How to share a backup set of a PolarDB cluster - PolarDB

Sharing database backups with other teams or partners for data analysis, testing, or migration often involves slow and complex data exports. The shared backup set feature in PolarDB simplifies this process. This feature is based on the Alibaba Cloud Resource Sharing service and lets you securely grant another Alibaba Cloud account access to specific backup sets to restore data to a new cluster in their own account.

Note

This feature is currently in beta. To enable it for your account, submit a ticket.

How it works

When you share a backup set, you are not copying the backup data. Instead, you are granting another Alibaba Cloud account (the "resource user") read-only access to a backup set that remains within your account (as the "resource owner"). This process is managed by Alibaba Cloud's Resource Sharing service, which uses RAM for secure permission control. The resource user can see the shared backup set in their PolarDB console and use it to restore data to a new cluster. They cannot delete, modify, or re-share the backup set.

Benefits

High efficiency: Sharing is nearly instantaneous. It eliminates the time and cost associated with transferring terabyte-scale data between accounts.
High security: Data never leaves your account. Access is controlled through Alibaba Cloud's RAM, preventing data exposure and eliminating the need to share account keys.
Low cost: The resource owner pays for the backup storage. The resource user pays only for the new resources they create, such as a new cluster restored from the shared backup.
Easy management: You can share, view, and revoke access to your backups at any time through the console.

Before you start

Cluster type:
- Shared backup set is not supported for Multi-master Cluster (Limitless) Edition clusters.
- Shared backup set is not supported for clusters in High-availability Mode with Three-zone deployment (with hot standby storage cluster and logger node enabled).
- Shared backup sets from the cluster recycle bin is not supported.
- An active backup set must exist.
Encryption feature: The Transparent Data Encryption (TDE) or disk encryption feature must be disabled.
Permissions: The RAM user or role that performs the sharing operation must have administrator permissions for PolarDB (AliyunPolardbFullAccess) and the Resource Sharing service (AliyunResourceCenterFullAccess).

Limitations

Note the following limitations when you use the shared backup set feature:

Sharing quantity limits:
- A single backup set can be shared with a maximum of 64 Alibaba Cloud accounts.
- By default, a single Alibaba Cloud account can share a maximum of 1,000 resources as a resource owner. To share more backup sets, you can Apply for a quota to increase the limit to 1,024.
  Note
  - The Resource Sharing service limits a single Alibaba Cloud account to sharing a maximum of 1000 resources as a resource owner.
  - PolarDB limits a single Alibaba Cloud account to sharing a maximum of 1,024 backup sets as a resource owner.
Sharing cross-region backup sets (backup set ID starts with rp-xxx) is not supported. Sharing and restoration are supported only within the same region. For example, if you share a backup set of a cluster in the China (Beijing) region, you can restore the cluster only in the China (Beijing) region using another Alibaba Cloud account.
Sharing backup sets between the Aliyun website (aliyun.com) and the Alibaba Cloud international website (alibabacloud.com) is not supported.
A principal cannot reshare a shared backup set with other accounts. Secondary sharing is not supported.
The sharing relationship is tied to the lifecycle of the backup set and its cluster. The principal loses access to the backup set if the resource owner unsubscribes from (releases) the cluster, deletes the backup set, the backup set is automatically released upon expiration, or the owner manually cancels the share.
Note
The revocation of access permissions is processed based on the system task schedule and is expected to take 10 minutes. During this period, although the access permissions still exist, the backup set cannot be used to restore a cluster.

Billing

The shared backup set feature is free of charge.
The resource owner is responsible for the storage costs of the backup set. For more information about billing rules, see Billing rules for backup storage (beyond the free quota).
Principals are not charged for accepting a shared backup set. However, when they use the backup set to restore data or clone a new cluster, they are charged based on the specifications of the new cluster.

