Configure vaulted backup for Azure Data Lake Storage using Azure portal (preview)

This article describes how to configure vaulted backup for Azure Data Lake Storage (preview) using Azure portal.

Prerequisites

Before you configure backup for Azure Data Lake Storage, ensure the following prerequisites are met:

• The storage account must be in a supported region and of the required types.
• The target account mustn't have containers with the names same as the containers in a recovery point; otherwise, the restore operation fails.

For more information about the supported scenarios, limitations, and availability, see the support matrix.

Create a Backup vault

To back up Azure Data Lake Storage, ensure you have a Backup Vault in the same region. You can use an existing vault, or create a new one.

Create a backup policy for Azure Data Lake Storage (preview)

A backup policy defines the schedule and frequency for backing up Azure Data Lake Storage. You can either create a backup policy from the Backup vault, or create it on the go during the backup configuration.

To create a backup policy for Azure Data Lake Storage from the Backup vault, follow these steps:

1. In the Azure portal, go to the Backup vault > Backup policies, and then select + Add.

2. On the Create Backup Policy pane, on the Basics tab, provide a name for the new policy on Policy name, and then select Datasource type as Azure Data Lake Storage (Preview).

   

3. On the Schedule + retention tab, under the Backup schedule section, set the Backup Frequency as Daily or Weekly and the schedule for creating recovery points for vaulted backups.

4. Under the Add retention section, edit the default retention rule or add new rules to specify the retention of recovery points.

5. Select Review + create.

6. After the review succeeds, select Create.

Grant permissions to the Backup vault on storage accounts

A Backup vault needs specific permissions on the storage account for backup operations. The Storage Account Backup Contributor role consolidates these permissions for easy assignment. We recommend you to grant this role to the Backup vault before configuring backup.

To assign the required role for storage accounts that you want to protect, follow these steps:

1. In the Azure portal, go to the storage account, and then select Access Control (IAM).

2. On the Access Control (IAM) pane, select Add role assignments to assign the required role.

   

3. On the Add role assignment pane, do the following steps:

   1. Role: Select Storage Account Backup Contributor.
   2. Assign access to: Select User, group, or service principal.
   3. Members: Click + Select members and search for the Backup vault you created, and then select it from the search result to back up blobs in the underlying storage account.

4. Select Save to finish the role assignment.

Configure backup for the Azure Data Lake Storage (preview)

You can configure backup on multiple Azure Data Lake Storage.

To configure backup, follow these steps:

1. In the Azure portal, go to the Backup vault, and then select + Backup.

2. On the Configure Backup pane, on the Basics tab, review the Datasource type is selected as Azure Data Lake Storage (preview).

3. On the Backup policy tab, under Backup policy, select the policy you want to use for data retention, and then select Next. If you want to create a new backup policy, select Create new. learn how to create a backup policy.

4. On the Datasources tab, SelectAdd.

   

5. On the Select storage account container pane, provide the Backup instance name, and then click select under Storage account.

   

6. On the Select hierarchical namespace enabled storage account pane, select the storage accounts with Azure Data Lake Storage across subscriptions from the list that are in the region same as the vault.

   

7. On the Select storage account container pane, you can back up all containers or select specific ones.

   After you add the resources, backup readiness validation starts. If the required roles are assigned, the validation succeeds with the Success message.

   

   If access permissions are missing, error messages appear. See the prerequisites.

   Validation errors appear if the selected storage accounts don't have the Storage Account Backup Contributor role. Review the error messages and take necessary actions.

   Error	Cause	Recommended action
   Role assignment not done	The Storage account backup contributor role and the other required roles for the storage account to the vault are not assigned.	Select the roles, and then select Assign missing roles to automatically assign the required role to the Backup vault and trigger an auto revalidation. If the role propagation takes more than 10 minutes, then the validation might fail. In this scenario, you need to wait for a few minutes and select Revalidate to retry validation. You need to assign the following types of permissions for various operations: - Resource-level permissions: For backing up a single account within a resource group. - Resource group or Subscription-level permissions: For backing up multiple accounts within a resource group. - Higher-level permissions: For reducing the number of role assignments needed. Note that the maximum count of role assignments supported at the subscription level is 4,000. Learn more about Azure Role-Based Access Control Limits.
   Insufficient permissions for role assignment	The vault doesn't have the required role to configure backups, and you don't have enough permissions to assign the required role.	Download the role assignment template, and then share with users with permissions to assign roles for storage accounts.

8. Review the configuration details, and then select Configure Backup.

You can track the progress of the backup configuration under Backup instances. After the configuration of backup is complete, Azure Backup triggers the backup operation as per the backup policy schedule to create the recovery points.

Next steps

Restore Azure Data Lake Storage using Azure portal (preview).