Creating Multiple AWS Backup Vaults to protect resources


Brett Gillett

3 minute read


Ensuring you have regular backups, i.e., snapshots, is a fundamental step in creating reliable, fault-tolerant solutions on the AWS platform.

Luckily, AWS provides a fully managed, easy-to-use solution that lets us centrally manage snapshots for several AWS services.

In this article, I’ll discuss how we deployed multiple AWS Backup vaults for a fully managed WordPress deployment.

Before we discuss the details of the AWS Backup solution itself, let’s have a quick look at the overall solution.

We deployed a highly-available, fault-tolerant WordPress site for the customer by using two Availability Zones (AZ) in a single AWS Region.

AWS Backup

AWS Backup is a Regional service that comes with a single backup vault called ‘Default.’ To provide more flexibility, we created individual vaults for each of the (supported) AWS services shown in the reference architecture above - Elastic File System (EFS), Elastic Block Store (EBS), and Elastic Compute Cloud (EC2).

Here’s an example of how we deployed the Backup Vault for EFS:

vault2:
    Type: AWS::Backup::BackupVault
    Properties:
      # Resolves to <environment>-efs-vault
      BackupVaultName: !Join ['-', [!Ref environment, efs-vault]]

To finish the setup, we need both a Backup Plan and a Backup Selection. Let’s start with the Backup Plan for EFS.

The Backup Plan is associated with a Vault and provides the rules used by the Backup service - think schedule and retention policy.

Here’s the corresponding CloudFormation definition for the EFS Backup Plan:

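backupPlan2:
    Type: AWS::Backup::BackupPlan
    DependsOn:
      - vault2
    Properties:
      BackupPlan:
        BackupPlanName: !Join ['-', [!Ref environment, efs]]
        BackupPlanRule:
          # A job that has not finished within 120 minutes is cancelled
          - CompletionWindowMinutes: 120
            Lifecycle:
              # Retention: recovery points are deleted after this many days
              DeleteAfterDays: !Ref daysToKeep
            RuleName: !Join ['-', [!Ref environment, efs]]
            # Daily at 04:00 (UTC unless a time zone is set on the rule)
            ScheduleExpression: 'cron(0 4 * * ? *)'
            # The job must start within 60 minutes of the scheduled time
            StartWindowMinutes: 60
            TargetBackupVault: !Ref vault2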

The last piece of our Backup deployment is selecting which AWS resources we want to protect using AWS Backup. Identifying the resources to be backed up is done via tagging.

Completing this setup with CloudFormation is super easy. Here’s the code snippet we created to protect EFS:

selection2:
    Type: AWS::Backup::BackupSelection
    DependsOn:
      - backupPlan2
      - vault2
    Properties:
      BackupPlanId: !Ref backupPlan2
      BackupSelection:
        # Role ARN exported by the separate IAM stack
        IamRoleArn: {'Fn::ImportValue': !Sub '${iamStack}-backup-role-arn'}
        # Any supported resource carrying exactly this tag key and value is selected
        ListOfTags:
          - ConditionKey: '<customerCode>:backup-resource'
            ConditionValue: efs
            ConditionType: STRINGEQUALS
        SelectionName: !Join ['-', [!Ref environment, 'efs']]

You may notice in the above code snippet we also have defined an IAM role. The AWS Backup service requires access to several other services to perform its activities.

Here’s an example of an IAM Role - again deployed via CloudFormation:

backupIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        # Quoted so YAML parsers treat the version as a string, not a date
        Version: '2012-10-17'
        Statement:
          # Only the AWS Backup service may assume this role
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      # AWS managed policies for taking backups and performing restores
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
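
Because the selections shown earlier match on a tag alone, a mistyped or missing tag silently leaves a resource without backups. The following is an added example, not part of the original deployment, that audits a resource inventory against that rule. The tag key (standing in for the '<customerCode>' placeholder), the "prod" prefix, the ebs and ec2 vault names, and the inventory are all constructed assumptions.

```python
# Added example (not from the original article): offline audit of which
# resources a tag-based AWS Backup selection would pick up.
# TAG_KEY stands in for the article's '<customerCode>:backup-resource' placeholder.
TAG_KEY = "examplecorp:backup-resource"

# Tag value -> vault. Only the efs selection is shown in the article; the ebs and
# ec2 entries and the "prod" environment prefix are assumptions.
SELECTIONS = {"efs": "prod-efs-vault", "ebs": "prod-ebs-vault", "ec2": "prod-ec2-vault"}

# Constructed inventory: (resource id, service, tags).
INVENTORY = [
    ("fs-0a1b2c3d", "efs", {TAG_KEY: "efs"}),
    ("vol-0123abcd", "ebs", {TAG_KEY: "EBS"}),          # wrong case
    ("i-0456cdef", "ec2", {"Name": "wordpress-a"}),     # never tagged
    ("vol-0789beef", "ebs", {TAG_KEY: "efs"}),          # wrong value for its type
    ("i-0aaa1111", "ec2", {TAG_KEY: "ec2"}),
]


def audit(inventory, selections=SELECTIONS, tag_key=TAG_KEY):
    """Return (covered, findings).

    covered maps resource id -> vault name; findings lists (resource id, reason)
    for resources that are skipped or that land in an unexpected vault.
    """
    covered, findings = {}, []
    for rid, service, tags in inventory:
        value = tags.get(tag_key)
        if value is None:
            findings.append((rid, "no backup tag, so no plan selects it"))
        elif value in selections:
            # STRINGEQUALS compares the tag only; resource type is not checked.
            covered[rid] = selections[value]
            if value != service:
                findings.append((rid, f"{service} resource tagged '{value}' goes to {selections[value]}"))
        elif value.strip().lower() in selections:
            findings.append((rid, f"tag value '{value}' differs only in case or spacing, not selected"))
        else:
            findings.append((rid, f"tag value '{value}' matches no selection"))
    return covered, findings


if __name__ == "__main__":
    covered, findings = audit(INVENTORY)
    for rid, vault in covered.items():
        print(f"OK    {rid} -> {vault}")
    for rid, reason in findings:
        print(f"CHECK {rid}: {reason}")
```

In a real account the inventory would come from the tagging or resource APIs; the matching logic stays the same.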

Pricing

So how much does this cost? If you’re using AWS Backup for EBS, RDS, DynamoDB or the Storage Gateway, there are no additional charges for AWS Backup. You still pay standard snapshot pricing for these backups.

Since EFS does not natively support snapshots using AWS Backup, additional charges will apply.

