Backup Your AWS Cloud Environment Using CloudFormation – Part 2

cloudformationIn the first part of this series, we explained the ins and outs of CloudFormation as well as why CPM is a good backup solution using tags (which is a plus considering possible CloudFormation updates).

We also discussed the importance of noting that when users update their stacks, their resources may be updated as well. In this article, we will show you how tag based backup with CPM will help you plan CloudFormation template updates.

Before we start, let’s first introduce the following two components:

1. Cloud Protection Manager (CPM)

CPM is an enterprise backup, recovery and disaster recovery solution for EC2. It allows you to automate and maintain backups of your entire EC2 environment as well as achieve application-consistent backups. This is done by providing a mechanism to perform certain tasks before and after snapshots are taken, informing your OS of the backup.

2. AWS Tags:

Tag your AWS resources. Tags are a powerful mechanism used to categorize and differentiate between AWS resources (such as AWS services, alarms, instances, AMIs, and so on). For example, let’s say you want to identify the costs incurred by various departments across different cost centers. You can assign tags to each AWS resource based on its department, which helps monitor usage, and creates consistency and ownership.

Each tag has a key-value pair with a mandatory key and optional value.
Using a consistent set of tag keys makes it easier for you to manage your resources, allowing you to search and filter through resources based on the tags you add.

For this article, we have used the standard AWS LAMP template. As you may know, LAMP represents the solution stack that consists of a Linux OS, Apache web server, MySQL database and PHP programing language. The standard AWS LAMP template will create an EC2 instance with LAMP configurations.

CPM provides multiple ways to achieve regular, application consistent backups. In addition to using the scheduler and policy as defined in MSSQL as well as other backup solutions, you can perform backups with AWS tags. It is important to note that CPM can automatically scan AWS resources and schedule them for backup, provided your instance contains a “cpm_backup” tag key and “<Name of Policy>” value. If a policy with the defined name does not exist, CPM will create the policy.

For this purpose, we modified the standard AWS template to have an additional tag for CPM backup, as shown in the image below (left). When an instance is launched it will then have the additional tag.

n2ws
Once resources are created with CloudFormation, you can configure tags to be scanned in CPM. Only CPM admins or root users can perform tag scanning and need to configure the “general settings” for auto scans.

n2ws

A policy (“policy_tab_backup”) and corresponding schedule are then created:
n2ws

No resources are configured for automated backup with CPM before a scan.
n2ws

However, when a scan is run by CPM, it identifies the resources tagged with “cpm_backup” and schedules backups according to their “policy name”.
n2ws

As outlined in part one, CloudFormation template updates may result in downtime or system disruption. To overcome this, it is very important to perform regular backups, which can be achieved with the help of CPM. CPM takes snapshots at regular intervals:
n2ws
Thus far, we have configured CPM for automated backup with AWS tags.
In the following steps, we are going to modify the CloudFormation template. We want to ensure that data is not lost after the update since this may result in restarting your EC2 instances.
First, check the content of the LAMP instance you created.
n2ws

The LAMP stack also has content as show below:
n2ws

You can modify the template so that while uploading, it will launch new instances with the modified content. Before new resources are created, make sure that the stack has the same data before and after it is updated.

CPM allows you to choose which snapshots you want to restore, up to the most recent. However, you cannot launch an EBS root device instance from the snapshot. This can only be done by registering the snapshot as an AMI, which can be done via CPM’s recovery panel.
n2ws

You can create an AMI from the snapshot during instance recovery.
n2ws

You can use the AMI ID in the new CloudFormation template:
n2ws

When you update the CloudFormation template, ensure that it uses the AMI above to launch a new instance.
n2ws

After making the changes outlined above, you can update the template.
n2ws

This will launch a new instance:
n2ws

as well as update your whole stack according to your modified configuration.
n2ws

Once the stack creation is successful, AWS CloudFormation will terminate the old instance:
n2ws
We made three modifications to the CloudFormation Template:

  1. Added a new AMI that was created from a snapshot
  2. Increased the volume size to 30GB, as shown below:
    n2ws
  3. Modified the content of the instance to include one additional file, as shown below:
    n2ws

The best part is that the new volume includes old data from the snapshot.
n2ws

It is important to note that you should manually delete the AMI if it is no longer required after the stack is updated.

There you have it. In this article, we showed how CPM can help you achieve tag based backup and aid in data recovery even while your stack is updated by CloudFormation.

It’s important to note that while this comes with a handful of advantages, you should still use caution:

  1. Ensure that there is no contradiction between tag content and manual configuration. For example, if a resource is auto scanned by CPM for tag based backup, but you manually removed it from the backup, that resource may still be enabled for auto backup when the next scan runs automatically.
  2. Ensure that policy name changes affect tag scans. If the policy name is updated, it may not match the “value” field of the tag. CPM can help you avoid such mistakes by providing a warning message at the top of your dialog window stating: “* This policy was automatically added by tag scan”, when you open a policy to edit.
  3. If you delete the CloudFormation template, it may delete related resources, but the CPM policy is not automatically deleted because deleting the policy will delete old backup data.

CPM also allows you to view the log of the failed tag scan from “General Settings”. This is helpful to identify any mismatched configuration or naming.

In this article, we have demonstrated how tag based scanning with Cloud Protection Manager (CPM) can help you achieve automatic application consistent backup and recovery. CPM is an enterprise-class backup solution for EC2 based on EBS & RDS snapshots. It supports consistent application backups on Linux as well as Windows servers. CPM is sold in the AWS Marketplace. See our pricing or try it for free.

Share this post →

You might also like: