Cloud Provider Snapshots

Note

This feature is not available for M0 (Free Tier), M2, and M5 clusters. For more information, see Atlas M0 (Free Tier), M2, and M5 Limitations.

Atlas Cloud Provider Snapshots provide localized backup storage using the native snapshot functionality of the cluster’s cloud service provider.

Atlas only supports cloud provider snapshots for Microsoft Azure or Amazon Web Services (AWS) backed clusters. A project using the Atlas Cloud Provider Snapshots cannot create snapshots of any cluster hosted on Google Cloud Provider (GCP).

You can enable cloud provider snapshots when you create a cluster or when you modify an existing cluster. From the cluster configuration modal, toggle Do you want to enable backup? to Yes and select the Cloud Provider Snapshots card.

Important

Atlas only allows one backup method per project. Once you select a backup method for a cluster in a project, Atlas locks the backup service to the chosen method for all subsequent clusters in that project.

For example, in a project where one or more clusters use cloud provider snapshots, you cannot enable continuous backups for any cluster in that project.

To change the backup method for the project, disable backups for all clusters in the project, then re-enable backups using your preferred backup methodology. Atlas deletes any stored snapshots when you disable backup for a cluster.

Consider creating a separate project for clusters where a different backup method is required.

Note

Atlas supports Cloud Provider Snapshots for sharded clusters running MongoDB version 3.4+ with the following limitations:

  • Atlas does not guarantee causal consistency of your data.
  • You cannot restore an existing snapshot to a cluster after you change that cluster’s topology by adding or removing a shard. However, you can restore an existing snapshot to another cluster with a matching topology.
  • You cannot manually migrate chunks in a cluster during a snapshot without the risk of creating an inconsistent snapshot.

Cloud Provider Snapshots with Encryption at Rest

Atlas encrypts all snapshot volumes, ensuring the security of cluster data at rest (Encryption at Rest). For projects and clusters using Encryption at Rest Using Your Key Management, Atlas applies an additional layer of encryption to your snapshot storage volumes using the Key Management Service (KMS) provider configured for the cluster.

For clusters using AWS IAM as their Key Management Service, Atlas uses the project’s customer master key (CMK) and AWS IAM user credentials at the time of the snapshot to automatically encrypt the snapshot data files. This is an additional layer of encryption on the existing encryption applied to all Atlas storage and snapshot volumes.

Atlas stores the unique ID of the CMK and the AWS IAM user credentials used to access the CMK. Atlas uses this information when restoring the snapshot. For complete documentation on restoring an encrypted snapshot, see Restore a Snapshot of a Cluster with Encryption at Rest.

To view the key used to encrypt a snapshot:

  1. From the Clusters view of the Atlas UI, click on the cluster name.
  2. Click the Backup tab, then click Snapshots.
  3. Note the Encryption Key ID for each snapshot in the cluster. Atlas lists the CMK used to encrypt the snapshot. Unencrypted snapshots display Not enabled.

Important

Atlas requires access to the encryption key associated with the snapshot’s Encryption Key ID to successfully restore that snapshot.

Before deleting an Encryption Key ID used with Atlas Encryption at Rest using your Key Management, check every backup-enabled cluster in the project for any snapshots still using that Encryption Key ID. Once you delete an encryption key, all snapshots encrypted with that key become inaccessible and unrecoverable.

Atlas automatically deletes backups in accordance with the Snapshot Scheduling and Retention Policy. Once Atlas deletes all snapshots depending on a given Encryption Key ID, you can delete the key safely.

If you disable an Encryption Key ID, you must re-enable the key before restoring a snapshot encrypted with that key.

For clusters using Azure Key Vault as their Key Management Service, Atlas uses the project’s Key Identifier, Key Vault Credentials, and Active Directory application account credentials at the time of the snapshot to automatically encrypt the snapshot data files. This is an additional layer of encryption on the existing encryption applied to all Atlas storage and snapshot volumes.

Atlas stores the unique ID of the Azure Key Identifier used to encrypt the snapshot. Atlas also stores the Azure Key Vault credentials and the Active Directory application account credentials used to access the Key Identifier. Atlas uses this information when restoring the snapshot. For complete documentation on restoring an encrypted snapshot, see Restore a Snapshot of a Cluster with Encryption at Rest.

To view the key used to encrypt a snapshot:

  1. From the Clusters view of the Atlas UI, click on the cluster name.
  2. Click the Backup tab, then click Snapshots.
  3. Note the Encryption Key ID for each snapshot in the cluster. Atlas lists the Key Identifier used to encrypt the snapshot. Unencrypted snapshots display Not enabled.

Important

Atlas requires access to the encryption key associated with the snapshot’s Encryption Key ID to successfully restore that snapshot.

Before deleting an Encryption Key ID used with Atlas Encryption at Rest using your Key Management, check every backup-enabled cluster in the project for any snapshots still using that Encryption Key ID. Once you delete an encryption key, all snapshots encrypted with that key become inaccessible and unrecoverable.

Atlas automatically deletes backups in accordance with the Snapshot Scheduling and Retention Policy. Once Atlas deletes all snapshots depending on a given Encryption Key ID, you can delete the key safely.

If you disable an Encryption Key ID, you must re-enable the key before restoring a snapshot encrypted with that key.

For complete documentation on configuring Encryption at Rest using your Key Management for an Atlas project, see Encryption at Rest Using Your Key Management. You can then either deploy a new cluster or enable an existing cluster with Encryption at Rest using your Key Management.
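
The pre-deletion check called for in the Important notes above (for both the AWS and the Azure case), as an added Python example that is not Atlas code and does not call an Atlas API. It runs over a constructed snapshot inventory; the field names, cluster names, key IDs and key states are hypothetical placeholders for what you transcribe from the Snapshots view and your KMS.

```python
"""Pre-deletion check for customer-managed keys that snapshots depend on."""
from collections import defaultdict

NOT_ENABLED = "Not enabled"  # shown by the Snapshots view for unencrypted snapshots

# Constructed sample data. Field names and IDs are hypothetical placeholders
# transcribed by hand from the Snapshots view; this is not an Atlas API schema.
SNAPSHOTS = [
    {"cluster": "orders", "snapshot": "s1", "key_id": "key-old"},
    {"cluster": "orders", "snapshot": "s2", "key_id": "key-new"},
    {"cluster": "billing", "snapshot": "s3", "key_id": "key-old"},
    {"cluster": "billing", "snapshot": "s4", "key_id": "key-paused"},
    {"cluster": "scratch", "snapshot": "s5", "key_id": NOT_ENABLED},
]
# Constructed key states, as your KMS would report them.
KEY_STATES = {"key-old": "enabled", "key-new": "enabled",
              "key-paused": "disabled", "key-retired": "enabled"}


def dependents(snapshots):
    """Map each key ID to the (cluster, snapshot) pairs encrypted with it."""
    deps = defaultdict(list)
    for snap in snapshots:
        if snap["key_id"] != NOT_ENABLED:
            deps[snap["key_id"]].append((snap["cluster"], snap["snapshot"]))
    return dict(deps)


def safe_to_delete(key_id, snapshots):
    """A key may be deleted only when no snapshot in any cluster still uses it."""
    return key_id not in dependents(snapshots)


def restore_status(snap, key_states):
    """Classify one snapshot by what its key's state means for a restore."""
    if snap["key_id"] == NOT_ENABLED:
        return "restorable"
    state = key_states.get(snap["key_id"])
    return {"enabled": "restorable",
            "disabled": "re-enable key first",
            "deleted": "unrecoverable"}.get(state, "key state unknown")


if __name__ == "__main__":
    for key in KEY_STATES:
        users = dependents(SNAPSHOTS).get(key, [])
        print(key, "safe to delete" if not users else f"KEEP, used by {users}")
    for snap in SNAPSHOTS:
        print(snap["cluster"], snap["snapshot"], restore_status(snap, KEY_STATES))
```

The inventory must cover every backup-enabled cluster in the project; a key that looks unused in one cluster can still be referenced by a retained snapshot in another.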

Single Region Cluster Backups

For backup snapshots, Atlas selects the member that is the primary at the time you enable snapshots for the cluster. Atlas stores the snapshots in the same cloud region as the cluster. Atlas retains snapshots based on the retention policy.

[Figure: Cloud Provider Snapshot of the Primary]

Atlas continues to use that member and its corresponding region for snapshots and snapshot storage, even if that member is no longer the primary.

[Figure: A Cloud Provider Snapshot of the Secondary]

Atlas automatically creates a new snapshot storage volume if the existing snapshot storage volume becomes invalid. Atlas creates the new volume in the same region as the cluster’s current primary. Atlas then takes a full-copy snapshot to maintain backup availability and continues using that member and its corresponding region for further incremental snapshots.

Events that can trigger storage invalidation include:

  • Changing the Atlas cluster instance size,
  • Modifying the Atlas cluster’s storage volume or speed,
  • Changing the Atlas cluster’s AWS region, and
  • Maintenance performed by Atlas or AWS.

To manually reset the snapshot target and storage, disable and re-enable backups for the cluster. Disabling Atlas backups removes all snapshots for the cluster. For more information on snapshot retention, see Snapshot Scheduling and Retention Policy.

Atlas always selects the primary member of the cluster for backup snapshots and stores the snapshots in the same cloud region as the cluster. Atlas retains snapshots based on the retention policy.

[Figure: Cloud Provider Snapshot of the Primary]

If that member steps down to a secondary, Atlas changes the snapshot target to the current primary.

[Figure: A Cloud Provider Snapshot of the Former Primary]

Multi-Region Cluster Backups

For backup snapshots, Atlas selects the member that is the primary at the time you enable snapshots for the cluster. Atlas stores the snapshots in the same region as the primary member. Atlas retains snapshots based on the retention policy.

[Figure: Cloud Provider Snapshot of the Primary]

If the member steps down to a secondary, Atlas continues to use that member for snapshots. Atlas continues storing snapshots in the same region as that member, even if the primary is in a different region.

[Figure: A Cloud Provider Snapshot of the Secondary]

Atlas automatically creates a new snapshot storage volume if the existing snapshot storage volume becomes invalid. Atlas creates the new volume in the same region as the cluster’s current primary. Atlas then takes a full-copy snapshot to maintain backup availability and continues using that member and its corresponding region for further incremental snapshots.

Events that can trigger storage invalidation include:

  • Changing the Atlas cluster instance size,
  • Modifying the Atlas cluster’s storage volume or speed,
  • Changing the Atlas cluster’s AWS region, and
  • Maintenance performed by Atlas or AWS.

To manually reset the snapshot target and storage, disable and re-enable backups for the cluster. Disabling Atlas backups removes all snapshots for the cluster. For more information on snapshot retention, see Snapshot Scheduling and Retention Policy.

Atlas always selects the primary member of the cluster for backup snapshots and stores the snapshots in the same region as the primary member. Atlas retains snapshots based on the retention policy.

[Figure: Cloud Provider Snapshot of the Primary]

If that member steps down to a secondary, Atlas changes the snapshot target to the current primary.

[Figure: A Cloud Provider Snapshot of the Former Primary]

Atlas stores subsequent snapshots in the region of the new primary member.

Snapshot Scheduling and Retention Policy

Atlas takes the first snapshot when you enable cloud provider snapshots for a cluster and takes subsequent snapshots of the cluster every 24 hours from that point in time. By default, Atlas retains the last 3 snapshots for each cluster.

You can view and customize the snapshot schedule and retention settings:

  1. From the Clusters view, click on the cluster name.
  2. Click on the Backup tab.
  3. Click Backup Policy.

Atlas displays the UTC snapshot time using the 24-hour clock format. To modify the snapshot time, click the dropdown for the hr or min and select your preferred hour or minute for Atlas to take snapshots. The first snapshot taken after updating the snapshot schedule occurs within 24 hours, breaking the default behavior of one snapshot every 24 hours. All subsequent snapshots occur once every 24 hours at the configured point in time.

Atlas displays the number of snapshots to retain in a text input field. Type in your preferred number of snapshots for retention. Changing the number of retained snapshots affects the total cost of backups for the cluster. For complete documentation on cloud provider snapshot billing, see Cloud Provider Snapshots. If you decrease the number of retained snapshots, Atlas immediately deletes the extra snapshots.

Click Save Changes to save any changes you’ve made to either the snapshot schedule or retention settings.

Important

If you disable cloud provider snapshots for a cluster or terminate a cluster that had snapshots enabled, Atlas immediately deletes the backup snapshots for that cluster. For clusters not using Encryption at Rest Using Your Key Management, you can download the latest snapshot to preserve any data stored in the cluster.