AWS Backup Restore Testing for EC2 always fails with "Restore metadata is invalid." due to NetworkInterfaces field

0

All restore jobs triggered by AWS Backup Restore Testing for EC2 resources fail consistently with "Restore metadata is invalid." The failure occurs in under 15 seconds, before any resource is provisioned, indicating metadata validation rejection prior to RunInstances.

Region: us-east-1
Restore Testing Plan: Restore_Testing_Teste_Cloudformation

Root cause identified:

AWS Backup serializes the NetworkInterfaces field into the EC2 recovery point metadata at backup time. This field contains instance-specific values: a fixed NetworkInterfaceId (e.g. eni-0fbe9f0d1302418ea) and a fixed PrivateIpAddress (e.g. 172.31.19.180). When Restore Testing attempts to use this
metadata, validation fails because the ENI and IP are no longer available.

The field NetworkInterfaces is not included in the list of overridable keys for RestoreMetadataOverrides, which only accepts: iaminstanceprofilename,
instancetype, subnetid, securitygroupids, requireimdsv2. There is no way to neutralize or replace the NetworkInterfaces field through the Restore
Testing API.

Proof:

A manual start-restore-job using the same recovery point (ami-0c5ecce9404899df0) but with NetworkInterfaces removed from the metadata completed
successfully (Restore Job ID: e53e272f-e3c7-4de2-a805-12bdd31d81a5, Status: COMPLETED, Created instance: i-0f3740438d79a7845).

This confirms the field is the sole cause of the validation failure.

Impact:

AWS Backup Restore Testing is completely non-functional for EC2 resources in any scenario where the original instance no longer exists, which is the
most common real-world use case for restore testing.

Feature request / fix requested:

One of the following:

  1. Add NetworkInterfaces to the list of overridable keys in RestoreMetadataOverrides (accepting an empty string or a clean JSON to replace the captured value)
  2. When subnetid and securitygroupids are provided via RestoreMetadataOverrides, automatically discard the NetworkInterfaces field from the base recovery point metadata

This behavior is not documented anywhere. The public documentation for Restore Testing does not mention this limitation.

asked 8 days ago, 54 views
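The manual workaround the question describes (call start-restore-job yourself with NetworkInterfaces stripped from the recovery point's restore metadata) is easy to get wrong by hand, so here is an added example of that procedure in Python with boto3. This is not code from the post or from AWS; the vault name, IAM role ARN, subnet and security group IDs are placeholders, the shape of the NetworkInterfaces value (a JSON-encoded list of objects carrying NetworkInterfaceId and PrivateIpAddress) is an assumption based on the post's description, and SecurityGroupIds is written as a JSON string because the Metadata map only holds strings. The ENI ID and private IP in the constructed sample are the ones quoted in the post.

```python
"""Added example (not from the re:Post thread or AWS): inspect an EC2 recovery
point's restore metadata for instance-pinned network values, strip them, and
build the arguments for a manual start_restore_job call.

Assumptions (placeholders, not from the original post): vault name, IAM role
ARN, replacement subnet/security group IDs. boto3 is only imported inside
main(), so the pure functions run offline.
"""
import copy
import json

# Metadata keys AWS Backup captures at backup time that are tied to the
# original instance and cannot be overridden via RestoreMetadataOverrides.
INSTANCE_SPECIFIC_KEYS = ("NetworkInterfaces",)

# Constructed sample modelled on the post's description; not real API output.
SAMPLE_METADATA = {
    "InstanceType": "t3.micro",
    "SubnetId": "subnet-0123456789abcdef0",          # placeholder
    "SecurityGroupIds": '["sg-0123456789abcdef0"]',  # placeholder, JSON string
    "NetworkInterfaces": json.dumps([{
        "DeviceIndex": 0,
        "NetworkInterfaceId": "eni-0fbe9f0d1302418ea",  # value quoted in the post
        "PrivateIpAddress": "172.31.19.180",            # value quoted in the post
    }]),
}


def pinned_network_values(metadata):
    """Return [(eni_id, private_ip), ...] pinned by NetworkInterfaces.

    A non-empty result means a restore will fail once the original ENI/IP is
    gone. Malformed or absent NetworkInterfaces yields an empty list.
    """
    raw = metadata.get("NetworkInterfaces")
    if not raw:
        return []
    try:
        entries = json.loads(raw)
    except (TypeError, ValueError):
        return []
    if not isinstance(entries, list):
        return []
    return [
        (e.get("NetworkInterfaceId"), e.get("PrivateIpAddress"))
        for e in entries
        if isinstance(e, dict)
    ]


def sanitize_ec2_restore_metadata(metadata, subnet_id=None, security_group_ids=None):
    """Return (clean_metadata, removed_keys) suitable for start_restore_job.

    Drops NetworkInterfaces (case-insensitive match, since override keys are
    documented in lowercase) and optionally points the restored instance at
    a subnet / security groups that still exist. The input is not modified.
    """
    clean = copy.deepcopy(metadata)
    blocked = {k.lower() for k in INSTANCE_SPECIFIC_KEYS}
    removed = [k for k in clean if k.lower() in blocked]
    for key in removed:
        del clean[key]
    if subnet_id:
        clean["SubnetId"] = subnet_id
    if security_group_ids:
        clean["SecurityGroupIds"] = json.dumps(list(security_group_ids))
    return clean, removed


def build_restore_job_args(recovery_point_arn, iam_role_arn, clean_metadata):
    """Keyword arguments for backup_client.start_restore_job(**args)."""
    if pinned_network_values(clean_metadata):
        raise ValueError("metadata still pins an ENI/IP; sanitize it first")
    return {
        "RecoveryPointArn": recovery_point_arn,
        "IamRoleArn": iam_role_arn,
        "ResourceType": "EC2",
        "Metadata": clean_metadata,
    }


def main():
    """Live path: fetch the real metadata, sanitize, and start the restore."""
    import boto3  # only needed here

    vault_name = "REPLACE_ME_VAULT"                           # placeholder
    recovery_point_arn = "arn:aws:ec2:us-east-1::image/REPLACE_ME"  # placeholder
    iam_role_arn = "arn:aws:iam::123456789012:role/REPLACE_ME"      # placeholder
    backup = boto3.client("backup", region_name="us-east-1")
    meta = backup.get_recovery_point_restore_metadata(
        BackupVaultName=vault_name, RecoveryPointArn=recovery_point_arn
    )["RestoreMetadata"]
    print("pinned before sanitizing:", pinned_network_values(meta))
    clean, removed = sanitize_ec2_restore_metadata(
        meta, subnet_id="subnet-REPLACE_ME", security_group_ids=["sg-REPLACE_ME"]
    )
    print("removed keys:", removed)
    resp = backup.start_restore_job(**build_restore_job_args(recovery_point_arn, iam_role_arn, clean))
    print("RestoreJobId:", resp["RestoreJobId"])


if __name__ == "__main__":
    main()
```

Run `pinned_network_values` over the metadata of each recovery point you plan to test before relying on automated Restore Testing: any recovery point that returns a non-empty list will hit the same validation failure as soon as the source instance (and its ENI) is gone, and only the manual path above can restore it until AWS changes the overridable key set.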
1 Answer
4
Accepted Answer

Seems you have correctly identified a hard limitation of the AWS Backup Restore Testing service. Because NetworkInterfaces is not included in the RestoreMetadataOverrides, as far as I am aware, there is no way to prevent the validation error when the original ENI/IP is unavailable.

Your successful manual test proves that the metadata validation logic in the Restore Testing Plan is too rigid compared to the standard start-restore-job API. Currently, there is no workaround within the automated tool; this would require AWS to either allow overriding that field or to ignore it when subnets/security groups are provided. I suggest opening an AWS Support Ticket in your account to report this as a bug or feature request.

PS: I also could not find any official documentation addressing why this field is captured but not overridable during automated testing.

EXPERT
answered 8 days ago
