Protect Tanzu Kubernetes Grid Workloads With Tanzu Mission Control Data Protection

Introduction to Tanzu Mission Control Data Protection

Data Protection in Tanzu Mission Control (TMC) is provided by Velero which is an open-source project. TMC data protection can be used to back up Kubernetes clusters both on-premises and in a public cloud with the ability to select a subset of the resources in the cluster.

When data protection is enabled on a Kubernetes cluster, the data backup is stored external to the TMC. TMC leverages AWS native S3 functionality to store the Kubernetes data backup. If you don't want to use AWS S3 to store K8 backup, you can bring your own S3-compatible storage and configure it as the target location for storing K8 backup.

The data protection features of Tanzu Mission Control enable you to create backups of the following types:

  • all resources in a cluster
  • selected namespaces in a cluster
  • specific resources in a cluster identified by a given label

You can also schedule regular backups and manage the backups by specifying a retention period for each backup and deleting backups that are no longer needed.

Note: Data Protection is not enabled on the TKG cluster by default.


This document discusses how to backup and restore your Kubernetes workloads running in a Tanzu Kubernetes Grid cluster with Tanzu Mission Control Data Protection.


The Application

For the purpose of data protection demonstration, a sample Yelb application is used which is a 3-tier application. You can find more information about Yelb at

The below diagram shows the high-level architecture of the Yelb application.

The yelb application is deployed as a K8 instance in the TKG workload cluster and has a frontend, backend, and database to store data.

The yelb application is deployed in a dedicated namespace named 'yelb' and in this example backup & restoration of this namespace will be demonstrated. For storing backup, AWS S3 storage will be used.


Before using TMC Data Protection, ensure that you have met the following pre-requisites:

  • Your VMware Cloud Services Organization is subscribed to the Tanzu Mission Control service.
  • You have registered the TKG management and the workload cluster in the TMC portal.
  • You have deployed at least one Kubernetes application in the TKG workload cluster.
  • Your TKG workload cluster nodes should be able to talk to the internet.
  • You have either an AWS subscription to use the S3 storage or have your own S3-compatible storage that can talk to Tanzu Mission Control.

Enable and Use Data Protection

Create Account Credentials

To enable Data Protection in TMC you must first set up an Account Credential. The credential indicates where the Velero extension should store the data backup.

Step 1 - On the Accounts tab of the Administration page, click Create Account Credential, and then select the type of credential to create.

To use the AWS S3 storage managed by Tanzu Mission Control in your cloud provider account, select AWS data protection credential.

Enter a descriptive name for the new credential and then click the Generate Template button. Tanzu Mission Control generates the template and automatically downloads it.

This template can be fed into the AWS CloudFormation stack to automate the creation of all the required resources in AWS, such as S3 buckets, IAM roles, and so on.

Step-2 -  You have to log in to your AWS console and apply the CloudFormation template. The instructions for the AWS side configuration is documented in TMC official documentation.

When the deployment of the CloudFormation stack completes, click on the stack, and from the output tab, copy the ARN of the IAM role created for the Cloud Provider Account.

Go to to learn about ARNs.

Navigate back to the TMC portal and proceed to Step-3. Paste the ARN that you have copied earlier and click CREATE CREDENTIAL.

You can see your newly created credential listed on the Administration page in the Tanzu Mission Control console. 

Configure Target Location

Create a data protection target location that you can use for storage of backups that you generate using VMware Tanzu Mission Control.

When you run a backup using Tanzu Mission Control, the resources that you specify to be backed up are written to a storage location that you have configured as a Target location.

To create a target location, follow the steps below:

Step 1 - Navigate to the Administration > Target Locations > Create Target Location and select the TMC Managed AWS S3 storage.

Step 2 - Select the account credential that you created earlier and then click Next.

Step 3 - Specify the cluster groups whose clusters can use this target location for backups.

