Back up and restore data across Alibaba Cloud accounts - Cloud Backup

Cloud Backup allows you to back up and restore resources across Alibaba Cloud accounts. This allows you to use centralized and unified policies for disaster recovery and compliance audit. This topic describes how to use an Alibaba Cloud account (Account A) to back up and restore the resources of another Alibaba Cloud account (Account B). To do this, you must create a Resource Access Management (RAM) role within Account B and authorize the service-linked role AliyunServiceRoleForHbrCrossAccountBackup of Account A to assume the RAM role to access the resources of Account B.

Background information

In a typical landing zone architecture, an enterprise has multiple Alibaba Cloud accounts for different departments, and the development or test environment needs to be isolated. However, the enterprise requires centralized and unified policies for disaster recovery and compliance audit.

For example, an enterprise has two Alibaba Cloud accounts: Account A for the production environment and Account B for the test environment. The enterprise needs to back up the resources of Account A and Account B in a unified manner, restore the data of Account A to Account B for development and testing, and restore the data of Account B to Account A for version updates. In this case, the enterprise can select Account A or Account B as the backup account, or create a backup account (Account C). After the required permissions are granted to the backup account, the backup account can back up and restore the data of Account A and Account B.

Limits

Important

The cross-account backup feature can be used in the following scenarios: Elastic Compute Service (ECS) instance backup, ECS file backup, File Storage NAS (NAS) backup, Object Storage Service (OSS) backup, Tablestore backup, ECS database backup, and SAP HANA backup. You can back up ECS instances across Alibaba Cloud accounts. However, after an ECS instance is backed up, you can restore the instance only to the source Alibaba Cloud account. For more information about the supported scenarios, see the Cloud Backup console.
For more information about the regions that support cross-account backup, see Features available in each region.

How authorization works

The following steps show how to authorize Account A to back up the resources of Account B.

Account A creates the AliyunServiceRoleForHbrCrossAccountBackup service-linked role. Cloud Backup uses the role to assume the RAM role of Account B to back up data.

Account B creates a RAM role named hbrcrossrole and then performs the following steps:

Grant precise permissions to the RAM role: Attach the system policy AliyunHBRRolePolicy to the RAM role hbrcrossrole. This policy grants the permissions to access the resources of Account B. The following script shows the content of the policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "nas:DescribeFileSystems",
        "nas:CreateMountTargetSpecial",
        "nas:DeleteMountTargetSpecial",
        "nas:DescribeMountTargets",
        "nas:DescribeAccessGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:RunCommand",
        "ecs:CreateCommand",
        "ecs:InvokeCommand",
        "ecs:DeleteCommand",
        "ecs:DescribeCommands",
        "ecs:StopInvocation",
        "ecs:DescribeInvocationResults",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeInvocations",
        "ecs:CreateSnapshotGroup",
        "ecs:DescribeSnapshotGroups",
        "ecs:DeleteSnapshotGroup",
        "ecs:CopySnapshot"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "bssapi:QueryAvailableInstances",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:AttachInstanceRamRole",
        "ecs:DetachInstanceRamRole"
      ],
      "Resource": [
        "acs:ecs:*:*:instance/*",
        "acs:ram:*:*:role/aliyunecsaccessinghbrrole"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:PassRole",
        "ram:GetRole",
        "ram:GetPolicy",
        "ram:ListPoliciesForRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "hcs-sgw:DescribeGateways"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketInventory",
        "oss:ListObjects",
        "oss:HeadBucket",
        "oss:GetBucket",
        "oss:GetBucketAcl",
        "oss:GetBucketLocation",
        "oss:GetBucketInfo",
        "oss:PutObject",
        "oss:CopyObject",
        "oss:GetObject",
        "oss:AppendObject",
        "oss:GetObjectMeta",
        "oss:PutObjectACL",
        "oss:GetObjectACL",
        "oss:PutObjectTagging",
        "oss:GetObjectTagging",
        "oss:InitiateMultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ots:ListInstance",
        "ots:GetInstance",
        "ots:ListTable",
        "ots:CreateTable",
        "ots:UpdateTable",
        "ots:DescribeTable",
        "ots:BatchWriteRow",
        "ots:CreateTunnel",
        "ots:DeleteTunnel",
        "ots:ListTunnel",
        "ots:DescribeTunnel",
        "ots:ConsumeTunnel",
        "ots:GetRange",
        "ots:ListStream",
        "ots:DescribeStream",
        "ots:CreateIndex",
        "ots:CreateSearchIndex",
        "ots:DescribeSearchIndex",
        "ots:ListSearchIndex"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cms:QueryMetricList"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeImages",
        "ecs:CreateImage",
        "ecs:DeleteImage",
        "ecs:DescribeSnapshots",
        "ecs:CreateSnapshot",
        "ecs:DeleteSnapshot",
        "ecs:DescribeSnapshotLinks",
        "ecs:DescribeAvailableResource",
        "ecs:ModifyInstanceAttribute",
        "ecs:CreateInstance",
        "ecs:DeleteInstance",
        "ecs:AllocatePublicIpAddress",
        "ecs:CreateDisk",
        "ecs:DescribeDisks",
        "ecs:AttachDisk",
        "ecs:DetachDisk",
        "ecs:DeleteDisk",
        "ecs:ResetDisk",
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:ReplaceSystemDisk",
        "ecs:ModifyResourceMeta"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:ListKeys",
        "kms:ListAliases"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Modify the trust policy: Allow only the service-linked role AliyunServiceRoleForHbrCrossAccountBackup of Account A to assume the RAM role of Account B to access the resources of Account B.

