A protection policy is a reusable configuration that defines a schedule for taking snapshots and optionally replicating them to a specified native replication peer or S3 replication peer. It defines how long to retain local snapshots. If the purpose of a protection policy is remote backup to either S3 or a native replication peer without local snapshot retention, then this is achieved by defining no retention for local snapshots.
Once defined, a protection policy can be specified in the configuration of a protected path which protects a specific data path using the specified protection policy.
For example, you could set snapshots and S3 backup to be done on July 1st, 2020 at midnight and then once every day. Snapshots would be taken every day at midnight beginning July 1st and replicated to an S3 replication peer.
From the left navigation menu, select Data Protection and then Protection Policies.
Click + Create Protection Policy.
In the Add Protection Policy dialog, complete the fields:
Enter a name for the protection policy.
Optionally select either a replication peer or an S3 replication peer from the dropdown. This defines the peer as a target to which snapshots are copied.
To create a new native replication peer, see Managing Replication Peers.
To create a new S3 replication peer, see Managing S3 Replication Peers.
Enter a prefix for the snapshot names.
The name of each snapshot will be <prefix>_<timestamp>, where <prefix> is the prefix specified here and <timestamp> is the time the snapshot is created, in the format
(T denotes time and doesn't represent a value,
zzz is the timezone, and the time is accurate to the microsecond). For example, if the prefix is dev, a snapshot taken at 8:15 pm UTC on 20th November 2024 would be named dev_2024-11-20T20:15:06.144783UTC.
If you want to make the protection policy indestructible, enable the Indestructible setting. This setting protects the policy and its snapshots from accidental or malicious deletion. For more information about indestructibility, see Keeping Indestructible Backups.
After saving the protection policy, you won't be able to delete the policy or disable its indestructibility without performing a procedure for authorized unlocking of the cluster's indestructibility mechanism.
If a replication peer is configured, the indestructibility setting will be replicated to the peer.
Set up one or more replication schedules:
If you want to set up multiple schedules, click the Add Schedule button to display more scheduling fields in the dialog.
To set the start time, click in the Start at field. In the calendar that appears, click the start date you want and adjust the start time:
When a protected path is active, it performs an initial data sync to the replication peer or S3 replication peer (if applicable) immediately after being created. The initial sync creates the first restore point. Therefore, the restore point created on the start date is in fact the second restore point.
To set a period, select a time unit from the Period dropdown and enter the number of time units in the Every field.
The minimum interval is 15 seconds.
Configure local snapshot retention:
If you want to retain local snapshots, set the Keep local copy for period. This is the amount of time for which local snapshots are retained on the local cluster.
Select a time unit from the Period dropdown and enter the number of time units in the Keep local copy for field.
If a replication peer is selected, set the Keep remote copy for period. This is the amount of time restore points are retained on the replication peer.
This setting applies only to replication peers and not to S3 replication peers. Restore points are not deleted from S3 replication peers.
The protection policy is created and listed in the Protection Policies page.
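Once a policy is running, the snapshot names alone are enough to check that it is producing what its schedule and retention settings promise. The following is an added example, not part of the original page or the product: it parses <prefix>_<timestamp> names and reports gaps, a stopped schedule, or a truncated retention window. Assumptions: the timestamp layout is inferred from the example name above, only the UTC suffix is handled, and the function names and sample names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Pattern inferred from the page's example dev_2024-11-20T20:15:06.144783UTC
# (assumption: only the UTC suffix is handled here).
NAME_RE = re.compile(r"^(?P<prefix>.+)_(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6})UTC$")

def parse_snapshot_name(name):
    """Split <prefix>_<timestamp> into (prefix, timezone-aware datetime)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a <prefix>_<timestamp> name: {name!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
    return m["prefix"], ts.replace(tzinfo=timezone.utc)

def audit(names, prefix, start, period, keep_local, now, slack=timedelta(minutes=5)):
    """Compare the snapshots present with what the policy should have produced."""
    times, other = [], []
    for name in names:
        try:
            found_prefix, ts = parse_snapshot_name(name)
        except ValueError:
            found_prefix, ts = None, None
        if found_prefix == prefix:
            times.append(ts)
        else:
            other.append(name)
    times.sort()
    limit = period + slack
    window_start = max(start, now - keep_local)  # oldest snapshot still retained
    return {
        # consecutive snapshots further apart than one period: failed or removed
        "gaps": [(a, b) for a, b in zip(times, times[1:]) if b - a > limit],
        # newest snapshot older than one period: schedule has stopped
        "stale": not times or now - times[-1] > limit,
        # oldest snapshot starts late: the retained window is truncated
        "head_missing": not times or times[0] - window_start > limit,
        "other_names": other,
    }

# Constructed sample: daily policy, prefix "dev", 3-day local retention.
UTC = timezone.utc
SAMPLE_NAMES = [
    "dev_2024-11-22T00:00:00.120000UTC",
    "qa_2024-11-23T00:00:00.000001UTC",   # belongs to another policy
    "dev_2024-11-24T00:00:00.090000UTC",  # 2024-11-23 snapshot is absent
    "manual-copy",
]
REPORT = audit(SAMPLE_NAMES, "dev", start=datetime(2020, 7, 1, tzinfo=UTC),
               period=timedelta(days=1), keep_local=timedelta(days=3),
               now=datetime(2024, 11, 24, 0, 10, tzinfo=UTC))
```

How the list of snapshot names is obtained from the cluster is outside this example; any export of the names can be fed to audit().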
To modify the configuration of a protection policy, click to open the Actions menu for the policy and select Edit. Make your changes and then click Update.
You cannot add a replication peer to an existing protection policy that has no replication peer.
Modifying a protection policy that has the indestructible setting enabled requires that the indestructibility mechanism is unlocked on the cluster.
To remove a protection policy, click to open the Actions menu for the policy and select Remove. Click Yes to confirm the removal.
Removal of an indestructible protection policy requires first unlocking the cluster's indestructibility mechanism.
To manage protection policies via the VAST CLI, use the following commands.