How to enable the application-consistent backup feature for an ECS instance backup - Cloud Backup

Cloud Backup provides the application-consistent backup feature in collaboration with Cloud Assistant and the backup service. Restoring data from an application-consistent backup prevents log replay when you start applications, such as databases. This ensures that your applications start in a consistent state.

Prerequisites

The Elastic Compute Service (ECS) instance must run one of the following operating systems:
- Windows: Windows Server 2019, Windows Server 2016, and Windows Server 2012.
- Linux: CentOS 7.6 and later, Ubuntu 18.04 and later, and Alibaba Cloud Linux 2 (2.1903 LTS 64-bit).
All disks that are attached to the ECS instance must be enhanced SSDs (ESSDs), and the file systems must be EXT3, EXT4, XFS, or NTFS.
For information about the regions that support ECS instance backup, see Features available by region. Although ECS instance backup is supported in the SAU (Riyadh - Partner Region) region, application-consistent backup is not.
Application-consistent backup is not supported if you enable snapshot-consistent groups, back up multiple ECS instances in a batch, or if any disk attached to the ECS instance is not an ESSD.

Background information

By default, Cloud Backup works with the Alibaba Cloud snapshot service to create crash-consistent backups. If you enable the application-consistent backup feature when you create an instance backup, an application-consistent backup is created based on your configurations.

Application-consistent backups capture in-memory data and in-progress database transactions when the backup is created. This process ensures the consistency of application data and database transactions. Application-consistent backups prevent data corruption, data loss, and log replay when you start database applications. This ensures that your applications start in a consistent state.

Step 1: Configure a RAM role for the ECS instance

Before you enable the application-consistent backup feature, you must configure a RAM role for the ECS instance.

Log on to the Resource Access Management (RAM) console using your Alibaba Cloud account.
Create a RAM role for the application-consistent backup feature. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
The following figure shows an example of how to create the AppSnapshotRoleName RAM role.

Create a custom policy for the application-consistent backup feature. For more information, see Create custom policies.

快照权限

Create the AppSnapshotPolicy policy. This policy grants permissions to query backup information, create backups, configure tags, and query disk information. Use the following policy content.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeSnapshot*",
                "ecs:CreateSnapshot*",
                "ecs:TagResources",
                "ecs:DescribeDisks"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {}
        }
    ]
}

Attach the custom policy (AppSnapshotPolicy) to the RAM role (AppSnapshotRoleName). For more information, see Grant permissions to a RAM role.
Attach the RAM role (AppSnapshotRoleName) to the destination instance. For more information, see Instance RAM roles.

Step 2: Enable the application-consistent backup feature

For Windows instances, application consistency is achieved using the Volume Shadow Copy Service (VSS).

For Linux instances, you must customize shell scripts (freeze and unfreeze scripts) based on the applications on the ECS instance to achieve application consistency.

Log on to the Cloud Backup console.
In the navigation pane on the left, choose Backup > ECS Instance Backup.
In the top navigation bar, select a region.
In the upper-left corner, click Add ECS Backup.

In the Add ECS Backup dialog box, configure the following parameters.

Select the objects to back up and click Next.
Important
- Select the ECS instances that you want to back up. By default, all disks are backed up. You can click All Disks to select specific disks in the Backup Object dialog box.
  By default, the Protect All Disks switch is enabled to protect all existing disks and any new disks that are attached to the ECS instance. You can disable the Protect All Disks switch and select specific disks to protect.
- You can create backups for up to 99 ECS instances at a time.
- Cloud Backup automatically detects whether the disks and operating system of the selected ECS instance support application-consistent snapshot groups. If the instance is supported, Cloud Backup first attempts to create an application-consistent snapshot group. If the creation requirements for an application-consistent snapshot group are not met, it attempts to create a snapshot-consistent group. If the creation requirements for a snapshot-consistent group are also not met, Cloud Backup creates a crash-consistent backup for each disk.

Configure backup options and click OK.

Select Manual Backup or Associate Backup Policy to specify the backup method. The following tables describe the parameters.

Manual Backup

This option creates a single backup of the ECS instance at the current point in time. You can set the retention period and specify whether to enable application-consistent backup and cross-region replication.

