NetBackup™ Web UI Cloud

Administrator's Guide

Release 10.2
Last updated: 2023-03-17

Legal Notice
Copyright © 2023 Veritas Technologies LLC. All rights reserved.

Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas
Technologies LLC or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.

This product may contain third-party software for which Veritas is required to provide attribution
to the third party (“Third-party Programs”). Some of the Third-party Programs are available
under open source or free software licenses. The License Agreement accompanying the
Software does not alter any rights or obligations you may have under those open source or
free software licenses. Refer to the Third-party Legal Notices document accompanying this
Veritas product or available at:

https://www.veritas.com/about/legal/license-agreements

The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Veritas Technologies
LLC and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED

CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas Technologies LLC SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq.
"Commercial Computer Software and Commercial Computer Software Documentation," as
applicable, and any successor regulations, whether delivered by Veritas as on premises or
hosted services. Any use, modification, reproduction release, performance, display or disclosure
of the Licensed Software and Documentation by the U.S. Government shall be solely in
accordance with the terms of this Agreement.

Veritas Technologies LLC

2625 Augustine Drive
Santa Clara, CA 95054

http://www.veritas.com
Technical Support
Technical Support maintains support centers globally. All support services will be delivered
in accordance with your support agreement and the then-current enterprise technical support
policies. For information about our support offerings and how to contact Technical Support,
visit our website:

https://www.veritas.com/support

You can manage your Veritas account information at the following URL:

https://my.veritas.com

If you have questions regarding an existing support agreement, please email the support
agreement administration team for your region as follows:

Worldwide (except Japan) [email protected]

Japan [email protected]

Documentation
Make sure that you have the current version of the documentation. Each document displays
the date of the last update on page 2. The latest documentation is available on the Veritas
website:

https://sort.veritas.com/documents

Documentation feedback
Your feedback is important to us. Suggest improvements or report errors or omissions to the
documentation. Include the document title, document version, chapter title, and section title
of the text on which you are reporting. Send feedback to:

[email protected]

You can also see documentation information or ask a question on the Veritas community site:

http://www.veritas.com/community/

Veritas Services and Operations Readiness Tools (SORT)

Veritas Services and Operations Readiness Tools (SORT) is a website that provides information
and tools to automate and simplify certain time-consuming administrative tasks. Depending
on the product, SORT helps you prepare for installations and upgrades, identify risks in your
datacenters, and improve operational efficiency. To see what services and tools SORT provides
for your product, see the data sheet:

https://sort.veritas.com/data/support/SORT_Data_Sheet.pdf
 Contents

Chapter 1 Managing and protecting cloud assets ......................... 7

About protecting cloud assets ........................................................... 8
Limitations and considerations ........................................................ 10
Configure Snapshot Manager's in NetBackup ..................................... 11
Configure a third-party CA certificate .......................................... 12
Add a Snapshot Manager ......................................................... 13
Add a cloud provider for a Snapshot Manager .............................. 14
Associate media servers with a Snapshot Manager ....................... 18
Discover assets on Snapshot Manager ....................................... 18
Edit a Snapshot Manager ......................................................... 20
Enable or disable a Snapshot Manager ....................................... 20
(Optional) Add the Snapshot Manager extension .......................... 21
Managing intelligent cloud groups .................................................... 21
Create an intelligent cloud group ............................................... 22
Delete an intelligent cloud group ................................................ 25
Protecting cloud assets or intelligent cloud groups ............................... 26
Customize or edit protection for cloud assets or intelligent groups
..................................................................................... 28
Remove protection from cloud assets or intelligent groups .............. 29
Cloud asset cleanup ..................................................................... 29
Cloud asset filtering ...................................................................... 30
AWS and Azure government cloud support ........................................ 33
About protecting Microsoft Azure resources using resource groups
........................................................................................... 33
Before you begin .................................................................... 34
Limitations and considerations .................................................. 34
About resource group configurations and outcome ........................ 35
Troubleshoot resource group permissions ................................... 38
About the NetBackup Accelerator for cloud workloads .......................... 38
How the NetBackup Accelerator works with virtual machines ........... 39
Accelerator forced rescan for virtual machines (schedule attribute)
..................................................................................... 40
Accelerator backups and the NetBackup catalog ........................... 40
Accelerator messages in the backup job details log ....................... 40
Configuring backup schedule for cloud workloads ............................... 41
Backup options for cloud workloads ................................................. 44
 Contents 5

Snapshot replication ..................................................................... 47

Configure AWS snapshot replication ................................................ 47
Using AWS snapshot replication ..................................................... 50
Support matrix for account replication ............................................... 52
Protect applications in-cloud with application consistent snapshots
........................................................................................... 54
Protecting PaaS assets ................................................................. 55
Prerequisites for protecting PaaS assets ..................................... 56
Installing the native client utilities ............................................... 58
Configuring the storage server for instant access .......................... 61
About incremental backup for PaaS workloads ............................. 62
Limitations and considerations .................................................. 62
Discovering PaaS assets ......................................................... 65
Viewing PaaS assets .............................................................. 67
Managing PaaS credentials ...................................................... 67
View the credential name that is applied to a database ................... 67
Add credentials to a database .................................................. 67
Add protection to PaaS assets .................................................. 72
Perform backup now ............................................................... 72

Chapter 2 Recovering cloud assets ................................................. 74

Recovering cloud assets ................................................................ 74

Perform rollback recovery of cloud assets ......................................... 80
Recovering PaaS assets ................................................................ 81
Recovering non-RDS PaaS assets ............................................. 81
Recovering RDS-based PaaS asset ........................................... 82
Recovering Azure protected assets ............................................ 84
Recovering duplicate images from AdvancedDisk ......................... 86

Chapter 3 Performing granular restore ........................................... 87

About granular restore ................................................................... 87

Supported environment list ............................................................. 88
List of supported file systems .......................................................... 89
Before you begin .......................................................................... 90
Limitations and considerations ........................................................ 92
Restoring files and folders from cloud virtual machines ......................... 95
Restoring volumes on cloud virtual machines ..................................... 98
Troubleshooting .......................................................................... 98
 Contents 6

Chapter 4 Troubleshooting protection and recovery of cloud

assets ............................................................................ 105
Troubleshoot cloud workload protection issues ................................. 105
Troubleshoot PaaS workload protection and recovery issues ............... 109
 Chapter 1
Managing and protecting
cloud assets
This chapter includes the following topics:

■ About protecting cloud assets

■ Limitations and considerations

■ Configure Snapshot Manager's in NetBackup

■ Managing intelligent cloud groups

■ Protecting cloud assets or intelligent cloud groups

■ Cloud asset cleanup

■ Cloud asset filtering

■ AWS and Azure government cloud support

■ About protecting Microsoft Azure resources using resource groups

■ About the NetBackup Accelerator for cloud workloads

■ Configuring backup schedule for cloud workloads

■ Backup options for cloud workloads

■ Snapshot replication

■ Configure AWS snapshot replication

■ Using AWS snapshot replication

■ Support matrix for account replication

 Managing and protecting cloud assets 8
About protecting cloud assets

■ Protect applications in-cloud with application consistent snapshots

■ Protecting PaaS assets

About protecting cloud assets

Using NetBackup, you can now protect your in-cloud workloads. The cloud data
protection framework leverages the Snapshot Manager infrastructure to drive faster
proliferation of cloud providers. In NetBackup 8.3 and later, Snapshot Manager can
protect assets in AWS, Azure, Azure Stack hub and GCP clouds.
The following table describes the tasks.

Table 1-1 Configuring protection for cloud assets

Task Description

Before you begin ensure that
you have the appropriate
permissions.
To manage and protect cloud assets in the web UI you
must have the workload administrator role or similar
permissions. The NetBackup security administrator can
manage your role permissions at an individual asset level
or at the account or subscription level, or at a cloud
provider level.

See the NetBackup Web UI Administrator’s Guide.

Note: For managing hosted applications, you need
Manage Assets and Manage Protection Plans permissions.

Deploy Snapshot Manager Install Snapshot Manager in your environment.

See “Add a Snapshot Manager” on page 13.

Review Snapshot Manager and NetBackup limitations.

See “Limitations and considerations” on page 10.

Configure the Snapshot Register the Snapshot Manager in NetBackup.

Manager
See the NetBackup Snapshot Client Administrator's Guide.
 Managing and protecting cloud assets 9
About protecting cloud assets

Table 1-1 Configuring protection for cloud assets (continued)

Task Description

Add a configuration All the supported cloud providers are displayed in the web
UI.

You need to add the cloud account (configure the cloud

plug-in) for the cloud provider you need. You can create
multiple configurations for each provider.

See “Add a cloud provider for a Snapshot Manager”

on page 14.

For Amazon, you can choose to use IAM role.

See “IAM Role for AWS Configuration” on page 17.

Asset discovery NetBackup retrieves the cloud assets pertaining to the

cloud accounts that are configured in NetBackup. Assets
are populated in NetBackup asset DB.

By default, asset discovery happens every 2 hours and is

configurable.

In case of applications, you can set discovery interval

between 15 minutes to 45 minutes.

See “Discover assets on Snapshot Manager” on page 18.

Create a protection plan Create a protection plan. A protection plan is used to

schedule backup start windows.

See the NetBackup Web UI Administrator’s Guide.

You can also configure the protection plan for snapshot

replication. See “Configure AWS snapshot replication”
on page 47.

Choose to protect a virtual For each cloud provider, a list of discovered assets is
machine, application, or volume displayed. Add the assets to a protection plan.

See the NetBackup Web UI Administrator’s Guide.

You can also choose to protect application using

application consistent snapshots. See “Protect applications
in-cloud with application consistent snapshots” on page 54.
 Managing and protecting cloud assets 10
Limitations and considerations

Table 1-1 Configuring protection for cloud assets (continued)

Task Description

Recover cloud assets
■ You can recover the assets using the recovery points.
See “Recovering cloud assets” on page 74.
See “Recovering cloud assets” on page 74.
See “Perform rollback recovery of cloud assets ”
on page 80.
■ You can also restore the assets using the
nbcloudrestore CLI utility.
Note: Do not use the bprestore CLI for restores
See the NetBackup Commands Reference Guide.

Troubleshooting See “Troubleshoot cloud workload protection issues”

on page 105.

Limitations and considerations

Consider the following when protecting cloud workloads
■ Deletion of Snapshot Manager host entry and its associated plug-ins is not
supported in NetBackup.
If you delete plug-ins that are configured in NetBackup, you cannot recover any
Snapshot Manager images that are associated with that plug-in.
■ Review the NetBackup Snapshot Manager Install and Upgrade Guide for
information on the capabilities of Snapshot Manager.
■ If you have a previous installation of Snapshot Manager, Veritas recommends
that you upgrade the Snapshot Manager and not reinstall it.
If you do reinstall the Snapshot Manager server, you need to reconfigure the
Snapshot Manager and perform all the protection-related steps.
■ By default, Snapshot Manager is configured with port 443.
■ After Snapshot Manager server is added, the host machine tries to use the IPv6
address to discover assets on cloud. If the IPV6 address is found on the host,
the application is configured to use it. If an IPv6 address is not found, the IPv4
address is used.
■ For Snapshot Manager, enhanced auditing is not supported. Thus, when you
add or update a Snapshot Manager, with non-root but NetBackup Admin rights,
during auditing the user is shown as root.
 Managing and protecting cloud assets 11
Configure Snapshot Manager's in NetBackup

■ If you deploy Snapshot Manager using the CloudFormation template, when you
register the on-host agent with the Snapshot Manager node using the command,
the IP address used must be private IP and not public IP.

Note: Veritas recommends having swap space enabled on NetBackup primary

servers that would be used to run backup from snapshot jobs for cloud asset groups.
The recommended size for swap space must be greater than or equal to 1.5 times
of the system memory. In scenarios where swap space enablement is not available,
it is recommend to have systems with higher memory configuration.

Configure Snapshot Manager's in NetBackup

You can add a Snapshot Manager using the NetBackup Web UI. Starting with 8.3,
the Snapshot Manager can discover cloud assets on Amazon Web Services and
Microsoft Azure US Government cloud.
Consider the following important points:
■ You can associate multiple Snapshot Manager's to a NetBackup primary server.
But you can associate only one Snapshot Manager to one NetBackup master
server.
■ You can associate multiple media servers to a Snapshot Manager. Only the
media servers that are linked to your NetBackup primary server can be linked
to a Snapshot Manager.
■ You can now manage Snapshot Manager and control discovery of assets from
the NetBackup WebUI, REST API, and CLI without interacting with the Snapshot
Manager interfaces.
■ For backup from snapshot jobs, the NetBackup media storage associated servers
are used instead of Snapshot Manager associated media servers. The
NetBackup media storage associated servers must be connected to the Snapshot
Manager to facilitate all the Snapshot Manager related operations.
The following table describes the underlying tasks.

Table 1-2 Configuring Snapshot Manager's

Task Description

Add a Snapshot Manager To add a Snapshot Manager in NetBackup,

you must add the credentials and validate the
certificate of the Snapshot Manager. See
“Add a Snapshot Manager” on page 13.
 Managing and protecting cloud assets 12
Configure Snapshot Manager's in NetBackup

Table 1-2 Configuring Snapshot Manager's (continued)

Task Description

Add cloud providers To discover assets on the Snapshot Manager,

you must add the cloud providers. See “Add
a cloud provider for a Snapshot Manager”
on page 14.

Discover assets on Snapshot Manager You can discover assets on the Snapshot
Manager.See “Discover assets on Snapshot
Manager” on page 18.

Associate media servers To offload snapshots and restore workflows

to a media server, you must associate the
media server to the Snapshot Manager.See
“Associate media servers with a Snapshot
Manager” on page 18.

Configure a third-party CA certificate

You can use a self-signed or a third-party certificate to validate your Snapshot
Manager.
Consider the following points:
■ For Windows, you can give a certificate as a file path or install the third party
certificate in the Trusted Root Certificates authorities.
■ To switch from a self-signed certificate to a third-party certificate for an already
added Snapshot Manager, you can update the tpconfig command or edit the
Snapshot Manager API or from NetBackup WebUI.
To configure a third-party CA certificate
1 Generate the third party certificate and private key for your Snapshot Manager.
2 Run the /cloudpoint/scripts/cp_certificate_management.sh script to upload the
certificate, key and trust store to the Snapshot Manager.
3 In NetBackup, create a certificate file and append the certificate of root and all
intermediate CAs in the pem file.
4 In the bp.conf file, at /cloudpoint/openv/netbackup/, create the following
entries:
■ ECA_TRUST_STORE_PATH = /cloudpoint/eca/trusted/cacerts.pem
■ (Optional) VIRTUALIZATION_CRL_CHECK = CHAIN
■ (Optional) ECA_CRL_PATH =/cloudpoint/eca/crl/
 Managing and protecting cloud assets 13
Configure Snapshot Manager's in NetBackup

Note: The CA certificates and CRLs should be present under

/cloudpoint/eca/trusted/cacerts.pem for trust-store, and
/cloudpoint/eca/crl for CRL.

■ The ECA_CRL_PATH option specifies the path to the directory where

the Certificate Revocation Lists (CRL) of the external certificate authority
(CA) are located. All files in ECA_CRL_PATH must be in DER, PEM,
and P7B formats.
■ VIRTUALIZATION_CRL_CHECK option is only required if you want to
check the revocation status of the certificate. By default, the
VIRTUALIZATION_CRL_CHECK option is disabled.
■ You can disable, LEAF, or CHAIN the value of the
VIRTUALIZATION_CRL_CHECK option. For LEAF, revocation status
of the leaf certificate is validated against the CRL. For CHAIN, revocation
status of all certificates from the certificate chain are validated against
the CRL.

Note: Following should be the order in which the certificates are uploaded:
Leaf > Intermediate > Root. If the certificates are not uploaded in the correct
order, Snapshot Manager might not work.

5 Add the Snapshot Manager to NetBackup or run the tpconfig command to

update the certificate for a Snapshot Manager already added to NetBackup.

Add a Snapshot Manager

You can add a Snapshot Manager using NetBackup WebUI. You must provide the
Snapshot Manager credentials and validate the certificate.

Note: To allow backups from snapshots, bi-directional connectivity is required

between Snapshot Manager and NetBackup servers

To add a Snapshot Manager

1 On the left, click Cloud.
2 Click on the Snapshot Manager tab.
3 Click Add.
4 In the Snapshot Manager field, enter one of the following:
■ The host name or IP address of the Snapshot Manager.
 Managing and protecting cloud assets 14
Configure Snapshot Manager's in NetBackup

The host name or IP address must be the same as the one you have
provided at the time of Snapshot Manager configuration during Snapshot
Manager installation.
■ If the DNS server is configured, enter the FDQN of the Snapshot Manager.

5 In Port field, enter the port number for the Snapshot Manager.
The default port value is 443.
6 Click Validate.
7 In the Validate certificate dialog box, click Accept.
8 Enter the Snapshot Manager credentials that have provided at the time of
Snapshot Manager installation.
9 Click Save.

Note: If NetBackup security level is set to VERY HIGH, an additional field Token
is shown where you can provide a Standard Host Token. This is required for
NetBackup certificates generation on Snapshot Manager. You may need to contact
the security administrator or a backup administrator for requesting the additional
security permissions required for generating the token.

Add a cloud provider for a Snapshot Manager

You can protect the assets on the Amazon Web Services (AWS), Google Cloud
Platform (GCP), Microsoft Azure, and Microsoft Azure Stack Hub cloud providers.
Starting with 9.0, the Snapshot Manager can discover Amazon Web Services and
Microsoft Azure US Government cloud workloads.
To add a cloud provider for Snapshot Manager
1 On the left, click Cloud.
2 Click the Providers tab or click Add under the cloud provider for which you
want to add a configuration.
3 Enter a value in the Configuration Name field, in the Add configuration pane.
4 Select the preferred Snapshot Manager.
 Managing and protecting cloud assets 15
Configure Snapshot Manager's in NetBackup

5 Enter the required details.

Cloud provider Parameter Description

Microsoft Azure Credential type: Application service principal

Tenant ID The ID of the AAD directory in which

you created the application.

Client ID The application ID.

Secret key The secret key of the application.

Credential type: System managed Enable system managed identity on

identity Snapshot Manager host in Azure.
Note: Assign a role to the system
managed identity.

Credential type: User managed identity

Client ID The ID of the user managed identity

connected to the Snapshot Manager
host.

Following parameters are applicable for all the above credential type's

Regions One or more regions in which to

discover cloud assets.
Note: If you configure a government
cloud, select US Gov Arizona, US Gov
Texas US, or Gov Virginia.

Resource Group prefix The string with which you want to

append all the resources in a resource
group.

Protect assets even if prefixed The check box determines whether

Resource Groups are not found the assets are protected if they are not
associated to any resource groups.

Cloud provider
Microsoft Azure Stack Hub
Amazon AWS
Note: If the Snapshot Manager is
configured with IAM Config, the
Access Key and Secret Key options
are not available.
Managing and protecting cloud assets 16
Configure Snapshot Manager's in NetBackup
Parameter Description
Using AAD: The endpoint URL in the following
format, that allows Snapshot Manager
Azure Stack Hub Resource Manager
to connect with your Azure resources.
endpoint URL
https://management.<location>.<FQDN>
Tenant ID The ID of the AAD directory in which
you created the application.
Client ID The application ID.
Secret Key The secret key of the application.
Authentication Resource URL The URL where the authentication
(optional) token is sent to.
Using ADFS: The endpoint URL in the following
format, that allows Snapshot Manager
Azure Stack Hub Resource Manager
to connect with your Azure resources.
endpoint URL
https://management.<location>.<FQDN>
Tenant ID The ID of the AAD directory in which
you created the application.
Client ID The application ID.
Secret Key The secret key of the application.
Authentication Resource URL The URL where the authentication
(optional) token is sent to.
Access Key The access key ID, when specified
with the secret access key, authorizes
Snapshot Manager to interact with the
AWS APIs.
Secret Key The secret key of the application.
Regions One or more AWS regions in which to
discover cloud assets.
Note: If you configure a government
cloud, select us-gov-east-1 or
us-gov-west-1.
 Managing and protecting cloud assets 17
Configure Snapshot Manager's in NetBackup

Cloud provider Parameter Description

Google Cloud Platform Project ID The ID of the project from which the
resources are managed. Listed as in
the project_id JSON file.

