# 14 Tag-based Backup Management

The cloud, and specifically AWS, is an environment based largely on automation. Since all the functionality is available via an API, scripts can be used to deploy and manage applications, servers, and complete environments. Popular tools such as Chef and Puppet are available to help with configuring and deploying these environments.

N2W allows configuring backup using automation tools by utilizing AWS tags. By tagging a resource, such as an EC2 instance, EBS volume, EFS, DynamoDB, or RDS instance, you can tell N2W what to do with this resource without using the UI.

To tag Aurora clusters, tag one of the cluster’s DB instances, and N2W will pick it up and back up the entire cluster.

Since tagging is a basic functionality of AWS, it can be easily performed via the API and scripts. For more information on using the API or scripts, see <https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html>.

N2W supports both **`cpm backup`** and **`cpm_backup`** tags (section [14.1](#14-1-the-cpm-backup-tag)) and custom tags (section [14.2](#14.2-custom-tags)).

For Azure, the following options are *not* currently supported:

* Custom tag
* Exclude disk
* Application awareness

{% hint style="info" %}
For information on using tags with Resource Control, see section [15.5](https://docs.n2ws.com/user-guide/15-resource-control#15.5-using-scan-tags-with-resource-control).
{% endhint %}

## 14.1 The 'cpm backup' and 'cpm\_backup' Tags <a href="#id-14-1-the-cpm-backup-tag" id="id-14-1-the-cpm-backup-tag"></a>

To automate backup management for a resource, you can add a tag to that resource named **`cpm backup`** (or **`cpm_backup`**). The tag is lower case with a space or an underscore. N2W will identify this tag and parse its content. In this tag you can specify whether to:

* Ignore the resource and remove it from all backup policies.
* Add the resource to a policy or list of policies.
* Create a new policy, based on an existing one (template), and then add the resource to it.

{% hint style="info" %}
The policy name in the **`cpm backup`** or **`cpm_backup`** tag is case sensitive and must match the policy name created in CPM.

If an AWS resource has 2 AWS tags with the same tag name, differing only by the case of the letters (upper, lower), then N2W will back up just one tag. The tag name will be in the format of the first tag N2W scans, and the tag value may be from the second tag. Check that tag names are in the same case.
{% endhint %}

Following is a summary table of all **`cpm backup`** and **`cpm_backup`** tag values:

<table data-header-hidden><thead><tr><th width="233.33333333333331">Purpose</th><th width="250">cpm backup cpm_backup Tag Value</th><th>Examples/Values</th></tr></thead><tbody><tr><td>Purpose</td><td><strong>cpm backup</strong> <strong>cpm_backup</strong> Tag Value</td><td>Examples/Values</td></tr><tr><td>Add resource to existing backup policy.<br>See <a href="#14-1-1-adding-to-a-policy-or-policies">14.1.1</a>.</td><td><em>policy1</em></td><td><em>policy1 policy2 policy3</em></td></tr><tr><td>Create policy from a template.<br>See <a href="#14-1-2-creating-a-policy-from-a-template">14.1.2</a>.</td><td><em>new_policy1<strong>:</strong>existing_policy1</em></td><td></td></tr><tr><td>Set backup options for EC2 instances.<br>See <a href="#14-1-3-setting-backup-options-for-ec2-instances">14.1.3</a>.</td><td><p><strong>only-snaps</strong> (create AMIs without reboot)</p><p><strong>initial-ami</strong></p><p><strong>only-amis</strong></p><p><strong>only-amis-reboot</strong> (create AMIs with reboot)</p><p><strong>app-aware</strong> (Windows instance backup agent is same as snapshot and AMI options)</p><p><strong>app-aware-vss</strong> (Enable application consistent with VSS)</p><p><strong>app-aware-script</strong> (Enable application consistent without VSS)</p></td><td><p><em>policy1</em><strong>#only-snaps</strong></p><p><em>new_policy:existing_policy</em><strong>#only-amis</strong></p><p><em>policy1</em><strong>#initial-ami#app-aware</strong></p></td></tr><tr><td>Set backup options for EFS instances. 
N2W will override EFS configuration with tag values.<br>See <a href="#14-1-4-setting-backup-options-for-efs-instances">14.1.4</a>.</td><td><p><strong>vault</strong><br><strong>role_arn</strong><br><strong>cold_opt</strong></p><p><strong>cold_opt_val</strong><br><strong>exp_opt</strong></p><p><strong>exp_opt_val</strong></p></td><td>Default (example)<br>ARN of role<br>Lifecycle transition: N, D, W, M, Y<br>Integer for D,W,M,Y only<br>When resource expires:<br>P (Policy Gen), N, D, W, M, Y<br>Integer for D, W, M, Y only</td></tr><tr><td>Remove resource from all policies.<br>See <a href="#14-1-5-tagging-a-resource-to-be-removed-from-all-policies">14.1.5</a>.</td><td><strong>no-backup</strong></td><td></td></tr><tr><td>Exclude volumes from backup.<br>See <a href="#14-1-6-excluding-volumes-from-backup">14.1.6</a>.</td><td><p><em>policy1</em><strong>#exclude</strong></p><p>Note<strong>:</strong> Tagged instances are excluded from the <strong>Exclude volumes</strong> option in <strong>General Settings</strong> for <strong>Tag Scan.</strong> Tagged instances are only excluded with the <strong>‘#exclude’</strong> tag.</p></td><td><em>policy1</em><strong>#exclude</strong> <em>policy2</em><strong>#exclude</strong></td></tr></tbody></table>

### 14.1.1 Adding to a Policy or Policies <a href="#id-14-1-1-adding-to-a-policy-or-policies" id="id-14-1-1-adding-to-a-policy-or-policies"></a>

To add a resource (e.g., an EC2 instance) to an existing backup policy, all you need to do is to create the tag for this resource and specify the policy name. For example:

`key:` **`cpm backup`**`, value:` **`policy1`** or `key:` **`cpm_backup`**`, value:` **`policy1`**

To add the resource to multiple policies, add a list of policy names separated by spaces: `policy1 policy2 policy3`

{% hint style="warning" %}
You can add an RDS target using the tag scan, but the resource will be added *without* the connection parameters. After the tag scan, you will need to configure the Connection Details in the policy manually. See <https://n2ws.zendesk.com/hc/en-us/articles/28878303166365--AWS-Read-Only-user-for-RDS-to-S3-feature>
{% endhint %}

### 14.1.2 Creating a Policy from a Template <a href="#id-14-1-2-creating-a-policy-from-a-template" id="id-14-1-2-creating-a-policy-from-a-template"></a>

To create a new policy and add the resource to it, specify the new policy name followed by the name of an existing policy that will serve as a template, separated by a colon: `tag value: new_policy1:existing_policy1`

You can also add multiple policy name pairs to create additional policies, or create a policy (or policies) and also add the resource to an existing policy or policies.

When a new policy is created out of a template, it will take the following properties from it:

* Number of generations
* Schedules
* DR configuration
* Script/agent configuration
* Retry configuration

It will not inherit any backup targets, so you can use a real working policy as a template or an empty one.

**For Script definitions:**

If backup scripts are defined for the template policy, the new one will keep that definition but will not initially have any actual scripts. You are responsible for creating those scripts. Since the N2W server is accessible via SSH, you can automate script creation. In any case, since scripts are required, the backups will have a failure status and will send alerts, so you will not forget about the need to create new scripts.

**For Windows instances with a backup agent configured:**

If that was the configuration of the original policy, the new instance (assuming it is a Windows instance) will also be assigned as the policy agent. However, since it does not have an authentication key, and since the agent needs to be installed and configured on the instance, the backups will have a failure status. Setting the new authentication key and installing the agent must be done manually.

**Auto Target Removal** for the new policy will always be set to **yes and alert**, regardless of the setting of the template policy. The basic assumption is that a policy created by a tag will automatically remove resources that no longer exist, which is equivalent to their tag being deleted.

### 14.1.3 Setting Backup Options for EC2 Instances <a href="#id-14-1-3-setting-backup-options-for-ec2-instances" id="id-14-1-3-setting-backup-options-for-ec2-instances"></a>

When adding an instance to a policy, or creating a new policy from a template, you may make a few decisions about the instance:

* To create snapshots only for this instance.
* To create snapshots with an initial AMI.
* To schedule AMI creation only.

If this option is not set, N2W will assume the default:

* Snapshots only for Linux.
* Snapshots with initial AMI for Windows instances.

To set the option, add a backup option after the policy name. The backup option can be one of the following values:

* **only-snaps**
* **initial-ami**
* **only-amis**
* **only-amis-reboot**

For example, with an existing policy: `policy1#only-snaps`, or for a new policy based on a template and setting AMI creation: `my_new_policy:existing_policy#only-amis`

{% hint style="info" %}
The **only-amis** option will create AMIs without rebooting them. The option **only-amis-reboot** will create AMIs with reboot.
{% endhint %}

For a Windows instance, you can also define backup with **app-aware**, i.e., a backup agent. It is used in the same way as the snapshot and AMI options.

* When adding the **app-aware** option, the agent is set to the default: VSS is enabled and backup scripts are disabled.
  * **app-aware-vss** - Enable application consistent with VSS.
  * **app-aware-script** - Enable application consistent without VSS.
* Additional configurations need to be made manually, and not with the tag.

You can also combine the backup options: `policy1#initial-ami#app-aware`

### 14.1.4 Setting Backup Options for EFS Instances <a href="#id-14-1-4-setting-backup-options-for-efs-instances" id="id-14-1-4-setting-backup-options-for-efs-instances"></a>

EFS can be configured by creating the **`cpm backup`** (**`cpm_backup`**) tag with the following values. In this case, N2W will override the EFS configuration with the tag values:

<table data-header-hidden><thead><tr><th width="196.01700632524637">Key</th><th>Value</th></tr></thead><tbody><tr><td>Key</td><td>Value</td></tr><tr><td><strong>vault</strong></td><td>Vault. Example: <code>Default</code></td></tr><tr><td><strong>role_arn</strong></td><td>ARN of role. Example: <code>arn:aws:iam::040885004714:role/service-role/AWSBackupDefaultServiceRole</code></td></tr><tr><td><strong>cold_opt</strong></td><td><p>Lifecycle transition:</p><p><code>N</code> – Never                                    <code>M</code> – Months</p><p><code>D</code> – Days                                      <code>Y</code> – Years</p><p><code>W</code> – Weeks</p></td></tr><tr><td><strong>cold_opt_value</strong></td><td>Integer for D, W, M, Y only</td></tr><tr><td><strong>exp_opt</strong></td><td><p>When does resource expire:</p><p><code>P</code> – Policy Generations               <code>W</code> – Weeks</p><p><code>N</code> – Never                                    <code>M</code> – Months</p><p><code>D</code> – Days                                      <code>Y</code> – Years</p></td></tr><tr><td><strong>exp_opt_val</strong></td><td>Integer for D, W, M, Y only</td></tr></tbody></table>

Example:

```
cpm backup my_policy+vault=Default+exp_opt=D+exp_opt_val=1
cpm_backup my_policy2+vault=Default+exp_opt=M+exp_opt_val=2
```

N2W will back up EFS to the default vault, and set its expiration date to 1 day.

{% hint style="info" %}
The maximum length for the **`cpm backup`** (**`cpm_backup`**) value is 256 characters.
{% endhint %}

### 14.1.5 Tagging a Resource to be Removed from All Policies <a href="#id-14-1-5-tagging-a-resource-to-be-removed-from-all-policies" id="id-14-1-5-tagging-a-resource-to-be-removed-from-all-policies"></a>

By creating the **`cpm backup`** (**`cpm_backup`**) tag with the value **`no-backup`** (lower case), you can tell N2W to ignore the resource and remove this resource from all policies. Also, see section 14.1.

### 14.1.6 Excluding Volumes from Backup <a href="#id-14-1-6-excluding-volumes-from-backup" id="id-14-1-6-excluding-volumes-from-backup"></a>

N2W can exclude a volume from an instance that is backed up by a policy using the **`cpm backup`** (**`cpm_backup`**) tag with **`#exclude`** added to the end of the policy name value.

* Add a tag to an instance that you want to back up:

```
Key = cpm backup; Value = policy_name1 policy_name2
Key = cpm_backup; Value = policy_name1 policy_name2
```

![](https://gblobscdn.gitbook.com/assets%2Fdocumentation%2F-MDLsrk86FXshooHfqxf%2F-MDLtKf1QLFs55Bm0gTG%2F0.png?alt=media)

* Add a tag to volumes that you would like to exclude from being backed up:

```
Key = cpm backup; Value = policy_name1#exclude policy_name2#exclude
Key = cpm_backup; Value = policy_name1#exclude policy_name2#exclude
```

![](https://gblobscdn.gitbook.com/assets%2Fdocumentation%2F-MDLsrk86FXshooHfqxf%2F-MDLtKf2-K7WB2RA_o-x%2F1.png?alt=media)

For example, if instance1 has 3 volumes and has a **`cpm backup`** (**`cpm_backup`**) tag with the value `policy1`, adding the **`cpm backup`** (**`cpm_backup`**) tag with value **`policy1#exclude`** to a volume will remove it from the policy.

![](https://content.gitbook.com/content/5oB64hgFIX2jdQ2O72cF/blobs/wisPhL6hH0e1qsoi9JvQ/14-1-6%20Excl%20Vol-cropped.png)

The instance with the excluded volume(s) will be added automatically as a backup target to the policy, after running **Scan Tag**.

{% hint style="info" %}
Tagged instances are not included in the **Exclude volumes** option in the **Tag Scan** tab of **General Settings** and are excluded from backup only when tagged with **#exclude** for the policy.
{% endhint %}

## 14.2 Custom Tags

Custom Tags allow N2W users to easily back up resources using any tag of their choice.

* You can define any number of Custom Tags on a Policy definition.
* Custom tags take precedence over **`cpm backup`** (**`cpm_backup`**) tags if both exist on a server.
* Define Custom Tags with the Names and Values to match the Tags of AWS Resources to add to the Policy.
* If a user-defined Custom Tag exists on an AWS resource, the resource will be automatically added to the Policy during the **Tag Scan** process. See section [14.3](#14-3-tag-scanning).
* It is possible to match an AWS Resource Tag with an N2W Tag Name or Value defined as a Prefix. For example, if the Tag Name ‘Department’ is defined as a Prefix, the following AWS resources that have a Tag Name starting with ‘Department’ will be added to the policy: ‘Department A’, ‘Departments’, and ‘Department\_3’.

{% hint style="warning" %}

* Custom Tags are case-sensitive.
* If the **`cpm backup`** (**`cpm_backup`**) tag is used on a resource with **`no-backup`**, Custom Tags will be ignored and the resource will not be backed up.
* When the **`cpm backup`** (**`cpm_backup`**) tag and a custom tag on a resource point to the same policy name, the custom tag will be ignored.
  {% endhint %}

To see which resources were added to backup, open the Tag Scan log (**Show Log**), and look for a **Custom Tags** match.

**To create Custom Tags**:

1. In the **Policies** tab, select a policy.
2. Select the **More Options** tab.
3. Turn on the **Custom Tags** toggle.
4. Select <img src="https://content.gitbook.com/content/5oB64hgFIX2jdQ2O72cF/blobs/mTpJiDA1RBi5iMwm7abe/New%20icon.png" alt="" data-size="line"> **New**.
5. Define the **Tag Name** and **Tag Value**.
6. If relevant, select **Name is Prefix** and/or **Value is Prefix**.

![](https://gblobscdn.gitbook.com/assets%2F-MCmcYDqe7zxX8UChJRp%2F-MDLwpeQO8mSKP7P5KUO%2F-MDLz7NAkRNSx6wB_D8-%2Fimage.png?alt=media\&token=4b9eaaa2-40b4-4f33-b2d8-e48a49bebf6c)
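The matching and precedence rules in this section can be previewed against a tag inventory before a prefix rule is saved, which shows how many resources a broad prefix would pull into a policy. This is an added example, not N2W code. It assumes a Custom Tag matches when a single resource tag satisfies both the name rule and the value rule; the function names, resource IDs, and tags are constructed.

```python
NO_BACKUP = "no-backup"
CPM_KEYS = ("cpm backup", "cpm_backup")


def _hit(actual, wanted, is_prefix):
    # Case-sensitive comparison, as this section states for Custom Tags.
    return actual.startswith(wanted) if is_prefix else actual == wanted


def preview_custom_tag(resources, policy, name, value,
                       name_is_prefix=False, value_is_prefix=False):
    """Map resource id -> expected outcome for one Custom Tag rule on one policy."""
    outcome = {}
    for rid, tags in resources.items():
        matched = any(_hit(k, name, name_is_prefix) and _hit(v, value, value_is_prefix)
                      for k, v in tags.items())
        if not matched:
            continue
        cpm_entries = next((tags[k] for k in CPM_KEYS if k in tags), "").split()
        # Policy each entry places the resource in: text before any '#', '+' or ':'.
        cpm_policies = {e.split("#")[0].split("+")[0].split(":")[0] for e in cpm_entries}
        if NO_BACKUP in cpm_entries:
            outcome[rid] = "ignored: no-backup"
        elif policy in cpm_policies:
            outcome[rid] = "ignored: cpm backup tag names same policy"
        else:
            outcome[rid] = "added by custom tag"
    return outcome


def case_collisions(tags):
    """Tag names on one resource that differ only by letter case (see the note in 14.1)."""
    groups = {}
    for key in tags:
        groups.setdefault(key.lower(), []).append(key)
    return [sorted(group) for group in groups.values() if len(group) > 1]


# Constructed inventory: resource id -> {tag name: tag value}.
SAMPLE_RESOURCES = {
    "i-aaa": {"Department A": "finance"},
    "i-bbb": {"Departments": "finance", "cpm backup": "no-backup"},
    "i-ccc": {"Department_3": "finance", "cpm_backup": "policy1#only-snaps"},
    "i-ddd": {"department": "finance"},  # lower case: no match
    "i-eee": {"Department": "finance", "department": "hr"},
}

if __name__ == "__main__":
    result = preview_custom_tag(SAMPLE_RESOURCES, "policy1", "Department", "finance",
                                name_is_prefix=True)
    for rid, status in result.items():
        print(rid, status)
    print("case collisions on i-eee:", case_collisions(SAMPLE_RESOURCES["i-eee"]))
```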

## 14.3 Tag Scanning <a href="#id-14-3-tag-scanning" id="id-14-3-tag-scanning"></a>

Tag scanning can only be controlled by the admin/root user. When the scan is running, it will do so for all the users in the system but will only scan AWS accounts that have **Scan Resources** enabled. This setting is disabled by default. N2W will automatically scan resources in all AWS regions.

1. In the **General Settings** tab, select the **Tag Scan** tab.
2. Select **Scan Resources**.
3. In the **Tag Scan interval** list, set the interval in hours for automatic scans.
4. To override the exclusion of volumes specified in the UI and to exclude instances tagged with **`#exclude`** for the policy, select **Exclude volumes**. See section [9.6](https://docs.n2ws.com/user-guide/9-additional-backup-topics#9-6-excluding-volumes-from-backup).
5. Select **Save**.
6. To initiate a tag scan immediately, select **Scan Now**.
7. To view the Last Scan, select **Show Log**.

![](https://content.gitbook.com/content/5oB64hgFIX2jdQ2O72cF/blobs/AmogDPx3Nq60iHmUsnjp/14-3%20Tag%20scanning%20-%20cropped.png)

{% hint style="info" %}
Even if scanning is disabled, selecting **Scan Now** will initiate a scan.
{% endhint %}

If you do want automated scans to run, keep scanning enabled and set the interval in hours between scans using the **General Settings** screen. You will also need to enable **Scan Resources** for the relevant N2W Accounts. See section [3.1.2](https://docs.n2ws.com/user-guide/3-start-using-n2ws#3-1-2-authentication).

## 14.4 Pitfalls and Troubleshooting <a href="#id-14-4-pitfalls-and-troubleshooting" id="id-14-4-pitfalls-and-troubleshooting"></a>

The following topics should help guide you when developing tags.

### 14.4.1 Pitfalls <a href="#id-14-4-1-pitfalls" id="id-14-4-1-pitfalls"></a>

There are potential issues you should try to avoid when managing your backup via tags:

* The first is not to create contradictions between the tag content and manual configuration. If you tag a resource and it is added to a policy, and later you remove it from the policy manually, it may come back at the next tag scan. N2W tries to warn you about such mistakes.
* Policy name changes can also affect tag scanning. If you rename a policy, the policy name in the tag can be wrong. When renaming a policy, correct any relevant tag values.
* When you open a policy that was created by a tag scan to edit it, you will see a message at the top of the dialog window: “\* This policy was automatically added by tag scan”.

{% hint style="info" %}
Even if all the backup targets are removed, N2W will not delete any policy on its own, since deletion of a policy will also delete all its data. If you have a daily summary configured (section [17.5](https://docs.n2ws.com/user-guide/17-alerts-announcements-notifications-and-reporting#17-5-daily-summary)), policies without backup targets will be listed.
{% endhint %}

* If the same AWS account is added as multiple accounts in N2W, the same tags can be scanned multiple times, and the behaviour can become unpredictable. N2W Software generally discourages this practice. It is better to define an account once, and then allow delegates (section [18.4](https://docs.n2ws.com/user-guide/18-user-management#18-4-delegates)) access to it. If you added the same AWS account multiple times (even for different users), make sure only one of those accounts has **Scan Resources** enabled in N2W.

### 14.4.2 Troubleshooting <a href="#id-14-4-2-troubleshooting" id="id-14-4-2-troubleshooting"></a>

Sometimes you need to understand what happened during a tag scan, especially if the tag scan did not behave as expected, such as when a policy was not created. In the **General Settings** screen, you can view the log of the last tag scan and see what happened during this scan, as well as any other problems that were encountered, such as a problem parsing the tag value. Also, if the daily summary is enabled, new scan results from the last day will be listed in the summary.

Ensure that the tag format is correct. Tips for ensuring correct tag formats are:

* When listing multiple policy names, make sure they are separated by spaces.
* When creating a new policy, verify that you are using a colon ‘`:`’ and not a semi-colon ‘`;`’. The syntax is **`new_policy1:existing_policy1`**.
* Use a valid name for the new policy or it will not be created. An error message will be added to the scan log.
* Use correct names for existing/template policies.
* Resource scanning order is NOT defined, so use a policy name as an existing/template policy only if you are sure that it already exists in N2W, either defined manually or scanned previously.
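The format tips above can be checked before a tag ever reaches a scan, for example in the pipeline that applies the tags. The following is an added example, not N2W code: a Python linter for **`cpm backup`** / **`cpm_backup`** values built from the syntax described in section 14.1. The function name, the allowed policy-name characters, and the handling of `no-backup` mixed with other entries are assumptions.

```python
import re

# Backup options named in sections 14.1.3 and 14.1.6 of this page.
OPTIONS = {"only-snaps", "initial-ami", "only-amis", "only-amis-reboot",
           "app-aware", "app-aware-vss", "app-aware-script", "exclude"}
# EFS keys from section 14.1.4 (the page spells the cold-storage count both ways).
EFS_KEYS = {"vault", "role_arn", "cold_opt", "cold_opt_val", "cold_opt_value",
            "exp_opt", "exp_opt_val"}
PERIODS = {"cold_opt": set("NDWMY"), "exp_opt": set("PNDWMY")}
# Assumption: the page does not define which characters a policy name may use.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_LEN = 256  # limit stated in section 14.1.4


def lint_cpm_backup(value):
    """Return a list of problems found in a cpm backup / cpm_backup tag value."""
    problems = []
    if len(value) > MAX_LEN:
        problems.append(f"value is {len(value)} characters, limit is {MAX_LEN}")
    entries = value.split()
    if not entries:
        return problems + ["empty value"]
    if "no-backup" in entries:
        # Assumption: mixing no-backup with policy entries is not documented.
        if len(entries) > 1:
            problems.append("no-backup mixed with other entries")
        return problems
    for entry in entries:
        if ";" in entry:
            problems.append(f"{entry!r}: use ':' between new and template policy, not ';'")
            continue
        if "," in entry:
            problems.append(f"{entry!r}: separate policy names with spaces")
            continue
        head, *efs = entry.split("+")
        target, *opts = head.split("#")
        names = target.split(":")
        if len(names) > 2 or not all(NAME_RE.match(n) for n in names):
            problems.append(f"{entry!r}: bad policy name or new:template pair")
        problems += [f"{entry!r}: unknown option #{o}" for o in opts if o not in OPTIONS]
        settings = {}
        for pair in efs:
            key, sep, val = pair.partition("=")
            if not sep or key not in EFS_KEYS:
                problems.append(f"{entry!r}: bad EFS setting {pair!r}")
            settings[key.replace("_value", "_val")] = val
        for opt_key, allowed in PERIODS.items():
            period = settings.get(opt_key)
            count = settings.get(opt_key + "_val", "")
            if period is not None and period not in allowed:
                problems.append(f"{entry!r}: {opt_key}={period} is not a valid period")
            elif period in set("DWMY") and not count.isdigit():
                problems.append(f"{entry!r}: {opt_key}={period} needs an integer {opt_key}_val")
    return problems


# Constructed inputs: the first three are tag values quoted on this page.
SAMPLES = ["policy1 policy2 policy3", "my_new_policy:existing_policy#only-amis",
           "my_policy+vault=Default+exp_opt=D+exp_opt_val=1",
           "new_policy1;existing_policy1", "policy1#only-ami", "my_policy+exp_opt=W"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", lint_cpm_backup(sample) or "ok")
```

The linter checks syntax only; whether a named existing or template policy is actually present in N2W still has to be confirmed in the Tag Scan log.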
