Policy-Based Archival of EBS Snapshots to Amazon S3 Storage
Overview
Enterprises often need to retain long-term backup data for business continuity, compliance, customer contracts, and e-Discovery. Storage optimization is an ongoing process of evaluating your data storage needs and choosing a cost-effective AWS storage option that meets business needs. However, AWS does not currently offer an out-of-box low-cost storage tier for EBS snapshots.
You can now automatically transition your Amazon EBS snapshots to Amazon S3 storage classes such as Amazon S3 Standard, S3 Standard-IA, S3 One Zone, S3 Glacier, and S3 Glacier Deep Archive,, significantly reducing costs while retaining long-term availability.
Note: The Archive Snapshots to S3 feature is currently available only for EC2 and EBS backups.
The Archive to S3 feature support will be phased out from the Native Workloads management console over time to ensure minimal business impact. Post the deprecation, Archive to S3 will be unavailable for manual as well as policy-based snapshot archival. You may consider alternative long-term storage solutions including EBS Snapshot Archive, or leverage our Long Term Retention feature for snapshots on Druva Cloud.
Key Advantages
Archiving EBS snapshots to S3 offers the following benefits:
- Cost benefits: Transitioning snapshots to lower-cost storage offers significant savings on long-term retention.
- Ease of use: Policy-based approach to transition EBS snapshots to S3 (and other storage classes).
- Recovery: Recovery of individual files or snapshots from S3.
- File-level search in snapshots: Metadata-based file search to locate files from the snapshots, without having to recover snapshots in S3.
Prerequisites
Before you can archive snapshots to S3, ensure that you have setup the following:
- Update your AWS Access Role by deploying the latest CloudFormation template for each account in which you intend to archive snapshots. Navigate to Account Settings > AWS Access, and update your AWS CloudFormation stack/stackset.
For more information, see Update Existing AWS Access Roles in Druva CloudRanger. - Select the subnets for all account(s) in which you wish to archive snapshots:
- Navigate to Account Settings > Network Settings.
- Select the AWS Region in which the backups are to be archived.
- Select the Subnet corresponding to the Region specified.
The instances that upload data to S3 storage are created within the Subnet(s) selected.
Note:
The subnet must have at least three available IPs at any given time.
The subnet here must be part of a VPC with outbound Internet access or an S3 VPC Endpoint. This will enable the instance(s) to archive the data to S3 storage.
The subnet network ACL must not block outbound access to DNS or HTTPS requests. In addition, the default security group for your selected subnet's VPC must not block outbound access for DNS or HTTPS requests.
This is to facilitate access to DNS requests to locate the IP of the S3 bucket by the URL and HTTPS requests, thus enabling the instance(s) to upload to S3 storage.
Assign preferred Security Group to an instance
A security group controls the inbound and outbound traffic for the EC2 instance and helps secure your cloud environment. Each VPC is associated with a default security group, and you can create additional security groups, as needed. You can assign a security group only with resources in the VPC for which it is created.
Druva CloudRanger assigns the default Security Groups for the selected subnet’s VPC. To assign a preferred Security Group to an instance, you will need to add tags unique to each security group.
- To assign tags, navigate to your Amazon VPC console and select Security Groups.
- Select a particular security group and click Manage tags.
- Select Add tag and set the tag key and value.
Key: druva_cr_s3archive_sg
Value: true
The Security Group with this tag will now override the default security group for that subnet’s VPC. In the absence of this tag, the instances that upload data to S3 storage are created within the default security group.
Policy-Based Archival of EBS Snapshots to S3 Storage
You can automatically transition your Amazon EBS snapshots to Amazon S3 storage classes such as Amazon S3 Glacier and Amazon S3 Glacier Deep Archive via a backup policy.
To automatically archive your EBS snapshots to Amazon S3 storage:
- Log into the Druva CloudRanger console and navigate to Backup Policies.
- Click Create to create a new backup policy or select an existing policy to edit.
- On the Retention tab, specify the S3 archive options under Archive to S3.
- Select the Move backups to S3 checkbox and specify the Storage Class to which the backup is to be transitioned as well as the retention period.
For example: Move weekly, monthly, and yearly backups to Glacier after 3 weeks. - Select the Druva CloudRanger account and AWS region to which the backup is to be archived.
- Click Save & Continue.
Note: The storage class policy settings specified here will override any policy-based retention when moving a snapshot with an associated backup policy
- Select the Move backups to S3 checkbox and specify the Storage Class to which the backup is to be transitioned as well as the retention period.
- Specify the Resources and backup encryption that apply to the policy.
Once active, the backup policy is automatically executed within the defined schedule, or you may choose to execute your policy on-demand.
Note: Once the backup is archived to S3, Druva CloudRanger deletes the original snapshot. However, any policy-based retention remains active.
For more information about available AWS storage classes, refer to the AWS documentation.
Note: The availability of this feature may be limited based on the license type, region, and other criteria. To access this feature, contact your Druva Account Manager or Support.