There is no way to properly back up data residing in an IaaS cloud vendor without incurring some kind of egress charges (i.e. data transfer fees). You must create an air gap between the resource you are backing up and the place you are storing that backup — and the only way to do that will create transfer fees. The only thing you can do is minimize those fees as much as possible.
Don’t be the next CodeSpaces.com
Back in 2014, CodeSpaces advertised itself as a safe place to store your code. All of their VMs and databases — and all of their backups of those VMs and databases — were stored in a single AWS account in a single region. In what I believe is the first major ransomware attack, a hacker gained control of their account and told them they were going to delete it if CodeSpaces did not cough up the ransom. CodeSpaces tried to lock the hacker out and the hacker responded by completely deleting their AWS account.
CodeSpaces.com ceased to exist at that moment. All of their customer data was deleted. All of their configuration data and intellectual property were deleted. All backups of everything were also deleted. That’s what happens when you store everything in a single account in a single region; a single disaster or attack can take out everything.
This time it happened to be a hacker, but it could have just as well been a data center fire (e.g. the OVH data center fire that happened in March of this year), or any number of natural disasters or terrorist attacks. This is why we don’t put all our eggs in one basket. For what it’s worth, the attack also could have been stopped by enabling multi-factor authentication (MFA), but they had failed to do that as well.
The 3-2-1 rule still applies
This simple rule that describes the basic definition of a backup is just as relevant today as it was when Peter Krogh coined it. Make three copies of your data, store them on two different media, and store one of them somewhere else. So many people focus so much on the three copies, but they ignore the “2” and “1” in the “3-2-1 rule.”
You cannot store your backups on the same system that you’re backing up. This is the number one reason why I reject the built-in data protection mechanisms in SaaS vendors like Microsoft 365, Salesforce, and Google Workspace. They are all simply additional records inside the same database; they are not backups.
Just as importantly, you need to store one copy of the backups far away from the original. Not only is this as valid today as it was many years ago, it is perhaps even more valid. When a bad actor can delete your entire data center with a single stroke of a keyboard, you need to make sure that you have at least one copy of that data center as far away from it as possible.
Create an electronic air gap
In the old days, we would make a copy and hand it to a “man in the van.” That really isn’t possible in the cloud world, so how do you accomplish getting a backup “off-site?” The modern-day equivalent of an Iron Mountain vault is a separate account in a separate region that stores one copy of all of your backups. I actually like the idea of doing this with a single account which holds all backups of the other accounts your company happens to use.
This other account should have its own authentication and authorization systems, and you should use as much multi-factor authentication that you can muster. For example, I like the idea of multi-person authentication which I discuss in this article. The idea is to divide the multiple factors between multiple people, so that a single person cannot delete everything.
Copying your backups to a region different from where the primary data resides protects them from natural disasters and terrorist attacks. Storing in separate accounts that do not share the same usernames and password as your primary accounts helps protect from hackers and malware. You must do both to do this properly.
An air gap in the cloud costs money
No matter how you back up your IaaS cloud resources, you will be transferring backups out of that resource. When you do that, you incur data transfer fees, otherwise known as egress charges — every major cloud vendor has such charges. They tend to be less when you are transferring between regions of the same vendor, and higher if you are transferring out to the Internet. For example, you will typically pay $0.01-$0.02 per gigabyte to transfer data between regions in most cloud vendors, and $0.05-$0.10 per gigabyte to transfer data out to the Internet.
This is why I’m saying there is no way to properly back up an IaaS cloud resource without incurring some kind of egress charge. There is no way around this; it is simply a new charge that you’re going to need to take into account in your backup and recovery design. No vendor will be able to make air gapped backups of cloud resources without incurring these charges; the only question is how big the charges will be.
The way to minimize them is to use block-level incremental forever backups and source-side global deduplication technologies to minimize the amount of data that needs to be transferred to get the job done.
Restores can also cost you money
If the resources you are hosting in your cloud account are VMs running your favorite backup and recovery software, and backing up your data center to the cloud, you will also incur egress charges every time you do a restore. If you use object storage to store your backups in the cloud, you will also incur a fee for each object you retrieve during the restore.
The only way around this is to use a service like Druva that does not run in your cloud account. Druva will incur those charges when you do a restore — not you. Druva charges a single per gigabyte (post-dedupe) or per user fee for everything it backs up; you will not pay extra for restores if you use Druva. You will, however, incur those charges if you run any backup software in your own cloud account.
If you aren’t copying your cloud backups to a separate account and region, now is the time to start. Druva offers the ideal capabilities to help you automate this process, and if you are hosting backup software in your cloud account, you should look at a service that doesn’t require you to do that. Say goodbye to those egress fees.