Preparing for SaaS application data protection

Before you start protecting your Google Cloud SQL data, complete the following steps:

Getting familiar with your SaaS application specifics

Before you start protecting your Google Cloud SQL data, you must get familiar with all prerequisites, limitations, considerations, and/or recommendations in this topic to make sure that your environment is prepared and configured correctly.

Prerequisites

Authentication service account permissions

The authentication service account that you set while adding the SaaS module as a source in R-Cloud must be granted the minimum permissions set within the Google Cloud projects that contain:

  • The Google Cloud SQL instance that you want to protect.

  • Locations where the new instances are going to be created during the restore.

The following permissions must be included in the minimum permissions set:

  • cloudsql.databases.create

  • cloudsql.databases.delete

  • cloudsql.databases.get

  • cloudsql.databases.list

  • cloudsql.instances.create

  • cloudsql.instances.delete

  • cloudsql.instances.export

  • cloudsql.instances.get

  • cloudsql.instances.import

  • cloudsql.instances.list

  • compute.regions.list

  • resourcemanager.projects.get

  • storage.buckets.create

  • storage.buckets.get

  • storage.buckets.getIamPolicy

  • storage.buckets.setIamPolicy

  • storage.objects.create

  • storage.objects.delete

  • storage.objects.get

  • storage.objects.list

Note  The permission resourcemanager.projects.list cannot be added to custom Google Cloud roles. As an alternative, use a predefined role such as Browser in combination with your custom role.

Instead of granting the individual permissions, you can also assign the Cloud SQL Admin, Storage Admin and Compute Viewer roles to the authentication service account or the HYCU Managed Service Account (HMSA).
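
The permission list above as a least-privilege check, added here as an example and not taken from the HYCU documentation: the script prints a custom role definition containing exactly the minimum set and audits an existing role's permissions against it. The role title, the function names and the sample input are assumptions made for illustration.

```shell
# Minimum permission set, copied from the list on this page.
REQUIRED="cloudsql.databases.create cloudsql.databases.delete
cloudsql.databases.get cloudsql.databases.list
cloudsql.instances.create cloudsql.instances.delete
cloudsql.instances.export cloudsql.instances.get
cloudsql.instances.import cloudsql.instances.list
compute.regions.list resourcemanager.projects.get
storage.buckets.create storage.buckets.get
storage.buckets.getIamPolicy storage.buckets.setIamPolicy
storage.objects.create storage.objects.delete
storage.objects.get storage.objects.list"
# Cannot be added to a custom role, per the note on this page.
UNSUPPORTED="resourcemanager.projects.list"

# Print a role definition file for:
#   gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=FILE
# The title and description are hypothetical.
role_definition() {
  echo "title: Cloud SQL protection minimum (example)"
  echo "description: Minimum permissions for protecting Cloud SQL"
  echo "stage: GA"
  echo "includedPermissions:"
  for p in $REQUIRED; do echo "- $p"; done
}

# audit_role "<whitespace-separated permissions of an existing role>"
# Prints one finding per line; returns 1 on MISSING or UNSUPPORTED.
audit_role() {
  required=" $(echo $REQUIRED) "; granted=" $(echo $1) "; rc=0
  for p in $REQUIRED; do
    case "$granted" in *" $p "*) ;; *) echo "MISSING $p"; rc=1 ;; esac
  done
  for p in $1; do
    case "$required" in *" $p "*) continue ;; esac
    if [ "$p" = "$UNSUPPORTED" ]; then echo "UNSUPPORTED $p"; rc=1
    else echo "EXTRA $p"; fi
  done
  return $rc
}

# Constructed sample: one required permission dropped, two others added.
SAMPLE_GRANTED="$(echo $REQUIRED | sed 's/storage\.buckets\.setIamPolicy//')
cloudsql.users.list resourcemanager.projects.list"
audit_role "$SAMPLE_GRANTED" || true
```

EXTRA findings do not fail the audit; they mark permissions beyond the minimum set that are worth reviewing.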

Limitations

  • Backing up the users that are defined on the Google Cloud SQL instances is not supported.

  • The R-Cloud module for Google Cloud SQL allows you to back up and restore the MySQL instances. However, after a restore, your MySQL triggers and stored procedures will not be preserved. For details, see Google Cloud documentation.

  • The Google Cloud SQL backup or restore cannot be aborted.

  • For PostgreSQL:

    • The maximum supported database size is 5 TB because Cloud Storage limits the size of a single object to 5 TB.

    • When performing a restore with the overwrite option enabled (in-place restore), the only allowed database connection is the one established by the module. If there is an additional connection established with your database, the restore will fail.

  • For Microsoft SQL Server:

    • System databases (master, msdb, model, and tempdb) are excluded from the backup.

    • Compatibility Level is not checked during the restore operations.

    • Backups done while an instance is in a single-user or read-only mode may cause errors during the import of the exported data.

  • For MySQL:

    • System databases (mysql, sys, information_schema, performance_schema) are excluded from the backup.

    • The triggers and the stored procedures are excluded from the backup.

    • Renaming the database when restoring is not supported.

Consideration

If instance deletion protection is enabled for a Google Cloud SQL instance in Google Cloud SQL, you cannot perform an in-place restore for either the main instance or its replica.

To disable the instance deletion protection, update the Google Cloud SQL instance settings. For instructions, see Google Cloud SQL documentation.

Configuring SaaS application data backup options

Before you start protecting SaaS applications, you can adjust SaaS application protection to the needs of your data protection environment by configuring backup options in R‑Cloud.

Important  Configuring backup options is not supported for all types of SaaS applications. Additionally, the list of available backup options varies depending on the type of your SaaS application.

Backup options

  • Exclude Resources: Enables you to specify one or more resources to be excluded from the backup.

  • Options: Enables you to use backup options specific to each SaaS application or SaaS application resource (for example, if you are protecting Google Cloud SQL, you can set the offload option that enables R‑Cloud to delegate the export operation to a separate data mover).

  • Data Movers: Enables you to specify the source, the region, and the subnet where you want R‑Cloud to create a data mover during the backup. If the specified source is an , you can also select a security group. If the specified source is an Azure resource group, you must select a network.

Important  For the SaaS applications that run in an , in an Azure resource group, or in a Google Cloud project: If you do not configure this backup option, R‑Cloud by default creates the data mover in your , Azure resource group, or Google Cloud project after you set up a target in R‑Cloud or add a source to R‑Cloud.

Prerequisites

  • For Google Cloud SaaS applications: Specifically for the HMSA, R‑Cloud requires additional permissions. For details, see Google Cloud permissions required by R‑Cloud.

  • Only if you plan to configure the data mover and select the Azure resource group as a source for the data mover: The network that you select must allow your Azure service principal or the HMSP to access the specified source and the targets that store the protected data.

  • The data movers must have access to the SaaS applications that you want to protect and to the targets that store the protected data. To ensure this, configure SaaS application backup options so that the data mover uses the appropriate subnet.

    Tip  You can check under which subnet the SaaS applications and the targets are accessible in your cloud provider management console.

Consideration

Only if you plan to store the protected SaaS application data on an Azure target: For security purposes, it is recommended that you configure SaaS application backup options so that R‑Cloud creates the data mover in the Azure resource group to keep the protected data in the same Azure environment during the backup.

Recommendation

If you plan to use targets for storing the protected data, optimize the egress data costs by configuring SaaS application backup options so that the data mover uses the same or the nearest available region as the target.

Note  R‑Cloud automatically synchronizes SaaS applications at periodic intervals. However, you can also update the list of SaaS applications manually at any time by clicking Synchronize Refresh.

Procedure

  1. In the SaaS panel, select the SaaS application or the resource for which you want to configure backup options.

  2. Click Configuration. The SaaS Configuration dialog box opens.

  3. Depending on what you want to do, perform the required action:

    • Exclude resources from the backup: On the Exclude Resources tab, select the resources that you want to exclude from the backup.

    • Use a backup option specific to my SaaS application or resource: On the Options tab, specify which of the available backup options you want to use and provide the required information.

    • Specify the source, the region, the subnet, the network, or the security group for a data mover:

    On the Data Movers tab, do the following:

    1. From the Compute drop-down menu, select the source for the data mover.

      Important  If the type of the source that you select for the data mover differs from the source where the target specified in the R‑Cloud policy resides, this may result in data egress charges.

    2. From the Region drop-down menu, select the preferred region.

    3. For Azure resource groups: From the Network drop-down menu, select the preferred network.

    4. From the Subnet drop-down menu, select the preferred subnet.

    5. For s: Optionally, from the Security Group drop-down menu, select the preferred security group. By default, the data mover is created in the default security group of the preferred subnet.

  4. Click Save.