8 Using Elastic File System (EFS)

Configuring EFS on N2WS allows you to determine backup:

  • Schedule and frequency

  • Retention

  • Lifecycle policy, including moving backups to cold storage, defining expiration options, and deleting them at end of life.

With AWS Backup, you pay only for the amount of backup storage you use and the amount of backup data you restore in the month. There is no minimum fee and there are no set-up charges.

EFS Backup and Restore is performed by AWS Backup Service. When adding an EFS target for the first time in a region, you must create the default backup vault in AWS. Go to the AWS Backup console and choose Backup vaults. For more information regarding the AWS Backup Service, refer to https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html

Before continuing, consider the following:

  • Currently, AWS Backup service doesn’t support cross-account DR for EFS resources.

  • Check AWS for regions that are available for EFS backup on the AWS Backup service. Currently, regions EU (Milan) and Africa (Cape Town) are not supported by AWS for cross-region DR.

  • AWS Backup is not available for EFS in the following regions: Asia Pacific (Hong Kong), Europe (Stockholm), South America (Sao Paulo), and Middle East (Bahrain).

  • Backup transitions and expirations are performed automatically according to the configured lifecycle.

  • A default or custom IAM role must exist in AWS to create and manage backups on behalf of N2WS. The IAM identity contains the backup and restore policies allowing operations on EFS. If a default was not automatically created, or you prefer to use a custom IAM role, see section 8.2.

8.1 Configuring EFS

  1. In the AWS Console, create the EFS in one of the available regions. See section 8 for regions not supported for EFS.

  2. In N2WS, in the Backup Targets tab of a Policy, select Elastic File Systems in the Add Backup Targets menu.

  3. In the Add Elastic File System screen list, select one or more EFS targets and then select Add selected.

  4. In the Backup Targets tab, select an EFS target and then select Configure.

  5. Configure the EFS backup and restore options described in section 8.1.1, and select Apply.

  6. Select Save in the Backup Targets screen to save the configuration to the policy.

8.1.1 EFS Backup and Restore Options

  • Backup Vault – A logical backup container for your recovery points (your EFS snapshots) that allows you to organize your backups.

Default Backup vaults are created in AWS: AWS Backup > Backup vaults.

  • IAM Role – An IAM identity that has specific permissions for all supported AWS backup services. The following AWS backup permissions should be attached to your IAM role:

    • AWSBackupServiceRolePolicyForBackup - Create backups on your behalf across AWS services.

    • AWSBackupServiceRolePolicyForRestores - Perform restores on your behalf across AWS services.

    If a default IAM role was not automatically created by AWS, or you require a custom IAM role, see section 8.2. Selecting the preferred IAM role is only required during the EFS policy configuration.

If adding or removing IAM Role permissions for immediate use, reboot the instance to have the change take effect quickly.

  • Transition to cold storage – Select the transition lifecycle of a recovery point (your EFS snapshots). The default is Never.

  • Expire – When a protected resource expires. The default is Policy Generations.

Moving a backup to the Freezer will set Expire to Never.

8.2 Creating IAM Roles in AWS

A default or custom IAM role is necessary for AWS to perform EFS operations on behalf of N2WS.

If adding or removing IAM Role permissions for immediate use, reboot the instance to have the change take effect promptly.

To create a default IAM Role:

  1. Go to the AWS Backup Service: https://us-east-1.console.aws.amazon.com/backup/

  2. Select Create an on-demand backup.

  3. For Resource type, select EBS.

  4. For Volume ID, select any EBS volume to back up.

  5. Select Default IAM Role.

  6. Select Create on-demand backup. Ignore the error provided by AWS.

  7. Verify that the following role was created on AWS IAM Service:

To create a custom IAM Role:

  1. Select Create role.

  2. Select AWS Backup and then select Next: Permissions.

  3. Search for BackupService.

  4. Select the following AWS managed policies:

    1. AWSBackupServiceRolePolicyForBackup

    2. AWSBackupServiceRolePolicyForRestores

  5. Select Next: Tags and then select Next: Review.

  6. Enter a Role name and select Create role.
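
After the custom role is created, it can be checked against this procedure. The following Python is an added example, not N2WS or AWS code: it audits a role's trust policy and attached policies, taking JSON in the shape returned by the AWS CLI commands aws iam get-role and aws iam list-attached-role-policies. The role name and sample data are constructed, and the script assumes backup.amazonaws.com (the AWS Backup service principal) is the only entity that should be trusted.

```python
import json

# ARNs of the two AWS managed policies named in this section.
PREFIX = "arn:aws:iam::aws:policy/service-role/"
REQUIRED = {PREFIX + "AWSBackupServiceRolePolicyForBackup",
            PREFIX + "AWSBackupServiceRolePolicyForRestores"}
BACKUP_PRINCIPAL = "backup.amazonaws.com"  # service principal of AWS Backup

def as_list(value):
    """IAM JSON accepts a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_backup_role(get_role_json, attached_json):
    """Return findings; an empty list means the role matches the procedure."""
    findings, trusted = [], set()
    trust = json.loads(get_role_json)["Role"]["AssumeRolePolicyDocument"]
    for stmt in as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anyone may assume the role
            trusted.add("*")
            continue
        for kind, values in principal.items():
            for v in as_list(values):
                trusted.add(v if kind == "Service" else f"{kind}:{v}")
    if BACKUP_PRINCIPAL not in trusted:
        findings.append("trust policy does not allow " + BACKUP_PRINCIPAL)
    for extra in sorted(trusted - {BACKUP_PRINCIPAL}):
        findings.append("unexpected trusted principal: " + extra)
    attached = {p["PolicyArn"] for p in json.loads(attached_json)["AttachedPolicies"]}
    for arn in sorted(REQUIRED - attached):
        findings.append("missing managed policy: " + arn)
    for arn in sorted(attached - REQUIRED):
        findings.append("extra policy attached: " + arn)
    return findings

def sample_role(services):  # constructed sample, shape of `aws iam get-role` output
    stmt = {"Effect": "Allow", "Principal": {"Service": services}, "Action": "sts:AssumeRole"}
    return json.dumps({"Role": {"RoleName": "example-efs-backup-role",  # hypothetical name
                                "AssumeRolePolicyDocument": {"Statement": [stmt]}}})

def sample_attached(arns):  # constructed sample, shape of `aws iam list-attached-role-policies`
    return json.dumps({"AttachedPolicies": [{"PolicyArn": a} for a in arns]})

if __name__ == "__main__":
    print(audit_backup_role(sample_role("backup.amazonaws.com"), sample_attached(sorted(REQUIRED))))
    print(audit_backup_role(sample_role(["backup.amazonaws.com", "ec2.amazonaws.com"]),
                            sample_attached(["arn:aws:iam::aws:policy/AdministratorAccess"])))
```

An empty result means the role trusts only AWS Backup and carries exactly the two managed policies; each finding names the principal or policy that deviates.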

8.3 Backup Options for EFS Instances

EFS can be configured by creating the cpm backup tag. In this case, N2WS will override the EFS configuration with the tag values. See section 14.1.4 for keys and values.