Client Email The email address of the Client ID.

Listed as client_email in the JSON
file.

Private Key The private key. Listed as

private_key in the JSON file.
Note: You must enter this key without
quotes. Do not enter any spaces or
return characters at the beginning or
end of the key.

Regions A list of regions in which the provider

operates.

6 Enter the connection and authentication details in the Add Configuration

pane.
7 Click Save.
The assets on the cloud providers are automatically discovered.

IAM Role for AWS Configuration

If the Snapshot Manager is deployed in cloud, AWS configuration can be configured
to use IAM role for authentication.
See “Add a cloud provider for a Snapshot Manager” on page 14.
Before proceeding, ensure the following:
■ IAM role is configured within AWS. See the NetBackup Snapshot Manager
Install and Upgrade Guide for details.

■ After you upgrade NetBackup and Snapshot Manager to the latest version, you
need to update the credentials. Run the following command:
tpconfig -update -snapshot_manager <snapshot manager host>
-snapshot_manager_user_id <snapshot manager user ID>
-manage_workload <workload type> -security_token <security token>

Note: Post upgrade, credentials are updated to support only IAM role.
 Managing and protecting cloud assets 18
Configure Snapshot Manager's in NetBackup

The following implementations of IAM role are supported:

■ Source account: In this case, the cloud assets that need to be protected are in
the same AWS account as Snapshot Manager. Thus, AWS cloud is aware of
the AWS account ID and role name, you need to only select the region.
■ Cross account: In this case, the cloud assets that need to be protected are in a
different AWS account than Snapshot Manager. Thus, you need to enter the
target account and the target role name details along with the region so that
Snapshot Manager can access those assets.
You need to establish a trust relationship between the source and the target
account. For example, if this is the role ARN for the role you want to use to
configure the plugin:
arn:aws:iam::935923755:role/TEST_IAM_ROLE
So, to configure the plugin, provide the last part of the ARN, the
name:TEST_IAM_ROLE
For more details, refer to the Access AWS Accounts Using IAM Roles related
information in the Amazon Web Services documentation.

Associate media servers with a Snapshot Manager

You can use a media server to offload the snapshots and restores jobs of your
cloud. To enable that you must associate one or more media servers to a Snapshot
Manager. The media servers must be in an active state to run the snapshot or
restore jobs. The media server that you associate with the Snapshot Manager must
be associate to your NetBackup master server also. However, the discovery jobs
run on the NetBackup master server only.
To associate media servers with a Snapshot Manager
1 On the left, click Cloud.
2 Click on the Snapshot Manager tab.
3 From the menu next to the Snapshot Manager, click Advanced settings.
4 In the Media server tab, select one or more media servers that you want
associate with the Snapshot Manager.
5 Click Save.

Discover assets on Snapshot Manager

After you configure your cloud providers with a Snapshot Manager, automatic
discovery is triggered to discover assets from the cloud. During periodic discovery,
NetBackup pulls the assets data from Snapshot Manager every two hours whereas
Snapshot Manager pulls the asset data from cloud provider configurations every
 Managing and protecting cloud assets 19
Configure Snapshot Manager's in NetBackup

one hour. If you disable a Snapshot Manager, all the assets associated with that
server are no longer protected or synced with NetBackup.
You can also manually trigger the cloud asset discovery if required, using the
Discover option for individual cloud provider configurations, or you can trigger a
discovery on a Snapshot Manager to fetch the assets data available on the Snapshot
Manager.
After the first full discovery, NetBackup subsequently performs periodic incremental
discovery of assets for the configured Snapshot Manager. It only detects the
changes, such as addition, removal, or modification of assets, that occurred between
the last and current discovery.

Note: For the accurate incremental discovery, ensure that the time is set correctly
on the NetBackup master server and the Snapshot Manager, according to the
time-zones they are located in, to avoid any issues with the discovery.

The following procedure describes how to perform discovery at the Snapshot

Manager level, which does not actually discover the assets from the Cloud, but only
fetches the point-in-time data from Snapshot Manager.
To discover assets on Snapshot Manager
1 On the left, click Cloud.
2 Click on the Snapshot Manager tab
3 From the menu next to the Snapshot Manager, click Discover.
The following procedure describes how to perform discovery at the configuration
level, which triggers a deep discovery of assets and fetches the point-in-time state
of the assets detecting any additions, modifications, or deletion of assets in the
Cloud.
To discover assets for a cloud provider configuration
1 On the left, click Cloud.
2 Click on the Snapshot Manager tab
3 Click the Snapshot Manager IP or hostname for which to view the cloud
providers.
4 Click on the provider tab for which to view the configurations.
5 From the menu next to the configuration name, click Discover.
 Managing and protecting cloud assets 20
Configure Snapshot Manager's in NetBackup

Note: If the discovery on cloud provider configurations takes more than 30 minutes,
the discovery operation times out. But the subsequent operation continues which
syncs the NetBackup assets with the Snapshot Manager assets.

Change the autodiscovery frequency for Snapshot

Manager
Use nbgetconfig and the nbsetconfig commands to view, add, or change the
autodiscovery option. For example:
CLOUD_AUTODISCOVERY_INTERVAL = number of seconds

See the NetBackup Administrator's Guide, Volume I for more details.

Edit a Snapshot Manager

You can update the Snapshot Manager credentials. However, you cannot edit the
Host name, IP address or Port of a Snapshot Manager.
To edit a Snapshot Manager
1 On the left, click, Cloud.
2 Click on the Snapshot Manager tab.
3 From the menu next to the Snapshot Manager, click Edit.
You can only edit the credentials for Snapshot Manager. You must validate
the certificate before you can update the credentials.
4 Update the credentials.
5 In the Token field, enter a Reissue token for Snapshot Manager
6 Click Save.

Enable or disable a Snapshot Manager

Based on your preference, you can enable or disable a Snapshot Manager. If you
disable a Snapshot Manager, you cannot discover assets or assign protection plans.
To enable or disable a Snapshot Manager
1 On the left, click Cloud.
2 Click on the Snapshot Manager tab.
3 Based on the Snapshot Managerstatus, select Enable or Disable.
 Managing and protecting cloud assets 21
Managing intelligent cloud groups

Note: After disabling a Snapshot Manager protection for the associated assets will
start failing for that server. In that case, unsubscribe the assets from the protection
plans or cancel any pending SLP operations to avoid seeing job failures during the
time it is disabled.

(Optional) Add the Snapshot Manager extension

The Snapshot Manager extension serves the purpose of scaling the capacity of the
Snapshot Manager host to service a large number of requests concurrently running
on the Snapshot Manager server at its peak performance capacity. You can install
one or more Snapshot Manager extensions on-premise or in cloud, depending on
your requirements to run the jobs without putting the host under additional stress.
An extension can increase the processing capacity of the Snapshot Manager host.
The Snapshot Manager extension can have the configuration same or higher as
the Snapshot Manager host.
Supported Snapshot Manager extension environments:
■ VM based extension for on-premise
■ Cloud based extension with managed Kubernetes cluster
Refer to Deploying Snapshot Manager extensions chapter in the latest version of
NetBackup Snapshot Manager Install and Upgrade Guide.

Managing intelligent cloud groups

You can create and protect a dynamic group of assets by defining the intelligent
cloud asset groups based on a set of filters called queries. NetBackup selects the
cloud virtual machines, applications, or volumes based on the queries, and adds
them to the group. An intelligent group automatically reflects changes in the asset
environment and eliminates the need to manually revise the list of assets in the
group when the assets are added or removed from the environment.
Then when you apply protection plan to an intelligent cloud asset group, all the
assets satisfying the query conditions will automatically be protected if the asset
environment changes in future.
 Managing and protecting cloud assets 22
Managing intelligent cloud groups

Note: You can create, update, or delete the intelligent groups only if your role has
the necessary RBAC permissions for the cloud assets that you require to manage.
The NetBackup security administrator can grant you access for an asset type (VM,
PaaS, application, volume, network) associated with a specific account or
subscription, or at a cloud provider level. Refer to the NetBackup Web UI
Administrator's Guide.

Create an intelligent cloud group

To create an intelligent cloud group
1 On the left, click Cloud.
2 Click the Intelligent groups tab and then click + Add.
3 Enter a name and description for the group.
4 Select the cloud provider, account ID, and region.

Note: If region is not specified, then the cloud intelligent group protects assets
across region.

5 Select the Asset type.

6 Then do one of the following:
■ Select Include all assets of the selected type.
This option uses a default query to select all assets for backup when the
protection plan runs.
■ To select only the assets that meet specific conditions, create your own
query: Click Add condition.
 Managing and protecting cloud assets 23
Managing intelligent cloud groups

7 To add a condition, use the drop-downs to select a keyword and operator and
then enter a value.
See the section called “Query options for creating intelligent cloud groups”
on page 24.
To change the effect of the query, click + Condition and click AND or OR,
then select the keyword, operator, and value for the condition. For example:

This example uses AND to narrow the scope of the query: It selects only the
VMs that have cp in their display name and that also have a tag name as eng,
and are in running state.

Note: Special character '<' is not supported in a tag name. If present, asset
group creation will fail.

Note: Known limitation in NetBackup - if you create a query that has the
asset tag names (referenced from your cloud provider) containing spaces or
special characters such as (,), &, \, /, ", [, ], {, }, you cannot later
edit the query for editing any parameters. This does not prevent you from
successfully creating the intelligent group and applying the protection plan to
it. Only the Edit query functionality is affected with this limitation.
To avoid this issue, ensure that the tag names do not contain the specified
special characters and create a new query with the new tag names.

You can also add sub-queries to a condition. Click + Sub-query and click AND
or OR, then select the keyword, operator, and value for the sub-query condition.
 Managing and protecting cloud assets 24
Managing intelligent cloud groups

8 To test the query, click Preview.

The query-based selection process is dynamic. Changes in the virtual
environment can affect which assets the query selects when the protection
plan runs. As a result, the assets that the query selects later when the protection
plan runs may not be identical to those currently listed in the preview.

Note: When using queries in Intelligent groups, the NetBackup web UI might
not display an accurate list of assets that match the query if the query condition
has non-English characters.
Using the not equals filter condition on any attribute returns assets including
those that have no value (null) present for the attribute. For multi-value attributes
such as tag, the assets that do not match at least one of the values of the
attribute are not returned

Note: When you click Preview or you save the group, the query options are
treated as case-sensitive when the assets are selected for the group. Under
Virtual machines, if you click on a VM that was not selected for the group,
the Intelligent groups field reads none.

9 To save the group without adding it to a protection plan, click Add.

To save the group and apply a protection plan to it, click Add and protect.
Select the plan, and click Protect.

Query options for creating intelligent cloud groups

Note: The attribute values may not match exactly with values shown on the cloud
provider's portal. You can refer to the asset details page or the cloud provider's API
response of an individual asset.

Table 1-3 Query keywords

Keyword Description

(all values are case-sensitive)

displayName Asset's display name.

state For example, running, stopped etc.

tag A label assigned to the asset for

categorization.
 Managing and protecting cloud assets 25
Managing intelligent cloud groups

Table 1-3 Query keywords (continued)

Keyword Description

(all values are case-sensitive)

instanceType / machineType / vmSize Asset's instance/machine type or VM size,

depending on the cloud provider selection.

For example, t2.large, t3.large, or b2ms,

d2sv3

Table 1-4 Query operators

Operator Description

Starts with Matches the value when it occurs at the start

of a string.

Ends with Matches the value when it occurs at the end

of a string.

Contains Matches the value you enter wherever that

value occurs in the string.

= Matches only the value that you enter.

!= Matches any value that is not equal to the

value that you enter.

Note: Once you create an intelligent group, you cannot edit the cloud provider
selection for it, but you can edit the name and description, and modify the query as
required.

Delete an intelligent cloud group

To delete an intelligent cloud group
1 On the left, click Cloud.
2 Locate the group under the Intelligent groups tab.
3 If the group is not protected, select it and then click Delete.
4 If the group is protected, click on the group, scroll down and click Remove
protection.
5 Then select that group under the Intelligent groups tab and click Delete.
 Managing and protecting cloud assets 26
Protecting cloud assets or intelligent cloud groups

Protecting cloud assets or intelligent cloud groups

You can create the cloud provider-specific protection plans for your cloud workloads.
Then you can subscribe the assets that are associated with the cloud provider to
a provider-specific protection plan.

Note: If you previously had a protection plan that was applied to assets from different
cloud providers, it is automatically converted to the new provider-specific format.
This conversion happens after an upgrade to NetBackup 9.1. For example, if you
had the assets from Google Cloud and AWS Cloud that are subscribed to one
protection plan, then the protection plan is split. The protection plan is split into two
separate protection plans for each provider.
See the section called “Conversion of protection plans after an upgrade to NetBackup
9.1” on page 27. section.

Use the following procedure to subscribe a cloud VM, application, volume, or an

intelligent group to a protection plan. When you subscribe an asset to a protection
plan, you assign predefined backup settings to the asset.

Note: The RBAC role that is assigned to you must give you access to the assets
that you want to manage and to the protection plans that you want to use.

To protect a cloud asset or an intelligent group

1 On the left, click Cloud.
2 On the Virtual machines tab, or Applications tab, or Volumes tab or
Intelligent groups tab, click the box for the asset or the asset group and click
Add protection.
3 Select a protection plan and click Next.
4 You can adjust the following settings:
■ Schedules and retention
■ Storage options
For more information about storage options in the web UI, review the
Configuring storage section in the NetBackup Web UI Administrator’s Guide.
■ Backup options

5 Click Protect.
 Managing and protecting cloud assets 27
Protecting cloud assets or intelligent cloud groups

Backup now option for immediate protection

Apart from the scheduled protection plans, you can also use the Backup now
option to backup an asset immediately, to safeguard against any unplanned
circumstances.
1. Select a cloud asset or an intelligent group and click Backup now.
2. Then select a protection plan to apply. Only the protection plans relevant to a
specific cloud provider of the asset are displayed as options.
3. Click Start backup.
A backup job is triggered, which can be tracked on the Activity monitor page.
For more information, see NetBackup Web UI Administrator’s Guide.

Conversion of protection plans after an upgrade to

NetBackup 9.1
Note the following points with respect to the automatic conversion of older protection
plans to the new format.
■ Protection plan conversion starts when the asset migration is completed after
the upgrade of NetBackup to 9.1.
■ Old protection plans with no assets subscribed are not converted to the new
format. You can manually delete them.
■ Before or during conversion
■ All the assets are unsubscribed from the old protection plan and subscribed
to the converted protection plan.
■ No new assets can be subscribed to the old protection plan.
■ The Backup now operation fails for the old plan.
■ Customizing or editing the old protection plan is prevented.

■ After successful conversion

■ If the old protection plan was used to protect the assets from only one cloud
provider, then the new plan retains the same name and asset subscription
upon conversion.
■ If the old protection plan was used to protect the assets from multiple cloud
providers, then the name of the old protection plan is retained as before.
The protection plan name is updated to retain the asset subscription for any
one cloud provider upon conversion.
For the other cloud providers which were part of the old plan, new protection
plans are created upon conversion, and only the assets of respective
 Managing and protecting cloud assets 28
Protecting cloud assets or intelligent cloud groups

providers are subscribed to them. New plans are named in the following
format <old_plan_name>_<cloud_provider>.
■ Hence you may see more number of plans in your Protection Plans menu
on the web UI than before.
■ Success messages are shown in the notifications as follows:
The protection plan <protectionPlanName> created during conversion to
new format.
Successfully converted the protection plan <protectionPlanName> to the
new format.
Then you can start managing and applying the converted protection plans
as normal.

Failure scenarios
Refer to the following to know how the failure scenarios are handled during or after
the conversion of protection plans. Also check the notifications for any failure alerts
and take the necessary action.
■ Some of the assets might fail to get unsubscribed from the old protection plan.
In that case, the conversion still continues with the assets that are successfully
unsubscribed. The conversion process for the assets that failed, is retried every
4 hours.
■ After the conversion, some of the assets might fail to get automatically
re-subscribed to the new plan. In that case, you need to manually subscribe
those assets to the converted protection plan.
■ Failure might be encountered when the required access permissions are
assigned to the new, converted protection plan. In that case, you need to
manually assign the access permissions.

Customize or edit protection for cloud assets or intelligent groups

You can edit certain settings for a protection plan, including schedule backup
windows and other options.
To customize or edit the protection plan for a cloud asset
1 On the left, click Workloads > Cloud.
2 On the Virtual machines tab, or Applications tab, or Volumes tab or
Intelligent groups tab, click on the asset that you want to customize the
protection for.
3 Click Customize protection > Continue.
4 You can adjust one or more of the following settings:
 Managing and protecting cloud assets 29
Cloud asset cleanup

■ Schedules and retention

Change the backup start window.
■ Backup options
Enable/disable regional snapshots for Google Cloud assets, or
specify/change snapshot destination resource group for Azure and Azure
Stack Hub assets.

Remove protection from cloud assets or intelligent groups

You can unsubscribe a cloud asset from a protection plan. When the asset is
unsubscribed, backups are no longer performed.
To remove protection from a cloud asset
1 On the left, click Cloud.
2 On the Virtual machines tab, or Applications tab, or Volumes tab or
Intelligent groups tab, click on the asset that you want to remove the protection
for.
3 Click Remove protection > Yes.

Cloud asset cleanup

Cloud assets are cleaned up automatically during cleanup cycle or manually based
on the following criteria:
■ No active protection plan to cloud asset.
■ Asset is not discovered in last 30 days (cleanup age).
■ No recovery points exist.
■ Asset is marked for deletion (asset is deleted on Snapshot Manager).
User can enhance this cloud asset cleanup criteria by updating cleanup-age and
providing specific filter criteria for assets through bp.conf file. Following parameters
must be configured in bp.conffile:
■ CLOUD.CLEANUP_AGE_MINUTES
■ CLOUD.CLEANUP_FILTER
For example,
/usr/openv/netbackup/bin/nbsetconfig

nbsetconfig> CLOUD.CLEANUP_AGE_MINUTES = 180

nbsetconfig> CLOUD.CLEANUP_FILTER = "provider eq 'aws'"

 Managing and protecting cloud assets 30
Cloud asset filtering

nbsetconfig>

User can also manually run the POST query using the cleanup-assets named
query with the following request body and then run GET with query ID obtained
from the POST response, as described in the following example:

{
"data":{
"type":"query",
"attributes":{
"queryName":"cleanup-assets",
"workloads":["cloud"],
"parameters": {
"cleanup_age_minutes": 180
},
"filter": "provider eq 'aws'"
}
}
}

Cloud asset filtering

User can define custom filter based on attributes, which would be used to list assets
into Virtual machines, Applications, PaaS, and Volumes tab.
To create a filter
1 On the left, click Cloud.
2 Under the Virtual machines, Applications, PaaS, or Volumes tab, click on the
Filter icon on the right top of the screen.
The Create filter option is displayed.
3 Click the Create filter option to define custom filter based on attributes to list
assets into Virtual machines, Applications, PaaS, or Volumes tab.
4 To create a filter, enter the details for the following parameters:

Parameter Description

Name Name of the filter.

Description Provide the description for the filter.

Query To select only the assets that meet specific

conditions, create your own query.
 Managing and protecting cloud assets 31
Cloud asset filtering

5 To select only the assets that meet specific conditions, create your own query:
Click + condition.
6 To add a condition, use the drop-downs to select a keyword and operator and
then enter a value.
See the section called “Query options for creating intelligent cloud groups”
on page 24.
To change the effect of the query, click + Condition and click AND or OR,
then select the keyword, operator, and value for the condition. For example:

This example uses AND to narrow the scope of the query: It selects only the
assets that have aws in their display name and that also have a Name as
cloudpoint, and are in running state.

You can also add sub-queries to a condition. Click + Sub-query and click AND
or OR, then select the keyword, operator, and value for the sub-query condition.

Query options for creating filter

Note: The attribute values may not match exactly with values shown on the cloud
provider's portal. You can refer to the asset details page or the cloud provider's API
response of an individual asset.

Table 1-5 Query keywords

Keyword Description

(all values are case-sensitive)

Server type Type of the server.

