Automate Your Azure Disk Kubernetes Volume Backup
Azure Kubernetes Service uses Azure Disks as the default persistent volume storage option. If your persistent container-based application is business critical, chances are you want to regularly back up the disk volume. Microsoft’s best practice guidance suggests using either disk snapshots or a third-party tool called Velero. Personally, I leaned towards the use of the built-in Azure snapshot mainly for simplicity’s sake. The main drawback of the disk snapshot method is that it isn’t automated. Here’s a solution to work around this limitation.
Don’t Have The Right Tool? Then Build It! 🔧
Automating a task in Kubernetes is pretty simple: just use the built-in CronJob resource to define a time-based scheduled task. Now, how do I execute an Azure disk snapshot from a CronJob’s container? Well, I built a .NET Core CLI tool for that called az-snapshot-tool. With the help of the tool, you can create a snapshot in a few lines:
dotnet tool install --global dotnet-az-snapshot-tool
az-snapshot-tool create --tenantId xxx --subscriptionId xxx --resourceGroup myRg --diskName myDisk
Now that we have a tool to simplify the creation of disk snapshots, we can make use of the CronJob resource to schedule a recurring job:
Here’s what we can extract from the above yaml:
- The cron schedule is “daily”. Here’s the documentation about how you can configure the cron expression to your needs.
- We’re using the .NET Core SDK image to install and run the CLI tool. You could be tempted to use the lighter runtime image, but it won’t allow you to install .NET tools.
- The argument “-l” or “--retainLimit” passed to the tool limits the retained snapshots to the 7 latest ones. In this case, this is equal to 7 days/1 week. Older snapshots will be removed.
- Authentication credentials are provided through environment variables (AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET). You can use other credential types. The tool uses DefaultAzureCredential, which tries multiple different credential types in order of precedence. For example, you could set up aad-pod-identity and the tool will pick up the credentials automatically.
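A CronJob manifest matching the points above, written as an added example rather than the post's own manifest. It reads the three credential variables from a Kubernetes Secret via `secretKeyRef` so the client secret never appears in the manifest. The CronJob name, the Secret name and its keys, the image tag, and the use of `--retainLimit` on the `create` command are assumptions.

```yaml
# Added example, not the original manifest. Items marked "assumed" are not from the post.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: disk-snapshot                      # assumed name
spec:
  schedule: "@daily"                       # once a day at midnight
  concurrencyPolicy: Forbid                # never run two snapshot jobs at the same time
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3                # keep failed jobs around for troubleshooting
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          restartPolicy: Never
          automountServiceAccountToken: false   # the job does not call the Kubernetes API
          containers:
            - name: az-snapshot-tool
              image: mcr.microsoft.com/dotnet/sdk:6.0   # SDK image; tag is assumed
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -e
                  dotnet tool install --global dotnet-az-snapshot-tool
                  # Global tools are installed under $HOME/.dotnet/tools
                  export PATH="$PATH:$HOME/.dotnet/tools"
                  # xxx, myRg and myDisk are the post's placeholders
                  az-snapshot-tool create \
                    --tenantId "$AZURE_TENANT_ID" \
                    --subscriptionId xxx \
                    --resourceGroup myRg \
                    --diskName myDisk \
                    --retainLimit 7
              env:
                # Secret "az-snapshot-credentials" and its keys are assumed;
                # it must exist in the same namespace as the CronJob.
                - name: AZURE_TENANT_ID
                  valueFrom:
                    secretKeyRef: {name: az-snapshot-credentials, key: tenantId}
                - name: AZURE_CLIENT_ID
                  valueFrom:
                    secretKeyRef: {name: az-snapshot-credentials, key: clientId}
                - name: AZURE_CLIENT_SECRET
                  valueFrom:
                    secretKeyRef: {name: az-snapshot-credentials, key: clientSecret}
```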
There you go! Let me know of any issues and/or improvements through the GitHub repository.
Cheers! 🍻