How do I enable the application-consistent backup feature when I back up an ECS instance? - Cloud Backup

Cloud Backup provides the application-consistent backup feature based on Cloud Assistant and the backup service. The application-consistent backup feature helps prevent unexpected startup operations during data restore, for example, log restore operations at the startup of database applications. This way, all applications start in a consistent state.

Prerequisites

Your Elastic Compute Service (ECS) instance runs one of the following operating systems:
- Windows: Windows Server 2019, Windows Server 2016, and Windows Server 2012.
- Linux: CentOS version 7.6 and later, Ubuntu version 18.04 and later, and Alibaba Cloud Linux version 2 (2.1903 LTS 64-bit).
All disks that are attached to your ECS instance are enhanced SSDs (ESSDs) and the file systems are ext3, ext4, XFS, or New Technology File System (NTFS).
ECS instance backup is available only in some regions. For more information, see Features available in each region. SAU (Riyadh - Partner Region) supports ECS instance backup but does not support application-consistent backup.
Application-consistent backup is not supported if you use a snapshot-consistent group, or back up multiple ECS instances at a time, or if some disks attached to your ECS instance are not ESSDs.

Background information

By default, Cloud Backup creates crash-consistent backup files based on the Alibaba Cloud snapshot service. If you enable the application-consistent backup feature when you back up an ECS instance, Cloud Backup creates an application-consistent backup file based on the actual scenario.

The application-consistent backup feature helps back up in-memory data and in-progress database transactions when backup files are being created. This way, the consistency between the application data and database transactions is ensured. The application-consistent backup feature helps prevent data corruption, data loss, and log restore operations at the startup of database applications. This way, all applications start in a consistent state.

Step 1: Configure a RAM role for the ECS instance

Before you enable the application-consistent backup feature, you must configure a RAM role for the ECS instance.

Log on to the Resource Access Management (RAM) console with your Alibaba Cloud account.
Create a RAM role for the application-consistent backup feature. For more information, see Create a RAM role for a trusted Alibaba Cloud service.
The following figure shows how to create the AppSnapshotRoleName RAM role.

Create a policy for the application-consistent backup feature. For more information, see Create custom policies.

快照权限

Create the AppSnapshotPolicy policy, which grants the permissions to query snapshot details, create snapshots, configure tags, and query disk details. You can use the following policy:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeSnapshot*",
                "ecs:CreateSnapshot*",
                "ecs:TagResources",
                "ecs:DescribeDisks"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {}
        }
    ]
}

Attach the AppSnapshotPolicy policy to the AppSnapshotRoleName RAM role. For more information, see Grant permissions to a RAM role.
Attach the AppSnapshotRoleName RAM role to the ECS instance. For more information, see Use instance RAM roles to control access to resources.

Step 2: Enable the application-consistent backup feature

For Windows ECS instances, you can use Volume Shadow Copy Service (VSS) to implement application consistency.

For Linux ECS instances, you must configure shell scripts (pre-freeze and post-thaw scripts) based on the applications deployed on the instances to implement application consistency.

Log on to the Cloud Backup console.
In the left-side navigation pane, choose Backup > ECS Instance Backup.
In the top navigation bar, select a region.
In the upper-right corner of the page, click Add ECS Backup.

In the Add ECS Backup panel, perform the following steps:

Specify the backup objects and click Next.
Important
- You must select the ECS instances and disks that you want to back up. Protect All Disks is turned on by default. If you want to protect all disks of an ECS instance, turn on Protect All Disks. In this case, the disks that are later attached to the ECS instance are also protected. If you want to protect only specific disks, turn off Protect All Disks.
- You can associate up to 99 ECS instances with a backup policy.
- Cloud Backup automatically checks whether the selected ECS instances support snapshot-consistent groups. Cloud Backup automatically creates a snapshot-consistent group for the ECS instances that support snapshot-consistent groups. If an ECS instance does not support snapshot-consistent groups, Cloud Backup ensures only the crash consistency of disks. For more information, see Create a snapshot-consistent group.

Configure the backup settings and click OK.

You can select Manual Backup or Auto Backup. The following list describes the parameters.

Manual Backup

Only one backup file is created for the selected ECS instances at the current point in time.

You must specify the retention period of the backup data, whether to enable application-consistent backup, and whether to enable cross-region replication.

