1 of 36

N2W User Guide 4.5.0

1 Introduction to N2W

Welcome to the N2W Backup & Recovery User Guide. Here you will find all the documentation that you need to make the most of N2W.

N2W Backup & Recovery (CPM), known as N2W, is an enterprise-class backup, recovery, and disaster recovery solution for Amazon Web Services (AWS). Designed from the ground up to support AWS, N2W uses cloud-native technologies (e.g., EBS snapshots) to provide unmatched backup and, more importantly, restore capabilities in AWS.

N2W also supports backup and recovery for Microsoft Azure Virtual Machines, SQL Servers, and Disks (section 26).
N2W also supports using Wasabi Cloud Object Storage for Amazon S3 backups (section 27).

N2W is sold as a service. When you register to use the service, you get permission to launch a virtual Amazon Machine Image (AMI) of an EC2 instance. Once you launch the instance, and after a short configuration process, you can start backing up your data using N2W.

Using N2W, you can create backup policies, schedules, and import non-N2W backups to Amazon Simple Storage Service (S3). Backup policies define what you want to back up (i.e., Backup Targets) as well as other parameters, such as:

Frequency of backups
Number of backup generations to maintain, duration of retention periods, and lock application
Whether to copy the backup data to other AWS regions, etc.

Backup targets can be of several different types, for example:

EC2 instances (including some or all instance’s EBS volumes)
Independent EBS volumes (regardless of whether they are attached and to which instance)
Amazon Relational Database Service (RDS) databases - regular and custom

In addition to backup targets, you also define backup parameters, such as:

In Windows achieving application consistency using Microsoft Volume Shadow Copy Service (VSS)
Running backup scripts
Number of retries in case of a failure

Schedules are used to define how you want to time the backups. You can define the following:

A start and end time for the schedule, including time zone of data
Backup frequency, e.g. every 15 minutes, every 4 hours, every day, etc.
Days of the week to run the policy

A policy can have one or more schedules associated with it. A schedule can be associated with one or more policies. As soon as you have an active policy defined with a schedule, backups will start automatically.

N2W provides monitoring at multiple levels. The Dashboard displays key performance indicators for backups, disaster recoveries, volume usage, backups to S3, and other metrics. Operation-specific monitors allow you to view details. And support for additional monitoring using Datadog and Splunk is available.

Following is a summary of the supported services for AWS and Azure backup targets:

AWS Main Backup Targets

Service/Option

Cross Region DR

Cross Acct DR

Copy to Repository

Copy to S3 Glacier

*Cross-account DR to the original region incurs additional costs.

**Snapshots of EBS/RDS encrypted with default key cannot be copied cross account.

AWS FSx Backup Targets with Exceptions, Services, and Options

*Cross Account - FSx and Vaults must be encrypted with custom encryption key.

Azure Backup Targets

1.1 Purchasing N2W on the AWS Marketplace

N2W is available in several different editions that support different usage tiers of the solution, e.g. number of protected instances, number of AWS, Azure, and Wasabi accounts supported, etc. The price for using the N2W software is a fixed monthly price which varies between the different N2W editions.

To see the different features for each edition, along with pricing and details, go to the . Once you subscribe to one of the N2W editions, you can launch an N2W Server instance and begin protecting your AWS environment. Only one N2W Server per subscription will actually perform a backup. If you run additional instances, they will only perform recovery operations (section ).

1.1.1 Moving between N2W Editions

If you are already subscribed and using one N2W edition and want to move to another that better fits your needs, you need to perform the following steps:

Before proceeding, it is highly recommended that you create a snapshot of your CPM data volume. You can delete that snapshot once your new N2W Server is up and running. The data volume is typically named N2W – Data Volume.

Terminate your existing N2W instance. N2W recommends that you do so while no backup is running.
Unsubscribe from your current N2W edition. It is important since you will continue to be billed for that edition if you don’t cancel your subscription. You will only be able to unsubscribe if you don’t have any running instances of your old edition. You manage your subscriptions on the AWS Marketplace site on the page.
Subscribe to the new N2W Edition and launch an instance. You need to launch the instance in the same Availability Zone (AZ) as the old one. If you want to launch your new N2W Server in a different zone or region, you will need to create a snapshot of the data volume and either create the volume in another zone or copy the snapshot to another region and create the volume there.

