Getting started with VCF Part 12 – NSX Manager Backups

I kept seeing an orange banner when I log into my SDDC Manager displaying a warning about my NSX Manager being backed up to the SDDC  appliance rather than an external SFTP server. You may have spotted it in previous posts on VCF 3.9 already. I therefore decided to configure the NSX backups to use an external destination. The steps are very straight-forward but there are a few nuances which I will call out in this post.

First, here is the warning (not sure if it is readable, but it is essentially telling you that backing up NSX Manager to the SDDC Manager is not a good idea):

OK – let’s now configure an external SFTP server for backups to prevent the warning happening in the future.

Step 1. Create privileged vSphere user in Sddc_secured_access group

The backup configuration required a privileged user for authentication purposes. This is done in the vSphere Client, under Administration > Single Sign On > User and Groups.

First, create the privileged user:

And then add that privileged user to the group Sddc_secured_access:

Step 2. Setup SFTP user on destination FTP server/appliance

The Backup configuration requires Secure FTP (SFTP). It does not support simple or anonymous FTP. I used an Isilon appliance available in our lab for this purpose, and it was quite simple to enable the FTP service on it. In order to use SFTP on the Isilon, a dedicated user must be created on the array. This is pretty standard for SFTP, but on the Isilon array I also had to grant the SFTP user SSH privileges. After logging in, I created a sub-folder from the SFTP user’s home folder called SDDC_Backups. This is where the NSX Manager backups will be redirected.

Step 3. Get SSH Fingerprint from the array

We already saw how to get the SSH fingerprint is part 1 of this series, as we needed this from each ESXi host to build the management domain. Here is an example of the command again, but this time we are gettng the SSH Fingerprint from the SFTP server (or in my case, Isilon array). Keep this as it will be needed when we do the Backup configuration in the SDDC Manager Backup Configuration next.

chogan@chogan-a01 ~ % ssh-keyscan [ip address of host] 2>/dev/null | ssh-keygen -lf - | awk '{print $2}'
SHA256:ZleOMi6B3gSn43JEXrD6hfCJCgh1FPICngzYiTXykIk

Step 4. Update Backup Configuration in SDDC Manager

In the Backup Configuration in the SDDC Manager, the following fields now need populating:

  • IP: IP address of the SFTP server
  • Port: 22 (You can only set port 22 for SFTP)
  • Username: SFTP username (in my case, user on Isilon array)
  • Password: SFTP password
  • Backup Directory: Where to ship the NSX Manager backups to – note this must be a fully qualified, absolute path, not a relative path from the SFTP user’s home directory.
  • SSH Fingerprint: As captured in step 3 above
  • Encryption passphrase: Passphrase – must be greater than 12 characters
  • Privileged User name: As captured in step 1 above, needs to include domain of the user
  • Privileged Password: As captured in step 1 above

On saving the backup configuration, the SDDC Manager will automatically reconfigure the backup schedule to use the new backup configuration.

Regarding the backup directory setting, it seems that the configuration will accept a relative path, but the reconfiguration of the backup schedule will fail if it is relative and not absolute. Note that NSX-V seems to accept the relative path to the backup destination and can work with it, but NSX-T requires an absolute path to the backup destination. Both NSX-V and NSX-T accept an absolute path. An absolute path begins at the root folder, i.e. / so my backup destination is as follows – /ifs/home/sftp is the home directory of my sftp user, and SDDC-Backups is where I want the NSX Manager backups to be placed. This full path has to be added in the Backup Directory field. (full path has been slightly truncated by the UI):

And if the Backup Configuration has been successfully validated, you should see something like this when the save operation completes:

Here is the sort of error message that will be displayed if a relative path is used. NSX-T is unable to use it. It’s not easy to understand why this failed from the error, so you’ll need to check the logs.

The logs will report something similar to the following:

Caused by: com.vmware.vapi.std.errors.InvalidRequest: InvalidRequest \
(com.vmware.vapi.std.errors.invalid_request) => {
    messages = [],
    data = struct => {error_message=Field level validation errors: \
    {the value 'SDDC-Backups' is not a fully qualified directory path.}, \
    httpStatus=BAD_REQUEST, details=Field level validation errors: \
    {the value 'SDDC-Backups' is not a fully qualified directory path.}, \
    error_code=255, module_name=common-services}
}

This issue with absolute and relative paths has been raised internally, and will be addressed in a future update.

Step 5. Verify changes have taken effect

To ensure that the changes have taken effect, you can look in the management UI for both NSX-V and NSX-T. Here is the new configuration as viewed from my NSX-T manager. The Backup server, username and destination directory all reflect the entries that were placed in the SDDC Manager Backup Configuration.

There is also a backup status on the NSX-V Dashboard landing page.

Finally, we can check the SFTP server (my Isilon array) to see if the backups are now being redirected to this new location (if we wait long enough for the next set of backups to run):

Looks good to me! So a very straight forward process, but just make sure that the backup destination is a full/absolute path and not a relative path for NSX-T backups.

One Reply to “Getting started with VCF Part 12 – NSX Manager Backups”

  1. This is great stuff Cormac. Thank you. Your explanation about the full path to the SFTP folder for NSX-T is a life-saver. Thanks for posting this.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.