 Managing and protecting cloud assets 32
Cloud asset filtering

Table 1-5 Query keywords (continued)

Keyword Description

(all values are case-sensitive)

Instance ID Asset's instance ID, depending on the cloud provider

selection.

Instance name Asset's instance name, depending on the cloud provider

selection.

Name Asset's display name.

Provider Asset's cloud provider name.

Region Asset's cloud provider region name.

Config ID Asset's config ID.

Database service Asset's database service.

Deleted Deleted asset.

Entity type Asset's entity type.

Service domain Asset's service domain.

Snapshot Manager The instance of Snapshot Manager with which the asset
is registered.

Table 1-6 Query operators

Operator Description

Starts with Matches the value when it occurs at the start of a string.

Ends with Matches the value when it occurs at the end of a string.

Contains Matches the value you enter wherever that value occurs
in the string.

= Matches only the value that you enter.

!= Matches any value that is not equal to the value that you
enter.
 Managing and protecting cloud assets 33
AWS and Azure government cloud support

AWS and Azure government cloud support

Starting with 8.3, the Snapshot Manager can discover Amazon Web Services and
Microsoft Azure US Government cloud workloads. After the Snapshot Manager is
added to NetBackup, you can protect the workloads by NetBackup. NetBackup is
compliant with the regulatory requirements including IPv6 support to deploy Snapshot
Managert on the AWS and Azure US government cloud workloads.
After you configure AWS or Azure US Government cloud, the AWS and Azure agent
service is created which discovers the cloud assets based on provided region. The
discovered assets are displayed in NetBackup. Currently, only workloads from
selected regions and mapped endpoint are discovered and protected. For the same
Snapshot Manager host, you cannot use a combination of public and government
clouds.
An error might occur if you update a cloud plug-in when the plug-in assets operations
are in-progress.
Snapshot Manager supports the following GovCloud (US) regions:

Cloud provider GovCloud (US) regions

Amazon Web Services ■ us-gov-east-1

■ us-gov-west-1

Microsoft Azure ■ US Gov Arizona

■ US Gov Texas
■ US Gov Virginia

Note: PaaS assets does not support government cloud.

For information about configuring AWS and Microsoft Azure, See “Add a cloud
provider for a Snapshot Manager” on page 14.

About protecting Microsoft Azure resources using

resource groups
NetBackup lets you define a peer Resource Groups snapshot destination for every
resource group that contains protected virtual machines and volumes.
All resources in Microsoft Azure are associated to a resource group. After a snapshot
is created, it is associated to a resource group. Also, each resource group is
associated to a region. See the following:
 Managing and protecting cloud assets 34
About protecting Microsoft Azure resources using resource groups

https://docs.microsoft.com/en-us/azure/azure-resource-manager/
management/manage-resource-groups-portal
Snapshot Manager creates a snapshot and places the snapshot in resource group
to which the resource belongs even under the following conditions:
■ If you don’t provide a prefix for a resource group
■ Peer resource groups are not created
■ You allow the snapshots to get created
You can configure the settings to place the snapshots in different resource group
than the resource group that is associated with the resource. However, note the
following important points:
■ The peer resource group must be in the same region as the region of the
resource group of the resource.
■ If a peer resource group is not found, the configurations determine whether the
snapshots creation succeeds or fails.
To enable this feature, you must create peer resource groups. Snapshot Manager
then appends the prefix of the resource group that is associated with the resource.
When a snapshot is created, the peer resource group name is derived based on
the prefix and the resource group to which the resource is associated.

Note: You can now directly associate a snapshot to an existing peer resource
group, at the time of creating a protection plan. However the functionality of defining
a peer resource group by specifying a prefix which is described in this section, still
exists.
Refer to information on creating protection plans in the NetBackup Web UI
Administrator’s Guide for the complete procedure.

Before you begin

■ The peer resource groups must be available for resources that are being
protected using the resource group.
■ Regions of a plugin configuration must not overlap with another configuration if
a prefix is specified.

Limitations and considerations

■ Only alphanumeric characters, periods, underscores, hyphen, or parenthesis
are allowed in the resource group names.
■ The prefix length must be less than 89 characters.
 Managing and protecting cloud assets 35
About protecting Microsoft Azure resources using resource groups

■ You cannot use characters that Azure configuration does not allow for resource
group naming conventions.

About resource group configurations and outcome

The following table lists scenarios for virtual machines and resource group setup,
resource configuration, and outcome.

Table 1-7 Configurations and outcome

Resource group Protect assets even if Outcome

prefix prefixed Resource
Groups are not found
check box

Not specified Not selected NetBackup associates the newly

created snapshots in resource group
of the resource.

Specified Not selected NetBackup creates new the

snapshots and associates the
snapshots to the peer resource group
if the following conditions are met:

■ The peer resource group is

created.
■ The peer resource group is in the
same region as the resource
group.

If the conditions are not met,

snapshot jobs fail.

Specified Selected NetBackup creates new snapshots

and associates the snapshots to the
peer resource group if the following
conditions are met:

■ The peer resource group is

created.
■ The peer resource group is in the
same region as the resource
group.

If a peer resource group is not

created or is in a different region then
the newly created snapshot is
associated to the resource group of
the resource that is protected.
 Managing and protecting cloud assets 36
About protecting Microsoft Azure resources using resource groups

Examples of resource group configurations

The following table lists the examples for resource group configurations.

Table 1-8 Example configurations

Conditions Configurations Result

■ OS and all disks are in the ■ Resource Group Prefix Snapshots are created in the
same resource group. value is provided. peer resource group.
■ Peer resource group is ■ The Protect assets even
named correctly. if prefixed Resource
■ Peer resource is located Groups are not found
in the same region as check box is selected.
resource group of
resource.

■ OS and all disks are in ■ Resource Group Prefix Snapshots are created in the
separate resource groups. value is provided. peer resource group.
■ Peer resource groups are ■ The Protect assets even
named correctly. if prefixed Resource
■ Peer resources are Groups are not found
located in the same region check box is selected.
as resource groups of
resources.

■ OS and all disks are in the ■ Resource Group Prefix The snapshots are created in
same resource group. value is provided. original resource group not
■ Peer resource group is ■ The Protect assets even the peer resource group.
created in a different if prefixed Resource
region from the resource Groups are not found
group of the resource. check box is selected.

■ OS and all disks are in the ■
same resource group.
■ Peer resource group is not ■
created.
Resource Group Prefix The snapshots are created in
value is provided. original resource group not
The Protect assets even the peer resource group.
if prefixed Resource
Groups are not found
check box is selected.
 Managing and protecting cloud assets 37
About protecting Microsoft Azure resources using resource groups

Table 1-8 Example configurations (continued)

Conditions Configurations Result

■ OS and all disks are in ■ Resource Group Prefix Snapshots are created in the
separate resource groups, value is provided. peer resource group of RG1
RG1 and RG2. ■ The Protect assets even and original resource group
■ Peer resource groups if prefixed Resource RG2.
RG1 is named correctly Groups are not found
and located in the same check box is selected.
region as the resources.
■ Peer resources group
RG2 is not created.

■ OS and all disks are in ■
same resource group.
■ Peer resource groups are ■
named correctly.
■ Peer resources group is
located different region
than the resource group
of resources.
Resource Group Prefix Snapshots are not created
value is provided. and the job fails.
The Protect assets even
if prefixed Resource
Groups are not found
check box is not selected.

■ OS and all disks are in the ■
same resource group.
■ Peer resource group is not ■
created.
Resource Group Prefix Snapshots are not created
value is provided. and the job fails.
The Protect assets even
if prefixed Resource
Groups are not found
check box is not selected.

■ OS and all disks are in ■ Resource Group Prefix Snapshots are not created
separate resource groups, value is provided. and the job fails.
RG1 and RG2. ■ The Protect assets even
■ Peer resource groups of if prefixed Resource
RG1 and RG2 that is, Groups are not found
snapRG1 and snapRG2 check box is not selected.
are in different regions.
■ Peer resource group
snapRG1 is located in the
same region as the
resource group RG1.
■ The peer resource group
snapRG2 is located in a
different region than
resource group RG2.
 Managing and protecting cloud assets 38
About the NetBackup Accelerator for cloud workloads

Troubleshoot resource group permissions

If appropriate permissions are not assigned to the resource group, the snapshot
creation fails for Azure resources that are associated to resource groups.
Workaround:
To resolve this issue, perform the following steps:
1. Navigate to
https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups.
2. Click on the resource group, that is to be used in the snapshot.
3. Click on Access control (IAM).
4. Click on Add Role Assignment.
5. Select Role as Owner, Assign Access to as User, and select the Application
(created for Snapshot Manager, to make API calls).
6. Save and try to backup again.

About the NetBackup Accelerator for cloud

workloads
NetBackup Accelerator reduces the backup time for cloud backups. NetBackup
uses reference snapshots to identify the changes that were made within a virtual
machine. Only the changed data blocks are sent to the NetBackup media server,
to significantly reduce the I/O and backup time. The media server combines the
new data with previous backup data and produces a traditional full NetBackup
image that includes the complete virtual machine files.
NetBackup supports Accelerator backup for AWS, Azure and Azure Stack workloads.

Note: Accelerator is most appropriate for virtual machine data that does not
experience a high rate of change.

Accelerator has the following benefits:

■ Performs the full backups faster than traditional backup. Creates a compact
backup stream that uses less network bandwidth between the backup host and
the server. Accelerator sends only changed data blocks for the backup.
NetBackup then creates a full traditional NetBackup image that includes the
changed block data.
■ Accelerator backups support Granular Recovery Technology (GRT).
 Managing and protecting cloud assets 39
About the NetBackup Accelerator for cloud workloads

■ Reduces the I/O on the Snapshot Manager.

■ Reduces the CPU load on the Snapshot Manager.

How the NetBackup Accelerator works with virtual machines

For Azure and Azure Stack backups, Accelerator is activated when you select a
Accelerator supported storage type, like MSDP, OpenStorage, CloudStorage, and
MSDP-C (Azure and AWS).
The NetBackup Accelerator creates the backup stream and backup image for each
virtual machine as follows:
■ If the virtual machine has no previous backup, NetBackup performs a full backup.
■ At the next backup, NetBackup identifies data that has changed since the
previous backup. Only changed blocks and the header information are included
in the backup, to create a full VM backup. The changed blocks are identified by
comparing the previous reference snapshot and the current snapshot. If you
select Keep backup only or Initiate backup when snapshot is about to expire
option in the protection plan, the snapshot is retained for accelerator purpose
till the next backup is completed.
■ The backup host sends to the media server a tar backup stream that consists
of the following: The virtual machine's changed blocks, and the previous backup
ID and data extents (block offset and size) of the unchanged blocks.
■ The media server reads the virtual machine's changed blocks, the backup ID,
and information about the data extents of the unchanged blocks. From the
backup ID and data extents, the media server locates the rest of the virtual
machine's data in existing backups.
■ The media server directs the storage server to create a new full image that
consists of the following: The newly changed blocks, and the existing unchanged
blocks that reside on the storage server. The storage server may not write the
existing blocks but rather link them to the image.
■ Microsoft Azure does not allow more than 200 subsequent incremental
snapshots. If you select the Keep snapshot along with backup option in the
protection plan and specify a such a retention period for the snapshot, so that
it leads to more than 200 incremental snapshots. Then, full backups take place
instead of accelerator. It is recommended to keep a reasonable snapshot
retention period to utilize the accelerator benefits.
■ If the configuration of a VM changes, for example, if a new disk is added to a
VM between two accelerator backups, a full backup is taken for that disk, and
accelerator backup is taken for the existing disks.
 Managing and protecting cloud assets 40
About the NetBackup Accelerator for cloud workloads

Accelerator forced rescan for virtual machines (schedule attribute)

Accelerator forced rescan helps to prevent corrupt backup image issues by manually
executing the ForcedRescan command. When Accelerator forced rescan is used,
all the data on the virtual machine is backed up. This backup is similar to the first
Accelerator backup for a policy. For the forced rescan job, the optimization
percentage for Accelerator is 0. The duration of the backup is similar to a
non-Accelerator full backup.
Force rescan enhances safety, and establishes a baseline for the next Accelerator
backup. This feature protects against any potential damage like failure of checksum
verification on the data in the staging area.
Recommendations for using forced rescan:
■ Do not trigger force rescan for the VMs which are turned off.
■ If the storage location memory is full, you can see a notification in the UI. Initiate
the force rescan only when sufficient memory is available at the storage location.
NetBackup creates a schedule named 'ForcedRescan' for every protected VM. To
manually trigger the backup with force rescan execute the following command in
the command prompt or the Linux terminal:
bpbackup -i -p <policy_name> -s ForcedRescan

For example, bpbackup -i -p

msdp_10mins_FRS+5d990ab5-f791-474f-885a-ae0c30f31c98 -s ForcedRescan

You can obtain the policy name from web UI from the relevant protection plan.

Accelerator backups and the NetBackup catalog

Use of Accelerator does not affect the size of the NetBackup catalog. A full backup
with Accelerator generates the same catalog size as a full backup of the same data
without Accelerator. The same is true of incremental backups: use of Accelerator
does not require more catalog space than the same backup without Accelerator.

Accelerator messages in the backup job details log

When a virtual machine is first backed up, Accelerator is not used for that backup.
The following messages appear in the job details log:

Jul 21, 2021 1:55:52 PM - Info bpbrm (pid=78332) accelerator enabled

Jul 21, 2021 1:55:53 PM - Info bpbrm (pid=78332) There is no
complete backup image match with track journal, a regular full
backup will be performed.
 Managing and protecting cloud assets 41
Configuring backup schedule for cloud workloads

..

Jul 21, 2021 1:56:11 PM - Info bpbkar (pid=1301) accelerator sent

402666496 bytes out of 402664960 bytes to server, optimization 0.0%

When subsequent backups of the virtual machine use Accelerator, the following
messages appear in the job details log:

Jul 21, 2021 2:01:33 PM - Info bpbrm (pid=79788) accelerator enabled

..

Jul 21, 2021 2:02:00 PM - Info bpbkar (pid=1350) accelerator

sent 1196032 bytes out of 402664960 bytes to server, optimization 99.7%

This message is a key trace for Accelerator. In this example Accelerator was
successful at reducing the backup data by 99.7%.

Configuring backup schedule for cloud workloads

You can add backup schedule in the Attributes tab of the Add backup schedule
dialog, while creating a protection plan for the Azure, Azure Stack, AWS and GCP
cloud workloads.
See the Managing protection plans section of the NetBackup Web UI Administrator’s
Guide, for details of how to create a protection plan.
To add backup schedule to a cloud workload
1 On the left, click Protection > Protection plans and then click Add.
2 In Basic properties, enter a Name, Description, and select Cloud, from the
Workload drop-down list.
3 Select a Cloud Provider from the drop-down list, click Next. In Schedules,
click Add schedule.
In the Add backup schedule tab, you can configure the options for retaining
the backup and the snapshot.
 Managing and protecting cloud assets 42
Configuring backup schedule for cloud workloads

4 (For Azure SQL PaaS assets only.) If you have selected Protect PaaS assets
only for the protection plan, select Backup type as Incremental backup or
Full. For incremental backup type, NetBackup taken an initial full backup, and
all subsequent backups capture only incremental changes in the database.
This feature increases backup performance to a great extent. In case of a
schema change, goes back to full backup from incremental backup, and notifies
this activity in the activity monitor.
Assign a longer retention period to full backups than to incremental backups
within a policy. A complete restore requires the previous full backup plus all
subsequent incremental backups. It may not be possible to restore all the files
if the full backup expires before the incremental backups. See “About
incremental backup for PaaS workloads” on page 62.
5 From the Recurrence drop-down, specify the frequency of the backup.
6 In the Snapshot and backup options, do any of the following:
■ Select Keep snapshot along with backup option to retain both the
snapshot and the backup. Specify retention period for both the snapshot
and the backup, using the Keep snapshot for and the Keep backup for
drop-downs. Select Full from the Backup type drop-down. Select Initiate
backup only when the snapshot is about to expire option, to start the
backup job just before the retained snapshot expires.
■ Select Keep snapshot only option, to retain only the snapshot. Specify
retention period for the snapshot using the Keep snapshot for drop-down.
■ (Optional) If you have selected provider as Amazon AWS, and selected
to retain the snapshot by selecting any of the above two options, you
can configure snapshot replication at this point. For more information
about cloud snapshot replication, See “Configure AWS snapshot
replication” on page 47.
■ Select Enable Snapshot replication.
■ In the table, select Region, AWS Account, and Retention period for
the replicated snapshots.

Note: The number of replication copies that you configure is displayed

in the Snapshot replicas column in the Schedules and retention table
in the Schedules tab.

■ Select Keep backup only option, to retain only the backup. The snapshot
expires immediately after the backup. Specify retention period for the backup
using the Keep backup for drop-down. Select Full from the Backup type
drop-down.
 Managing and protecting cloud assets 43
Configuring backup schedule for cloud workloads

Note: As NetBackup supports granular restore only from the snapshot, if

you select Keep Backup Only the granular recovery options do not work.
Similarly, AWS snapshot replication feature does not work if you select
Keep Backup Only.

7 Continue creating the schedule in the Start window tab, as described in the
Managing protection plans section of the NetBackup Web UI Administrator’s
Guide.

Availability of granular recovery for different backup

options
Availability of the granular recovery for files or folders option, depends on the
different backup options that you select for the workload.
■ When you select the Keep snapshot along with backup option, granular
recovery is available.
■ When you select the Keep snapshot only option, granular recovery is available.
■ When you select the Keep backup only option, granular recovery is not
available.
Indexing during backup and snapshot jobs
■ NetBackup performs VxMS (Veritas Mapping Service) based indexing from
snapshot, and inline indexing during the backup from snapshot Jobs. It can
index files irrespective of the region and location of the Snapshot Manager.
VxMS based indexing is currently supported for GCP, AWS, Azure, and Azure
Stack Hub clouds.
■ Indexing is performed during the actual backup or snapshot jobs, but you can
perform the recovery of individual files or folders only from the snapshot copy
using Enable granular recovery for files and folders option.
■ Once the snapshot of the VM assets is created, the 'Index from Snapshot' job
for each of the assets is triggered. You can check the indexing job details in the
Activity Monitor.
■ The VxMS debug logs and the cloud connector debug logs are available in the
/cloudpoint/openv/dm/datamover.<datamover-id>/netbackup/logs folder of the
Snapshot Manager.

Note: If the VM is not in connected state, then the VM backup continues and the
backup job is marked as partially successful. In this case, you cannot restore
individual files or folders as the indexing is not available when the VM is not
connected.
 Managing and protecting cloud assets 44
Backup options for cloud workloads

Backup options for cloud workloads

Note: For a connected VM, a file system consistent snapshot is attempted. In case
a connected VM is stopped later, then the application enters into an error state and
a crash consistent snapshot is taken instead of file system consistent snapshot.
You can refer to the Job monitor and refer the logs if the snapshot taken was crash
consistent or file system consistent snapshot.

Regional snapshots for Google cloud

You can choose to enable regional snapshots for the Google cloud workloads while
creating a protection plan.
If the regional snapshot option is enabled, the snapshot will be created in the same
region in which the asset exists. Otherwise, the snapshot will be created in a
multi-regional location.

Snapshot destination resource group for Azure and Azure

Stack Hub
You can choose to specify a snapshot destination peer resource group while creating
a protection plan for Azure or Azure Stack Hub. While the previous functionality of
defining a peer resource group by specifying a prefix still exists, you can now directly
associate a snapshot to an existing peer resource group at the time of creating a
protection plan.
 Managing and protecting cloud assets 45
Backup options for cloud workloads

If you have selected the cloud provider as Microsoft Azure or Azure Stack Hub
while creating a protection plan, you can select Specify snapshot destination
resource group to associate snapshots to a particular peer resource group within
the same region in which the asset exists. Then select a configuration, subscription,
and a resource group for a snapshot destination.
The snapshot is stored in one of the destination resource groups, in the following
preference:
■ A destination resource group specified in the protection plan
■ A pre-fixed resource group specified in the plugin configuration (for Azure only)
■ A resource group in which the asset exists, if no destination or pre-fixed resource
group is specified in NetBackup.