Once configuration completes, continue to work with your existing configuration with the new N2W edition.

1.1.2 Downgrading

If you moved to a lower N2W edition, you may find yourself in a situation where you exceed the resources your new edition allows. For example, you used N2W Advanced Edition and you moved to N2W Standard Edition, which allows fewer instances. N2W will detect such a situation as a compliance issue, will cease to perform backups, display a message, and issue an alert detailing the problem.

To fix the problem:

Move back to an N2W edition that fits your current configuration, or
Remove the excessive resources, e.g., remove users, AWS accounts, or instances from policies.

Once the resources are back in line with the current edition, N2W will automatically resume normal operations.

1.2 N2W Architecture

The N2W Server is a Linux-based virtual appliance. It uses AWS APIs to access your AWS account. It allows managing snapshots of EBS volumes, RDS instances and clusters, Redshift clusters, DocumentDB, and DynamoDB tables. Except in cases where the user chooses to install our Thin Backup Agent for Windows Servers or use the AWS Simple System Manager (SSM) Remote Agent, N2W does not directly access your instances. Access is performed by the agent, or by a script that the user provides, which performs application quiescence.

N2W consists of the following parts, all of which reside on the N2W virtual server:

A database that holds your backup related metadata.
A Web/Management server that manages metadata.
A backup server that performs the backup operations. These components reside in the N2W server.

The N2W architecture is shown below. N2W Server is an EC2 instance inside the cloud, but it also connects to the AWS infrastructure to manage the backup of other instances. N2W does not need to communicate or interfere in any way with the operation of other instances. The only case where the N2W server communicates directly with and has software installed on an instance is when backing up Windows Servers for customers who want to use Microsoft VSS for application quiescing.

If you wish to have VSS or script support for application quiescence, you need to install the AWS SSM Agent or the N2W Thin Backup Agent. The agent gets its configuration from the N2W server, using the HTTPS protocol.
The SSM Agent doesn't require any inbound ports to be opened. All communication from the agent is outbound from HTTPS to the SSM and EC2 Message endpoints in the region where your instances are registered.

1.3. N2W Server Instance

The N2W instance is an EBS-based instance with two EBS volumes. One is the root device, and the other is the CPM data volume. All persistent data and configuration information reside on the data volume. From N2W’s perspective, the root device is dispensable. You can always terminate your N2W instance and launch a new one, then using a short configuration process continue working with your existing data volume.

1.3.1 Root Volume

Although you have access to the N2W Server instance via SSH, N2W Software expects the N2W Server instance will be used as a virtual appliance. N2W Software expects you not to change the OS and not to start running additional products or services on the instance. If you do so and it affects N2W, N2W Software will not be able to provide you with support. Our first requirement will be for you to launch a clean N2W server.

Remember that all your changes in the OS will be wiped out as soon as you upgrade to a new release of N2W, which will come in the form of a new image (AMI). If you need to install software to use with backup scripts (e.g., Oracle client) or you need to install a Linux OS security update, you can. N2W Software recommends that you consult before doing so.

1.3.2 Backing up the N2W Server

N2W server runs on an EBS-based instance. This means that you can stop and start it whenever you like. But if you create an image (AMI) of it and launch a new one with the system and data volume, you will find that the new server will not be fully functional. It will load and will allow you to perform recovery, but it will not continue performing backup as this is not the supported way to back up N2W servers. What you need to do, is to back up only the data volume, launch a fresh N2W server, and connect it to a recovered data volume. See section .

1.3.3 N2W Server with HTTP Proxy

N2W needs connectivity to AWS endpoints to be able to use AWS APIs. This requires Internet connectivity. If you need N2W to connect to the Internet via an HTTP Proxy, that is fully supported. During configuration, you will be able to enable proxy use and enter all the required details and credentials: proxy address, port, user, and password. User and password are optional and can be left empty if the proxy server does not require authentication. Once you configure proxy settings at the configuration stage, they will also be set for use in the main application.

The proxy setting can be modified at any time in the Proxy tab of N2W Server Settings > General Settings. Select or clear Enable Proxy. If enabled, enter the requested proxy information.

