Restoring From Image-Level Backups

    The process of restoring an EC2 instance with encrypted EBS volumes from an image-level backup depends on whether the worker instance is launched in the same AWS account to which you restore the instance or in a different one.

    Note

    Consider the following:

    • An AWS account that owns an IAM role specified for launching worker instances is also referred to as the source AWS account.
    • An AWS account to which you restore an instance is also referred to as the target AWS account.
    • Veeam Backup for AWS always launches a worker instance in a target AWS Region specified in restore settings. For more information, see Managing Worker Instances.

    Restore to Same AWS Account

    If a worker instance is launched in the same AWS account where the restored EC2 instance will reside, Veeam Backup for AWS encrypts the EBS volumes of the restored EC2 instance using the IAM role specified to launch worker instances, as described in section Configuring Worker Instance Settings. The IAM role must have permissions to access the CMK with which you want to encrypt EBS volumes of the restored EC2 instance.

    Restore to Another AWS Account

    If a worker instance is launched in an AWS account that is different from the AWS account where the restored EC2 instance will reside, Veeam Backup for AWS performs the following steps:

    1. Creates empty EBS volumes in the target AWS Region in the source AWS account and attaches them to the worker instance. To protect data that will be restored to these volumes, Veeam Backup for AWS encrypts the created EBS volumes with the default encryption key specified for the target AWS Region.

    To encrypt the volumes, Veeam Backup for AWS uses an IAM role specified to launch worker instances, as described in section Configuring Worker Instance Settings. The IAM role must have permissions to access the default encryption key specified for the target AWS Region in the source AWS account.

    2. Restores backed-up data to the empty EBS volumes on the worker instance.
    3. Creates an encrypted cloud-native snapshot of the EBS volumes with the restored data.
    4. Shares the created snapshot with the target AWS account.

    Important

    According to AWS limitations, snapshots encrypted with the default key for EBS encryption (aws/ebs alias) cannot be shared between AWS accounts. Thus, if the default encryption key specified for the target AWS Region in the source AWS account is the default key for EBS encryption, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article.

    5. Creates an EC2 instance in the target AWS Region within the target AWS account.
    6. Creates encrypted EBS volumes from the shared encrypted snapshot and attaches them to the created EC2 instance.

    To create and encrypt EBS volumes, Veeam Backup for AWS uses an IAM role specified for the restore operation, as described in section Performing Entire EC2 Instance Restore. The IAM role must have permissions to access the following CMKs:

    • The default encryption key specified for the target AWS Region in the source AWS account.
    • A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).
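
A preflight check for the cross-account restore conditions described above, as an added example that is not part of the Veeam documentation: it takes key metadata and a key policy shaped like the output of `aws kms describe-key` and `aws kms get-key-policy` for the source account's default EBS key, and reports whether that key is AWS managed or whether its policy omits the restore role. The account IDs, role name and list of required KMS actions are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Assumption: an illustrative set of KMS actions for using a shared encrypted
# snapshot. It is not taken from the Veeam page; adjust it to your restore role.
REQUIRED = ["kms:DescribeKey", "kms:CreateGrant", "kms:Decrypt",
            "kms:ReEncryptFrom", "kms:ReEncryptTo",
            "kms:GenerateDataKeyWithoutPlaintext"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_role(stmt, role_arn):
    """True if the statement's AWS principal is the role or its account."""
    account = role_arn.split(":")[4]
    accepted = {role_arn, account, f"arn:aws:iam::{account}:root"}
    principal = stmt.get("Principal", {})
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(p in accepted for p in _as_list(aws))

def preflight(key_metadata, key_policy_json, restore_role_arn):
    """Return a list of problems; an empty list means the check passed.
    Deny statements and Condition blocks are not evaluated."""
    if key_metadata.get("KeyManager") == "AWS":
        return ["default EBS key is AWS managed (aws/ebs): snapshot cannot be shared"]
    granted = set()
    for stmt in _as_list(json.loads(key_policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _names_role(stmt, restore_role_arn):
            granted.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    missing = [a for a in REQUIRED
               if not any(fnmatchcase(a.lower(), g) for g in granted)]
    return ["key policy lacks for restore role: " + ", ".join(missing)] if missing else []

# Constructed sample data shaped like `kms describe-key` (KeyMetadata) and
# `kms get-key-policy` output; account IDs and the role name are made up.
ROLE = "arn:aws:iam::222222222222:role/example-restore-role"
AWS_MANAGED = {"KeyId": "example-key-1", "KeyManager": "AWS"}
CUSTOMER = {"KeyId": "example-key-2", "KeyManager": "CUSTOMER"}
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncrypt*"], "Resource": "*"}]})

if __name__ == "__main__":
    for meta in (AWS_MANAGED, CUSTOMER):
        print(meta["KeyId"], preflight(meta, POLICY, ROLE) or "ok")
```

A passing result covers the key policy only; for cross-account use of a KMS key, the restore role's own IAM policy in the target account must allow the same actions.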