Step 4 - Provide a name for the target location and click on the create button. When you click Create, Tanzu Mission Control generates a backup location (S3 bucket) that can be used by clusters in the specified cluster groups.

Enable Data Protection for a Cluster

The next step is to enable data protection on your attached or provisioned TKG workload clusters.

To enable data protection on a cluster, follow the steps below:

Step 1 - Navigate to the Clusters tab and click on the TKG cluster for which you want to enable data protection. The data protection option is available under the overview tab of the cluster details page.

Step 2 - Click Enable on the confirmation page.

On enabling data protection, Tanzu Mission Control installs the data protection extension and Velero on your cluster. You can fetch the details by connecting to your TKG workload cluster and running the command: kubectl get all -n velero

# kubectl get all -n velero
NAME                         READY   STATUS    RESTARTS   AGE
pod/restic-7cdtf             1/1     Running   0          47h
pod/restic-hkctl             1/1     Running   0          47h
pod/restic-lzc9z             1/1     Running   0          47h
pod/velero-67554fd54-xshbs   1/1     Running   0          47h

daemonset.apps/restic   3         3         3       3            3           <none>          47h

NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/velero   1/1     1            1           47h

NAME                               DESIRED   CURRENT   READY   AGE
replicaset.apps/velero-67554fd54   1         1         1       47h
Backup Kubernetes Data

Step 3 - On the overview page of the TKG workload cluster, click Create Backup to initiate data backup of your Kubernetes applications.

Step 4 - Select the namespaces and objects you want to back up. As mentioned earlier in this article, this example and document only focuses on backing up and restoring the Kubernetes namespaces.

The sample application that has been chosen for this demo resides in the Yelb namespace.

Step 5 - Select the Target location that you have created earlier and click Next.

Step 6 - Specify the backup schedule and click Next.

Step 7 - Select the retention period for the backup that will be taken by TMC and click Next.

Step 8 - Provide a name for the backup schedule and click Create.

To check the status of the backup, navigate to the Data Protection tab of the cluster on which you have enabled data protection.

You can verify the presence of backup data in the TMC managed S3 bucket in the AWS portal.

Restore Kubernetes Data

For the purpose of the demonstration of the restore process, the 'Yelb' application is deleted.

To restore of the 'Yelb' application, navigate to the Data protection tab of the cluster which was backed up and select the backup image from the list and click on the Restore button.

Select the objects you want to restore. In this example, the entire backup image is selected.

Provide a name for the restore image and click Restore.

Data restoration can take some time depending on the size of the backup.

To validate the data restoration, connect to your TKG workload cluster and examine the namespace which is being restored from the backup. The Age column for the restored application validates that the application is spun recently.


Selecting the backup type might vary from organization to organization depending upon the business use case.

For example, backing up individual namespaces rather than protecting the entire Kubernetes cluster might be a good fit for you, as deploying a new workload cluster is quicker than restoring the entire workload cluster as you already have the necessary deployment/configuration files handy for the workload cluster creation.

Backing up clusters based on the labels is more efficient than individually selecting the clusters/namespaces in the scenario where you have multiple TKG clusters and you are using labels to differentiate between the cluster type such as dev and prod clusters.

Tanzu Mission Control makes backup and restoration of Kubernetes data very easy by automating the process of enabling and configuring data protection on a Tanzu Kubernetes Grid cluster. If you have decided to use AWS for storing Kubernetes backup, use the TMC managed AWS S3 storage option (unless you have a specific use case for using custom S3 storage) as Velero will automatically clean up stale backups in the backend when backups expire or you disable data protection on the TKG cluster and ultimately saves you from incurring additional charges on your S3 consumption.

In case you are configuring Customer managed AWS S3 storage option, use lifecycle rules on the S3 bucket for automatic cleanups.

Author and Contributors

Manish Jha has authored this article.





Filter Tags

App Modernization Tanzu Kubernetes VMware Cloud on AWS Document Technical Guide Technical Overview Intermediate Manage