Excluding selected disks from backup

You can configure a protection plan to exclude some disks from the backup and
snapshot which are applicable to all supported cloud vendors including GCP. This
enables you to avoid redundant images of the disks that do not need to be backed
up, and speed up the backups by reducing the volume of data to be processed.
If you are creating a protection plan for AWS, Azure, Azure Stack Hub, or GCP
clouds, you can select Exclude selected disks from backups option and specify
the disks that should not be included in the backup image. You can choose to
 Managing and protecting cloud assets 46
Backup options for cloud workloads

exclude either all the non-boot disks, or the disks that have specific tags associated
with them in the corresponding cloud provider account.

Note: A protection plan that has disk exclusion option enabled can be applied only
to the cloud VM type assets and VM intelligent groups.

Then while restoring the VMs from the Recovery Points tab, refer to the Includes
disks column to view the list of disks that are included or excluded in the backup
image.
Refer to the information on creating a protection plan in the NetBackup Web UI
Administrator’s Guide for the complete procedure.
Notes:
■ In case of LVM, if disks are excluded partially then system might not boot up
properly.
■ In case there is a non supported file system configured on a disk and user wants
to exclude that disk from snapshot, the snapshot would continue to be crash
consistent snapshot as the disk containing non supported file system is excluded.
■ If the user wants to exclude the disk, he/she should have the nofail flag attached
to the data disk prior to taking a snapshot in the /etc/fstab file. This is required
if the user reboot the instance without this volume attached (for example, after
moving the volume to another instance), the nofail mount option enables the
instance to boot even if there are errors mounting the volume. For more
information, refer to the following example entry in the /etc/fstab file:
For example,UUID=aebf131c-6957-451e-8d34-ec978d9581ae /data xfs
defaults,nofail 0 2
■ The user should ensure that assets are properly discovered once there has
been any change in their tags from the cloud provider. Once the policy run is
scheduled for an asset, the disks are excluded as per the discovered data only.
 Managing and protecting cloud assets 47
Snapshot replication

If, the user attaches a tag while the snapshot is in progress, that tag would not
be considered as a part of exclusion. Once discovery is completed, it will be
considered during next protection cycle.
■ In case of OS with non-English locale, if user opts tag based exclusion in
protection plan and disk tag has non-English character, even then disk exclusion
works as expected. But in some cases tag with non-English character is not
correctly captured in job(try) logs and audit logs although there is no functionality
impact as disk exclusion is considered correctly.

Snapshot replication
Replicating a snapshot means saving a copy of the snapshot to another location.
In AWS, another location can be one of the following:
■ different region within the same account.
■ same region in a different account.
■ different region within different account.
For example, an AWS cloud administrator have their assets in the region X. The
snapshots of those assets will also be stored in X region. However, you can also
replicate the snapshots to the Y region within same account or X/Y region in a
different account, for an added level of protection. In NBU Snapshot Manager
terminology, the original location (X) is the replication source, and the location where
snapshots are replicated (Y) is the replication destination.
Replication is performed in three steps. This mechanism is handled internally and
the entire process is completely transparent to the user.
■ Share the snapshot, only if replicating to a cross account. For more information,
see the Share a snapshot section of the AWS documentation.
■ Copy the snapshot. For more information, see the CopySnapshot section of the
AWS documentation.
■ Unshare the snapshot, only if replicating to a cross account.

Configure AWS snapshot replication

Requirements for replicating snapshots
■ Replicating unencrypted snapshots
Ensure that the source and target accounts/regions are configured using the
AWS cloud provider from NetBackup Snapshot Manager. There are no additional
requirements for replicating unencrypted snapshots.
 Managing and protecting cloud assets 48
Configure AWS snapshot replication

■ Replicating encrypted snapshots using AWS KMS

Ensure that the source and target accounts/regions are configured using the
AWS cloud provider from NetBackup Snapshot Manager.
Additionally, to replicate encrypted snapshots to a cross account, the encryption
CMK key from the original location needs to be shared to the target account.
(This shared KMS key is implicitly used while copying the snapshot in the target
account, and the copied snapshot can be replicated by a different key).
Both the source and target locations should have encryption key (KMS key) with
same name; that is, they should have the same key alias (in terms of AWS).
If encryption key with the same name is not present at the target, then the
replicated snapshot is encrypted using the default KMS key in the target location.
■ Permissions for cross account replication
For cross-account replication, the AWS IAM user or role associated with the
snapshot source region's AWS account (source AWS account) must have the
following permissions:
■ ModifySnapshotAttribute and CopySnapshot on the EC2 instance.

■ DescribeKey and ReEncrypt on the KMS key that is used to encrypt the
original snapshot.
For cross-account replication, the AWS IAM user or role associated with the
snapshot replication target region's AWS account (target AWS account) must
have the following permissions:
■ CreateGrant, DescribeKey, and Decrypt on the KMS key that is used to
encrypt the original snapshot.
■ CreateGrant, Encrypt, Decrypt, DescribeKey, and
GenerateDataKeyWithoutPlainText on the KMS encryption key used while
performing the CopySnapshot operation on the original snapshot.

You can choose to replicate snapshots for AWS cloud assets from the primary
location to a remote or a secondary location. The Snapshot Manager's support
cross-region and cross account replication. With snapshot replication you can
achieve the following:
■ Maintain a copy of cloud assets at a different destination for long-term retention
and auditing requirements.
■ Recover cloud assets from the replicated copies from another region in case
there is a region outage.
■ Recover cloud assets from the replicated copies from another account in case
the user account is compromised.
 Managing and protecting cloud assets 49
Configure AWS snapshot replication

Configuration
Review the following information to configure snapshot replication:
■ You can configure snapshot replication when you create a protection plan. See
the NetBackup™ Web UI Administrator's Guide.
■ For cross account replication, you need to establish a trust relationship between
the source and the target account. For more details, refer to the Across AWS
Accounts Using IAM Roles related information in the Amazon Web Services
documentation.

Considerations
Consider the following when you configure cloud snapshot replication:
■ Even if multiple schedules are configured, the replication destination region that
is configured is applied to all the schedules.
■ Cloud snapshot replication is supported only for Amazon cloud providers.

Asset protection criteria

Consider the following before adding cloud assets to a protection plan that is
configured for cloud snapshot replication:
■ Assets must be added to a protection plan that replicates snapshots to a different
region.
For example, assets residing in region ‘aws_account_1-us-east-1’ cannot be
subscribed to a protection plan replicating to the same region
‘aws_account_1-us-east-1’.
■ Assets can be replicated to a different account in the same region.
For example, assets residing in region ‘aws_account_1-us-east-1’ can be
subscribed to a protection plan replicating to the same region but different
account ‘aws_account_2-us-east-1’.
■ Assets that are discovered by a Snapshot Manager must be replicated to the
region that is discovered by the same Snapshot Manager.
For example, assets that are discovered by Snapshot Manager ‘CP1’ cannot
be subscribed to a protection plan replicating to a region that is discovered by
Snapshot Manager ‘CP2’.
■ Only Amazon assets can be subscribed to a protection plan that is configured
for cloud snapshot replication.

Manage concurrent snapshots replications

For better performance, you can tune the number of concurrent snapshot
replications. Amazon has different limits for each asset type to do concurrent
 Managing and protecting cloud assets 50
Using AWS snapshot replication

snapshot replications to a single destination region. For example, RDS has a limit
for 5, EBS has a limit for 5, and EC2 has a limit for 50. For more details refer to
Copy Snapshot related information in the Amazon Web Services documentation.
In NetBackup this limit is defined using the following parameter in the bp.conf file:
MAX_CLOUD_SNAPSHOT_REPLICATION_JOBS_PER_DESTINATION

The default value is 5.

Using AWS snapshot replication

This section elaborates how to create snapshot replicas using the AWS snapshot
replication feature, and restore the replicated snapshots whenever required. Refer
to the NetBackup™ Snapshot Manager Install and Upgrade Guide and the
NetBackup Web UI Administrator’s Guide for details about these steps, otherwise
indicated.

Creating snapshot replications

This section describes how to configure the Source region to create snapshot
replicas in the Target region.
To create replicas
1 Add Snapshot Manager (CP1) in webUI. See “Add a Snapshot Manager”
on page 13.
2 Add AWS plug-in for Source and Target region for replication.
3 Create protection plan and select Region and Account. See “Configuring
backup schedule for cloud workloads” on page 41.
4 Connect and configure an application consistent guest VM using the OnHost
agent.
5 Trigger snapshot-based backup and replicate the snapshots using the protection
plan.
6 Verify the recovery points for snapshot and replica copy.

Restoring from the snapshot replicas in the target region

If the Source region fails, you can restore the VMs belonging to this region, from
the Target region, where you have taken the snapshot replicas. As the Source
region is down, you will initially need to restore the VMs in the Target region.

Note: You cannot restore single files or folders from a replica that was discovered
by an alternate Snapshot Manager in a failed over region.
 Managing and protecting cloud assets 51
Using AWS snapshot replication

Restoring in the target region

1 Disable server CP1 in the Source region from webUI. See “Enable or disable
a Snapshot Manager” on page 20.
2 Register a new Snapshot Manager (CP2) in the target region, from webUI.
3 Add AWS plug-in for only the Target region and account. Let the discovery
complete.
4 To restore VMs:
■ Log on to the NetBackup web UI.
■ On the left, click Cloud, under Workloads. On the Virtual machines tab,
click the machine that you want to recover.
■ Click the Recovery points tab. In the list of images, click Restore in front
of the required Replica image, and click Restore virtual machine.
■ To change the Display name for the VM, enter a new name.
■ Select a subnet (subnet path having VPC).
See “Recovering cloud assets” on page 74.

5 Add appropriate security group to the restored VMs to enable remote access.
6 Uninstall and reinstall the Snapshot Manager agent from the restored VMs,
and then register the Snapshot Manager agents with the new CP2 server.
7 Run a deep discovery from the AWS provider console.
8 Create new protection plan to protect the restored VMs. Trigger a
snapshot-based backup.

Restoring back to the source region from the target region

You can restore the VMs from the Target region to the Source region, once the
source region is back online.
Restoring to the source region
1 Edit the AWS plug-in for CP2 and add the Source region.
2 Create a new protection plan to create a snapshot replica in the Source region.
3 Trigger snapshot-based backup and replicate.
4 Disable the CP2 server in webUI. See “Enable or disable a Snapshot Manager”
on page 20.
5 Enable the CP1 server and trigger deep discovery from AWS provider console.
6 Perform full restore of the VMs from the Target region.
7 Add appropriate security group to enable remote access to restored VMs.
 Managing and protecting cloud assets 52
Support matrix for account replication

8 Uninstall and reinstall the Snapshot Manager agents from the restored VMs,
and then register Snapshot Manager agents with the CP1 server.
9 Run a deep discovery from the AWS console.
10 Use the existing protection plan to protect newly restored VMs.

Support matrix for account replication

Table 1-9 Support matrix for same account replication

Asset types Source asset Source snapshot Replicated

(Region X) (Region X) snapshot (Region
Y)

EBS Volume, EC2 Unencrypted Unencrypted Unencrypted

Instance and
RDS/Aurora Attached disks Attached disks Attached disks
encrypted using encrypted using encrypted using
default AWS KMS default AWS KMS default AWS KMS
key. key. key.

Encrypted using AWS Encrypted using AWS Encrypted using AWS

KMS CMK key (with KMS CMK key (Alias KMS CMK key with
Alias ABC). ABC). name if present (Alias
ABC), else encrypted
using default AWS
KMS key.
 Managing and protecting cloud assets 53
Support matrix for account replication

Table 1-10 Support matrix for different account same region replication

Asset types Source asset Source snapshot Replicated

(Account A (Account A snapshot
Region X) Region X) (Account B
Region Y)

EBS Volume, EC2 Unencrypted Unencrypted Unencrypted

Instance and
RDS/Aurora Encrypted using Encrypted using Not supported
default AWS KMS default AWS KMS
key. key.

Encrypted using AWS Encrypted using AWS Encrypted using AWS

KMS CMK key (with KMS CMK key (with KMS CMK key with
Alias ABC). Alias ABC). name if present (with
Alias ABC), else
encrypted using
default AWS KMS
key.

Table 1-11 Support matrix for different account different region replication

Asset types Source asset Source snapshot Replicated

(Account A (Account A snapshot
Region X) Region X) (Account B
Region Y)

EBS Volume and Unencrypted Unencrypted Unencrypted

EC2 Instance
Encrypted using Encrypted using Not supported
default AWS KMS default AWS KMS
key. key.

Encrypted using AWS Encrypted using AWS Encrypted using AWS

KMS CMK key (with KMS CMK key (with KMS CMK key with
Alias ABC). Alias ABC). name if present (with
Alias ABC), else
encrypted using
default AWS KMS
key.
 Managing and protecting cloud assets 54
Protect applications in-cloud with application consistent snapshots

Table 1-11 Support matrix for different account different region replication
(continued)

Asset types Source asset Source snapshot Replicated

(Account A (Account A snapshot
Region X) Region X) (Account B
Region Y)

RDS Unencrypted Unencrypted Unencrypted

Encrypted using Encrypted using Not supported

default AWS KMS default AWS KMS
key. key.

Encrypted using Encrypted using Not supported

default AWS KMS default AWS KMS
key. key.

Aurora Unencrypted Unencrypted Not supported

Encrypted using Encrypted using Not supported

default AWS KMS default AWS KMS
key. key.

Encrypted using Encrypted using Not supported

default AWS KMS default AWS KMS
key. key.

Protect applications in-cloud with application

consistent snapshots
You can take application consistent (point-in-time) snapshots of the applications
that are deployed on virtual machines in cloud. This lets you perform a point-in-time
recovery of applications.
You can perform original location and alternate location restores for these workloads.
For alternate location restore, consider the following:
■ For alternate location restore of MS SQL workloads, the target host must be
discovered but the application status should not be in connected or configured
state.
■ For alternate location restore of Oracle workloads, the target host must be
discovered but the application status should not be in connected or configured
state.
 Managing and protecting cloud assets 55
Protecting PaaS assets

Before you begin

Ensure that the database is prepared for snapshots. For details review the plug-in
configuration notes in the Veritas Snapshot Manager documentation.
To configure applications for point-in-time recovery
1 Connect to the virtual machine that hosts the applications.
■ After the cloud assets are discovered, go the Virtual Machines tab.
■ Select the virtual machine where the application is hosted. On the top right,
click Manage credentials.
■ Enter the credentials. If the credentials for the VM are not configured, you
must configure the credentials. See the Managing credentials chapter of
the WebUI Administrator Guide.
■ After the virtual machines are connected, the virtual machines state is
updated to Connected.

2 Select the virtual machine where the application is hosted. On the top right,
click Configure application.
3 After the process is complete, the application status is updated to configured.
4 The applications are displayed under the Applications tab after the next
discovery.
5 Apply the protection plan. See the NetBackup Web UI Administrator's Guide.
To edit or update virtual machine credentials
1 Go to the Virtual Machines tab.
2 Select the virtual machines for which you want to update credentials. On the
top right, click Manage credentials.
3 Update the credentials.
To edit or update application configuration
1 Go to the Applications tab.
2 Select the application for which you want to update. On the top right, click Edit
configuration
3 Update the credentials and click Configure.

Protecting PaaS assets

You can manage the PaaS assets after discovered by NetBackup. The assets are
displayed in the PaaS and Applications tabs, under cloud workload. The
 Managing and protecting cloud assets 56
Protecting PaaS assets

Applications tab displays the RDS assets, whereas the PaaS tab displays the
non-RDS assets. You can view, protect, and recover PaaS assets from these two
tabs.

Prerequisites for protecting PaaS assets

NetBackup lets you discover, protect, and restore PaaS assets across different
cloud platforms for a variety of assets. This section details the supported platforms
and databases.

Supported cloud providers

NetBackup enables you to protect PaaS assets with the following cloud providers:
■ Microsoft Azure
■ AWS
■ GCP

Supported databases for different providers

The following table lists the supported databases for each cloud provider.

Table 1-12 Supported databases by PaaS

Providers Supported databases

Microsoft Azure PostgreSQL, SQL Managed Instance, SQL, MariaDB, and MySQL.

The following components are not supported:

Azure SQL - Elastic pool

Azure SQL Managed Instance - Azure Arc

Azure PostgreSQL - Hyperscale (Citus) server group and Azure

Arc enabled PostgreSQL Hyperscale

AWS RDS SQL, RDS PostgreSQL, RDS MySQL, RDS MariaDB, RDS
Aurora MySQL, RDS Aurora PostgreSQL, and DynamoDB.

GCP Cloud SQL for PostgreSQL and Cloud SQL for MySQL

Supported platforms
This section details the supported platforms for primary and media servers.
 Managing and protecting cloud assets 57
Protecting PaaS assets

Table 1-13 Supported platforms for PaaS

NetBackup server Supported platform

Primary RHEL, SUSE, and Windows

Media RHEL

Storage server Universal share on underlying MSDP block storage or

MSDP-Cloud storage STU

Required cloud provider permissions

The credential that you use to add the cloud providers must have all the required
permissions and privileges assigned as mentioned in the NetBackup Snapshot
Manager Installation and Upgrade Guide.

Supported ports
Here are the supported ports for different PaaS databases.

Table 1-14 Supported ports for PaaS

Database PaaS Supported ports

workload

Azure SQL Server 1433

Azure SQL Managed 1433

Instance

Azure MySQL 3306

Azure PostgreSQL 5432

Azure MariaDB 3306

GCP PostgreSQL 5432

GCP MySQL 3306

AWS DynamoDB NA

AWS RDS PostgreSQL 5432

AWS RDS MySQL 3306

AWS MariaDB 3306

AWS RDS AuroraDB 5432

Postgres
 Managing and protecting cloud assets 58
Protecting PaaS assets

Table 1-14 Supported ports for PaaS (continued)

Database PaaS Supported ports

workload

AWS RDS AuroraDB 3306

MySQL

AWS RDS SQL server 1433

Enabling binary logging for MySQL databases

■ For AWS, see
https://aws.amazon.com/premiumsupport/knowledge-center/rds-mysql-functions/
■ For Azure, set the value of the parameter log_bin_trust_function_creators
as 1, as described in the link:
https://learn.microsoft.com/en-us/azure/mysql/single-server/how-to-server-parameters
■ For GCP, do the following:
■ Open the instance and click Edit.
■ Scroll down to Flags section.
■ To set a flag, click Add item, select log_bin_trust_function_creators flag
from the drop-down menu, and set its value to on.
■ Click Save to save your changes. You can confirm your changes under
Flags in the Overview page.

Installing the native client utilities

If you use a build-your-own (BYO) setup, you must install the native client utilities
in your NetBackup environment for your PaaS workload to work.
For NetBackup deployments in Azure Kubernetes Services (AKS) or Elastic
Kubernetes Services (EKS), the native client utilities are packaged as part of
NetBackup media server and primary server no manual installation is required for
them.
Ensure that the network settings like firewall, security group, and DNS configuration
are configured appropriately to access databases within the cloud provider.

Note: If any of these packages are already installed in the media server(s), remove
the packages to avoid conflict with the newer versions of the packages that you
install.
 Managing and protecting cloud assets 59
Protecting PaaS assets

Installing the MySQL client utility

Note: MySQL client utility recommended version is 8.0.31.

RPM Download https://downloads.mysql.com/archives/community/

location

To install, run the following commands in the terminal:

1 rpm -ivh mysql-community-common-<version_no>.x86_64.rpm

2 rpm -ivh mysql-community-client-plugins- <version_no>.x86_64.rpm

3 rpm -ivh mysql-community-libs- <version_no>.x86_64.rpm

4 rpm -ivh mysql-community-client- <version_no>.x86_64.rpm

Note: Avoid using MySQL client utility 8.0.32 version as there is bug reported by
MySQL.

Installing sqlpackage client utility

Note: sqlpackage client utility recommended version is 19.2(Build: 16.0.6296.0).

