Part 1 – Backup AWS Resources N2WS Cloud Protection Manager (CPM)

Toward the end of 2017, I set out to explore methods of backing up AWS instances and resources.  NWN is a Veeam VCSP and so initially I was drawn to Cloud Protection Manager from N2WS as it was slated to be included with the Veeam AWS Availability Suite in order to back up AWS EC2 instances.  Thus, I thought I’d get a head start on my learning curve and begin using CPM to back up my AWS instances.

Recently, Veeam acquired N2WS for $42.5 million, so I’m even more certain that my decision to work with CPM was time well spent. I look forward to the integration of the products, especially a single management console, though to the best of my knowledge no dates for my backup utopia utility have been promised.

Certainly as with any on-prem IT environment, reliable backup, restore, and DR of cloud environments can be of vital importance.  CPM provides an organization with the following benefits:

  • Block-level and Incremental-Forever Snapshots
    • CPM snapshots are taken at the block level and are the most efficient backup available.  If only part of a file changes, only the modified disk blocks are backed up.  Snapshots can be scheduled with frequencies that range from minutes to months and retained for any period of time, allowing great flexibility in Recovery Point Objective (RPO).  Not only does CPM provide backup and restore services for EC2 instances and EBS volumes, it can also back up and restore RDS, Redshift, and Aurora clusters.
  • Live and Consistent Application Backup
    • Perform application consistent backup of production applications without taking systems offline.  CPM includes out-of-the-box support for MySQL, MongoDB, Oracle, PostgreSQL, SQL Server, Exchange, Active Directory, SharePoint and more.  CPM also supports VSS on Windows systems enabling application consistent backups.
  • Policy-Based Backups
    • Offering flexible policy-based backups, CPM delivers complete control over backup operations, including: backup targets and snapshot scheduling that can range from minutes to months.
  • File-Level Restore
    • Restore individual files without having to restore the entire instance or mount the volume.
  • Rapid Recovery and Disaster Recovery
    • Rapidly recover complete servers/instances, specific volumes, or individual files in minimal time. Recover complete instances to other AWS regions or even other AWS accounts.
    • Create “snapshot vaults” to prevent snapshot deletion.  Replicate entire instances to other AWS accounts or regions.  Use one-click instant recovery of volumes and/or complete instances to restore systems into your AWS accounts.
  • IAM Users, Roles, and Multi-Tenancy Support
    • CPM is designed for multi-tenancy, allowing you to protect multiple AWS accounts from a single console. To enhance environment access control, CPM supports IAM roles for secure cross-account federation and access, as well as IAM credentials. CPM also enables creation of multiple users, each managing multiple AWS accounts containing multiple instances.

Deploying a CPM Instance using the AWS Marketplace

The AWS Marketplace is an online store where you can find, buy, and quickly deploy software that runs on AWS.  These software packages are available in the form of Amazon Machine Images (AMIs) that contain all of the information necessary to boot an Amazon EC2 instance with your software.  The AMIs available through the AWS Marketplace have been tested by AWS, so you can be confident that the software/AMIs you deploy through the Marketplace will perform as expected; you should therefore always check the Marketplace for software you wish to deploy.

  1. Open a web browser and connect to https://aws.amazon.com/marketplace. In the search bar, type cloud protection manager and click the search icon.
  2. The various Cloud Protection Manager versions are displayed. The steps documented here detail the process of deploying the CPM Free Trial version, but regardless of the version you choose, the steps should be similar.  With the CPM results displayed, click Cloud Protection Manager Free Trial & BYOL Edition.
  3. On the CPM Free Trial page, feel free to review the Pricing Information (change the region to the region in which CPM will be installed) and AMI details. Click Continue when you are ready to deploy the CPM instance.
  4. If you are not already signed into the AWS management console, you will be prompted to do so. Enter your AWS credentials and click Sign In.
  5. Once your login is successful, you will be directed to a 1-Click Launch tab. On this tab, specify the following and click Launch with 1-click:
    • Region
    • EC2 Instance Type
    • VPC Settings
      • In this example, I deployed the CPM instance into a private subnet
    • Security Group
    • Key Pair

You should receive a notice that the CPM instance is being deployed, effectively ending the AWS Marketplace CPM launch process.  Launch the AWS management console and connect to the EC2 dashboard to continue the configuration of CPM.

IAM User and Custom Policy Creation

To support backup, restore, and DR operations with the minimal security permissions, a new IAM User (BackupSVC) with custom permissions was created and used for CPM.  Three (3) custom policies (Backup, Restore, and SNS) were created to support CPM operations and are detailed below:

N2WSBackup

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:CopySnapshot",
        "ec2:CopyImage",
        "ec2:CreateImage",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteSnapshot",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:ModifyImageAttribute",
        "ec2:ModifySnapshotAttribute",
        "ec2:ResetSnapshotAttribute",
        "kms:ListKeys",
        "kms:ListAliases"
      ],
      "Sid": "Stmt1374236955000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:CreateDBSnapshot",
        "rds:DeleteDBSnapshot",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:ListTagsForResource",
        "rds:CopyDBSnapshot",
        "redshift:DescribeClusters"
      ],
      "Sid": "Stmt1374237153000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}

N2WSRestore

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AttachVolume",
        "ec2:CreateImage",
        "ec2:CreateVolume",
        "ec2:DeleteVolume",
        "ec2:DeregisterImage",
        "ec2:DescribeImages",
        "ec2:DetachVolume",
        "ec2:ModifyImageAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifySnapshotAttribute",
        "ec2:ModifyVolumeAttribute",
        "ec2:RegisterImage",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "iam:PassRole"
      ],
      "Sid": "Stmt1374243096000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:RestoreDBInstanceFromDBSnapshot",
        "rds:RestoreDBClusterFromSnapshot"
      ],
      "Sid": "Stmt1374243250000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}

N2WSNotifications

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sns:CreateTopic",
        "sns:GetTopicAttributes",
        "sns:Publish",
        "sns:SetTopicAttributes",
        "sns:Subscribe"
      ],
      "Sid": "Stmt1374246783000",
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
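
A check to run on each of the three policies above before pasting it into the IAM JSON editor, given here as an added example that is not part of the original post or of N2WS's tooling. It replaces the typographic quotes that web pages tend to introduce, parses the JSON, and reports statements with no `Resource` as well as sensitive actions allowed on `*`; the `SENSITIVE` selection, the function names and the sample policy are assumptions constructed for illustration.

```python
import json

# Assumption: actions from the page's policies that merit a scoped Resource or Condition.
SENSITIVE = {
    "iam:PassRole": "can hand any role to a launched instance",
    "ec2:ModifySnapshotAttribute": "can share snapshots with other accounts",
    "ec2:DeleteSnapshot": "can remove EBS backups",
    "rds:DeleteDBSnapshot": "can remove RDS backups",
}
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"'})

def as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)

def lint_policy(text):
    """Return (findings, cleaned_json) for one IAM policy document."""
    findings = []
    cleaned = text.translate(CURLY)
    if cleaned != text:
        findings.append("typographic quotes replaced with ASCII quotes")
    policy = json.loads(cleaned)  # raises ValueError if still not valid JSON
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        resources = as_list(stmt.get("Resource"))
        if not resources:
            findings.append(f"{sid}: Resource is missing or empty")
        elif stmt.get("Effect") == "Allow" and "*" in resources and "Condition" not in stmt:
            for action in as_list(stmt.get("Action")):
                if action in SENSITIVE:
                    findings.append(f"{sid}: {action} on * ({SENSITIVE[action]})")
    return findings, json.dumps(policy, indent=2)

# Constructed sample: a trimmed restore-style policy as pasted from a web page.
SAMPLE = """{
“Version”: “2012-10-17”,
“Statement”: [
  {“Sid”: “Backup”, “Effect”: “Allow”, “Action”: [“ec2:CreateSnapshot”], “Resource”: []},
  {“Sid”: “Restore”, “Effect”: “Allow”,
   “Action”: [“ec2:RunInstances”, “iam:PassRole”], “Resource”: [“*”]}
]}"""

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE)[0]:
        print(finding)
```

The second return value is the re-serialized policy with ASCII quotes, which is the text to paste into the JSON editor.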

  1. To create the custom policies, click IAM from the AWS services page.
  2. On the IAM dashboard, click Policies | Create Policy.
  3. On the Create policy page, click the JSON tab, copy/paste one of the custom backup policies into the JSON editor, and click Review Policy.
  4. On the Review policy page, enter a policy Name and Description and then review the policy settings as seen under the Summary heading. Click Create Policy.
  5. Repeat steps #2-4 until all required custom policies are created.
  6. Remain on the IAM dashboard to create the BackupSVC user. Click Users | Add User.
  7. On the Set user details page, enter a User name, set the Access type, and then click Next: Permissions.  For the CPM backup account, BackupSVC was the user name and the Access type was set to Programmatic access, as BackupSVC will not need to log in to the AWS management console.
  8. On the Set permissions for BackupSVC page, click Attach existing policies directly. In the policy type search box, search for the custom policies created in steps #1-5.  In this example, all custom policies had N2WS at the beginning of the policy name, thus within the search box, the search parameter was N2WS.  Select each of the custom policies created for CPM and click Next: Review.
  9. On the Review page, verify the user information and click Create user.
  10. Download the user CSV file containing the Shared and Secret Access Keys as they will be required prior to configuring backup policies.

In the next post we’ll look at initializing the CPM appliance and adding an AWS account to it.

4 thoughts on “Part 1 – Backup AWS Resources N2WS Cloud Protection Manager (CPM)

  1. How to abort a backup job once it’s started taking snapshot backup in AWS. Is there any option to abort in CPM? Or in AWS console level?
