9 Additional N2WS Backup Topics
Here we cover some backup topics that haven't been addressed earlier.
Last updated
Here we cover some backup topics that haven't been addressed earlier.
Last updated
The N2WS Server runs in a VPC, except in old environments utilizing EC2 Classic. For N2WS to work correctly, it will need outbound connectivity to the Internet. To use AWS endpoints, see .
You will need to provide such connectivity using one of the following methods:
Attaching an Elastic IP.
Using a dynamic public IP, which is not recommended unless there is a dynamic DNS in place.
Enabling a NAT configuration, or
Using a proxy.
You will need to access it using HTTPS to manage it and possibly SSH as well, so some inward access will need to be enabled.
If you will run Linux backup scripts on it, it will also need network access to the backed-up instances.
If N2WS backup agents will need to connect, they will need access to it (HTTPS) as well.
If backup scripts are enabled for a Linux backed-up instance, it will need to be able to get an inbound connection from the N2WS Server.
If a Thin Backup Agent is used in a Windows backed-up instance, the agent will need outbound connectivity to the N2WS Server.
N2WS continues to back up instances even if they are stopped. This may have important implications:
If the policy has backup scripts and they try to connect to the instance, they will fail, and the backup will have Backup Partially Successful status.
If the policy has no backup scripts and VSS is not configured, or if the policy’s options indicate that Backup Partially Successful is considered successful (section ), the backup can continue running, and automatic retention will delete older backups. Every new backup will be considered a valid backup generation.
Snapshots will soon take no storage space since there will be no changes in the volumes, and EBS snapshots are incremental.
Assuming the instance shuts down in an orderly manner and did not crash, backups will be consistent by definition.
Another way to proceed is to make sure the policy is not entirely successful when the instance is stopped by using backup scripts and to keep the default stricter option that treats script failure as a policy failure. This will make sure that the older generations of the policy, before it was stopped, will not be deleted.
If you disable a policy, you need to be aware that this policy will not perform backup until it is enabled again. If you disable it when an instance is stopped, make sure you enable it again when you need the backup to resume
Backups belonging to a policy eventually get deleted. Every policy has its number of generations, and the retention management process automatically deletes older backups.
To keep a backup indefinitely and make sure it is not deleted, move it to the Freezer. There can be several reasons to freeze a backup:
An important backup of an instance you already recovered from so you will be able to recover the same instance again if needed.
A backup of interest, such as the first backup after a major change in the system or after an important update.
You want to delete a policy and only keep one or two backups for future needs.
Elements in the freezer will not be deleted by the automatic Cleanup process.
To move a backup to the Freezer:
Once a backup is moved to the freezer, you will not be able to move it back.
In the left panel, select the Backup Monitor tab.
Type a unique name and an optional description for identification and as keywords for searching and filtering later.
After a backup is in the Freezer:
If you delete the whole policy, frozen backups from the policy will remain.
It is recovered the same way as from a regular backup.
Automatic Cleanup allows you to manage the frequency of the cleanup process and the:
Number of days to keep backup records, even if the backup is deleted.
Number of days after which to rotate single AMIs.
To manage the number of generations saved:
In the General Settings tab, select Cleanup.
In the Cleanup Interval list, select the number of hours between cleanup runs. Select Cleanup Now to start a cleanup immediately.
In each list, select the number of days to:
Rotate Single AMIs
Keep Deleted Records
Keep User Audit logs
Keep Resource Control Records
To keep retry backup records for reporting, select Keep Retry Backup Records.
Backing up independent volumes in a policy is performed regardless of the volume's attachment state. A volume can be attached to any instance or not attached at all, and the policy will still back it up. Backup scripts can determine which instance is the active node of a cluster and perform application quiescence through it.
Following are the ways to exclude volumes from backup:
Enabling the Exclude volumes option in General Settings:
In the Tag Scan tab, select Exclude volumes, and then select Scan Now.
For AWS Regions not enabled by default, users must configure their AWS Account settings.
To configure AWS Account settings to enable Session Tokens for all regions:
In the ‘Security Token Service (STS)’ section, select Change Global endpoint.
In the Change region compatibility of session tokens for global endpoint dialog box, select Valid in all AWS Regions.
You can automatically synchronize S3 buckets using the N2WS S3 Bucket Sync feature. When the policy backup runs, N2WS will copy the source bucket to the destination bucket, without creating a backup. The buckets are selected and configured in Backup Targets of the Policies tab.
Bucket versioning is not supported. The latest version is automatically selected.
If the source S3 bucket object is of the storage class Glacier or Deep Archive, it is not possible to synchronize the bucket. It is necessary to retrieve and restore the object before synchronizing the bucket.
There is a time limitation when syncing between 2 S3 buckets. N2WS will continue performing the synchronization as long as the Maximum session duration for the AWS Role is not exceeded. In the AWS IAM Console, go to the Roles Summary of the CPM instance and select Edit to configure the parameter.
To synchronize S3 buckets:
In the Policies tab, select a policy and then select the Backup Targets tab.
In the Add Backup Targets menu, select S3 Bucket Sync. The Add S3 Bucket Sync screen opens.
Choose one or more buckets, and select Add selected. Selected buckets are removed from the table.
In the Sync Source section, you have options to enter a Source Prefix (Path) and to select whether to Keep Source Prefix at Destination. This option will allow you to combine the source prefix with the destination prefix. For example, if the source prefix is ‘/a/b’ and the destination prefix is ‘/c/d’, the objects will be synchronized to ‘a/b/c/d’.
