How To Copy A Backup In AWS Backup Service
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
AWS Backup is a regional service, and you may run into a situation where you need to copy a backup from one region to another. Or your application architecture may use the pilot light disaster recovery technique, which requires a continuous copy of your backups from one region to another. In AWS Backup, you can either define the copy configuration directly in your backup plan, which takes care of continuously copying backups from one region to another, or start an ad hoc copy job to copy a backup whenever you need to. If your account is part of an AWS organization, you can also copy a backup from one member account to another member account in your organization.
In this blog post, we will discuss how to copy a backup from one region to another in the AWS Backup service. We are going to create an EBS volume in the source region, back it up to the source region's default backup vault, and finally copy this backup to the target region's default backup vault.
Prerequisites:
- AWS CLI installed and configured with proper access. Use the links below to install and configure the AWS CLI. The commands in this post also use jq to parse the CLI's JSON output.
https://cloudaffaire.com/how-to-install-aws-cli/
https://cloudaffaire.com/how-to-configure-aws-cli/
Step 1: Create an IAM role for the backup service.
```bash
## Create assume role policy definition
cat <<'EOF'> backup_assume_role_policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

## Create IAM role
aws iam create-role \
  --role-name backup_iam_role \
  --assume-role-policy-document file://backup_assume_role_policy.json

## Attach the AWS managed backup and restore service role policies to the role
aws iam attach-role-policy \
  --role-name backup_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup &&
aws iam attach-role-policy \
  --role-name backup_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

## Get the role ARN
ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) &&
IAM_ROLE_ARN="arn:aws:iam::$ACCOUNT_ID:role/backup_iam_role" &&
echo "$IAM_ROLE_ARN"
```
Step 2: Create a new EBS volume in the source region.
```bash
## Create a new EBS volume in source region
EBS_VOL_ID=$(aws ec2 create-volume \
  --volume-type gp2 \
  --availability-zone ap-south-1a \
  --region ap-south-1 \
  --tag-specifications 'ResourceType=volume,Tags=[{Key=Name,Value=myebs}]' \
  --size 1 | jq -r .VolumeId) &&
EBS_VOL_ARN="arn:aws:ec2:ap-south-1:$ACCOUNT_ID:volume/$EBS_VOL_ID" &&
echo "$EBS_VOL_ARN"
```
Step 3: Create a backup of the EBS volume in the source region.
```bash
## Create a backup in source region
BACKUP_JOB_ID=$(aws backup start-backup-job \
  --backup-vault-name Default \
  --resource-arn "$EBS_VOL_ARN" \
  --iam-role-arn "$IAM_ROLE_ARN" \
  --start-window-minutes 60 \
  --complete-window-minutes 120 \
  --region ap-south-1 | jq -r .BackupJobId) &&
echo "$BACKUP_JOB_ID"

## List backup jobs
aws backup list-backup-jobs \
  --region ap-south-1

## Get details on the backup job
aws backup describe-backup-job \
  --backup-job-id "$BACKUP_JOB_ID" \
  --region ap-south-1
```
Note: The backup job may take some time to complete. Check the “State” field in the output and proceed to the next step once it is “COMPLETED”.
Step 4: Validate the backup by checking if a recovery point was created for your backup.
```bash
## Get protected resource details in source region
## (Results[0] assumes this volume is the only protected resource in the region)
PROTECTED_RESOURCE_ARN=$(aws backup list-protected-resources \
  --region ap-south-1 | jq -r '.Results[0].ResourceArn') &&
aws backup describe-protected-resource \
  --region ap-south-1 \
  --resource-arn "$PROTECTED_RESOURCE_ARN"

## Get recovery point details in source region
RECOVERY_POINT_ARN=$(aws backup list-recovery-points-by-resource \
  --region ap-south-1 \
  --resource-arn "$PROTECTED_RESOURCE_ARN" | jq -r '.RecoveryPoints[0].RecoveryPointArn') &&
aws backup describe-recovery-point \
  --backup-vault-name Default \
  --recovery-point-arn "$RECOVERY_POINT_ARN" \
  --region ap-south-1
```
Step 5: Copy the backup from source region to target region.
```bash
## Get backup vault details in target region
aws backup describe-backup-vault \
  --backup-vault-name Default \
  --region us-east-1

## Since we are using the default vault, you may need to log in
## to the AWS console and open the Backup service in the target region;
## this will automatically create the default vault for you

## Copy the backup from source region to target region
US_VAULT_ARN=$(aws backup describe-backup-vault \
  --backup-vault-name Default \
  --region us-east-1 | jq -r .BackupVaultArn) &&
aws backup start-copy-job \
  --recovery-point-arn "$RECOVERY_POINT_ARN" \
  --source-backup-vault-name Default \
  --destination-backup-vault-arn "$US_VAULT_ARN" \
  --iam-role-arn "$IAM_ROLE_ARN" \
  --region ap-south-1

## List all the copy jobs in source region
aws backup list-copy-jobs \
  --region ap-south-1

## Get copy job details in source region
COPY_JOB_ID=$(aws backup list-copy-jobs \
  --region ap-south-1 | jq -r '.CopyJobs[0].CopyJobId') &&
aws backup describe-copy-job \
  --copy-job-id "$COPY_JOB_ID" \
  --region ap-south-1
```
Note: The copy job may take some time to complete. Check the “State” field in the output of the above command and proceed to the next step once it is “COMPLETED”.
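The wait for “COMPLETED” after the backup job in Step 3 and the copy job in Step 5 can be scripted so that later steps never run against a job that failed or is still running. The helper below is an added example, not part of the original post; the names job_state and wait_for_job and the tunables POLL_SECONDS and MAX_POLLS are assumptions made here, and it reads the state with the CLI's own --query option instead of jq.

```bash
## Added example: wait for an AWS Backup job to reach a terminal state.
## POLL_SECONDS and MAX_POLLS are assumed tunables, not AWS settings.
POLL_SECONDS=${POLL_SECONDS:-30}
MAX_POLLS=${MAX_POLLS:-120}

## job_state <backup|copy> <job-id> <region>: print the job's current State
job_state() {
  case "$1" in
    backup)
      aws backup describe-backup-job --backup-job-id "$2" \
        --region "$3" --query State --output text ;;
    copy)
      aws backup describe-copy-job --copy-job-id "$2" \
        --region "$3" --query CopyJob.State --output text ;;
    *)
      echo "unknown job kind: $1" >&2
      return 2 ;;
  esac
}

## wait_for_job <backup|copy> <job-id> <region>
## Returns 0 on COMPLETED, 1 on a failed terminal state,
## 2 if the state could not be read, 3 if MAX_POLLS is exhausted.
wait_for_job() {
  wfj_polls=0
  while [ "$wfj_polls" -lt "$MAX_POLLS" ]; do
    wfj_state=$(job_state "$1" "$2" "$3") || return 2
    case "$wfj_state" in
      COMPLETED)
        return 0 ;;
      FAILED|ABORTED|EXPIRED|PARTIAL)
        echo "$1 job $2 ended in state $wfj_state" >&2
        return 1 ;;
    esac
    sleep "$POLL_SECONDS"
    wfj_polls=$((wfj_polls + 1))
  done
  echo "$1 job $2 not finished after $MAX_POLLS polls" >&2
  return 3
}

## Usage with the variables from this post:
##   wait_for_job backup "$BACKUP_JOB_ID" ap-south-1
##   wait_for_job copy "$COPY_JOB_ID" ap-south-1
```

Chaining the next step with && after wait_for_job stops the procedure when a job ends in FAILED, ABORTED, EXPIRED or PARTIAL instead of validating or copying a recovery point that was never produced.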
Our copy job executed successfully, and we should now have a recovery point in the target region that we can use to restore the EBS volume in the target region.
Step 6: Validate the backup copy in the target region.
```bash
## Get Default vault details in target region
aws backup describe-backup-vault \
  --backup-vault-name Default \
  --region us-east-1

## Observe "NumberOfRecoveryPoints": 1

## Get protected resource details in target region
US_PROTECTED_RESOURCE_ARN=$(aws backup list-protected-resources \
  --region us-east-1 | jq -r '.Results[0].ResourceArn') &&
aws backup describe-protected-resource \
  --region us-east-1 \
  --resource-arn "$US_PROTECTED_RESOURCE_ARN"

## Get recovery point details in target region
US_RECOVERY_POINT_ARN=$(aws backup list-recovery-points-by-resource \
  --region us-east-1 \
  --resource-arn "$US_PROTECTED_RESOURCE_ARN" | jq -r '.RecoveryPoints[0].RecoveryPointArn') &&
aws backup describe-recovery-point \
  --backup-vault-name Default \
  --recovery-point-arn "$US_RECOVERY_POINT_ARN" \
  --region us-east-1
```
We have successfully copied the backup from one region to another in the AWS Backup service.
Next, we will delete all the resources created in this demo.
Step 7: Clean up.
```bash
## Delete the recovery point in target region
aws backup delete-recovery-point \
  --backup-vault-name Default \
  --recovery-point-arn "$US_RECOVERY_POINT_ARN" \
  --region us-east-1

## Delete the recovery point in the source region
aws backup delete-recovery-point \
  --backup-vault-name Default \
  --recovery-point-arn "$RECOVERY_POINT_ARN" \
  --region ap-south-1

## Delete the EBS volume
aws ec2 delete-volume \
  --volume-id "$EBS_VOL_ID" \
  --region ap-south-1

## Delete the backup IAM role
aws iam detach-role-policy \
  --role-name backup_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup &&
aws iam detach-role-policy \
  --role-name backup_iam_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores &&
aws iam delete-role \
  --role-name backup_iam_role
```
Hope you have enjoyed this article. To learn more about AWS Backup, please refer to the official documentation below.
https://docs.aws.amazon.com/aws-backup/index.html