Parameter	Description
Retention Period	Select the retention period for the backup. You can set the unit to Day, Week, Month, or Year.
Replication to Other Region	Turn on the Replication to Other Region switch to enable cross-region replication and configure the parameters as needed. Destination Region: The region to which backups are automatically replicated. Remote Retention Period: The retention period for cross-region backups. You can set the unit to Day, Week, Month, or Year. Replication Encryption Configuration: The following encryption methods are available: Auto Config: Cloud Backup automatically selects an encryption method based on whether the source disk is encrypted. If the source disk is not encrypted, Cloud Backup directly replicates the backup to the destination region. If the source disk is encrypted, Cloud Backup uses the default key (Default Service CMK) created by the cloud service to encrypt the backup before replicating it to the destination region. Note Key Management Service (KMS) provides default encryption for Alibaba Cloud services. You can view the service key in the KMS console. For more information, see Overview of KMS integration for cloud services. Assign KMS Key: A specified KMS key in the destination region is used for encryption, regardless of whether the source disk is encrypted. The first time you use a specified KMS key for encryption, grant Cloud Backup permissions to access KMS as prompted on the screen. Important After you use a specified KMS key for encryption, you cannot change the key. Before you use a specified KMS key for encryption, create a KMS key in Alibaba Cloud KMS. For more information, see Create a key. After replication to the destination region, if the source ECS instance is infected by a virus or its data is accidentally deleted, you can use the replicated backup to create a new instance and recover the data.
Application Consistent Backup	If you select a single ECS instance that contains only ESSD disks, you can turn on the Application Consistent Backup switch to enable application-consistent backup.

Associate Backup Policy

If you associate a backup policy, Cloud Backup periodically backs up the ECS instance.

Important

In the navigation pane on the left of the console, you can click Policy Center to view the regions where backup policies are supported. To create a backup policy, see Create a backup policy.

Parameter	Description
Backup Policy	Select a backup policy from the drop-down list. Cloud Backup automatically backs up data sources according to the backup policy you set. A backup policy includes settings such as backup vault encryption, backup interval, retention period, cross-region replication policy, and automatic archiving. This helps you flexibly manage your data source assets. If the default backup policy does not meet your needs, click Create Backup Policy or Edit Policy to manage backup policies. For more information about the parameters in a backup policy, see Policy center.
Replication Encryption Configuration	This parameter is required only if the Replication to Other Region switch is turned on in the Backup Policy. Turn on the Replication Encryption Configuration switch and select an encryption method as needed. Auto Config: Cloud Backup automatically selects an encryption method based on whether the source disk is encrypted. If the source disk is not encrypted, Cloud Backup directly replicates the backup to the destination region. If the source disk is encrypted, Cloud Backup uses the default key (Default Service CMK) created by the cloud service to encrypt the backup before replicating it to the destination region. Note Key Management Service (KMS) provides default encryption for Alibaba Cloud services. You can view the service key in the KMS console. For more information, see Overview of KMS integration for cloud services. Assign KMS Key: A specified KMS key in the destination region is used for encryption, regardless of whether the source disk is encrypted. The first time you use a specified KMS key for encryption, grant Cloud Backup permissions to access KMS as prompted on the screen. Important After you use a specified KMS key for encryption, you cannot change the key. Before you use a specified KMS key for encryption, create a KMS key in Alibaba Cloud KMS. For more information, see Create a key.
Application Consistent Backup	If you select a single ECS instance that contains only ESSD disks, you can turn on the Application Consistent Backup switch to enable application-consistent backup.

Click Application Consistent Backup.
- Enable application-consistent backup for a Windows instance
  Note
  If you select Application Consistent Backup, ensure that Cloud Assistant Agent is installed on the ECS instance. In the Windows operating system, the Cloud Assistant Agent process is named AliyunService. For more information, see Overview of Cloud Assistant.
- Enable application-consistent backup for a Linux instance
  Prepare freeze and unfreeze scripts based on the applications on the ECS instance and upload the scripts to the instance.
  Use FTP or Cloud Assistant to upload the freeze and unfreeze scripts to the ECS instance.
  - Application freeze script path: Ensure that only the root user has read, write, and execute permissions for the script (permission 700). Example command: chmod 700 /tmp/prescript.sh. The script must be saved to `/tmp/prescript.sh`.
  - Application unfreeze script path: Only the root user must have read, write, and execute permissions for the script (permission 700). For example, run the following command: chmod 700 /tmp/postscript.sh. The script must be saved to the `/tmp/postscript.sh` path.
  Important
  If you select Application Consistent Backup and correctly configure the scripts, you will create an application-consistent backup.
  If you select Application Consistent Backup but the scripts are not configured correctly, a file system-consistent backup is created instead.
  Sample application-consistent scripts:
  - Download application-consistent scripts for MySQL.
    After you download and deploy the scripts, you must set the MySQL database password in the scripts.
  - Download application-consistent scripts for Oracle.
    After you download and deploy the scripts, you must set the Oracle database installation path in the scripts.
  Note
  After you select Application Consistent Backup, ensure that Cloud Assistant Agent is installed on the ECS instance. On a Linux operating system, the Cloud Assistant Agent process is named aliyun.service. Run the ps aux|grep aliyun.service command to verify the installation. For more information, see Overview of Cloud Assistant.
Click OK.