20. Capture & Clone in VPC Environments

VPC is an AWS service which allows the definition of virtual networks in the AWS cloud. N2WS can capture VPC settings and clone them back to AWS.



Note: VPC support is not available with the Free edition of CPM.

Overview of VPC and CPM

VPC is an AWS service which allows the definition of virtual networks in the AWS cloud. Users can define VPCs with a network range, and define subnets, security groups, Internet Gateways, VPN connections, and more under them. One of the resources of the VPC service is also called ‘VPC’, which is the actual virtual, isolated network.

CPM can capture the VPC settings of user environments and clone those settings back to AWS:

  • In the same region and account, for example, if the original settings were lost.
  • To another region, such as in DR scenarios.
  • With VPC resource properties modified in a template that is uploaded with CloudFormation, if required.

Once enabled from General Settings, CPM automatically captures VPC settings at pre-defined intervals, as it does for cleanup and tag scanning. The root/admin user can enable the feature in the Capture VPC section of the General Settings screen and set the interval of VPC captures. VPC capturing is enabled at the account level by default, the same as tag scanning.

Because VPC configuration metadata is small, VPC does not consume a lot of resources during storage of the capture. Metadata is captured incrementally. If nothing changed since the last capture, the metadata will not be captured again. This is the most common case in an ongoing system, where defined networks do not change frequently.

Regions – CPM will only capture VPC settings in regions that include backed-up resources. If the customer is not backing up anything in a specific region, CPM will not try to capture the VPC settings there.

Retention – CPM will retain the VPC data as long as there are backups requiring it. If CPM still holds backups from a year ago, the VPC version relevant for that time is still retained. Once there are no relevant backups, CPM will delete the old VPC captured data.

CloudFormation – CPM will use the AWS CloudFormation service to clone VPCs to an AWS account. CPM will create a CloudFormation template with the definitions for the VPC and use the template to launch a new stack and create all the VPC settings in one operation.

Features of Capturing and Cloning VPCs

The objective of Capture and Clone is to provide the ability to protect VPCs from disaster, by saving VPC configurations and allowing for recovery in any region.

Backed up VPC entities include:

  • VPC resource configuration
  • Subnets – CPM tries to match AZs with similar names and spread subnets in destinations in the same way as in source regions.
  • Security groups
  • DHCP Options Sets – Multi-name in the domain server name is not supported.
  • Route tables – Rules with entities that are specific to the source region are not supported.
  • Network ACLs
  • Internet Gateways, Egress Internet Gateways
  • VPN Gateways

Note: The Capture Log in the Capture VPC section of General Settings reports entities not captured or only partially captured.

VPC capturing:

  • Accounts are enabled for VPC capturing by default, but this setting can be disabled as needed.
  • Captures in all regions of interest.
  • CPM will capture and save all changes made on AWS for a user’s VPCs.

Not supported: NAT gateways, VPC peering connections, customer gateways, VPN connections, Network interfaces, Elastic IP addresses, VPC Endpoints, VPC Endpoints services

VPC cloning:

  • Every Account that has a VPC captured in a region can clone a version of the VPC to any region.
  • The subnets of the cloned VPC will be located in the destination’s Availability Zone with respect to their availability in the region.
  • Users can download a template of VPC resources, configure it manually, and load it with AWS CloudFormation.

Configuring VPC Capturing

The root user can:

  • Enable or disable automatic VPC captures for Accounts that are VPC-enabled.
  • Schedule automatic capture interval.
  • Initiate an ad-hoc capture using the Capture Now button for all VPC-enabled Accounts, even if VPC is disabled in General Settings.
  • View the last captured VPCs in the different regions and accounts in Capture Log.

In the Capture VPC section of the General Settings screen, select Enabled in the Capture VPC Environments drop-down list.

To change the capture frequency from the default, select a new interval from the Capture VPCs interval list. Valid choices are from every hour to every 24 hours.

Click Apply at the bottom of the General Settings page to update CPM.

To initiate an immediate capture for all VPC-enabled Accounts regardless of server setting, click Capture Now.

Updating Accounts for VPC

By default, Accounts are enabled to Capture VPCs. VPCs are automatically captured for all enabled Accounts according to the interval configured in the General Settings. To not capture VPCs for an Account, disable the feature in the Account.

To disable, or enable, an individual account for capturing VPCs:

  1. Click the Accounts button and select an Account.
  2. In the Capture VPCs drop-down list, select Disabled, or Enabled, and click Update.

Cloning VPCs

The following entities are not supported:

  • Cloning an IPv6 CIDR block on a subnet.
  • Inbound and Outbound Endpoint rules of Security Groups.
  • Inbound and Outbound rules of Security Groups that refer to a security group on a different VPC.
  • Route Table rules with NAT Instance as target.
  • Route Table rules with NAT Gateway as target.
  • Route Table rules with Network Interface as target.
  • Route Table rules with VPC peering connection as target.
  • Route Table rules with status ‘Black Hole’.

A VPC-enabled account must have at least one policy with a backup target in order to clone VPCs.

Note: Cross-region cloning is supported. Cross-account cloning will be supported in a future version.

New default entities, such as a Security Group, will be created in the destination environment regardless of the original default entities.

When cloning VPCs to an AWS account, CPM generates a JSON template for use with CloudFormation. If the generated CloudFormation template is larger than 50 kB, CPM requires the use of an existing S3 bucket for storing the template. There should be an S3 bucket for each combination of accounts and regions in the destination clone. The template file in an S3 bucket will not be removed after cloning.

To clone captured VPCs:

  1. Click the Accounts button and select an account.
  2. In the Actions column, click Clone VPCs for the Account.
  3. In the Source Region drop-down list, select the source region of the capture to clone.
  4. In the VPC drop-down list, select the VPC to clone.
  5. In the Captured at drop-down list, select the date and time of the capture to clone.
  6. In the Clone to Destination Region drop-down list, select the region to create the clone.
  7. If the CF template is over 50 kB, the additional section Upload CF template to S3 appears. Enter an Existing Bucket Name.
  8. Click Clone VPC.

The cloning status message will appear at the top of the dialog box:

  • Successful clone
  • Successful clone with warning – Check the log for further instructions.

When cloning VPCs with resources not supported by CPM, you can download the CloudFormation template for the VPC, add or modify resource information, and upload the modified template to CloudFormation manually.

To create a clone manually with CloudFormation:

  1. In the Clone VPCs for Account dialog box, complete the fields as described above.
  2. Click CloudFormation Template to download the CloudFormation JSON template.
  3. Modify the template, as required. See section 1.5.1.
  4. Manually upload the modified template with CloudFormation.

Example of CloudFormation Template

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Template created by CPM",
  "Resources": {
    "dopt4a7bcf33": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "DomainName": "ec2.internal",
        "DomainNameServers": ["AmazonProvidedDNS"]
      },
      "Type": "AWS::EC2::DHCPOptions"
    },
    "dopt4a7bcf33vpc9d4bcbe6": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "DhcpOptionsId": {"Ref": "dopt4a7bcf33"},
        "VpcId": {"Ref": "vpc9d4bcbe6"}
      },
      "Type": "AWS::EC2::VPCDHCPOptionsAssociation"
    },
    "sgcd8af6bb": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupDescription": "default VPC security group",
        "GroupName": "default-0",
        "SecurityGroupEgress": [{"CidrIp": "", "IpProtocol": "-1"}],
        "SecurityGroupIngress": [],
        "Tags": [{"Key": "cpm:original:GroupId", "Value": "sg-cd8af6bb"}],
        "VpcId": {"Ref": "vpc9d4bcbe6"}
      },
      "Type": "AWS::EC2::SecurityGroup"
    },
    "vpc9d4bcbe6": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "CidrBlock": "",
        "EnableDnsHostnames": false,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default",
        "Tags": [
          {"Key": "Name", "Value": "Public-VPC-for-CF"},
          {"Key": "cpm:capturetime", "Value": "Aug 22, 2018 16:15"},
          {"Key": "cpm:clonetime", "Value": "Aug 25, 2018 21:20"},
          {"Key": "cpm:original:VpcId", "Value": "vpc-9d4bcbe6"},
          {"Key": "cpm:original:region", "Value": "us-east-1"}
        ]
      },
      "Type": "AWS::EC2::VPC"
    }
  }
}
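
A pre-upload check for the "Modify the template" step of the manual procedure, added here as an example (it is not N2WS or CPM code): it parses a downloaded template and reports empty CIDR values, Ref targets that no longer exist after editing, security group ingress open to any address, and a template over the 50 kB limit described above. The function names, finding labels, and sample resource names are hypothetical, and 50 kB is assumed to mean 51,200 bytes.

```python
import json

MAX_INLINE_BYTES = 50 * 1024  # assumption: the page's "50 kB" taken as 51,200 bytes
CIDR_KEYS = ("CidrBlock", "CidrIp", "CidrIpv6")
OPEN_CIDRS = ("0.0.0.0/0", "::/0")

def _walk(node, path=""):
    """Yield (path, key, value) for every key found in nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")

def review_template(text):
    """Return findings to resolve before uploading an edited template."""
    findings = []
    if len(text.encode("utf-8")) > MAX_INLINE_BYTES:
        findings.append("SIZE: over 50 kB, store the template in an S3 bucket")
    doc = json.loads(text)
    resources = doc.get("Resources", {})
    known = set(resources) | set(doc.get("Parameters", {}))
    for name, res in resources.items():
        sg_rule = res.get("Type") == "AWS::EC2::SecurityGroupIngress"
        for path, key, value in _walk(res.get("Properties", {})):
            where = f"{name}{path}/{key}"
            if key in CIDR_KEYS and value == "":
                findings.append(f"EMPTY-CIDR: {where}")
            elif key == "Ref" and not (str(value) in known or str(value).startswith("AWS::")):
                findings.append(f"DANGLING-REF: {where} -> {value}")
            elif key in CIDR_KEYS and value in OPEN_CIDRS and (
                    sg_rule or "SecurityGroupIngress" in path):
                findings.append(f"OPEN-INGRESS: {where} = {value}")
    return findings

# Constructed sample (hypothetical resource names), shaped like a CPM template
SAMPLE = json.dumps({"Resources": {
    "vpcExample": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": ""}},
    "sgExample": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web", "VpcId": {"Ref": "vpcExample"},
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "CidrIp": "0.0.0.0/0"}]}},
    "routeExample": {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": {"Ref": "rtbMissing"}, "DestinationCidrBlock": "0.0.0.0/0",
        "NatGatewayId": {"Ref": "natMissing"}}},
}})

if __name__ == "__main__":
    print("\n".join(review_template(SAMPLE)))
```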
