Veeam Backup for AWS - How to perform File Level Restore to original location



Introduction

To perform a File Level Restore to the original location, VBAWS uses Amazon Kinesis Data Streams, Amazon SQS and the SSM Agent to send the data back to the original instance. A few steps are necessary before initiating the restore.
We need an IAM Role with permissions for SSM, SQS and Kinesis. This IAM Role will be attached to the source instance.

Also, we have the following requirements and limitations:

  • The 443 port must be opened in the Security Group attached to the Worker instance to be able to access the file-level recovery browser.
  • [For Linux-based EC2 instances] Python v2 or v3 with the `six` module must be installed on the source instance.
  • If the source EC2 instance operates in a private network, you must create the following VPC endpoints for the subnet to which the instance is connected:
    • com.amazonaws.<region>.ec2messages
    • com.amazonaws.<region>.ssm
    • com.amazonaws.<region>.sqs
    • com.amazonaws.<region>.kinesis-streams
    • com.amazonaws.<region>.sts
  • For EC2 instances running Linux OS, restore of files and folders to the original location is supported only for systemd-based distributions.
  • For EC2 instances running Windows OS, restore of files and folders to the original location is supported only if Windows Management Framework (WMF) version 5.1 is installed on the processed instances.

Creating IAM Policy

Let's first create an IAM Policy with the necessary permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "sqs:ListQueues",
        "sqs:GetQueueUrl",
        "kinesis:List*",
        "kinesis:Describe*",
        "kinesis:Get*",
        "sqs:GetQueueAttributes",
        "sqs:ListDeadLetterSourceQueues"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Creating IAM Role

Now we must create an IAM Role for the EC2 service.


We will add the policy we created in the previous step and the AWS managed policy "AmazonSSMManagedInstanceCore".
This policy is required to register the instance with AWS Systems Manager.


In the end, our IAM Role should be similar to this:

The trusted entities should be similar to this:

Attaching the IAM Role

Now we must attach the IAM Role to the original instance, the one to which we're trying to restore the files.


Choose the IAM Role.

Wait a few minutes and check if the instance is showing in the Inventory section of AWS SSM.

Performing the File Level Restore

Now we can initiate the File Level Restore.

Choose a restore point.

To be able to restore the files to their original location, we must toggle on the option "Additional restore mode".
When we set this option, VBAWS will try to contact the original instance via SSM.


VBAWS uses a Kinesis Data Stream to restore the files, and it is charged on a per-shard basis. By default, VBAWS uses only 1 shard with a fixed data transfer rate of 1 MB/s. It is possible to adjust the restore rate, but this will increase the cost of the Kinesis Data Stream during the restore.
You can also select the option "Keep the restore tool at the target instance" to leave the restore tool that VBAWS uses installed on this instance, in case you need to restore files again.


Wait for the Worker to start and generate the restore URL.

With the FLR URL ready, we can navigate through the files and folders and choose what we need to restore.


We add them to the list and choose the restore option. In this example I chose "Keep".


In the end you should see all the files and folders restored.


As I chose the option "Keep", a new folder was created with the same name plus the word "RESTORED" and the date and time when the restore was performed.


Restore to original location in a Cross-Account environment

If you or the customer are trying to perform a file level restore to the original location in a Cross-Account environment, we must change a few things.
The IAM Role created before is created in the Production Account where the instance is located. Also, we need to add a new permission.


{
  "Sid": "AssumeRole",
  "Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::<account_id_vbaws_is_located>:role/veeam_rto_*"
}

This is necessary because, during the restore, we create temporary IAM Roles in the account where VBAWS is located to perform the data transmission using Amazon Kinesis Data Streams, so we need permission to assume that temporary IAM Role. In the example above, I'm using "veeam_rto_*" because the name always ends with the instance ID we are trying to restore, so using "*"


So our policy should look similar to this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "sqs:ListQueues",
        "sqs:GetQueueUrl",
        "kinesis:List*",
        "kinesis:Describe*",
        "kinesis:Get*",
        "sqs:GetQueueAttributes",
        "sqs:ListDeadLetterSourceQueues"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AssumeRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::886738527459:role/veeam_rto_*"
    }
  ]
}

All the other steps are the same.
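The policy, role and attachment steps from this post, together with the cross-account variant, as an added example scripted with the AWS CLI (not from the original post or from Veeam): it emits the same policy documents shown above, attaches the role to the instance and performs the same SSM registration check. The policy, role and instance profile names are assumptions; the instance ID and the VBAWS account ID are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: the "Creating IAM Policy",
# "Creating IAM Role" and "Attaching the IAM Role" steps as AWS CLI calls.
# Assumed (placeholder) names: VeeamFLRRestorePolicy / VeeamFLRRestoreRole;
# the instance profile reuses the role name.
set -eu

POLICY_NAME="${POLICY_NAME:-VeeamFLRRestorePolicy}"
ROLE_NAME="${ROLE_NAME:-VeeamFLRRestoreRole}"

# Permission policy from the post. When a VBAWS account id is passed, the
# cross-account statement is added, scoped to that account's veeam_rto_* roles
# only (never "*", so the instance cannot assume unrelated roles).
restore_policy() {
  assume=""
  if [ -n "${1:-}" ]; then
    assume=",{\"Sid\":\"AssumeRole\",\"Effect\":\"Allow\",\"Action\":\"sts:AssumeRole\",\"Resource\":\"arn:aws:iam::$1:role/veeam_rto_*\"}"
  fi
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"Statement1","Effect":"Allow","Action":["sqs:ListQueues","sqs:GetQueueUrl","kinesis:List*","kinesis:Describe*","kinesis:Get*","sqs:GetQueueAttributes","sqs:ListDeadLetterSourceQueues"],"Resource":["*"]}%s]}' "$assume"
}

# Trust policy: only the EC2 service may assume the role (the "trusted entities" view).
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# apply <instance-id> [vbaws-account-id]: run in the account that owns the instance.
apply() {
  account="$(aws sts get-caller-identity --query Account --output text)"
  aws iam create-policy --policy-name "$POLICY_NAME" --policy-document "$(restore_policy "${2:-}")"
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "arn:aws:iam::$account:policy/$POLICY_NAME"
  # AmazonSSMManagedInstanceCore is what registers the instance with Systems Manager.
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  sleep 10  # IAM is eventually consistent; let the new profile propagate before associating it
  aws ec2 associate-iam-instance-profile --instance-id "$1" --iam-instance-profile "Name=$ROLE_NAME"
  # Same check as the post's "Inventory section of AWS SSM": wait until the agent reports Online.
  until aws ssm describe-instance-information --filters "Key=InstanceIds,Values=$1" \
      --query 'InstanceInformationList[0].PingStatus' --output text | grep -q Online; do
    sleep 15
  done
}

# Nothing is changed unless invoked as: ./flr_role.sh apply i-0123456789abcdef0 [vbaws-account-id]
case "${1:-}" in
  apply) apply "${2:?instance id required}" "${3:-}" ;;
esac
```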
More information about this process:

4 comments


Awesome and very helpful post!

People usually struggle with these steps and you created a really great detailed guide. It will definitely help all VBAWS users when performing FLR to original location… not to mention a great resource for the support team to share with customers!!!


Wow that is a great post. Thanks for sharing 👍


@wesmrt - this is extremely informative! Thank you!


Great post and information, @wesmrt ! Congrats!
