3 Start Using N2WS

N2WS opens to the Dashboard – an overview of recent backups, recoveries, alerts, resources, and costs.

Depending on your device resolution, the Alerts tile may not appear in the Dashboard. Regardless of screen resolution, all Alerts are available by selecting Alerts in the toolbar.

3.1 Associating an AWS Account

To associate an AWS account for Recovery, you will need to either:

  • Enter AWS credentials consisting of an access key and a secret key, or

  • Use an IAM role, either on the N2WS server instance or cross-account roles.

There are the steps to associate an N2WS account with an AWS account:

  1. To manage your users and roles and obtain AWS credentials, go to the IAM console at https://console.aws.amazon.com/iam/home?#users

    1. Follow the directions to either add a new account or view an existing account.

    2. Capture the AWS credentials.

  2. To associate the AWS account with an N2WS account, go to N2WS:

    1. In the left panel, select the Accounts tab and then select New.

    2. Complete the fields, entering the required information for the Account Type and Authentication method.

You can add as many AWS accounts as your N2WS edition permits.

3.1.1. Account Type

If you are using the Advanced or Enterprise Edition or a free trial, you will need to choose an account type.

  • The Backup account is used to perform backups and recoveries and is the default 3333.

  • The DR account is used to copy snapshots to as part of cross-account functionality.

    • You choose whether this account is allowed to delete snapshots. If the account not allowed to delete snapshots when cleaning up, the outdated backups will be tagged. Not allowing N2WS to delete snapshots of this account implies that the presented IAM credentials do not have the permission to delete snapshots.

    • Enable Use Secured DR Account to select specific permissions for resource types and activities for prohibition. The Secured DR Account Check operation warns the N2WS user about the existence of Prohibited Permissions in IAM policies of the DR account. Turn on the Check Secured DR Account Periodically toggle to perform a period check of whether the DR account backups are compromised by the presence of the prohibited permissions. For details about period and immediate checking of the account, see section 3.2.

3.1.2. Authentication

N2WS Supports the following methods of authentication:

  • IAM User - Authentication using IAM credentials, access and secret keys.

Using IAM User credentials is not recommended as they are less secure than using IAM roles.

  • CPM Instance IAM Role – If an IAM role was assigned to the N2WS server at launch time or later, you can use that IAM role to manage backups in the same AWS account the N2WS server is in.

Only the root/admin N2WS user is allowed to use the IAM role.

  • Assume Role – This type of authentication requires another AWS account already configured in N2WS. If you want to use one account to access another, you can define a cross-account role in the target account and allow access from the first one. The operation of using one account to take a role and accessing another account is called assume role.

You can add as many AWS accounts as your N2WS edition permits.

To allow account authentication using Assume Role in N2WS:

  1. In the Authentication box, choose Assume Role.

  2. In the Account Number box, type the 12-digit account number, with no hyphens, of the target account.

  3. In the Role to Assume box, type the role name, not the full Amazon Resource Name (ARN) of the role. N2WS cannot automatically determine what the role name is, since it is defined at the target account, which N2WS has no access to yet.

  4. The External ID box is optional unless the cross-account role was created with the 3rd party option.

  5. In the Assuming Account list, choose the account that will assume the role of the target account. If you are the root user or independent user and have managed users defined, an additional selection list will appear enabling you to select the user.

  6. Select Scan Resources to include the current account in tag scans performed by the system. Once Scan Resources is Enabled:

    1. In the Scan Regions list, select the regions to scan. To select all regions, select the checkbox at the top of the list. To filter regions, start typing in the search box.

    2. In the Scan Resource Types list, select the types of resources to scan. Select the top checkbox for all, or use the search box to filter types.

  7. The Capture VPCs option defaults to enabled. Clear Capture VPCs to disable for this account. See section 23.

  8. Select Save.

Scanning only specific resource types can reduce tag scan processing time and is useful when user permissions are limited to certain resource types.

3.2 Secured DR Account

The DR account is a secure entity. In N2WS version 3.2.0, N2WS has taken the security to a higher level with the N2WS Secured DR feature, which hardens N2WS security. It allows the N2WS user to better protect the backups of his resources by making sure that backups kept in the DR account are not compromised through the use of unwanted permissions. N2WS can perform a periodic check to alert the user about IAM Users/Roles of the DR account that have unwanted IAM permissions.

