IBM Cloud Docs
FAQs for Enterprise Backup for VPC


The following questions pertain to the VPC Backup service for Enterprise accounts. If you have other questions you'd like to see answered here, provide feedback by using the Open doc issue or Edit topic links after the FAQs.

What service-to-service authorizations are required?

To create a backup policy and plans and for the backup jobs to run correctly, multiple service-to-service authorizations are required. The IBM Cloud Backup for VPC service needs to be authorized to work with Block Storage for VPC, Block Storage Snapshots for VPC, and Virtual Server for VPC services. For more information, see Establishing service-to-service authorizations.

How can I tell whether authorizations are configured correctly?

When you log in to any of the child accounts in the UI, you can view the IAM authorizations by clicking Manage > Access (IAM) > Authorizations.

If any of the required authorizations are missing, the backup job fails. When the backup job fails for this reason, an error message is generated that looks like the following example.

Backup Policy Service for VPC: create backup-policy-job PlanID:r123-d4567 Enterprise sub-account missing S2S setup. AccountID a1234567 -failure

For more information, see Activity Tracker events.
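As an added example (not part of the IBM documentation), the following shell function scans event messages in the format shown above and reports which child accounts still need service-to-service authorizations. The sample messages, their IDs, and the function names are constructed for illustration.

```bash
# Added example: summarize backup job failures caused by missing
# service-to-service (S2S) authorizations, grouped by child account.

# Constructed sample messages. The first three follow the format of the
# error message shown above; the last is a constructed unrelated line.
sample_events() {
  cat <<'EOF'
Backup Policy Service for VPC: create backup-policy-job PlanID:r123-d4567 Enterprise sub-account missing S2S setup. AccountID a1234567 -failure
Backup Policy Service for VPC: create backup-policy-job PlanID:r123-d4567 Enterprise sub-account missing S2S setup. AccountID b7654321 -failure
Backup Policy Service for VPC: create backup-policy-job PlanID:r123-e8901 Enterprise sub-account missing S2S setup. AccountID a1234567 -failure
constructed unrelated event line that must be ignored
EOF
}

# Reads messages on stdin and prints one line per affected account:
#   <account_id> <failure_count> <comma-separated plan IDs>
missing_s2s_by_account() {
  awk '
    /missing S2S setup/ && /-failure *$/ {
      acct = ""; plan = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "AccountID" && i < NF) acct = $(i + 1)
        if ($i ~ /^PlanID:/)             plan = substr($i, 8)
      }
      if (acct == "") next            # malformed line: nothing to report
      count[acct]++
      if (plan != "" && !((acct, plan) in seen)) {
        seen[acct, plan] = 1          # list each plan once per account
        plans[acct] = (plans[acct] == "" ? plan : plans[acct] "," plan)
      }
    }
    END { for (a in count) print a, count[a], plans[a] }
  ' | sort
}

sample_events | missing_s2s_by_account
```

Each account ID in the output is a child account whose Authorizations page should be checked for the three required authorizations.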

How can I identify the number of resources a backup policy is applied to?

Currently, the number of resources that a backup policy is applied to can't be seen from the enterprise account. When you view the Backup policies for VPC page of the enterprise account in the console, you can click the name of the backup policy that was created for the account. Then, click the applied resources tab to view the list of volumes that the policy applies to. The list includes volumes that were created by users for the account. If the policy is an enterprise-wide policy, the list shows volumes of the enterprise account, and not the volumes of its child accounts. For more information, see Viewing the list of volumes that are associated to a backup policy in the UI.

One way to identify the volumes is to go to the child accounts and list their volumes and filter for the tag that the enterprise policy specified for target resources.

By using the API, you can make a GET /volumes request to list summary information about all volumes of an account and filter the response by the user_tags that associate the volumes to the backup policy. See the following example that lists all volumes with the dev:test tag.

curl -X GET "$vpc_api_endpoint/v1/volumes?version=2023-08-04&generation=2&user_tags=dev:test" \
-H "Authorization: $iam_token"

For more information, see Viewing all Block Storage for VPC volumes with the API.

From the CLI, you can run the ibmcloud is backup-policies command with the --tag option to list all the volumes that have the user tag that associates the volumes to the backup policy. See the following example.

ibmcloud is backup-policies --tag dev:test

For more information, see Listing all backup policies that are filtered by user tags from the CLI.

Where can I find all the backups created?

The backup snapshots are created at the child account level and volumes can be restored at the same child account level. Subaccounts have access to their own backups and not the backups that belong to other child accounts.

The enterprise administrator can make a GET /backup_policies/{backup_policy_id}/jobs request to the VPC API to see a consolidated view of all the backup jobs that belong to the enterprise account backup policy. For more information, see Viewing backup jobs.

How to identify the enterprise CRN?

When you want to create a backup policy for your enterprise account and all child accounts from the CLI or with the API, you need to fetch your enterprise account CRN.

To obtain the enterprise CRN programmatically, you need to make a GET /accounts/{accountID} request to the Enterprise API. See the following example.

curl -X GET "https://enterprise.cloud.ibm.com/v1/accounts/$ACCOUNT_ID" -H "Authorization: Bearer <IAM_Token>" -H 'Content-Type: application/json'

In the response, look for the "parent" CRN. The "parent" CRN contains the enterprise ID and the account ID.
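Added example, not from the IBM documentation: a shell helper that splits a "parent" CRN into its resource type, resource ID, and the account ID in its scope. It assumes the standard ten-segment CRN layout with the enterprise service name; the sample CRN and its IDs are constructed, and the function names are hypothetical.

```bash
# Added example: pull the enterprise ID and account ID out of a "parent" CRN.
# Assumed layout (standard CRN segments, colon-separated):
# crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource

# Constructed sample value; both IDs are made up.
SAMPLE_PARENT_CRN='crn:v1:bluemix:public:enterprise::a/0123456789abcdef0123456789abcdef::enterprise:fedcba9876543210fedcba9876543210'

# Prints "<resource_type> <resource_id> <account_id>".
# Returns 1 if the value is not a well-formed CRN of the enterprise service.
parse_parent_crn() {
  crn=$1
  old_ifs=$IFS
  IFS=:
  set -f            # no globbing while the CRN is split into fields
  set -- $crn
  set +f
  IFS=$old_ifs
  [ "$#" -eq 10 ] || return 1
  [ "$1" = "crn" ] || return 1
  [ "$5" = "enterprise" ] || return 1
  case $7 in
    a/?*) acct=${7#a/} ;;      # scope segment is "a/<account_id>"
    *)    return 1 ;;
  esac
  [ -n "$9" ] || return 1
  [ -n "${10}" ] || return 1
  printf '%s %s %s\n' "$9" "${10}" "$acct"
}

# Prints the enterprise ID only when the parent really is the enterprise.
# Assumption: a parent can be another resource type (for example an account
# group); its ID must not be used as the enterprise ID, so return 2.
enterprise_id_from_parent() {
  fields=$(parse_parent_crn "$1") || return 1
  rtype=${fields%% *}
  rest=${fields#* }
  [ "$rtype" = "enterprise" ] || return 2
  printf '%s\n' "${rest%% *}"
}

parse_parent_crn "$SAMPLE_PARENT_CRN"
```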

To obtain the enterprise CRN from the CLI, run the following command. The output lists the enterprise account name, ID, and CRN.

ibmcloud enterprise show

Obtain enterprise CRN in the UI

In the IBM Cloud console, go to the enterprise dashboard. From there, you can view the enterprise details, accounts, users, and billing information. For more information, see What is an enterprise.

Obtain enterprise CRN from the CLI

Run the following command to see the enterprise account name, ID, and CRN.

ibmcloud enterprise show

For more information, see the CLI reference for ibmcloud enterprise show.

Obtain enterprise CRN with the API

Make an API request to the Enterprise Management API like the following example.

curl -X GET "https://enterprise.cloud.ibm.com/v1/enterprises" -H "Authorization: Bearer <IAM_Token>" -H 'Content-Type: application/json'

For more information, see the API Spec for list enterprises.

What does the health state mean?

When you make a GET /backup_policies/{id} request, the API returns a health_state value as part of the information about the backup policy.

Table 1. Backup policy health states.

| Health state | Meaning |
|---|---|
| ok | No abnormal behavior was detected. |
| degraded | Experiencing compromised performance, capacity, or connectivity. |
| faulted | Unreachable, inoperative, or otherwise entirely incapacitated. |
| inapplicable | The health state does not apply because of the current lifecycle state. A resource with a lifecycle state of failed or deleting also has a health state of inapplicable. A pending resource can also have this state. |

For more information, see the API Spec for Retrieve a backup policy.

Can I change the scope of my backup policy to apply to all the accounts within the enterprise?

No, the scope cannot be changed for an existing backup policy. However, you can delete the old policy and create another with the enterprise-wide scope.