actions column of the source backup vault and select Delete. Confirm the action to delete the vault.

    Billing

    • When you use cross-account backup vault replication, storage capacity fees are incurred. If the backup vault and the replication target vault are in different regions, cross-region replication traffic fees are also incurred. The account that owns the replication target vault is charged for the storage capacity fees of the replication target vault and the traffic fees that are incurred from cross-region, cross-account replication.

      We recommend that you refer to the Resource Plan Purchase Guide and purchase a subscription resource plan to offset storage capacity fees. Cross-region replication traffic fees can be paid for only using the pay-as-you-go billing method.

    • Cloud Backup does not charge a fee when you use a replication target vault to restore data to a resource in the same region.

      When you restore data to an on-premises NAS file system or a local server over the Internet instead of a VPN or a leased line, outbound traffic fees over the Internet are incurred. Traffic fees are charged based on the actual amount of data restored. For more information, see On-premises NAS restore fees and Local server file restore fees.

    For pricing details, see Cloud Backup Pricing.

    FAQ

    Is cross-account backup vault replication a billable feature?

    The feature itself is free. You are charged for the storage capacity of the replication target vault used in the replication. If the replication occurs across regions, you are also charged for traffic. The account that owns the replication target vault is charged for both storage capacity and traffic fees. For more information, see Billing.

    What is the difference between cross-account backup vault replication and cross-account backup? What are their use cases?

    Cross-account backup vault replication means that a source account that has already performed a backup and generated backup data replicates its backup vault data to another Alibaba Cloud account for backup data redundancy or cross-account use.

    Cross-account backup means that a backup operations account centrally manages backup policies for other accounts. The backup data of the other accounts is stored in the backup operations account. The backup operations account uses this backup data to restore data as needed to achieve centralized management of backup data.

    Both methods are widely used for enterprise data security and compliance. You can choose the method based on your company's specific needs. You can also combine both methods to achieve both centralized backup data management and backup data redundancy.

    Where can I view replication target vaults?

    In the Cloud Backup console, switch to the region where the replication target vault is located. On the Storage Vaults page, you can view the replication target vaults that you created.

    image

    What is the billing basis for the billable storage usage of a replication target vault?

    The Storage Vault Data Size of the replication target vault is its billable storage usage.

    Can I set the synchronization frequency for cross-account backup vault replication?

    For example, the source backup vault is backed up once a day, but the replication target vault only needs to be synchronized once a week.

    No, you cannot. Data from the source backup vault is continuously replicated to the replication target vault.

    Does a replication target vault support zone-redundant storage?

    This feature is supported.

    To maximize the redundancy of backup data, the system automatically selects a vault type based on region support. In regions that support zone-redundant storage, a zone-redundant backup vault is created by default. In other regions, a locally redundant backup vault is created.

    Currently, the regions that support ZRS are China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), Hong Kong (China), Japan (Tokyo), Singapore, Indonesia (Jakarta), Germany (Frankfurt), and Malaysia (Kuala Lumpur).

    References