Log on to the Cloud Backup console with Account A and add Account B as the backup account. Set the Role Name parameter to hbrcrossrole, which is authorized to access the resources of Account B.
In the Cloud Backup console, switch the logon account from Account A to Account B. Then, you can use Account A to back up and restore the resources of Account B.

The following table describes the operations that Account A and Account B can perform when you use Account A to back up and restore the resources of Account B.

Resources of Account B	Operations that can be performed by Account A (backup management account)	Operations that can be performed by Account B (owner of the resources to be backed up)
ECS instances	View the ECS instances to be backed up for Account B Manage backup policies created for ECS instances Configure backup policies for the ECS instances of Account A and run a backup job Manage ECS backup points and run a restore job	View the ECS instances to be backed up View or use the snapshots created by ECS instance backup in the ECS console
Other types of resources	View the resources to be backed up for Account B Manage backup plans and backup policies Run a backup job or restore job for the resources of Account B	View the resources to be backed up

Billing

You are not charged for using the cross-account backup feature of Cloud Backup. However, Account A that is used to back up and restore data pays for the backup and restoration fees. In ECS instance backup, Account B pays for the snapshot service fees and OSS request fees. For more information, see Billing methods and billable items.

The following table describes the billable items of Account A and Account B that are charged when you use Account A to back up and restore the resources of Account B.

Resources of Account B	Billable items of Account A (backup management account)	Billable items of Account B (owner of the resources to be backed up)
ECS instances	Cloud Backup clients for ECS instance backup	Storage usage of ECS snapshots Cross-region replication traffic that is generated when cross-region replication is enabled and storage usage of ECS snapshots that are replicated to the destination region
ECS files	Cloud Backup clients for file backup Storage usage of backup vaults Storage usage of mirror vaults and cross-region replication traffic that is generated when cross-region replication is enabled	/
NAS	Storage usage of backup vaults Storage usage of mirror vaults and cross-region replication traffic that is generated when cross-region replication is enabled	Read and write traffic generated by Cloud Backup when you access Infrequent Access (IA) data in a NAS file system
OSS	Storage usage of backup vaults Storage usage of mirror vaults and cross-region replication traffic that is generated when cross-region replication is enabled	HTTP requests that are sent to OSS
Tablestore	Storage usage of backup vaults Storage usage of mirror vaults and cross-region replication traffic that is generated when cross-region replication is enabled	/
ECS-hosted databases	Rental of database backup vaults Storage usage of database backup vaults	/
SAP HANA	Cloud Backup clients for SAP HANA instance backup Storage usage of backup vaults Storage usage of mirror vaults and cross-region replication traffic that is generated when cross-region replication is enabled	/

