Back up your data to the cloud using Bacula Enterprise and Object Storage

The Oracle Cloud Infrastructure Object Storage service is an internet-scale, high-performance storage platform that offers reliable and cost-efficient data durability. The Object Storage service can store an unlimited amount of unstructured data of any content type, including analytic data and rich content, like images and videos.

Oracle Cloud Infrastructure Object Storage provides a standard tier for data that's frequently accessed and requires faster retrieval time, an infrequent access tier for data that's accessed infrequently and isn't sensitive to retrieval time, and an archive tier for long-term storage. You can use cross-region replication for disaster recovery scenarios. You can also configure lifecycle management policies on Oracle Cloud Infrastructure Object Storage to move files to the infrequent access tier, delete files that meet lifecycle rules, and perform other operations that reduce storage costs. For more information, see Overview of Object Storage in the Explore More section.

Object Storage also supports private access from Oracle Cloud Infrastructure (OCI) resources in a VCN through a service gateway. A service gateway allows connectivity to the Object Storage public endpoints from private IP addresses in private subnets. For example, you can back up database systems to an Object Storage bucket over the OCI backbone instead of over the internet. For more information, see Access to Oracle Services: Service Gateway in the Explore More section.

With a service as robust as Object Storage handling data storage and archiving, we still need processes that integrate with it and automate its use. This solution presents a reference architecture for running the Bacula Enterprise backup tool on Oracle Cloud and shows how users can take advantage of this tool to implement their own backup and storage resources through integration with Object Storage.

Architecture

Bacula is software that allows system administrators to manage backup, restore, and verification of data from computers in a mixed system network. Because it is so flexible, Bacula is considered a backup framework that can be implemented in a wide variety of corporate structures.

Bacula Enterprise supports both the Standard and Archive tier in Oracle Cloud Object Storage. Regarding the Archive Storage, the user needs to retrieve the necessary volumes for a restore manually via OCI web console or CLI in advance, before submitting the Bacula restore operation. This could also be automated by scripts.
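
One way to script the Archive-tier step described above, as an added example that is not Oracle's or Bacula's own code: it reads an object listing, works out which parts of the needed volumes must still be restored from Archive, and builds the `oci os object restore` calls. The bucket name, volume names, and the `<VolumeName>/part.N` object layout are assumptions.

```python
import json
import shlex

# Constructed sample shaped like `oci os object list` JSON output with the
# storage tier and archival state fields included. Object names assume a
# "<VolumeName>/part.N" layout (an assumption; check your own bucket).
SAMPLE_LISTING = json.dumps({"data": [
    {"name": "Vol-0001/part.1", "storage-tier": "Archive", "archival-state": "Archived"},
    {"name": "Vol-0001/part.2", "storage-tier": "Archive", "archival-state": "Restoring"},
    {"name": "Vol-0002/part.1", "storage-tier": "Archive", "archival-state": "Restored"},
    {"name": "Vol-0003/part.1", "storage-tier": "Standard", "archival-state": None},
    {"name": "Vol-0009/part.1", "storage-tier": "Archive", "archival-state": "Archived"},
]})


def plan_restore(listing_json, bucket, volumes, hours=24):
    """Classify the objects of the volumes a restore job needs."""
    plan = {"restore": [], "wait": [], "ready": []}
    for obj in json.loads(listing_json)["data"]:
        name = obj["name"]
        if name.split("/", 1)[0] not in volumes:
            continue  # volume not needed for this restore job
        state = obj.get("archival-state")
        if obj.get("storage-tier") != "Archive" or state == "Restored":
            plan["ready"].append(name)    # readable right now
        elif state == "Restoring":
            plan["wait"].append(name)     # restore already requested
        else:
            plan["restore"].append(name)  # still archived, request a restore
    # --hours is how long the restored copy stays readable
    plan["commands"] = [
        ["oci", "os", "object", "restore", "--bucket-name", bucket,
         "--name", name, "--hours", str(hours)]
        for name in plan["restore"]
    ]
    return plan


def ready_for_bacula_restore(plan):
    """Submit the Bacula restore only when every needed part is readable."""
    return not plan["restore"] and not plan["wait"]


if __name__ == "__main__":
    plan = plan_restore(SAMPLE_LISTING, "bacula-archive", {"Vol-0001", "Vol-0002"})
    for argv in plan["commands"]:
        print(shlex.join(argv))
    print("submit Bacula restore now:", ready_for_bacula_restore(plan))
```

Archive restores are asynchronous, so a wrapper would re-list the bucket and re-check `ready_for_bacula_restore` before starting the Bacula job.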

With Bacula Enterprise, it is possible to back up a large number of different applications with plug-ins for VMs (VMware, Hyper-V, KVM, Xen, Proxmox, and so on), for databases (MySQL, PostgreSQL, Oracle DB, SAP, SQL Server, Active Directory, LDAP, MongoDB, and so on), and for several other tools like Microsoft 365, Google Workspace, Docker, Kubernetes, Hadoop HDFS, Linux and Windows Bare Metal, Zimbra, MS Exchange, SharePoint, and Cloud (Oracle, Amazon Glacier, Google, Azure, Swift and S3).

The Bacula catalog is also compatible with OCI MySQL as a service, providing maximum protection against ransomware, including automatic self-backup.

The requirements for installing Bacula Enterprise are:
  • A 64-bit server with CentOS, RHEL, SUSE, Oracle Linux 8 (or equivalent), with 32 GB RAM, 2 OCPUs and 250 GB for the Bacula backup server and catalog.
  • NAS and/or additional disks must be mounted for backup storage (if applicable). 10 Gigabit or Multi-Gigabit bonding interfaces are recommended. If using Global Deduplication, a small SSD area for deduplication indexes on the Bacula server is required for higher backup performance (2% of the rotational area size).
  • Bacula Server Firewall Ports (inbound TCP): 9101, 9102, 9103 and 9180. Bacula Client Ports: 9102.
  • Installation of the backup server, clients and hypervisors requires root access, or Administrator access on Windows.
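
A check for the firewall requirement above, as an added example that is not part of the original page: it audits a security list's ingress rules for the four Bacula server ports and flags rules that are open to the internet, wider than needed, or missing a port. The rule shape follows the `ingress-security-rules` array in OCI CLI security list JSON; the CIDRs and function name are constructed for illustration.

```python
import json

BACULA_SERVER_PORTS = {9101, 9102, 9103, 9180}  # inbound TCP ports listed above

# Constructed sample: ingress rules shaped like the "ingress-security-rules"
# array in the OCI CLI's security list JSON. All CIDRs are made up.
SAMPLE_RULES = json.loads("""[
 {"protocol": "6", "source": "10.0.0.0/16",
  "tcp-options": {"destination-port-range": {"min": 9101, "max": 9103}}},
 {"protocol": "6", "source": "0.0.0.0/0",
  "tcp-options": {"destination-port-range": {"min": 9180, "max": 9180}}},
 {"protocol": "6", "source": "192.168.10.0/24",
  "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
 {"protocol": "all", "source": "10.0.5.0/24", "tcp-options": null}
]""")


def audit_ingress(rules):
    """Return (rule_index, finding, detail) tuples for the Bacula server ports."""
    findings, covered = [], set()
    for idx, rule in enumerate(rules):
        if rule["protocol"] not in ("6", "all"):  # "6" is TCP
            continue
        rng = (rule.get("tcp-options") or {}).get("destination-port-range")
        lo, hi = (rng["min"], rng["max"]) if rng else (1, 65535)  # no range = all ports
        hit = sorted(p for p in BACULA_SERVER_PORTS if lo <= p <= hi)
        if not hit:
            continue  # rule does not touch a Bacula port
        covered.update(hit)
        if rule["source"] == "0.0.0.0/0":
            findings.append((idx, "open-to-internet", hit))
        if hi - lo + 1 > len(hit):
            findings.append((idx, "range-wider-than-needed", [lo, hi]))
    missing = sorted(BACULA_SERVER_PORTS - covered)
    if missing:
        findings.append((None, "not-allowed-by-this-list", missing))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES):
        print(finding)
```

A security list is only one layer; network security groups attached to the instance can also allow traffic and need the same review.
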
With Bacula you can execute the following tasks:
  • Back up and restore data to and from OCI Object Storage using CLI or BWeb interface.
  • Centralized management (operation, configuration and monitoring) through a multi-user web graphical interface.
  • Native network traffic limit functionality for backups.
  • Authentication of backup services through password and cryptographic key.
  • Use the compatibility feature with OCI Object Storage Retention Rules, which provide immutable, WORM-compliant storage options for data written to Object Storage for data governance, regulatory compliance, and legal hold requirements. This feature is also fundamental to protect against ransomware and human errors.
For more information on Bacula Enterprise, see Bacula Enterprise Overview in the Explore More section.

The following diagrams illustrate reference architectures showing the use of Bacula Enterprise for backup and restore where Bacula Server can be either on-premises or Cloud. The backups are stored in Object Storage and the traffic flows through a private connection using FastConnect or Site-to-Site VPN and DRG integration with Service Gateway.

The following diagram illustrates the reference architecture for Bacula Enterprise - Backup to OCI Object Storage and Backup restore to OCI VM.



oci-bacula-backup-restore-oracle.zip

The architecture shows a process where Bacula (running in an on-premises environment) is accessed through the CLI or BWeb interface to send a backup command integrating Bacula with OCI Object Storage. Once the integration and configuration are complete, the job starts and the file is transferred to a bucket in OCI Object Storage using a private connection with FastConnect or Site-to-Site VPN and DRG integration with Service Gateway. After that, a similar process is executed using the restore feature to send the file from OCI Object Storage to a Block Volume attached to a Virtual Machine.

The following diagram illustrates the reference architecture for Bacula Enterprise - Backup to OCI Object Storage (Cloud only). The image shows a process where Bacula (now running in Oracle Cloud) is again accessed through the CLI or BWeb interface to send a backup command integrating Bacula with OCI Object Storage. As in the previous architecture, after the integration and configuration are complete, the job starts and the file is transferred to a bucket in OCI Object Storage. Because the full scenario is already in OCI, the transfer uses the Service Gateway directly.



oci-bacula-backup-object-storage-oracle.zip

The following diagram illustrates the reference architecture for Bacula Enterprise - Restore to OCI (Cloud only). After the backup is completed as described in the previous image, a similar process is executed as shown in the following image using the restore feature to send the file from OCI Object Storage to a Block Volume attached to a Virtual Machine.



oci-bacula-restore-oracle.zip

The architecture has the following components:

  • Tenancy

    A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Compartment

    Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

  • Availability domains

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

  • Network Connectivity

    To enable your administrators to manage the environment, you can connect to your existing on-premises infrastructure by using site-to-site IPSec VPN connections or dedicated Oracle Cloud Infrastructure FastConnect circuits. Utilize the private endpoint option to enable private access to services within Oracle Cloud Infrastructure. Private access means that traffic does not go over the Internet.

  • Dynamic routing gateway (DRG)

    The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.

  • Virtual Machine (VM)

    A virtual machine (VM) is an independent computing environment that runs on top of physical bare metal hardware. The virtualization makes it possible to run multiple VMs that are isolated from each other. VMs are ideal for running applications that do not require the performance and resources (CPU, memory, network bandwidth, storage) of an entire physical machine. An Oracle Cloud Infrastructure VM compute instance runs on the same hardware as a bare metal instance, leveraging the same cloud-optimized hardware, firmware, software stack, and networking infrastructure.

  • Block volume

    With block storage volumes, you can create, attach, connect, and move storage volumes, and change volume performance to meet your storage, performance, and application requirements. After you attach and connect a volume to an instance, you can use the volume like a regular hard drive. You can also disconnect a volume and attach it to another instance without losing data.

Recommendations

Use the following recommendations as a starting point. Your requirements might differ from the architecture described here.
  • VCN

    When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.

    Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.

    After you create a VCN, you can change, add, and remove its CIDR blocks.

    When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.

    Use regional subnets.

  • Routing

    To implement transit routing directly through gateways (DRG to Service Gateway to Object Storage), see the following documentation links in the Explore More section:

    • Private Access to Oracle Service
    • Connect from on-premise to Object Storage via FastConnect

Considerations

Consider the following points when deploying this reference architecture.

  • Performance

    Depending on the amount of data, you can use Oracle Cloud Infrastructure FastConnect or IPSec VPN to manage costs. For faster access, you can use the Object Storage Standard tier to store files that you need frequently.

  • Security

    By default, Oracle Cloud provides encryption of all objects stored in Object Storage buckets. For extra security, you can choose to encrypt these objects using customer-managed keys.

  • Availability

    Object Storage is highly available. However, you can choose to configure cross-region replication to protect against unlikely regional outages.

  • Cost

    Pricing varies depending on which Object Storage tier you choose. So, carefully consider the appropriate tier. Moreover, some objects have retention requirements, and violating the requirements can trigger extra charges. For these requirements and costs, see Overview of Object Storage in the Explore More section.

Acknowledgments

  • Author: Arthur Vianna
  • Contributors: Heitor Faria, Adriano Tanaka, Henrique Ferro