The risk of unwanted permissions is demonstrated in the following example:

  • If an IAM Role of a DR account has an attached policy that includes the “ec2:DeleteSnapshot” permission, the snapshot is in danger of getting deleted.

The N2WS user has the flexibility of defining risky permissions for an account.

To define a 'Secured' DR Account and prohibited permissions:

  1. In the Accounts tab, select a DR account and then select Edit.

  2. Select Use Secured DR Account and then select Select Prohibited Permissions. By default, all permissions are prohibited.

  3. For each type of target or action, clear the permissions to be 'allowed', and then select Apply.

  4. Select Save.

N2WS will check for policies whose account has permissions defined as 'prohibited' and list them as compromised in the check log. You can then generate the Secured DR Account Report to identify the accounts and policies at risk. See section 3.2.1.

The required IAM permissions for the DR account to check its users and roles are:

  • iam:ListUsers

  • iam:ListRoles

  • iam:SimulatePrincipalPolicy

  • iam:ListAccessKeys, for authentication

Removing permissions may compromise the safety of N2WS backups. If permissions are removed, a warning alert for the secured DR account will appear as a potential backup risk.

3.2.1 Checking Secured DR Accounts

Two reports are available for checking Secured DR Accounts. If the Check Secured DR AccountShow Log’ indicates that there are compromised permissions, then you can run the Generate Secured DR Report to view the policies and users with the compromised permissions.

  • Check Secured DR Account – Creates a summary status log (Show Log) with the number of policies and accounts with compromised permissions. The check can be run periodically throughout the day or run immediately.

  • Generate Secured DR Report - A detailed list of the AWS policies and the prohibited permissions that are compromised for an account of the current user.

To check Secured DR Accounts:

  1. In the General Settings tab, select the Security tab.

  2. To check the DR accounts periodically during the day, select Check Secured DR Account, select an hourly interval in the Secured DR Check Interval list, and then select Save.

  3. To run the report immediately, select Check Secured DR Account Now, and confirm.

    1. To view the progress and status of the operation, select Background Tasks in the toolbar. Background Tasks only appears after the first Check Secured DR Account or Clone VPC operation. Select View All Tasks.

  4. To view the log, select Show Log. To download, select Download Log in the upper right corner of the log. The Secured_DR_Account_check_log_<date>_<time>.csv file contains Log Time, security Level Type, and Log Message.

To generate Secured DR Account reports:

  1. In the Accounts tab, select a DR (Secured) account.

  2. To check the status of the Secured DR Account periodically during the day:

    1. Select Edit.

    2. Turn on the Check Secured DR Account Periodically toggle.

    3. To view the interval for checking Secured DR Accounts, select the Secured DR Check Interval hours.

    4. Select Save.

  3. To run the detailed report, in the Accounts tab list, select a DR (Secured) Account, and then select Generate Secured DR Report.

The downloaded file (Secured_DR_Account_check_<account>_<date>_<time>.csv) contains a list with the following data:

  • AWS IAM Policy

  • AWS Policy’s User/Role

  • Compromising Permission

3.3. Deleting Accounts

There are two options when deleting an account:

  • Delete the CPM account and all its resources and metadata, BUT leave the AWS account and all its related data on AWS. Select Delete.

  • Delete the CPM account and all its resources and metadata, AND delete the AWS account and all its data, including S3 Repositories. Select Delete Account and Data.

In each case, you will be provided with an explanation of the scope of the delete and a prompt to confirm. In the Delete Account confirmation dialog box, type ‘delete me’ and then select Delete.

3.4 Managing Volume Usage

As part of starting to use N2WS, you might want to enable alerts for when a volume's usage exceeds high and low thresholds. Volume usage reporting can become an integral part of the Dashboard.

If the Volume Usage Alert is enabled, a generic message for volumes exceeding the threshold will appear on the Dashboard Alerts tile. In the Volume Usage Percent tile, the number of volumes below, within, and above the thresholds are shown.

