Protecting your critical Amazon EBS volumes using AWS Backup

Enterprises use block storage such as Amazon Elastic Block Store (Amazon EBS) for mission-critical workloads because it provides high performance, low latency, and reliable data access needed for demanding applications like databases, ERP systems, and real-time analytics. As EBS volumes often contain critical application data, configurations, or operating system files, backing up and restoring these volumes becomes crucial for maintaining data integrity and availability in cloud environments. If there is data corruption, accidental deletion, or system failure, then having a reliable backup makes sure that data can be quickly restored, minimizing downtime and preventing data loss. Backup strategies provide a safety net, allowing businesses to recover from unexpected incidents without significant disruption.

Organizations use AWS Backup to streamline and automate the backup process for AWS resources such as EBS volumes. It provides a centralized platform for creating and managing backup policies, making sure that EBS volume backups occur automatically and consistently. Performing cross-Region and cross-account backups makes sure that EBS volumes are protected from localized failures, providing robust data protection, improved compliance, and business continuity. Using AWS Backup allows organizations to automate and manage the backup and restore process for EBS volumes, reducing manual effort and minimizing downtime in case of data loss or failure.

In this post, I demonstrate how to create a backup plan for your EBS volumes using two methods: the AWS Backup console, and the AWS Command Line Interface (AWS CLI). Using a standard template, this plan allows you to use AWS Backup to take daily backups of your EBS volumes and retain them for seven days. You can edit the retention, or exclude certain volumes based on your business requirements.

Prerequisites

• An AWS account will be needed for this tutorial. For more information on using AWS Backup for the first time, view the AWS Backup documentation.
• One or more Amazon EBS volumes (including those that are free tier eligible). For the pricing of volumes not in the free tier, refer to the Amazon EBS pricing page. For AWS Backup pricing, refer to the AWS Backup pricing page.
• IAM roles used by AWS Backup to create a backup of the Amazon EBS volume.
  • If a subsequent role is not created, then the default IAM role can be used – AWSBackupDefaultRole.

Getting started with AWS Backup from the AWS management console

Go to console.aws.amazon.com, and to AWS Backup console, as shown in Figure 1.

Figure 1: Select AWS Backup from Services

If this is your first time using AWS Backup, then create your backup plan by going to the Backup plan tab, as shown in Figure 2.

Figure 2: Go to the Backup plans tab from the left hand side of AWS Backup console

Choose Create backup plan, and you are directed to the Create backup plan workflow, as shown in Figure 3.

Figure 3: Landing page for Create backup plan workflow

Choose Start with a template, use the Daily-35day-Retention template, and specify a name for your backup plan, as shown in Figure 4.

Figure 4: Select the Daily-35day-Retention template and specify a name for your Backup plan

Select the DailyBackups rule to edit the retention from 35 days to 7 days. The 7-day retention setting provides the same protection as the default policy by Data Lifecycle Manager (DLM). You can also choose to keep 35-day retention or change it according to your requirement. You can leave the other settings as is, then choose Save Backup Rule, as shown in Figure 5.

Note: If you have existing DLM policies protecting the same EBS volumes, as long as your volume encryption doesn’t change, AWS Backup creates snapshots incremental of the snapshots that DLM created.

Figure 5: Change the Total retention period from the default 35 days to 7 days

After saving the backup rule, you should observe the Create backup plan screen, as shown in Figure 6. Choose the Create Backup Plan button. This backup plan takes daily backups of your resources and keeps them for seven days.

Figure 6: Summary of your backup plan. Select Create plan

You should observe a green banner signaling that your backup plan has been created successfully, as shown in Figure 7. Then, you are directed to assign your currently unprotected EBS volumes to the plan. You can also select the Amazon Elastic Compute Cloud (Amazon EC2) instance, which includes the EBS volumes attached to it.

Figure 7: Assign resources workflow as part of creating your backup plan

To include the EBS volumes, you can choose Include specific resource types, and choose EBS, as shown in Figure 8.

Figure 8: Select EBS from the list of supported services

You can refine the selection further using tags or choose the specific EBS volume that you want to protect. Then, choose Assign resources, as shown in Figure 9.

Figure 9: Select one, many, or all EBS volumes to back up.

You have finished creating a backup policy to protect your EBS volumes from accidental deletion, corruption, or other data loss events. You should observe a green banner signaling your resource assignment has been created successfully, as shown in Figure 10.

Figure 10: Summary of backup plan with Backup rules and Resource assignments

Using the AWS CLI to create your Amazon EBS backup policy

To use the command line, you can use the following template. These commands create a backup plan with a daily rule, 7-day retention, and protection for the EBS volumes in your account.

If this is your first time using the AWS CLI, then follow the instructions in this AWS CLI user guide to set it up.

First, create your backup plan using create-backup-plan.

aws backup create-backup-plan --backup-plan '{"BackupPlanName":"EBSSnapshotDefault","Rules":[{"RuleName":"DailyBackups","ScheduleExpression":"cron(0 5 ? * * *)","StartWindowMinutes":480,"TargetBackupVaultName":"Default","Lifecycle":{"DeleteAfterDays":7}}]}'

After entering this, you get the result with the backup-plan-id of the plan you created (Figure 11).

Figure 11: Result of CLI with backup-plan-id

Use the backupPlanId output to enter the following command to create the EBS volume resource assignment using create-backup-selection. The following command also uses the default service role AWSBackupDefaultServiceRole. Change the IamRole if needed.

aws backup create-backup-selection --backup-plan-id [backupPlanId] --backup-selection '{"SelectionName":"EBSSnapshot","IamRoleArn":"arn:aws:iam::[accountId]:role/service-role/AWSBackupDefaultServiceRole","Resources":["arn:aws:ec2:*:*:volume/*"]}' 

After entering this, you get the result with the resource-assignment ID that you created (Figure 12).

Figure 12: CLI result with the resource-assignment ID

Cleaning up

To avoid incurring future costs, delete the backups if you are no longer need them.

Conclusion

In this post, I walked through using AWS Backup to protect your EBS volumes using the AWS console in a few steps. I also provided a sample of the commands using AWS CLI to create the same backup policy. You have now created backup policies to protect EBS volumes. If a recovery is needed, follow the steps in the AWS Backup Developer Guide to restore your application data.

Thanks for reading this post. To learn more about AWS Backup, visit the AWS Backup Developer Guide. If you have questions or comments, please leave them in the comment section.