Enable Backups for AKS Clusters
Ensure that your Azure Kubernetes Service (AKS) clusters are configured to use the Azure Backup service to back up cluster data (Kubernetes resources and the persistent volumes attached to the cluster). Azure Backup protects an AKS cluster through the Azure Backup extension installed in that cluster; the Backup vault interacts with the cluster through this extension to carry out backup and restore operations. Note that persistent volumes are included in the backup only when they are Azure Disk volumes provisioned through the Azure Disk CSI driver; other volume types are not captured.
AKS workloads often host critical applications and databases, and any data loss can lead to costly downtime or compliance issues. Azure Backup provides automated, scalable backups of AKS cluster resources and persistent volumes, so that data can be recovered after hardware failures, accidental deletions, or malicious activity such as ransomware. Enabling backups for AKS clusters supports disaster recovery and business continuity by allowing you to restore critical applications, configurations, and data after such events.
Audit
To check whether Azure Backup is enabled and configured for your Azure Kubernetes Service (AKS) clusters, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.
05 Click on the name (link) of the AKS cluster that you want to examine.
06 In the resource navigation panel, under Settings, choose Backup to access the Azure Backup configuration settings available for the selected AKS cluster.
07 If the Backup page shows an Install Extension button instead of the backup settings, the Azure Backup Extension is not installed on the cluster and data backups are not enabled for the selected Azure Kubernetes Service (AKS) cluster. If the extension is installed but the backup settings are not configured (the Configure backup button is displayed), data backups are not enabled for the selected AKS cluster either.
08 Repeat steps no. 5 - 7 for each AKS cluster provisioned in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run aks list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription:
az aks list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
05 The command output should return the requested AKS cluster names and their resource groups:
Name                        ResourceGroup
--------------------------  ------------------------------
cc-project5-aks-cluster     cloud-shell-storage-westeurope
cc-prod-kubernetes-cluster  cloud-shell-storage-westeurope
06 Run k8s-extension list command (Windows/macOS/Linux) with the name of the AKS cluster that you want to examine (and the associated resource group) as identifier parameters, to determine if the Azure Backup Extension is installed on the selected AKS cluster. The extension must be installed to enable backup and restore capabilities for AKS clusters:
az k8s-extension list --cluster-name cc-project5-aks-cluster --resource-group cloud-shell-storage-westeurope --cluster-type managedClusters --query '[*].name'
07 The command output should return the name of each Kubernetes extension installed on the specified AKS cluster. If the k8s-extension list command output returns an empty array (i.e. []), there are no Kubernetes extensions installed on the selected cluster:
[ "azureml", "flux" ]
Check the extensions list returned by the k8s-extension list command output for the "azure-aks-backup" extension. If "azure-aks-backup" is not returned by the command output, the Azure Backup Extension is not installed on the cluster, therefore, data backups are not enabled for the selected Azure Kubernetes Service (AKS) cluster. If the "azure-aks-backup" extension is available, continue the Audit process with the next step.
08 Run aks list command (Windows/macOS/Linux) with custom query filters to list the resource ID of each Azure Kubernetes Service (AKS) cluster available in the selected Azure subscription:
az aks list --query '[*].id'
09 The command output should return the requested AKS cluster IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-project5-aks-cluster", "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-prod-kubernetes-cluster" ]
10 Run dataprotection backup-instance list-from-resourcegraph command (Windows/macOS/Linux) with custom query filters to list the ID of each AKS cluster configured with a backup instance in the selected Azure subscription. The command queries Azure Resource Graph, so it finds backup instances across all Backup Vaults in scope; omit --resource-groups to cover the whole subscription:
az dataprotection backup-instance list-from-resourcegraph --resource-groups cloud-shell-storage-westeurope --datasource-type AzureKubernetesService --query '[*].datasourceId'
11 The command output should return the requested backup data source IDs:
[ "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-prod-kubernetes-cluster" ]
If the dataprotection backup-instance list-from-resourcegraph command output does not return the ID of the AKS cluster that you want to examine, data backups are not enabled for the selected Azure Kubernetes Service (AKS) cluster.
12 Repeat steps no. 6 - 11 for each AKS cluster available within the selected Azure subscription.
13 Repeat steps no. 3 – 12 for each subscription created in your Microsoft Azure cloud account.
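The CLI audit above is a manual loop over subscriptions and clusters. The script below, added here as an example (it is not code from the original page or from Microsoft), automates the same checks: for every subscription it lists the AKS cluster IDs, lists the datasource IDs of the backup instances known to Azure Backup, reports the clusters that have no backup instance, and for each of those says whether the Azure Backup extension is installed (which tells you whether remediation starts at "install extension" or at "configure backup"). The comparison logic is kept separate from the az calls so that it can be exercised on the constructed sample data embedded below without an Azure login. Assumptions that are this example's own: Azure CLI with the dataprotection and k8s-extension extensions is installed and az login has been run, the --subscriptions parameter scopes the Resource Graph query, and the datasourceId field is the one the audit step uses.

```python
"""Audit Azure Kubernetes Service clusters for Azure Backup coverage.

Added example; not part of the original page and not Microsoft code.
Dry run (no arguments) uses the constructed sample data; `--live` runs
the real audit through the Azure CLI.
"""
import json
import subprocess
import sys


def az(*args: str):
    """Run an Azure CLI command and return its parsed JSON output."""
    proc = subprocess.run(["az", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else []


def id_segment(resource_id: str, key: str) -> str:
    """Return the value that follows segment `key` in an ARM resource ID.

    The key is matched case-insensitively because Azure APIs spell the
    segment both as 'resourceGroups' and as 'resourcegroups'.
    """
    parts = resource_id.split("/")
    lowered = [p.lower() for p in parts]
    return parts[lowered.index(key.lower()) + 1]


def unprotected_clusters(all_ids, protected_ids):
    """Return the cluster IDs from all_ids that have no backup instance.

    IDs are compared case-insensitively: `az aks list` and the Resource
    Graph query can return the resourceGroups segment with different
    casing, and a plain string comparison would then report a protected
    cluster as unprotected.
    """
    protected = {p.lower() for p in protected_ids}
    return sorted(i for i in all_ids if i.lower() not in protected)


def backup_extension_installed(extension_names) -> bool:
    """True if the Azure Backup extension (azure-aks-backup) is present."""
    return "azure-aks-backup" in extension_names


def audit_subscription(subscription_id: str):
    """Return [(cluster_id, extension_installed)] for unprotected clusters."""
    az("account", "set", "--subscription", subscription_id)
    all_ids = az("aks", "list", "--query", "[*].id")
    protected = az("dataprotection", "backup-instance", "list-from-resourcegraph",
                   "--datasource-type", "AzureKubernetesService",
                   "--subscriptions", subscription_id,
                   "--query", "[*].datasourceId")
    findings = []
    for cluster_id in unprotected_clusters(all_ids, protected):
        names = az("k8s-extension", "list", "--cluster-type", "managedClusters",
                   "--cluster-name", id_segment(cluster_id, "managedClusters"),
                   "--resource-group", id_segment(cluster_id, "resourceGroups"),
                   "--query", "[*].name")
        findings.append((cluster_id, backup_extension_installed(names)))
    return findings


# Constructed sample data mirroring the outputs shown in the audit steps;
# note the different casing of the resourceGroups segment.
SAMPLE_CLUSTERS = [
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope"
    "/providers/Microsoft.ContainerService/managedClusters/cc-project5-aks-cluster",
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope"
    "/providers/Microsoft.ContainerService/managedClusters/cc-prod-kubernetes-cluster",
]
SAMPLE_PROTECTED = [
    "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope"
    "/providers/Microsoft.ContainerService/managedClusters/cc-prod-kubernetes-cluster",
]


def main(argv) -> int:
    """Dry run on sample data by default; `--live` audits every subscription."""
    if "--live" not in argv:
        findings = [(c, None) for c in unprotected_clusters(SAMPLE_CLUSTERS, SAMPLE_PROTECTED)]
    else:
        findings = [f for sub in az("account", "list", "--query", "[*].id")
                    for f in audit_subscription(sub)]
    for cluster_id, ext in findings:
        state = "unknown" if ext is None else ("installed" if ext else "missing")
        print(f"NOT BACKED UP: {cluster_id} (backup extension: {state})")
    return 1 if findings else 0  # non-zero so the check can gate a pipeline


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the dry run flag cc-project5-aks-cluster (the sample cluster without a backup instance), and with --live to audit the subscriptions your Azure CLI session can see. The non-zero exit code when unprotected clusters exist lets the script serve as a policy gate in CI.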
Remediation / Resolution
To enable and configure data backups for your Azure Kubernetes Service (AKS) clusters using Azure Backup service, perform the following operations:
Using Azure Portal
01 Sign in to the Microsoft Azure Portal.
02 Navigate to Backup vaults blade available at https://portal.azure.com/#browse/Microsoft.DataProtection%2FBackupVaults. An Azure Backup Vault is a secure storage container used to store and manage backup copies for AKS clusters and other Azure cloud resources, safeguarding your data and enabling efficient recovery in case of data loss.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 Choose Create and perform the following actions to deploy the Backup Vault required to manage your AKS cluster backups:
- For Basics, provide a name for the new Backup Vault, select the resource group where the resource will be created, and choose the appropriate backup storage redundancy. Geo-redundant storage provides the highest level of data durability, followed by Zone-redundant storage and Locally-redundant storage. Choose Next: Vault Properties > to continue the setup process.
- For Vault Properties, perform the following actions:
- For SECURITY SETTINGS, choose whether to enable immutability and soft delete, and set the soft delete retention period (the number of days for which deleted backup data is retained before being permanently removed). Keeping soft delete enabled and enabling immutability limits what an attacker or a mistaken operator holding vault permissions can destroy: soft-deleted backups can be recovered during the retention period, and an immutable vault blocks operations that would remove recovery points before their retention expires.
- For MANAGED IDENTITY SETTINGS, ensure that Enable System Identity is set to Enabled.
- For ENCRYPTION SETTINGS, choose the encryption key (Microsoft-managed or customer-managed) used to encrypt your backup data.
- For RESTORE SETTINGS, choose whether backups within your Backup Vault can be restored to a different Azure subscription and region.
- Choose Next: Tags > to continue the setup.
- For Tags, create the necessary tags and choose Next: Review + create > to validate the configuration information provided during setup.
- For Review + create, review the resource configuration details, then choose Create to deploy your new Azure Backup Vault.
05 Once the deployment is complete, click on the name (link) of the new Backup Vault, select Backup policies under Manage, and choose Add to create a new backup policy. The backup policy defines the frequency of data backups and the retention duration of backups:
- For Basics, provide a name for the new backup policy, and select Kubernetes Services as datasource type. Choose Next: Schedule + retention > to continue the setup process.
- For Schedule + retention, define the backup schedule and choose the retention duration for the backups. A new backup policy has a retention rule defined by default. You can edit this rule but you can't delete it. The default rule defines the retention duration for all the operational tier backups taken. You can also use the Add retention rule button to create additional retention rules to store backups for a longer duration. Choose Next: Review + create > to continue the setup.
- For Review + create, review the policy configuration details, then choose Create to deploy your new backup policy.
06 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
07 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
08 From the Type equals all filter box, choose Equals, select Kubernetes service, and choose Apply to list only the AKS clusters available in the selected Azure subscription.
09 Click on the name (link) of the AKS cluster that you want to back up.
10 In the resource navigation panel, under Settings, choose Backup to access the Azure Backup configuration settings available for the selected AKS cluster.
11 Choose Install Extension and perform the following steps to install the Azure Backup Extension (if the Install Extension button is not displayed, the extension is already installed and you can skip this step):
- For Prerequisites, ensure that all the conditions in the checklist are met, then choose Next to continue the setup.
- For Basics, choose the storage account and the blob container required to store backup data. The storage account must be in the same cloud region and subscription as the cluster. Choose Next to continue.
- For Review + create, review the setup details, then choose Create to install the Azure Backup Extension on your AKS cluster.
12 Choose Configure backup, and perform the following actions to configure data backups for the selected AKS cluster:
- For Basics, choose Select vault to select your new Azure Backup Vault and choose Select Kubernetes cluster to select the AKS cluster that you want to back up. Choose Next to continue the setup.
- For Backup policy, choose the new backup policy created at step no. 5. Choose Next to continue.
- For Datasources, choose Add/Edit to define the backup instance configuration. Provide a unique name for the backup instance and select the namespaces to back up. For finer control, you can also choose which cluster resources to include and define backup hooks to create application-consistent snapshots. Once the backup instance is configured, select the resource group where the volume snapshots will be stored and choose Validate; validation checks that the Backup Vault and cluster identities hold the role assignments they need on the cluster and on the snapshot resource group, and lets you assign any that are missing. Microsoft recommends a dedicated resource group for the snapshots kept in the operational data store. Choose Next to continue.
- For Review + configure, choose Configure backup to apply the backup configuration to the selected AKS cluster.
13 Repeat steps no. 9 - 12 for each AKS cluster that you want to back up, available in the selected subscription.
14 Repeat steps no. 3 - 13 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:
az account list --query '[*].id'
02 The command output should return the requested subscription identifiers (IDs):
[ "abcdabcd-1234-abcd-1234-abcdabcdabcd", "abcd1234-abcd-1234-abcd-abcd1234abcd" ]
03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):
az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
04 Run dataprotection backup-vault create command (Windows/macOS/Linux) to create the Backup Vault required to manage your AKS cluster backups. The example below uses locally redundant storage; choose ZoneRedundant or GeoRedundant if the vault-tier copies must survive a zone or region outage, and decide this at creation time, because the redundancy can only be changed before backups are configured in the vault:
az dataprotection backup-vault create --vault-name tm-project5-backup-vault --resource-group cloud-shell-storage-westeurope --location westeurope --type SystemAssigned --storage-settings datastore-type="VaultStore" type="LocallyRedundant"
05 The command output should return the configuration information available for the new Backup Vault. The securitySettings and bcdrSecurityLevel fields describe how well the vault's own backup data is protected against deletion; the vault below has soft delete enabled with a 14-day retention but no immutability configured:
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DataProtection/backupVaults/tm-project5-backup-vault",
  "identity": {
    "principalId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "tenantId": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "type": "SystemAssigned"
  },
  "location": "westeurope",
  "name": "tm-project5-backup-vault",
  "properties": {
    "bcdrSecurityLevel": "Poor",
    "isVaultProtectedByResourceGuard": false,
    "provisioningState": "Succeeded",
    "replicatedRegions": [],
    "secureScore": "None",
    "securitySettings": {
      "softDeleteSettings": {
        "retentionDurationInDays": 14.0,
        "state": "On"
      }
    },
    "storageSettings": [
      {
        "datastoreType": "VaultStore",
        "type": "LocallyRedundant"
      }
    ]
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.DataProtection/backupVaults"
}
06 Define the backup policy that you want to use for your AKS cluster backups. The policy document below is the one used in this example: a daily incremental backup into the operational store (snapshots kept in your own subscription), a default rule that retains every operational backup for 7 days, and a Daily tag whose retention rule also copies the first backup of each day into the vault store and keeps it there for 84 days. The vault-store copy is what protects you if the snapshot resource group or the cluster's subscription is deleted or compromised, because operational-store snapshots live alongside the cluster. The schedule is an ISO 8601 repeating interval (R/<start>/P1D). Adjust the start time, durations, and tagging criteria to your requirements, or generate the base template with the dataprotection backup-policy get-default-policy-template command and edit it. Save the policy document to a file named tm-kubernetes-backup-policy.json:
{
  "datasourceTypes": [
    "Microsoft.ContainerService/managedClusters"
  ],
  "name": "AKSPolicy",
  "objectType": "BackupPolicy",
  "policyRules": [
    {
      "backupParameters": {
        "backupType": "Incremental",
        "objectType": "AzureBackupParams"
      },
      "dataStore": {
        "dataStoreType": "OperationalStore",
        "objectType": "DataStoreInfoBase"
      },
      "name": "BackupDaily",
      "objectType": "AzureBackupRule",
      "trigger": {
        "objectType": "ScheduleBasedTriggerContext",
        "schedule": {
          "repeatingTimeIntervals": [
            "R/2024-10-08T05:00:00+00:00/P1D"
          ]
        },
        "taggingCriteria": [
          {
            "criteria": [
              {
                "absoluteCriteria": [
                  "FirstOfDay"
                ],
                "objectType": "ScheduleBasedBackupCriteria"
              }
            ],
            "isDefault": false,
            "tagInfo": {
              "id": "Daily_",
              "tagName": "Daily"
            },
            "taggingPriority": 25
          },
          {
            "isDefault": true,
            "tagInfo": {
              "id": "Default_",
              "tagName": "Default"
            },
            "taggingPriority": 99
          }
        ]
      }
    },
    {
      "isDefault": true,
      "lifecycles": [
        {
          "deleteAfter": {
            "duration": "P7D",
            "objectType": "AbsoluteDeleteOption"
          },
          "sourceDataStore": {
            "dataStoreType": "OperationalStore",
            "objectType": "DataStoreInfoBase"
          }
        }
      ],
      "name": "Default",
      "objectType": "AzureRetentionRule"
    },
    {
      "isDefault": false,
      "lifecycles": [
        {
          "deleteAfter": {
            "duration": "P7D",
            "objectType": "AbsoluteDeleteOption"
          },
          "sourceDataStore": {
            "dataStoreType": "OperationalStore",
            "objectType": "DataStoreInfoBase"
          },
          "targetDataStoreCopySettings": [
            {
              "copyAfter": {
                "objectType": "ImmediateCopyOption"
              },
              "dataStore": {
                "dataStoreType": "VaultStore",
                "objectType": "DataStoreInfoBase"
              }
            }
          ]
        },
        {
          "deleteAfter": {
            "duration": "P84D",
            "objectType": "AbsoluteDeleteOption"
          },
          "sourceDataStore": {
            "dataStoreType": "VaultStore",
            "objectType": "DataStoreInfoBase"
          },
          "targetDataStoreCopySettings": []
        }
      ],
      "name": "Daily",
      "objectType": "AzureRetentionRule"
    }
  ]
}
07 Run dataprotection backup-policy create command (Windows/macOS/Linux) to create a new backup policy in your Backup Vault, using the policy document prepared at the previous step (i.e. tm-kubernetes-backup-policy.json):
az dataprotection backup-policy create --backup-policy-name tm-project5-backup-policy --vault-name tm-project5-backup-vault --resource-group cloud-shell-storage-westeurope --policy tm-kubernetes-backup-policy.json
08 The command output should return the configuration information available for the new backup policy:
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DataProtection/backupVaults/tm-project5-backup-vault/backupPolicies/tm-project5-backup-policy",
  "name": "tm-project5-backup-policy",
  "properties": {
    "datasourceTypes": [
      "Microsoft.ContainerService/managedClusters"
    ],
    "objectType": "BackupPolicy",
    "policyRules": [
      {
        "isDefault": true,
        "lifecycles": [
          {
            "deleteAfter": {
              "duration": "P7D",
              "objectType": "AbsoluteDeleteOption"
            },
            "sourceDataStore": {
              "dataStoreType": "OperationalStore",
              "objectType": "DataStoreInfoBase"
            },
            "targetDataStoreCopySettings": []
          }
        ],
        "name": "Default",
        "objectType": "AzureRetentionRule"
      },
      {
        "isDefault": false,
        "lifecycles": [
          {
            "deleteAfter": {
              "duration": "P7D",
              "objectType": "AbsoluteDeleteOption"
            },
            "sourceDataStore": {
              "dataStoreType": "OperationalStore",
              "objectType": "DataStoreInfoBase"
            },
            "targetDataStoreCopySettings": [
              {
                "copyAfter": {
                  "objectType": "ImmediateCopyOption"
                },
                "dataStore": {
                  "dataStoreType": "VaultStore",
                  "objectType": "DataStoreInfoBase"
                }
              }
            ]
          },
          {
            "deleteAfter": {
              "duration": "P84D",
              "objectType": "AbsoluteDeleteOption"
            },
            "sourceDataStore": {
              "dataStoreType": "VaultStore",
              "objectType": "DataStoreInfoBase"
            },
            "targetDataStoreCopySettings": []
          }
        ],
        "name": "Daily",
        "objectType": "AzureRetentionRule"
      },
      {
        "backupParameters": {
          "backupType": "Incremental",
          "objectType": "AzureBackupParams"
        },
        "dataStore": {
          "dataStoreType": "OperationalStore",
          "objectType": "DataStoreInfoBase"
        },
        "name": "BackupDaily",
        "objectType": "AzureBackupRule",
        "trigger": {
          "objectType": "ScheduleBasedTriggerContext",
          "schedule": {
            "repeatingTimeIntervals": [
              "R/2024-10-08T05:00:00+00:00/P1D"
            ],
            "timeZone": "Coordinated Universal Time"
          },
          "taggingCriteria": [
            {
              "criteria": [
                {
                  "absoluteCriteria": [
                    "FirstOfDay"
                  ],
                  "objectType": "ScheduleBasedBackupCriteria"
                }
              ],
              "isDefault": false,
              "tagInfo": {
                "id": "Daily_",
                "tagName": "Daily"
              },
              "taggingPriority": 25
            },
            {
              "isDefault": true,
              "tagInfo": {
                "id": "Default_",
                "tagName": "Default"
              },
              "taggingPriority": 99
            }
          ]
        }
      }
    ]
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.DataProtection/backupVaults/backupPolicies"
}
09 Run k8s-extension create command (Windows/macOS/Linux) to install the Azure Backup Extension on the selected AKS cluster. The extension must be installed to enable backup and restore for AKS clusters. The storage account and blob container named in --configuration-settings must already exist, in the same region and subscription as the cluster; after installation, the extension's managed identity also needs the Storage Account Contributor role on that storage account (see the referenced Azure CLI guide):
az k8s-extension create --name azure-aks-backup --extension-type microsoft.dataprotection.kubernetes --scope cluster --cluster-type managedClusters --cluster-name cc-project5-aks-cluster --resource-group cloud-shell-storage-westeurope --release-train stable --configuration-settings blobContainer=aksbackups storageAccount=project5backups storageAccountResourceGroup=cloud-shell-storage-westeurope storageAccountSubscriptionId=abcdabcd-1234-abcd-1234-abcdabcdabcd
10 The command output should return the configuration information available for the installed extension:
{
  "autoUpgradeMinorVersion": true,
  "configurationSettings": {
    "blobContainer": "aksbackups",
    "storageAccount": "project5backups",
    "storageAccountResourceGroup": "cloud-shell-storage-westeurope",
    "storageAccountSubscriptionId": "abcdabcd-1234-abcd-1234-abcdabcdabcd"
  },
  "extensionType": "microsoft.dataprotection.kubernetes",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-project5-aks-cluster/providers/Microsoft.KubernetesConfiguration/extensions/azure-aks-backup",
  "name": "azure-aks-backup",
  "provisioningState": "Succeeded",
  "releaseTrain": "stable",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.KubernetesConfiguration/extensions"
}
11 For the Backup Vault to connect with your AKS cluster, you must enable Trusted Access. Trusted Access lets the Backup Vault's managed identity reach the cluster's API server with the backup-operator role, which is what backup and restore operations use. Run aks trustedaccess rolebinding create command (Windows/macOS/Linux) for the selected AKS cluster, passing the resource ID of the Backup Vault as the source resource:
az aks trustedaccess rolebinding create --cluster-name cc-project5-aks-cluster --name tm-backup-role-binding --resource-group cloud-shell-storage-westeurope --roles Microsoft.DataProtection/backupVaults/backup-operator --source-resource-id /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DataProtection/backupVaults/tm-project5-backup-vault
12 Run dataprotection backup-instance initialize command (Windows/macOS/Linux) to generate the backup instance request for the selected AKS cluster. A request generated without a backup configuration covers the whole cluster; to limit the namespaces, add label selectors, or attach backup hooks, first generate a backup configuration with the dataprotection backup-instance initialize-backupconfig command and pass it with --backup-configuration. The request object is saved to tm-aks-backup-instance.json:
az dataprotection backup-instance initialize --friendly-name tm-aks-backup-instance --datasource-id /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-project5-aks-cluster --datasource-location westeurope --datasource-type AzureKubernetesService --policy-id /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DataProtection/backupVaults/tm-project5-backup-vault/backupPolicies/tm-project5-backup-policy --snapshot-resource-group-name cloud-shell-storage-westeurope > tm-aks-backup-instance.json
13 Run dataprotection backup-instance create command (Windows/macOS/Linux) to create a new backup instance for the selected AKS cluster, within the Backup Vault created earlier in the Remediation process. For --backup-instance use the request object saved at the previous step (i.e. tm-aks-backup-instance.json). Before creating the instance, you can run the dataprotection backup-instance validate-for-backup command with the same request object to confirm that the Backup Vault and cluster identities hold the role assignments required on the cluster and on the snapshot resource group; the dataprotection backup-instance update-msi-permissions command can grant any that are missing:
az dataprotection backup-instance create --resource-group cloud-shell-storage-westeurope --vault-name tm-project5-backup-vault --backup-instance tm-aks-backup-instance.json
14 The command output should return the configuration information available for the new backup instance:
{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DataProtection/backupVaults/tm-project5-backup-vault/backupInstances/tm-aks-backup-instance",
  "name": "tm-aks-backup-instance",
  "properties": {
    "currentProtectionState": "ProtectionConfigured",
    "dataSourceInfo": {
      "datasourceType": "Microsoft.ContainerService/managedClusters",
      "objectType": "Datasource",
      "resourceID": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-project5-aks-cluster",
      "resourceLocation": "westeurope",
      "resourceName": "cc-project5-aks-cluster",
      "resourceType": "Microsoft.ContainerService/managedClusters",
      "resourceUri": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.ContainerService/managedClusters/cc-project5-aks-cluster"
    },
    "friendlyName": "tm-aks-backup-instance",
    "objectType": "BackupInstance",
    "policyInfo": {
      "policyId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.DataProtection/backupVaults/tm-project5-backup-vault/backupPolicies/tm-project5-backup-policy"
    },
    "protectionStatus": {
      "status": "ProtectionConfigured"
    },
    "provisioningState": "Succeeded"
  },
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.DataProtection/backupVaults/backupInstances"
}
15 Repeat steps no. 9 - 14 for each AKS cluster that you want to back up, available in the selected subscription.
16 Repeat steps no. 3 – 15 for each subscription created in your Microsoft Azure cloud account.
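The backup policy document in step 06 is the part of this procedure most likely to be hand-edited per cluster, and its pieces must agree with each other: every tag in taggingCriteria has to name a retention rule, exactly one retention rule may be the default, and a rule that copies backups into the vault store needs a vault-store lifecycle that says how long to keep them. The script below is an added example, not code from the original page or from Microsoft. It builds the same policy structure as step 06 from a schedule start time and two retention periods, so one script can emit policy files for clusters with different needs, and checks those invariants before the file is handed to dataprotection backup-policy create. The function and parameter names and the default start time are this example's own choices.

```python
"""Generate and sanity-check the AKS backup policy document from step 06.

Added example; not part of the original page and not Microsoft code.
Running the file writes tm-kubernetes-backup-policy.json in the current
directory, ready for `az dataprotection backup-policy create --policy`.
"""
import json
from datetime import datetime, timezone

# Example schedule start, matching the interval used on the page.
EXAMPLE_START = datetime(2024, 10, 8, 5, 0, tzinfo=timezone.utc)


def _store(kind: str) -> dict:
    return {"dataStoreType": kind, "objectType": "DataStoreInfoBase"}


def _delete_after(days: int) -> dict:
    return {"duration": f"P{days}D", "objectType": "AbsoluteDeleteOption"}


def build_aks_backup_policy(start, operational_days=7, vault_days=84, name="AKSPolicy"):
    """Return a Backup Vault policy document for Microsoft.ContainerService/managedClusters.

    Daily incremental backups go to the operational store and are kept for
    `operational_days`; the first backup of each day is tagged 'Daily', which
    also copies it into the vault store where it is kept for `vault_days`.
    """
    if start.tzinfo is None:
        raise ValueError("schedule start must be timezone-aware")
    # ISO 8601 repeating interval: repeat (R) from the start instant every day (P1D).
    start_utc = start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S+00:00")
    return {
        "datasourceTypes": ["Microsoft.ContainerService/managedClusters"],
        "name": name,
        "objectType": "BackupPolicy",
        "policyRules": [
            {
                "backupParameters": {"backupType": "Incremental", "objectType": "AzureBackupParams"},
                "dataStore": _store("OperationalStore"),
                "name": "BackupDaily",
                "objectType": "AzureBackupRule",
                "trigger": {
                    "objectType": "ScheduleBasedTriggerContext",
                    "schedule": {"repeatingTimeIntervals": [f"R/{start_utc}/P1D"]},
                    # Each tagName must match a retention rule below; the lowest
                    # taggingPriority wins when more than one criterion matches.
                    "taggingCriteria": [
                        {"criteria": [{"absoluteCriteria": ["FirstOfDay"],
                                       "objectType": "ScheduleBasedBackupCriteria"}],
                         "isDefault": False,
                         "tagInfo": {"id": "Daily_", "tagName": "Daily"},
                         "taggingPriority": 25},
                        {"isDefault": True,
                         "tagInfo": {"id": "Default_", "tagName": "Default"},
                         "taggingPriority": 99},
                    ],
                },
            },
            {"isDefault": True, "name": "Default", "objectType": "AzureRetentionRule",
             "lifecycles": [{"deleteAfter": _delete_after(operational_days),
                             "sourceDataStore": _store("OperationalStore")}]},
            {"isDefault": False, "name": "Daily", "objectType": "AzureRetentionRule",
             "lifecycles": [
                 {"deleteAfter": _delete_after(operational_days),
                  "sourceDataStore": _store("OperationalStore"),
                  "targetDataStoreCopySettings": [
                      {"copyAfter": {"objectType": "ImmediateCopyOption"},
                       "dataStore": _store("VaultStore")}]},
                 {"deleteAfter": _delete_after(vault_days),
                  "sourceDataStore": _store("VaultStore"),
                  "targetDataStoreCopySettings": []}]},
        ],
    }


def check_policy(policy: dict) -> list:
    """Return the consistency problems found in a policy document (empty if none)."""
    problems = []
    rules = policy["policyRules"]
    retention = {r["name"]: r for r in rules if r["objectType"] == "AzureRetentionRule"}
    if sum(1 for r in retention.values() if r["isDefault"]) != 1:
        problems.append("exactly one default retention rule is required")
    for rule in (r for r in rules if r["objectType"] == "AzureBackupRule"):
        for tc in rule["trigger"]["taggingCriteria"]:
            tag = tc["tagInfo"]["tagName"]
            if tag not in retention:
                problems.append(f"tag {tag!r} has no retention rule of the same name")
    for name, rule in retention.items():
        sources = {lc["sourceDataStore"]["dataStoreType"] for lc in rule["lifecycles"]}
        copies_to_vault = any(cs["dataStore"]["dataStoreType"] == "VaultStore"
                              for lc in rule["lifecycles"]
                              for cs in lc.get("targetDataStoreCopySettings", []))
        if copies_to_vault and "VaultStore" not in sources:
            problems.append(f"rule {name!r} copies to the vault store but sets no vault retention")
    return problems


def example_policy() -> dict:
    """The policy from step 06: daily backups, 7 days operational, 84 days in the vault."""
    return build_aks_backup_policy(EXAMPLE_START)


if __name__ == "__main__":
    policy = example_policy()
    issues = check_policy(policy)
    if issues:
        raise SystemExit("\n".join(issues))
    with open("tm-kubernetes-backup-policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
```

Change operational_days and vault_days (or the start time) per cluster class and feed the resulting file to step 07; the check rejects the two edits that most often break a hand-edited policy, a renamed retention rule that leaves a tag dangling and a vault copy without a vault lifecycle.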
References
- Azure Official Documentation
- Back up Azure Kubernetes Service by using Azure Backup
- Back up Azure Kubernetes Service using Azure CLI
- Azure CLI Documentation
- az account list
- az account set
- az aks list
- az k8s-extension list
- az dataprotection backup-instance list-from-resourcegraph
- az dataprotection backup-vault create
- az dataprotection backup-policy create
- az k8s-extension create
- az aks trustedaccess rolebinding create
- az dataprotection backup-instance initialize
- az dataprotection backup-instance create