To report volume usage:

  1. In General Settings of the Server Settings, select the Volume Usage Percent tab.

  2. Select Enable Volume Usage Alert.

  3. Enter a percentage in the High Usage Threshold and Low Usage Threshold (%) boxes for when to initiate an alert.

  4. To enable an alert for each time a backup is run on a volume with usage exceeding the High or Low Usage Threshold, select Alert Recurring Volume. The recurring alert is turned off by default, and the alert is initiated only when there is a change in the usage or a change in the threshold that has caused the initiation.

  5. Select Save.

If there is a volume usage alert, select the Volume Usage tab in the main screen to view the specific volume and percentage which initiated the message.

You can evaluate whether additional volumes are nearing the alert thresholds by adjusting the High Usage and Low Usage Thresholds in the Volume Usage screen and selecting the Enter key.

If a volume’s usage changes from high to low, or low to high, there will be an additional alert for that volume.

Changing the usage thresholds in the Volume Usage tab does not change the alert thresholds set in the General Settings tab.

Enabling and configuring usage thresholds while adding a user will override the alert thresholds set in the General Settings tab.

3.5 Importing Non-N2WS Backups to S3

You can quickly lower your storage costs for existing non-N2WS backups by moving them to a more economical S3 storage class. After successfully importing your snapshots with the AnySnap Archiver feature, you can then safely delete the original snapshots.

Currently, the Import to S3 feature supports only EBS snapshots.

Importing consists of the following steps:

  1. In AWS, apply custom tags to backups to import.

  2. In N2WS, create an S3 Repository. See section 21.1.

  3. In the Policies tab, create an Importer Policy with identical custom tags. The maximum number of custom tags per policy is 20.

  4. Verify a scan of the snapshots to import by executing Import Dry Run.

  5. Start the import. Review the progress in the Policies tab.

  6. Pause the import if necessary to change the S3 configuration or to postpone the migration process. See section 21.2.1.

  7. Review the import process with Show Imported Backups or Show Import Log for snapshots imported to S3.

  8. After the import process, N2WS attaches an import_policy_name tag with the name of the policy to the snapshot. The tag excludes the snapshot from additional importing.

    1. If necessary to restart the import, remove the import_policy_name tag using the AWS Snapshot console.

    2. For bulk tag removals, use the AWS Resource Group service. Verify that you have the correct tag key/value pair.

The Import Dry Run scans all AWS snapshots defined in the Importer Policy and marks for import those meeting the following criteria:

  • Snapshot date is within the Start/End Time Range.

  • AWS tag values equal the Import by Tags values defined in the Policy.

  • Snapshot date is the latest within the Record Duration. N2WS marks for import the last backup made within the number of hours defined as record duration. If the duration is set for 2 and there are 3 snapshots with import tags within a 2-hour period, only the last snapshot will be imported.

3.5.1 Creating an Importer Policy

Expiration of storage for S3 snapshots is computed from their EBS snapshot creation date. The S3 storage retention period is determined by the Keep backups in S3 for at least configuration value. If the retention period is set for 12 months and there are 2 imported snapshots, one 11 months old and the other 10 months old, the 11 month old snapshot will be deleted from S3 in 1 month and the other in 2 months.

  1. In the Policies tab, select New Importer Policy.

  2. In the Policy Details tab:

    1. Enter the policy Name, and select the User and Account.

    2. The optional Description box would be an excellent place to identify details of the import.

  3. In the Import Parameters tab:

    1. Select the Start/End Source Data Time Range. End Time defaults to Up to Import Start.

    2. In the Backup Record Interval (Hours) list, select the number of hours from which to select the latest snapshot. For example, if you select 6 and there are 4 snapshots within a period of 6 hours, only the last one of the 4 snapshots is imported.

    3. Enter at least 1 Import by Tags. All regions in the specified account will be scanned.

  4. In the S3 Storage Configuration tab, there must be at least 1 retention condition:

    1. In the Keep backups in S3 for at least lists, select a minimum retention period.

    2. To move S3 backups for archival in Glacier, turn on the Archive to Glacier toggle and select the archiving frequency and retention period.

