Back up Azure Database for PostgreSQL by using the Azure portal

This article describes how to back up an Azure Database for PostgreSQL server by using the Azure portal. You can also create a backup policy and configure backup for PostgreSQL databases by using the REST API.

Before you begin, review the supported configurations, feature considerations, and known limitations, along with frequently asked questions.

Configure a backup on PostgreSQL databases

You can configure a backup on multiple PostgreSQL databases across multiple Azure Database for PostgreSQL servers. To configure this kind of backup by using Azure Backup, follow these steps:

  1. Go to Backup vault, select a vault, and then select Backup.

    Screenshot that shows the button for adding a backup.

    Alternatively, you can go to this page from the Backup center.

  2. On the Basics tab, enter the required information.

    Screenshot that shows the tab for entering basic backup information.

  3. On the Backup policy tab, select or create a policy that defines the backup schedule and the retention duration.

    Screenshot that shows the option to add a backup policy.

  4. On the Datasources tab, select Add/Edit.

    Screenshot that shows the button for adding or editing a PostgreSQL database.

  5. On the Select resources to backup pane, choose one of the Azure Database for PostgreSQL servers. You can choose servers across subscriptions if they're in the same region as the vault. Select the arrow to show the list of databases within a server.

    Screenshot that shows the pane for choosing an Azure Database for PostgreSQL server.

    Note

    You don't need to back up the databases azure_maintenance and azure_sys. Additionally, you can't back up a database that's already backed up to a Backup vault.

    You can back up private endpoint-enabled Azure Database for PostgreSQL servers by allowing trusted Microsoft services in the network settings.

  6. Select Assign key vault to select a key vault that stores the credentials for connecting to the selected database. You should have already created the relevant secrets in the key vault.

    To assign the key vault at the individual row level, click Select a key vault and secret. You can also assign the key vault by selecting multiple rows and then selecting Assign key vault on the action menu.

    Screenshot that shows selections for assigning a key vault.

  7. To specify the secret information, use one of the following options:

    • Enter secret URI: Use this option if the secret URI is shared or known to you. You can get the secret URI from the key vault by selecting a secret and then copying the Secret Identifier value.

      Screenshot that shows how to get a secret URI.

      However, with this option, Azure Backup has no visibility into the key vault that you referenced. Access permissions on the key vault can't be granted inline. For the backup operation to succeed, the backup admin, along with the PostgreSQL and/or key vault admin, needs to ensure that the Backup vault's access on the key vault is granted manually outside the configure backup flow.

    • Select from key vault: Use this option if you know the key vault and secret names. Then click Select a key vault and secret and enter the details.

      Screenshot that shows selections for assigning a secret store.

      Screenshot that shows the selection of a secret from Azure Key Vault.

      With this option, you (as a backup admin with write access on the key vault) can grant the access permissions on the key vault inline. The key vault and the secret could preexist or be created on the go.

      Ensure that the secret is the Azure Database for PostgreSQL server's connection string in ADO.NET format. The string must be updated with the credentials of the database user who has backup privileges on the server. Learn more about how to create secrets in the key vault.

  8. After you finish updating the information for the key vault and the secret, the validation starts.

    The Azure Backup service validates that it has all the necessary access permissions to read secret details from the key vault and connect to the database. During this process, the status of the chosen data sources on the Configure Backup pane appears as Validating.

    Screenshot that shows the in-progress validation of secrets.

    If one or more access permissions are missing, the service displays one of the following error messages:

    • User cannot assign roles: This message appears when you (as the backup admin) don't have the write access on the Azure Database for PostgreSQL server and/or key vault to assign missing permissions as listed under View details.

      Download the assignment template by selecting the Download role assignment template button on the action menu, and then have the PostgreSQL and/or key vault admin run it. It's an Azure Resource Manager template that helps you assign the necessary permissions on the required resources.

      Screenshot that shows the option to download a role assignment template.

      After the template is run successfully, select Re-validate on the Configure Backup pane.

    • Role assignment not done: This message appears when you (as the backup admin) have write access on the Azure Database for PostgreSQL server and/or key vault to assign missing permissions as listed under View details. Use the Assign missing roles button on the action menu to grant permissions on the Azure Database for PostgreSQL server and/or the key vault inline.

      Screenshot that shows the error about the role assignment not done.

  9. Select Assign missing roles on the action menu and assign roles. After the process starts, the missing access permissions on the key vault and/or the Azure Database for PostgreSQL server are granted to the Backup vault. In the Scope area, you can define the scope at which the access permissions should be granted. When the action is complete, revalidation starts.

    Screenshot that shows the button for assigning missing roles.

    Screenshot that shows the box for defining the scope of access permissions.

    The Backup vault accesses secrets from the key vault and runs a test connection to the database to validate that the credentials were entered correctly. The privileges of the database user are also checked to see if the database user has backup-related permissions on the database.

    If a low-privileged user doesn't have backup/restore permissions on the database, the validations fail. A PowerShell script is dynamically generated for each record or selected database. Run the PowerShell script to grant these privileges to the database user on the database. Alternatively, you can assign these privileges by using the pgAdmin or PSQL tool.

    Screenshot that shows a Backup vault accessing secrets from a key vault.

    Screenshot that shows the process to start a test connection.

    Screenshot that shows how to provide user credentials to run a test connection.

  10. When Backup readiness shows Success, select the Review and configure tab to proceed to the last step of submitting the operation.

    Screenshot that shows the backup readiness is successful.

    Screenshot that shows the tab for reviewing a backup configuration.

  11. Select Configure backup. Then, track the progress on the Backup instances pane.

    Screenshot that shows the details for a configured backup.

Create a backup policy

You can create a backup policy during the flow for configuring a backup. Alternatively, go to Backup center > Backup policies > Add.

  1. On the Create Backup Policy pane, on the Basics tab, enter a name for the new policy.

    Screenshot that shows the box for a policy name on the pane for creating a backup policy.

  2. On the Schedule and retention tab, define the backup schedule.

    Currently, only the weekly backup option is available. However, you can schedule the backups on multiple days of the week.

  3. Select Add retention rule to define retention settings.

    You can add one or more retention rules. Each retention rule assumes inputs for specific backups, along with the datastore and retention duration for those backups.

  4. To store your backups in one of the two datastores (or tiers), select Vault-standard or Vault-archive (preview).

  5. To move the backup to the archive datastore upon its expiry in the backup datastore, select On-expiry.

    Screenshot that shows the selected option to move a backup to the archive datastore upon its expiry.

    Note

    The Default retention rule is applied in the absence of any other retention rule. It has a default value of three months.

    In the backup datastore, retention duration ranges from seven days to 10 years.

    In the archive datastore, retention duration ranges from six months to 10 years.

  6. Select Add, and then finish the process of reviewing and creating the policy.

Retention rules are evaluated in a predetermined order of priority. The priority is the highest for the yearly rule, followed by the monthly rule, and then the weekly rule.

Default retention settings apply when no other rules qualify. For example, the same recovery point might be the first successful backup taken every week, along with the first successful backup taken every month. However, because the priority of the monthly rule is higher than the priority of the weekly rule, the retention that corresponds to the first successful backup taken every month applies.
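The priority order described above can be traced on a small schedule. The following is an added example, not code from Azure Backup: the dates and retention lengths are constructed, and it assumes Monday-based ISO weeks as the week boundary.

```python
from datetime import date

# Highest priority first, as stated above: yearly, then monthly, then weekly.
PRIORITY = ("yearly", "monthly", "weekly")

# Constructed policy and schedule (Wednesday and Sunday backups, protection
# starting on 2024-01-03). The default of three months is from the article.
POLICY = {"yearly": "10 years", "monthly": "12 months",
          "weekly": "12 weeks", "default": "3 months"}
SAMPLE_DAYS = [date(2024, 1, 3), date(2024, 1, 7), date(2024, 1, 10),
               date(2024, 1, 14), date(2024, 2, 4), date(2024, 2, 7)]


def tag_recovery_points(backup_days, retention):
    """Map each successful backup date to (winning rule, retention).

    retention holds only the rules present in the policy, plus 'default'.
    """
    seen = {rule: set() for rule in PRIORITY}
    result = {}
    for day in sorted(backup_days):
        iso_year, iso_week, _ = day.isocalendar()
        period = {
            "yearly": day.year,
            "monthly": (day.year, day.month),
            "weekly": (iso_year, iso_week),  # assumption: ISO week boundary
        }
        # A point qualifies for a rule when it is the first successful
        # backup in that rule's period.
        qualifies = [r for r in PRIORITY if period[r] not in seen[r]]
        for r in PRIORITY:
            seen[r].add(period[r])
        # The highest-priority qualifying rule that the policy defines wins;
        # if none qualifies, the default retention applies.
        winner = next((r for r in qualifies if r in retention), "default")
        result[day] = (winner, retention[winner])
    return result


if __name__ == "__main__":
    for day, (rule, keep) in tag_recovery_points(SAMPLE_DAYS, POLICY).items():
        print(day, rule, keep)
```

The 2024-02-04 point is both the first backup of its week and the first of its month, so it is kept under the monthly rule, which is the case the paragraph above describes.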

Create a secret in the key vault

The secret is the Azure Database for PostgreSQL server connection string in ADO.NET format. It's updated with the credentials of the database user who's granted the backup privileges on the server.

Screenshot that shows the Azure Database for PostgreSQL server connection string as a secret.

Copy the connection string from the Azure Database for PostgreSQL server. Use a text editor to update the user ID and password.

Screenshot that shows the pane for creating a secret and a Notepad file that contains a connection string.
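Because the connection string is edited by hand before it's stored as a secret (here and in step 7 of the configuration flow), a quick check before saving catches unedited placeholders and over-privileged credentials. The following is an added example, not part of the Azure Backup tooling: the server, user and password values are constructed, and the admin-login and `Ssl Mode` checks are hardening assumptions rather than requirements stated in this article.

```python
import re

# Keys expected in the ADO.NET-style string (assumed from the samples below).
REQUIRED = ("server", "database", "port", "user id", "password")
PLACEHOLDER = re.compile(r"^\{.*\}$")  # e.g. {your_password} left unedited

# Constructed sample values, not real servers or credentials.
GOOD = ("Server=contoso-pg.postgres.database.azure.com;Database=appdb;"
        "Port=5432;User Id=backupuser@contoso-pg;Password=Example-Only-1!;"
        "Ssl Mode=Require;")
BAD = ("Server=contoso-pg.postgres.database.azure.com;Database={your_database};"
       "Port=5432;User Id=pgadmin@contoso-pg;Password={your_password};")


def parse_ado_net(conn):
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased keys.

    Quoted values that contain ';' are not handled by this simple parser.
    """
    fields = {}
    for part in conn.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"segment without '=': {part!r}")
        fields[key.strip().lower()] = value.strip()
    return fields


def check_secret(conn, admin_login):
    """Return a list of findings; an empty list means the string passed."""
    fields = parse_ado_net(conn)
    findings = []
    for key in REQUIRED:
        value = fields.get(key, "")
        if not value:
            findings.append(f"missing {key}")
        elif PLACEHOLDER.match(value):
            findings.append(f"placeholder left in {key}")
    # Least privilege: the secret should hold a dedicated backup user.
    user = fields.get("user id", "").split("@")[0]
    if user and user.lower() == admin_login.lower():
        findings.append("uses the server admin login")
    if fields.get("ssl mode", "").lower() not in ("require", "verifyca", "verifyfull"):
        findings.append("Ssl Mode does not enforce TLS")
    return findings
```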

Run the PowerShell script to grant privileges to database users

The PowerShell script that's dynamically generated during the process of configuring a backup accepts the database user as the input, along with the PostgreSQL admin credentials, to grant the backup-related privileges to the database user on the database.

To run the script, make sure that the PSQL tool is on the machine. Also make sure that the PATH environment variable is set appropriately to the PSQL tool's path:

  1. Open Edit the system environment variables in Control Panel.

    Screenshot that shows a search for the Control Panel item to edit system environment variables.

  2. In System Properties > Advanced, select Environment Variables.

    Screenshot that shows the button for setting environment variables in System Properties.

  3. The default environment variables appear.

    Screenshot that shows default environment variables.

    Use the Edit button to set the variables that you need.

    Screenshot that shows the environment variables that you need to set.

To allow network connectivity, ensure that the Connection Security settings in the Azure Database for PostgreSQL instance include the IP address of the machine in the allowlist.

Run an on-demand backup

To trigger a backup that's not in the schedule specified in the policy:

  1. Go to Backup instances and select Backup Now.

    Screenshot that shows the pane for backup instances, including the Backup Now button.

  2. Choose from the list of retention rules that the associated backup policy defined.

    Screenshot that shows retention rules that were defined in a backup policy.

Track a backup job

The Azure Backup service creates a job for tracking when a scheduled backup runs or when you trigger an on-demand backup operation. To view the backup job's status:

  1. Go to the Backup instances pane. It shows the Jobs dashboard with the operations and statuses for the past seven days.

    Screenshot that shows the jobs dashboard.

  2. Select View All to display ongoing and past jobs of this backup instance.

    Screenshot that shows the button for displaying ongoing and past jobs.

  3. Review the list of backup and restore jobs and their statuses. Select a job to view its details.

    Screenshot that shows the details for a selected job.