1.3.4 Multiple N2W Servers

If you are trying to launch multiple N2W servers of the same edition in the same account, you will find that from the second one on, no backup will be performed. Each such server will assume it is a temporary server for recovery purposes and will allow only recovery. Typically, one N2W server should be enough to back up your entire EC2 environment. If you need more resources, you should upgrade to a higher edition of N2W. If you do need to use more than one N2W server in your account, contact .

1.4 N2W Technology

As part of the cloud ecosystem, N2W relies on web technology. The management interface through which you manage backup and recovery operations is web-based. The APIs which N2W uses to communicate with AWS are web-based. All communication with the N2W server is performed using the HTTPS protocol, which means it is all encrypted. This is important since sensitive data will be JavaScript communicated to/from the N2W server, for example, AWS credentials, N2W credentials, object IDs of your AWS objects (instances, volumes, databases, images, snapshot IDs, etc.).

1.5 Browser Support

Most interactions with the N2W server are performed via a web browser.

Since N2W uses modern web technologies, you will need your browser to be enabled for JavaScript.
N2W supports Microsoft Chromium Edge, Mozilla Firefox, and Google Chrome.
Other browsers are not supported.

1.6 Viewing Tutorial and Free Installation

If you want to view a getting-started tutorial, or to try the fully-functional N2W free for 30 days, go to . Follow the instructions in the ‘Getting Started with N2W Backup & Recovery for AWS’ video.

It is not necessary to reinstall N2W after purchasing a license.

1.7 Customized Free Trial

It is now possible to have a free trial of N2W with the usage limitations customized for your specific AWS infrastructure. Contact to start your customized free trial. The N2W Software sales team may provide a reference code for your customized installation.

1.8 Support for AWS Outposts

N2W provides customers the ability to back up and recover on-premise workloads running on AWS Outposts as well as workloads on AWS. N2W can run the core backup application on the AWS cloud and protect workloads running either on regions outside of AWS Outposts or protect applications that need to be backed up on AWS Outposts.

N2W supports the following AWS services running on Outposts:

EC2/EBS/RDS/SES/S3/VPC
The services can be deployed in all AWS regions.

1.8.1 Deployment

N2W is available on AWS Marketplace with different editions ready to support any size environment:

You can launch N2W as an AMI directly from the AWS Marketplace or use a pre-configured CloudFormation (CF) template. Configuration takes a few minutes. Find our install videos here:

For further information regarding the AWS Outposts service, go to

1.8.2 Supported Use Cases

The prerequisite for support is complete installation of N2W Backup & Recovery. Use cases are:

Backup - N2W can either back up applications, such as a media server, that run on AWS Outposts by storing the backup data on Outposts, as well as protect applications running outside of AWS Outposts by storing backup data in the same AWS region.
Disaster Recovery (DR) - In the case of Disaster Recovery, N2W protects resources running on AWS Outposts and copies data to another AWS Region or AWS account.

2 Installing and Upgrading N2W

Be sure to review this entire section before starting an N2W installation (section ‎ or an upgrade (section ‎).

You might want to review the configuration options available in silent mode installation. See section ‎ for AWS, section ‎ for AWS with Secrets Manager, and section for Azure.

The primary differences between an installation and an upgrade are:·

1 Introduction to N2W

Welcome to the N2W Backup & Recovery User Guide. Here you will find all the documentation that you need to make the most of N2W.

N2W also supports backup and recovery for Microsoft Azure Virtual Machines, SQL Servers, and Disks (section 26).
N2W also supports using Wasabi Cloud Object Storage for Amazon S3 backups (section 27).

Frequency of backups
Number of backup generations to maintain, duration of retention periods, and lock application
Whether to copy the backup data to other AWS regions, etc.

Backup targets can be of several different types, for example:

EC2 instances (including some or all instance’s EBS volumes)
Independent EBS volumes (regardless of whether they are attached and to which instance)
Amazon Relational Database Service (RDS) databases - regular and custom

In addition to backup targets, you also define backup parameters, such as:

In Windows achieving application consistency using Microsoft Volume Shadow Copy Service (VSS)
Running backup scripts
Number of retries in case of a failure

Schedules are used to define how you want to time the backups. You can define the following:

A start and end time for the schedule, including time zone of data
Backup frequency, e.g. every 15 minutes, every 4 hours, every day, etc.
Days of the week to run the policy

Following is a summary of the supported services for AWS and Azure backup targets:

AWS Main Backup Targets

Service/Option

Cross Region DR

Cross Acct DR

Copy to Repository

Copy to S3 Glacier

*Cross-account DR to the original region incurs additional costs.