In the Sync Destination section, configure the following, and then select Apply:
Region – Select the destination region to copy to.
Account – Select the destination account to copy to.
S3 Bucket – Select the destination bucket. The account for the destination bucket may be different than the account for the source bucket. See note above for cross-account bucket sync.
Destination Prefix (Path) – Enter the destination prefix, if any. If a prefix is entered, the dynamic message under the box will display the destination prefix. If Keep Source Prefix at Destination was selected, the prefix will be the concatenation of the source and destination prefixes. For example, source prefix ‘abc’ and destination ‘xyz’ will result in a destination prefix of ‘abc/xyz’.
Storage Class – Select the S3 Storage Class or S3 Reduced Redundancy Storage:
Standard – For low latency and high throughput.
Reduced Redundancy - Enables customers to store non-critical, reproducible data at lower levels of redundancy than Amazon S3’s standard storage.
Standard IA - For data that is accessed less frequently, but requires rapid access. Ideal for long-term storage.
Delete Extra – Select to delete files that exist in the destination but not in the source during synchronization.
After the Policy has run, view the backup log to see the S3Sync details.
SAP HANA Database is an in-memory relational database that can run on an AWS EC2 instance.
N2WS creates and stores both an EC2 instance and SAP HANA database snapshots as part of a policy backup. SAP HANA snapshots are stored to an S3 repository. Backups are always full to enable fast restores.
Complete the following prerequisites before creating SAP HANA policies:
AWS Command Line Interface (AWS CLI) Installation
The latest version of the AWS Command Line Interface (AWS CLI) must be installed and functional on the target instance.
SSM Agent Installation
SAP HANA policies require the installation of SSM agent on the EC2 instance before it is added to an N2WS policy. AWS Backint agent configuration is performed by N2WS at the time of policy configuration if the target instance is running. SAP HANA backup commands are sent to EC2 instances.
To support cross-account backups, configure the S3 bucket policy with the following permissions:
Before creating the policy, retrieve the Instance ID and Instance Number from the SYS.M_SYSTEM_OVERVIEW table in the SAP HANA SYSTEMDB database:
You can also check the following path: /hana/shared/<SID>/HDB<instance>/. In this case, the path is /hana/shared/HXE/HDB90/.
To back up an SAP HANA database:
Ensure that the target EC2 instance is running at the time of backup.
1. In the Policy tab, add the EC2 instance to the selected policy.
3. Select Enable SAP HANA Backup and complete the configuration:
SAP HANA SYSTEMDB User – SAP HANA System DB username.
Password – SAP HANA System DB password.
SAP HANA SID – SAP HANA System ID as shown in the SYS.M_SYSTEM_OVERVIEW table of the SYSTEMDB database.
SAP HANA Instance Number - SAP HANA Instance Number as shown in the SYS.M_SYSTEM_OVERVIEW table of the SYSTEMDB database.
SAP HANA S3 (Bucket) – S3 bucket repository for backup.
S3 KMS Key ARN – S3 KMS key attached to the selected bucket.
4. Select Apply and then Save.
Select the backup and then select Move to Freezer.
Frozen backups are identified by the frozen symbolin the Lifecycle Status column of the Backup Monitor tab.
It will only be deleted if you do so explicitly. Use Delete Frozen Item.
You can search and filter frozen backups using as keywords the name or description. To change the name or description, select Edit Frozen Item.
While in the Backup Monitor, you can switch between showing backup records 'in the Freezer' by turning on and off the toggle key and backup records 'not in the Freezer' by turning on and off the toggle key in the Show area on the far right of the filters line.
In the toolbar, select Server Settings.
The S3 Cleanup runs independently according to the retention period configured for the policy in the backup copy settings. See section . The last S3 Cleanup log however is available in the Cleanup tab.
In the toolbar, select Server Settings > General Settings.
Disabling a scheduled backup time. See section .
Excluding a volume from a policy configuration in the UI. See section .
Using an ‘#exclude’ tag for the policy. See section .
To perform certain actions on Asia Pacific (Hong Kong) and Middle East (Bahrain) AWS regions, managing Session Token Services (STS) is required, as Session Tokens from the global endpoint () are only valid in AWS Regions that are enabled by default.
Go to your AWS console and sign in at ​
In the navigation pane, select .
For more information on how to manage your STS, see
Cross-account S3 Bucket Sync is executed with the account of the policy, not the account of the destination S3 bucket, and requires cross-account access permissions to objects that are stored in the destination S3 bucket. For further information, see: ​
In the Backup Targets tab, for each newly added S3 bucket, select the bucket, and then select Configure. The Policy S3 Bucket Sync Configuration screen opens.
If you change the Storage Class of an S3 Bucket in the Policies tab, the Storage Class of an existing destination bucket will not automatically update during the next S3Sync run. In the Policies tab, select the S3 Bucket Sync object, and then select Configure.
To install or update, see l
To install and run an SSM agent, see
To check the status of the SSM Agent, see
N2WS to SAP HANA EC2 instance communication is completed via an SSM agent. Therefore, assign an SSM IAM role with proper permissions to both N2WS and the EC2 instance running SAP HANA. See section ‎.
2. In the Backup Targets tab, select the instance, and then selectConfigure.
