hamburger icon close icon
Cloud Database

How to Protect a Database in the Cloud: 7 Key Practices

Read Next:

Adapting to a cloud-centric infrastructure brings lots of benefits in terms of cost savings, quick setup and time savings, but there are new challenges that IT teams need to deal with in the cloud. One of the most important is figuring out how to protect your cloud databases.

This article is intended for storage admins as well as cloud administrators who are looking for a robust database protection strategy to protect a database in the cloud running on AWS or Azure instances. We’ll look at some of the best practices for database protection, including how NetApp’s cloud solutions can help.

1. Keep Data in Multiple Regions or Zones

When you have your data in the cloud, you will need Amazon Elastic Block Storage (Amazon EBS) or Azure Disk Storage, depending upon which provider you choose for your databases. Each of these are efficient cloud storage systems and provide enterprise-grade storage capabilities in a very cost-effective manner.

To provide high availability and reliability, Amazon EBS and Azure Disk replicate up to three copies of your data in the same Availability Zone to protect against data loss due to server component failure. Even though AWS and Azure promise SLAs of 99.99 percent availability, what happens if your data is only stored in a single region or availability zone and there’s a crash? Disaster!

For database protection, it’s a safer idea to have your data spread across multiple Azure availability zones or AWS Availability Zones (also known as a Multi-AZ configuration) to protect your data from losses such as this.

Take a look at how Amazon RDS or Azure Database is configured in a Multi-AZ setup. So when you set up a database environment, keeping DR (Disaster Recovery) and HA (High Availability) in consideration, make sure that the standby database is replicated in a different availability zone. This way, if your primary instance goes down due to a failure or disaster, then your application can switch to the secondary standby setup from another AZ.

How to Protect a Database in the Cloud: 7 Key Practices disaster recovery high availability for data hybrid cloud data management ontap cloud aws amazon azure data protection efficient cloud storage systemsYou can use Amazon S3 to replicate backups of your cloud databases across multiple regions for increased durability and reliability and also reduce the cost of keeping backups for longer periods. But to further protect your operation using multiple AZs, NetApp’s Cloud Volumes ONTAP (formerly ONTAP Cloud) offers two options: For disaster recovery, there is Cloud Volumes ONTAP’s multi-region disaster recovery, and for high availability, there is Cloud Volumes ONTAP in an AWS high availability configuration.

2. Data Access Control for a Database in the Cloud

As is true with on-premises databases, one of the main concerns in how you protect a database in the cloud is keeping your data secure from unwanted access and data breaches. AWS and Azure security controls allow you to set up highly secure environments for your databases. Let us look at some of the important security considerations.

Virtual Private Cloud (VPC) gives you the ability to run your database instances in logically-isolated and private cloud environments by providing complete control over the virtual networking environment. VPC also allows you to set IP addresses, subnets, and network gateways.

You can set up security groups so that your public-facing applications are open to the internet but protected by another security group that keeps databases and back-end application servers in a private cloud that is inaccessible directly from the internet. With VPC, you can have a hybrid setup such that your database in the cloud and on premises can reside together in one virtual private environment, allowing your data center to access cloud data directly and privately.

3. Safe Data Transit

You may be moving huge amounts of data from on-premises storage or from one cloud to another for an initial migration to the cloud or for another replication need. All of these kinds of data movements require your IT team and storage professionals to find secure solutions for moving, migrating, transforming and data synchronization between the different environments.

During transit, your data is vulnerable to failures, outages or attacks that may result in data loss or cause compliance issues. You need to encrypt all data at rest including data volumes, boot disks, snapshot backups and also your data archives and backups on the Azure Blob or Amazon S3. Additionally, you should configure Amazon CloudTrail or Azure Activity Log to audit all your storage and record events, and to configure AWS Key Management Service (KMS) or Azure Key Vault.

You need to be able to recover from failures or outages that occur during data transit and keep track of data synchronizations schedules. In addition to using provider services, you can use NetApp tools to help you address these challenges. Data encryption can be addressed with the help of Cloud Volumes ONTAP encryption and set up using the OnCommand Cloud Manager, Cloud Volumes ONTAP’s single-pane control panel for your cloud resources.

NetApp’s Cloud Sync offers an efficient, safe and secure data migration and synchronization service. Cloud Sync keeps your data safe by allowing the data to remain in your possession during transit. In addition, it manages your defined sync schedules and ensures full data recovery if a failure occurs during the data transit.