Download https://docs.microsoft.com/en-us/sql/tools/
locations /sqlpackage-download?view=sql-server-ver15

https://packages.microsoft.com/rhel/7/prod/msodbcsql17-17.10.2.1-1.x86_64.rpm

https://packages.microsoft.com/rhel/7/
prod/unixODBC-2.3.7-1.rh.x86_64.rpm

To install, run the following commands in the terminal:

1 cd ~

2 mkdir sqlpackage

3 unzip ~/Downloads/sqlpackage-linux-<version string>.zip -d

~/sqlpackage

4 echo "export PATH=\"\$PATH:$HOME/sqlpackage\"">> ~/.bashrc

5 chmod a+x ~/sqlpackage/sqlpackage

 Managing and protecting cloud assets 60
Protecting PaaS assets

6 source ~/.bashrc

Note: Ensure that sqlpackage is added as a default path variable.

7 sqlpackage

8 rpm -ivh unixODBC-2.3.7-1.rh.x86_64.rpm

9 rpm -ivh msodbcsql17-17.10.2.1-1.x86_64.rpm

RHEL 9 users perform the following additional steps:

1 Download the Microsoft.NETCore.App.Runtime.linux-x64 from the link:
https://www.nuget.org/api/v2/package/Microsoft.NETCore.App.Runtime.linux-x64/6.0.10
Locate the file: microsoft.netcore.app.runtime.linux-x64.6.0.10.nupkg.
2 Extract the file using a decompression tool like, 7zip.
3 Navigate to:
microsoft.netcore.app.runtime.linux-x64.6.0.10.nupkg\runtimes\linux-x64\lib\net6.0\
4 Copy the file System.Security.Cryptography.X509Certificates.dll from
there to/sqlpackage folder created in step 2 of installing sqlpackage client
utility task.
If you are attaching the 10.1 media server as an external media server with 10.1.1
NetBackup setup, perform the following steps on the 10.1 media server.
For a BYO NetBackup setup:
■ Run the command:
mkdir -p <backup and restore ushare export path>

■ Check the Defaultvers value of NFS in the /etc/nfsmount.conf file.

■ If the Defaultvers value is nfs3, then mount the backup and restore ushare
path with the option nolock. For example: mount <ushare mount path>
<ushare export path> -o nolock

■ If the Defaultvers is nfs4, mount the backup and restore ushare path
without the nolock option.

For NetBackup deployed in AKS and EKS environments:

■ Run the command:
mkdir -p <backup and restore ushare export path>

■ Check the Defaultvers value of NFS from the /etc/nfsmount.conf file.

 Managing and protecting cloud assets 61
Protecting PaaS assets

■ If the Defaultvers value is nfs3, then mount the backup and restore ushare
path with the option nolock For example: mount <ushare mount path>
<ushare export path> -o nolock

■ If the Defaultvers value is nfs4, then mount the v4 version of backup and
restore ushare path without the nolock option.

Installing Postgres client utility

Note: Postgres client utility recommended version is 14.6.

Download RHEL 7 https://download.postgresql.org/pub/repos/yum/14/redhat/rhel-7-x86_64/

locations
RHEL 8 https://download.postgresql.org/pub/repos/yum/14/redhat/rhel-8-x86_64/

RHEL 9 https://download.postgresql.org/pub/repos/yum/14/redhat/rhel-9-x86_64/

To install, run the following commands in the terminal:

1 rpm -ivh postgresql14-libs-14.6-1PGDG.rhel7.x86_64.rpm

2 rpm -ivh postgresql14-14.6-1PGDG.rhel7.x86_64.rpm

Note: lz4 compression package and libicu are required by

postgresql14-14.6-1PGDG.rhel8.x86_64.rpm on RHEL 8 and 9.

Configuring the storage server for instant access

Here is the required configuration for your storage server to support instance access.
1 Ensure that NFS and NGINX are installed.
2 The NGINX version must be the same as the one in the corresponding official
RHEL version release. Install it from the corresponding RHEL yum source
(EPEL).
3 Ensure that the policycoreutils and policycoreutils-python packages
are installed from the same RHEL yum source (RHEL server). Run the following
commands:
■ semanage port -a -t http_port_t -p tcp 10087

■ setsebool -P httpd_can_network_connect 1
 Managing and protecting cloud assets 62
Protecting PaaS assets

4 Ensure that any mount points does not directly mount the /mnt folder on the
storage server. Mount the mount points to its subfolders only.
5 Enable the logrotate permission in selinux using the following command:
semanage permissive -a logrotate_t

About incremental backup for PaaS workloads

NetBackup supports differential incremental backup for Azure SQL server workload.
Incremental backups reduce the backup window significantly in NetBackup. In this
method, NetBackup, backs up only the data that has been changed since the
subsequent full backup.
Differential incremental backup is only supported for those workloads, where the
Change Data Capture feature on the Azure SQL server is enabled.
Guidelines for working with incremental backups for PaaS workloads:
■ Assign a longer retention period to full backups than to incremental backups
within a policy. A complete restore requires the previous full backup plus all
subsequent incremental backups. It may not be possible to restore all the files
if the full backup expires before the incremental backups.
■ Use one storage for full and incremental backups.
■ Do not create long-term copy for incremental backups.
■ Do not expire random incremental backup images. Expiring them may cause
application inconsistency due to data loss. NetBackup relies on previous full
backup and all the subsequent incremental backups.
■ While duplicating, ensure that the full and the incremental backup copies are
duplicated to the target storage. Any of the previous full or incremental images
missing may result in data loss.
■ While importing, ensure that the full and all the incremental backup copies are
imported together. Any of the previous dependent full or incremental images
missing may result in failure.

Limitations and considerations

Consider the following when protecting cloud workloads.

For all databases

■ NetBackup deployments in Flex Appliance and Flex Scale do not support PaaS
workloads.
 Managing and protecting cloud assets 63
Protecting PaaS assets

■ Supports only default the ports for all the databases across providers. Workload
instances configured with the custom ports are not supported.
■ Database names containing the characters '#' and '/' are not supported for
backup and restore operations. Also, the database name should adhere to
naming conventions suggested by the cloud vendors.
■ Backup and restore of a database with multi-byte or non-English characters are
not supported for a primary server running Windows and having back-level
media server with a version less than 10.1.1.
■ You can duplicate the PaaS backup image to a supported storage server. But
before you start a restore, you need to duplicate the image, back to an MSDP
server with universal share enabled. See “Recovering duplicate images from
AdvancedDisk” on page 86.
■ With NetBackup 10.2, you can perform backup and restore of supported Azure
PaaS databases with Managed Identity based database authentication. This is
not supported for Azure Database for MariaDB server. This feature requires at
least one media server of version 10.2 or higher.
■ For authentication of Azure database, It is recommended to use User Assigned
managed identity to work across all media servers. Using a database user
created with a system-assigned managed identity, associated with the media
server or vm-scale-set (AKS/EKS), does not work with any other media server
or media in any other vm-scale set (AKS/EKS).

For PostgreSQL
■ Restore of security privileges is not supported.
■ During restore you can use –no-owner and –no-privileges option. After restore,
the metadata captured at the time of backup, are shown as owner/ACL in the
progress log restore activity on web UI.
■ Restore does not fail, if the owner/role does not exist on the destination.
■ Post restore, the database has the role associated according to the credentials
provided in NetBackup against the destination instance.
■ Users need to modify the ownership of databases post restore.
■ Backup and restore are not supported if the only SSL (Secure Sockets Layer)
connection is enforced at the server level for GCP PostgreSQL workload.
■ Azure Postgres database restore from single to flexible server or vice versa is
not supported because of the cloud provider limitations.
■ Following characters are not supported in database name in restore workflow:
&, (, ), <, >, \, |, /, ;, `, ‘, and “.
 Managing and protecting cloud assets 64
Protecting PaaS assets

■ Uppercase username is not supported for new users added after PostgreSQL
server creation.

For AWS DynamoDB

■ Alternates restore for region and account is not supported.
■ Restore from imported images from a different primary server is only supported
using NetBackup REST API.

For AWS RDS SQL

■ Only Express and Web editions for AWS RDS SQL are supported.
■ For credential validation, IAM is not supported for AWS RDS SQL. You can use
the username and password method.
■ Only Amazon RDS data management type is supported. The data management
type RDS Custom is not supported for AWS RDS SQL instance editions.

For MySQL
■ Restore operation require superuser privileges if the dump file contains CREATE
DEFINER statement for backups taken on version lower than 10.2.
■ Backup taken on version 10.2 or higher cannot be restored using version lower
than 10.2.
■ Backup and restore are not supported if the only SSL connection is enforced at
the server level for GCP MySQL workload.
■ You can restore MySQL database to an alternate instance with another MySQL
version than the backup instance, depending on MySQL's version compatibility.

For Azure SQL and SQL Managed Instance

■ The Azure VM which is used as a media server, should be in the same Vnet as
that of an Azure-managed instance. Alternatively, if the media server and SQL
managed instance are in different Vnet, then both the Vnets must be peered to
access the database instance.
■ Backup fails when Readlock is placed on the database or resource group.
■ Backup is partially successful when Deletelock is placed on the database or
resource group. The tempdb stale entry does not get deleted from the Azure
cloud portal. You need to manually delete it.
■ To restore a database on an Azure SQL server or Azure Managed Instance,
you must assign AAD admin privilege on the target server, before beginning the
restore, to the following, as required:
■ The system or the user-managed identity of the media servers.
 Managing and protecting cloud assets 65
Protecting PaaS assets

■ The vm-scale-set in which NetBackup media is deployed (in case of AKS

or EKS deployment).

For Azure SQL incremental backup

■ You can enable Change Data Capture (CDC) only on databases tiers S3 and
above. Sub-core (Basic, S0, S1, S2) Azure SQL Databases are not supported
for CDC.
■ You may encounter backup or restore issues for databases having encrypted
columns in table. As a workaround, Microsoft suggests using Publish/Extract
commands to tackle this issue.
■ Restore may fail for database having blob data in table.
■ To duplicate incremental backups on different storage servers; NetBackup
generates different copy numbers for the same recovery point. If you try to
restore an incremental copy where no earlier reference of full and other
incremental backup is present, the restore fails.
■ Note that incremental backup can run only on NetBackup version 10.2 and
above media server.
■ The user ID used for the cloud service must have permission to enable and
disable CDC. Without this permission, you can see errors like: 3842: "Failed to
enable CDC" and 3844: "Failed to disable CDC".
■ Any attempt to enable CDC fails if a custom schema or user named cdc exists
in the database. The term cdc is reserved for system use.
■ If you restore to any edition other than Standard or Enterprise, the operation is
blocked because CDC requires SQL Server Standard or Enterprise editions.
Error message 932 is displayed.
■ Avoid backing up databases with BLOB data tables. If a table contains BLOB
data, then the backup might be successful, but the restore fails.

Discovering PaaS assets

NetBackup lets you discover, protect, and restore PaaS database assets. You can
also discover and restore Azure SQL database and Azure SQL managed database
assets backed up by Microsoft Azure. The supported backup modes are Point in
time backup and Long-term retention backup.
 Managing and protecting cloud assets 66
Protecting PaaS assets

Note: If you have upgraded the NetBackup Snapshot Manager (previously

CloudPoint) from version 10.0 to 10.1. For all users with custom roles, the PaaS
assets are marked as deleted in the PaaS tab. The assets do not show any
recovery-point on them, instead new assets with same name are visible. The old
assets get removed from the PaaS tab after the subsequent scheduled asset cleanup
(default duration is 30 days). As a work-around for this problem, re-assign
permissions of all the new asset to the existing RBAC role or create a new custom
role. For more information, see NetBackup WebUI Administrator's Guide.

Note: If you change the Snapshot Manager cloud plug-in configuration from Azure
service principal to Azure managed identity, the status of the previously discovered
PaaS assets are displayed deleted. NetBackup Snapshot Manager removes the
deleted assets every 24 hours, if you want to perform backup or recovery before
the scheduled cleanup, contact Veritas Technical Support.

To discover PaaS assets:

1 Add a Snapshot Manager. See “Add a Snapshot Manager” on page 13.
2 Add Microsoft Azure, GCP, or AWS as a provider. See “Add a cloud provider
for a Snapshot Manager” on page 14.
3 Run a discovery. See “Discover assets on Snapshot Manager” on page 18.
After the discovery is complete, you can find all the discovered Azure
PostgreSQL, MariaDB, SQL Managed Instance, SQL, MySQL and GCP Cloud
SQL for PostgreSQL, Cloud SQL for MySQL, or AWS Dynamo DB assets in
the PaaS tab, in the Cloud workload.
All discovered AWS RDS PostgreSQL, RDS MySQL, RDS MariaDB, RDS
SQL, and AuroraDB assets appear in the Applications tab. The RDS instances
support provider snapshot-based backups as well as NetBackup managed
backups.
NetBackup can manage and protect all the assets listed under the PaaS tab.
Additionally, Azure SQL database and Azure SQL Managed database assets
can also be backed up by Microsoft Azure.

Note: When you create and delete a PaaS asset with same name in intervals, and
if the PaaS asset is deleted after discovery, web UI shows old data until the next
periodic discovery runs.
 Managing and protecting cloud assets 67
Protecting PaaS assets

Viewing PaaS assets

To view PaaS assets:
1 On the left, click Cloud under Workloads.
2 In the PaaS tab, the assets that are available to you are displayed. The RDS
assets are displayed in the Applications tab.
You can perform Add protection, Backup now, Manage credential operations
in the displayed assets.
For DynamoDB assets the Manage credentials option is not available.
For the deleted assets, you can only manage credentials.

Managing PaaS credentials

You can add credentials for a database listed in the PaaS and Applications tab
under Cloud workload. You can add, edit, or delete PaaS credentials from the
central Credential management console in NetBackup.

View the credential name that is applied to a database

You can view the named credential that is configured for the databases in the
Credential name column of the PaaS tab. If the credentials are not configured for
a particular asset, this field is blank.
To view the credentials for PaaS databases:
1 On the left, select Workloads > Cloud> PaaS tab.
2 Click Show or hide columns above the database list table.
3 Select Credential name to display the credential name column.

Add credentials to a database

You can add or modify credentials for a database listed in the PaaS tab.
To add or change credentials
1 On the left, click Workloads > Cloud.
In the PaaS tab, the assets that are available to you are displayed. The RDS
assets are displayed in the Applications tab.
2 Select the database in the table, then click Manage credentials.
3 Select a Validation host. The validation host must be the RHEL media server
which has connectivity to the PaaS workload.
 Managing and protecting cloud assets 68
Protecting PaaS assets

You can add existing credentials or create new credentials for the database:
■ To select an exiting credential for the account, select the Select from
existing credentials option, select the required credential from the table
below, and click Next.
■ To add a new credential for the account, select Add credentials, and click
Next. Enter a Credential name, Tag, and Description for the new
credential. Under Service credentials:
■ Select Role based database authentication (Applicable for supported
database service) to use AWS IAM, Azure System Managed and User
Managed authentication.
■ Select IAM database authentication (Applicable for Amazon RDS
only) for Amazon RDS assets only, and specify a Database user
name.
See “Creating an IAM database username” on page 69.

Note: If the Snapshot manager is deployed in-cloud with an attached

IAM role having the required permission. You must also deploy the
media server in same cloud environment and attach the same IAM
role. Otherwise, the backup jobs for the AWS assets fail.

■ Select Azure System Managed Identity authentication or Azure

User Managed Identity authentication as required. Enter the
username of the database, and click Next.
To perform backup and restore operations utilizing managed identity
authentication, you must configure AAD admin to the source and
target database servers.

Note: If the snapshot manager deployed in cloud with an attached

Managed Identity having the required permissions, attach the same
identity to the media server. For AKS and EKS deployments attach
the same Managed identity to the VM scale set.

■ Select Password authentication and specify the username and the

password for the database server. Click Next.

■ Add a role that you want to have access to the credential. To add new
permissions to a role:
■ Click Add.
■ Select a role.
 Managing and protecting cloud assets 69
Protecting PaaS assets

■ Select the credential permissions that you want the role to have.
■ Click Save.

4 Click Next to finish creating the credential.

For more information about credentials and how to edit or delete a credential, see
NetBackup Web UI Administrator’s Guide.

Creating an IAM database username

To create an IAM username:
1 Enable IAM DB authentication on the RDS DB instance.
2 Create Database user using master login (rds_iam
■ For MySQL create the username using master login (rds_iam):
■ mysql --protocol=tcp --host=instance_fqdn --user=admin -p --port=3306
■ CREATE USER iamuser IDENTIFIED WITH AWSAuthenticationPlugin
as 'RDS';
■ GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP,
RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW
DATABASES, LOCK TABLES, CREATE VIEW, SHOW VIEW, CREATE
ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON *.* TO
`iamuser`@'%' WITH GRANT OPTION;

■ For PostgreSQL create the user under server.

■ psql -h instance_fqdn -U postgres
■ CREATE USER iamuser WITH LOGIN;
■ GRANT rds_iam TO iamuser;
■ ALTER ROLE iamuser WITH LOGIN CREATEDB;
■ GRANT postgres TO iamuser;

3 Attach the RDS policy to the IAM role attached to the NetBackup media server.

Creating a system or user managed identity username

For Azure SQL Server and Managed Instance
Do any of the following configurations:
Configure managed identity user as AAD admin:
■ Set AAD admin on the SQL server or the Managed instance.
 Managing and protecting cloud assets 70
Protecting PaaS assets

■ Go to Settings > Azure Active Directory > Set admin. Search and set
system-assigned or user-assigned managed identity, and save.

Note: Only those media servers configured as system-assigned managed

identity as AAD admin can perform backup and restore.

Create managed identity user on the database using SSMS client:

■ To set AAD admin for SQL server to create user, go to Settings > Active Directory
admin > Set admin. Pick active directory the user, and save.
■ Login to the SQL database or Managed database to create user under that
database.

CREATE USER [<managed_identity>] FROM EXTERNAL PROVIDER;

ALTER ROLE db_owner ADD MEMBER [<managed_identity>];

■ Provide login permission for that user on the SQL Server, run

# CREATE USER [<managed_identity>] FROM EXTERNAL PROVIDER;

# ALTER ROLE loginmanager ADD MEMBER [<managed_identity>];

Note: You must create users for all media servers communicating with the
database using the system-assigned managed identity.

Note: To restore database, you must configure the managed identity user as
AAD admin on the target server.

For MySQL
■ To configure the AAD admin for MySQL server to create user, go to Settings >
Active Directory admin > Set admin. Pick the active directory user, and save.
■ Get the client ID for managed identity using Azure CLI, run

# az ad sp list --display-name <managed_identity> --query [*].appId

--out tsv

■ Generate access token to login, using Azure CLI, run:

# az account get-access-token --resource-type oss-rdbms

■ Login using the AAD admin user and access token, run:
 Managing and protecting cloud assets 71
Protecting PaaS assets

# mysql -h <server name> --user <user name>

--enable-cleartext-plugin --password=<token>

■ Create the manage identity user and grant the permissions, run:

# SET aad_auth_validate_oids_in_tenant = OFF;

# CREATE AADUSER '<db_user>' IDENTIFIED BY
'<Generated_client_id>';
# GRANT USAGE, DROP, SELECT, CREATE, SHOW VIEW, EVENT, LOCK
TABLES , ALTER, CREATE VIEW, INSERT, REFERENCES, ALTER ROUTINE,
PROCESS ON *.* TO '<db_user>'@'%'

For PostgreSQL
■ To configure the AAD admin for PostgreSQL server to create user, go to Settings
> Active Directory admin > Set admin. Pick the active directory user, and save.
■ Get client ID for the managed identity:

# az ad sp list --display-name <managed_identity> --query

[*].appId --out tsv

■ Generate the access token required to login, run:

# az account get-access-token --resource-type oss-rdbms

■ Export the password for the generated token, run:

# export PGPASSWORD=<token>

■ Login using the AAD admin user and the access token, run:

# psql “host=<host name> port=5432 dbname=<dbname> user=<user

name> sslmode=require”

■ Create user and grant permission, run:

# SET aad_auth_validate_oids_in_tenant = OFF;

# CREATE ROLE <db_user> WITH LOGIN PASSWORD '<client_id>' IN ROLE azure_a
# GRANT azure_pg_admin TO <db_user>;
# ALTER USER smipguser CREATEDB;
# ALTER USER smipguser Replication;
 Managing and protecting cloud assets 72
Protecting PaaS assets

Note: Only user managed identity is supported for MySQL Flexible Server. Managed
Identity support is not available for PostgreSQL Flexible Server.

