All Products
Search

This Product

    Cloud Backup:Before you begin (ACVS)

    Document Center

    Cloud Backup:Before you begin (ACVS)

    Last Updated:Jan 21, 2026

    To enable backup and restore operations for virtual machines (VMs) in Alibaba Cloud VMware Service (ACVS), you must first install and activate a disaster recovery gateway.

    Background information

    ACVS is an enterprise-class public cloud service that is jointly developed by Alibaba Cloud and VMware. ACVS implements VMware's software-defined data center (SDDC) architecture in the cloud. Alibaba Cloud provides sales, operations, and after-sales support for ACVS.

    (Recommended) Use the AccessKey pair of a RAM user for backup and disaster recovery

    Resource Access Management (RAM) is an Alibaba Cloud service that allows you to manage user identities and control access to resources. RAM lets you create and manage multiple identities for an Alibaba Cloud account, and grant multiple permissions to a single identity or a group of identities. Different identities can be authorized to access different Alibaba Cloud resources.

    An AccessKey pair is required when you activate a disaster recovery gateway. Using the AccessKey pair from your root Alibaba Cloud account poses a security risk because it grants broad access to all your cloud resources. Therefore, the recommended best practice is to use an AccessKey pair from a RAM user to activate the disaster recovery gateway. Before you back up data, ensure that a RAM user and an AccessKey pair have been created. For more information, see Create a RAM user and Create an AccessKey pair.

    Prerequisites

    Before you begin, ensure that you have:

    • An activated Cloud Backup service. Activating Cloud Backup is free. Using the VMware backup and disaster recovery feature incurs charges for the Cloud Backup client and backup vault. For more information, see Billing.

    • The username and password for your VMware vCenter Server.

    Usage notes

    Step 1: Prepare the VMware environment

    Before backing up VMs, perform the following operations:

    • Obtain the username and address that are used to log on to the VMware management component.

    • Configure a firewall between your virtual private cloud (VPC) and the dedicated VMware environment.

      By default, the VPC bound when you create the dedicated VMware environment can access only the management components of VMware vCenter and NSX-T, and cannot directly access the NSX-T segments that you create. You must add firewall rules in the NSX-T console to allow network access between the VPC and NSX-T segments. You must also configure CIDR blocks to ensure that the business network can communicate with vCenter and ESXi networks.

    • Add the endpoints and ports to the whitelist of your firewall. This ensures that Cloud Backup can back up and restore VMware VMs as expected.

      For example, if you use ACVS in the China (Shanghai) region, add the MQTT endpoint (post-cn-4590rcihm02-internal.mqtt.aliyuncs.com), the OSS endpoint (*.oss-cn-shanghai-internal.aliyuncs.com), and the VPC endpoint (hbr-vpc.cn-shanghai.aliyuncs.com) to the whitelist of the firewall in the VMWare environment. For more information about endpoints, see What are the endpoints and ports that can be accessed by the Cloud Backup client?

    Step 2: Log on to the ECS jump server

    Create an Elastic Compute Service (ECS) instance in the VPC of the dedicated VMware environment as a jump server for accessing management components such as vCenter Server and NSX-T Manager. Select Windows Server as the operating system. If you enable Internet access from the jump server, configure security settings.

    Note

    When you create the ECS jump server, set the VPC parameter to the VPC that is used by the dedicated VMware environment.

    1. Log on to the ECS console and find the ECS instance that serves as the jump server.

    2. In the Actions column, click Connect.

    3. In the Remote connection dialog box, click Sign in now in the Workbench section.

    4. In the Instance Login dialog box, set Connection Method to Terminal and Authentication to Password-based.

      • Username: Enter administrator.

      • Password: Enter the logon password that you set for the Logon Credentials parameter when you created the ECS instance.

      Confirm the information and click Log On.

    Step 3: Create the disaster recovery gateway

    Create a disaster recovery gateway in the Cloud Backup console, download the gateway package, and then deploy it in your ACVS environment.

    1. Log on to the ECS console and find the ECS instance that serves as the jump server.

    2. In the left-side navigation pane, choose Backup > VMware Backup & Disaster Recovery.

    3. In the top navigation bar, select a region.

    4. On the VMware Backup & Disaster Recovery page, click Create Backup & Disaster Recovery Gateway.

    5. In the Create Backup & Disaster Recovery Gateway panel, configure the parameters and click Create.

      The following table describes the parameters.

