23 Capturing and Cloning in VPC Environments

In this section, you will learn how to use an Amazon Virtual Private Cloud (VPC) to launch AWS resources into a logically separate virtual network.
VPC support is not available with the Free edition of N2WS.

23.1 Overview of VPC and N2WS

VPC is an AWS service that allows the definition of virtual networks in the AWS cloud. Users can define VPCs with a network range and, under them, subnets, security groups, Internet Gateways, VPN connections, and more. One of the resources of the VPC service is also called 'VPC', which is the actual virtual, isolated network.
N2WS can capture the VPC and Transit Gateway settings as root resources, including their related resources, of user environments and clone those settings back to AWS:
  • In the same region and account, for example, if the original settings were lost.
  • To another region and/or account, such as in DR scenarios.
  • With VPC resource properties modified in a template that is then uploaded to CloudFormation, if required.
Once enabled from General Settings, N2WS automatically captures VPC settings at pre-defined intervals, as it does for cleanup and tag scanning. The root/admin user enables the feature in the Capture VPC tab of the General Settings screen and sets the interval between VPC captures. VPC capture is enabled at the account level by default, the same as tag scanning.
Because VPC configuration metadata is small, storing a capture does not consume many resources. Metadata is captured incrementally: if nothing has changed since the last capture, the metadata is not captured again. This is the most common case in a running system, where defined networks do not change frequently.
  • Regions - N2WS will only capture VPC settings in regions that include backed-up resources. If the customer is not backing up anything in a specific region, N2WS will not try to capture the VPC settings there.
  • Retention - N2WS will retain the VPC data as long as there are backups requiring it. If N2WS still holds backups from a year ago, the VPC version relevant for that time is still retained. Once there are no relevant backups, N2WS will delete the old VPC captured data.
  • CloudFormation - N2WS will use the AWS CloudFormation service to clone VPCs and Transit Gateways to an AWS account. N2WS will create a CloudFormation template with the definitions for the VPC or Transit Gateway and use the template to launch a new stack and create all the VPC or Transit Gateway settings in one operation.

23.2 Features of Capturing and Cloning VPCs and Transit Gateways

  • On Transit Gateways, attachments of type 'Direct Connect Gateways' are not supported.
  • Transit Gateway Policy Tables are not supported.
  • Capturing and cloning Transit Gateways in the following regions is not supported: China regions, Government regions, Jakarta, and Osaka.
  • The clone destination region should have sufficient quotas to hold all resources captured in the source region.
Shared Resource Limitations:
  • The following shared resources are not supported for cloning:
    • Shared Prefix lists
    • Shared Subnets
    • Shared Transit Gateway Multicast Domains
  • A shared Transit Gateway is supported only if the account providing the shared access is defined as a ‘CPM account’.
  • The clone of a Transit Gateway shared with a different account will be cloned to only one target account even though the original Transit Gateway was spread over 2, or more, AWS accounts.
The objective of Capture and Clone is to provide the ability to protect VPCs and Transit Gateways from disaster, by saving VPC and Transit Gateways configurations and allowing for recovery in any region.
  • Backed up VPC entities include:
    • VPC resource configuration
    • Subnets - N2WS tries to match AZs with similar names and spread subnets in destinations in the same way as in source regions.
    • Security groups
    • DHCP Options Sets - Multiple names in the domain name server field are not supported.
    • Route tables - Rules whose targets are entities specific to the source region are not supported.
    • Network ACLs
    • Internet Gateways
    • Egress-Only Internet Gateways
    • VPN Gateways
    • Customer Gateways
    • VPN Connections
    • NAT Gateways
    • VPC Peering connections - A peer in a different AWS account is not supported.
    • Managed Prefix Lists
The Capture Log in the Capture VPC tab of General Settings reports entities not captured or only partially captured.
  • Backed up Transit Gateway entities include:
    • Transit Gateway resource configuration
    • Related VPCs and related resources to VPC - See above.
    • Transit Gateway attachments:
      • VPC
      • VPN
      • Peering Connection - Requires accepting connection on Peer
      • Connect
    • Transit Gateway Route Tables
    • Transit Gateway Multicast Domains
    • Related Network Interfaces
    • Custom Gateways
    • VPN Connections
    • Managed Prefix Lists
  • VPC and Transit Gateway capturing:
    • Accounts are enabled for VPC Service configuration capturing by default, but this setting can be disabled as needed.
    • Captures in all regions of interest, excluding the unsupported regions.
    • N2WS will capture and save all changes made on AWS for a user’s VPCs and Transit Gateways.
    • Not supported: Carrier gateways, Network interfaces related to VPCs, Elastic IP addresses, VPC Endpoints, VPC Endpoints services, Firewalls, and Traffic Mirroring.

23.3 Updating Accounts for VPC

By default, Accounts are enabled to Capture VPCs. VPCs are automatically captured for all enabled Accounts according to the interval configured in the General Settings. To not capture VPCs for an Account, disable the feature in the Account.
To disable, or enable, an individual account for capturing VPCs:
  1. Select the Accounts tab, and then select an Account.
  2.
  3. Select Capture VPCs to enable, or clear Capture VPCs to disable.
  4. Select Save.

23.4 Configuring Capture of VPC Entities

The root user can:
  • Enable or disable automatic capture of VPC entities for Accounts that are VPC-enabled.
  • Schedule automatic capture interval.
  • Initiate an ad hoc capture by selecting Capture Now for all VPC-enabled Accounts, even if VPC is disabled in General Settings.
  • View the last captured VPCs and Transit Gateways in the different regions and accounts in Show Log.
  1. Select Server Settings > General Settings.
  2. In the Capture VPC tab, select Capture VPC Environments to enable the feature.
  3. To change the capture frequency from the default, select a new interval from the Capture VPCs Interval list. Valid choices are from every hour to every 24 hours.
  4. Select Save to update N2WS.
  5. To initiate an immediate capture for all VPC-enabled Accounts regardless of the server setting, select Capture Now.

23.5 Cloning VPCs and Transit Gateways

Both cross-region and cross-account cloning are supported for VPCs and Transit Gateways.

23.5.1 Cloning VPCs

The following entities are not supported:
  • Inbound and Outbound Endpoint rules of Security Groups.
  • Inbound and Outbound rules of Security Groups that refer to a security group on a different VPC.
  • Route Table rules with NAT Instance as target.
  • Route Table rules with Network Interface as target.
  • Route Table rules with VPC peering connection as target.
  • Route Table rules with status 'Black Hole'.
Prerequisites, Conditions, and Limitations
  • Before cloning, verify that the destination region has sufficient quotas for all resources captured in the source region.
  • Cloning a VPN connection with an Authentication type other than 'Pre Shared Keys' is not supported. Attempting to clone this VPN connection requires manually replacing it after cloning.
  • When cloning a VPC Peering Connection, the accepter VPC must exist in the peer destination region. Download and edit the CloudFormation template.
  • When cloning a NAT Gateway with public connectivity, the Elastic IP allocation ID must exist and be available. Download and edit the CloudFormation template.
  • When cloning includes a Customer Gateway, if the original Customer Gateway exists, it will be used; otherwise, it will be created.
  • Cloning a VPC Peering connection with a VPC peer on a different AWS account is not supported. Download and edit the CloudFormation template.
A VPC-enabled account must have at least one policy with a backup target to clone VPCs.
Cloning VPCs includes the following features:
  • The target clone can have a new name. The name will automatically include ‘(cloned)’ at the end.
  • During instance recovery and DR, clones may be optionally created to replicate a particular VPC environment before the actual instance recovery proceeds. The new instance will have the environment of the cloned VPC and will subsequently appear at the top of the target region and account list. A typical scenario might be to capture the VPC, clone the VPC for the first instance, and then apply the cloned VPC to additional instances in the region/account.
  • Instances recovered into a cloned VPC destination environment will also have new default entities, such as the VPC’s subnet definition and 1 or more security groups attached to the instance, regardless of the original default entities. Security groups can be changed during recovery.

23.5.2 Cloning Transit Gateways

The following item is not supported:
  • Capturing and Cloning Transit Gateways on the following regions is not supported: Osaka, Jakarta, the Government regions, and China regions.
Instructions and limitations:
  • A Transit Gateway whose resources reference more distinct AZs than exist in the clone region cannot be cloned. Download and edit the CF template.
  • A Transit Gateway peering attachment is not supported if the cloned Transit Gateway is the Accepter rather than the Requester.
  • If the original Transit Gateway had 'DefaultRouteTableAssociation' and/or 'DefaultRouteTablePropagation' enabled, they will be disabled on the cloned Transit Gateway. Set the flag to 'enable' and choose the default Route Table in the VPC Console.
  • Cloning routes Propagation/Association of VPN to Route Table is not supported. Manually add the missing routes on VPC Console.
  • Cloning of Managed Prefix List references of Transit Gateway Route Table is not supported. Manually add the missing details on VPC Console.
    • The downloaded Clone log will indicate that a reference is required to be made manually.
    • The Transit Gateway Route Table that requires a reference to a Managed Prefix List will have a Tag pointing to the Prefix list to reference.
    • The cloned Managed Prefix List that needs to be referenced will also indicate the referencing Transit Gateway Route Tables entity.
  • Transit Gateway Connect Peer that is related to Connect Transit Gateway attachment is not supported. Manually add the missing details on VPC Console.
  • When cloning includes a Customer Gateway, if the original Customer Gateway exists, it will be used; otherwise, it will be created.
  • If the VPC includes VPN connections, you may need to re-establish the connections using the new VPN tunnels configuration.
A VPC-enabled account must have at least one policy with a backup target to clone Transit Gateways.
Cloning Transit Gateways includes the following features:
  • The target clone can have a new name. The name will automatically include ‘(cloned)’ at the end.

23.5.3 The CloudFormation Template

When cloning VPCs to an AWS account, N2WS generates a JSON template for use with CloudFormation.
  • If the generated CloudFormation template is larger than 50 kB, N2WS requires an existing S3 bucket in the target destination for storing the template. There must be an S3 bucket for each combination of account and region in the clone destination. The template file in an S3 bucket is not removed after cloning.
  • In addition to having a bucket in the target region, you must choose that bucket when defining where to Upload the CF template to S3.
To clone captured VPCs or Transit Gateways:
  1. Select the Accounts tab and then select an account.
  2. Select Clone VPC Entities.
  3. In the Capture Source Region section Network Entity Type list, select the source region of the capture to clone.
  4. In the Source VPC/Transit Gateway drop-down list, select the item to clone.
  5. In the Captured at drop-down list, select the date and time of the capture to clone.
  6. In the Clone to Destination section Region drop-down list, select the region in which to create the clone.
  7. In the VPC/Transit Gateway Name box, a suggested name for the cloned item is shown. Enter a new name, if needed.
  8. In the Account drop-down list, select the account in which to create the clone.
  9. If the CF template is over 50 kB, in the Upload CF template to S3 dialog box, enter the name of an S3 bucket that exists in the selected target region.
  10. Select Clone VPC/Clone Transit Gateway. At the end of the cloning, a status message will appear in a box:
     • Cloning VPC/Transit Gateway completed successfully. There may be an informational message that you need to make manual changes. Check the log, using Download Log, for further information.
  11. To view the results of the clone action, select Download Log.
When cloning VPCs with resources not supported by N2WS, you can download the CloudFormation template for the VPC, add or modify resource information, and upload the modified template to CloudFormation manually.
To create a clone manually with CloudFormation:
  1. In the Account Clone VPC Entities screen, complete the fields as described above.
  2. Select VPC/Transit Gateway CloudFormation Template to download the CloudFormation JSON template.
  3. Modify the template, as required. See the example in section 23.5.1.
  4. Manually upload the modified template with CloudFormation.

23.5.4 Example of CloudFormation Template

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Template created by N2WS",
  "Resources": {
    "dopt4a7bcf33": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "DomainName": "ec2.internal",
        "DomainNameServers": ["AmazonProvidedDNS"]
      },
      "Type": "AWS::EC2::DHCPOptions"
    },
    "dopt4a7bcf33vpc9d4bcbe6": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "DhcpOptionsId": {"Ref": "dopt4a7bcf33"},
        "VpcId": {"Ref": "vpc9d4bcbe6"}
      },
      "Type": "AWS::EC2::VPCDHCPOptionsAssociation"
    },
    "sgcd8af6bb": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "GroupDescription": "default VPC security group",
        "GroupName": "default-0",
        "SecurityGroupEgress": [{"CidrIp": "", "IpProtocol": "-1"}],
        "SecurityGroupIngress": [],
        "Tags": [{"Key": "cpm:original:GroupId", "Value": "sg-cd8af6bb"}],
        "VpcId": {"Ref": "vpc9d4bcbe6"}
      },
      "Type": "AWS::EC2::SecurityGroup"
    },
    "vpc9d4bcbe6": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "CidrBlock": "",
        "EnableDnsHostnames": false,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default",
        "Tags": [
          {"Key": "Name", "Value": "Public-VPC-for-CF"},
          {"Key": "cpm:capturetime", "Value": "Aug 22, 2018 16:15"},
          {"Key": "cpm:clonetime", "Value": "Aug 25, 2018 21:20"},
          {"Key": "cpm:original:VpcId", "Value": "vpc-9d4bcbe6"},
          {"Key": "cpm:original:region", "Value": "us-east-1"}
        ]
      },
      "Type": "AWS::EC2::VPC"
    }
  }
}
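A pre-upload check for a downloaded template, added here as an example and not N2WS code: it flags the empty CidrBlock and CidrIp values of the kind visible in the template above, an ingress rule open to the world, a NAT Gateway Elastic IP allocation that must exist in the target region (section 23.5.1), and Refs to logical ids the template does not define. The sample template, its resource names and the eipalloc value are constructed for the example.

```python
import json
# Constructed sample modelled on the N2WS template above (not a real capture):
# empty CidrBlock, empty egress CidrIp, SSH open to the world, NAT Gateway
# with an Elastic IP allocation and a subnet Ref that the template lacks.
SAMPLE_TEMPLATE = json.dumps({"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "vpcexample": {"Type": "AWS::EC2::VPC", "DeletionPolicy": "Retain",
                   "Properties": {"CidrBlock": "", "EnableDnsSupport": True}},
    "sgexample": {"Type": "AWS::EC2::SecurityGroup", "DeletionPolicy": "Retain",
                  "Properties": {"GroupDescription": "default VPC security group",
                                 "VpcId": {"Ref": "vpcexample"},
                                 "SecurityGroupEgress": [{"CidrIp": "", "IpProtocol": "-1"}],
                                 "SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp",
                                                           "FromPort": 22, "ToPort": 22}]}},
    "natexample": {"Type": "AWS::EC2::NatGateway",
                   "Properties": {"SubnetId": {"Ref": "subnetmissing"}, "AllocationId": "eipalloc-EXAMPLE"}}}})

def iter_refs(node):
    # Yield every logical id used in a {"Ref": ...} anywhere under node.
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        else:
            for value in node.values():
                yield from iter_refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_refs(value)

def check_template(template_text):
    # Return findings a reviewer must resolve before uploading the template.
    resources = json.loads(template_text).get("Resources", {})
    findings = []
    for name, res in resources.items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::VPC" and not props.get("CidrBlock"):
            findings.append(f"{name}: CidrBlock is empty")
        if rtype == "AWS::EC2::SecurityGroup":
            for direction in ("SecurityGroupIngress", "SecurityGroupEgress"):
                for rule in props.get(direction, []):
                    if "CidrIp" in rule and not rule["CidrIp"]:
                        findings.append(f"{name}: {direction} rule has empty CidrIp")
                    elif direction == "SecurityGroupIngress" and rule.get("CidrIp") == "0.0.0.0/0":
                        findings.append(f"{name}: ingress open to 0.0.0.0/0 ({rule.get('IpProtocol')})")
        if rtype == "AWS::EC2::NatGateway" and props.get("AllocationId"):
            findings.append(f"{name}: confirm Elastic IP {props['AllocationId']} exists in the target region")
        for ref in iter_refs(props):  # Ref to a logical id the template does not define
            if ref not in resources and not ref.startswith("AWS::"):
                findings.append(f"{name}: Ref to missing resource {ref}")
    return findings
```

Run it on the template you downloaded from the Clone VPC Entities screen and resolve every finding before uploading the file to CloudFormation.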