A protection policy is a reusable configuration that defines a schedule for taking snapshots and optionally replicating them to a specified native replication peer or S3 replication peer. It defines how long to retain local snapshots. If the purpose of a protection policy is remote backup to either S3 or a native replication peer without local snapshot retention, then this is achieved by defining no retention for local snapshots.
Once defined, a protection policy can be specified in the configuration of a protected path which protects a specific data path using the specified protection policy.
For example, you could set snapshots and S3 backup to be done on July 1st, 2020 at midnight and then once every day. Snapshots would be taken every day at midnight beginning July 1st and replicated to an S3 replication peer.
From the left navigation menu, select Data Protection and then Protection Policies.
Click + Create Protection Policy.
In the Add Protection Policy dialog, complete the fields:
Enter a name for the policy.
Optionally select either a replication peer or an S3 replication peer from the dropdown. This defines the peer as a target to which snapshots are copied.
To create a new native replication peer, see Managing Replication Peers.
To create a new S3 replication peer, see Managing S3 Replication Peers.
Enter a prefix for the snapshot names.
The name of each snapshot will be <prefix>_<timestamp>, where <prefix> is the prefix specified here and <timestamp> is the time the snapshot is created, in the format (T denotes time and doesn't represent a value, zzz is the timezone, and the time is accurate to the microsecond). For example, if the prefix is dev, a snapshot taken at 8:15 pm UTC on 20th November 2024 would be called dev_2024-11-20T20:15:06.144783UTC.
Configure a replication schedule:
The scheduling fields provided enable you to set one frequency period and start time. If you want to configure more than one frequency and start time, you can add additional lines by clicking the Add Schedule button.
To set the start time, click in the Start at field and a calendar appears. Click the start date you want in the calendar and adjust the time.
When a protected path is active, it performs an initial data sync to the replication peer or S3 replication peer (if applicable) immediately after being created. The initial sync creates the first restore point. Therefore, the restore point created on the start date is in fact the second restore point.
To set a frequency period, select seconds, minutes, hours or days from the Period dropdown and enter the number of units in the Every field.
The minimum interval is 15 seconds.
If you want the protection policy to be indestructible, enable the Indestructible setting. This setting protects the policy and its snapshots from accidental or malicious deletion. For more information about indestructibility, see Keeping Indestructible Backups.
After saving the protection policy, you won't be able to delete the policy or disable its indestructibility without performing an authorized unlocking of the cluster's indestructibility mechanism.
If a replication peer is configured, the indestructibility property will be replicated to the peer.
Configure local snapshot retention:
If you do not want the policy to keep local snapshots, leave the keep local copy for field blank. Snapshots will be deleted immediately after they are replicated to the replication peer.
If you want the policy to retain local snapshots, set the keep local copy for period. This is the amount of time for which local snapshots will be retained on the local cluster.
If a replication peer is selected, set the keep remote copy for period. This is the amount of time restore points are retained on the replication peer.
This setting applies only to replication peers and not to S3 replication peers. Restore points are not deleted from S3 replication peers.
The policy is created and listed in the Protection Policies page.
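The snapshot naming and schedule described above make it possible to audit whether a policy is actually producing restore points on time. The following is an added example, not VAST code: it parses names of the form <prefix>_<timestamp> and reports gaps longer than the configured period. The timestamp digit layout is inferred from the dev_2024-11-20T20:15:06.144783UTC example, only the UTC suffix is handled, and the function names, the 5-minute tolerance and the sample listing are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# <prefix>_<timestamp><zzz>; digit layout inferred from the page's example name.
NAME_RE = re.compile(
    r"^(?P<prefix>.+)_(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6})(?P<tz>[A-Z]{3})$"
)
MIN_INTERVAL = timedelta(seconds=15)  # minimum schedule interval stated on the page


def parse_snapshot_name(name):
    """Split a snapshot name into (prefix, timezone-aware creation time)."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a <prefix>_<timestamp> name: {name!r}")
    if m["tz"] != "UTC":  # assumption: only the UTC suffix shown on the page is handled
        raise ValueError(f"unhandled timezone suffix in {name!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
    return m["prefix"], ts.replace(tzinfo=timezone.utc)


def find_gaps(names, prefix, period, tolerance=timedelta(minutes=5)):
    """Return (previous, next) creation times further apart than period + tolerance."""
    if period < MIN_INTERVAL:
        raise ValueError("period is below the 15-second minimum")
    times = []
    for name in names:
        try:
            found_prefix, ts = parse_snapshot_name(name)
        except ValueError:
            continue  # entries that are not policy snapshots are ignored
        if found_prefix == prefix:
            times.append(ts)
    times.sort()
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > period + tolerance]


# Constructed listing: daily midnight snapshots from July 1st, 2020; July 4th is missing.
SAMPLE_NAMES = [
    "dev_2020-07-01T00:00:00.120000UTC",
    "dev_2020-07-02T00:00:00.310000UTC",
    "dev_2020-07-03T00:00:00.090000UTC",
    "dev_2020-07-05T00:00:00.200000UTC",
    "qa_2020-07-04T00:00:00.150000UTC",  # different policy prefix, not counted
    "manual-copy",                        # not a policy snapshot name
]

if __name__ == "__main__":
    for a, b in find_gaps(SAMPLE_NAMES, "dev", timedelta(days=1)):
        print(f"no snapshot between {a.isoformat()} and {b.isoformat()}")
```

A gap reported for an indestructible policy is worth investigating promptly, since it means restore points are missing even though the policy itself could not have been removed.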
To modify the configuration of a protection policy, click to open the Actions menu for the policy and select Edit. Make your changes and then click Update.
You cannot add a replication peer to an existing protection policy that has no replication peer.
Modifying a protection policy that has the indestructible setting enabled requires that the indestructibility mechanism is unlocked on the cluster.
To remove a protection policy, click to open the Actions menu for the policy and select Remove. Click Yes to confirm the removal.
Removal of an indestructible protection policy requires first unlocking the cluster's indestructibility mechanism.
To manage protection policies via the VAST CLI, use the following commands.