Share a backup set

Go to the Clusters page in the PolarDB console and navigate to the Settings and Management > Backup And Restoration page of the target cluster.
On the Data Backups tab, find the backup set that you want to share. In the Actions column, click Share Backups.
In the dialog box that appears, select a sharing method as needed:
Create a new resource share
Select this method if you are sharing for the first time or want to create a separate resource share for this operation.
1. Set Resource Share Name: Enter an easy-to-identify name for the resource share.
2. Set Principal Scope: Select the scope for the principals.
  - All Accounts: The resource owner can share resources with any principal.
  - Objects Within Resource Directory: The resource owner can only share resources within the resource directory. This means the management account or a member of the resource directory can share resources with the resource directory itself, its folders, and its members.
3. Set Principals: Add one or more principals to the current resource share.
4. Click OK.
Select from existing resource shares
Select this method if you want to add this backup set to an existing resource share.
1. Select Resource Share: Select an existing resource share from the Select Resource Share drop-down list. After you make a selection, the Shared Resource List displays the resources that are already shared in the current resource share.
2. (Optional) Edit Principals: Modify the principals in the existing resource share as needed.
3. Click OK.
After you share the backup set, the Attribute column for the target backup set displays Sharing for easy identification.
Note
The Sharing status is displayed only after you set a Principal. If no principal is set, - is displayed.

Accept a shared backup set

After a backup set is shared, the principal must accept the sharing invitation to use the shared backup set.

Go to the Resource Management console. In the navigation pane on the left, choose Resource Sharing > Shared To Me.
In the upper-left corner, select the region where the shared backup set resides.
Find the sharing invitation from the resource owner and click Accept.
After you accept the invitation, the status of the resource share changes to Enabled.

Use a shared backup set

After you accept a shared backup set, you can use it to restore data to a new cluster.

Go to the PolarDB console. In the navigation pane on the left, choose Shared Backups.
On the Shared Backups page, click the Shared With Me tab. Find the target backup set and click Restore Data to New Cluster.

Manage shared backup sets

After you share a backup set or accept a shared backup set, you can manage it centrally in the PolarDB console.

Note

When you (the resource owner) share a backup set, if you do not set a Principal for the backup set, the backup set is not displayed on the My Shares tab.
When a backup set is locked (for example, during a restoration from the backup set or during the conversion from a level-1 backup to a level-2 backup), you cannot modify the sharing settings or cancel the share.

View the sharing relationship of a backup set

On the Shared Backups page, click the My Shares tab. Find the target backup set and click Manage Sharing Relationship.
On the Resource Sharing > My Shares page in the Resource Management console, you can view the Resource Share and Principal for the backup set.

Modify the sharing settings of a backup set

On the Shared Backups page, click the My Shares tab. Find the target backup set and click Share Backup.
In the dialog box that appears, modify the sharing settings as needed.

Cancel sharing a backup set

On the Shared Backups page, click the My Shares tab. Find the target backup set and click Share Backup.
In the dialog box that appears, edit the principals and Remove the relevant ones.

FAQ

After I share a backup set, can I, as the resource owner, still use it normally?

Yes, you can. The sharing operation only grants read-only access to others. It does not affect your normal use of the backup set, including your own data restoration or cloning operations.

Why can't I find the backup set shared with me on the Shared Backups page in the PolarDB console?

This is usually because you have not yet accepted the sharing invitation. Go to the Resource Sharing > Shared With Me page in the Resource Management console to find and accept the invitation. After you accept the invitation, the backup set appears in the list on the Shared With Me tab.

Why is the Share Backup option not available in the Actions column for the backup set?

This option is unavailable if TDE or disk encryption is enabled for your cluster. Sharing encrypted backup sets is not currently supported.

Why do I receive an error when I try to modify the sharing settings of a backup set or cancel the share?

You cannot modify the sharing configuration or cancel the share for a locked backup set. For example, a backup set is locked when it is being used for a restoration operation or being converted from a level-1 backup to a level-2 backup.

PolarDB:Share backup set