AWS plug-in configuration notes
The Amazon Web Services (AWS) plug-in lets you create, restore, and delete snapshots of the following assets in an Amazon cloud:
Elastic Compute Cloud (EC2) instances
Elastic Block Store (EBS) volumes
Amazon Relational Database Service (RDS) instances
Aurora clusters
Redshift clusters
AWS DocumentDB
AWS Neptune
RDS Custom for SQL
RDS Custom for Oracle
Note:
Before you configure the AWS plug-in, ensure that you have enabled the regions that you want to protect and configured the proper permissions so that NetBackup Snapshot Manager can work with your AWS assets.
NetBackup Snapshot Manager supports the following AWS regions:
Table: AWS regions supported by NetBackup Snapshot Manager
| AWS commercial regions | AWS GovCloud (US) regions |
|---|---|
The following information is required for configuring the NetBackup Snapshot Manager plug-in for AWS:
If NetBackup Snapshot Manager is deployed in the AWS cloud:
Table: AWS plug-in configuration parameters: cloud deployment
| NetBackup Snapshot Manager configuration parameter | Description |
|---|---|
| For Source Account configuration | |
| Regions | One or more AWS regions associated with the AWS source account in which to discover cloud assets. Note: If you deploy NetBackup Snapshot Manager using the CloudFormation template (CFT), the source account is automatically configured as part of the template-based deployment workflow. |
| VPC Endpoint | First DNS name of the AWS Security Token Service (STS) endpoint service, with no zone specified. |
| For Cross Account configuration | |
| Account ID | The account ID of the other AWS account (cross account) whose assets you want to protect using the NetBackup Snapshot Manager instance configured in the Source Account. |
| Role Name | The IAM role that is attached to the other AWS account (cross account). |
| Regions | One or more AWS regions associated with the AWS cross account in which to discover cloud assets. |
| VPC Endpoint | First DNS name of the AWS Security Token Service (STS) endpoint service, with no zone specified. For example, vpce-044994fccdfd11b6f-k5hd5cx1.sts.us-east-2.vpce.amazonaws.com |
Note:
To make an existing NetBackup Snapshot Manager deployed in the AWS cloud use a VPC endpoint, edit the configured plug-in and add the VPC Endpoint entry.
See Prerequisites for configuring AWS plug-in using VPC endpoint.
When NetBackup Snapshot Manager connects to AWS, it uses the following endpoints. You can use this information to create an allow list on your firewall.
Note:
Amazon Web Services recommends using the regional endpoint instead of global endpoints.
ec2.*.amazonaws.com
sts.*.amazonaws.com
rds.*.amazonaws.com
kms.*.amazonaws.com
ebs.*.amazonaws.com
iam.*.amazonaws.com
eks.*.amazonaws.com
autoscaling.*.amazonaws.com
(For DBPaaS protection) dynamodb.*.amazonaws.com, redshift.*.amazonaws.com
(For provider managed consistency) ssm.*.amazonaws.com
In addition, you must specify the following resources and actions:
ec2.SecurityGroup.*
ec2.Subnet.*
ec2.Vpc.*
ec2.createInstance
ec2.runInstances
NetBackup Snapshot Manager provides an option to restore the original network configuration (all the NICs and IP addresses on the source VM) on AWS:
Private IPs are restored as they were on the source VM, if that IP is available to attach.
For public IPs, the public IP property is restored as it was on the source VM; based on this attribute, a public IP is assigned to the restored VM.
If you are creating multiple configurations for the same plug-in, ensure that they manage assets from different Regions. Two or more plug-in configurations should not manage the same set of cloud assets simultaneously.
When many accounts are all managed by a single NetBackup Snapshot Manager, the number of assets managed by that one instance might become too large; it is better to distribute them across instances.
To achieve application-consistent snapshots:
Ensure that the prerequisites for provider-managed consistency are met. For more information, refer to the AWS documentation.
If the above prerequisites are not met, agent or agentless network connections between the remote VM instance and NetBackup Snapshot Manager are required. This requires setting up cross-account/subscription/project networking.
Before you configure the plug-in, consider the following:
NetBackup Snapshot Manager does not support AWS Nitro-based instances that use EBS volumes that are exposed as non-volatile memory express (NVMe) devices.
To allow NetBackup Snapshot Manager to discover and protect AWS Nitro-based Windows instances that use NVMe EBS volumes, ensure that the AWS NVMe tool executable file, ebsnvme-id.exe, is present in one of the following locations on the AWS Windows instance:
%PROGRAMDATA%\Amazon\Tools: This is the default location for most AWS instances.
%PROGRAMFILES%\Veritas\Cloudpoint: Manually download and copy the executable file to this location.
System PATH environment variable: Add or update the executable file path in the system's PATH environment variable.
If the NVMe tool is not present in one of the mentioned locations, NetBackup Snapshot Manager may fail to discover the file systems on such instances.
You may see the following error in the logs:
"ebsnvme-id.exe" not found in expected paths!"
To allow NetBackup Snapshot Manager to discover and protect Windows instances created from a custom or community AMI:
AWS NVMe drivers must be installed on custom or community AMIs. See this link.
Install ebsnvme-id.exe in either %PROGRAMDATA%\Amazon\Tools or %PROGRAMFILES%\Veritas\Cloudpoint.
The friendly device name must contain the substring "NVMe"; otherwise, update it in the Windows registry for all NVMe-backed devices.
Registry path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_NVMe&Prod_Amazon_Elastic_B\
Property Name: FriendlyName
Value: NVMe Amazon Elastic B SCSI Disk Drive
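The two NVMe-tool requirements above (tool location and disk friendly name) as a pre-flight check, written here as an added example rather than code from NetBackup Snapshot Manager; the filesystem probe is injectable, so the constructed sample below exercises it without a Windows host.

```python
r"""Pre-flight check for the ebsnvme-id.exe requirement described above.
Added example, not NetBackup Snapshot Manager code. The search order follows
the page: %PROGRAMDATA%\Amazon\Tools, %PROGRAMFILES%\Veritas\Cloudpoint, then
each directory on the system PATH. The filesystem probe is injectable so the
check can be exercised off-box with the constructed sample below."""
import ntpath
import os
from typing import Callable, Iterable, Mapping, Optional

TOOL_NAME = "ebsnvme-id.exe"
NOT_FOUND_MSG = '"ebsnvme-id.exe" not found in expected paths!'  # message quoted on the page

def candidate_dirs(env: Mapping[str, str]) -> list:
    """Directories to search, in the order the page lists them."""
    dirs = [
        ntpath.join(env.get("PROGRAMDATA", r"C:\ProgramData"), "Amazon", "Tools"),
        ntpath.join(env.get("PROGRAMFILES", r"C:\Program Files"), "Veritas", "Cloudpoint"),
    ]
    dirs.extend(d for d in env.get("PATH", "").split(";") if d)  # PATH uses ';' on Windows
    return dirs

def locate_tool(env: Mapping[str, str],
                exists: Callable[[str], bool] = os.path.exists) -> Optional[str]:
    """Full path of the first ebsnvme-id.exe found, or None if no location has it."""
    for directory in candidate_dirs(env):
        path = ntpath.join(directory, TOOL_NAME)
        if exists(path):
            return path
    return None

def devices_without_nvme_name(friendly_names: Iterable[str]) -> list:
    """Disk friendly names lacking the 'NVMe' substring the page requires (registry fix needed)."""
    return [name for name in friendly_names if "NVMe" not in name]

def readiness_report(env: Mapping[str, str], friendly_names: Iterable[str],
                     exists: Callable[[str], bool] = os.path.exists) -> dict:
    """Combine both checks; 'error' mirrors the log line emitted when the tool is absent."""
    tool = locate_tool(env, exists)
    return {"tool_path": tool,
            "error": None if tool else NOT_FOUND_MSG,
            "devices_needing_rename": devices_without_nvme_name(friendly_names)}

# Constructed sample: tool present only on a PATH directory; one disk with a non-NVMe friendly name
SAMPLE_ENV = {"PROGRAMDATA": r"C:\ProgramData", "PROGRAMFILES": r"C:\Program Files",
              "PATH": r"C:\Windows\system32;C:\Tools\nvme"}
SAMPLE_FILES = {r"C:\Tools\nvme\ebsnvme-id.exe"}
SAMPLE_NAMES = ["NVMe Amazon Elastic B SCSI Disk Drive", "Amazon Elastic B SCSI Disk Drive"]
```

On a real instance, call readiness_report(os.environ, names_read_from_the_registry_key_above) with the default probe.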
Missing permission exception during discovery: By default, when a new AWS provider plug-in configuration is added, no permission check is done for AWS cloud-related operations. To enable the permission check during AWS provider plug-in configuration, add the parameter under the AWS section in the flexsnap.conf file.
Redshift clusters and databases must be in an available state on the AWS portal for NetBackup Snapshot Manager to discover and protect Redshift assets. When a Redshift cluster is in the available state, its assets are marked as Active in the NetBackup UI; otherwise, they are marked as Inactive.
You cannot delete automated snapshots of RDS instances, Redshift clusters, and Aurora clusters through NetBackup Snapshot Manager.
The application consistency of AWS RDS applications depends on the behavior of AWS (AWS suspends I/O while backing up the DB instance).
This is a limitation from AWS and is currently outside the scope of NetBackup Snapshot Manager.
All automated snapshot names start with the pattern rds:. For Redshift clusters, they start with rs:.
The NVMe tool requirement described above applies to AWS Nitro-based Windows instances only. If the instance is launched from a community AMI or a custom AMI, you might need to install the tool manually.
NetBackup Snapshot Manager does not support cross-account replication for AWS RDS instances, RDS clusters, or Redshift clusters, if the snapshots are encrypted using the default RDS encryption key (aws/rds). You cannot share such encrypted snapshots between AWS accounts.
If you try to replicate such snapshots between AWS accounts, the operation fails with the following error:
Replication failed The source snapshot KMS key [<key>] does not exist, is not enabled or you do not have permissions to access it.
This is a limitation from AWS and is currently outside the scope of NetBackup Snapshot Manager.
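The limitation described above can be checked before replication is attempted. This is an added example, not NetBackup Snapshot Manager code: it flags RDS instance and Aurora cluster snapshots whose KMS key is the AWS-managed aws/rds key, using constructed API-shaped records; live_report() assumes the standard boto3 RDS describe_db_snapshots / describe_db_cluster_snapshots and KMS list_aliases calls.

```python
"""Flag RDS and Aurora snapshots encrypted with the AWS-managed aws/rds key.
Added example, not NetBackup Snapshot Manager code: such snapshots cannot be
shared with another account, so cross-account replication fails with the KMS
error quoted above. live_report() assumes the standard boto3 RDS/KMS calls."""
from typing import Iterable, Optional

def default_rds_key_id(aliases: Iterable[dict]) -> Optional[str]:
    """TargetKeyId behind alias/aws/rds, taken from a KMS list_aliases() result."""
    for alias in aliases:
        if alias.get("AliasName") == "alias/aws/rds":
            return alias.get("TargetKeyId")
    return None

def unshareable_snapshots(snapshots: Iterable[dict], rds_default_key: Optional[str]) -> list:
    """Identifiers of encrypted snapshots whose key is the default aws/rds key.
    Accepts DBSnapshots (instances) and DBClusterSnapshots (Aurora) records."""
    if rds_default_key is None:
        return []
    flagged = []
    for snap in snapshots:
        if not snap.get("Encrypted", snap.get("StorageEncrypted", False)):
            continue  # unencrypted snapshots are not affected by this limitation
        # RDS reports KmsKeyId as a key ARN; the alias carries only the bare key id
        if snap.get("KmsKeyId", "").rsplit("key/", 1)[-1] == rds_default_key:
            flagged.append(snap.get("DBSnapshotIdentifier") or snap["DBClusterSnapshotIdentifier"])
    return flagged

def live_report(region: str) -> list:
    """Same check against a real account; boto3 is imported here so the pure part needs no SDK."""
    import boto3
    kms, rds = boto3.client("kms", region_name=region), boto3.client("rds", region_name=region)
    aliases = [a for p in kms.get_paginator("list_aliases").paginate() for a in p["Aliases"]]
    snaps = [s for p in rds.get_paginator("describe_db_snapshots").paginate() for s in p["DBSnapshots"]]
    snaps += [s for p in rds.get_paginator("describe_db_cluster_snapshots").paginate()
              for s in p["DBClusterSnapshots"]]
    return unshareable_snapshots(snaps, default_rds_key_id(aliases))

# Constructed sample data shaped like the AWS API responses (not from a real account)
DEFAULT_KEY = "11111111-2222-3333-4444-555555555555"
ARN = "arn:aws:kms:us-east-2:123456789012:key/"
SAMPLE_ALIASES = [{"AliasName": "alias/aws/rds", "TargetKeyId": DEFAULT_KEY},
                  {"AliasName": "alias/backup-cmk", "TargetKeyId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}]
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "rds:orders-2024-05-01", "Encrypted": True, "KmsKeyId": ARN + DEFAULT_KEY},
    {"DBSnapshotIdentifier": "orders-manual-cmk", "Encrypted": True,
     "KmsKeyId": ARN + "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
    {"DBSnapshotIdentifier": "orders-unencrypted", "Encrypted": False},
    {"DBClusterSnapshotIdentifier": "aurora-orders-snap", "StorageEncrypted": True, "KmsKeyId": ARN + DEFAULT_KEY},
]
```

Snapshots the check flags must be re-encrypted with a customer-managed key (by copying the snapshot) before they can be shared with the target account.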
If a region is removed from the AWS plug-in configuration, all the discovered assets from that region are also removed from the NetBackup Snapshot Manager assets database. If there are any active snapshots associated with the assets that get removed, you may not be able to perform any operations on those snapshots.
Once you add that region back into the plug-in configuration, NetBackup Snapshot Manager discovers all the assets again and you can resume operations on the associated snapshots. However, you cannot perform restore operations on the associated snapshots.
NetBackup Snapshot Manager supports commercial as well as GovCloud (US) regions. During AWS plug-in configuration, even though you can select a combination of AWS commercial and GovCloud (US) regions, the configuration will eventually fail.
NetBackup Snapshot Manager does not support IPv6 addresses for AWS RDS instances. This is a limitation of Amazon RDS itself and is not related to NetBackup Snapshot Manager.
For more information, refer to the AWS documentation.
NetBackup Snapshot Manager does not support application-consistent snapshots and granular file restores for Windows systems with virtual disks or storage spaces that are created from a storage pool. If a Microsoft SQL Server snapshot job uses disks from a storage pool, the job fails with an error. However, if a snapshot job is triggered for a virtual machine that is in a connected state, the job might succeed; in this case, file system quiescing and indexing are skipped. The restore job for such an individual disk to its original location also fails. In this condition, the host might move to an unrecoverable state and require manual recovery.
An AWS virtual machine cannot be restored with a security group that is not owned by the account where the restore is performed. This is due to an AWS limitation that prevents creating an EC2 instance with a shared VPC's security group that is not owned by the account creating the virtual machine.
For more information, refer to the 'Share your VPC' section of the Amazon VPC User Guide.
For file system or application-consistent snapshots using AWS Systems Manager (SSM):
The SSM document created must be removed manually on plug-in/NetBackup Snapshot Manager removal.
Snapshots of VM workloads having an ext2 file system are consistent depending on the kernel/operating system version.
If the AWS CLI or the AWS VSS components module is not installed on the VM workload, internet access is required to install it.
If pre- and post-scripts are not provided, a Linux application-consistent snapshot requires the VM to be in a connected state with the application plug-in configured.
For protecting multiple cross-accounts using the source account configuration:
Once the configuration has been added and the assets have begun to be protected, cross accounts can be removed from the inline policy only after all of their snapshots have expired.
The number of assets handled by a single provider configuration in NetBackup Snapshot Manager may become excessive when several accounts are all maintained under the same provider configuration. Therefore, rather than placing them implicitly under the source account setup, create a distinct cross-account configuration for accounts with a large number of assets.
Regardless of the type of deployment, only a single such source account configuration can be configured to protect multiple cross accounts.
Any existing cross-account configuration cannot be migrated to a single source provider configuration for protection.