Before backups can occur, you must configure a backup file server. After a backup file server is configured, you can start a backup at any time, or schedule recurring backups.


  • Verify that the SFTP server is running the supported OS and the supported SFTP software. The following table displays the supported and tested software for backup, although other software versions might work.
    Currently supported OS   Specifically tested version    SFTP software version
    CentOS                   8.4                            OpenSSH_8.0p1
    CentOS                   7.9 or 7.7                     OpenSSH_7.4p1
    RHEL                     8.4                            OpenSSH_8.0p1
    RHEL                     7.9 or 7.7                     OpenSSH_7.4p1
    Ubuntu                   20.04                          OpenSSH_8.2p1
    Ubuntu                   18.04                          OpenSSH_7.6p1
    Windows                  Windows Server 2019 Standard   OpenSSH_for_Windows_8.1p1
  • Verify that the SFTP server is ready for use and is running SSH and SFTP, using the following commands:
    • $ ssh backup_user@sftp_server
    • $ sftp backup_user@sftp_server
  • Verify the required hashed ECDSA host key is present on the backup server. See Find the SSH Fingerprint of a Remote Server.
  • Ensure that the directory path exists where you want to store your backups and that you have read/write permissions to the directory. You cannot use the root directory (/).
  • If you have multiple NSX-T Data Center deployments, you must use a different directory for storing the backup of each deployment.
  • If your NSX Manager or Global Manager appliance has the DNS server access set to "publish_fqdns": true, you must configure that setting on the new NSX Manager or Global Manager appliance before you begin the restore process. Follow instructions at "Configuring NSX Manager for Access by the DNS Server" in the NSX-T Data Center Installation Guide.


  1. From a browser, log in with admin privileges to the NSX Manager or Global Manager at https://<manager-ip-address>.
  2. Select System > Backup & Restore.
  3. Click Edit under the SFTP Server label to configure your SFTP server.
  4. Enter the IP address or FQDN of the backup file server.
  5. Change the default port if necessary. The default port is 22.
  6. The protocol text box is already filled in.
    SFTP is the only supported protocol.
  7. In the Directory Path text box, enter the absolute directory path where the backups will be stored.
    The directory must already exist and cannot be the root directory (/). Avoid using path drive letters or spaces in directory names; they are not supported. If the backup file server is a Windows machine, you must use the forward slash when you specify the destination directory. For example, if the backup directory on the Windows machine is c:\SFTP_Root\backup, specify /SFTP_Root/backup as the destination directory.
    The path to the backup directory can contain only the following characters: alphanumerics (a-z, A-Z, 0-9), underscore (_), plus and minus sign (+ -), tilde and percent sign (~ %), forward slash (/), and period (.).
    The backup process generates a name for the backup file that can be quite long. On a Windows server, the length of the full path name of the backup file can exceed the limit set by Windows and cause backups to fail. To avoid this issue, see the KB article
  8. Enter the user name and password required to log in to the backup file server.
    The first time you configure a file server, you must provide a password. Subsequently, if you reconfigure the file server, and the server IP or FQDN, port, and user name are the same, you do not need to enter the password again.
  9. You can leave the SSH Fingerprint blank and accept or reject the fingerprint provided by the server after you click Save in a later step. If necessary, you can retrieve the SSH fingerprint by using this API: POST /api/v1/cluster/backups?action=retrieve_ssh_fingerprint.
  10. Verify the required ECDSA host key is present on the backup server by running ssh-keyscan -t ecdsa <backup server IP/FQDN>. For example:
    # ssh-keyscan -t ecdsa ftpserver.corp.local
    # ftpserver.corp.local:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5
       ftpserver.corp.local ecdsa-sha2-nistp256 
    Starting in NSX-T Data Center 3.2.1, support includes key sizes 256-bit, 384-bit, and 521-bit. In NSX-T Data Center 3.2.0, support includes only 256-bit key size. If the command output does not return a supported ECDSA key, you must configure the key on the backup server. Contact the OS vendor if you need guidance for that configuration.
  11. Enter a passphrase.
    Important: You will need this passphrase to restore a backup. If you forget the passphrase, you cannot restore any backups.
  12. Click Edit under the Schedule label.
    You can schedule recurring backups. You can also trigger backups for configuration changes. You can select both options for recurring backups.

    When you set up recurring backups, the system automatically backs up the inventory if there is a change in inventory, such as the addition or removal of a Transport Node. This feature is not available for manual backups.

    Inventory backups do not get collected for Global Manager.

    To enable recurring backups:

    1. Click the Recurring Backup toggle.
    2. Click Weekly and set the days and time of the backup, or click Interval and set the interval between backups.
    3. Enabling the Detect NSX configuration change option will trigger an unscheduled full configuration backup when it detects any runtime or non-configuration related changes, or any change in user configuration. For Global Manager, this setting triggers backup if any changes in the database are detected, such as the addition or removal of a Local Manager or Tier-0 gateway or DFW policy.

      You can specify a time interval for detecting database configuration changes. The valid range is 5 minutes to 1,440 minutes (24 hours). This option can potentially generate a large number of backups. Use it with caution.

  13. Click Save.
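
The host key check from steps 9 and 10, as an added example (not part of the original documentation or of NSX-T): it parses ssh-keyscan output, keeps only ECDSA keys of a size the stated release supports, and computes the OpenSSH-style SHA256 fingerprint. The sample key is constructed filler bytes; that the SSH Fingerprint box shows this SHA256 form is an assumption.

```python
import base64
import hashlib

# ECDSA host key types accepted per release, as stated in step 10 above.
SUPPORTED = {
    "3.2.0": {"ecdsa-sha2-nistp256"},
    "3.2.1": {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"},
}

def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte length prefix)."""
    return len(data).to_bytes(4, "big") + data

def _blob_key_type(blob):
    """Read the key type name stored at the start of a public key blob."""
    length = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 + length:
        raise ValueError("truncated key blob")
    return blob[4:4 + length].decode("ascii")

def ecdsa_fingerprints(keyscan_output, release):
    """Return (host, key_type, SHA256 fingerprint) for each supported ECDSA key."""
    found = []
    for line in keyscan_output.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 3:
            continue  # banner comment, or an entry with no key blob
        host, key_type, b64 = fields[:3]
        if key_type not in SUPPORTED[release]:
            continue  # not ECDSA, or a key size this release does not accept
        try:
            blob = base64.b64decode(b64, validate=True)
            if _blob_key_type(blob) != key_type:
                continue  # declared type does not match the blob contents
        except ValueError:
            continue  # not valid base64 or not a well-formed blob
        digest = hashlib.sha256(blob).digest()
        found.append((host, key_type,
                      "SHA256:" + base64.b64encode(digest).decode().rstrip("=")))
    return found

# Constructed sample: a nistp384 entry built from filler bytes, not a real host key.
_blob = (_ssh_string(b"ecdsa-sha2-nistp384") + _ssh_string(b"nistp384")
         + _ssh_string(b"\x04" + b"\x11" * 96))
SAMPLE = ("# ftpserver.corp.local:22 SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5\n"
          "ftpserver.corp.local ecdsa-sha2-nistp384 "
          + base64.b64encode(_blob).decode() + "\n")
```

With this sample, release 3.2.0 yields no usable key (the server offers only a 384-bit key) while 3.2.1 yields one. Compare the returned fingerprint with one read on the backup server itself, for example with ssh-keygen -lf on the server's ECDSA public host key file, before accepting it in step 9.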


After you configure a backup file server, you can click Backup Now to manually start a backup at any time. Automatic backups run as scheduled.

A progress bar shows the status of the in-progress backup.

When the manual or scheduled backup completes, it is listed in the Backup History section of the page. The Last Backup Status label indicates whether the backup was successful and lists the timestamp, node, and cluster details of the appliance backed up. If the backup fails, you can see an error message.

To see a list of available backups if you cannot access an NSX Manager or Global Manager appliance, see Listing Available Backups for details.