23 Capturing and Cloning in VPC Environments
VPC support is not available with the Free edition of N2WS.
VPC is an AWS service that allows the definition of virtual networks in the AWS cloud. Users can define VPCs with a network range, define subnets under them, security groups, Internet Getaways, VPN connections, and more. One of the resources of the VPC service is also called ‘VPC’, which is the actual virtual, isolated network.
N2WS can capture the VPC settings of user environments and clone those settings back to AWS:
In the same region and account, for example, if the original settings were lost.
To another region and/or account, such as in DR scenarios.
With VPC resource properties modified in template uploaded with CloudFormation, if required.
Once enabled from General Settings, N2WS will automatically capture VPC settings at pre-defined intervals, such as for cleanup and tag scanning. The root/admin user can enable the feature in the Capture VPC tab of the General Settings screen and set the interval of VPC captures. VPC settings are enabled at the account level, by default, same as tag scanning.
Because VPC configuration metadata is small, VPC does not consume a lot of resources during storage of the capture. Metadata is captured incrementally. If nothing changed since the last capture, the metadata will not be captured again. This is the most common case in an ongoing system, where defined networks do not change frequently.
Regions - N2WS will only capture VPC settings in regions that include backed-up resources. If the customer is not backing up anything in a specific region, N2WS will not try to capture the VPC settings there.
Retention - N2WS will retain the VPC data as long as there are backups requiring it. If N2WS still holds backups from a year ago, the VPC version relevant for that time is still retained. Once there are no relevant backups, N2WS will delete the old VPC captured data.
CloudFormation - N2WS will use the AWS CloudFormation service to clone VPCs to an AWS account. N2WS will create a CloudFormation template with the definitions for the VPC and use the template to launch a new stack and create all the VPC settings in one operation.
The objective of Capture and Clone is to provide the ability to protect VPCs from disaster, by saving VPC configurations and allowing for recovery in any region.
Backed up VPC entities include:
VPC resource configuration
Subnets - N2WS tries to match AZs with similar names and spread subnets in destinations in the same way as in source regions.
Security groups
DHCP Options Sets - Not supporting multi-name in domain server name.
Route tables - Not supporting rules with entities that are specific to the source region.
Network ACLs
Internet Gateways, Egress Internet Gateways
VPN Gateways
The Capture Log in the Capture VPC tab of General Settings reports entities not captured or only partially captured.
VPC capturing:
Accounts are enabled for VPC capturing by default, but this setting can be disabled as needed.
Captures in all regions of interest.
N2WS will capture and save all changes made on AWS for a user’s VPCs.
Not supported: NAT gateways, VPC peering connections, customer gateways, VPN connections, Network interfaces, Elastic IP addresses, VPC Endpoints, VPC Endpoints services, Transit Gateways
VPC cloning:
Every Account that has a VPC captured in a region can clone a version of the VPC to any destination, region, and account.
The subnets of the cloned VPC will be located in the destination’s Availability Zone with respect to their availability in the region.
Users can download a template of VPC resources to manually configure and load it with AWS CloudFormation.
The root user can:
Enable or disable automatic VPC captures for Accounts that are VPC-enabled.
Schedule automatic capture interval.
Initiate an ad hoc capture by selecting Capture Now for all VPC-enabled Accounts, even if VPC is disabled in General Settings.
View the last captured VPCs in the different regions and accounts in Capture Log.
Select
Server Settings > General Settings.In the Capture VPC tab, select Capture VPC Environments to enable the feature.
To change the capture frequency from the default, select a new interval from the Capture VPCs Interval list. Valid choices are from every hour to every 24 hours.
Select Save to update N2WS.
To initiate an immediate capture for all VPC-enabled Accounts regardless of server setting, select Capture Now.
By default, Accounts are enabled to Capture VPCs. VPCs are automatically captured for all enabled Accounts according to the interval configured in the General Settings. To not capture VPCs for an Account, disable the feature in the Account.
To disable, or enable, an individual account for capturing VPCs:
Select the Accounts tab and then select an Account.
Select
Edit.Select Capture VPCs to enable, or clear Capture VPCs to disable.
Select Save.
The following entities are not supported:
Cloning CIDR block IPV6 on a subnet.
Inbound and Outbound Endpoint rules of Security Groups.
Inbound and Outbound rules of Security Groups that refer to a security group on a different VPC.
Route Table rules with NAT Instance as target.
Route Table rules with NAT Gateway as target.
Route Table rules with Network Interface as target.
Route Table rules with VPC peering connection as target.
Route Table rules with status 'Black Hole'.
