5.4. Connecting Acronis Backup Software to Storage Backends via Backup Gateway

The Backup Gateway storage access point (also called “gateway”) is intended for service providers who use Acronis Backup Cloud and/or Acronis Backup Advanced and want to set up on-premises storage for their clients’ backed-up data.

Backup Gateway enables a service provider to easily configure storage for the proprietary deduplication-friendly data format used by Acronis.

Backup Gateway supports the following storage backends:

  • storage clusters with software redundancy by means of erasure coding
  • NFS shares
  • public clouds, including a number of S3 solutions as well as Microsoft Azure, OpenStack Swift, and Google Cloud Platform

While your choice should depend on your scenario and requirements, it is recommended to keep Acronis backup data in the local storage cluster. In this case, you get the best performance due to WAN optimizations and data locality. Keeping backups in an NFS share or a public cloud implies unavoidable data transfer and other overhead, which reduces overall performance.

Take note of the following:

  • When configuring Backup Gateway, you will need to provide the credentials of your administrator account in the Acronis backup software.
  • When external rather than local storage (e.g., NFS) is used with Backup Gateway, redundancy has to be provided by that external storage. Backup Gateway does not provide data redundancy or perform data deduplication itself.

5.4.1. Understanding the Infrastructure

The Backup Gateway storage access point runs as services on the Virtuozzo Infrastructure Platform nodes. It is recommended to deploy it on two or more nodes for high availability.


5.4.2. Connecting to the Local Storage Cluster via Backup Gateway

Before you proceed, make sure that the destination storage has enough space for both existing and new backups.

To set up Backup Gateway, do the following:

  1. On the INFRASTRUCTURE > Networks screen, make sure that the ABGW private and ABGW public traffic types are added to your networks.

  2. In the left menu, click STORAGE SERVICES > Backup storage.

  3. Select the node(s) to run the gateway services on and click Create gateway in the right menu.

  4. Select This Virtuozzo cluster as storage type.

  5. Make sure the correct network interface is selected in the drop-down list. Click NEXT.

    If necessary, click the cogwheel icon and configure the node’s network interfaces on the Network Configuration screen.

  6. On the Volume Parameters tab, select the desired tier, failure domain, and data redundancy mode.


    Redundancy by replication is not supported for Backup Gateway.

    You can later change the erasure coding mode on the Backup > Parameters panel.

  7. On the DNS Configuration tab, specify the external DNS name for this gateway, e.g., backupgateway.example.com. Make sure that each node running the gateway service has a port open for outgoing Internet connections and incoming connections from your Acronis backup software. Backup agents will use this address and port to upload the backup data.

    Important

    Configure your DNS server according to the example suggested in the admin panel.

    Important

    Each time you change nodes in the Backup Gateway cluster, adjust the DNS settings accordingly.


    Click Next.

  8. On the Register in backup software pane, specify the following information for your Acronis product:

    • In Address, specify the address of the Acronis Backup Cloud management portal (e.g., https://cloud.acronis.com/) or the hostname/IP address and port of the Acronis Backup Advanced management server (e.g., http://192.168.1.2:9877).
    • In Account, specify the credentials of a partner account in the cloud or of an organization administrator on the local management server.
  9. Finally, click DONE.

5.4.3. Connecting to External NFS Shares via Backup Gateway

Take note of these limitations:

  • Virtuozzo Infrastructure Platform does not provide data redundancy on top of NFS volumes. Depending on the implementation, NFS shares may use their own hardware or software redundancy.
  • In the current version of Virtuozzo Infrastructure Platform, only one cluster node may store backups on an NFS volume.

Before you proceed, make sure that:

  1. The NFS share has enough space for backups.
  2. Each NFS export is used by only one gateway. In particular, do not configure two Virtuozzo Infrastructure Platform installations to use the same NFS export for backup storage.

To set up Backup Gateway, do the following:

  1. On the INFRASTRUCTURE > Networks screen, make sure that the ABGW private and ABGW public traffic types are added to your networks.

  2. In the left menu, click STORAGE SERVICES > Backup storage.

  3. Select the node(s) to run the gateway services on and click Create gateway in the right menu.

  4. Select Network File System as storage type.

  5. Make sure the correct network interface is selected in the drop-down list. Click NEXT.

    If necessary, click the cogwheel icon and configure the node’s network interfaces on the Network Configuration screen.

  6. On the Volume Parameters tab, specify the hostname or IP address of the NFS share as well as the export name. Click NEXT.

  7. On the DNS Configuration tab, specify the external DNS name for this gateway, e.g., backupgateway.example.com. Make sure that each node running the gateway service has a port open for outgoing Internet connections and incoming connections from your Acronis backup software. Backup agents will use this address and port to upload the backup data.

    Important

    Configure your DNS server according to the example suggested in the admin panel.

    Important

    Each time you change nodes in the Backup Gateway cluster, adjust the DNS settings accordingly.


    Click Next.

  8. On the Register in backup software pane, specify the following information for your Acronis product:

    • In Address, specify the address of the Acronis Backup Cloud management portal (e.g., https://cloud.acronis.com/) or the hostname/IP address and port of the Acronis Backup Advanced management server (e.g., http://192.168.1.2:9877).
    • In Account, specify the credentials of a partner account in the cloud or of an organization administrator on the local management server.
  9. Finally, click DONE.

5.4.4. Connecting to Public Cloud Storage via Backup Gateway

With Backup Gateway, you can have Acronis Backup Cloud or Acronis Backup Advanced store backups in a number of public clouds: Amazon S3, IBM Cloud, Alibaba Cloud, IIJ, Cleversafe, Microsoft Azure, Swift object storage, Softlayer (Swift), Google Cloud Platform, Wasabi, as well as solutions using S3 with the older AuthV2-compatible authentication methods. However, compared to the local storage cluster, storing backup data in a public cloud increases the latency of all I/O requests to backups and reduces performance. For this reason, it is recommended to use the local storage cluster as the storage backend.

Since backups are cold data with specific access rights, it is cost-efficient to use storage classes that are intended for long-term storage of infrequently accessed data. The recommended storage classes include the following:

  • Infrequent Access for Amazon S3
  • Cool Blob Storage for Microsoft Azure
  • Nearline and Coldline Storage for Google Cloud Platform

Note that real data storage costs may be 10-20% higher due to additional fees for operations like data retrieval and early deletion.

5.4.4.1. Important Requirements and Restrictions

  • When working with public clouds, Backup Gateway uses the local storage as the staging area as well as to keep service information. It means that the data to be uploaded to a public cloud is first stored locally and only then sent to the destination. For this reason, it is vital that the local storage is persistent and redundant so the data does not get lost. There are multiple ways to ensure the persistence and redundancy of local storage. You can deploy Backup Gateway on multiple cluster nodes and select a good redundancy mode. If Virtuozzo Infrastructure Platform with the gateway is deployed on a single physical node, you can make the local storage redundant by replicating it among local disks. If Virtuozzo Infrastructure Platform with the gateway is deployed in a virtual machine, make sure it is made redundant by the virtualization solution it runs on.
  • Make sure the local storage cluster has plenty of logical space for staging. For example, if you perform backups daily, provide enough space for at least 1.5 days’ worth of backups. If the daily backup total is 2TB, provide at least 3TB of logical space. The required raw storage will vary depending on the encoding mode: 9TB (3TB per node) in the 1+2 mode, 5TB (1TB per node) in the 3+2 mode, etc.
  • If you are to store backups in an Amazon S3 cloud, keep in mind that Backup Gateway may sometimes block access to such backups due to the eventual consistency of Amazon S3. It means that Amazon S3 may occasionally return stale data as it needs time to render the most recent version of the data accessible. Backup Gateway detects such delays and protects backup integrity by blocking access until the cloud updates.
  • Use a separate object container for each Backup Gateway cluster.

5.4.4.2. Setting Up Backup Gateway

Before you proceed, make sure that the destination storage has enough space for both existing and new backups.

To set up Backup Gateway, do the following:

  1. On the INFRASTRUCTURE > Networks screen, make sure that the ABGW private and ABGW public traffic types are added to your networks.

  2. In the left menu, click STORAGE SERVICES > Backup storage.

  3. Select the node(s) to run the gateway services on and click Create gateway in the right menu.

  4. Select Public Cloud as storage type.

  5. Make sure the correct network interface is selected in the drop-down list. Click NEXT.

    If necessary, click the cogwheel icon and configure the node’s network interfaces on the Network Configuration screen.

  6. On the Public cloud parameters pane, do the following:

    1. Select a public cloud provider. If your provider is S3-compatible but not in the list, try AuthV2 compatible.

    2. Depending on the provider, specify Region, Authentication (keystone) URL, or Endpoint URL.

    3. In case of Swift object storage, specify the authentication protocol version and attributes required by it.

    4. Specify user credentials. In case of Google Cloud, select a JSON file with keys to upload.

    5. Specify the folder (bucket, container) to store backups in. The folder must be writeable.

      Use a separate object container for each Backup Gateway cluster.

    Click NEXT.

  7. On the Register in backup software pane, specify the following information for your Acronis product:

    • In Address, specify the address of the Acronis Backup Cloud management portal (e.g., https://cloud.acronis.com/) or the hostname/IP address and port of the Acronis Backup Advanced management server (e.g., http://192.168.1.2:9877).
    • In Account, specify the credentials of a partner account in the cloud or of an organization administrator on the local management server.
  8. Finally, click DONE.

5.4.5. Updating certificate for Backup Gateway

When you register a Backup Gateway in Acronis Backup Cloud or Acronis Backup Advanced, they exchange certificates that are valid for one year. One and a half months before expiration, you will be alerted about the expiring certificate in the admin panel. To update the certificate, you need to connect to your backup software and renew the certificate. Do the following:

  1. On the STORAGE SERVICES > Backup storage screen, click Update certificate.

  2. On the Connect to backup software pane, specify the following information for your Acronis product:

    • In Address, specify the address of the Acronis Backup Cloud management portal (e.g., https://cloud.acronis.com/) or the hostname/IP address and port of the Acronis Backup Advanced management server (e.g., http://192.168.1.2:9877).
    • In Account, specify the credentials of a partner account in the cloud or of an organization administrator on the local management server.
  3. Click NEXT.

  4. On all nodes included in the ABGW cluster, restart the service:

    # systemctl restart vstorage-abgw
    

5.4.6. Re-registering Backup Gateway in a New Acronis Backup Advanced

To switch a configured Backup Gateway to a different Acronis Backup Advanced instance, re-register the gateway with that instance. To do this:

  1. On the STORAGE SERVICES > Backup storage screen, click Re-register.
  2. On the Re-registration in Acronis Backup tab, specify the following:
    • In Address, specify the hostname/IP address of the target management server and the port 9877 (e.g., http://192.168.1.2:9877). Note that the address must be provided using the HTTP protocol, not HTTPS.
    • In Account, specify the credentials of the management server administrator account.
  3. Click DONE.

5.4.8. Managing Geo-Replication for Backup Gateway

Virtuozzo Infrastructure Platform allows you to enable Backup Gateway replication between two geographically distributed datacenters registered in the Cloud Management Panel. It protects backup data against failure of the primary datacenter. You can enable geo-replication for Backup Gateways that are set up on different storage backends: a local storage cluster, NFS share, or public cloud.

For successful geo-replication, the following requirements must be met:

  • Two storage clusters with Backup Gateways are deployed.
  • All storage clusters are updated to the latest version.
  • All storage clusters are registered in the Cloud Management Panel.
  • All storage clusters can reach each other via domain names on TCP port 44445.
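
The reachability requirement above, together with the earlier instruction to adjust DNS whenever gateway nodes change, can be verified before the clusters are connected. The following Python script is an added example, not part of the Virtuozzo or Acronis tooling; it assumes that each gateway DNS name publishes one address record per gateway node and that you supply the node IPs from your own inventory (the function names and the 192.0.2.x addresses are constructed for illustration).

```python
"""Pre-flight check for Backup Gateway geo-replication (added example).

Assumption: each gateway DNS name publishes one address per gateway node;
the node inventory passed in is maintained by the operator.
"""
import socket
import sys

GEOREP_PORT = 44445  # TCP port from the geo-replication requirements


def resolve(name, port=GEOREP_PORT):
    """Return the sorted addresses a DNS name currently resolves to."""
    infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def dns_drift(expected, resolved):
    """Compare the node inventory with what DNS publishes."""
    expected, resolved = set(expected), set(resolved)
    return {
        "missing": sorted(expected - resolved),  # nodes DNS does not publish
        "stale": sorted(resolved - expected),    # records for released nodes
    }


def port_open(addr, port=GEOREP_PORT, timeout=3.0):
    """True if a TCP handshake to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable
        return False


def check_peer(name, expected, resolver=resolve, prober=port_open):
    """Run every check for one peer cluster; return a list of findings."""
    try:
        resolved = resolver(name)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"{name}: DNS resolution failed ({exc})"]
    drift = dns_drift(expected, resolved)
    findings = [f"{name}: node {ip} is not published in DNS"
                for ip in drift["missing"]]
    findings += [f"{name}: DNS still publishes {ip}, which is not a gateway node"
                 for ip in drift["stale"]]
    findings += [f"{name}: {ip} is unreachable on TCP {GEOREP_PORT}"
                 for ip in resolved if not prober(ip)]
    return findings


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Live run: preflight.py <peer-dns-name> <node-ip> [<node-ip> ...]
        problems = check_peer(sys.argv[1], sys.argv[2:])
    else:
        # Offline demo on constructed data: .12 was added to the cluster but
        # not to DNS, .13 was released but is still published and is down.
        problems = check_peer(
            "backupgateway.example.com",
            ["192.0.2.11", "192.0.2.12"],
            resolver=lambda name: ["192.0.2.11", "192.0.2.13"],
            prober=lambda ip: ip != "192.0.2.13",
        )
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```

Run it from a node in each cluster against the other cluster's DNS name, since the requirement is that the clusters can reach each other.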

5.4.8.1. Enabling Geo-Replication

To set up geo-replication between two storage clusters, primary and secondary, do the following:

  1. On the cluster that will be configured as secondary, click the copy icon next to the DNS name and UID fields to copy its DNS name and UID to the clipboard.

  2. On the cluster that will be configured as primary, click Configure replication and do the following in the Configure replication window:

    1. Paste the DNS name and UID of the secondary cluster into the corresponding fields.
    2. Click Download configuration file to download the configuration file of the primary cluster to your local server.
    3. Click Done.

    The primary cluster is now configured and ready to be connected to the secondary one, which needs to be configured next.

  3. On the secondary cluster, click Configure replication and do the following in the Configure replication window:

    1. Select the Secondary cluster configuration type.
    2. Upload the configuration file of the primary cluster from your local server.
    3. Click Done.

    The secondary cluster is now also configured and ready to be connected to the primary one.

    If, after configuring the secondary cluster, you need to change the configuration of the primary cluster, download the new configuration and upload it to the secondary cluster by clicking the upload icon next to the Configuration file field. Before doing so, make sure the primary cluster UID has not been changed.

  4. Back on the primary cluster, click Connect to enable replication between the two datacenters.


5.4.8.2. Performing a Failover

If the primary cluster becomes unavailable, you can perform a manual failover by promoting the secondary cluster to primary. This operation will switch the configuration of the secondary cluster, including its DNS name, to the configuration of the primary one. Failover of the primary cluster can be performed in the following cases:

  • The current primary cluster is completely non-operational and isolated from the Internet and any backup agents.
  • Backup agents are unable to communicate with the current primary cluster.
  • The DNS name of the primary cluster has been reconfigured to its IP addresses.

Warning

Promoting the secondary cluster to primary is an irreversible operation that will invalidate all data on the primary cluster. Use it only in case of emergency.

To perform a failover, click Promote to primary on the secondary cluster and then Failover in the confirmation window.


If the current primary cluster is still operational, forcibly release all its nodes from Backup Gateway first and then perform a failover.

5.4.8.3. Updating the Geo-replication Configuration

Once a year you need to renew the Backup Gateway certificate. The certificate update changes the cluster configuration, which in turn requires updating the geo-replication configuration. Do the following:

  1. On the primary cluster, update the certificate as described in Updating certificate for Backup Gateway.
  2. On the primary cluster, click Download configuration file to download its new configuration to your local server.
  3. On the secondary cluster, click the upload icon next to the Configuration file field to upload the new configuration to the secondary cluster.

5.4.8.4. Disabling Geo-replication

To disable geo-replication, click Disable replication on the primary cluster. To remove the secondary cluster from the geo-replication configuration, gracefully release all its nodes from Backup Gateway (see Releasing Nodes from Backup Gateway).


5.4.9. Monitoring Backup Gateway

After you create a Backup Gateway, you can monitor it on the STORAGE SERVICES > Backup storage > OVERVIEW screen. The charts show the following information:

  • the performance of Backup Gateway services
  • the geo-replication speed and backlog (the amount of data waiting to be replicated)
  • object storage speed and backlog (the amount of data waiting to be uploaded to public cloud)

If backlogs do not decrease over time, it means the data cannot be replicated, migrated, or uploaded fast enough. The reason may be insufficient network transfer speed, and you may need to check or upgrade your network.

5.4.9.1. Advanced Monitoring via Grafana

For advanced monitoring of the ABGW cluster, go to the MONITORING > Dashboard screen and click Grafana dashboard. A separate browser tab will open with preconfigured Grafana dashboards, two of which are dedicated to Acronis Backup Gateway. To see a detailed description for each chart, click the i icon on its left corner.

On the Acronis Backup Gateway dashboard, you need to pay attention to the following charts:

  • Availability. Any time period during which the gateways have not been available will be highlighted in red. In this case, you will need to look into logs on the nodes with the failed service and report a problem. To see the ABGW log, use the following command:

    # zstdcat /var/log/vstorage/abgw.log.zst
    
  • Migration/Replication throughput. The migration chart should be displayed during migration or if the cluster serves as master in a geo-replication configuration. The replication chart should mirror the ingress bandwidth chart.

  • Migration/replication backlog. The migration chart should decrease over time. The replication chart should be near zero; high values are indicative of network issues.

  • Rate limiting/ingress throttling. If the chart is not empty, it means the underlying storage lacks free space and the Backup Gateway is throttling user requests to slow down the data flow. Add more storage space to the cluster to solve the issue. For more information, see https://kb.acronis.com/content/62823.

  • New client connections. A high rate of failed connections due to SSL certificate verification problems on the chart means that clients uploaded an invalid certificate chain.

  • IO watchdog timeouts. If the chart is not empty, it means the underlying storage is not healthy and cannot deliver the required performance.


To see the charts for a particular client request, file, and I/O operation, choose them from the drop-down menus above. A high rate of failed requests or operations and high latencies on these charts indicate that the Backup Gateway experiences issues that need to be reported. For example, you can check charts for the “Append” request:

  • The Append rate chart displays the backup data flow from Backup agents to the storage in operations per second (one operation equals one big block of backup data; blocks can be of various sizes).
  • The Append latency chart shows the time spent on processing requests and should average several tens of milliseconds with peak values below one second.

The Acronis Backup Gateway Details dashboard is intended for low-level troubleshooting by the support team. To monitor a particular node, client request, file, and I/O operation, choose them from the drop-down menus above. On the dashboard, you can make sure the Event loop inactivity chart is empty. Otherwise, the Backup Gateway is not healthy on this node and the issue needs to be reported.


5.4.10. Releasing Nodes from Backup Gateway

Backup Gateway is meant to provide access to one specific storage backend. If you need to switch the backend, e.g., from a public cloud to a local storage cluster or from one public cloud bucket to another, you need to delete the Backup Gateway by releasing all its nodes and create a new one.

To release one or more nodes from the Backup Gateway cluster, select them on the STORAGE SERVICES > Backup storage > NODES screen and click Release. The Backup Gateway cluster will remain operational as long as there is at least one node in it.

When the Backup Gateway is deleted, it is also unregistered from your Acronis backup software, which loses access to the storage backend.

Do the following to release the last node in the gateway:

  1. On the STORAGE SERVICES > Backup storage > NODES screen, select the node and click Release.

  2. On the Unregister from backup software panel, choose one of the following:

    • Graceful release (recommended, see note below). Releases the node, deletes the Backup Gateway and unregisters it from your Acronis backup software.

    • Force release. Releases the node, deletes the Backup Gateway but does not unregister it from your Acronis backup software.

      Important

      Choose this option only if you are sure that the gateway has already been unregistered from your Acronis backup software. Otherwise, you will need to register a new gateway in your Acronis backup software and for that you will need to delete and recreate not just the Backup Gateway but also the entire storage cluster.

  3. Specify the credentials of your administrator account in your Acronis backup software and click NEXT. In case the release is forced, simply click NEXT.