Restoring From Snapshots and Replicas

The process of restoring an RDS or EC2 instance from an encrypted cloud-native snapshot depends on whether you restore to the original location of the cloud-native snapshot or to a different location.

Note

Consider the following:

  • An AWS account in which the cloud-native snapshot resides is also referred to as the source AWS account.
  • An AWS account to which you restore the instance is also referred to as the target AWS account.

Restore to Snapshot Original Location

To restore an EC2 or RDS instance to the original location of a snapshot, Veeam Backup for AWS uses an IAM role specified for the restore operation. To learn how to specify this IAM role, see Performing Entire EC2 Instance Restore (step 3) and Performing RDS Instance Restore (step 3). The IAM role must have permissions to access the following CMKs:

  • CMKs with which the cloud-native snapshot is encrypted.
  • A CMK with which you want to encrypt data of the restored instance.

Restore of EC2 Instance to Different AWS Region

To restore an EC2 instance to a different AWS Region in the same AWS account where the cloud-native snapshot resides, Veeam Backup for AWS performs the following steps:

  1. Copies the encrypted cloud-native snapshot to the target AWS Region.
  2. Creates an EC2 instance in the target AWS Region.
  3. Creates encrypted EBS volumes from the copied encrypted snapshot and attaches them to the created EC2 instance.

To copy the encrypted snapshot, and to create and encrypt EBS volumes, Veeam Backup for AWS uses an IAM role specified for the restore operation. To learn how to specify this IAM role, see Performing Entire EC2 Instance Restore (step 3). The IAM role must have permissions to access the following CMKs:

  • CMKs with which the cloud-native snapshot is encrypted (source CMKs).
  • A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).

Cross-Account Restore of EC2 Instance to Same AWS Region

To restore an EC2 instance in a different AWS account to the same AWS Region where the cloud-native snapshot resides, Veeam Backup for AWS performs the following steps:

  1. Shares the encrypted cloud-native snapshot with the target AWS account.

To share the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for creating cloud-native snapshots (if you restore from a snapshot) or for copying and storing snapshot replicas (if you restore from a snapshot replica). The IAM role must have permissions to access CMKs with which the cloud-native snapshot is encrypted (source CMKs).

Important

According to AWS limitations, cloud-native snapshots encrypted with the default key for EBS encryption (aws/ebs alias) cannot be shared between AWS accounts. Thus, if the cloud-native snapshot is encrypted with the default key for EBS encryption, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article.

  2. Creates an EC2 instance in the target AWS account in the same AWS Region where the snapshot resides in the source AWS account.
  3. Creates encrypted EBS volumes from the shared encrypted snapshot and attaches them to the created EC2 instance.

To create and encrypt EBS volumes, Veeam Backup for AWS uses an IAM role specified for the restore operation. To learn how to specify this IAM role, see Performing Entire EC2 Instance Restore (step 3). The IAM role must have permissions to access the following CMKs:

  • The CMKs with which the cloud-native snapshot is encrypted (source CMKs).
  • A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).

Cross-Account Restore of EC2 Instance to Different AWS Region

To restore an EC2 instance to a different AWS Region in a different AWS account, Veeam Backup for AWS performs the following steps:

  1. Shares the encrypted cloud-native snapshot with the target AWS account.

To share the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for creating cloud-native snapshots (if you restore from a snapshot) or for copying and storing snapshot replicas (if you restore from a snapshot replica). The IAM role must have permissions to access the following CMKs:

  • CMKs with which the cloud-native snapshot is encrypted (source CMKs).
  • A CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).

Important

According to AWS limitations, cloud-native snapshots encrypted with the default key for EBS encryption (aws/ebs alias) cannot be shared between AWS accounts. Thus, if the cloud-native snapshot is encrypted with the default key for EBS encryption, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article.

  2. Copies the shared snapshot to the target AWS Region in the target AWS account.
  3. Creates an EC2 instance in the target AWS Region in the target AWS account.
  4. Creates encrypted EBS volumes from the shared encrypted snapshot and attaches them to the created EC2 instance.

To create and encrypt EBS volumes, Veeam Backup for AWS uses an IAM role specified for the restore operation. To learn how to specify this IAM role, see Performing Entire EC2 Instance Restore (step 3). The IAM role must have permissions to access the following CMKs:

  • The CMKs with which the cloud-native snapshot is encrypted (source CMKs).
  • The CMK with which you want to encrypt EBS volumes of the restored EC2 instance (target CMK).

Restore of RDS Instance to Different AWS Region

To restore an RDS instance to a different AWS Region in the same AWS account where the cloud-native snapshot resides, Veeam Backup for AWS performs the following steps:

  1. Copies the encrypted cloud-native snapshot to the target AWS Region.
  2. Creates an RDS instance from the copied encrypted snapshot in the target AWS Region.

To copy the encrypted snapshot, and to create the RDS instance, Veeam Backup for AWS uses an IAM role specified for the restore operation. To learn how to specify this IAM role, see Performing RDS Instance Restore (step 3). The IAM role must have permissions to access the following CMKs:

  • A CMK with which the cloud-native snapshot is encrypted (source CMK).
  • A CMK with which you want to encrypt the restored RDS instance (target CMK).

Cross-Account Restore of RDS Instance to Same AWS Region

To restore an RDS instance in a different AWS account to the same AWS Region where the cloud-native snapshot resides, Veeam Backup for AWS performs the following steps:

  1. Shares the encrypted cloud-native snapshot with the target AWS account.

To share the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for creating cloud-native snapshots (if you restore from a snapshot) or for copying and storing snapshot replicas (if you restore from a snapshot replica). The IAM role must have permissions to access a CMK with which the cloud-native snapshot is encrypted (source CMK).

Important

According to AWS limitations, cloud-native snapshots encrypted with the default encryption key (aws/rds alias) cannot be shared between AWS accounts. Thus, if the cloud-native snapshot is encrypted with the default encryption key, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article.

  2. In the target AWS account, copies the shared snapshot to the same AWS Region where the snapshot resides in the source AWS account, and re-encrypts the snapshot with the CMKs that you specified to encrypt the restored RDS instance.

To copy the shared encrypted snapshot and to re-encrypt it, Veeam Backup for AWS uses an IAM role specified for the restore operation. To learn how to specify this IAM role, see Performing RDS Instance Restore (step 3). The IAM role must have permissions to access the following CMKs:

  • The CMK with which the cloud-native snapshot is encrypted (source CMK).
  • A CMK with which you want to encrypt the restored RDS instance (target CMK).

  3. Creates an encrypted RDS instance from the copied encrypted snapshot in the target AWS account in the same AWS Region where the snapshot resides in the source AWS account.

To create and encrypt the RDS instance, Veeam Backup for AWS uses an IAM role specified for the restore operation. To learn how to specify this IAM role, see Performing RDS Instance Restore (step 3). The IAM role must have permissions to access the CMK with which you want to encrypt the restored RDS instance (target CMK).

Cross-Account Restore of RDS Instance to Different AWS Region

To restore an RDS instance to a different AWS Region in a different AWS account, Veeam Backup for AWS performs the following steps:

  1. Shares the encrypted cloud-native snapshot with the target AWS account.

To share the encrypted snapshot, Veeam Backup for AWS uses an IAM role specified in the backup policy settings for creating cloud-native snapshots (if you restore from a snapshot) or for copying and storing snapshot replicas (if you restore from a snapshot replica). The IAM role must have permissions to access the following CMKs:

  • A CMK with which the cloud-native snapshot is encrypted (source CMK).
  • A CMK with which you want to encrypt the restored RDS instance (target CMK).

Important

According to AWS limitations, cloud-native snapshots encrypted with the default encryption key (aws/rds alias) cannot be shared between AWS accounts. Thus, if the cloud-native snapshot is encrypted with the default encryption key, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article.

  2. In the target AWS account, copies the shared snapshot to the same AWS Region where the snapshot resides in the source AWS account.

To copy the shared encrypted snapshot, Veeam Backup for AWS uses an IAM role specified for the restore operation. To learn how to specify this IAM role, see Performing RDS Instance Restore (step 3). The IAM role must have permissions to access the CMK with which the cloud-native snapshot is encrypted (source CMK).

  3. Copies the previously copied encrypted snapshot to the target AWS Region in the target AWS account and re-encrypts the snapshot with the CMK specified to encrypt the restored RDS instance.

To copy and re-encrypt the snapshot, Veeam Backup for AWS uses an IAM role specified for the restore operation. To learn how to specify this IAM role, see Performing RDS Instance Restore (step 3). The IAM role must have permissions to access the CMK which you specified to encrypt the restored RDS instance (target CMK).

  4. Creates an encrypted RDS instance in the target AWS Region in the target AWS account.

To create and encrypt the RDS instance, Veeam Backup for AWS uses an IAM role specified for the restore operation. To learn how to specify this IAM role, see Performing RDS Instance Restore (step 3). The IAM role must have permissions to access the CMK with which you want to encrypt the restored RDS instance (target CMK).
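The cross-account scenarios above fail when the snapshot is encrypted with a default key (aws/ebs or aws/rds alias) or when the target side cannot use the source CMK. The following pre-flight check is an added example, not Veeam or AWS code: it inspects the KeyMetadata returned by `aws kms describe-key` and the key policy returned by `aws kms get-key-policy`. The function names, the list of required KMS actions and all sample ARNs and policies are assumptions.

```python
import fnmatch
# Assumption (AWS guidance, not stated on this page): KMS actions the target
# account needs on the source CMK to copy or restore from a shared snapshot.
REQUIRED_ACTIONS = ["kms:DescribeKey", "kms:CreateGrant", "kms:Decrypt",
                    "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def granted_patterns(policy, principals):
    """Action patterns from Allow statements naming one of the principals.
    Deny statements and Condition blocks are not evaluated here."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if any(p in principals for p in _as_list(principal.get("AWS", []))):
            patterns += _as_list(stmt.get("Action", []))
    return patterns

def preflight(key_metadata, key_policy, target_account, restore_role_arn):
    """Return blocking findings; an empty list means no blocker was found."""
    if key_metadata["KeyManager"] == "AWS":
        # aws/ebs and aws/rds are AWS managed keys: the snapshot cannot be shared.
        return ["AWS managed key: snapshot cannot be shared, restore will fail"]
    principals = {f"arn:aws:iam::{target_account}:root", restore_role_arn}
    granted = [g.lower() for g in granted_patterns(key_policy, principals)]
    return [f"source CMK policy lacks {action} for the target account"
            for action in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(action.lower(), g) for g in granted)]

# Constructed sample input: account IDs, ARNs and policies are placeholders.
TARGET = "222222222222"
ROLE = f"arn:aws:iam::{TARGET}:role/example-restore-role"
DEFAULT_KEY = {"KeyManager": "AWS"}        # e.g. the key behind alias/aws/ebs
CUSTOMER_KEY = {"KeyManager": "CUSTOMER"}  # a customer managed key (CMK)
POLICY_OK = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": ["kms:DescribeKey", "kms:CreateGrant", "kms:Decrypt",
               "kms:ReEncrypt*", "kms:GenerateDataKey*"], "Resource": "*"}]}
POLICY_PARTIAL = {"Statement": [{"Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{TARGET}:root"},
    "Action": ["kms:DescribeKey", "kms:Decrypt"], "Resource": "*"}]}

if __name__ == "__main__":
    for key, pol in [(DEFAULT_KEY, POLICY_OK), (CUSTOMER_KEY, POLICY_OK),
                     (CUSTOMER_KEY, POLICY_PARTIAL)]:
        print(preflight(key, pol, TARGET, ROLE))
```

The check reads only the key policy of the source CMK; permissions attached to the IAM role itself in the target AWS account must be verified separately.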