      Parameter

      Description

      Backup Vault

      The backup vault where backup data will be stored. Valid values:

      • Create Vault: If you select this option, specify a name for the backup vault in the Vault Name field. If you do not configure this parameter, a random name is specified.

      • Select Vault: If you select this option, select a backup vault from the Vault Name drop-down list.

      Important

      After you create a backup vault and store backup data, you are charged for the storage usage of the backup vault. For more information, see Billing methods and billable items.

      The system automatically selects the redundancy type based on what the region supports. In regions that support ZRS, a ZRS-enabled backup or archive vault is created by default. In other regions, a LRS-based backup or archive vault is created. You do not need to select the type manually.

      Vault Name

      The name of the backup vault.

      Vault Resource Group

      This parameter is required only if you set the Backup Vault parameter to Create Vault. This parameter specifies the resource group to which the backup vault belongs.

      Use resource groups to manage resources owned by your Alibaba Cloud account. Resource groups help you simplify the resource and permission management of your Alibaba Cloud account. For more information, see Create a resource group.

      Gateway Name

      A name for the gateway, 1 to 64 characters in length.

      VMware Platform

      The VMware platform on which the VM is deployed. In this example, select Alibaba Cloud VMware Services (ACVS).

      • On-premise vSphere: The VM is deployed in a VMware environment on the on-premises server.

      • Alibaba Cloud VMware Services (ACVS): The VM is deployed on ACVS.

      Network Type

      The network type. In this example, select VPC.

      If you select VPC, the VM that you want to back up must reside in a VPC and the VPC is in the same region as the backup vault.

      Use HTTPS

      Specifies whether to use HTTPS to transmit encrypted data that is stored in a backup vault. Using HTTPS to encrypt data in transit enhances security but may slightly impact transmission performance. If you modify the setting of the Use HTTPS switch, the modification takes effect on the next backup or restore job.

    6. In the Create Backup & Disaster Recovery Gateway panel, click Download Gateway and Download Certificate.

      Note

      The disaster recovery gateway is used to connect your VM to Cloud Backup, and the certificate is used to activate the disaster recovery gateway. A disaster recovery gateway can be downloaded and deployed on the Backup & Disaster Recovery Gateway tab at any time.

    Step 4: Install the gateway

    After downloading the gateway and certificate, install the gateway in your VMware environment. After installation, run backup and restore jobs in the Cloud Backup console:

    1. Log on to the ECS jump server.

      For more information, see Step 2: Log on to the ECS jump server.

    2. Log on to the ACVS console, find the dedicated VMware environment, and then click Login management component in the Actions column.

    3. On the ECS jump server, log on to the vSphere Web Client using the vCenter username and address from Step 2.

    4. In the left-side navigation pane, right-click the VM and select Deploy OVF Template from the shortcut menu.

      ovfmubanFor more information, see Deploying OVF and OVA Templates.

      1. In the Deploy OVF Template dialog box, select Local file. Click Browse, select the gateway package that you downloaded in Step 3: Create the disaster recovery gateway and then click NEXT.

        Note

        To reduce the download time, Cloud Backup provides a gateway package in the open virtual appliance (OVA) format. Use the package to deploy Open Virtual Format (OVF) templates on the vSphere Web Client.

        ovf模板

      2. Enter the name of the OVF template, select the location where you want to deploy the template, and then click NEXT.

        选择位置

      3. Select a computing resource and click NEXT.

        计算资源

      4. Verify the template details and click NEXT.

        详细信息

      5. Select the format of the virtual disk, select a storage resource to which you want to store the files of the deployed template, and then click NEXT.

        选择存储

      6. Select a destination network for each source network and click NEXT.

        选择网络

      7. Configure the network and admin user password, and then click NEXT.

        • If you use DHCP to obtain an IP address, you do not need to specify the Gateway, IP, and Netmask parameters. If you use a static IP address, you must specify the preceding parameters based on the obtained IP address.

        • You must make sure that the specified primary DNS server and secondary DNS server can resolve the domain names of Cloud Backup, vCenter, and ESXi.

          Note

          Enter the IP address of a DNS server that is reachable from the gateway VM and can resolve the required endpoints. If no DNS server is available for mapping domain names to VPC endpoints, enter the server IP address of Alibaba Cloud DNS PrivateZone, for example, 100.100.2.136 or 100.100.2.138.