Add protection to PaaS assets

After you discover the PaaS assets, you can add protection to them in the
Applications or PaaS tab in Cloud workload.
To add protection to PaaS assets
1 On the left, click Workloads > Cloud.
2 To protect AWS RDS supported database assets, click the Applications tab.
For other PaaS assets, click the PaaS tab.
3 Check if the asset that you want to protect has a credential.
See “View the credential name that is applied to a database” on page 67..
If the Credential name column is empty, you need to assign a credential to
the asset.
See “Add credentials to a database ” on page 67.
4 To add protection to an asset, select the asset and click Add protection.
An asset must have assigned credentials to be eligible for most operations.
For example, if you want to assign the asset to a protection plan or perform
backup now.
5 Select a protection plan and click Next.
6 Review the configuration settings and click Protect.

Perform backup now

Using this option you can create a one-time backup of the selected asset. This
backup does not affect any future, or scheduled backups.
 Managing and protecting cloud assets 73
Protecting PaaS assets

To perform backup now

1 On the left, click Workloads > Cloud.
To backup AWS RDS supported database assets, click the Applications tab.
For other PaaS assets, click the PaaS tab.

Note: You can see and protect the user-created databases. The system
databases are not shown and protected, as these databases need the cloud
provider's superuser privilege to perform backup and restore.

2 Select the asset, then click Add protection.

3 Select the required protection plan, then click Start backup.
You can view the status of the backup job in the Activity monitor.
The database agents access the database from within the media server
(container, in case of NetBackup deployed in AKS and EKS environments),
and perform NFS mount of the Universal share path on the media server
(backup host).

Note: For incremental backup of Azure SQL databases, NetBackup performs a full
backup even if the asset is protected by a protection plan with backup type a
differential incremental.
 Chapter 2
Recovering cloud assets
This chapter includes the following topics:

■ Recovering cloud assets

■ Perform rollback recovery of cloud assets

■ Recovering PaaS assets

Recovering cloud assets

You can restore AWS, Azure, Azure Stack and GCP VM assets from snapshot
copy, replica copy, backup copy, or duplicate copy.
While restoring VMs, NetBackup gives you the option to change certain parameters
of the original backup or snapshot copy. Including options like changing the VM
display name, changing power options of the VM, removing tag associations during
restore, and restoring to an alternate network. You can also restore VMs to an
alternate configuration, to a different zone, to a different subscription, and restore
VMs or disks to a different resource group.
■ For GCP: Select Firewall rule
■ For Azure: Select Network security group
■ For AWS: Select Security group

About the pre-recovery check for VMs

Pre-recovery check indicates how a restore may fail, before the restore is initiated.
The pre-recovery check verifies the following:
■ Usage of supported characters and the length in the display name.
■ Existence of destination network
■ Existence of selected Resource group for VMs and disks
 Recovering cloud assets 75
Recovering cloud assets

■ Existence of source VM snapshot (applicable for restore from snapshot)

■ Existence of the staging location added in the file
/cloudpoint/azurestack.conf (applicable for restore from backup for Azure
stack)
■ Existence of a VM with the same display name.
■ Connectivity with the Snapshot Manager and cloud credential validation.

Supported parameters for restoring cloud assets

The following table summarizes the different parameters that you can change while
restoring assets for different cloud providers.

Table 2-1 Supported parameters for Azure, Azure Stack, GCP, and AWS
snapshot and backup copies

Parameters Snapshot copy Backup copy

Azure Azure GCP Azure Azure GCP

Stack and Stack and
AWS AWS

Change VM Y Y Y Y Y Y
display name

Change power Y Y Y Y Y Y
state of the VM

Remove tag Y Y Y Y Y Y
associations

Restore to a Y Y Y Y Y Y
different
network

Subscription Y Y Y
ID

Change Y Y Y Y
resource
group

Change region Y Y Y
of the VM

Change Y Y
provider
configuration
 Recovering cloud assets 76
Recovering cloud assets

Table 2-1 Supported parameters for Azure, Azure Stack, GCP, and AWS
snapshot and backup copies (continued)

Change Y Y Y Y
resource
group for
disks

Zone Y Y Y Y

Security Y Y Y Y Y Y
group/Firewall
rule/Network
security group

Recovering virtual machines

To recover a VM
1 On the left, click Cloud.
2 Click the Virtual Machines tab.
All the discovered cloud assets for the respective category are displayed.
3 Double-click the protected asset that you want recover.
4 Click the Recovery points tab.
The available images are listed in rows with the backup timestamp for each
image. For AWS workloads you can see replica as well as backup images, if
available.
5 In the Copies column, click the copy that you want to recover. You can see
the backup, snapshot, and replica copy, if available. Click Recover. If you don't
select a copy to restore, the primary copy is selected.
6 Click Restore Virtual Machine.
7 In the Recovery target page, do the following:
If you restore a backup copy, modify the values of these parameters as required:
■ Configuration: To restore to an alternate configuration, select one from
the drop-down.
■ Region: To restore to an alternate region, select one from the drop-down.
■ Subscription: To restore to an alternate subscription, select one from the
drop-down. For Azure and Azure Stack only.
 Recovering cloud assets 77
Recovering cloud assets

■ Resource group: To restore to an alternate resource group, click the search

icon, in the Select resource group dialog, select the required resource
group. For Azure and Azure Stack only.
■ Display name: To change the display name, enter the new one in the field.
The specified display name is validated during the pre-recovery check.

Note: Except in AWS workloads, the following special characters are not
allowed in the display name: ` ~ ! @ # $ % ^ & * ( ) = + _ [ ] { } \\ | ; : ' \" , <
> / ?."

If you restore a snapshot copy, specify only the Resource group and the
Display name.
8 Click Next.
9 In the Recovery options page:
■ If you restore a backup copy, to restore to a different zone, select a Zone.
To select a network available in that zone, click the search icon near
Network configuration, and select a target network for recovery.
User can also select Security group / Network security group / Firewall
rule for AWS, Azure, and GCP cloud providers respectively.
■ (Only for GCP) If you restore a snapshot copy, to restore to a different
region, select a Region. To select a network available in that zone, click
the search icon in Network configuration, and select a target network for
recovery. The list shows networks available in that zone.
■ If you restore a snapshot copy, to restore to a different zone, select a Zone.
To select a network available in that zone, click the search icon in Network
configuration, and select a target network for recovery. The list shows
networks available in that zone.
User can also select Security group / Network security group / Firewall
rule for AWS, Azure, and GCP cloud providers respectively.

In the Advanced section:

■ To keep the VM powered on after recovery, select Power on after recovery.
■ To remove the tags associated with the asset at the time of backup or
creating snapshot, select Remove tag associations.
 Recovering cloud assets 78
Recovering cloud assets

Note: If you do not select the Remove tag associations option, any tag
value for assets should not have spaces, before and after a comma. After
the restoration of an asset, the spaces before and after any comma in the
tag values are removed. For example, the value for the tag
name:created_on: Fri, 02-Apr-2021 07:54:59 PM , EDT, is converted to:
Fri,02-Apr-2021 07:54:59 PM,EDT. You can manually edit the tag values
to reinstate the spaces.

Note: Selection of None for zone means VM will not be placed in any zone
and selection of None for Network security group/Security group/Firewall
rule means that no security rules are applied to the restored VM.

10 Click Next. The pre-recovery check begins. This stage validates all the recovery
parameters and displays errors, if any. You can fix the errors before starting
the recovery.
11 Click Start recovery.
The Restore activity tab shows the job progress.
For information on the recovery status codes, see the NetBackup administrator or
the NetBackup Status Codes Reference Guide, available here:
http://www.veritas.com/docs/000003214

Recovering applications and volumes to its original

location
For GCP, when you restore a snapshot that was created before the upgrade, if the
source disk is not present, a default restored disk, pd-standard is created.
To recover applications and volumes to the original location
1 On the left, click Cloud.
2 Click the Applications or Volumes tab.
All the discovered cloud assets for the respective category are displayed.
3 Double-click on the protected asset that you want recover.
4 Click the Recovery points tab. In the calendar view, click the date on which
the backup occurred.
The available images are listed in rows with the backup timestamp for each
image.
5 On the top right for the preferred recovery point, select Original location.
 Recovering cloud assets 79
Recovering cloud assets

6 Click Start recovery.

7 On the left, click Activity monitor to view the job status.

Recovering applications and volumes to an alternate

location
Considerations
■ For encrypted VM restore in AWS to an alternate location, the key-pair names
must be same on the source and destination region. If not, create a new key-pair
in the destination region that is consistent with the key-pair in the source region.
To recover applications and volumes to alternate location
1 On the left, click Cloud.
2 Click the Applications or Volumes tab.
All the discovered cloud assets for the respective category are displayed.
3 Double-click on the protected asset that you want recover.
4 Click the Recovery points tab. In the calendar view, click the date on which
the backup occurred.
The available images are listed in rows with the backup timestamp for each
image.
5 On the top right for the preferred recovery point, select Alternate location.
6 Select the location where you want to restore the cloud asset.
7 Click Start recovery.
8 On the left, click Activity monitor to view the job status.

Recovery scenarios for GCP VMs with read-only volumes

The following table describes how NetBackup handles the restore/recovery of GCP
VMs that have read-only volumes.

Table 2-2 Recovery scenarios for read-only GCP VMs

Scenario Handling

Restoring a volume from the During restore, the disk is attached in the read/write
snapshot of an attached read-only mode to the original or alternate location.
disk, from the Volumes tab under
Cloud workload.
 Recovering cloud assets 80
Perform rollback recovery of cloud assets

Table 2-2 Recovery scenarios for read-only GCP VMs (continued)

Scenario Handling

Restoring a VM, with a read-only
disk, from a crash-consistent
snapshot, from the Virtual
machines tab under Cloud
workloads.
During restore of such a VM to its original or alternate
location, a read-only disk is restored in a read/write
mode.

Restoring a VM with a read-only
disk, from an app-consistent
snapshot, from the Virtual
machine tab under Cloud
workload.
You can attach a read-only disk to multiple VMs, but
NetBackup discovers it under only one VM.
For a Windows VM, the snapshot fails with a VSS error,
similar to the following:
Failure: flexsnap.GenericError: Failed to take
snapshot (error: Failed to create VSS snapshot of
the selected volumes.)"

For a Linux VM, the snapshot may or may not be

successful for the VM under which the disk is
discovered, but fails for the rest of the VMs due to the
missing dependencies. Error example:

linear_flow.Flow: create snapshot (test-win) of host

linux-1(len=4)' requires ['snap_google-
gcepd-us-west 2-b-7534340043 132122994'] but no
other entity produces said requirements\n
MissingDependencies

In the above case, if a snapshot is successful for a Linux

VM, a read-only disk is restored in a read/write mode.

Perform rollback recovery of cloud assets

The rollback recovery of a cloud asset overwrites the existing data on the original
asset. Unlike virtual machine restore, rollback restore does not create a new copy
of the restored image, but replaces the existing data on the source.

Note: Snapshot replicas do not support rollback. Also, Azure Stack and GCP
workloads does not support rollback restore.
 Recovering cloud assets 81
Recovering PaaS assets

To perform rollback recovery of the cloud asset

1 On the left, click Cloud.
2 Click the Virtual Machines.
All the discovered cloud assets for the respective category are displayed.
3 Double-click on the protected asset you want to recover.
4 Click the Recovery points tab. The available images are listed in rows with
the backup timestamp for each image. In the Copies column, click the snapshot
that you want to recover. Click Recover> Rollback restore.
5 Click Start recovery. The existing data is overwritten.
6 On the left, click Activity monitor > Jobs to view the job status.

Recovering PaaS assets

PaaS assets are listed under the Cloud workload. You can restore AWS RDS
PostgreSQL, RDS MySQL, RDS MariaDB, RDS AuroraDB, and RDS SQL Server
assets from the Applications tab, and all other PaaS assets, from the PaaS tab.
Recovery flows for Azure assets are different based on whether they are NetBackup
protected or Azure protected.
From NetBackup 10.2, you can separately restore the data/schema and metadata
for MySQL database. You need superuser privileges for metadata restore and at
least one media server with a version 10.2 or later.

Note: For MySQL restore, if you do not have admin or root user privileges, then
you must have view permission, along with the restore permissions.

Before performing Instant access recovery ensure to add the key:

MEDIA_SERVER_POD_CIDR in the bp.conf file of the primary server. For NetBackup
deployed in AKS or EKS environment, set its value to the subnets of the media
server pod, as comma-separated values. For example:
MEDIA_SERVER_POD_CIDR=10.0.0.0/8, 10.0.0.0/16

Recovering non-RDS PaaS assets

You can restore the non-RDS PaaS assets from the PaaS tab, under Cloud
workload.
 Recovering cloud assets 82
Recovering PaaS assets

To restore non-RDS PaaS assets:

1 On the left, click Cloud, under Workloads, and click the PaaS tab. Click the
name of the asset that you want to recover.
2 Click the Recovery points tab, for Azure assets, additionally select NetBackup
managed.
The available recovery points are displayed in the table.
3 Click Recover in the row of the image that you want to recover.
4 In the Name field, the original name of the asset appears by default. You can
change the name in the field. You may not be able to change this name later.
5 (Optional) In the Target instance field, the source instance of the asset is
selected by default. To restore to an alternate instance, select the required
instance. Target instance is not available for DynamoDB assets.
6 (Optional, for MySQL databases only.) Select Restore metadata to restore
metadata such as views, triggers, store procedures, and so on.
7 (Optional, for MySQL databases only.) For the target instance credentials for
restore:
■ Select Use already associated credentials to use the credentials that are
already associated with the instance, and click Start recovery.
■ Select Use different credentials to use a different set of credentials, either
existing credentials or create a new one.
See “Add credentials to a database ” on page 67.
The validation host for validating these credentials must be the same as
the one used during backup. If the host used during backup is not available
during credential validation during restore, then validation fails.
(Optional) Select Make default credentials to set these credentials as
default credentials for the asset.

8 Click Start recovery.

The Restore activity tab shows you the status.

Recovering RDS-based PaaS asset

You can restore the RDS-based PaaS assets from the Applications tab, under
the Cloud workload.
 Recovering cloud assets 83
Recovering PaaS assets

To restore RDS-based PaaS assets:

1 On the left, click Cloud, under Workloads, and click the Applications tab.
Click the name of the asset that you want to recover.
2 Click the Recovery points tab, in the calendar, select the date for which you
want to see the recovery points.
The available recovery points are displayed on the right.
3 Click Recover in the row of the image that you want to recover.
4 Under Source databases, select the databases that you want to restore. Click
Add database, in the Add database dialog, select the required databases,
and click Select.
5 Enter a prefix to add to the restored databases, or use the default. This field
must have a value.
6 (Optional) In the Target instance field, the source instance of the asset is
selected by default. To restore to an alternate instance, select the required
instance.
7 (Optional, for MySQL databases only.) Select Restore metadata to restore
metadata such as views, triggers, store procedures, and so on.
8 (Optional, for MySQL databases only.) For the target instance credentials for
restore:
■ Select Use already associated credentials to use the credentials that are
already associated with the instance, and click Start recovery.
■ Select Use different credentials to use a different set of credentials, either
existing credentials or create a new one.
See “Add credentials to a database ” on page 67.
(Optional) Select Make default credentials to set these credentials as
default credentials for the asset.
■ Select a validation host to validate the provided credentials.

9 Click Start recovery.

The Restore activity tab shows you the status.
These two restore workflows implicitly create an instant access mount share against
the recovery point.
 Recovering cloud assets 84
Recovering PaaS assets

Recovering Azure protected assets

NetBackup lets you restore Azure SQL database and Azure SQL managed database
assets that are backed up by Microsoft Azure. The supported backup modes are
Point in time backup and Long-term retention backup.

Note: Restoration in Elastic pool in Instance pool is not supported.

Before proceeding make sure that you have the required permissions to restore
PaaS assets.
To recover point in time backup assets:
1 On the left, click Cloud.
2 Click the PaaS tab.
All the discovered PaaS assets are displayed.
3 Under Recovery points type, select Provider protected.
4 Click Restore in the row of the protected Azure SQL database and Azure SQL
managed database asset that you want to recover.
5 In the Recovery points tab, under Point in time backup, click Restore.
6 Select a date and time under Restore point (UTC). You can select any restore
point, between the earliest restore point, and the:
■ Latest backup time for online databases.
■ Database deletion time for deleted databases.
Microsoft Azure may round off the selected time to the nearest available
recovery point, using UTC time.
The default restore date and time displayed in web UI may differ based on the
selected PaaS asset. For example, for Azure SQL databases, the default
restore time is the current time, and for Azure SQL managed database, the
default restore time is 6 minutes earlier than the current time.
7 Optionally, for Azure SQL databases, enter a name for the restored database
in the Database name field. Database names cannot have special characters
like < > * % & : \ / and ? or control characters. Do not end the name with a
period or space. For more information about Azure resource naming rules, see
https://docs.microsoft.com/en-us/azure/azure-resource-manager
/management/resource-name-rules#microsoftsql
If you do not enter a name, NetBackup automatically assigns a name in the
<dbName>_<Restored time in UTC> format.
 Recovering cloud assets 85
Recovering PaaS assets

8 Optionally, for Azure SQL managed databases, enter the instance name in the
Managed instance field. By default, the instance name of the recovery point
is displayed. You can also search for the managed instance name using the
search option. You can restore to the same region to which your subscription
belongs.
If you cannot see the desired managed instance in the search results, perform
a manual discovery. Also, ensure that you have RBAC access to the managed
instance.
9 Click Next. Once the Pre-recovery check is complete, click Start recovery.
You can check the status of the job in the activity monitor.
To recover long-term retention backup assets:
1 On the left, click Cloud.
2 Click the PaaS tab.
All the discovered PaaS assets are displayed.
3 Click Restore in the row of the protected asset that you want recover.
4 In the Recovery points tab, under Long term retention backup, click Restore
against the image that you want to restore.
5 Optionally, for Azure SQL databases, enter a name for the restored database
in the Database name field. Database names cannot have special characters
like < > * %& : \ / and ? or control characters. Do not end the name with a period
or space. For more information about Azure resource naming rules, see
https://docs.microsoft.com/en-us/azure/azure-resource-manager
/management/resource-name-rules#microsoftsql
If you do not enter a name, NetBackup automatically assigns a name in the
restore_<dbName> format.
6 Optionally, for Azure SQL managed databases, enter the instance name in the
Managed instance field. By default, the instance name of the recovery point
is displayed. You can also search for the managed instance name using the
search option. You can restore to the same region to which your subscription
belongs.
7 Click Next. Once the Pre-recovery check is complete, click Start recovery.
You can check the status of the job in the activity monitor.

Note: Tags from portal as well as Snapshot Manager are not restored. However,
the "createdby: cloudpoint" tag is created while restoring through NetBackup.
 Recovering cloud assets 86
Recovering PaaS assets

Note: For provider protected recovery jobs, any intermittent failures keep the
recovery job running until the next schedule job cleanup runs.

Recovering duplicate images from AdvancedDisk

A 10.1 media server cannot initiate PaaS restores from a duplicated image, if the
image resides on an AdvancedDisk storage or an MSDP cloud storage. As a
workaround, you can perform the following steps:
Pre-requisite:
1. For AdvancedDisk the media server version associated with the MSDP server
must be 10.1 or above.
2. For MSDP cloud storage, media server version used for recovery must be
10.1.1.
3. Ensure that ushare is set up and configured on the MSDP server.
4. Create a universal share on this MSDP storage server. Ensure that you add
the corresponding media server hostname/IP in the export list of ushare.
To recover from AdvancedDisk, do the following:
1 Using the Catalog in web UI, manually duplicate the image to an MSDP storage.
See NetBackup WebUI Administrator's Guide for details.

Note: To duplicate from a second copy, click search again after selecting
duplicate option in catalog view.

2 Once the duplication job completes, ensure that the new recovery point is
visible for the given asset in web UI.
To start a restore job, See “Recovering PaaS assets” on page 81.
To restore using REST API, see section:
recovery/workloads/cloud/scenarios/asset/recover. Refer to NetBackup API
documentation.

