Configure cross-account replication for backup vaults to prevent data loss that results from improper account management or to consolidate backups from multiple accounts. When you configure cross-account replication, you select a replication target vault that is shared by another account. This provides cross-account disaster recovery for your backup vaults. If necessary, you can quickly restore data from the replication target vault in the other account.
Background information
Cloud Backup supports cross-account replication of backup vaults based on Resource Sharing and Resource Directory. This allows for flexible and controlled collaboration on backup data management across different accounts.
A replication target vault serves as the destination for backup vault replication. It stores backup data replicated from other regions or other accounts. This vault is used for cross-region or cross-account disaster recovery and data restoration. For more information, see Backup vault types.
Data in departmental accounts is already protected by Cloud Backup. However, for data security or compliance reasons, an independent backup management account may be required to store an extra copy of the data from these accounts. If a department experiences a risk event, such as a key leak, accidental data deletion, an overdue payment, or business adjustments, the backup management account still retains the backup data. This data can be used for recovery, which ensures business continuity and data restorability. By configuring cross-account replication for backup vaults, you can automatically synchronize backup data from departmental accounts to a backup management account. This helps you achieve efficient and compliant cross-account data protection.
How it works
The process begins by sharing the replication target vault from the destination account with the source account. Then, in the source account, backup vault replication is configured and select the shared replication target vault. All existing backup data in the Standard storage class of the source backup vault and all new data are continuously and securely synchronized to the replication target vault in the destination account using an asynchronous replication mechanism. The replication target vault serves as a read-only replica of the source backup vault and is used for disaster recovery and high availability. To use cross-account replication for backup vaults, you must grant permissions for the replication target vault using Resource Sharing. You can initiate sharing based on a Resource Directory.
The entire replication process runs automatically in the background without requiring manual intervention. This mechanism balances cross-region network latency and transmission efficiency. It ensures data consistency and achieves an acceptable recovery point objective (RPO) to meet the disaster recovery needs of most business scenarios.
If data in the source account's backup vault is lost, a recovery operation can be quickly initiated from the replication target vault. This lets you rebuild critical applications and data, which effectively ensures business continuity.
Usage notes
For information about the regions that support cross-account replication of backup vaults, see Features by region.
The data sources that support cross-account replication of backup vaults include ECS files, OSS, on-premises NAS, Apsara File Storage NAS, Tablestore, CPFS, local files, and SAP HANA.
ImportantFor ECS instances, cross-region replicatio can only be enabled within a backup policy.
Cross-account replication is not supported for the following vault types: OSS Backup (30-day Free Trial), NAS Backup (30-day Free Trial), Tablestore Backup (30-day Free Trial), replication target vaults, archive vaults, Database Backup vaults, or container backup vaults. Vaults in an abnormal state, such as ERROR, are also not supported.
Each account can create a maximum of five replication target vaults in each region.
VMware VMs cannot be restored from a replication target vault.
A backup vault can synchronize data to only one replication target vault at a time.
A replication target vault can only be used to store and restore replicated data. You cannot configure backup plans to create backups in it.
After you configure cross-account replication for a backup vault, the lifecycle of backup points in the destination backup vault is consistent with that of the source account while the vault is in the replicating state. You cannot modify the lifecycle.
When automatic archiving is enabled for the source backup vault, data in the Archive storage class of the source vault is not synchronized to the replication target vault. After data in the Standard storage class of the source backup vault is moved to the Archive storage class, the corresponding data in the replication target vault is also deleted.
Before you delete a source backup vault, you must first stop the cross-account replication. After you stop replication, deleting the source backup vault does not delete the replication target vault.
Backup points in a replication target vault are not associated with any backup policy. Therefore, after a replication relationship is stopped, the backup points in the replication target vault are automatically deleted based on the retention period configured in the source backup vault. You can also manually delete them earlier. Even if the backup policy associated with the source backup vault is configured to "retain at least one version", this setting does not take effect in the replication target vault. You cannot modify the retention period of backup points in the replication target vault.
The replication target vault must use the same encryption method as the source backup vault, whether it is Cloud Backup-managed or KMS.
Prerequisites
The Storage Vault Type of the source backup vault must be General Backup. The Storage Vault Type of the destination backup vault must be Replication Target Vault. To view the types of created vaults, see Manage storage vaults. You can create a backup vault when you manage vaults, create a backup policy, or configure a backup vault for a backup source.
To share resources within an organization based on a resource directory, you must complete the following operations:
The owner and the user of the replication target vault must belong to the same Resource Directory.
