As we all know in the world of IT, nothing goes exactly according to plan. Every smart planner know how to develop a system that can adapt to different situations. The world, as we know, is full of uncertainty and you, as an entrepreneur or CXO would not want your business to be vulnerable to any of that uncertainty. As part of your application SLA, it is mandatory for a company to have a business continuity plan that ensures short recovery time objective (RTO) and recovery point object (RPO).
Your IT infrastructure also needs a business continuity plan (BCP) where you can plan how you will back up your data and ensure a fast recovery in any disaster scenario. A company’s data is the most important factor; without it they cannot function. Therefore, it is essential to have a plan in action which ensures that the database back up is carried out timely and across multiple geographical regions: this way, if one region is affected the business can be recovered in another region, as determined RPO.
AWS Elastic Block Store offers persistent block level storage that is used with Amazon Elastic Compute Cloud (Amazon EC2) instances for persistent data storage. Additionally, EBS offers the option to create point-in-time snapshots that are ideally suited to back up and restore data, protecting against logical data loss and achieving DR capabilities.
Companies as prominent as Linkedin and Sony Pictures have recently been victims of data theft. These cases should prompt every enterprise to design a highly available system with a well-designed backup plan. One option, using AWS, is to copy snapshots to a separate AWS account as a backup. This backup will help for DR in case some disaster strikes the first account. In this article, we will show you how to move data from one AWS account to another without any loss of data with the help of the Cloud Protection Manager (CPM) CLI tool.
Backing Up Snapshots from One AWS Account to Another with CPM CLI
When an account owner wants to share data from one AWS account with another AWS account, the account owner can do so by sharing snapshots. This is done by modifying the snapshot permission attributes, which requires the AWS account ID of the second account. Alternately, you can use a tool such as Cloud Protection Manager (CPM), which provides application-consistent backup options and ensures that data is consistent and copied to separate AWS account. This action can also be achieved with UI, but here the process will be automated using CLI. This section will provide a step-by-step guide to performing the following steps:
- Creating a VPC in the first AWS account
- Setting up a database and web server in that VPC
- Creating a second AWS account and adding its details to CPM
- Setting up a CPM Policy to back up both instances
- Write a script using CPM CLI that will do cross-account recovery to the second AWS.
1. Creating a VPC in the First AWS Account
You can create a virtual private cloud (VPC) in two ways:
- Via the AWS Console:: AWS provides a VPC creation wizard which will automatically launch a VPC with subnets, internet gateway, and route tables. You can find a detailed step-by-step guide to do this here.
- Via the AWS CLI: Before creating a VPC you’ll need to install and configure AWS CLI on your workstation to get started. Once AWS CLI is ready you’ll need to create the following resources after creating the VPC:
- Create and associate IGW (Internet Gateways)
- Create and associate route tables
For more information on this process, refer to this step-by-step guide on how to create VPC via AWS CLI.
2. Setting Up a Database and Web Server in the VPC
In this step you’ll need to create two things:
- Web server (EC2 instance) with WordPress installation: In order to set up a web server you’ll need to launch an Amazon EC2 instance and install WordPress on it. Follow this documentation for a detailed step-by-step guide.
- Database server (MySQL installed on EC2 instance):
- You need to launch an instance in the same VPC. Next, install and configure MySQL.
- Use this MySQL as a WordPress database.
This concludes the creation process for the web and database servers. You should now be able to open the site using the EC2 instance DNS name from a browser.
3. Registering AWS accounts on the CPM Console
Before you can start to register the two AWS account in the CPM console there are a number of prerequisites:
- Either get your AWS Account details or Create an IAM user in accounts you want to register CPM Manager with proper privileges for eg: EC2 full permission.
- Save access key and secret key as you will require it to register an account in next steps.
Once you do those things you can begin the process of registering the two accounts by following the steps below:
- Navigate to CPM console and click on “Manage AWS accounts”:
- Next, you will add two new accounts. Start with your main account, the account where your web server and database server are located. In order to add an account, fill out the fields as shown below:
- Next create account for DR. Here you will register another AWS account.
Once this is done now you’re all set to create backup policy in CPM Manager.
4. Setting Up a CPM Policy to Backup Both Instances
Here we will create a policy which will backup both the web server and the database server.
- In order to create a policy, navigate to the Main tab and select Policy tab. Now, create a new policy:
- Once the policy is created, it’s time to add both instances under the same policy. In the Configure column click on Backup Targets option:
- Select and add an instance to the policy, as shown below:
Once you’ve added all the backup targets, aka instances, to the policy it will look something like this:
- Next, it is necessary to run the backup policy we just created. We will move same backup snapshots to another AWS account. Navigate back to the Main tab and from there to the Policy tab, where you will select your policy and run the same policy ASAP.