**Snapshots of EBS/RDS encrypted with default key cannot be copied cross account.

AWS FSx Backup Targets with Exceptions, Services, and Options

*Cross Account - FSx and Vaults must be encrypted with custom encryption key.

Azure Backup Targets

1.1 Purchasing N2W on the AWS Marketplace

1.1.1 Moving between N2W Editions

If you are already subscribed and using one N2W edition and want to move to another that better fits your needs, you need to perform the following steps:

Terminate your existing N2W instance. N2W recommends that you do so while no backup is running.
Unsubscribe from your current N2W edition. It is important since you will continue to be billed for that edition if you don’t cancel your subscription. You will only be able to unsubscribe if you don’t have any running instances of your old edition. You manage your subscriptions on the AWS Marketplace site on the page.
Subscribe to the new N2W Edition and launch an instance. You need to launch the instance in the same Availability Zone (AZ) as the old one. If you want to launch your new N2W Server in a different zone or region, you will need to create a snapshot of the data volume and either create the volume in another zone or copy the snapshot to another region and create the volume there.

Once configuration completes, continue to work with your existing configuration with the new N2W edition.

1.1.2 Downgrading

To fix the problem:

Move back to an N2W edition that fits your current configuration, or
Remove the excessive resources, e.g., remove users, AWS accounts, or instances from policies.

Once the resources are back in line with the current edition, N2W will automatically resume normal operations.

1.2 N2W Architecture

N2W consists of the following parts, all of which reside on the N2W virtual server:

A database that holds your backup related metadata.
A Web/Management server that manages metadata.
A backup server that performs the backup operations. These components reside in the N2W server.

If you wish to have VSS or script support for application quiescence, you need to install the AWS SSM Agent or the N2W Thin Backup Agent. The agent gets its configuration from the N2W server, using the HTTPS protocol.
The SSM Agent doesn't require any inbound ports to be opened. All communication from the agent is outbound from HTTPS to the SSM and EC2 Message endpoints in the region where your instances are registered.

1.3. N2W Server Instance

1.3.1 Root Volume

1.3.2 Backing up the N2W Server

1.3.3 N2W Server with HTTP Proxy

1.3.4 Multiple N2W Servers

1.4 N2W Technology

1.5 Browser Support

Most interactions with the N2W server are performed via a web browser.

Since N2W uses modern web technologies, you will need your browser to be enabled for JavaScript.
N2W supports Microsoft Chromium Edge, Mozilla Firefox, and Google Chrome.
Other browsers are not supported.

1.6 Viewing Tutorial and Free Installation

It is not necessary to reinstall N2W after purchasing a license.

1.7 Customized Free Trial

1.8 Support for AWS Outposts

N2W supports the following AWS services running on Outposts:

EC2/EBS/RDS/SES/S3/VPC
The services can be deployed in all AWS regions.

1.8.1 Deployment

N2W is available on AWS Marketplace with different editions ready to support any size environment:

You can launch N2W as an AMI directly from the AWS Marketplace or use a pre-configured CloudFormation (CF) template. Configuration takes a few minutes. Find our install videos here:

For further information regarding the AWS Outposts service, go to

1.8.2 Supported Use Cases

The prerequisite for support is complete installation of N2W Backup & Recovery. Use cases are:

Backup - N2W can either back up applications, such as a media server, that run on AWS Outposts by storing the backup data on Outposts, as well as protect applications running outside of AWS Outposts by storing backup data in the same AWS region.
Disaster Recovery (DR) - In the case of Disaster Recovery, N2W protects resources running on AWS Outposts and copies data to another AWS Region or AWS account.

7 Linux/Unix Instances Backup

When working with Linux/Unix, it is important to understand some of its basic features.

Making an application-consistent backup of Linux instances does not require any agent installation. Since the N2W server is Linux based, backup scripts will run on it. Typically, such a script would use SSH to connect to the backed-up instance and perform application quiescence. However, this can also be accomplished using custom client software.

There is no parallel to VSS in Linux, so the only method available is by running backup scripts.

