Access Gateway backup and restore processes

Backing up your Access Gateway appliances and configurations is a proactive safeguard against data loss, down-time, and other unwanted negative impacts to your business. There are two primary methods of backing up Access Gateway appliances and configurations, and we highly suggest implementing both.

Image-based backup and restore process recommendations

Image-based Backups

Image-based backups are created using the built-in snapshot functionality found in VMware, VirtualBox, and other hypervisor products. The benefit of image-based backups is that the entire Access Gateway appliance and virtual machine is backed up. Here are some details about creating snapshots using some of the most common industry hypervisor solutions.

  • VirtualBox

  • Amazon Web Services (AWS)

Image-based Restore

In the event that you need to revert to a previous state, you can restore to another Access Gateway machine snapshot from the hypervisor interface.

We recommend creating a machine snapshot prior to updating an Access Gateway appliance.

We do not recommend that users restore Access Gateway snapshots as it can cause:

  1. Loss of recent backup files that Access Gateway automatically creates.

  2. Loss of recent changes in the Access Gateway appliance, and the application configurations hosted on Access Gateway may become out of sync with the identity provider.

If Access Gateway is part of a cluster, ensure you revert all nodes to the same snapshot.


  • On a nightly basis (at 12:00AM UTC -5), the Access Gateway appliance automatically creates a backup of the current Access Gateway state. This includes all identity provider and application configurations, custom configurations, and other appliance-specific data.

  • Access Gateway internal backups are stored locally.

  • The default process retains backup archives for two months; archives older than two months are deleted to manage available disk space.

  • Every node in an Access Gateway cluster is synchronized to use the same configuration. However, each node is responsible for creating an individual backup. Backup archives created on individual nodes are not synchronized.


  • An Access Gateway administrator or user must create a service ticket for the Okta Support to restore an Access Gateway appliance to a previous state using the internal backup archives.

  • If an application configuration was modified after a recent backup archive, the application may not be in sync with the identity provider after the restore process. In this case, you must update the application configuration after the restore process is complete.

  • The functionality to restore an Access Gateway backup archive is not available to Access Gateway administrator or users. A service ticket must be created in order to restore an Access Gateway backup archive.

If a restore process is requested for a clustered environment, all nodes must be reverted to the same backup point.