Enable the resource directory by completing the following configurations: Enable a resource directory, Create a folder, Create a member, Invite an Alibaba Cloud account to join a resource directory, and Move a member.
Ensure that sharing with the resource directory is enabled. If it is not, enable sharing with a resource directory.
Procedure
Cross-account replication for backup vaults can be enabled from the Backup Vaults page or in the Policy Center. After you enable replication, all existing backup data in the Standard storage class of the source backup vault and all new backup data generated after that time are automatically synchronized to the replication target vault.
For information about how to enable Backup Vault Replication when you create or edit a policy, see Policy Center.
Step 1: Create a replication target vault in the destination account
Create a replication target vault to serve as the destination for cross-account replication.
Log on to the Cloud Backup console - Backup Vaults of the destination account. On the Storage Vaults page, select the destination region.
Click Create Replication Target Vault.
In the Create Replication Target Vault panel, configure the parameters for the replication target vault.
Parameter
Description
Vault Name
Enter a name for the replication target vault.
Vault Description
Enter a description for the replication target vault.
Vault Resource Group
Select the resource group to which the replication target vault belongs.
Backup Vault Encryption Method
ImportantThe encryption method of the replication target vault must be the same as that of the source backup vault.
Select an encryption method for the replication target vault. The default method is Cloud Backup-managed, which uses the backup service's built-in encryption.
If the source backup vault is encrypted with a customer master key (CMK) from the Alibaba Cloud Key Management Service (KMS), click KMS and select a KMS KeyId. As needed, select the Use KMS Alias check box to use the alias of the KMS key as the identifier for the KMS Key ID. For more information, see Select a KMS key.
Click OK.
Step 2: Share the resource from the destination account to the source account
After you share a replication target vault with another account, the account that owns the vault is charged for all resulting storage and traffic fees. Evaluate the potential cost risks before sharing.
Share the resource from the destination account to the source account using a resource share.
Log on to the Cloud Backup console - Backup Vaults of the destination account. On the Storage Vaults page, select the destination region.
Hover over the ┇ icon in the Actions column of the replication target vault and select Resource sharing.
In the displayed panel, configure the sharing information.
To add the current resource to an existing resource share and reuse its principals and permissions, click Existing Resource Share and select an existing resource share.
The system displays the list of shared resources, principals, and associated permissions in the resource share.
If this is the first time you are sharing, or if you want to isolate permissions, click New Resource Share and configure the sharing parameters. For more information about the parameters, see Create a resource share.
Parameter
Description
Resource Share Name
The name of the resource share.
Principal Scope
Valid values:
All Accounts: The resource owner can share resources with any principal.
Objects Within Resource Directory: The resource owner can share resources only within the resource directory. This means the management account or a member of the resource directory can share resources with the resource directory itself, its folders, and its members.
Principals
Specify the principals. Add principals from your resource directory or add them manually. Principal types include Alibaba Cloud accounts, resource directory organizations, or folders (organizational units).
ImportantIf you have not enabled a resource directory, you can only share resources with specified Alibaba Cloud accounts. The option to add principals from your resource directory is available only when a resource directory is enabled.
Share resources with a specified Alibaba Cloud account (UID)
Set Add Method to Manual. Then, set Principal Type to Alibaba Cloud Account, enter the Principal ID, and click OK.
Share resources with all member accounts in the entire resource directory (including new members added later)
Use either of the following methods:
Set Add Method to From Resource Directory, select the resource directory organization, and click OK.
Set Add Method to Manual. Then, set Principal Type to Resource Directory, enter the Resource Directory ID, and click OK.
Share resources with all members in a specified folder (including new members added later)
You can use either of the following methods:
Set Add Method to From Resource Directory, select the folder, and click OK.
Set Add Method to Manual. Then, set Principal Type to Folder (Organizational Unit), enter the Folder ID, and click OK.
The folder ID format is `fd-string`. For information about how to obtain a folder ID, see View the basic information of a folder.
Associated Permissions
Configure permissions for the principals (backup vault users). A Cloud Backup replication target vault corresponds to only one default permission, AliyunRSDefaultPermissionHBRVault. You cannot modify the associated permission. To view the specific permission details, go to the Permission Library in the Resource Sharing console.
Click OK.
Step 3: Configure backup vault replication in the source account
Configure cross-account replication for the backup vault to replicate data from the source account to the replication target vault in the destination account.
Log on to the Cloud Backup console - Backup Vaults of the source account. On the Storage Vaults page, select the region where the source backup vault is located.