7.1 Connecting to the N2W Server

To create, test, and install backup scripts, you will need to connect to the N2W server using SSH with cpmuser. The only way to authenticate cpmuser is by using the private key from the key pair you used when you launched the N2W server instance. If your key is not compromised, no unauthorized person will be able to connect to the N2W server.

With cpmuser, you will be able to copy (using secure copy), create, and test your scripts. cpmuser is the same user N2W will use to run the scripts. If you need to edit your scripts on the N2W Server, you can use Vim or nano editors. Nano is simpler to use.

7.2 Backup Scripts

Backup scripts should be placed in the path /cpmdata/scripts. If the policy belongs to an N2W user other than the root user, scripts will be in a subfolder named like the user (e.g., /cpmdata/scripts/cpm_user1). This path resides on the CPM data volume and will remain there even if you terminate the N2W server instance and wish to launch a new one. Backup scripts will remain on the data volume, together with all other configuration data. As cpmuser, you have read, write, and execute permissions in this folder.

All scripts should exit with the code zero 0 when they succeed and one 1 (or another non-zero code) when they fail.
All scripts have a base name (detailed for each script in the coming sections) and may have any addition after the base name. The delimiter between the base part of the name and the file extension is a period (.). For example,before_policy1.v11.5.bashwhere ‘before_policy1

Having more than one script with the same base name can result in unexpected behaviour. N2W does not guarantee which script it will run, and even to run the same script every backup.

There are three scripts for each policy:

Before
After
Complete

7.2.1 Before Script

The before_<policy-name>[.optional_addition].<ext> script runs before backup begins. Typically, this script is used to move applications to backup mode. The before script typically leaves the system in a frozen state for a short time until the snapshots of the policy are fired. One option is to issue a freeze command to a file system like XFS.

7.2.2 After Script

The after_<policy-name>[.optional_addition].<ext> script runs after all the snapshots of the policy fire. It runs within a few seconds after the before script. This script releases anything that may have been frozen or locked by the before script. This script accepts the success status of the before script. If the before script succeeded, the argument will be one 1. If it failed, crashed, or timed out, the argument will be zero 0.

This is the opposite of the exit status. Think of this as an argument that is true when the before script succeeds.

7.2.3 Complete Script

The complete_<policy-name>[.optional_addition].<ext> script runs after all snapshots are completed. Usually, it runs quickly since snapshots are incremental. This script can perform cleanup after the backup is complete and is typically used for transaction log truncation. The script accepts one argument. If the entire backup was successful and all the previous scripts were successful, it will be one 1. If any issues or failures happened, it will be zero 0. If this argument is one 1, truncate logs.

7.2.4 Capturing the Output of Backup Scripts

You can have the output of backup scripts collected and saved in the N2W Server, see section .

7.2.5 Troubleshooting and Debugging Backup Scripts

You can use the output collected by N2W to debug backup scripts. However, the recommended way is to run them independently of N2W, on the N2W Server machine using SSH. You can then view their outputs and fix what is needed. Once the scripts work correctly, you can start using them with N2W. Assuming these scripts are using SSH, during the first execution you will need to approve the SSH key by answering yes at the command line prompt. If you terminate your N2W Server and start a new one, you will need to run the scripts again from the command line and approve the SSH key.

7.2.6 Example Backup Scripts

Following is an example of a set of backup scripts that use SSH to connect to another instance and freeze a MySQL Database:

The before script will flush and freeze the database.
The after script will release it.
The complete script will truncate binary logs older than the backup.

These scripts are presented as examples without warranties. Test and make sure scripts work in your environment as expected before using them in your production environment.

The scripts are written in Bash:

before_MyPolicy.bash

This script connects to another instance using SSH and then runs a MySQL command. Another approach would be to use a MySQL client on the N2W Server, and then the SSH connection will not be necessary.

After that script is executed, the N2W server will start the snapshots, and then call the next script:

after_MyPolicy.bash

This script checks the status in the first argument and then does two things:

First, it saves an exact timestamp of the current backup of the frozen database to a file,
Then, it releases the lock on the MySQL table.

After that, when all snapshots succeed, N2W runs the complete script:

complete_MyPolicy.bash

It calls an inner script, complete_sql_inner:

These two scripts purge the binary logs only if the complete script receives one 1 as the argument. They purge logs earlier than the time in the timestamp files.

