23. Capture & Clone in VPC Environments

VPC is an AWS service which allows the definition of virtual networks in the AWS cloud. N2WS can capture VPC settings and clone them back to AWS.

Note: VPC support is not available with the Free edition of N2WS.

Overview of VPC and N2WS

VPC is an AWS service which allows the definition of virtual networks in the AWS cloud. Users can define VPCs with a network range, define subnets under them, security groups, Internet Getaways, VPN connections, and more. One of the resources of the VPC service is also called ‘VPC’, which is the actual virtual, isolated network.

N2WS can capture the VPC settings of user environments and clone those settings back to AWS:

  • In the same region and account, for example, if the original settings were lost.
  • To another region and/or account, such as in DR scenarios.
  • With VPC resource properties modified in template uploaded with CloudFormation, if required.

Once enabled from General Settings, N2WS will automatically capture VPC settings at pre-defined intervals, such as for cleanup and tag scanning. The root/admin user can enable the feature in the Capture VPC section of the General Settings screen and set the interval of VPC captures. VPC settings are enabled at the account level, by default, same as tag scanning.

Because VPC configuration metadata is small, VPC does not consume a lot of resources during storage of the capture. Metadata is captured incrementally. If nothing changed since the last capture, the metadata will not be captured again. This is the most common case in an ongoing system, where defined networks do not change frequently.

  • Regions – N2WS will only capture VPC settings in regions that include backed-up resources. If the customer is not backing up anything in a specific region, N2WS will not try to capture the VPC settings there.
  • Retention – N2WS will retain the VPC data as long as there are backups requiring it. If N2WS still holds backups from a year ago, the VPC version relevant for that time is still retained. Once there are no relevant backups, N2WS will delete the old VPC captured data.
  • Cloud Formation – N2WS will use the AWS CloudFormation service to clone VPCs to an AWS account. N2WS will create a CloudFormation template with the definitions for the VPC and use the template to launch a new stack and create all the VPC settings in one operation.

Features of Capturing and Cloning VPCs

The objective of Capture and Clone is to provide the ability to protect VPCs from disaster, by saving VPC configurations and allowing for recovery in any region.

Backed up VPC entities include:

  • VPC resource configuration
  • Subnets – N2WS tries to match AZs with similar names and spread subnets in destinations in the same way as in source regions.
  • Security groups
  • DHCP Options Sets – Not supporting multi-name in domain server name.
  • Route tables – Not supporting rules with entities that are specific to the source region.
  • Network ACLs
  • Internet Gateways, Egress Internet Gateways
  • VPN Gateways

Note: The Capture Log in the Capture VPC section of General Settings reports entities not captured or only partially captured.

VPC capturing:

  • Accounts are enabled for VPC capturing by default, but this setting can be disabled as needed.
  • Captures in all regions of interest.
  • N2WS will capture and save all changes made on AWS for a user’s VPCs.
  • Not supported: NAT gateways, VPC peering connections, customer gateways, VPN connections, Network interfaces, Elastic IP addresses, VPC Endpoints, VPC Endpoints services, Transit Gateways

VPC cloning:

  • Every Account that has a VPC captured in a region can clone a version of the VPC to any destination, region, and account.
  • The subnets of the cloned VPC will be located in the destination’s Availability Zone with respect to their availability in the region.
  • Users can download a template of VPC resources to manually configure and load it with AWS CloudFormation.

Configuring VPC Capturing

The root user can:

  • Enable or disable automatic VPC captures for Accounts that are VPC-enabled.
  • Schedule automatic capture interval.
  • Initiate an ad-hoc capture using the Capture Now button for all VPC-enabled Accounts, even if VPC is disabled in General Settings.
  • View the last captured VPCs in the different regions and accounts in Capture Log.

C:\Users\Janet\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1E6EAD46.tmp

  1. In the Capture VPC section of the General Settings screen, select Enabled in the Capture VPC Environments drop-down list.
  2. To change the capture frequency from the default, select a new interval from the Capture VPCs interval list. Valid choices are from every hour to every 24 hours.
  3. Click Apply at the bottom of the General Settings page to update N2WS.
  4. To initiate an immediate capture for all VPC-enabled Accounts regardless of server setting, click Capture Now.

Updating Accounts for VPC

By default, Accounts are enabled to Capture VPCs. VPCs are automatically captured for all enabled Accounts according to the interval configured in the General Settings. To not capture VPCs for an Account, disable the feature in the Account.

To disable, or enable, an individual account for capturing VPCs:

  1. Click the Accounts button and select an Account.
  2. In the Capture VPCs drop-down list, select Disabled, or Enabled, and click Update.

Cloning VPCs

The following entities are not supported:

  • Cloning CIDR block IPV6 on a subnet.
  • Inbound and Outbound Endpoint rules of Security Groups.
  • Inbound and Outbound rules of Security Groups that refer to a security group on a different VPC.
  • Route Table rules with NAT Instance as target.
  • Route Table rules with NAT Gateway as target.
  • Route Table rules with Network Interface as target.
  • Route Table rules with VPC peering connection as target.
  • Route Table rules with status ‘Black Hole’.

A VPC-enabled account must have at least one policy with a backup target in order to clone VPCs.