In the Actions column of the target backup vault, click Configure backup vault replication.
In the Initiate backup vault replication panel, click Select Replication Target Vault. Then, select the region where the destination account's backup vault is located and the shared replication target vault from Step 1.
Click OK.
After you complete the configuration, Cloud Backup starts to synchronize the historical data of the source backup vault. View the synchronization progress in the region of the destination account. After the synchronization is complete, all data in the source backup vault is backed up.
Restore data from a mirror vault
Restore ECS files from a mirror vault
Step 1: Create an ECS instance used for data restoration
Prepare an ECS instance for data restoration. For more information about creating an ECS instance, see Create and manage an ECS instance in the console (express version).
The region of the ECS instance must be the same as that of the mirror vault.
Step 2: Create a restore job in the Cloud Backup console
When creating a restore job, select the created mirror vault as the source vault, and select the ECS instance created in Step 1 as the object to be restored. Make sure other settings match those configured when creating the backup job. After the restore job completes, data is restored to the data source in the region where the mirror vault resides.
For more information, see Recover ECS files.
Restore OSS objects from a mirror vault
Step 1: Create an OSS bucket used for data restoration
For more information, see Create a bucket.
The region of the OSS bucket must be the same as that of the mirror vault.
Step 2: Create a restore job in the Cloud Backup console
When creating a restore job, select the created mirror vault as the source vault, and select the OSS bucket created in Step 1 as the object to be restored. Make sure other settings match those configured when creating the backup job. After the restore job completes, data is restored to the data source in the region where the mirror vault resides.
For more information, see Create an OSS restore job.
Restore NAS files from a mirror vault
Step 1: Create a NAS file system used for data restoration
Prepare a NAS file system for data restoration. For more information about creating a NAS file system, see Create a file system.
The region of the NAS file system must be the same as that of the mirror vault.
Step 2: Create a restore job in the Cloud Backup console
When creating a restore job, select the created mirror vault as the source vault, and select the NAS file system created in Step 1 as the object to be restored. Make sure other settings match those configured when creating the backup job. After the restore job completes, data is restored to the data source in the region where the mirror vault resides.
For more information, see Create a restore job for a single NAS file system in the same region.
Restore an SAP HANA instance from a mirror vault
Step 1: Create an SAP HANA instance used for data restoration
Prepare an SAP HANA instance for data restoration. You must register the SAP HANA instance in the Cloud Backup console.
The region of the SAP HANA instance must be the same as that of the mirror vault.
Step 2: Register the SAP HANA instance in the Cloud Backup console
For more information, see Register an SAP HANA instance.
Step 3: Create a restore job in the Cloud Backup console
When creating a restore job, select the created mirror vault as the source vault, and select the SAP HANA instance created in Step 1 as the object to be restored. Make sure other settings match those configured when creating the backup job. After the restore job completes, data is restored to the data source in the region where the mirror vault resides.
For more information, see Restore an SAP HANA database.
Restore a Tablestore instance from a mirror vault
Step 1: Create a Tablestore instance used for data restoration
Prepare a Tablestore instance for data restoration. For more information about creating a Tablestore instance, see Create a Tablestore instance.
The region of the Tablestore instance must be the same as that of the mirror vault.
Step 2: Create a restore job in the Cloud Backup console
When creating a restore job, select the created mirror vault as the source vault, and select the Tablestore instance created in Step 1 as the object to be restored. Make sure other settings match those configured when creating the backup job. After the restore job completes, data is restored to the data source in the region where the mirror vault resides.
For more information, see Restore a Tablestore table.
Restore an on-premises NAS file system from a mirror vault
Step 1: Create an on-premises NAS file system used for data restoration
Prepare an on-premises NAS file system for data restoration.
Step 2: Install a Cloud Backup client
For more information, see Install a Cloud Backup client.
Step 3: Create a restore job in the Cloud Backup console
When creating a restore job, select the created mirror vault as the source vault, and select the on-premises NAS file system created in Step 1 as the object to be restored. Make sure other settings match those configured when creating the backup job. After the restore job completes, data is restored to the data source in the region where the mirror vault resides.
For more information, see Restore files to an on-premises NAS file system.
Restore on-premises files from a mirror vault
Step 1: Prepare an on-premises server used for data restoration
The on-premises server is used to store restored files. You must create a folder on the server.
Step 2: Install a Cloud Backup client
For more information, see Install a backup client.