        • Set the Admin User Name and Admin User Password parameters to the username and password of the gateway VM that you created. This user has root permissions and can be used to log on to the VM.

        自定义模板

      8. Verify the configurations and click FINISH.

        查看配置数据

    5. On the Recent Tasks page, view the progress of each deployment task.

    image

    Step 5: Activate the gateway

    Note

    If a VMware disaster recovery gateway is not activated within 48 hours after it is created, Cloud Backup automatically deletes the gateway.

    1. After the deployment tasks are completed, start the VM on which the OVF template is deployed.

    2. Open a browser, and enter http://hostname:8011 in the address bar.

      The value of hostname is the IP address of the gateway on which the OVF template is deployed.

    3. On the Register page, configure the parameters and click Register to log on to the Cloud Backup gateway. The following table describes the parameters.

      Parameter

      Description

      AccessKey ID

      The AccessKey ID and AccessKey secret of the RAM user that is used to access Cloud Backup. You can obtain the AccessKey ID and AccessKey secret of a RAM user from your Alibaba Cloud account for which Cloud Backup is activated. For more information, see How do I create an AccessKey pair for a RAM user?

      Note

      The AccessKey pair used to activate the disaster recovery gateway may expire and be rotated. If the AccessKey pair is rotated, you must reactivate the disaster recovery gateway. Otherwise, the backup fails. For more information, see How do I change the AccessKey pair of a gateway used for VMware backup and disaster recovery to reactivate the gateway?

      AccessKey Secret

      Certificate

      The certificate that you downloaded from the Cloud Backup console. If a VM is shut down for more than five days after you use the certificate to activate the gateway on the VM, the certificate expires. You must download a new certificate and reactivate the gateway.

      After the gateway is installed, the status of the gateway changes to Activated on the Backup & Disaster Recovery Gateway tab of the VMware Backup & Disaster Recovery page. The following operations are available in the Actions column:

      • Throttle Bandwidth: Set traffic limits in different time periods to prevent backup jobs from consuming excessive VMware resources.

      • More:

        • Download Gateway: Download the installation package of the disaster recovery gateway.

        • Download Certificate: Download the certificate used to activate the disaster recovery gateway.

        • Delete: Deleting a Cloud Backup client also deletes its backup data and causes any running jobs to fail. Before you delete a Cloud Backup client, make sure that you no longer need the backup data generated by the client and no backup or restore jobs are being performed by the client.

        • Gateway Settings: Specify whether to transfer data over HTTPS, the maximum number of worker threads, and the maximum number of CPU cores.

      After you complete the preceding operations, view the vCenter Servers on the Managed vCenter Servers tab.

      image

    FAQ

    Why does adding a vCenter Server fail with correct credentials?

    A vCenter Server may fail to be added if the password contains the following special characters:

    ` ^ ~ = ; ! / ( [ ] { } @ $ \ & # % +

    How do I change the AccessKey pair of a gateway used for VMware backup and disaster recovery?

    If your AccessKey pair is rotated or has expired, you must reset the gateway and reactivate it with the new key.

    The following steps are performed on the gateway VM itself, not on the Windows jump server. You will need to access the gateway VM's command-line interface through the vSphere Client.

    To reset and reactivate the gateway:

    1. Log on to your vSphere Client.

    2. In the inventory, locate the disaster recovery gateway VM that you deployed in Step 4: Install the gateway.

    3. Open a console to the VM. Right-click the VM and select Launch Web Console or Launch Remote Console.

    4. Log in to the VM's operating system by using the administrator credentials (Admin User Name and Admin User Password) that you configured during the OVF deployment.

    5. After you are logged in, run the following commands in sequence to reset the gateway's configuration:

      a. Navigate to the data directory:

      cd /opt/alibabacloud/hbr/data/

      b. Delete the existing registration file:

      rm -f console.mv.db

      c. Restart the gateway service to apply the changes:

      systemctl restart hbr

    6. Reactivate the gateway. Open a web browser on your jump server and navigate to the gateway's registration page at http://<gateway-ip-address>:8011.

    7. On the Register page, enter your new AccessKey ID, AccessKey secret, and provide the Certificate file again. Click Register.

    After successful registration, the gateway's status will change to Activated in the Cloud Backup console.

    Next steps

    Back up VMware VMs