Note: For RDS instance recovery, NetBackup does not display any error or warning
messages, if you initiate the restore from a backup image residing on AdvancedDisk
storage.
 Chapter 3
Performing granular
restore
This chapter includes the following topics:

■ About granular restore

■ Supported environment list

■ List of supported file systems

■ Before you begin

■ Limitations and considerations

■ Restoring files and folders from cloud virtual machines

■ Restoring volumes on cloud virtual machines

■ Troubleshooting

About granular restore

NetBackup enables you to perform a granular restore of files and folders on cloud
virtual machines. You can create snapshots, backup of snapshot and restore, at
the same time you can also locate and restore individual files and folders. You can
also restore volumes from virtual machines.
This process is known as granular restore in which each single file in the snapshot
or backup is considered as a granule or more commonly referred to as single file
restore. NetBackup makes an inventory of all the files within a snapshot or backup
using an indexing process. You can restore specific files from a snapshot only if
that snapshot has been indexed by NetBackup. You can also restore specific files
from a backup only if that backup has been indexed by NetBackup.
 Performing granular restore 88
Supported environment list

The following table helps you understand the flow of enabling granular restore of
volumes, files, and folders:

Table 3-1 Granular restore tasks

Task Description

Connect virtual machines Connect the virtual machines that you want
to use to perform granular restore.

Discover assets on virtual machine Use the Discover option.

Navigate to Cloud > Snapshot Managers >

Snapshot Manager > Actions > Discover.

Create protection plan Create a protection plan.

Ensure that the Enable granular recovery

for files or folders check box is selected in
the Backup options of the protection plan.

Subscribe discovered assets to the protection Add the assets on the VMs connected in the
plan previous step to the protection plan that has
the indexable attribute enabled granular
restore.

Execute protection plan Schedule backup job and indexing or use the
Backup now option. The backup job starts
immediately.

■ Restore file or folder Perform granular restore of a file, folder, or

■ Restore volumes volume.

Note: Restore volumes is not supported for

backup copy.

Supported environment list

The following table lists the supported versions.

Table 3-2 Supported versions

Application Version

NetBackup 10.2

NetBackup backup host OS RHEL 7.x and 8.x

 Performing granular restore 89
List of supported file systems

Table 3-2 Supported versions (continued)

Application Version

Snapshot Manager host OS ■ RHEL 7.x and later, RHEL 8.6

■ Ubuntu 18.04 LTS and 20.04 LTS
Note: The version of the OS (Ubuntu
20.04 LTS) listed on the UI is the version
of the container.

Cloud providers ■ Amazon Web Services

■ Microsoft Azure
■ Microsoft Azure Stack Hub
■ Google Cloud Platform

Snapshot Manager or agent instance type ■ Amazon AWS: t2.large/t3.large

■ Microsoft Azure: D2s_V3Standard
■ Microsoft Azure Stack Hub: DS2_v2
Standard, DS3_v2 Standard
■ Google Cloud Platform: n1.Standard2 and
larger

Snapshot Manager agent host to be protected ■ Linux OS: RHEL 7.x and RHEL 8.2, 8.4
and 8.5
■ Windows OS Version: 2012 R2, 2016,
2019 and 2022

List of supported file systems

The following table provides details about supported files systems.

Platform Discovered file system Partition layouts

RHEL (With consistent ■ ext3 ■ GPT

snapshot property) ■ ext4 ■ MBR
Note: For Google cloud ■ xfs ■ No layout (direct FS)
platform, if agent host is on
operating system version
RHEL 8.x, then Snapshot
Manager must be installed on
host having operating system
version RHEL 8.x.
 Performing granular restore 90
Before you begin

Platform Discovered file system Partition layouts

Windows (With consistent NTFS ■ GPT

snapshot property) ■ MBR

Note: Application consistent snapshot is not supported for ext2 file system version.

Note: GRT is allowed irrespective of destination file-system/partition type (FAT,

ReFS, LDM or LVM).

Before you begin

Ensure the following points are addressed before you perform granular restore.
Configured Snapshot Manager and VM to be protected with granular restore enabled
have the following requirements:
■ (Applicable only for snapshots)
■ (Microsoft Azure and Azure Stack Hub) Even if Snapshot Manager is not
deployed in the same subscription and region as the connected VM, but if
a backup schedule is configured as part of the protection plan, then granular
restore can be performed. For snapshot-only protection plan schedule, for
both Azure and Azure Stack Hub, you need to deploy the Snapshot Manager
host in the same subscription and region as the VMs.
■ Amazon AWS: The Snapshot Manager host and the connected VM must be
in the same account and region.
■ Google Cloud Platform: The Snapshot Manager host and the connected VM
must be in the same project.
■ The cloud plug-in must be configured to protect the assets in the region in
which the Snapshot Manager host is deployed.
■ If you want to restore volume to the same virtual machine and location, you
must detach existing volume and free the slot and then try to restore.

■ The host must be in a connected state and must have required supported
configuration.
■ The host must have the fsConsistent and indexable flags enabled when
connected. The indexable flag is applicable for a snapshot-only protection plan
schedule.
■ Protection plan must have the Enable Granular restore for files and folders
check box enabled.
 Performing granular restore 91
Before you begin

■ Apart from the boot disk and disk that is mounted on "/cloudpoint", no extra disk
should be attached to Snapshot Manager instance explicitly.
■ File systems on the host must be supported.
See “List of supported file systems” on page 89.
■ Configure port 5671 and 443 for open Snapshot Manager host.
■ For agentless restore, in Linux systems, configure the port 22 on the indexable
virtual machines. For Windows platform, configure the ports 135, 445 and the
dynamic/fixed WMI-IN port on the indexable virtual machines.
■ Ensure that the following points are addressed before you perform the single
file restore from backup of snapshot:
■ Supported NetBackup and Snapshot Manager version 10.2 onwards.
■ Granular restore will work only if backup image is restored from MSDP
storage server (version must be 10.2 onwards) with instant access enabled.
■ Target host agent must be upgraded to the latest version.
■ On Windows target host, administrator must have attach and detach policy
enabled for disks. For more information, refer to AttachVirtualDisk function.
■ (For Windows) To restore symlink, agent must be configured using the
required access.
■ Backup must be taken with Granular File and Restore option selected.
■ Target virtual machine must have access to MSDP storage server over the
access to NFS/SMB.
■ Windows target must have the following:
■ ( For restoring window image content with Restoring Access Control list)
Samba user credentials must be stored in windows credential manager
for a MSDP storage server (which is exporting the Instant access share):
On MSDP server, run the smbpasswd -a <username> command to
generate the Samba credentials.
Add DNS name or IP of MSDP server, with above username and
generated password to windows credential manager.
The smbpasswd command will fail if user is not present on MSDP server.
Hence first add user using the useradd <username> command and then
use the smbpasswd command.
■ (For restoring Linux image content) NFS client must be installed.
For more information on how to enable SMB/IA on MSDP, refer to the
NetBackup™ Deduplication Guide.
 Performing granular restore 92
Limitations and considerations

Verify the SMB configuration on MSDP server with the

/usr/openv/pdde/vpfs/bin/ia_byo_precheck.sh precheck script.

Limitations and considerations

Consider the following important points for granular restore.
■ After a restore job is completed, you cannot expand the directories in the File
List section of the restore job.
■ If adequate space is not available on the target location, the restore operation
fails before the copy operation begins.
■ In the activity monitor summary, when the restore job starts it shows the current
file which is the first entry in the restore items. After the job is complete, the
summary goes blank.
■ Bytes transferred and estimated bytes in activity monitor are not updated and
shown as 0.
■ The ephemeral storage devices are ignored when a snapshot is performed. (For
example, Amazon AWS instance store volumes and Microsoft Azure temporary
disks.) These devices are also ignored for indexing as well.
■ The file systems that are created on LDM disks are ignored when host consistent
snapshots are created and indexed.
■ Until old agent (pre-installed) service is not restarted, alternate host restore
(GRT and application) of LVM asset might fail. To support the recovery of LVM
assets, you need to restart the older agents.
■ Granular restore (GRT) or single file restore (SFR) can be performed with the
help of VxMS indexing. VxMS indexing is applicable for all Snapshot Manager
supported file systems. VxMS indexing can be performed for Azure, Azure Stack,
AWS cloud and GCP is performed on an existing mount-based indexing.
■ Host consistent snapshot is supported for EXT2 file system only if it is mounted
as read-only.
■ If any unsupported file systems are present on the host, the host can be added
to the protection plan that is created for granular restore. The protection plans
for granular restore have the Enable granular recovery for files or folders
check box value set to true.
■ Snapshot Manager communicates the number of index jobs that can be run to
NetBackup. NetBackup then throttles the requests. By default, the number of
index jobs is initialized to 2. Post discovery of Snapshot Manager host
capabilities, it is increased to number of disk slots available. However, you can
 Performing granular restore 93
Limitations and considerations

update the value for indexing max_jobs=<value> in flexsnap.conf file to override

this limit.
■ Snapshot Manager host limits the number of disk slots that the cloud providers
enforce. NetBackup throttles the indexing requests to Snapshot Manager. To
achieve this request, during Cloud Asset discovery process, NetBackup fetches
Snapshot Manager host capabilities. These capabilities include the Max no of
index jobs parameter. This parameter is used to limit the requests that are sent
to Snapshot Manager and index job queue in NetBackup. By default, the
maximum number of parallel indexing jobs is 2. But once the cloud plug-in is
configured which discovers the Snapshot Manager host, the capability API
fetches the number of max jobs based on attachment points and available
resources. You can set the limit by adding the indexing max_jobs=x entry in
the config file of the Snapshot Manager host. If the Snapshot Manager host
receives number of indexing requests more than its capability, the requests are
queued.
■ During indexing, OS errors can occur while crawling files, directories, or other
entries. These errors are ignored and the indexing operation continues. To
restore the missing files, you must initiate the granular restore operations on
the parent folder.
■ When you create or mount a disk from the Windows VM, add the drive letter.
This action ensures that the indexing operation can capture the correct drive
letter.
■ In some cases a mount point is not visible when you browse for add files or
folders in the recovery point. Consider the following reasons:
■ The "/" (root file system) is on an LVM, and
■ The mount point is not directly related to "/" (root file system).
In this scenario, search for the mount point from the right panel and then restore
the files or folders successfully.
For example, if a disk is mounted on /mnt1/mnt2 where /mnt1 is any directory
on the "/" (root FS which is on LVM setup) and mnt2 is a mount point inside
mnt1, the "mnt2" is not visible in the tree on the left panel. However, you can
search and restore files or folders inside mount point.
■ To restore files and folders from VM snapshot recovery points, the /etc/fstab
file on the Linux servers, must have entries based on the file system UUID,
instead of device paths. The device paths can change depending on the order
in which Linux discovers the devices during system boot.
■ While restoring application or file systems from one OS version to another OS
version, refer to the OS and application vendor’s compatibility matrix. Restore
of file system from higher version to lower version is not recommended.
 Performing granular restore 94
Limitations and considerations

■ A user group cannot restore a drive as source to an alternate folder as the

destination. A user group does not have the writer permission to create a new
folder.
■ The agentless connection cannot restore the encrypted file by Windows (or
EFS) through Granular File Level Restore (Restore files and folder option).
However you can restore the file through volume level restore and then decrypt
the file.
■ Files stored on volume mounted on folder (junction point) can be restored only
if underlying disk has GPT partition layout. If volume is mounted using drive
letter, then files can be restored irrespective of partition layout of the underlying
disk.
■ Consider the following limitations for single file restore from backup of snapshot:
■ If restoring files/folders when source host is Linux and target host is Windows,
then
■ File attributes cannot be restored on windows host and only the content
of the file is restored.
■ If there is any symlink in selected files/folders for restoration, then the
symlink will not be restored.

■ In case of Original Location Restore, available size check before copy is

skipped.
■ If restoring files/folders when source host is Linux and target host is Linux,
then socket and block files would not be restored.
■ Restoration of files and folders is not supported when they reside on LDM
disks/dynamic disks/storage spaces.
■ Live mount retained during partial restore success would be removed/expired
before retention period expiry, if media server or PureDisk Deduplication
Engine and Veritas Provisioning file system daemon service restarts.
■ If Media servers are not upgraded to 10.2, then master server on 10.2 will
be used to connect to NetBackup Snapshot Manager.
■ Junction point on windows after indexing is seen as format like Volume
{4e3f8396-490a-400a-8abf-5579cafd4c0f} in Add files. If junction point is
selected in Add files for single file restore from backup operation then select
Restore everything to a different location and enable the Require to
restore access control list in Advanced option.
 Performing granular restore 95
Restoring files and folders from cloud virtual machines

Restoring files and folders from cloud virtual

machines
You can restore a single file or folder from a cloud virtual machine.

Note: For Microsoft Azure, Google Cloud Platform, and Amazon AWS NetBackup
supports snapshot and recovery of cloud assets that are encrypted using the keys
that the manager provides.

To restore a file or folder

1 On the left, click Cloud.
2 Click on the Virtual machines tab.
3 Select the virtual machine where the application is hosted. On the top right,
click Connect.
4 After the VM is connected, on the top right, click Add protection.
5 Select a protection plan that is created for granular recovery of files and folders
and click Next.
6 Click Protect.
7 To execute the protection plan, click Backup now.
8 After a snapshot and the two indexing job or two backup from snapshot job for
the assets are complete, click the Recovery points tab.
9 For the preferred recovery point, select Restore files and folders from the
Action menu.
You can also restore files and folders for Snapshot and Backup type of copies
by clicking on Recover and then selecting Restore files and folders for specific
type of copy.
10 In the Add file step, click Add.
11 In the Add files and folders dialog box, select the files you want to restore
and click Add.
You can click the folders or drives on the left to expand and view the files in a
particular folder. You can search files based on their names or extensions.
12 Click Next.
13 In the Recovery target step, perform the following:
 Performing granular restore 96
Restoring files and folders from cloud virtual machines

Dialog box Snapshot copy Backup copy

Restore to Target VM - Select ■ Cloud provider - Select cloud

a VM. A list with all provider to where single file restore
connected VMs is to be performed.
having same ■ Configuration - To restore to an
operating systems alternate configuration, select one
as original target from the drop-down.
host is displayed. If ■ Region - To restore to an alternate
you do not select a region, select one from the
VM, the files are drop-down.
restored to the ■ (For Azure and Azure Stack only)
original VM. Subscription - To restore to an
alternate subscription, select one
from the drop-down.
■ Target VM - Select a VM. A list with
all connected/disconnected and
Linux/Windows VMs are displayed
for cross platform restore.

Restore target options ■ Restore everything to original location

■ Restore everything to a different location
You must then provide a directory location. You can also
enter a UNC path to the location.

Cross platform restore is supported for the following scenarios:

■ NetBackup and Snapshot Manager on one cloud, target host on another
cloud.
■ NetBackup and Snapshot Manager on one cloud, another Snapshot
Manager and target host on another cloud.
■ NetBackup and Snapshot Manager on one cloud, AIR (Auto Image
Replication) restore on another domain.

14 If Restore everything to original location option is selected, then click Next

and select the following preferred option in the Recovery options step:

Dialog box Snapshot copy Backup copy

Options ■ Append string to file names

In the String field, enter the string that you want use to
append. The string is appended before the last extension
of a file.
■ Allow overwrite of existing files
You must have appropriate permissions.
 Performing granular restore 97
Restoring files and folders from cloud virtual machines

Dialog box Snapshot copy Backup copy

Advanced options N/A ■ (Applicable only for Windows to

Windows restore) Require to
restore access control list -
Select the checkbox to restore
access control list which requires
additional operations.
■ Target host NAT gateway IP
address - Enter network address
translation gateway IP address, in
case the target VM is behind a
network gateway and is not directly
accessible.
Note: Only private IP or hostname
allowed.

15 If Restore everything to a different location option is selected, then provide

the Directory for restore and click Next.
16 In the Review step, view the selected options and click Start Recovery.
The restore job for the selected files is triggered. You can view the job details on
the Activity monitor. After the job is successful, you can see summary of restored
files in the job details.

Note: Permission on files are assigned based on uid/guid, during restore to

non-similar environments (where user/groups does not match). Restored files/folders
must have permission to non-intended users/groups on target host. Hence after
successful restore of required files, user must modify the access as per requirement.

Note the following:

When restoring hardlinks for single file restore from Snapshot or Backup (source
Linux VM to target Linux VM), ensure that you follow the following guidelines:
■ When selecting folders and files in Add files and folders dialog box, do not
select redundant entries. For example, selecting a folder and a file that exists
in the same folder, since the folder already has that file.
■ Even if redundant entries are selected, ensure that you do not select the Allow
overwrite of existing files option in Recovery option step. This will result in
failure of copying the hardlink file.
 Performing granular restore 98
Restoring volumes on cloud virtual machines

Restoring volumes on cloud virtual machines

You can restore one or more volumes on a virtual machine.
To restore a volume
1 On the left, click Cloud.
2 Click on the Virtual machines tab.
3 Select the virtual machine where the application is hosted.
4 After the VM is connected, on the top right, click Add protection.
5 Select a protection plan and click Next.
6 Click Protect.
7 To execute the protection plan, click Backup now.
8 To view the recovery points, click the Recovery points tab.
9 On the top right for the preferred recovery point, select Restore volumes.
You can also apply date filters to search across the recovery points.
10 In the Restore volumes dialog box, select one or more volumes.
11 From the Target VM list, select the VM on which you want to restore the
volumes.
In case of restore from a replicated (non-primary) VM, the restore to original
location is not supported. If you do not select a VM, the files are restored to
the original VM.
12 Click Restore.
The restore job for the selected volumes is triggered. You can view the job
details on the Activity monitor.

Troubleshooting
Troubleshooting snapshot restore process for Microsoft
Azure cloud
When you trigger a subsequent (twice) restore operation on the same VM, an error
occurs during restore operation. This error causes the following issues:
■ The tags from original OS disk are not copied to newly created restored OS
disk.
■ User login might fail after the VM restore due to ssh failure.
Workaround:
 Performing granular restore 99
Troubleshooting

Check if the ssh daemon is running on the system. If not, then perform the steps
that are mentioned in the
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/troubleshoot-ssh-connection
topic.