Step 1: Assign the AliyunServiceRoleForHbrCrossAccountBackup service-linked role to Account A

To use Account A for cross-account backup and restoration, you must assign the AliyunServiceRoleForHbrCrossAccountBackup service-linked role to Account A.

Role name: AliyunServiceRoleForHbrCrossAccountBackup
Policy: AliyunServiceRolePolicyForHbrCrossAccountBackup
Permission description: The policy allows Cloud Backup to access the resources of other authorized accounts for cross-account backup and restoration.

Important

This operation is required only when you use the cross-account backup feature for the first time.

Log on to the Cloud Backup console with Account A.
In the left-side navigation pane, choose Backup > Cross-Account Backup.
In the dialog box that appears, assign the role as prompted.
In the Service Access Authorization for Cloud Backup dialog box, click Confirm Authorization.
For more information, see Service-linked roles for Cloud Backup.

Step 2: Create a RAM role for Account B

Log on to the RAM console with Account B.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.
In the Select Role Type step, select Alibaba Cloud Account as the trusted entity and click Next.

In the Configure Role step, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
RAM Role Name	Enter a name for the RAM role, for example, hbrcrossrole.
Note	Enter a description for the RAM role.
Select Trusted Alibaba Cloud Account	Select Other Alibaba Cloud Account. Then, enter the ID of Account A in the text box. Note You can view the ID of an Alibaba Cloud account on the Security Settings page.

In the Finish step, click Close.

Step 3: Grant permissions to the RAM role

After you create a RAM role, the RAM role does not have permissions. Before Account A can assume the RAM role to access the resources of Account B, you must attach the required system policy or custom policy to the RAM role. In the Precise Permission panel, RAM provides two system policies by default. You can attach one of the system policies to the RAM role.

AdministratorAccess: grants the permissions to manage all cloud resources.
AliyunHBRRolePolicy: (recommended) grants the permissions defined in the system policy of Cloud Backup.

AliyunHBRRolePolicy is used in this example.

Log on to the RAM console with Account B.
In the left-side navigation pane, choose Identities > Roles.
Find the created RAM role, for example, hbrcrossrole, and click the role name to go to the details page of the RAM role.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, set Type to System Policy, enter AliyunHBRRolePolicy in the Policy Name field, and then click OK.
The system prompts that the exact authorization is successful. Click Close.
Modify the trust policy of the RAM role.
1. On the details page of the RAM role, click the Trust Policy tab.
2. Click Edit Trust Policy.
3. In the script editor, copy the following code to the text box. Replace Account ID with the ID of Account A.
  The following policy allows Account A to obtain a temporary token to manage the cloud resources of Account B in the Cloud Backup console.
  Note
  You can view the ID of an Alibaba Cloud account on the Security Settings page.
```
{
 "Statement": [
     {
         "Action": "sts:AssumeRole",
         "Effect": "Allow",
         "Principal": {
             "RAM": [
                 "acs:ram::Account ID:role/AliyunServiceRoleForHbrCrossAccountBackup"
             ]
         }
     }
 ],
 "Version": "1"
}
```
4. Click Save trust policy document. The configuration is complete.

Step 4: Add a backup account

Log on to the Cloud Backup console with Account A.
In the top navigation bar, select a region.
Important
If you want to back up the ECS files, NAS files, OSS objects, Tablestore tables, or ECS instances that are owned by Account B in Region C, select Region C. In other words, add a backup account in the region where the resources to be backed up are located.
In the left-side navigation pane, choose Backup > Cross-Account Backup.
On the Cross-Account Backup page, click Add Backup Account.

