How can I set up VSS backup in AWS Backup?

Short description

AWS Backup supports application-consistent backups of Microsoft workloads that run on Amazon EC2 instances. This includes Microsoft Windows Server instances and Microsoft applications, such as SQL Server, Active Directory and Exchange Server.

To create application-consistent backups, use the AWS Backup console to take a Windows Volume Shadow Copy Service (VSS).

To use AWS Backup to set up VSS backups for Windows EC2 instances, complete the following steps:

1. If you don't already have an EC2 instance, then create one.
2. Use the AWS Systems Manager console to set up Systems Manager for the EC2 instance.
3. Update the AWS Systems Manager Agent (SSM Agent) that's installed when you associate the EC2 instance.
4. Use SSM Agent to install the AWSVSSComponents package on the EC2 instance.
5. Create an EC2 role with permissions to take VSS backups, and then attach the role to the EC2 instance.
6. Use AWS Backup to take a backup of the EC2 instance.

Prerequisites

To create VSS backups, use the Amazon EC2, Systems Manager, and AWS Backup consoles to complete a number of prerequisites. Make sure that you meet all of the criteria before you begin.

Resolution

Create an EC2 instance

If you don't have an EC2 instance, then create one. You must use a supported instance size and operating system (Windows Server 2012 or later). The following instance sizes aren't supported for VSS backups:

• t3.nano
• t3.micro
• t3a.nano
• t3a.micro
• t2.nano
• t2.micro

Set up Systems Manager on your EC2 instance

If you already set up Systems Manager on your instance, then proceed to the next section. Otherwise, complete the following steps:

1. Open the Systems Manager console.
2. In the navigation pane, choose Quick Setup, and then choose Create.
3. Choose Host Management, and then choose Next.
4. In the Configuration options section, choose the options that you want to allow for your configuration.
5. In the Targets section, choose how you want to configure your host management. You can do this for your Entire organization, Custom organizational units (OUs), or for the Current account that you're signed in to.
6. Choose Create.
7. To verify that your instance is associated with Systems Manager, run this command in the AWS Command Line Interface (AWS CLI):

aws ssm describe-instance-associations-status --instance-id <instance-id>

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Update the SSM Agent that's installed when you associate your instance with Systems Manager

SSM Agent is preinstalled on some EC2 instance types. For more information, see Amazon Machine Images (AMIs) with SSM Agent preinstalled.

To Update SSM Agent, complete the following steps:

1. Open the Systems Manager console.
2. Choose Run Command, and then choose Run Command again.
3. Search for and then choose AWS-UpdateSSMAgent. Choose the radio button next to the command.
4. Under Target Selection, use tags or a resource group to choose your instance. You can also manually choose it.
5. (Optional) configure Output options, Amazon CloudWatch alarms, and SNS notifications.
6. Choose Run.

Install the AWSVSSComponents package on the EC2 instance

To install the VSS package, complete the following steps:

1. Open the Systems Manager console.

2. Choose Run Command, and then choose Run Command again.

3. Search for and then choose AWS-ConfigureAWSPackage. Choose the radio button next to the command.

4. For Command parameters, enter the following:

   Action: Install
   Name: AwsVssComponents
   Version: Leave this field empty so that Systems Manager installs the latest version

5. Under Target Selection, use tags or a resource group to choose your instance. You can also manually choose it.

6. (Optional) configure Output options, Amazon CloudWatch alarms, and SNS notifications.

7. Choose Run.

Create an EC2 role with permissions to take VSS backups

Creating a VSS Backup requires additional permissions that you must attach to the EC2 instance role. Complete the following the steps to create a policy, attach the policy to a role, and then attach the role to your EC2 instance.

1. Create an AWS Identity and Access Management (IAM) policy similar to the policy that's shown in Create an IAM role for VSS-activated snapshots.
2. Create an IAM role called VssSnapshotRole. Attach the policy that you created in step 1 to this IAM role. Then, attach the AWS managed policy AmazonSSMManagedInstanceCore to the role.
3. Attach this role to the EC2 instance.

Use AWS Backup to take a backup of the EC2 instance

Complete the following steps:

1. Open the AWS Backup console.
2. On the Dashboard, choose Create on-demand backup.
3. Add the details of your EC2 instance.
4. For Advanced backup settings, check the VSS checkbox.
5. Choose Create on-demand backup.
6. You can also use a backup plan to create backups. If you use this method, then make sure that you activated the VSS checkbox in your backup plan.

Note: Your EC2 instance must not be in the Stopped state when the VSS backup is running.

Review the results

A backup job with a status of Completed doesn't guarantee that the VSS operation is successful. VSS inclusion is made on a best-effort basis. Complete the following steps to determine if a backup is application consistent, crash consistent, or failed:

1. Open the AWS Backup console.

2. From the navigation pane, under My Account, choose Jobs.

3. Check the status of the backup job. You see one of the following statuses:

   A Completed status indicates that the backup is successful and the application is consistent (VSS).
   A Completed status with a green warning sign indicates that the VSS operation failed, and only a regular backup was created.
   A Failed status means that the backup is unsuccessful.

4. To view additional details for the backup, choose the individual backup job. For example, the details might indicate that the Windows VSS backup failed because of a timeout during the VSS-activated snapshot creation. To troubleshoot VSS errors, see How do I troubleshoot Amazon EC2 VSS failures in AWS Backup?