# 8  Using Elastic File System (EFS)

Configuring EFS on N2W allows you to determine the following backup settings:

* Schedule and frequency
* Retention
* Lifecycle policy, including moving backups to cold storage, defining expiration options, and deleting them at end of life.
* Whether to use AWS Backup Vault Lock. See section [8.4](#8.4-support-for-aws-backup-vault-lock).

With AWS Backup, you pay only for the backup storage you use and the amount of backup data you restore in the month. There is no minimum fee and there are no set-up charges.

{% hint style="info" %}
EFS Backup and Restore is performed by AWS Backup Service. When adding an EFS target for the first time in a region, you must create the default backup vault in AWS. Go to the AWS Backup console and choose **Backup vaults**. For more information regarding the AWS Backup Service, refer to <https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html>.
{% endhint %}

{% hint style="info" %}
Before continuing, consider the following:

* Check AWS for regions that are available for EFS backup on the AWS Backup service. Currently, regions EU (Milan) and Africa (Cape Town) are not supported by AWS for cross-region DR.
* AWS Backup is not available for EFS in the following regions: Asia Pacific (Hong Kong), Europe (Stockholm), South America (Sao Paulo), and Middle East (Bahrain).
* Backup transitions and expirations are performed automatically according to the configured lifecycle.
* A default or custom IAM role must exist in AWS to create and manage backups on behalf of N2W. The IAM identity contains the backup and restore policies allowing operations on EFS. If a default was not automatically created, or you prefer to use a custom IAM role, see section [8.2](#8-2-creating-iam-roles-in-aws).
  {% endhint %}

## 8.1 Configuring EFS <a href="#id-8-1-configuring-efs" id="id-8-1-configuring-efs"></a>

{% hint style="info" %}
Permissions required to get the relevant information about mounted targets and access points are *optional*.\
Backup and recovery will not fail if no permissions are granted to get/set mounted targets or access points.
{% endhint %}

1. In the AWS Console, create the EFS in one of the available regions. See section [8](https://docs.n2ws.com/user-guide/8-using-elastic-file-system-efs) for regions not supported for EFS.
2. In N2W, in the **Backup Targets** tab of a Policy, select **Elastic File Systems** in the **Add Backup Targets** menu.
3. In the **Add Elastic File System** screen list, select one or more EFS targets and then select **Add selected**.
4. In the **Backup Targets** tab, select an EFS target and then select <img src="https://content.gitbook.com/content/5oB64hgFIX2jdQ2O72cF/blobs/bdc8yYXivvOVPuEqXLBQ/Configure%20icon.png" alt="" data-size="line"> **Configure.**
5. Configure the EFS backup and restore options described in section [8.1.1](#8-1-1-efs-backup-and-restore-options).
6. When finished, select **Apply**.
7. Select **Save** in the Backup Targets screen to save the configuration to the policy.

### **8.1.1 Target Backup and Restore Options** <a href="#id-8-1-1-efs-backup-and-restore-options" id="id-8-1-1-efs-backup-and-restore-options"></a>

* **Backup Vault** – A logical backup container for your recovery points (your target snapshots) that allows you to organize your backups. This method is commonly used for EFS and S3 backups.

{% hint style="info" %}
Default Backup vaults are created in AWS: **AWS Backup** **>** **Backup vaults**.

Prerequisite for Cross-Account backup: In AWS, for each target vault (backup and DR account), update the target access policy to enable the copy of recovery points. See the **Access Policy** section on the vault’s properties page.
{% endhint %}

* **IAM Role** – An IAM identity that has specific permissions for all supported AWS backup services. The following AWS backup permissions should be attached to your IAM role:

  * **AWSBackupServiceRolePolicyForBackup** - Create backups on your behalf across AWS services.
  * **AWSBackupServiceRolePolicyForRestores** - Perform restores on your behalf across AWS services.

  If a default IAM role was not automatically created by AWS, or you require a custom IAM role, see section [8.2](#8-2-creating-iam-roles-in-aws). Selecting the preferred IAM role is only required during the target configuration.

{% hint style="info" %}
If adding or removing IAM Role permissions for immediate use, reboot the instance to have the change take effect quickly.
{% endhint %}

* **Transition to cold storage** – Select the transition lifecycle of a recovery point (your target snapshots). The default is **Never**.

{% hint style="info" %}
Transition to cold storage is not supported by AWS for S3.
{% endhint %}

* **Expire** – Define when the protected resource expires. The default is **Policy Generations**.

{% hint style="info" %}
Moving a backup to the Freezer will set **Expire** to **Never**.
{% endhint %}

![](https://content.gitbook.com/content/5oB64hgFIX2jdQ2O72cF/blobs/p0QfTZqlo4pp349ZY3Gw/8-1%20EFS%20Config-cropped.png)

## 8.2 Creating IAM Roles in AWS <a href="#id-8-2-creating-iam-roles-in-aws" id="id-8-2-creating-iam-roles-in-aws"></a>

A default or custom IAM role is necessary for AWS to perform EFS operations on behalf of N2W.

{% hint style="info" %}
If adding or removing IAM Role permissions for immediate use, reboot the instance to have the change take effect promptly.
{% endhint %}

**To create a default IAM Role**:

1. Go to the AWS Backup Service: <https://us-east-1.console.aws.amazon.com/backup/>
2. Select **Create an on-demand backup**.
3. For **Resource type**, select **EBS**.
4. For **Volume ID**, select **any EBS volume to back up**.
5. Select **Default IAM Role**.
6. Select **Create on-demand backup**. Ignore the error provided by AWS.
7. Verify that the following role was created on AWS IAM Service:

![](https://gblobscdn.gitbook.com/assets%2Fdocumentation%2F-MDFdvhzgjWwpYd25hZr%2F-MDFe3z-ZuYB4ubN6EqL%2F2.jpeg?alt=media)

**To create a custom IAM Role:**

1. Go to AWS IAM Service: <https://console.aws.amazon.com/iam/home#/roles>
2. Select **Create role**.
3. Select **AWS Backup** and then select **Next: Permissions**.
4. Search for **BackupService**.
5. Select the following AWS managed policies:
   1. **AWSBackupServiceRolePolicyForBackup**
   2. **AWSBackupServiceRolePolicyForRestores**
6. Select **Next: Tags** and then select **Next: Review.**
7. Enter a **Role name** and select **Create role.**

![](https://gblobscdn.gitbook.com/assets%2Fdocumentation%2F-MDFdvhzgjWwpYd25hZr%2F-MDFe3z01pUHwFnoRWPU%2F3.jpeg?alt=media)
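The custom-role steps above, scripted with boto3 as an added example (not N2W or AWS code). `iam` is a `boto3.client("iam")`; the role name is whatever you pass in, and `create_backup_role`, `trusted_principals` and `audit_backup_role` are names made up for this example. The audit helper checks that an existing role carries both managed policies and is assumable only by the AWS Backup service.

```python
import json

# The two AWS managed policies named in the steps above.
REQUIRED_POLICIES = {
    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup",
    "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores",
}
BACKUP_PRINCIPAL = "Service:backup.amazonaws.com"
# Trust policy that lets only the AWS Backup service assume the role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "backup.amazonaws.com"}}]}

def create_backup_role(iam, role_name):
    """Create the role, attach both managed policies, return the role ARN."""
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(TRUST_POLICY))
    for arn in sorted(REQUIRED_POLICIES):
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    return role["Role"]["Arn"]

def trusted_principals(trust_doc):
    """Flatten the principals of all Allow statements into 'Type:value' strings."""
    statements = trust_doc.get("Statement", [])
    found = set()
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # e.g. "*"
            principal = {"AWS": principal}
        for kind, values in principal.items():
            values = [values] if isinstance(values, str) else values
            found.update(f"{kind}:{v}" for v in values)
    return found

def audit_backup_role(iam, role_name):
    """Return findings for an existing role; an empty list means it matches."""
    doc = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    doc = json.loads(doc) if isinstance(doc, str) else doc
    attached = {p["PolicyArn"] for p in
                iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]}
    principals = trusted_principals(doc)
    findings = [f"missing policy: {a}" for a in sorted(REQUIRED_POLICIES - attached)]
    findings += [f"unexpected trusted principal: {p}"
                 for p in sorted(principals - {BACKUP_PRINCIPAL})]
    if BACKUP_PRINCIPAL not in principals:
        findings.append("AWS Backup is not allowed to assume this role")
    return findings
```
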

## 8.3 Backup Options for EFS Instances <a href="#id-8-3-backup-options-for-efs-instances" id="id-8-3-backup-options-for-efs-instances"></a>

EFS can be configured by creating the **`cpm backup`** or **`cpm_backup`** tag. In this case, N2W will override the EFS configuration with the tag values. See section [14.1.4](https://docs.n2ws.com/user-guide/14-tag-based-backup-management#14-1-4-setting-backup-options-for-efs-instances) for keys and values.

## 8.4 Support for AWS Backup Vault Lock

For complete details on using AWS Backup Vault Lock for EFS, see <https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html>

* The lock is created using an AWS API, not the AWS console.
* N2W supports AWS Backup Vault Lock by setting the expiration time on an EFS target.
* N2W cleanup will work correctly.
* User-initiated deletions of a backup, such as deleting a specific recovery point or deleting all backup records and policy snapshots, will fail.

{% hint style="danger" %}
**Important**: You *cannot* change the lock’s retention after the AWS ‘cooling period’ has passed. The default ‘cooling period’ is a minimum of 72 hours but is extendable by setting the AWS parameter **ChangeableForDays**.
{% endhint %}

**To configure N2W to support AWS Backup Vault Lock:**

{% hint style="warning" %}
If the vault lock is configured with a minimum/maximum retention period, the stored recovery points (created or copied) must also have a matching expiration time.
{% endhint %}

In the EFS Policy Configuration screen, select the **Expire** time on the EFS target. When selecting the **Expire** time, consider that AWS may have a vault lock on the backup.
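A pre-flight check for the retention warning above, as an added example that is not N2W or AWS code: it compares the **Expire** value planned for an EFS target with the vault's lock settings and reports whether the lock is still inside its cooling period. It assumes the vault description comes from the AWS Backup `describe-backup-vault` call, that **Expire** is expressed in days, and that **Never** counts as longer than any maximum; `check_expire`, `lock_state` and the sample vault are made up for this example.

```python
from datetime import datetime, timezone

# Constructed describe-backup-vault output for illustration, not real data.
SAMPLE_VAULT = {
    "BackupVaultName": "Default",
    "Locked": True,
    "MinRetentionDays": 30,
    "MaxRetentionDays": 365,
    "LockDate": "2024-06-04T00:00:00+00:00",
}

def lock_state(vault, now):
    """'no-lock-date', 'cooling' (still changeable) or 'immutable'."""
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "no-lock-date"
    if isinstance(lock_date, str):              # ISO 8601 string or a datetime
        lock_date = datetime.fromisoformat(lock_date)
    if lock_date.tzinfo is None:                # assume UTC when no offset is given
        lock_date = lock_date.replace(tzinfo=timezone.utc)
    return "cooling" if now < lock_date else "immutable"

def check_expire(vault, expire_days, now=None):
    """expire_days: the target's Expire setting in days, or None for Never."""
    now = now or datetime.now(timezone.utc)
    lo, hi = vault.get("MinRetentionDays"), vault.get("MaxRetentionDays")
    problems = []
    if expire_days is None:
        if hi is not None:                      # Never outlasts any maximum
            problems.append(f"Expire=Never exceeds MaxRetentionDays={hi}")
    elif lo is not None and expire_days < lo:
        problems.append(f"Expire={expire_days}d is below MinRetentionDays={lo}")
    elif hi is not None and expire_days > hi:
        problems.append(f"Expire={expire_days}d exceeds MaxRetentionDays={hi}")
    return {"ok": not problems, "lock": lock_state(vault, now), "problems": problems}

if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 2, tzinfo=timezone.utc)   # inside the cooling period
    for days in (7, 90, 400, None):
        print(days, check_expire(SAMPLE_VAULT, days, fixed_now))
```

A result with `"lock": "cooling"` means a mismatch can still be fixed on the vault side; once it reads `"immutable"`, only the **Expire** value on the target can be adjusted.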
