AWS Storage Blog
Application-consistent backup for Windows application on Amazon EC2 with AWS Backup
Many users rely on Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon Elastic Block Store (Amazon EBS) volumes to run their business critical Microsoft Windows-based workloads on AWS. These critical applications often span across multiple EBS volumes attached to EC2 instances. To make sure of the integrity and recovery of such vital workloads, users need an application-consistent backup and restore solution. This solution needs to capture the complete state of the entire application, not just individual volumes. Application-consistent backups are essential, as they preserve the same data as crash-consistent backups, with the additional benefit of including the in-memory data and pending I/O operations. This reduces the risks of data corruption and loss, making the recovery process more reliable. Furthermore, for disaster recovery (DR) purposes, users often prefer to replicate their backups to separate AWS accounts and/or AWS Regions to provide an additional layer of protection against Regional outages or other disasters.
Users can create application-consistent backups for their Windows workloads running on Amazon EC2 by using Windows Volume Shadow Copy Service (VSS), which is an agent used to create VSS application-consistent EBS snapshots. The VSS-enabled backups rely on several key software components working seamlessly together. By carefully coordinating these different pieces – the VSS service, requester, writers, and provider – VSS can non-disruptively coordinate application-aware snapshots. This allows users to back up critical Windows workloads on AWS with application consistency and the benefits of AWS scalability, availability, and automation.
On AWS, users can leverage VSS through services such as AWS Systems Manager Run Command, AWS Backup, or Amazon Data Lifecycle Manager to automate the creation of VSS-enabled EBS snapshots. Common workloads that benefit from this include mission-critical applications such as Microsoft Windows Server, Microsoft SQL Server, and Exchange Server. By using VSS-aware backups, users can make sure of application data integrity during restores.
In this post, we walk through the use of AWS Backup together with AWS Systems Manager to automate the creation and retention of VSS-enabled EBS snapshots for EC2 instances running Windows applications.
Solution overview
With AWS Backup, users can automate and manage application-consistent backups for their Windows workloads running on Amazon EC2. AWS Backup leverages the VSS-enabled snapshot capability through a custom Systems Manager Run Command called AWSEC2-CreateVssSnapshot. This command coordinates with the VSS agent on Windows instances to initiate various VSS snapshot operations such as flushing buffers, freezing I/O, taking the actual EBS snapshot, and then thawing I/O, seamlessly and without disruptions. Users can create backup plans with granular scheduling and retention policies through an intuitive web console, CLI, or API. Then, AWS Backup automatically invokes the VSS-enabled snapshots based on the configured policies. This provides a fully managed solution to back up Windows applications consistently without requiring complex scripts or manual processes.
The diagram illustrates the VSS-enabled snapshot creation using AWS Backup.
Figure 1: High level architecture
Prerequisites
Before setting up application-consistent backups with AWS Backup, a few prerequisite steps must be completed.
1. Install and Configure Systems Manager Agent
The AWS Systems Manager Agent must be installed on EC2 instances intended for backups. It provides an interface for AWS Backup to initiate VSS snapshots remotely. The agent is pre-installed on many AWS-provided Amazon Machine Images (AMIs), but it may need downloading on custom images.
2. Prepare Necessary IAM Permissions
An AWS Identity and Access Management (IAM) role with necessary permissions for VSS snapshot creation must exist. The policy allows actions such as ec2:CreateSnapshot and ssm:SendCommand. A sample policy is provided, but it should be tailored as needed.
3. Assign Backup Role to Instances
The IAM role granting VSS snapshot permissions must be attached to the EC2 instances containing the applications to back up. AWS Backup assumes this role when backing up the volumes.
4. Install VSS Components
Windows servers need the Windows VSS service and providers installed. The VSS components must be installed and registered with VSS for application-aware snapshots.
Following these key setup steps makes sure that AWS Backup and associated services can interface properly with EC2 instances and leverage VSS for consistent, automated backups of Windows workloads.
Walkthrough
Now you can create an on-demand backup or managed backup plan to enable VSS in AWS Backup.
1. Create a backup plan.
A) Open the AWS Backup console.
Figure 2: AWS Backup
B) Click Create backup plan on the AWS Backup console. You can also get there by selecting Backup plans from the menu.
Figure 3: AWS Backup – Create backup plan
C) You can start with a template provided by AWS if that works for you. Otherwise, move to the next step.
Figure 4: Create backup plan – Start with a template
D) Select Build a new plan and fill in the information.
Schedule
a) Backup plan name
b) Tags added to backup plan – optional
c) Backup rule name
d) Backup vault. You can choose the “Default” vault or create a new backup vault.
e) Backup frequency – choose how frequently you want AWS Backup to take and store snapshot backups.
Figure 5: Create backup plan – Build a new plan
Backup window
a) Start time – Specify the time of the day the backups start.
b) Start within – Defines the period of time in which a backup needs to start.
c) Complete within – Defines the period of time during which your backup must complete.
d) Point in time recovery – This is optional. Leave unchecked as it is currently available for Amazon Aurora, Amazon Relational Database Service (Amazon RDS), Amazon Simple Storage Service (Amazon S3), and SAP HANA on Amazon EC2 resources only.
Figure 6: Create backup plan – Backup window
Lifecycle
a) Move backups from warm to cold storage – This is optional. Leave unchecked as it is not currently available for Amazon EC2.
b) Total retention period.
Figure 7: Create backup plan – Lifecycle
c) Copy to destination – This is optional. You can select the target Region and optionally create a copy of the backup in a separate backup vault.
d) Tags added to recovery points – This is optional if you want to add tags to the backups.
Figure 8: Create backup plan – Copy to destination
Advanced backup settings
a) Note this important step. Enable Windows VSS. This helps make sure that the backups are application consistent.
Figure 9: Create backup plan – Windows VSS
b) Select Create plan to complete the backup plan.
Figure 10: Create plan
2. Assign resources to the backup plan.
A) Specify a Resource assignment name.
B) Select Choose an IAM role and select the IAM role created as part of the prerequisites steps.
Figure 11: Assign resources
3. Resource selection.
A) Select “Include specific resource types”. From the “Select specific resource types” drop-down, choose EC2. Windows VSS backup is currently supported for EC2 instances only.
B) For “Instance IDs”, select the EC2 instances that you want to back up. You can select “All instances” to select all.
C) Exclude specific resource IDs from the selected resource types – This is optional if you want to exclude instances.
D) Refine selection using tags – This is optional if you want to filter instances using tags.
E) Select Assign resource to complete the assignment.
Figure 12: Resource selection
The backup plan created is now complete. It runs per the schedule and creates backups.
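The same walkthrough can be expressed through the AWS Backup API. The following is an added example, not code from the original post: it builds the plan document with Windows VSS enabled and checks a plan (built here or fetched with get_backup_plan) for the gaps this post cares about. The function names, window lengths, and the all-instances resource pattern are assumptions chosen for illustration.

```python
def build_vss_plan(name, vault, schedule, retention_days, copy_vault_arn=None):
    """Backup plan document with Windows VSS enabled for EC2."""
    rule = {
        "RuleName": f"{name}-rule",
        "TargetBackupVaultName": vault,
        "ScheduleExpression": schedule,      # e.g. cron(0 5 ? * * *)
        "StartWindowMinutes": 60,            # "Start within" (assumed value)
        "CompletionWindowMinutes": 480,      # "Complete within" (assumed value)
        "Lifecycle": {"DeleteAfterDays": retention_days},
    }
    if copy_vault_arn:                       # "Copy to destination"
        rule["CopyActions"] = [{
            "DestinationBackupVaultArn": copy_vault_arn,
            "Lifecycle": {"DeleteAfterDays": retention_days},
        }]
    return {
        "BackupPlanName": name,
        "Rules": [rule],
        "AdvancedBackupSettings": [
            {"ResourceType": "EC2", "BackupOptions": {"WindowsVSS": "enabled"}}
        ],
    }

def plan_gaps(plan):
    """Findings for a plan document that would weaken recovery."""
    gaps = []
    vss = any(s.get("ResourceType") == "EC2"
              and s.get("BackupOptions", {}).get("WindowsVSS") == "enabled"
              for s in plan.get("AdvancedBackupSettings", []))
    if not vss:
        gaps.append("Windows VSS not enabled for EC2")
    for rule in plan.get("Rules", []):
        if "DeleteAfterDays" not in rule.get("Lifecycle", {}):
            gaps.append(f"{rule['RuleName']}: no retention period")
        if not rule.get("CopyActions"):
            gaps.append(f"{rule['RuleName']}: no copy to a separate vault")
    return gaps

def apply(plan, role_arn):
    """Create the plan and assign all EC2 instances (needs boto3 and credentials)."""
    import boto3
    backup = boto3.client("backup")
    plan_id = backup.create_backup_plan(BackupPlan=plan)["BackupPlanId"]
    backup.create_backup_selection(BackupPlanId=plan_id, BackupSelection={
        "SelectionName": f"{plan['BackupPlanName']}-ec2",
        "IamRoleArn": role_arn,
        "Resources": ["arn:aws:ec2:*:*:instance/*"],
    })
    return plan_id
```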
Validating the backup
Let’s verify the backup jobs that this backup plan has created. A Completed status for a backup job does not guarantee that the VSS portion is successful. VSS inclusion is made on a best-effort basis. Follow these steps to determine if a backup is application-consistent, crash-consistent, or failed.
1. Open the AWS Backup console.
2. Under My account in the left side navigation, select Jobs.
3. Check the status of the backup job. You see one of the following statuses:
A) Completed status indicates that the backup is successful and the application is consistent (VSS).
B) Completed status with a green warning sign indicates that the VSS operation failed, and only a regular backup was created. This status also has a popover message “Windows VSS Backup Job Error encountered, trying for regular backup”.
C) Failed status means that the backup is unsuccessful.
Figure 13: Validating the backup
4. Select the backup job to view additional details of the backup job. For example, the details may read “Windows VSS Backup attempt failed because of timeout on VSS enabled snapshot creation.”
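Because a Completed job can hide a VSS fallback, the console check above is worth automating. The following is an added example, not code from the original post: it classifies backup job records shaped like list_backup_jobs output. It assumes the warning texts quoted in this section surface in the job's StatusMessage field; the sample records and ARNs are constructed.

```python
import re

# Warning texts quoted on this page; assumed to appear in StatusMessage.
VSS_FALLBACK = re.compile(r"windows vss backup (job error|attempt failed)", re.I)

def classify(job):
    """Return the consistency level a backup job record actually achieved."""
    state = job.get("State", "")
    if state in ("CREATED", "PENDING", "RUNNING", "ABORTING"):
        return "in-progress"
    if state != "COMPLETED":
        return "failed"
    vss_requested = job.get("BackupOptions", {}).get("WindowsVSS") == "enabled"
    if not vss_requested:
        return "crash-consistent"        # VSS was never requested
    if VSS_FALLBACK.search(job.get("StatusMessage") or ""):
        return "crash-consistent"        # VSS requested, fell back to regular backup
    return "application-consistent"

def not_app_consistent(jobs):
    """(ResourceArn, result) for finished jobs that missed application consistency."""
    results = ((j["ResourceArn"], classify(j)) for j in jobs)
    return [(arn, r) for arn, r in results
            if r not in ("application-consistent", "in-progress")]

# Constructed sample records (not real job output).
ARN = "arn:aws:ec2:us-east-1:111122223333:instance/"
SAMPLE_JOBS = [
    {"ResourceArn": ARN + "i-0aaaaaaaaaaaaaaaa", "State": "COMPLETED",
     "BackupOptions": {"WindowsVSS": "enabled"}},
    {"ResourceArn": ARN + "i-0bbbbbbbbbbbbbbbb", "State": "COMPLETED",
     "BackupOptions": {"WindowsVSS": "enabled"},
     "StatusMessage": "Windows VSS Backup Job Error encountered, "
                      "trying for regular backup"},
    {"ResourceArn": ARN + "i-0cccccccccccccccc", "State": "FAILED",
     "BackupOptions": {"WindowsVSS": "enabled"}},
    {"ResourceArn": ARN + "i-0dddddddddddddddd", "State": "RUNNING",
     "BackupOptions": {"WindowsVSS": "enabled"}},
]

if __name__ == "__main__":
    # Live use: boto3.client("backup").list_backup_jobs(ByResourceType="EC2")["BackupJobs"]
    for arn, result in not_app_consistent(SAMPLE_JOBS):
        print(result, arn)
```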
Key considerations
On AWS, VSS-enabled backups support Windows Server 2012 or later and a volume size of up to 64 TB. If the VSS backup fails, then it creates a regular crash-consistent backup. Note that the EC2 instance types on this list are not supported for VSS-enabled Windows backups because they are small instances and might not take the backup successfully.
You can also use Amazon Data Lifecycle Manager to automate the creation, retention, and deletion of EBS snapshots and EBS-backed AMIs. If you wish to use Amazon Data Lifecycle Manager instead of AWS Backup, then refer to this Amazon Storage post.
Cleaning up
We recommend using AWS Backup to automatically delete the backups that you no longer need by configuring your lifecycle when you created your backup plan. However, you might want to manually delete one or more recovery points to stop incurring charges for those.
1. In the AWS Backup console, in the navigation pane, choose Backup vaults.
2. On the Backup vaults page, choose the backup vault where you stored the backups.
3. Choose a recovery point, choose the Actions dropdown, then choose Delete.
4. To delete the recovery points listed, type delete, and then choose Delete recovery points.
Figure 14: Cleaning up
5. AWS Backup begins to submit your recovery points for deletion and displays a progress bar. Keep your browser tab open and do not navigate away from this page during the submission process.
6. At the end of the submission process, AWS Backup presents a status in the banner.
7. If you choose View progress, then you can review the Deletion status of each backup.
Conclusion
In this post, we showed how to leverage AWS Backup to automate and manage application-consistent backups of Windows workloads running on Amazon EC2 without disrupting runtime operations. As Windows applications evolve, AWS Backup’s policy-driven management can be applied regardless of where assets reside and how they are configured, eliminating custom tools.
To get started, refer to the AWS Backup Developer’s Guide. Please comment or ask questions in the comment section.