Skip to main content
Manage Backup Policies for AWS Resources
Updated over a month ago

This article provides a step-by-step guide on how to create a backup policy for your AWS workloads in Druva CloudRanger. You can create policies to backup your Amazon EBS, EC2, RDS, and Redshift resources.

To create a backup policy:

Step 1: On the top navigation bar, select Policies, and then click Create Backup Policy.

Policy.png

Step 2: Specify the following policy Setup information:

  • Add a Name and a brief Description of your policy.

  • Select the Snapshot + Backup to Druva Cloud check box to move snapshots to Druva Cloud for all resources specified within the policy.


πŸ“ Note
​ Ensure that you have provisioned your Druva Cloud Storage and configured appropriate Storage Rules. A backup policy defined to move snapshots to Druva Cloud will be executed only when a corresponding Storage Rule is available. For more information, see Provision Storage on Druva Cloud and Configure Storage Rules.


Step 3: Specify the backup Schedule.

  • Specify the backup Frequency.

    • Create backup every: Choose the backup frequency by day, week, month, or year.
      ​Example:
      Backup every week on Mondayeveryhour at 50 minutes past the hour.
      Backup every month on the 1st day of the month every30 minutes.

    • Backup Window [ Optional ]: Specify the backup from and to time in HH:MM notation.
      ​Note: This field applies only if you specify weekly backup every hour in the Create Backup Every field.

    • Time Zone: Select the time zone that applies to the backup frequency specified.

  • Click Save & Continue.
    ​

Step 4: Specify the Resources for backup.

  • On the Resources tab, click Add to identify resources that you wish to include in the backup.

  • On the Identify Resources page, specify the filter criteria to identify specific resources to include or exclude:


πŸ“ Note
​ Leverage AWS Tags to add multiple AWS resources to a particular Druva backup policy, rather than create multiple include rules to add AWS resources.As a best practice, we recommend that you use AWS Tags to add resources to a backup policy using a single rule.


How Include/Exclude conditions apply on Druva management console:

  • Include rules: When multiple include rules are defined, this translates to an β€˜OR’ condition. In other words, resources are matched against each include rule, and do not have to meet all specified conditions concurrently.

  • Exclude rules: Exclude rules take precedence when the same resource is matched based on the include and exclude criteria selected.
    An exception to this is when an EC2 resource is selected within include and an EBS volume within exclude. In such a scenario, the EBS volume that is part of EC2 will not be excluded from the backup.

  • When multiple tags are defined as part of include/exclude, this translates to an β€˜AND’ condition.

Field

Description

Find Resource types

Select the Resource Type, for example, EBS Volume, EC2, RDS, or Redshift.
You may select All resource types to filter resources across resource types.

In account

Select the CloudRanger account associated with the AWS resources to be specified.
You may select All accounts to identify resources across accounts.

And in region

Select the applicable AWS regions, or select All regions.

Match

Select the match criteria by Resource IDs, Tags, VPC IDs, Subnet IDs, or select All resources.
Based upon the Match selected, you will need to specify the criteria values appropriate to that criteria.
For example:
​Tags: Backup Type ; Values: Daily
​VPC IDs: Select by VPC IDs or VPC Name

  • Similarly, on Exclude Resources, click Add to identify specific resources that you wish to exclude from the backup.

  • The resources identified are then displayed under Include or Exclude Resources, based on your selection criteria.

  • Click the Resource count to view the list of r esources that are filtered using the Include or Exclude criteria:

  • The Resources page displays the list of resources categorized by Resource ID, Type, Region, and by Account. You may use the search or filter feature to locate specific resources by Resource Type or Region.


πŸ“ Note
​ Use the Download as CSV option to download the list of resources identified by the rule as a CSV file.


Filter_Download.png

πŸ“ Note
​ If the Resource Rule applied filters duplicate resources, the duplicate rule will be displayed with aicon on the management console. You can still create rules that identify duplicate resources, but these will be flagged and you may choose to edit the rule, as appropriate.


  • To eliminate a specific resource in the list from your backup policy, select the checkbox against that resource and click Remove.

  • Click Save & Continue.
    ​

Step 5: Specify the criteria for any additional backup Copies.


πŸ“ Note
​ Cross-region and cross-account backups are not supported for Redshift instances.


  • Select the Save extra copies to other regions checkbox to create additional copies of your AWS backups in multiple regions.
    You may specify up to two additional AWS regions to create copies in.

  • Select the Save an extra copy to another account checkbox to create additional copies of your AWS backups in another CloudRanger account.


πŸ“ Note
​The Backup Copy Encryption is applicable only if one or more resources included in the policy is encrypted, and a backup is to be generated. If the source resource is encrypted, then an Encryption Key is applied to the backup operation.


The Backup Copy Encryption options are displayed only when a cross-region or cross-account backup is to be generated for encrypted snapshots.

  • To backup encrypted resources, you will need to define the association of keys between the source and the target regions for that backup.
    To do this, select the Target Key for each target region specified.
    ​

    Encryption2.png
  • Under Resource Backup Options, you have the option to create backups of EC2 resources as AMIs or as snapshots. In the case of AMIs, you may also select your reboot preferences.

  • Click Save & Continue.
    ​

Step 6: Specify the backup Retention criteria.