Cloning VPCs includes the following features:

  • Both cross-region and cross-account cloning are supported.
  • The target clone can have a new name. The name will automatically include ‘(cloned)’ at the end.
  • During instance recovery and DR, clones may be optionally created in order to replicate a particular VPC environment before the actual instance recovery proceeds. The new instance will have the environment of the cloned VPC and will subsequently appear at the top of the target region and account list. A typical scenario might be to capture the VPC, clone the VPC for the first instance, and then apply the cloned VPC to additional instances in the region/account.
  • Instances recovered into a cloned VPC destination environment will also have new default entities, such as the VPC’s subnet definition and 1 or more security groups attached to the instance, regardless of the original default entities. Security groups can be changed during recovery.

When cloning VPCs to an AWS account, N2WS generates a JSON template for use with CloudFormation.

  • If the size of the CloudFormation template generated will be over 50 kB, N2WS requires the use of an existing S3 Bucket in the target destination for storing the template. There should be an S3 bucket for each combination of accounts and regions in the destination clone. The template file in a S3 bucket will not be removed after cloning.
  • In addition to having a bucket in the target region in the presented settings, you must choose that bucket when defining where to Upload the CF template to S3.

To clone captured VPCs:

  1. Click the Accounts button and select an account.
  2. In the Actions column, click Clone VPCs for the Account.
  3. In the Capture Source Region drop-down list, select the source region of the capture to clone.
  4. In the VPC drop-down list, select the VPC to clone.
  5. In the Captured at drop-down list, select the date and time of the capture to clone.
  6. In the Clone to Destination Region drop-down list, select the region to create the clone.
  7. In the VPC Name box, a suggested name for the VPC is shown. Clear the box and enter a new VPC name, if needed.
  8. In the Account drop-down list, select the account in which to create the clone.
  9. If the CF template is over 50 kB, the additional section Upload CF template to S3 appears, enter an Existing Bucket Name:
    1. Note: The existing bucket must be located in the selected target region.
  10. Click Clone VPC.

The cloning status message will appear at the top of the dialog box:

  • Successful clone

  • Successful clone with warning – Check the log for further instructions.

When cloning VPCs with resources not supported by N2WS, you can download the CloudFormation template for the VPC, add or modify resource information, and upload the modified template to CloudFormation manually.

To create a clone manually with CloudFormation:

  1. In the Clone VPCs for Account dialog box, complete the fields as described above.
  2. Click CloudFormation Template to download the CloudFormation JSON template.
  3. Modify the template, as required. See section 23.5.1.
  4. Manually upload the modified template with CloudFormation.

Example of CloudFormation Template

{‘AWSTemplateFormatVersion’: ‘2010-09-09’,
 ‘Description’: ‘Template created by N2WS’,
 ‘Resources’: {‘dopt4a7bcf33’: {‘DeletionPolicy’: ‘Retain’,
                                ‘Properties’: {‘DomainName’: ‘ec2.internal’,
                                               ‘DomainNameServers’: [‘AmazonProvidedDNS’]},
                                ‘Type’: ‘AWS::EC2::DHCPOptions’},
               ‘dopt4a7bcf33vpc9d4bcbe6’: {‘DeletionPolicy’: ‘Retain’,
                                           ‘Properties’: {‘DhcpOptionsId’: {‘Ref’: ‘dopt4a7bcf33’},
                                                          ‘VpcId’: {‘Ref’: ‘vpc9d4bcbe6’}},
                                           ‘Type’: ‘AWS::EC2::VPCDHCPOptionsAssociation’},
               ‘sgcd8af6bb’: {‘DeletionPolicy’: ‘Retain’,
                              ‘Properties’: {‘GroupDescription’: ‘default VPC security group’,
                                             ‘GroupName’: ‘default-0’,
                                             ‘SecurityGroupEgress’: [{‘CidrIp’: ‘’,
                                                                      ‘IpProtocol’: ‘-1’}],
                                             ‘SecurityGroupIngress’: [],
                                             ‘Tags’: [{‘Key’: ‘cpm:original:GroupId’,
                                                       ‘Value’: ‘sg-cd8af6bb’}],
                                             ‘VpcId’: {‘Ref’: ‘vpc9d4bcbe6’}},
                              ‘Type’: ‘AWS::EC2::SecurityGroup’},
               ‘vpc9d4bcbe6’: {‘DeletionPolicy’: ‘Retain’,
                               ‘Properties’: {‘CidrBlock’: ‘’,
                                              ‘EnableDnsHostnames’: false,
                                              ‘EnableDnsSupport’: true,
                                              ‘InstanceTenancy’: ‘default’,
                                              ‘Tags’: [{‘Key’: ‘Name’,
                                                        ‘Value’: ‘Public-VPC-for-CF’},
                                                       {‘Key’: ‘cpm:capturetime’,
                                                        ‘Value’: ‘Aug 22, 2018 16:15’},
                                                       {‘Key’: ‘cpm:clonetime’,
                                                        ‘Value’: ‘Aug 25, 2018 21:20’},
                                                       {‘Key’: ‘cpm:original:VpcId’,
                                                        ‘Value’: ‘vpc-9d4bcbe6’},
                                                       {‘Key’: ‘cpm:original:region’,
                                                        ‘Value’: ‘us-east-1’}]},
                               ‘Type’: ‘AWS::EC2::VPC’}}}

Share this post →

Share on twitter
Share on linkedin
Share on facebook
Share on email

Win the Ultimate


attendee pack —$415 value!

giveaway graphic

Visit the N2WS booth at AWS re:Invent for a chance to win prizes!