How do you set up automated Elasticsearch snapshots for data backup?

12 June 2024

In the world of data management, Elasticsearch has gained popularity for its robust, scalable, and efficient full-text search capabilities. But, as with any data management system, regular data backups are crucial. This is where snapshots come into play. A snapshot in Elasticsearch is a backup taken from a running Elasticsearch cluster. You can take a snapshot of individual indices or an entire cluster. In this article, we will guide you on how to set up automated snapshots for your Elasticsearch data backup.

Understanding Elasticsearch Snapshots

Before we delve into the setup, it's essential to get a clear understanding of what Elasticsearch snapshots are. When you create a snapshot of an Elasticsearch cluster, you create a backup of the cluster's data (and, optionally, its cluster state) as of that moment in time. Snapshots are incremental: each one copies to the repository only the Lucene segment files that no earlier snapshot in that repository already holds, which saves both time and storage. Every snapshot is still logically complete, so any snapshot can be restored on its own, and deleting an older snapshot does not invalidate newer ones that share segments with it.

Snapshots are taken from the running cluster and do not block indexing or searches, but copying segments to the repository does consume disk I/O and network bandwidth; the repository settings max_snapshot_bytes_per_sec and max_restore_bytes_per_sec exist to throttle this if it competes with production traffic. Restores are flexible as well: you can restore everything in a snapshot, or only specific indices or data streams (restore granularity is the index, not the shard).

Snapshots are stored in a repository, which is a dedicated location where Elasticsearch stores backup data. The repository can be a shared file system, AWS S3, HDFS, Azure Storage Service, or Google Cloud Storage. For this guide, we will be focusing on AWS S3 repositories. S3 repository support is built into Elasticsearch 8.x; on 7.x and earlier it comes from the repository-s3 plugin, which must be installed on every node before the repository can be registered.

Setting up an AWS S3 Repository for Elasticsearch Snapshots

To start setting up automated Elasticsearch snapshots, first, you need to create a repository where the snapshots will be stored. Here, we are going to use AWS S3.

To create an S3 repository, you need an active AWS account and a bucket to store the snapshots. Also ensure the IAM role or user that Elasticsearch runs as is allowed to list the bucket and to get, put and delete objects under the snapshot prefix, and nothing wider. The repository holds a full copy of your data, so treat the bucket as at least as sensitive as the cluster itself.

The repository can be created using the Elasticsearch API. You can use the following curl command to create a repository:

curl -X PUT "localhost:9200/_snapshot/my_s3_repository" -H 'Content-Type: application/json' -d'
{
  "type": "s3",
  "settings": {
    "bucket": "my_bucket",
    "region": "us-west-1",
    "base_path": "my_backup_folder",
    "access_key": "my_access_key",
    "secret_key": "my_secret_key"
  }
}'

In this command, replace my_s3_repository with the name you want for your repository, my_bucket with the name of your S3 bucket, us-west-1 with your region, my_backup_folder with the path in your bucket where the snapshots will be stored, and my_access_key and my_secret_key with your AWS access key and secret key respectively. Elasticsearch verifies the repository on registration by default (add ?verify=false to skip this), so a failure at this point usually means the bucket name, region or permissions are wrong.

Two caveats about this body. First, access_key and secret_key passed as repository settings are stored in plain text in the cluster state and echoed back to anyone who can call GET _snapshot/my_s3_repository; recent Elasticsearch versions reject them unless insecure settings are explicitly enabled on every node. Put the keys in the Elasticsearch keystore instead (the s3.client.default.access_key and s3.client.default.secret_key secure settings), or run the nodes under an IAM role, and omit both keys from the request. Second, recent versions no longer accept region as a repository setting; the S3 client determines the bucket's location itself, or you set an explicit endpoint in the client settings. Check the repository-s3 reference for your version before copying this body.

Creating Elasticsearch Snapshots

After setting up the repository, the next step is creating a snapshot. You can use the Elasticsearch API to create a snapshot manually, or automate the task with a cron job or, on Elasticsearch 7.x and later, with a Snapshot Lifecycle Management policy (covered below).

Here's how you can create a snapshot manually:

curl -X PUT "localhost:9200/_snapshot/my_s3_repository/snapshot_1?wait_for_completion=true"

In this command, replace my_s3_repository with the name of your repository and snapshot_1 with the name of your snapshot. Snapshot names must be lowercase and unique within the repository. The wait_for_completion=true query parameter is optional; it makes the request block until the snapshot has finished, and the response then includes the snapshot's final state.

To automate the snapshot creation, create a cron job that runs the curl command at a specific time. Here's an example of a cron job that takes a snapshot every day at midnight:

0 0 * * * curl -sS -f -X PUT "localhost:9200/_snapshot/my_s3_repository/snapshot_$(date +\%Y-\%m-\%d)?wait_for_completion=true" >> /var/log/es-snapshot.log 2>&1

The $(date +\%Y-\%m-\%d) substitution appends the current date to the snapshot name, so each run produces a unique, lowercase name, and a year-first date sorts correctly when you list snapshots. The backslashes are required: cron treats an unescaped % in a command as a newline, so bare % signs silently break the command. The -f flag makes curl exit non-zero on an HTTP error so the failure shows up in the log and in cron's mail, but a snapshot that finishes in the PARTIAL state still returns HTTP 200, so check the state field in the logged response rather than trusting the exit code alone.

Restoring from Elasticsearch Snapshots

Restoring from a snapshot is a straightforward process. You can restore everything in the snapshot, or only specific indices or data streams.

To restore everything in a snapshot, you can use the following command:

curl -X POST "localhost:9200/_snapshot/my_s3_repository/snapshot_1/_restore"

Replace my_s3_repository with the name of your repository and snapshot_1 with the name of the snapshot you want to restore. Two things to know before you run it: an index cannot be restored while an open index of the same name exists in the cluster, so close or delete the live copy first (or use the rename_pattern and rename_replacement options to restore under a new name), and the global cluster state (index templates, persistent cluster settings) is restored only when include_global_state is set to true, which it is not by default for a restore.

To restore specific indices, you can add a body to the request specifying the indices you want to restore:

curl -X POST "localhost:9200/_snapshot/my_s3_repository/snapshot_1/_restore" -H 'Content-Type: application/json' -d'
{
  "indices": "index_1,index_2",
  "ignore_unavailable": true,
  "include_global_state": false
}'

In this command, replace index_1,index_2 with the indices you want to restore. ignore_unavailable makes the restore skip any listed index that is missing from the snapshot instead of failing, and include_global_state: false keeps the snapshot's templates and cluster settings from overwriting those of the cluster you are restoring into.

Best Practices for Elasticsearch Snapshots

Lastly, we will outline some best practices when working with Elasticsearch snapshots.

It is recommended to use AWS IAM roles instead of embedding AWS access keys and secret keys in repository settings. On EC2 the S3 client picks up the instance profile's credentials automatically through the AWS SDK credential chain, so the credentials are short-lived, rotated by AWS, and never appear in cluster state, in the keystore or in your shell history. Scope the role's policy to the snapshot bucket and prefix only: the repository needs to list the bucket and to get, put, delete and multipart-upload objects under its base_path, nothing more.

Another best practice is to monitor the snapshot process. A snapshot does not stop the cluster, but it can finish in the PARTIAL state (some shards were not captured) or the FAILED state, and an HTTP 200 from the create request rules out neither. Poll GET _snapshot/my_s3_repository/_all (or the _status endpoint of a single snapshot) and alert on any state other than SUCCESS, and on the age of the newest successful snapshot, so that a silently stalled cron job or SLM policy is noticed before you need to restore.

Lastly, specify snapshot retention policies. Over time, your AWS S3 bucket can fill up with snapshots. Therefore, specify snapshot retention policies to automatically delete older snapshots, thereby freeing up storage space.

Deleting Elasticsearch Snapshots

As your Elasticsearch cluster continues to generate and store data, you inevitably create more snapshots, which means more storage space is required. To keep your AWS S3 bucket from becoming overwhelmed with older, unnecessary snapshots, it's important to periodically purge them.

Deleting an Elasticsearch snapshot is quite simple. You can use the DELETE HTTP method with the Elasticsearch API to remove a specific snapshot. Here is an example of a deletion command:

curl -X DELETE "localhost:9200/_snapshot/my_s3_repository/snapshot_1"

In this command, replace my_s3_repository with the name of your repository and snapshot_1 with the name of the snapshot you want to delete.

However, as this needs to be done frequently, it's more effective to automate the deletion process based on a retention policy. That's where the Snapshot Lifecycle Management (SLM) policy comes into play.

SLM policies in Elasticsearch can be used to automate the creation, deletion, and retention of snapshots. These policies define when and how often snapshots are created, as well as how long they are kept before deletion.

Here's an example of an SLM policy (available in Elasticsearch 7.4 and later, with retention from 7.5) that creates a snapshot at 2:30 AM every day and retains each snapshot for 30 days:

curl -X PUT "localhost:9200/_slm/policy/nightly-snapshots" -H 'Content-Type: application/json' -d'
{
  "schedule": "0 30 2 * * ?",
  "name": "<nightly-snap-{now/d}>",
  "repository": "my_s3_repository",
  "config": {
    "indices": ["*"]
  },
  "retention": {
    "expire_after": "30d",
    "min_count": 5,
    "max_count": 50
  }
}'

The schedule uses Elasticsearch's cron syntax with a leading seconds field, so 0 30 2 * * ? means 02:30:00 every day. The name uses date math: <nightly-snap-{now/d}> resolves to a name like nightly-snap-2024.06.12, one per day. In the retention block, expire_after makes a snapshot eligible for deletion 30 days after it was taken, min_count keeps at least 5 snapshots even if all of them have expired, and max_count deletes the oldest once more than 50 exist even if none has expired. Retention runs on its own cluster-wide schedule (slm.retention_schedule, 01:30 daily by default), so expired snapshots disappear at the next retention run rather than at the moment they expire. This SLM policy, nightly-snapshots, will ensure that your older snapshots are automatically removed, freeing up storage space while maintaining a sufficient backup history.
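The monitoring and retention rules above are easy to get wrong by hand, so here is an added example, written for this page and not code from the original article or from Elastic, that checks them offline in Python. It classifies the entries of a GET _snapshot/my_s3_repository/_all response into healthy, partial, failed and running, decides whether a monitoring job should alert, applies the expire_after / min_count / max_count rules to pick which successful snapshots a cron-driven cleanup should DELETE, and flags any repository whose settings still carry inline AWS keys. The repository names, snapshot names (which follow the <nightly-snap-{now/d}> pattern), timestamps and the fixed current time are constructed sample data; the retention function is a simplified model of the three SLM knobs, not the SLM implementation.

```python
"""Operator-side checks for Elasticsearch snapshot automation (added example).

Standard library only. The data below is constructed to match the shape of
GET _snapshot/<repo>/_all and GET _snapshot/_all, so nothing contacts a cluster.
The retention logic is a simplified model of SLM's expire_after / min_count /
max_count, not the SLM implementation itself.
"""
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2024, 6, 12, 3, 0, tzinfo=timezone.utc)


def _ms(iso):
    """Epoch milliseconds for a naive ISO-8601 timestamp read as UTC."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp() * 1000)


def _snap(name, state, start, end=None, total=12, failed=0):
    """One entry in the shape Elasticsearch reports; a running snapshot has no end time."""
    entry = {"snapshot": name, "state": state, "start_time_in_millis": _ms(start),
             "shards": {"total": total, "failed": failed, "successful": total - failed}}
    if end is not None:
        entry["end_time_in_millis"] = _ms(end)
    return entry


# Constructed GET _snapshot/my_s3_repository/_all for the nightly-snapshots policy.
SAMPLE_RESPONSE = {"snapshots": [
    _snap("nightly-snap-2024.04.20", "SUCCESS", "2024-04-20T02:30:00", "2024-04-20T02:41:00"),
    _snap("nightly-snap-2024.05.05", "SUCCESS", "2024-05-05T02:30:00", "2024-05-05T02:42:00"),
    _snap("nightly-snap-2024.05.20", "PARTIAL", "2024-05-20T02:30:00", "2024-05-20T02:39:00", failed=2),
    _snap("nightly-snap-2024.06.01", "FAILED", "2024-06-01T02:30:00", "2024-06-01T02:31:00", failed=12),
    _snap("nightly-snap-2024.06.09", "SUCCESS", "2024-06-09T02:30:00", "2024-06-09T02:44:00"),
    _snap("nightly-snap-2024.06.10", "SUCCESS", "2024-06-10T02:30:00", "2024-06-10T02:43:00"),
    _snap("nightly-snap-2024.06.11", "SUCCESS", "2024-06-11T02:30:00", "2024-06-11T02:45:00"),
    _snap("nightly-snap-2024.06.12", "IN_PROGRESS", "2024-06-12T02:30:00"),
]}

# Constructed GET _snapshot/_all: one repository was registered with inline AWS keys.
SAMPLE_REPOSITORIES = {
    "my_s3_repository": {"type": "s3", "settings": {"bucket": "my_bucket", "base_path": "my_backup_folder",
                                                    "access_key": "AKIA...", "secret_key": "..."}},
    "audit_repo": {"type": "s3", "settings": {"bucket": "audit_bucket", "client": "audit"}},
}


def classify_snapshots(response):
    """SUCCESS restores in full; PARTIAL restores but lacks some shards;
    FAILED or INCOMPATIBLE is unusable; IN_PROGRESS is still running."""
    buckets = {"healthy": [], "partial": [], "failed": [], "running": []}
    for s in response["snapshots"]:
        key = {"SUCCESS": "healthy", "PARTIAL": "partial", "IN_PROGRESS": "running"}.get(s.get("state"), "failed")
        buckets[key].append(s["snapshot"])
    return buckets


def needs_alert(response, now, max_age_days):
    """Reasons a monitoring job should page: any partial or failed snapshot,
    or no fully successful snapshot newer than max_age_days."""
    buckets = classify_snapshots(response)
    reasons = [f"partial snapshot: {n}" for n in buckets["partial"]]
    reasons += [f"failed snapshot: {n}" for n in buckets["failed"]]
    ends = [s["end_time_in_millis"] for s in response["snapshots"] if s.get("state") == "SUCCESS"]
    if not ends:
        reasons.append("no successful snapshot in repository")
    elif now - datetime.fromtimestamp(max(ends) / 1000, tz=timezone.utc) > timedelta(days=max_age_days):
        reasons.append(f"newest successful snapshot older than {max_age_days} day(s)")
    return reasons


def select_for_deletion(response, now, expire_after_days, min_count, max_count):
    """Successful snapshots a cleanup job should delete, oldest first: expired
    ones while more than min_count remain, then the oldest until at most
    max_count remain. Partial and failed snapshots are left to needs_alert()."""
    good = sorted((s for s in response["snapshots"] if s.get("state") == "SUCCESS"),
                  key=lambda s: s["end_time_in_millis"])
    cutoff_ms = int((now - timedelta(days=expire_after_days)).timestamp() * 1000)
    remaining, to_delete = list(good), []
    for s in good:  # ascending, so the first unexpired entry ends the expiry pass
        if len(remaining) <= min_count or s["end_time_in_millis"] >= cutoff_ms:
            break
        to_delete.append(s["snapshot"])
        remaining.remove(s)
    while len(remaining) > max_count:
        to_delete.append(remaining.pop(0)["snapshot"])
    return to_delete


def find_inline_credentials(repositories):
    """Repositories carrying AWS keys in cluster state, readable by anyone who
    can call GET _snapshot; they belong in the keystore or an IAM role instead."""
    return sorted(name for name, repo in repositories.items()
                  if {"access_key", "secret_key"} & set(repo.get("settings", {})))
```

Feed the names returned by select_for_deletion to DELETE _snapshot/my_s3_repository/<name>, and wire needs_alert into whatever pages you. With the article's own policy values (30d, 5, 50) the sample deletes nothing, because min_count protects the two expired snapshots; with min_count 2 and max_count 3 it deletes exactly those two.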

Keeping up with the data influx in your Elasticsearch cluster is a significant part of managing your IT infrastructure. A well-planned approach to creating automatic snapshots and storing them in an AWS S3 snapshot repository can be a lifesaver in instances of data loss or corruption. However, it's equally important to manage the lifecycle of these snapshots to ensure storage efficiency.

By understanding the importance of Elasticsearch snapshots, knowing how to create a snapshot repository, automating the creation and deletion of snapshots, and knowing how to restore from a snapshot, you ensure the longevity and efficiency of your Elasticsearch cluster.

Remember that a snapshot does not stop the cluster serving traffic, but it is not free: throttle it if it competes with production I/O, and monitor every run, because a snapshot can end PARTIAL or FAILED without the create request returning an error. The built-in snapshot and SLM status APIs give you what you need for this.

Finally, consider leveraging AWS IAM roles for enhanced security, instead of embedding access credentials in API calls. Regularly revisit and update your snapshot and SLM policies to reflect the changing needs and growth of your Elasticsearch cluster.

Copyright 2024. All Rights Reserved