In the Add Backup Account dialog box, configure the following parameters and click OK.

Parameter	Description
Alibaba Cloud Account ID	Enter the ID of your Alibaba Cloud account. In this example, enter the ID of Account B. Note You can view the ID of an Alibaba Cloud account on the Security Settings page.
Role Name	Enter the name of the created RAM role. In this example, enter hbrcrossrole, which is created in Step 2: Create a RAM role for Account B. Important You can click Check Permissions to check whether the authorization configurations are correct. If an error is prompted, modify the authorization configurations and try again. If the check is passed, the following message appears: You are authorized to access the resources of this role.
Account Alias	Enter an account alias to help you manage the backup account.

After the backup account is created, it is displayed on the Cross-Account Backup page.

zhanghao

Step 5: Perform cross-account backup

After the backup account is created, you can log on to the Cloud Backup console with Account A, switch the logon account to Account B, and then back up the data sources of Account B.

Log on to the Cloud Backup console with Account A.
In the top navigation bar, select the region where the resources that you want to back up reside.
Click Logon Account and select Account B.
In the left-side navigation pane, select a backup feature to perform cross-account backup.
Important
The cross-account backup feature can be used in the following scenarios: ECS file backup, NAS backup, OSS backup, Tablestore backup, database backup, and SAP HANA backup. You can back up ECS instances across Alibaba Cloud accounts. However, after an ECS instance is backed up, you can restore the instance only to the source Alibaba Cloud account. For more information about the supported scenarios, see the Cloud Backup console.
For example, if you select ECS File Backup, you can view the ECS assets of Account B in the ECS instance list. After data backup is complete, the data sources of Account B are backed up to the backup vaults of Account A.

Step 6: Restore data across accounts

After you back up the data sources of Account B by using Account A, the backup vaults store the backup data of Account A and Account B. The backup vaults are common backup vaults. You can restore data from any historical backup point in the backup vaults to Account A or Account B.

Switch the account.
The backup vaults are common backup vaults. Both Account A and Account B can restore data by using historical backup points in the backup vaults. Switch to the account whose data you want to restore.
Creates a restore job. To create a restore job for different data sources, see the following topics:

Disable cross-account backup

Important

After you disable the cross-account backup feature for Account A and Account B, Account A can no longer back up data sources from Account B. Evaluate your business requirements and proceed with caution.
We recommend that you do not disable the cross-account backup feature for other accounts. If you do not perform backup and restoration operations, no additional fees are incurred.
After you disable the cross-account backup feature, the backup data is still stored in the backup vaults of Cloud Backup. You are still charged for the storage usage of backup vaults. For more information about how to stop being billed, see How do I stop being billed for Cloud Backup? Data cannot be restored after its backup is deleted.

Switch to Account B. Find the data sources, uninstall the Cloud Backup client (if any), unregister the associated instances, and delete the backup vault. For more information, see How do I stop being billed for Cloud Backup?
Switch to Account A. On the Cross-Account Backup page in the Cloud Backup console, delete Account B.
Delete the RAM role that is created for Account B.
1. Log on to the RAM console with Account B.
2. In the left-side navigation pane, choose Identities > Roles.
3. Find the RAM role created for Account B, for example, hbrcrossrole. Click Delete Role in the Actions column.

Cloud Backup:Back up data across Alibaba Cloud accounts

Background information

Limits

How authorization works

Billing

Step 1: Assign the AliyunServiceRoleForHbrCrossAccountBackup service-linked role to Account A

Step 2: Create a RAM role for Account B

Step 3: Grant permissions to the RAM role

Step 4: Add a backup account

Step 5: Perform cross-account backup

Step 6: Restore data across accounts

Disable cross-account backup

References