Configuring EFS on N2WS allows you to determine backup:
- Schedule and frequency
- Lifecycle policy, including moving backups to cold storage, defining expiration options, and deleting them at end of life.
With AWS Backup, you pay only for the amount of backup storage you use and the amount of backup data you restore in the month. There is no minimum fee and there are no set-up charges.
Important: EFS Backup and Restore is performed by AWS Backup Service. When adding an EFS target for the first time in a region, you must create the default backup vault in AWS. Go to the AWS Backup console and choose Backup vaults.
For more information regarding the AWS Backup Service, refer to: https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html
Before continuing, consider the following:
- Currently, AWS Backup service doesn’t support DR for EFS resources.
- Not all regions are available for EFS backup on the AWS Backup service. Currently, the available regions are: US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfort), and Asia Pacific (Sydney).
- For regions not enabled by default, such as Asia Pacific (Hong Kong) and Middle East (Bahrain), see section 9.7.
- Backup transitions and expirations are performed automatically according to the configured lifecycle.
- A default or custom IAM role must exist in AWS to create and manage backups on behalf of N2WS. The IAM identity contains the backup and restore policies allowing operations on EFS. If a default was not automatically created, or you prefer to use a custom IAM role, see section 2.
- In the AWS Console, create the EFS in one of the available regions listed in section 8.
In N2WS, in the Backup Targets of a Policy, Add Elastic File Systems.
Configure the backup and restore options:
Complete the EFS Configuration:
Backup Vault – A logical backup container for your recovery points (your EFS snapshots) that allows you to organize your backups.
Note: Default Backup vaults are created in AWS: AWS Backup > Backup vaults.
IAM Role – An IAM identity that has specific permissions for EFS. The following AWS backup permissions should be attached to your IAM role:
- AWSBackupServiceRolePolicyForBackup – Create backups on your behalf across AWS services.
- AWSBackupServiceRolePolicyForRestores – Perform restores on your behalf across AWS services.
- If a default IAM role was not automatically created by AWS, or you require a custom IAM role, see section 8.2. Selecting the preferred IAM role is only required during the EFS policy configuration.
Transition to cold – Select the transition lifecycle of a recovery point (your EFS snapshots). The default is Policy Generations.
Expire – When does a protected resource expire. The default is Never.
Note: Moving a backup to the Freezer will set Expiration Date to Never.
A default or custom IAM role is necessary for AWS to perform EFS operations on behalf of N2WS.
To create a default IAM Role:
- Go to the AWS Backup Service: https://us-east-1.console.aws.amazon.com/backup/
- Click the Create an on-demand backup button.
- For Resource type, select EBS.
- For Volume ID, select any EBS volume to backup.
- Select Default IAM Role.
- Click the Create on-demand backup button. Ignore the error provided by AWS.
- Verify that the following role was created on AWS IAM Service:
To create a custom IAM Role:
- Go to AWS IAM Service: https://console.aws.amazon.com/iam/home#/roles
- Click the Create role button.
- Select AWS Backup and click Next: Permissions.
- Search for BackupService.
- Select the following AWS managed policies:
- Click Next: Tags and then click Next: Review.
- Enter a Role name and click Create role.
EFS can be configured by creating the cpm backup tag with the following values. In this case, N2WS will override the EFS configuration with the tag values:
|vault||Vault. Example: Default|
|role_arn||Arn of role. Example: arn:aws:iam::040885004714:role/service-role/AWSBackupDefaultServiceRole|
N – Never
D – Days
W – Weeks
|M – Months|
Y – Years
|cold_opt_val||Integer for D, W, M, Y only|
|exp_opt||When does resource expire:|
P – Policy Generations
N – Never
D – Days
M – Months
Y – Years
|exp_opt_val||Integer for D, W, M, Y only|
cpm backup my_policy+vault=Default+exp_opt=D+exp_opt_val=1
CPM will backup EFS to the default vault, and set its expiration date to 1 day.
Note: The max length for the cpm backup value is limited to 256 characters.