Specify the Retention criteria. The standard retention options are pre-populated and you may modify based on your business requirements.


πŸ“ Note
​Druva CloudRanger follows the Grandfather-Father-Son (GFS) retention model. For more information on retention, please see About Retention for Backup Policies.


Field

Description

Retention

Select this option to specify the criteria for tiered retention of backups.

  • All backups retained for: Select the retention duration in hours, days, weeks, months, or years.

  • Select the retention criteria for Weekly, Monthly, or Yearly Backups.

You can choose to modify the default retention duration that is pre-populated.

Never delete

[Optional] Select this option to retain snapshots indefinitely.

Archive

Select the checkbox and specify the retention period to transition snapshots to EBS Archive.
​Example: Move weekly, monthly, and yearly data to EBS Archive after Glacier after 3 weeks.


πŸ“ Note
​The archive policy settings specified here will override any policy-based retention when moving a snapshot with an associated backup policy


EC2 and EBS snapshot retention

You may also specify the snapshot retention criteria. This retention applies to snapshots retained within your AWS environment.

A master snapshot will still be retained, irrespective of the retention set here.


πŸ“ Note
​This field is available only when the Snapshot + Backup to Druva Cloud toggle is enabled to move snapshots to Druva Cloud. Backups on Druva Cloud. will adhere to the retention set at the policy level.


Copy Options

Specify the retention criteria for the additional backup copies.

  • Select Same retention as source backup to retain the retention criteria.

  • Alternatively, you may specify the retention in hours, days, weeks, months, or years.

Enable Data Lock

Set the toggle to enable snapshot immutability, that is the accidental or malicious deletion of snapshots. Once enabled, Data Lock is applied to all snapshots protected by the backup policy. For more information, see Data Lock.

Step 7: Specify Additional Options for the backup.

Select the Execute VSS Consistent Scripts (Windows Only) checkbox to generate consistent snapshots for any Windows server with VSS installed.


πŸ“ Note
​If the selected Backup Policy has servers defined that do not have VSS installed, then a standard AWS EBS snapshot is generated. For more information, please see Generate VSS consistent snapshots for Windows servers.


  • Script Execution: The pre- and post-backup scripts feature offers enterprises the option to generate application-consistent snapshots for common applications like SQL Server. This ensures that the point-in-time snapshots will remain crash-consistent as well as application-consistent.

    • Select the Execute pre- and post-scripts for EC2 instances checkbox to enable script execution when creating a new backup policy.
      In addition, you can manage backup generation in the event that the scripts configured are unavailable.

    • Define the time limit to terminate script execution.
      ​For example: Abort script execution in 5 minutes

    • Select the backup execution criteria if the script is unavailable.

      • Execute backup without the script: Selecting this option will execute the backup without the configured script.

      • Attempt backup execution with warning: Selecting this option will initiate the backup but fail it at the point of execution of script.

      • Failthe backup and generate an error: Selecting this option fails the backup and generates an error corresponding to the backup failure.
        ​


    πŸ“ Note
    ​ You may configure scripts to specific resources from the main Scripts page. For more information, see Configure and Manage Backup Scripts.
    ​


  • Under EC2 Backup Options specify whether the policy should generate an AMI or a Snapshot.

    • Take Snapshot: Select this option to generate a snapshot for each volume attached to the EC2 instance.

    • Take AMIs: Select this option to generate an AMI, and the reboot preferences. In addition, you many choose one of the following backup options for EC2 AMIs:

      • Backup root volume and data volumes (default): Enable this to backup both the data volumes and the root volume that contains the Operating System

      • Backup root volume only: In some cases, the EC2 instances may create a large amount of backup data, in which case you can choose to only backup the root volume and not the data volumes.
        This option helps manage backup size and avoids the backup of the large data volumes, particularly for non-critical data.

      • Create a second 'root volume only' AMI with each backup: Enable this to create a second AMI for all EC2 instances backed up by the policy, which will have the Block Device Mappings adjusted to only contain the root volume.
        ​The backup retention, FLS as well as the Druva Cloud backup functionality will all work for this second AMI as expected. The second AMI is handled by the same job, and will begin to execute once the first AMI has completed. Both the AMIs will not be created together to prevent extra load on the instance.

  • Under Add Tags to Backups specify the tags to be applied to each backup generated by the policy. Tags act as metadata to help identify and organize your AWS resources. Based on the Key selected, you will need to specify the appropriate Value. F or example:
    ​Key: Created by Policy; Value: New
    ​Key: Origin; Value: Specify Origin ID

  • Select the Inherit tags from Source checkbox to inherit or retrieve tags from the Origin servers and apply them to backups generated by the policy.

  • Click Save.


πŸ“ Note
​To manage tags on existing snapshots, please refer to AWS Management Console - Tag Editor.


The backup policy is now successfully defined and is displayed on the main Backup Policies page with the State toggle set to Active.

Modify backup policy state

You can choose to set a backup policy to Active or Disable it. When a new Backup Policy is defined, the State toggle is set to Active by default.


πŸ“ Note
​Disabling a policy suspends all associated activities including backup retention and cleanup.


To modify the state of the backup policy, click the State toggle icon against the backup policy.

Did this answer your question?