Overview of Cross-Cloud Backup Replication

Scenarios

If your enterprise's core services run on a single cloud platform, a regional fault (such as power failure or network interruption) of the cloud service provider may cause data loss and service suspension. In this case, cross-cloud replication can be used to build a remote multi-active DR system. Cross-cloud replication eliminates the need to build complex disaster recovery (DR) infrastructure, significantly reducing capital investment. It also helps flexibly meet diverse service requirements and tailor replication speeds based on data criticality, offering a double-layer protection for stable operations and effectively mitigating single points of failure within a single cloud environment.

With cross-cloud replication, you can quickly deploy services across clouds. The new resources created from replicated backups are in the same state as the original resources when you took the backup. Cross-cloud replication transfers backup data from the source cloud to other cloud platforms, either through scheduled tasks or manual operations. This enables your enterprise to rapidly scale services across clouds, while ensuring compliance and minimizing data security risks. Cross-cloud replication has become a critical pillar of enterprise data management.

You can select a backup vault and manually replicate it across clouds. Alternatively, you can configure a replication policy to periodically replicate backups to the target cloud.

How Cross-Cloud Replication Works

You can replicate cloud server backups and SFS Turbo backups across clouds.

Server backup replicas can be used to create images and provision servers on the destination cloud. SFS Turbo backup replicas can be used to create file systems on the destination cloud.

As shown in the figure, you can back up resources in HCS Online, replicate the backups to Huawei Cloud, and use the replicas to create images or SFS Turbo file systems on Huawei Cloud. Similarly, you can replicate backups from Huawei Cloud to HCS Online.

Procedure

Figure 1 Cross-cloud replication process

1. Create a hybrid cloud backup 2.0 replication vault on the target cloud to store the replicas. To replicate encrypted backups, you need to select the encryption parameter when creating the vault.
2. Create a cross-cloud credential on the source cloud for authenticating the target cloud. You need to obtain the account ID and AK/SK of the target cloud in advance.
3. Manually create a backup replication task on the source cloud to replicate a single backup or the entire vault.
4. (Optional) Create a cross-cloud replication policy on the source cloud and apply it to the vault. Once applied, backups will be replicated to the target cloud periodically. For details, see Creating a Replication Policy.

Constraints

• Cloud disk backup vaults do not support cross-cloud replication.
• If no backup exists in the vault, the cross-cloud replication task will be skipped. In this case, create a backup and try again.
• When you create an encrypted hybrid cloud 2.0 backup vault, keys shared via Resource Access Manager (RAM) cannot be used for encryption.
• If a backup of a resource has been replicated to the target encrypted vault, the other backups of the resource cannot be manually replicated to non-encrypted vaults. In addition, the vault associated with the resource cannot be replicated to a non-encrypted vault, and the cross-cloud replication task will be skipped.
• If a backup of a resource has been replicated to the target encrypted vault, the other backups of the resource can be manually replicated to encrypted vaults that use the same key as the original encrypted vault.
• If a backup of a resource has been replicated to the target non-encrypted vault, the other backups of the resource cannot be manually replicated to encrypted vaults, and the cross-cloud replication task will be skipped. In addition, the vault associated with the resource cannot be replicated to an encrypted vault, and the cross-cloud replication task will be skipped.
• SFS Turbo backups cannot be replicated to vaults encrypted using RAM shared keys.
• Encrypted backups can only be used to create encrypted cloud servers or file systems.
• Backups replicated to the destination cloud can be replicated back to the source cloud.
• Backup data can only be replicated to the destination region that supports replication.
• A backup cannot be replicated to multiple accounts.
• A backup can be replicated to multiple regions but can have only one replica in each destination region. Replication rules vary with the replication method:
  • Manual replication of a single backup: A backup can be manually replicated again if its replica in the destination region has been deleted.
  • Manual or policy-based vault replication: A vault can only be replicated to a destination region once. It cannot be replicated to that region again, even if its replicas in that region have been deleted.
• A server backup can be replicated only when it meets all the following conditions:
  1. It is an ECS backup. You can check the server type in the Server Type column of the backup list.
  2. It contains system disk data. You can check the disk backup in the backup details.
  3. It is in the Available state. You can check the backup status in the backup list.
• Cross-cloud replication requires that the target cloud user grant the following actions in the identity policy on the new IAM console: cbr:vaults:get, cbr:backups:get, cbr:tasks:get, cbr:backups:import, cbr:backups:delete, cbr::createSnapshotMetadata, cbr::updateSnapshotMetadata, cbr::createThirdAuth, and cbr::listThirdAuth. If you are still using the old IAM console, grant the following actions instead: cbr:vaults:get, cbr:backups:get, cbr:tasks:get, cbr:backups:import, cbr:backups:delete, cbr:snapshotMetadata:create, cbr:snapshotMetadata:update, cbr:thirdAuth:create, and cbr:thirdAuth:list. You are advised to assign the CBRFullAccess permission to the account.