A VPC-enabled account must have at least one policy with a backup target to clone VPCs.
Cloning VPCs includes the following features:
Both cross-region and cross-account cloning are supported.
The target clone can have a new name. The name will automatically include ‘(cloned)’ at the end.
During instance recovery and DR, clones may be optionally created to replicate a particular VPC environment before the actual instance recovery proceeds. The new instance will have the environment of the cloned VPC and will subsequently appear at the top of the target region and account list. A typical scenario might be to capture the VPC, clone the VPC for the first instance, and then apply the cloned VPC to additional instances in the region/account.
Instances recovered into a cloned VPC destination environment will also have new default entities, such as the VPC’s subnet definition and 1 or more security groups attached to the instance, regardless of the original default entities. Security groups can be changed during recovery.
When cloning VPCs to an AWS account, N2WS generates a JSON template for use with CloudFormation.
If the size of the CloudFormation template generated will be over 50 kB, N2WS requires the use of an existing S3 Bucket in the target destination for storing the template. There should be an S3 bucket for each combination of accounts and regions in the destination clone. The template file in a S3 bucket will not be removed after cloning.
In addition to having a bucket in the target region in the presented settings, you must choose that bucket when defining where to Upload the CF template to S3.
To clone captured VPCs:
Select the Accounts tab and then select an account.
Select
Clone VPC.
In the Capture Source Region drop-down list, select the source region of the capture to clone.
In the VPC drop-down list, select the VPC to clone.
In the Captured at drop-down list, select the date and time of the capture to clone.
In the Clone to Destination Region drop-down list, select the region to create the clone.
In the VPC Name box, a suggested name for the VPC is shown. Enter a new VPC name, if needed.
In the Account drop-down list, select the account in which to create the clone.
If the CF template is over 50 kB, select CloudFormation Template to download a JSON file with cloning information.
In the Upload CF template to S3 dialog box, enter the Existing Bucket Name of a bucket that is located in the selected target region:
Select Clone VPC. At the end of the cloning, a status message will appear in a box:
VPC was Cloned. There may be an informational message that you may need to make manual changes. Check the log for further information.
To view the results of the clone VPC action, select Download Log.
When cloning VPCs with resources not supported by N2WS, you can download the CloudFormation template for the VPC, add or modify resource information, and upload the modified template to CloudFormation manually.
To create a clone manually with CloudFormation:
In the Account Clone VPC screen, complete the fields as described above.
Select CloudFormation Template to download the CloudFormation JSON template.
Modify the template, as required. See the example in section 23.5.1.
Manually upload the modified template with CloudFormation.
{'AWSTemplateFormatVersion': '2010-09-09','Description': 'Template created by N2WS','Resources': {'dopt4a7bcf33': {'DeletionPolicy': 'Retain','Properties': {'DomainName': 'ec2.internal','DomainNameServers': ['AmazonProvidedDNS']},'Type': 'AWS::EC2::DHCPOptions'},'dopt4a7bcf33vpc9d4bcbe6': {'DeletionPolicy': 'Retain','Properties': {'DhcpOptionsId': {'Ref': 'dopt4a7bcf33'},'VpcId': {'Ref': 'vpc9d4bcbe6'}},'Type': 'AWS::EC2::VPCDHCPOptionsAssociation'},'sgcd8af6bb': {'DeletionPolicy': 'Retain','Properties': {'GroupDescription': 'default VPC security group','GroupName': 'default-0','SecurityGroupEgress': [{'CidrIp': '0.0.0.0/0','IpProtocol': '-1'}],'SecurityGroupIngress': [],'Tags': [{'Key': 'cpm:original:GroupId','Value': 'sg-cd8af6bb'}],'VpcId': {'Ref': 'vpc9d4bcbe6'}},'Type': 'AWS::EC2::SecurityGroup'},'vpc9d4bcbe6': {'DeletionPolicy': 'Retain','Properties': {'CidrBlock': '10.0.0.0/24','EnableDnsHostnames': false,'EnableDnsSupport': true,'InstanceTenancy': 'default','Tags': [{'Key': 'Name','Value': 'Public-VPC-for-CF'},{'Key': 'cpm:capturetime','Value': 'Aug 22, 2018 16:15'},{'Key': 'cpm:clonetime','Value': 'Aug 25, 2018 21:20'},{'Key': 'cpm:original:VpcId','Value': 'vpc-9d4bcbe6'},{'Key': 'cpm:original:region','Value': 'us-east-1'}]},'Type': 'AWS::EC2::VPC'}}}