    3. In the Target repository list, select the repository to import to.

    4. In the S3 Storage class list, select the storage type for this import. Default is Standard.

    5. If Archive to Glacier is enabled, select an Archive Storage Class.

  5. Select Save. After saving, the Import Dry Run and Start Import buttons are enabled, and the import status in the far-right column is Not Started.

3.5.2 Testing Import with Dry Run

After creating the Importer policy, select the policy, and then select Import Dry Run. In the upper right corner, the Dry Run Started message appears. Shortly after the Dry Run completes and the Started message has automatically closed, the Import Snapshots Dry Run [policy name] yyyy mm dd hh mn.CSV file downloads. The report contains the list of the snapshots scanned and whether they meet the criteria for import. Fields include Backup Record number, CPM Account number, AWS Account number, Import (Yes or No), Region, Type (Resource), Volume, Snapshot ID, Start Time, Volume Size in GB, and the Dry Run Parameters.

Review and make adjustments to the Import policy or tags as needed.

3.5.3 Running the Migration

To perform the actual import:

  1. Select the policy, and then select Start Import. The Import policy started message appears.

  2. To view progress details of the import process:

    1. Select Show Import Log.

    2. In the far-right column, view the migration status symbol. Refer to the table of status symbols in section 3.5.4.

  3. If it is necessary to pause the import to S3, in the Policies tab, select Pause Import. To resume, select Resume Import, and the process will restart the copy of the paused snapshot from scratch.

  4. If it is necessary to stop the import to S3, in the Backup Monitor, when the Lifecycle Status is 'Storing in S3 ...', select Abort Copy to S3. To resume, in the Policies tab, select Resume Import, and the process will restart the copy of the snapshot from scratch.

  5. In the Backup Monitor, you can view the final status of the import in the Lifecycle Status column. For statuses other than Stored in S3, hover over the symbol for a description of the status.

  6. In the Policy tab, when the import is finished:

    1. Select Show Imported Snapshots.

    2. To lower costs, you can Delete EBS Snapshots. The icon is active only if the import was 100% successful.

Before deleting any snapshots, it is recommended that you perform a test recovery for each region/account that you imported from to verify that everything is working as expected.

Snapshots imported to S3 are included in the Backup and Snapshot reports. See section 17.7.

3.5.4 Migration Progress and Status Symbols

During the actual migration, you can monitor the progress in the Policies tab by viewing the following migration status symbols in the far-right column. A symbol indicates that the policy is an importer policy, and its color and design indicate its migration status. Following is a summary of the symbol colors:

  • Yellow: Not started, paused, pausing, no items found

  • Green: Scanning, running, deleting EBS snapshots (with some yellow)

  • Blue: Copy complete, moved to S3

  • Red: Copy failed

To view status details, hover over the symbol.

Symbol

Importer Policy Migration Status

Next Actions

Not started

Start Import

Scanning for custom tags, import criteria

Show Import Log

Copying

Show Import Log

Completed without finding snapshots

Reconfigure; Import Dry Run

Copy completed

Show Imported Snapshots

If needed, Delete EBS Snapshots

Deleting EBS snapshots

Show Import Log

Moved to S3

Show Imported Snapshots

Pausing

If needed, Abort Copy to S3

Paused

Resume Import to continue,

orAbort Copy to S3 to stop

Failed

Show Import Log

[No symbol]

Indicates a backup policy

3.6 N2WS Help and Support

You can email support issues to N2W Software support.

For online help and support, select Help & Support in the upper right toolbar.

You can view your current privileges on the N2WS licensed server or activation key by selecting About and then selecting Show license and server details.

For self-service support using the N2WS knowledge base, documentation, how-to guides, and tutorial videos go to the N2WS Support Center by selecting Support.

To go directly to the docs and guides, select Documentation.

To collect and download support logs, select Download Logs. In the Download Support Logs dialog box, select the relevant logs and time frame, and then select Download Logs.

  • Check AWS permissions – Against the required permissions for AWS services and resources.

  • Collect S3 Worker Logs – When S3 support is needed.

  • Collect System Logs – For comprehensive system debugging.

  • Collect Backup Logs from Last - Select Day, Week, or Month in the list.

N2WS support covers all N2W Software users including AWS Outposts.