4. Cloud Access Control

With cloud computing, you need to set up role-based access and permissions for accessing all your cloud resources, including database instances. For enhanced security you should leverage the Identity and Access Management (IAM) service provided by Azure or AWS. Using security features such as policy definition of responsibility, roles, users and groups, you can protect your data from loss due to user actions or even from infrastructure resource actions such as a code from an Amazon EC2 instance trying to access other resources on the AWS.

As best practice you should create security groups for related permissions based on the defined policies. For instance, you may create a group that has permission only for DBAs and then assign that group to database admins; at the same time you can have a policy implemented as such that they cannot drop the database.

All your databases and data storage should come under the scope of an Identity and Access Management system so that you can keep full control over who has access to what and also identify any compliance measures that might have been missed.

5. Go Hybrid: Hybrid Cloud Architecture

How to Protect a Database in the Cloud: 7 Key Practices disaster recovery high availability for data hybrid cloud data management ontap cloud aws amazon azure data protection efficient cloud storage systems Hybrid cloud architectures have proven to be a boon for companies willing to adopt to cloud infrastructure without abandoning existing on-premises infrastructure.

The major benefit of a hybrid architecture is that hybridity allows you to decide what you want to control on-premises and what you want the cloud provider to handle, which means more ways to protect a database in the cloud. 

Hybridity is also a solution if your company has data compliance requirements that demand you keep certain types of data in-house. If you have data that is critical — such as financial data which should never be in the public domain — you should keep a local on-premises copy of that data even if the provider has all the security measures to protect your data in place. Another benefit is cost efficiency and usage agility.

Databases that require high resource utilization during certain periods of the time can leverage the cloud’s on-demand resource allocation, which saves costs. But managing all of those disparate systems seamlessly can be a challenge, one that NetApp solves with Cloud Volumes ONTAP.

Cloud Volumes ONTAP leverages AWS, Google Cloud, and Azure cloud resources, such as AWS EBS and Google Cloud storage to unify and streamline hybrid cloud architectures and help protect a database in the cloud. Plus, its powerful data deduplication, thin provisioning, and data tiering storage efficiencies make it possible to consume less storage in the cloud and on-prem.

To see how Cloud Volumes ONTAP will work with your cloud provider, you can easily calculate your storage costs with our AWS calculator or Azure calculator.

Using NetApp’s SnapMirror technology, Cloud Volumes ONTAP synchronizes data between your on-premises NetApp storage systems and your public multi-cloud storage, leveraging NetApp’s efficient data snapshots technology. NetApp snapshots are faster than any cloud-native option, as they create instant copies of the baseline data and afterwards only sync the delta data. This makes it easy to recover your system from any point in time as every change that is made to the primary data is saved and can be rolled back.

6. DR for Your Database in the Cloud

SnapMirror data replication plays a crucial role in using Cloud Volumes ONTAP for disaster recovery and cloud data protection, as it is faster and less expensive than comparable transfer costs of the native services offered by cloud providers. This will significantly lower your spend for protecting your database in the cloud. Plus, Cloud Volumes ONTAP allows you to tier disaster recovery copies to inexpensive storage on Amazon S3, and automatically bring that data back up to Amazon EBS for use in recovery scenarios.

7. More Database Protection with HA

For the most database protection from outages, attack, or unexpected failures, Cloud Volumes ONTAP for HA keeps two copies of your environment seamlessly operating at separate nodes, with one environment ready to be failed over to at the first sign of an outage, making sure that your RPO is 0, and your RTO is less than 60 seconds, ensuring business continuity no matter how bad the outage.


Security, compliance, and protection of your data go hand-in-hand with infrastructure and human resources. Having a robust database protection policy is the key and it starts from the very initial phase of any setup. You need to have trained storage, system, and database admin resources who are also well-versed in data compliance requirements to know how to protect databases.

Once you know the challenges involved with database protection, it is helpful to explore tools that provide single window self-service software such as NetApp’s Cloud Volumes ONTAP and Cloud Sync. Cloud Volumes ONTAP and Cloud Sync can help migrate your private data centers to that cloud and seamlessly operate hybrid cloud architectures that take advantage of both storage formats.

New call-to-action
Yifat Perry, Technical Content Manager

Technical Content Manager