On-Premise Database Backup to Cloud: The Sysadmin Guide
Quick Answer: Back up on-premise databases to cloud storage by dumping the database, compressing with zstd, encrypting with AES-256-GCM on the source server before data leaves your network, then uploading to S3, Azure Blob, or GCS. BackupAgent automates this as a one-command install on any Linux or Windows server.
Why On-Premise Servers Need Cloud Backups
On-premise databases that back up only to local disk are one event away from total data loss: fire, flood, hardware failure, ransomware. The offsite backup requirement in the 3-2-1 rule exists precisely to handle this.
Cloud object storage solves offsite backup for on-premise servers better than traditional tape or remote disk because it is:
- Always available — no manual tape rotation, no VPN setup
- Durable — S3, Azure Blob, and GCS all offer 99.999999999% (11 nines) durability
- Cheap at scale — S3 Standard costs ~$0.023/GB/month; 100 GB of backups costs $2.30/month
- Immutable — S3 Object Lock prevents backup deletion even by compromised credentials
Security Model: Encrypt Before Upload
The most important rule for cloud database backup: encrypt on the source server before any data leaves your network.
This means the cloud provider never sees unencrypted data. Even if your S3 bucket is misconfigured, your IAM credentials are leaked, or the cloud provider is subpoenaed, the backup data is unreadable without the encryption key that lives only on your server (or in your key management system).
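```bash
# Encrypt locally, THEN upload.
# `openssl enc` rejects AEAD modes such as GCM, so this one-liner uses AES-256-CBC with PBKDF2 key derivation (confidentiality only).
set -o pipefail  # a failed pg_dump, zstd or openssl makes the whole pipeline return non-zero
pg_dump mydb | zstd | openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:BACKUP_KEY | aws s3 cp - s3://backups/mydb_$(date +%Y%m%d).dump.zst.enc
```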
Never use cloud-side encryption as your only protection. S3 SSE encrypts data at rest, but if your bucket access is compromised, the provider decrypts it for whoever has the credentials.
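The one-liner above uploads whatever reaches the end of the pipe, even if the dump died halfway. The following is an added example, not code from the original article or from BackupAgent: it stages the ciphertext locally, checks the dump's exit status without relying on `pipefail`, and test-decrypts before anything is uploaded. `DUMP_CMD` and `UPLOAD_CMD` are hypothetical hook variables, and the cipher is AES-256-CBC with PBKDF2 because `openssl enc` does not support GCM.

```shell
#!/bin/sh
# Added example (not the article's code). DUMP_CMD and UPLOAD_CMD are
# hypothetical hooks; their defaults mirror the article's one-liner.
# BACKUP_KEY must be exported so `openssl -pass env:` can read it.

backup_once() (                 # subshell body: variables and trap stay local
  dest="$1"
  [ -n "${BACKUP_KEY:-}" ] || { echo "BACKUP_KEY is not set" >&2; exit 2; }
  umask 077                     # staging files readable by this user only
  work="$(mktemp -d)" || exit 1
  trap 'rm -rf "$work"' EXIT
  enc="$work/backup.dump.zst.enc"

  # 1. dump -> compress -> encrypt. A pipeline reports only its LAST stage,
  #    so the dump's exit code is written to a file and checked afterwards.
  { rc=0; ${DUMP_CMD:-pg_dump mydb} || rc=$?; echo "$rc" > "$work/dump.rc"; } \
    | zstd -q -c \
    | openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:BACKUP_KEY -out "$enc" \
    || { echo "encrypt stage failed; nothing uploaded" >&2; exit 1; }
  [ "$(cat "$work/dump.rc")" = "0" ] \
    || { echo "dump failed; nothing uploaded" >&2; exit 1; }

  # 2. verify: decrypt with the same key and test the compressed frame.
  openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_KEY -in "$enc" \
    | zstd -q -t \
    || { echo "verification failed; nothing uploaded" >&2; exit 1; }

  # 3. upload, then print the ciphertext SHA-256. CBC is not authenticated,
  #    so keep this hash in a manifest on the source server and compare it
  #    against the downloaded object before any restore.
  ${UPLOAD_CMD:-aws s3 cp} "$enc" "$dest" >&2 || exit 1
  openssl dgst -sha256 -r "$enc" | cut -d' ' -f1
)

# Usage: export BACKUP_KEY=...; backup_once "s3://backups/mydb_$(date +%Y%m%d).dump.zst.enc"
```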
S3 Setup for On-Premise Backup
Step 1: Create a dedicated IAM user
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-backup-bucket",
        "arn:aws:s3:::my-backup-bucket/*"
      ]
    }
  ]
}
```
Write-only access is even better for backup agents. Remove s3:GetObject if your backup server should never be able to read back its own backups — this limits the blast radius of a compromised server.
Step 2: Enable versioning and Object Lock
In the S3 console, enable versioning on your backup bucket. Optionally enable Object Lock in Compliance mode for immutable backups that cannot be deleted before the retention period.
Step 3: Set a lifecycle rule for cost management
Create a lifecycle rule to move backups older than 30 days to S3 Glacier Instant Retrieval (10x cheaper) and expire backups older than 90 days.
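Steps 2 and 3 can also be applied from the AWS CLI. This is an added example, not part of the original article: the function names and the `lock_days` retention parameter are assumptions, and the commands must run with administrative credentials, since the backup user's policy above grants none of these permissions.

```shell
#!/bin/sh
# Added example (not the article's code). lifecycle_json, harden_bucket and
# lock_days are names chosen for this sketch.

# Print the Step 3 lifecycle document: transition after $1 days, expire after $2.
lifecycle_json() {
  [ "$1" -lt "$2" ] || { echo "transition must come before expiry" >&2; return 1; }
  # On a versioned bucket, Expiration only adds a delete marker. Without
  # NoncurrentVersionExpiration the old versions stay, and are billed, forever.
  # Versions still under Object Lock retention are not removed until it ends.
  cat <<EOF
{"Rules":[{"ID":"db-backup-tiering","Status":"Enabled","Filter":{"Prefix":""},
  "Transitions":[{"Days":$1,"StorageClass":"GLACIER_IR"}],
  "Expiration":{"Days":$2},
  "NoncurrentVersionExpiration":{"NoncurrentDays":1}}]}
EOF
}

# Apply Step 2 (versioning + Object Lock) and Step 3 (lifecycle) to a bucket.
harden_bucket() {
  bucket="$1"; lock_days="$2"   # lock_days: assumed Compliance-mode retention
  # Versioning first: Object Lock can only be configured on a versioned bucket,
  # and with versioning on, a PutObject over an existing key keeps the old version.
  aws s3api put-bucket-versioning --bucket "$bucket" \
    --versioning-configuration Status=Enabled || return 1
  aws s3api put-object-lock-configuration --bucket "$bucket" \
    --object-lock-configuration \
    "{\"ObjectLockEnabled\":\"Enabled\",\"Rule\":{\"DefaultRetention\":{\"Mode\":\"COMPLIANCE\",\"Days\":$lock_days}}}" \
    || return 1
  # 30 and 90 are the article's values for transition and expiry.
  aws s3api put-bucket-lifecycle-configuration --bucket "$bucket" \
    --lifecycle-configuration "$(lifecycle_json 30 90)"
}

# Usage: harden_bucket my-backup-bucket 30
```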
Azure Blob Storage Setup
```bash
# Install az-cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Create storage account and container
az storage account create --name mybackupstorage --resource-group backups --sku Standard_LRS
az storage container create --name db-backups --account-name mybackupstorage
# Upload encrypted backup
az storage blob upload --account-name mybackupstorage --container-name db-backups --name mydb_$(date +%Y%m%d).dump.zst.enc --file /tmp/backup.dump.zst.enc
```
Azure Blob supports immutable storage through time-based retention policies — similar to S3 Object Lock.
Bandwidth and Scheduling Considerations
How much data will you transfer?
| Database Size | Compressed Backup | Upload Time (100 Mbps) | Upload Time (1 Gbps) |
|---|---|---|---|
| 1 GB | ~340 MB | ~28 seconds | ~3 seconds |
| 10 GB | ~3.4 GB | ~4.5 minutes | ~27 seconds |
| 50 GB | ~17 GB | ~23 minutes | ~2.3 minutes |
| 200 GB | ~68 GB | ~91 minutes | ~9 minutes |
Schedule backups at 2–4 AM when network utilization is lowest. For databases over 100 GB, consider incremental backup strategies: pg_basebackup with WAL shipping (PostgreSQL) or Percona XtraBackup incremental backups (MySQL).
The Automated Approach: BackupAgent
Managing backup scripts across multiple on-premise servers creates operational debt: scripts need to be deployed, secrets rotated, cron jobs monitored. When servers are reprovisioned, the backup setup must be rebuilt.
BackupAgent solves this with a centralized agent model:
- Install the agent on each database server (one curl command)
- Register it in the web dashboard (generates API key, no credentials stored)
- Configure storage targets and schedules in the dashboard
- Agent handles dump → compress → encrypt → upload → verify on each server
The dashboard shows backup status across all on-premise servers in a single view, with anomaly detection alerting you if backup sizes change unexpectedly.
Frequently Asked Questions
Is it safe to back up databases to the cloud?
Yes, if you encrypt before upload. Use AES-256-GCM on your server before data leaves your network. Never rely solely on cloud-side encryption.
What is the cheapest cloud storage for on-premise database backups?
Backblaze B2 at ~$0.006/GB/month is the cheapest S3-compatible option. S3 with Intelligent-Tiering is a good choice if you need AWS's compliance features. Both work with BackupAgent.
How do I back up to multiple cloud providers?
Configure two storage targets in BackupAgent (or run two upload commands in your backup script). After each backup, the encrypted file uploads to both destinations — satisfying the multi-copy requirement of the 3-2-1-1-0 framework.