Amazon VPC Resources That Commvault Protects

You can recover full Amazon EC2 instances and related Amazon VPC resources and EC2 network configuration and security posture settings (JSON format).

You can do the following:

  • Back up EC2 instances with supported VPC resources in all supported regions and AWS accounts

  • Recover full Amazon EC2 instances, re-creating any missing VPC resources

  • Recover known, good Amazon EC2 and Amazon VPC network configuration and security settings for forensic investigation (JSON format)

Required Permissions

Before using this capability, verify that the amazon_restricted_role_permissions.json policy is assigned to the IAM user or IAM role that is used to authenticate to the Amazon EC2 hypervisor that contains the VPC resources that you want to protect. For more information, see IAM Policies for Protecting AWS Services with Commvault.

Commvault recommends controlling access to AWS resources using tags or TagKeys to further restrict the scope of access for Commvault data protection operations.

The blocks in amazon_restricted_role_permissions.json that are absolutely required for VPC protection are as follows:

 {
         "Sid":"VPCBackupPermissions",
         "Effect":"Allow",
         "Action":[
            "ec2:GetManagedPrefixListEntries",
            "ec2:DescribeVpnConnections",
            "ec2:DescribeVpcPeeringConnections",
            "ec2:DescribeFlowLogs",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeTransitGateways",
            "ec2:DescribeNatGateways",
            "ec2:GetSubnetCidrReservations",
            "ec2:DescribeCustomerGateways",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeTransitGatewayAttachments",
            "ec2:DescribeManagedPrefixLists",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeRouteTables",
            "ec2:DescribeVpnGateways",
            "ec2:DescribeCarrierGateways",
            "ec2:DescribeEgressOnlyInternetGateways"
         ],
         "Resource":"*"
      },
      {
         "Sid":"VPCRestorePermissions",
         "Effect":"Allow",
         "Action":[
            "ec2:CreateVpc",
            "ec2:DeleteVpc",
            "ec2:AssociateVpcCidrBlock",
            "ec2:AssociateDhcpOptions",
            "ec2:CreateSubnet",
            "ec2:ModifySubnetAttribute",
            "ec2:ModifyVpcAttribute",
            "ec2:CreateSecurityGroup",
            "ec2:DescribeSecurityGroupRules",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:DeleteSecurityGroup",
            "ec2:AssignPrivateIpAddresses",
            "ec2:CreateDhcpOptions",
            "ec2:DeleteSubnet",
            "ec2:DeleteDhcpOptions",
            "s3:PutObjectTagging"
         ],
         "Resource":"*"
      },

Amazon S3 Bucket for VPC Restores

During restores of VPC resources, the Commvault software creates an Amazon S3 bucket in the AWS account and region that a full instance restore with VPC resources restored, to support cleanup of Commvault-created VPC resources during failed restores. The default name of the bucket is gx-restore-<regionId>-<accountId>.

Configuring Customer-Managed KMS

By default, AWS enables server-side encryption on Amazon S3 buckets using Amazon S3 managed keys (SSE-S3). You can change the encryption method to either of the following:

  • Amazon S3 managed key encryption: To use this encryption method, on the access nodes that are used for EC2 backups and restores, add the AWSS3ServerSideEncryptionMethod entity setting with a value of "AES256".

  • AWS KMS key encryption: To use this encryption method, on the access nodes that are used for EC2 backups and restores, add the AWSS3ServerSideEncryptionMethod entity setting with a value of "aws:kms" and the AWSS3ServerSideEncryptionKMSKeyId entity setting with a value of the KMS key ID.

VPC Resources That Are Protected

Commvault protects the following VPC resources and all associated attributes (unless noted) when performing Amazon EC2 instance backups:

  • DHCP option sets

  • DNS attributes

  • Egress-only internet gateways

  • Elastic network interfaces (Linux, Windows)

  • Internet gateways

  • Managed prefix lists (customer-managed, AWS-managed)

  • NAT gateways

  • Network ACLs (default, custom)

  • Route tables (main, custom)

  • Security groups (VPC, instance)

  • Subnets (public, private, VPN only, isolated)

  • Subnet IP address ranges (IPv4 only, dual stack, IPv6 only)

  • VPCs (default, additional)

  • VPC Flow Logs

  • VPC peering connections

Commvault protects the following AWS PrivateLink resources:

  • VPC endpoints (interface, gateway, endpoint services)

Commvault protects the following AWS Site-to-Site VPN resources:

  • VPN gateways

  • VPN connections

  • Customer gateways

Commvault protects the following AWS Transit Gateway resources:

  • Transit gateways (gateways, attachments)

Commvault protects the following AWS Wavelength resources:

  • Carrier gateways

VPC Resources That Are Restored by a Full Amazon EC2 Instance Restore

To restore supported VPC resources and attributes, run a full restore of one or more Amazon EC2 instances in place or out of place.

A full restore either re-creates missing VPC resources or uses existing resources in the target AWS account and region as follows:

Resource

Re-created

Re-used (if existing)

DHCP option sets

Yes

Yes

Elastic Fabric Adapters

--

Yes

Elastic IPs (public IPs)

--

Yes

Elastic network interfaces (Linux, Windows)

Yes

Yes

Nested security group rules

--

Yes

Network ACLs

--

Yes

Route tables (main, custom)

--

Yes

Security groups (VPC, instance)

Yes

Yes

Subnet CIDR reservations

--

Yes

Subnets (public, private, VPN only, isolated)

Yes

Yes

VPCs (default, additional)

Yes

Yes

VPC Resources That Are Not Protected/Recovered

Loading...