Solved

Restore to EC2 - encrypted snapshot as input is not supported


Userlevel 2

I’m trying to restore backups from my S3 object storage as EC2 instances in AWS. I’m receiving this error after the EBS snapshot is created:

Importing VM Error: Failed to import machine to Amazon EC2: Using an encrypted snapshot as input is not supported

The reason for this is the “Always encrypt new EBS volumes” setting, which unfortunately is mandatory in my company.

Is there a way to work around this?

icon

Best answer by pampelix 30 May 2022, 15:08

View original

5 comments

Userlevel 7
Badge +9

Hello @pampelix, kindly have a comprehensive look at this guide: How to work with Amazon EBS encryption using Veeam Backup for AWS: https://www.veeam.com/kb3057 

Userlevel 7
Badge +9

Hi @pampelix, since you have gotten a little input on this issue, I would suggest you you create a support issue (ticket) in order to find a fix. And When this is resolved, please share the results with me.

 

Userlevel 2

Hi @Iams3le ,

Thanks for the link. I’ve seen that page before, but it seems to be talking about different use cases, and a different product.

Anyway, I made sure all mentioned permissions are in place, and I’m still seeing the same error.

Thoughts?

Userlevel 2

Ok, I can shed some light on this now.

The way the process works is:

- Veeam creates a proxy instance

- attaches an EBS volume to the proxy instance

- reads backup block data from S3 and writes it to the EBS volume

- takes a snapshot of the EBS volume

- imports the EBS volume into an AMI, converting from vmdk format.

- launch the AMI as new EC2 instance with all the recovered backup data.

The problem in my particular case is in the second to last step. That’s done via a call to AWS CLI: import-image, and that fails if the EBS snapshot is encrypted.

Unfortunately, in my case that’s a default setting I can’t change, all EBS volumes are encrypted by default in my company. So the error lies actually in AWS, not in Veeam.

Userlevel 7
Badge +9

Ok, I can shed some light on this now.

The way the process works is:

- Veeam creates a proxy instance

- attaches an EBS volume to the proxy instance

- reads backup block data from S3 and writes it to the EBS volume

- takes a snapshot of the EBS volume

- imports the EBS volume into an AMI, converting from vmdk format.

- launch the AMI as new EC2 instance with all the recovered backup data.

The problem in my particular case is in the second to last step. That’s done via a call to AWS CLI: import-image, and that fails if the EBS snapshot is encrypted.

Unfortunately, in my case that’s a default setting I can’t change, all EBS volumes are encrypted by default in my company. So the error lies actually in AWS, not in Veeam.

@pampelix you are right. Amazon supports only selected image formats. Never had to do this then “imports the EBS volume into an AMI”. But only created Instances (VMs) from AMI. I will check this out myself soon. 

Comment