Step 3: Create a restore job in the Cloud Backup console
When creating a restore job, select the created mirror vault as the source vault, and select the on-premises server created in Step 1 as the object to be restored. Make sure other settings match those configured when creating the backup job. After the restore job completes, data is restored to the data source in the region where the mirror vault resides.
For more information, see Restore on-premises files.
Restore a CPFS file system from a mirror vault
Step 1: Create a CPFS file system used for data restoration
Prepare a CPFS file system for data restoration.
The region of the CPFS file system must be the same as that of the mirror vault.
Step 2: Create a restore job in the Cloud Backup console
When creating a restore job, select the created mirror vault as the source vault, and select the CPFS file system created in Step 1 as the object to be restored. Make sure other settings match those configured when creating the backup job. After the restore job completes, data is restored to the data source in the region where the mirror vault resides.
For more information, see Restore a CPFS file system.
Stop cross-account replication of backup vaults
After you stop cross-account replication for a backup vault, the current replication relationship cannot be resumed. Proceed with caution. The detached replication target vault can only be used for data restoration.
To stop cross-account replication, go to the region where the source backup vault is located. In the Actions column of the source backup vault, click Stop backup vault replication and confirm the operation.
After you stop cross-account replication, new data from the source backup vault is no longer replicated to the destination. The data already replicated to the replication target vault can still be used for restoration.
Deleting a backup vault removes all backup data within it, and the corresponding backups cannot be restored. Proceed with caution.
After you stop cross-account replication, perform the following operations as needed:
Delete data in the replication target vault: Select the replication target vault and then delete it.
Enable the backup lock feature for the replication target vault: This prevents backup data from being accidentally deleted or attacked by ransomware before the retention period expires.
Delete data in the source backup vault: Go to the region where the source backup vault is located. Hover over the ┇ icon in the Actions column of the source backup vault and select Delete. Confirm the operation to delete the vault.
Billing details
When you use cross-account replication for backup vaults, storage capacity fees are generated. If the source backup vault and the replication target vault are in different regions, cross-region replication traffic fees are also generated. The account that owns the replication target vault is charged for the storage capacity of the vault and any traffic fees generated from cross-region and cross-account replication.
View the Resource plan purchase guide and purchase a subscription resource plan to offset storage capacity fees. Cross-region replication traffic fees support only the pay-as-you-go billing method.
Cloud Backup does not charge a fee when you use a replication target vault to restore data to a resource in the same region.
When you restore data to an on-premises NAS or a local server over the Internet instead of a VPN or a leased line, outbound traffic fees are generated. Traffic fees are charged based on the actual amount of data restored. For more information, see On-premises NAS restore fees and Local server file restore fees.
For detailed pricing information, see Cloud Backup Pricing.
FAQ
Is there a fee for cross-account replication of backup vaults?
The feature itself is free of charge. You are charged for the capacity of the replication target vault that is used during replication. In a cross-region scenario, you are also charged for traffic. The account that owns the replication target vault is charged for both storage capacity and traffic fees. For more information, see Billing details.
What is the difference between cross-account replication of backup vaults and cross-account backup? What are their application scenarios?
Cross-account replication of backup vaults means that a source account has already performed a backup and generated backup data. The source account replicates its own backup vault data to another Alibaba Cloud account to achieve backup data redundancy or enable cross-account use.
Cross-account backup means that a backup operations account centrally issues backup policies to other accounts. The backup data of these other accounts is stored in the backup operations account. The backup operations account uses this backup data to perform data restoration as needed, which achieves centralized management of backup data.
Both methods are widely used in enterprise data security and compliance scenarios. You can also combine both methods to achieve both centralized management and redundancy of backup data.
Where can I view mirror vaults?
Switch to the region where the mirror vault resides. On the Storage Vaults page of the Cloud Backup console, you can view the created mirror vaults.
What is the billing basis for the usage of a mirror vault?
The amount of data stored in the mirror vault is the basis for billing.
Can I set the synchronization frequency for cross-account replication of backup vaults?
For example, the source backup vault is backed up once a day, but the replication target vault only needs to be synchronized once a week.
No, this is not supported. The synchronization frequency cannot be configured, as data is replicated continuously.
Do mirror vaults support zone-redundant storage?
Yes.
To ensure maximum redundancy for your backup data, in regions that support zone-redundant backup vaults, Cloud Backup uses zone-redundant backup vaults by default. If a region only supports locally redundant backup vaults, Cloud Backup uses locally redundant backup vaults. You do not need to manually select the vault type.
Currently, the regions that support zone-redundant backup vaults are China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore, Indonesia (Jakarta), and Germany (Frankfurt).