7.2.7 Scripts and SSH Access in a Multi-user Environment

If your N2W configuration requires multiple users, which are separated from each other, you may wish to allow users to access N2W using SSH to create and debug backup scripts:

Create additional Linux users in the N2W instance and allowing each user access to their own scripts folder only.
cpmuser will need to be able to access and execute the scripts of all users. This can be achieved by assigning the user cpmuser as the group of all user subfolders and scripts. Then, if given executable permissions for the group, cpmuser will be able to access and execute all scripts.

7.3 Using SSM Agent for Linux Backups

Some differences between the ‘old backup scripts’ and the new SSM scripts:

SSM scripts are per instance and run on the instance, which can give better granularity and don’t require SSH.
The old local scripts are per policy and can be good for a centralized approach or operations that function across instances.
The old local scripts require the use of SSH for connectivity, thereby requiring connectivity between the CPM and the target.

To use SSM for Linux backups:

Install an SSM Agent on the target machine. Some Linux AMI, such as AWS Linux AMI, come with SSM already installed. To install an agent, see
An IAM role with the core SSM policy (AmazonSSMManagedInstanceCore) attached to an instance should be sufficient for using the agent. To attach an IAM instance profile to an EC2 instance, see
Similar to using normal backup scripts, as mentioned in section , create before/after/complete scripts.

Appendix H - Velero Installation Guide

Follow this guide to install Velero on an EKS Cluster.

This guide explains how to install Velero on an EKS cluster using only the AWS plugin (without CSIsnapshots).

Installation approaches: Helm or Terraform.
Authentication options: IRSA or EKS Pod Identity.

Prerequisites

EKS Cluster Requirements
- EKS cluster with either IRSA or Pod Identity enabled
- Kubernetes version v1.16+

Authentication Methods

Option 1: IRSA (IAM Roles for Service Accounts)

Uses OIDC provider and IAM roles
More secure, recommended for production
Requires OIDC provider configuration

Option 2: EKS Pod Identity (pod identity agent)

Simpler setup (no OIDC provider; no SSO/Identity Center involved)
Requires the EKS Pod Identity Agent addon
Trust policy principal: Service: pods.eks.amazonaws.com

Approach 1: Helm Installation

Step 1: Create S3 Bucket

Create an S3 bucket through the AWS Console or CLI:

Step 2: Create IAM Role and Policy

Required IAM Permissions

Velero needs specific AWS permissions to perform backups and restores. When creating the IAM policy in the AWS Console, include these permissions:

S3 Permissions (scope to your Velero bucket only):

s3:ListBucket - on arn:aws:s3:::your-velero-backup-bucket
s3:GetObject - on arn:aws:s3:::your-velero-backup-bucket/*
s3:PutObject - on arn:aws:s3:::your-velero-backup-bucket/*

EC2 Permissions (for EBS snapshot management, resource: *):

ec2:DescribeVolumes
ec2:CreateSnapshot
ec2:DeleteSnapshot
ec2:DescribeSnapshots

Understanding Service Accounts and IRSA

What is IRSA?

IRSA (IAM Roles for Service Accounts) allows Kubernetes pods to securely use AWS services without storing static credentials. It's the recommended approach for EKS workloads.

How it works:

Your EKS cluster has an OIDC provider that acts as an identity issuer
You create an IAM role that trusts this OIDC provider
Velero's Kubernetes ServiceAccount ( velero-server ) gets annotated with the IAM role ARN

Creating the IAM Role (AWS Console)

Step 2.1: Create IAM Policy

Go to AWS Console → IAM → Policies → Create Policy
Click JSON tab and paste a policy with the permissions listed above
Name it VeleroBackupPolicy

Step 2.2: Create IAM Role with OIDC Trust

Go to IAM → Roles → Create Role
Select "Web Identity" as trusted entity type
Choose your EKS cluster's OIDC provider from the dropdown

The OIDC provider URL can be found in EKS Console → Your Cluster → Overview → OpenIDConnect provider URL

Step 3: Install Velero with Helm

Replace <YOUR_BUCKET> , <YOUR_REGION> , and <IAM_ROLE_ARN> with your actual values.