Once the backup is completed for both instances—web server and database server—you can use the CPM CLI to move data from one AWS account to another AWS account.
5. Scripting with CPM CLI to Perform Cross-Account Recovery to the Second AWS Account
Before you start it is necessary for you to perform the following actions in second AWS account:
- Create a VPC (subnet and route tables): You can follow the same steps as we did for creating the VPC for the first account, or you can use Default AWS VPC, depending on where you would like to store your backup.
- Note down following information:
- From Account #1
- Instance IDs: IDs of both web server and database server instances
- From Account #2
- Subnet ID: Subnet ID will be required to copy instance to particular subnet
- Region: You will need to define which region you would like to copy data
- Key pair: In order to launch copied instances you will require key pair so make sure you already have one
- Instance type: You can put any instance type as your business need
- From Account #1
- If you’re performing recovery via CLI then get backup ID of both instances:
- The only way to get this is by using CPM CLI. You can download CPM CLI here.
parameter in CPM CLI to get backup id
- You will also need Security group Ids of the account to be backed up
Recover Instance Using CPM CLI
You can use any instance/workstation to setup a backup via CPM CLI. Before you get started, there are two prerequisites you need to have ready: Python 2.7 and CPM CLI. Download and configured CPM CLI. If you need it, you can find the CPM CLI here.
First of all, check that you have Python installed by using the command python, then download and configure CPM CLI. There will be three files:
- cpm_cli.cfg: CPM CLI enables using a configuration file named cpm_cli.cfg. The file must be located in the same directory where the cpm_cli.py is located
- cpm_cli: This supports several API calls to automate backup and recovery related tasks
- CPM_CLI: PDF documentation
The cpm_cli.cfg file contains the following lines:
[general] apikey= #api key generated showed in below step address= # cpm manager ip address e.g 184.108.40.206 port= 443 # cpm manager ip address user=admin # cpm console username verifycert= # yes/no timeout= # timeout in seconds, default is 60
How to Generate an API Key
- Click on “Notifications,” then click on “Configure API Authentication Key”
- Next, you need to enable API calls and create the authentication key.
- Please copy that key and use it as the “apikey” for any CLI/API call. You can always disable or create a new key, which will cancel the previous one.
Fetch backup ID:
Use the following command to get a backup ID:
Recover an Instance in the Second Account
Once you’ve set up all the above items, you should be ready to perform a test. Here you will use CPM CLI utility
to perform this action.
- Replace the values in snippet given below:
python cpm_cli.py recover-instance --instance-id --backup-id --from-account "" --to-account “” --region --placement subnet --subnet --ip-address new --root-device-source snapshot --security-groups "[‘Security-Group-Id1,Security-Group-Id2’]" --key-pair “” --instance-type=
Here is a sample of how yours would appear:
cpm_cli.py recover-instance --instance-id i-0ec876229c7d5032432 --backup-id=01212 --from-account "Main Account" --to-account "BackupAccount" --region=us-west-2 --placement subnet --subnet "subnet-6fa7rf36" --ip-address "new" --root-device-source "snapshot" --security-groups "[sg-f0c84b8b]"--key-pair "newkeypair" --instance-type=t2.micro
- Once you run this command for the web server and database server, you should get the following output confirming that the recovery has started: You will also notice both the database and web server instances have launched in the backup account. If you receive any error message, check your command for possible errors. After this, you can use the script to schedule the recovery of instances using crontab or a Lambda function which will execute whenever required.You have just learned how to successfully move data from one account to another AWS account using CPM CLI. You will be able to see the website once you’ve changed necessary parameters such as the database IP address (but that is only required if you have a MySQL database hosted on an AWS EC2 instance). After recovery, you should be able to access the same website as the first account via a browser, like the one shown below:
It is important that every organization have a disaster recovery plan in place. Although it rare that an organization would come across a scenario where they would have to put their disaster recovery plan in practice, there is always the chance of a system failure. In this article, we have demonstrated how you can ensure DR by moving data from one AWS account to another by using CPM CLI. The script can restore the backup instance as well verify the data on that instance.
Cloud Protection Manager is an enterprise-class backup, recovery and disaster recovery solution for AWS EC2 instances. It uses snapshots created by policies automatically at regular intervals. Additionally, we saw you can perform instance recovery into another account using CPM’s DR functionality, all of which makes CPM an ideal option for backup and DR strategies.
To find out how you can make your system more secure and easy to use, learn more about Cloud Protection Manager here.