Backup Strategy Across Clouds
Design backup strategies across clouds: native services, cross-cloud patterns, RPO/RTO planning, and immutable backups.
Prerequisites
- Understanding of backup concepts (RPO, RTO, retention)
- Familiarity with at least one cloud provider's backup tools
Backup Strategy Fundamentals
A comprehensive backup strategy is non-negotiable for production cloud environments. Data loss from accidental deletion, ransomware, application bugs, or infrastructure failures can devastate a business. Each cloud provider offers native backup services with different capabilities, retention limits, and pricing models. In multi-cloud environments, you need a unified backup strategy that works consistently across providers while leveraging each cloud's native strengths.
This guide covers the backup services offered by AWS, Azure, GCP, and OCI, explains RPO (Recovery Point Objective) and RTO (Recovery Time Objective) planning, compares cross-cloud backup patterns, and provides Terraform configurations for automated backup policies.
RPO vs RTO
RPO (Recovery Point Objective): Maximum acceptable data loss measured in time. An RPO of 1 hour means you can tolerate losing up to 1 hour of data.
RTO (Recovery Time Objective): Maximum acceptable downtime before services are restored. An RTO of 15 minutes means you need services back online within 15 minutes of a failure.
Together, RPO and RTO determine your backup frequency, method, and infrastructure requirements.
Native Backup Services Compared
| Feature | AWS Backup | Azure Backup | GCP Backup & DR |
|---|---|---|---|
| Supported services | EC2, EBS, RDS, DynamoDB, EFS, FSx, S3, DocumentDB | VMs, SQL, Blobs, Files, Disks, AKS, PostgreSQL | Compute Engine, Cloud SQL, GKE, Filestore |
| Centralized management | AWS Backup (single console) | Recovery Services Vault / Backup Vault | Backup & DR Service (management console) |
| Cross-region | Yes (cross-region copy) | Yes (GRS/GZRS vaults) | Yes (multi-region backup) |
| Cross-account | Yes (AWS Organizations) | Yes (cross-subscription) | Yes (cross-project) |
| Encryption | KMS (customer or AWS managed) | Platform-managed or CMK | CMEK or Google-managed |
| Compliance | Backup Vault Lock (WORM) | Immutable vaults | Backup lock |
AWS Backup Configuration
```bash
# Create a backup vault
aws backup create-backup-vault \
  --backup-vault-name production-vault \
  --encryption-key-arn "arn:aws:kms:us-east-1:123456789012:key/key-id"

# Create a backup plan
aws backup create-backup-plan --backup-plan '{
  "BackupPlanName": "production-daily",
  "Rules": [
    {
      "RuleName": "daily-backup",
      "TargetBackupVaultName": "production-vault",
      "ScheduleExpression": "cron(0 2 * * ? *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 180,
      "Lifecycle": {
        "MoveToColdStorageAfterDays": 30,
        "DeleteAfterDays": 365
      },
      "CopyActions": [
        {
          "DestinationBackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault",
          "Lifecycle": {
            "DeleteAfterDays": 90
          }
        }
      ]
    },
    {
      "RuleName": "hourly-backup",
      "TargetBackupVaultName": "production-vault",
      "ScheduleExpression": "cron(0 * * * ? *)",
      "Lifecycle": {
        "DeleteAfterDays": 7
      }
    }
  ]
}'

# Assign resources to the backup plan
aws backup create-backup-selection \
  --backup-plan-id "plan-id" \
  --backup-selection '{
    "SelectionName": "all-production",
    "IamRoleArn": "arn:aws:iam::123456789012:role/AWSBackupRole",
    "Resources": ["*"],
    "Conditions": {
      "StringEquals": [
        {"ConditionKey": "aws:ResourceTag/Backup", "ConditionValue": "true"}
      ]
    }
  }'
```
Azure Backup Configuration
```bash
# Create a Recovery Services vault
az backup vault create \
  --name production-vault \
  --resource-group backup-rg \
  --location eastus

# Create a backup policy for VMs
# --backup-management-type is required; AzureIaasVM selects the VM workload.
# The policy JSON is the schedule/retention fragment of a policy document; only the
# time component of scheduleRunTimes matters for a daily schedule.
az backup policy create \
  --vault-name production-vault \
  --resource-group backup-rg \
  --backup-management-type AzureIaasVM \
  --name daily-vm-policy \
  --policy '{
    "schedulePolicy": {
      "schedulePolicyType": "SimpleSchedulePolicy",
      "scheduleRunFrequency": "Daily",
      "scheduleRunTimes": ["2026-03-14T02:00:00Z"]
    },
    "retentionPolicy": {
      "retentionPolicyType": "LongTermRetentionPolicy",
      "dailySchedule": {"retentionDuration": {"count": 30, "durationType": "Days"}},
      "weeklySchedule": {"retentionDuration": {"count": 12, "durationType": "Weeks"}},
      "monthlySchedule": {"retentionDuration": {"count": 12, "durationType": "Months"}}
    }
  }'

# Enable backup for a VM
az backup protection enable-for-vm \
  --vault-name production-vault \
  --resource-group backup-rg \
  --vm myapp-vm \
  --policy-name daily-vm-policy
```
GCP Backup Configuration
```bash
# Create a snapshot schedule (resource policy) for Compute Engine disks
gcloud beta compute resource-policies create snapshot-schedule daily-snapshots \
  --region=us-central1 \
  --max-retention-days=30 \
  --on-source-disk-delete=keep-auto-snapshots \
  --daily-schedule \
  --start-time=02:00 \
  --snapshot-labels=backup=daily,env=production \
  --storage-location=us

# Attach the snapshot schedule to a disk
gcloud compute disks add-resource-policies myapp-disk \
  --resource-policies=daily-snapshots \
  --zone=us-central1-a

# Cloud SQL automated backups with point-in-time recovery
gcloud sql instances patch myapp-db \
  --backup-start-time=02:00 \
  --enable-point-in-time-recovery \
  --retained-backups-count=30

# Create an on-demand backup
gcloud sql backups create --instance=myapp-db \
  --description="Pre-migration backup"

# GKE backup plan (replace PROJECT with your project ID)
gcloud beta container backup-restore backup-plans create daily-gke-backup \
  --location=us-central1 \
  --cluster=projects/PROJECT/locations/us-central1/clusters/myapp \
  --all-namespaces \
  --cron-schedule="0 2 * * *" \
  --backup-retain-days=30
```
Cross-Cloud Backup Patterns
For maximum resilience, some organizations back up data across cloud providers. This protects against provider-level outages and provides a true multi-cloud disaster recovery capability. However, cross-cloud backup adds complexity and egress costs.
Cross-Cloud Patterns
| Pattern | Implementation | Cost Impact |
|---|---|---|
| Database export to S3/GCS/Blob | Scheduled pg_dump/mysqldump to another cloud's object storage | Egress fees + storage costs |
| Object storage replication | rclone or custom sync between S3, GCS, and Blob | Egress + API call fees |
| VM image export | Export disk image, upload to another cloud | High (large data transfer) |
| Application-level backup | Application exports data in portable format (JSON/CSV) | Minimal (only essential data) |
```bash
# Cross-cloud database backup: AWS RDS to GCS
# Step 1: Export RDS snapshot to S3
aws rds start-export-task \
  --export-task-identifier "daily-export-$(date +%Y%m%d)" \
  --source-arn "arn:aws:rds:us-east-1:123456789012:snapshot:myapp-db-snapshot" \
  --s3-bucket-name "rds-exports" \
  --iam-role-arn "arn:aws:iam::123456789012:role/RDSExportRole" \
  --kms-key-id "arn:aws:kms:us-east-1:123456789012:key/key-id"

# Step 2: Sync S3 exports to GCS using rclone
# aws-s3, gcs and azure-blob are rclone remote names defined beforehand with `rclone config`
rclone sync aws-s3:rds-exports gcs:rds-backup-mirror \
  --transfers 16 \
  --checkers 8 \
  --log-file /var/log/rclone-sync.log

# Cross-cloud object storage sync
rclone sync aws-s3:my-data-bucket azure-blob:my-data-container \
  --transfers 32 \
  --fast-list \
  --log-level INFO
```
Backup Testing and Validation
A backup that has never been tested is not a backup. Regular restore testing validates that your backups are complete, restorable, and meet your RTO requirements.
| Test Type | Frequency | What to Validate |
|---|---|---|
| Restore to test environment | Monthly | Data integrity, application functionality |
| Point-in-time recovery test | Quarterly | PITR accuracy, RPO validation |
| Cross-region restore | Quarterly | DR readiness, RTO measurement |
| Full disaster recovery drill | Annually | End-to-end recovery, team readiness |
Immutable Backups for Ransomware Protection
Enable immutable backups (WORM - Write Once Read Many) to protect against ransomware that targets backup infrastructure. AWS Backup Vault Lock, Azure Immutable Vaults, and GCP Backup Lock prevent backup deletion or modification during the retention period, even by administrators. This is a critical defense against sophisticated attacks.
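As an added example (not part of the original guide), this Python script runs two of the checks described above offline against constructed sample data: it measures the RPO actually achieved by a vault's recovery points (an expired point does not count as restorable), and it flags backup-plan rules whose retention would be rejected once the target vault is locked, since AWS Backup fails jobs that fall outside a locked vault's minimum/maximum retention. The recovery-point and vault-lock field names follow the AWS Backup API; the sample timestamps, rules and lock settings are assumptions.

```python
from datetime import datetime

# Constructed sample data: recovery points in the shape returned by
# "aws backup list-recovery-points-by-backup-vault", trimmed to the fields used here.
RECOVERY_POINTS = [
    {"CompletionDate": "2026-03-13T02:00:00Z", "Status": "COMPLETED"},
    {"CompletionDate": "2026-03-13T03:00:00Z", "Status": "COMPLETED"},
    {"CompletionDate": "2026-03-13T04:00:00Z", "Status": "EXPIRED"},  # not restorable
    {"CompletionDate": "2026-03-13T07:00:00Z", "Status": "COMPLETED"},
]
# Constructed rules (same shape as the guide's CLI plan) and a hypothetical vault lock
# (MinRetentionDays/MaxRetentionDays as "aws backup describe-backup-vault" reports them).
PLAN_RULES = [
    {"RuleName": "daily-backup", "TargetBackupVaultName": "production-vault",
     "Lifecycle": {"DeleteAfterDays": 365}},
    {"RuleName": "hourly-backup", "TargetBackupVaultName": "production-vault",
     "Lifecycle": {"DeleteAfterDays": 7}},
]
VAULT_LOCKS = {"production-vault": {"MinRetentionDays": 30, "MaxRetentionDays": 400}}

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def achieved_rpo(points, now_iso):
    """Worst-case data-loss window: largest gap between consecutive restorable (COMPLETED)
    points, or the age of the newest one, whichever is larger; None if none restorable."""
    times = sorted(_ts(p["CompletionDate"]) for p in points if p["Status"] == "COMPLETED")
    if not times:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return max(gaps + [_ts(now_iso) - times[-1]])

def rules_violating_vault_lock(rules, vault_locks):
    """Names of rules whose DeleteAfterDays falls outside the target vault's lock bounds.
    AWS Backup fails jobs that violate a locked vault's min/max retention, so a
    short-lived rule (the hourly one here) quietly stops producing recovery points."""
    violating = []
    for rule in rules:
        lock = vault_locks.get(rule["TargetBackupVaultName"])
        if lock is None:
            continue  # unlocked vault accepts any retention
        days = rule["Lifecycle"].get("DeleteAfterDays")  # None means never expire
        max_days = lock.get("MaxRetentionDays")
        too_short = days is not None and days < lock["MinRetentionDays"]
        too_long = max_days is not None and (days is None or days > max_days)
        if too_short or too_long:
            violating.append(rule["RuleName"])
    return violating
```

With the sample data, the achieved RPO is 4 hours (the expired 04:00 point leaves a gap between 03:00 and 07:00), so an hourly RPO target is missed even though hourly backups are scheduled, and the hourly rule's 7-day retention would be rejected by a vault locked to a 30-day minimum.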
Terraform Multi-Cloud Backup
```hcl
# AWS Backup Plan
resource "aws_backup_plan" "production" {
  name = "production-backup"

  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.production.name
    schedule          = "cron(0 2 * * ? *)"

    lifecycle {
      cold_storage_after = 30
      delete_after       = 365
    }

    copy_action {
      destination_vault_arn = aws_backup_vault.dr.arn
      lifecycle {
        delete_after = 90
      }
    }
  }
}

resource "aws_backup_selection" "production" {
  name         = "production-resources"
  plan_id      = aws_backup_plan.production.id
  iam_role_arn = aws_iam_role.backup.arn

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "Backup"
    value = "true"
  }
}

# Azure Backup Policy
resource "azurerm_backup_policy_vm" "production" {
  name                = "daily-vm-backup"
  resource_group_name = azurerm_resource_group.backup.name
  recovery_vault_name = azurerm_recovery_services_vault.main.name

  backup {
    frequency = "Daily"
    time      = "02:00"
  }

  retention_daily {
    count = 30
  }

  retention_weekly {
    count    = 12
    weekdays = ["Sunday"]
  }

  retention_monthly {
    count    = 12
    weekdays = ["Sunday"]
    weeks    = ["First"]
  }
}
```
Tag-Based Backup Policies
Use resource tags to automatically include resources in backup plans. Tag all production resources with Backup=true and configure backup selections to target this tag. This ensures new resources are automatically protected without manual intervention. Combine with policy-as-code (AWS SCP, Azure Policy, GCP Org Policy) to enforce backup tagging.
Key Takeaways
- AWS Backup, Azure Backup, and GCP Backup & DR provide centralized per-cloud backup management.
- Cross-region backups are essential for disaster recovery; cross-cloud adds maximum resilience.
- Tag-based backup policies automatically protect new resources without manual intervention.
- Immutable backups (WORM) protect against ransomware targeting backup infrastructure.
Frequently Asked Questions
Should I back up data across cloud providers?
How often should I test backup restores?
Written by CloudToolStack Team
Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.