Filtering unsupported files and folders

If you try to restore files or folders from partition or file system that are not supported
by Snapshot Manager, then you get the following error in the restore job.
Error nbcs (pid=<processs id>) Failed to restore file(s) and folder(s)
from snapshot for asset <asset name>

Workaround:
If you want to avoid listing files or folder while browsing for single file restore, which
are not supported by Snapshot Manager, then enable CP DISKMAP check by
setting below flag in bp.conf file of NetBackup master server.
CP_DISKMAP_CHECK = true/yes

Backup from restore operation is partially successful

Backup from restore operation is partially successful when disk is full on the selected
target directory. Following messages are displayed:

Dec 29, 2022 2:57:51 PM - Info nbcs (pid=2244) Granular restore(SFR)

is completed
Dec 29, 2022 2:57:51 PM - Info nbcs (pid=2244) Summary of SFR
Operation - Success files/folders count: 0 ,
Failed files/folders count: 1 , Warning files/folders
count: 0, Skipped files/folders count: 0
Dec 29, 2022 2:57:51 PM - Info nbcs (pid=2244)
Detailed restore summary report is available on recovery target
host at location:
/var/log/flexsnap/restore/granular-restore-09b4d44d
.
.
Dec 29, 2022 2:57:51 PM - Warning bprd (pid=1977) Granular Restore
from backup completed with error.
Copy the files manually from live access mount:

ip-10-239-185-241:/mnt/vpfs_shares/vmfiles/8fcc/8fcc132b-a202-49a8-b654-81ff242a718a/livemount

Dec 29, 2022 2:57:51 PM - end Restore; elapsed time 0:01:51

the requested operation was partially successful(1)
 Performing granular restore 100
Troubleshooting

For backup from restore if live mount is created successfully then even though there
is other error reported apart from ASSET_NOT_FOUND, its considered as partial
success. If there is no network devices/filesystem mounted on target location and
disk is full then below messages can be seen in job details:

Jan 02, 2023 12:11:16 AM - Error nbcs (pid=13934)

187776K space required for file/folder restore while 20K is total available s

In this case other network devices/file system must have been mounted on the
target path, hence Snapshot Manager agent considers the free space on device/file
system. But once it tries to copy the file it fails with space error logged into summary
report. For example,

/var/log/flexsnap/restore/granular-restore-09b4d44d in above Job details log

Workaround:
■ Check the summary report on target host location. For example,

/var/log/flexsnap/restore/granular-restore-09b4d44d
[root@ip-10-239-187-148 granular-restore-09b4d44d]# cat root-error.log
Dec 29 09:27:44: ERROR - FILE: /disk1/dl380g9-149-vm15_package.zip
[Error 28] IOError: No space left on device

■ If the file copy operation failed due to disk space, then create some space and
copy the file from live mount.
The live mount path details can be found in the job details as follows:

Dec 29, 2022 2:57:51 PM - Warning bprd (pid=1977) Granular Restore from bac
Copy the files manually from live access mount:
ip-10-239-185-241:/mnt/vpfs_shares/vmfiles/8fcc/8fcc132b-a202-49a8-b654-81f

Partial recovery is observed when user selects a

disconnected target virtual machine
Partial recovery could be due to the following reasons:
■ If the target virtual machine is disconnected (no connectivity through agent).
■ If any failure is seen while copying files/folders on target virtual machine.
■ When a window virtual machine content is restored on Linux target virtual
machine.
In such partial recovery cases, the created instance access will not be deleted and
will be available for next 24 hours.
 Performing granular restore 101
Troubleshooting

The instance access retention interval is configurable by setting

CLOUD_VM_IA_RETENTION_INTERVAL_IN_HOURS key in bp.conf file. (Default
value is 24hrs).
Workaround:
User can perform manual steps to access the Instant access share on target host
and then manfully copy the required files/folders.
(Copy files over NFS) To restore Linux image content on Linux host:
■ To mount an NFS share on a Linux system, install the NFS client package using
the following command:
$ sudo yum install nfs-utils

■ Using the following mount command, mount the Instant access on target Linux
host:

# Create a directory say /mnt/restore

$ mkdir -p /mnt/restore

# Mount the instant access

$ mount -t nfs <InstantAccessServer:InstantAccessPath> /mnt/restore

■ Instant access path can be retrieved from activity manager logs which is in the
following format:
<InstantAccessServer>:/mnt/vpfs_shares/vmfiles/<id>/<InstantAccessId>/livemount

(SMB access) To restore Windows image contents (with ACL) on Windows

target host:
■ SMB credentials of MSDP storage server of source virtual machine image must
be added to the Windows credential manager.
■ Use the given live mount to access virtual hard disks by navigating to Activity
Monitor > Job details.
The virtual hard disks are listed under the folder with vhd_ as the prefix.
■ On the Disk Management dialog box under the Action tab, attach the required
virtual hard disk and click on OK.
■ On the Add Drive Letter or Path dialog box, select Assign the following drive
letter option to assign the letter to Virtual Disk to browse data and click on OK.
■ Navigate to the assigned drive in the above step and copy the data manually.
(Live mount) To restore windows image contents on Linux target host:
 Performing granular restore 102
Troubleshooting

■ Linux must have the cifs package. Obtain the packages using the # yum install
cifs-utils command.

■ Create the mount directory using the # mkdir <my_mount_dir> command.

■ Mount exported path using Samba username and password as follows:
mount -t cifs -o username=<sambauser>
//<InstantAccessServer>/<InstantAccessPath> <my_mount_dir>

■ Copy the files using the following command:

# cp <my_mount_dir>/<file_path> <target_dir_path>

Issues with single file restore from backup of snapshot

Issue/Error Description Workaround

Log path to For information related to restore To resolve the failures or

check details on target host, check the exceptions occurred during single
following logs: file restore on Snapshot Manager,
refer to the following logs on
■ path/file:
Snapshot Manager host:
/tmp/flexsnap-agentless-onhost.log
■ /var/log/flexsnap/restore/granular-restore-* /cloudpoint/logs/flexsnap.log

Pre-recovery When restoring files and folders to Ensure that the target virtual
check fails disconnected target virtual machine, machine is in connected state
the pre-recovery check fails with the with agent configured for
following error: successful restore.

Target VM state: Target VM

<vm_name> has no agent
configured

If recovery is started, restore operation

would be partially successful.
 Performing granular restore 103
Troubleshooting

Issue/Error Description Workaround

Partial recovery When restoring files and folders from
for source Linux source Linux VM to target Windows VM
VM to target without installing NFS client on
Windows VM Windows target machine, then the
(no NFS client) recovery is partially successful with the
following error displayed:
Install NFS client on window
target machine before you
perform restore from Linux VM to
Windows VM.

Error nbcs (pid=42513)

Invalid operation for asset:
<asset_id> Warning bprd
(pid=42045) Granular Restore
from backup completed with
error. Copy the files
manually from live access
mount: <livemount_path>. Note
that live access mount is
available only for 24 hrs.

Restore job fails Restore job fails with the following error Select a different target VM.
for deleted when restoring files and folders on
target VM target VM which is deleted from cloud
environment:

Error nbcs (pid=44859) Target

VM not found, asset_id
<asset_id>

Create Instant Creation of Instant access fails during Verify if Instant access is
access fails restore job if Instant access is not supported on MSDP media server
enabled on MSDP storage server. by using the following pre-check
script:

/usr/openv/pdde/vpfs/bin/ia_byo_precheck.sh

Target VM does If the number of volumes containing the Restore files and folders from less
not have free selected files are more than the number number of volumes.
drives to attach of free available drives on target host
Virtual Disk then the operation fails.

Not enough If media server where MSDP is Disable FIPS on the media server
space: configured has FIPS enabled. where MSDP is installed or add
'*\\driverMapping.json domain user samba credentials
to target VM.
 Performing granular restore 104
Troubleshooting

Issue with Azure cloud provider VM's

If one of VM's disks is not initialized, downloading or restoring VM files using Instant
access fails with the following error:

Jan 24, 2023 11:58:47 AM - Error NBWMC (pid=3716) Internal Error:

('failed to find operation system information, please check the source
VM', ('Failed to expose
VMDK', 1006), None)
Failed to create the instant access mount.
(4001)

Libguestfs is a third party tool used by Instant access to retrieve files from VM
backup. If a disk is not initialized, libguestfs will not be able to handle it.
Workaround:
Initialize the disk, backup the VM and try to download or restore VM files using
Instant access again.
 Chapter 4
Troubleshooting protection
and recovery of cloud
assets
This chapter includes the following topics:

■ Troubleshoot cloud workload protection issues

■ Troubleshoot PaaS workload protection and recovery issues

Troubleshoot cloud workload protection issues

Review the following log files to troubleshoot any issues with protection of cloud
assets:
■ Log files for configuration
■ Log files for snapshot creation
■ Log files for restore operations
■ Log files for snapshot deletion
During troubleshooting, ensure that you have also reviewed the limitations. See
“Limitations and considerations” on page 10.
For troubleshooting issues, see the NetBackup Status Codes Reference Guide.
To view the Snapshot Manager log files, see the Snapshot Manager logs topic in
the NetBackup Snapshot Manager Install and Upgrade Guide.

Log files for configuration

Use the following logs to troubleshoot cloud configuration issues.
 Troubleshooting protection and recovery of cloud assets 106
Troubleshoot cloud workload protection issues

Table 4-1 Log files for configuration

Process Logs

tpconfig Windows
tpconfig command is one way for registering NetBackup install path/volmgr/debug/tpcommand
Snapshot Manager in NetBackup.
UNIX

/usr/openv/volmgr/debug/tpcommand

nbwebservice Windows

Plug-ins are configured using NetBackup REST NetBackup install path/webserver/logs

API.
UNIX

/usr/openv/wmc/webserver/logs

/usr/openv/logs/nbwebservices

nbemm Windows

nbemm stores the Snapshot Manager and plug-in NetBackup install path/path/logs/nbemm
information in EMM database.
UNIX

/usr/openv/logs/nbemm

Log files for asset discovery

Use the following logs to troubleshoot asset discovery issues.

Table 4-2 Log files for asset discovery

Process Logs

ncfnbcs Windows

Verifies if discovery was completed or not. NetBackup install path/bin/vxlogview –o 366

UNIX

/usr/openv/netbackup/bin/vxlogview -o 366

Picloud Windows

Provides the details of discovery operation. NetBackup install path/bin/vxlogview –i 497

UNIX

/usr/openv/netbackup/bin/vxlogview -i 497
 Troubleshooting protection and recovery of cloud assets 107
Troubleshoot cloud workload protection issues

Table 4-2 Log files for asset discovery (continued)

Process Logs

nbwebservice Windows

To get details about the asset database NetBackup install path/webserver/logs

workflows that are part of the discovery operation.
UNIX
Note: Refer to the same log files for details of
/usr/openv/wmc/webserver/logs
assets that are added to protection plan.
/usr/openv/logs/nbwebservices

Log files for snapshot creation

Use the following logs to troubleshoot snapshot creation issues.

Table 4-3 Log files for snapshot creation

Process Logs

nbpem Windows

nbpem PID for given job is available in the NetBackup install path/bin/vxlogview –o 116
NetBackup activity monitor.
UNIX

/usr/openv/netbackup/bin/vxlogview -o 116

nbjm Windows

nbjm PID for given job is available in the NetBackup install path/bin/vxlogview –o 117
NetBackup activity monitor.
UNIX

/usr/openv/netbackup/bin/vxlogview -o 117

nbcs Windows

nbcs PID for given job is available in the NetBackup install path/bin/vxlogview –i 366 -P
NetBackup activity monitor. nbcs_process_id

UNIX

/usr/openv/netbackup/bin/vxlogview -i 366 -P
nbcs_process_id

The nbcs logs are available at the following location:

Windows

NetBackup install path/logs/ncfnbcs

UNIX

/usr/openv/logs/ncfnbcs
 Troubleshooting protection and recovery of cloud assets 108
Troubleshoot cloud workload protection issues

Table 4-3 Log files for snapshot creation (continued)

Process Logs

nbrb Windows

nbrb is requested to provide a media server for NetBackup install path/bin/vxlogview –o 118
a given job. For Cloud, a particular media server
UNIX
is picked up from the associated list of media
servers for a Snapshot Manager. /usr/openv/netbackup/bin/vxlogview -i 118

Log files for restore operations

Use the following logs to troubleshoot restore issues.

Table 4-4
Process Logs

nbwebservice Windows

The snapshot restore operation is triggered by NetBackup install path/webserver/logs

NetBackup REST API.
UNIX

/usr/openv/wmc/webserver/logs

/usr/openv/logs/nbwebservices

bprd Windows

The NetBackup REST API communicates with NetBackup install path/netbackup/logs

bprd to initiate restore.
UNIX

/usr/openv/netbackup/logs/bprd

ncfnbcs Windows

nbcs PID for given job is available in the NetBackup install path/bin/vxlogview –i 366 -P
NetBackup activity monitor. nbcs_process_id

UNIX

/usr/openv/netbackup/bin/vxlogview -i 366 -P
nbcs_process_id

Log files for snapshot deletion

Use the following logs to troubleshoot snapshot deletion issues.
 Troubleshooting protection and recovery of cloud assets 109
Troubleshoot PaaS workload protection and recovery issues

Table 4-5 Log files for snapshot deletion

Process Logs

bpdm Windows
The snapshot delete or clean-up operation is NetBackup install path/netbackup/logs
triggered by bpdm.
UNIX

/usr/openv/netbackup/logs/bpdm

ncfnbcs Windows

nbcs PID for given job is available in the NetBackup install path/bin/vxlogview –i 366 -P
NetBackup activity monitor. nbcs_process_id

UNIX

/usr/openv/netbackup/bin/vxlogview -i 366 -P
nbcs_process_id

Pre-recovery check fails with access denied error during

alternate location restore
When attempting to perform recovery of a VM from a backup image copy, if you do
not have the required privileges assigned to your role to perform alternate location
restore, you encounter the error during the pre-recovery check operation.
This may happen when you have privilege to perform only original location recovery,
and you are trying to do alternate location recovery.
Workaround
■ While doing original location restore, do not change any pre-populated fields in
the pre-recovery page.
■ If you want to perform alternate location recovery, ensure that you have the
required privileges.

Troubleshoot PaaS workload protection and

recovery issues
Backup fails with error: 3808 Cannot check if the database
exists.
You can see the following message in the Activity Monitor:
AuthorizationFailed -Message: The client '<clientId> '<objetId>' does not have
authorization to perform action 'Microsoft.Sql/servers/databases/read' over scope
 Troubleshooting protection and recovery of cloud assets 110
Troubleshoot PaaS workload protection and recovery issues

'<resoourceId>' or the scope is invalid. If access was recently granted, please

refresh your credentials.
Explanation: This error occurs, when the Snapshot Manager and NetBackup are
deployed in AKS, and:
■ The media server pod node pool is a different node pool from the Snapshot
Manager node pool
■ Managed Identity is enabled in the Snapshot Manager Virtual Machine Scale
set
Workaround: Do any of the following:
■ In the media server that you are using for backup and restore, enable Managed
Identity on the Scale set. Also, assign required permission in the role attached
to this managed identity.
■ Create a storage unit on the MSDP server, and use only those media servers
that has Managed Identity enabled on Scale configuration.

Backup fails when the database or the resource group has

Read-only lock applied, and partially successful when
Delete lock is applied.
Explanation: This issue occurs if the Read-only lock or Delete lock attribute is
applied to the database or the resource group.
Workaround: Before performing any backup or restore, remove any existing
Read-only lock and Delete lock attributes from the database or the resource group.

Status Code 150: Termination requested by administrator

Explanation: This appears when you manually cancel a backup or a restore job
from the activity monitor and a database is created on the portal during the partial
restore operation.
Workaround:Manually clean up the database on the provider portal, and temporary
staging location at the universal share mount location under specific directory
created by database name.

Stale status messages in Activity monitor

Explanation: If the Snapshot Manager container service restarts abruptly; the
provider protected restore jobs may remain in the active state and you may not see
the updated status on the activity monitor details page.
Workaround: Restart the workflow containers using the following command in the
Snapshot Manager:
 Troubleshooting protection and recovery of cloud assets 111
Troubleshoot PaaS workload protection and recovery issues

docker restart flexsnap-workflow-system-0-min

flexsnap-workflow-general-0-min

After restarting the containers, the restore jobs are updated with the latest status
in the activity monitor.

Status Code 233: Premature eof encountered

Explanation: Appears if the client name used for backup exceeds the length of
255 characters.
The bpdbm logs confirms the same by displaying the following error message:
db_error_add_to_file: Length of client is too long. Got 278, but
limit is 255. read_next_image: db_IMAGEreceive() failed: text exceeded
allowed length (225)

Note: This is observed when the primary server is RHEL.

Workaround:Rename the database such that the client name fits within the length
of 255 characters.

Error: Broken pipe (32), premature end of file encountered

EXITING with status 42, network read failed
Explanation:Occurs during backup if the client name used is big in length, due to
this the file path length of catalog image exceeds 256 chars and fails with the above
error message in activity monitor.
The bpdbm logs confirms the same by displaying the following error message:
<16> db_error_add_to_file: cannot stat(\\?\C:\Program Files\Veritas
\NetBackup\db\images \azure-midb-1afb87487dc04ddc8fafe453dccb7ca3+
nbux-qa-bidi-rg+eastus+az-sql-mi-bidinet01+
testdb_bidinet02\1656000000\tmp\catstore\
BACKUPNOW+141a73e7-cdc4-4371-823a-f170447dba2d_
1656349831_FULL.f_imgUserGroupNames0): No such file or directory (2)
<16> ImageReadFilesFile::get_file_size: cannot stat(\\?\C:\Program
Files\Veritas\NetBackup\db
\images\azure-midb-1afb87487dc04ddc8fafe453d
ccb7ca3+nbux-qa-bidi-rg+eastus+az-sql-mi-bidinet01+testdb_
bidinet02\1656000000\tmp\catstore\BACKUPNOW+141a73e7-cdc4-4371
-823a-f170447dba2d_1656349831_FULL.f_imgUserGroupNames0): No such
file or directory (2) <16> ImageReadFilesFile::executeQuery: Cannot
copy \\?\C:\Program
Files\Veritas\NetBackup\db\images\azure-midb-1afb87487dc04ddc8fafe453dccb7
 Troubleshooting protection and recovery of cloud assets 112
Troubleshoot PaaS workload protection and recovery issues

ca3+nbux-qa-bidi-rg+eastus+az-sql-mi-bidinet01+testdb_bidinet02\1
656000000\tmp\catstore\BACKUPNOW+141a73e7-cdc4-4371-823a-f170447d
ba2d_1656349831_FULL.f_imgUserGroupNames0

Note: This is observed when the primary server is Windows.

Workaround: Rename the database such that the file path length fits within the
length of 256 characters.

Status Code 3801: Cannot complete the requested

operation.
Explanation:NetBackup is not able to successfully carry out the requested operation.
Recommended action: Please refer to the activity monitor details for possible
reason of failure.

Status Code 3817: Cannot complete the pre-backup

operation
Explanation: The error message seen in dbagentsutil logs as,pg_dump: error:
query failed: ERROR: permission denied for table test;pg_dump: error:
query was: LOCK TABLE public.test IN ACCESS SHARE MODE;Invoked
operation: PRE_BACKUP failed

Occurs when you try to backup a database which has multiple tables with different
roles. If tables have at least one different owner, other than the database owner,
and it is not a member the database owner role, then the backup may fail.
Recommended action: You must have a role that has access to all tables inside
the database which you want to backup or restore.
For example, say that we wanted to backup the School database which has two
tables.
■ student, owner is postgres

■ teacher, owner is schooladmin

Create a new role. Say, NBUbackupadmin

Run the following command to create the role:
postgres=> CREATE USER NBUbackupadmin WITH PASSWORD '***********';

CREATE ROLE

To make this new role a member of postgres and schooladmin role, run:
postgres=> GRANT postgres TO NBUbackupadmin;
 Troubleshooting protection and recovery of cloud assets 113
Troubleshoot PaaS workload protection and recovery issues

GRANT ROLE

postgres=> GRANT schooladmin TO NBUbackupadmin;

GRANT ROLE

Note: You must have a role who is either owner or member of the owner of the
table, for all tables inside database.

Backup fails with Status 40 (Network connection broken)

Explanation: Backups fail due to loss of connectivity to the media server.
Recommended action: You can restart the backup job if the policy has checkpoints
enabled. Once the network issue is resolved, select the incomplete backup job in
web UI and click Resume. The job resumes from the point it was stopped. If
checkpoint is not enabled in the policy, the job shows up as a failed job in the web
UI.

Backup job fails with the error: "Failed to backup

database"
Explanation: The Job details contain additional details: ManagedIdentityCredential
authentication unavailable. The requested identity is not assigned to this resource.
The allocated media server doesn't have any Managed Identity attached to it.
Recommended action: If you use system or user managed identity for the PaaS
Azure SQL and Managed Instances, apply the same set of permissions/rules to
the media server(s) and the snapshot manager. If you use user managed identity,
attach the same user managed identity to the media server(s) and the snapshot
manager.

Error code 3842 - The requested backup type for the

corresponding PaaS asset is unsupported.
Differential incremental backup is supported for only for Azure SQL server. When
you select an unsupported backup type, this error appears.

Error code 3843 or 3844 - Failed to disable CDC.

Appears when you do not have permissions to enable or disable CDC.
Explanation: Give NetBackup the necessary permissions to enable or disable CDC
in your Azure environment.

Note: Do not enable CDC manually. Provide the permissions to NetBackup for
enable or disable CDC.
 Troubleshooting protection and recovery of cloud assets 114
Troubleshoot PaaS workload protection and recovery issues

Error: Client restore EXIT STATUS 5: the restore failed to

recover the requested files Cloud policy restore error
(2824)
Error: ERR - Failed to restore database [<db_name>] with
name [<db_name>]. ERR - Failed to open file ''. Errno = 12:
client restore EXIT STATUS 5: the restore failed to recover
the requested files
Explanation: Occurs during restore if the backup image is generated on 10.2 media
and restore goes to an older (< 10.2) media server.
Workaround: Change the restore media to 10.2 and remove the older media from
storage.