Parameter	Description
Retention Period	The retention period of the backup data. Unit: days, weeks, months, or years.
Replication Encryption Configuration	Auto Config: Cloud Backup automatically selects an encryption method based on whether the source disk is encrypted. If the source disk is not encrypted, Cloud Backup directly replicates the backups to the specified destination region. If the source disk is encrypted, Cloud Backup uses the default service CMK created by KMS to encrypt the backups, and then replicates the backups to the specified destination region. Note Key Management Service provides default data encryption capabilities for other Alibaba Cloud services. You can view service keys in the Key Management Service console. For more information, see Overview of integration with KMS. Assign KMS Key: Data is encrypted by using the KMS key of the specified destination region, regardless of whether the source disk is encrypted. Important If you enable KMS-based encryption, you cannot modify a KMS key. Before you can use a KMS key to encrypt data, you must create the key in the Key Management Service console. For more information, see Create a CMK.
Application Consistent Backup	If you select a single ECS instance, you can turn on Application Consistent Backup to enable the application-consistent backup feature. For more information, see Enable the application-consistent backup feature.
Replication to Other Region	Turn on Replication to Other Region to enable the cross-region replication feature. Backups are automatically replicated to the Destination Region. If an ECS instance is infected with viruses or data is lost due to accidental deletion, you can use the backups replicated to the destination region to create another ECS instance to restore data.

Auto Backup

Important

If you select a region that supports backup policies, associate a backup policy with the ECS instances that you want to back up. Cloud Backup periodically backs up the ECS instances.

To view the regions that support backup policies, click Policy Center in the left-side navigation pane of the Cloud Backup console. For more information about how to create a backup policy, see Create a backup policy.

If you select a region that does not support backup policies, configure the following parameters to create a backup plan.

Parameter	Description
Backup Policy	Select a proper backup policy from the drop-down list. Cloud Backup automatically backs up data sources based on the backup policy that you configure. Backup policies help you flexibly manage data sources. A backup policy includes the following settings: backup vault encryption method, backup interval, retention period, cross-region replication policy, and automatic archiving of backups. If the default backup policy does not meet your requirements, you can click Create Policy or Edit Policy to create or modify a backup policy. For more information about the parameters in a backup policy, see Manage backup policies.
Replication Encryption Configuration	This parameter is required only if you turn on Replication to Other Region in Backup Policy. Auto Config: Cloud Backup automatically selects an encryption method based on whether the source disk is encrypted. If the source disk is not encrypted, Cloud Backup directly replicates the backups to the specified destination region. If the source disk is encrypted, Cloud Backup uses the default service CMK created by KMS to encrypt the backups, and then replicates the backups to the specified destination region. Note Key Management Service provides default data encryption capabilities for other Alibaba Cloud services. You can view service keys in the Key Management Service console. For more information, see Overview of integration with KMS. Assign KMS Key: Data is encrypted by using the KMS key of the specified destination region, regardless of whether the source disk is encrypted. Important If you enable KMS-based encryption, you cannot modify a KMS key. Before you can use a KMS key to encrypt data, you must create the key in the Key Management Service console. For more information, see Create a CMK.
Application Consistent Backup	If you select a single ECS instance, you can turn on Application Consistent Backup to enable the application-consistent backup feature. For more information, see Enable the application-consistent backup feature.

Select Application Consistent Backup.
- Enable the application-consistent backup feature for a Windows ECS instance
  Note
  If you select Application Consistent Backup, you must install Cloud Assistant Agent on the ECS instance. In Windows, the process of Cloud Assistant Agent is named AliyunService. For more information, see Overview.
- Enable the application-consistent backup feature for a Linux ECS instance
  Write the application pre-freeze and post-thaw scripts based on the applications deployed on the ECS instance and upload the scripts to the ECS instance.
  You can use the FTP service or Cloud Assistant to upload the application pre-freeze and post-thaw scripts to the ECS instance.
  - Application pre-freeze scripts: Run the chmod 700 /tmp/prescript.sh command to grant the read, write, and execute permissions on the scripts only to the root user. /tmp/prescript.sh is the save path of the scripts.
  - Application post-thaw scripts: Run the chmod 700 /tmp/postscript.sh command to grant the read, write, and execute permissions on the scripts only to the root user. /tmp/postscript.sh is the save path of the scripts.
  Important
  If Application Consistent Backup is selected and the scripts are configured as expected, Cloud Backup creates application-consistent backup files.
  If Application Consistent Backup is selected but no scripts are configured or the scripts are not configured as expected, Cloud Backup creates file system-consistent backup files.
  Sample scripts for the application-consistent feature:
  - Download the application-consistent scripts for MySQL.
    After you download and deploy the scripts, you must specify the password of a MySQL database in the scripts.
  - Download the application-consistent scripts for Oracle.
    After you download and deploy the scripts, you must specify the installation path of an Oracle database in the scripts.
  Note
  If you select Application Consistent Backup, you must install Cloud Assistant Agent on the ECS instance. In Linux, the process of Cloud Assistant Agent is named aliyun.service. You can run the ps aux|grep aliyun.service command to check whether Cloud Assistant Agent is installed. For more information, see Overview.
Click OK.