# Add Helm repository

# Install Velero with command-line flags

Step 4: Verify Installation

# Check pods are running

kubectl get pods -n velero

# Verify ServiceAccount annotation

kubectl get serviceaccount velero-server -n velero -o yaml

# Check Velero can authenticate to AWS

kubectl exec -n velero deployment/velero -- aws sts get-caller-identity

# Check backup storage location

kubectl get backupstoragelocation -n velero

Step 5: Install Velero CLI

Download the Velero CLI to manage backups from your machine:

# Linux

# macOS

brew install velero

# Verify

velero version

`Step 6: Test Backup`

#Create a test backup

velero backup create test-backup --include-namespaces default

# Check status

velero backup describe test-backup

# List backups

velero backup get

Approach 2: Terraform Bootstrapping

2.1 Choose authentication (IRSA or EKS Pod Identity)

IRSA (existing/standard)

Ensure an EKS OIDC provider exists.
Create an IAM role with trust for that OIDC provider and system:serviceaccount::<ns>:<sa> .
Annotate the ServiceAccount with the role ARN:

EKS Pod Identity

Install addon: eks-pod-identity-agent .
Create an IAM role with trust principal Service: pods.eks.amazonaws.com .
Create a Pod Identity Association mapping <namespace> /<serviceAccount>

2.2 Minimal Terraform for Velero (AWS plugin by default)

2.3 CSI prerequisites (only if enabling CSI)

Install the snapshot-controller (e.g., Piraeus snapshot-controller chart) and CRDs.
Create an EBS CSI VolumeSnapshotClass ( driver: ebs.csi.aws.com ).
Label the VSC so Velero detects it:

Tip: Run snapshot-controller with replicaCount: 2 .

2.4 Deploy

2.5 Verify

Verification

Check Installation

# Check Velero pods

kubectl get pods -n velero

# Test backup

kubectl exec -n velero deployment/velero -- velero backup create test-backup --include-namespaces default

Required IAM Permissions

S3: List, Get, Put, Delete objects in backup bucket

EC2: Describe volumes, create/delete snapshots, create tags

Troubleshooting

Common Issues

Authentication not working: Check IRSA or Pod Identity configuration
S3 access denied: Verify IAM role permissions
Plugin not found: Check plugin image

Debug Commands

# Check Velero logs

kubectl logs -n velero deployment/velero

# Test AWS credentials

kubectl exec -n velero deployment/velero -- aws sts get-caller-identity

Security Considerations

Least privilege: Only grant necessary permissions
Bucket encryption: Enable S3 bucket encryption
Access logging: Enable S3 access logging

Cost Optimization

Lifecycle policies: Set S3 lifecycle rules
Snapshot retention: Configure deletion policies
Storage classes: Use appropriate S3 storage classes

Comparison: Installation Methods

Aspect

Helm

Terraform

Support

For issues with this setup:

Check Velero documentation:
Review AWS EKS documentation:
Check Velero GitHub issues:

Additional Notes

To enable CSI snapshots, follow Section 2.3 (controller, VSC, label) and set configuration.features = "EnableCSI" in Terraform.
For file-system backups, enable deployNodeAgent = true and uploaderType = "kopia" ; opt-in per PVC with velero.io/fs-backup=true .

15 Resource Control

Learn how to control the state of resources for each account during the course of a week or in the future.

Resource Control allows users to stop and start Instances and RDS Databases for each Account during a week. It also allows users to stop the resources at a designated time in the future.

Supported Resources:

AWS - Resource Control allows users to stop and start instances and RDS databases.

AWS - RDS Aurora Clusters are not supported by Resource Control.

Azure - Resource Control allows users to stop and start Virtual Machines.

Basics:

A Group is the controlling entity for the stopping and starting of selected resources. Resource Control allows for stopping on one day of a week and starting on another day of the same week. Once an Off/On schedule is configured for a Group, N2W will automatically stop and start the selected resource targets.
Resources that are eligible and enabled for hibernation in AWS/Azure will be hibernated regardless of whether their current operation is On or Off if their controlling Resource Control Group is enabled for hibernation. Hibernated instances (AWS) or Virtual Machines (Azure) are restarted by an On operation.
For AWS: See

N2W recommends that you not execute a stop or start operation on critical servers.

Following are Resource Control tabs in the left panel of the N2W user interface:

Resource Control Monitor – Lists the current operational status of Groups under Resource Control. The Log lists the details of the most recent operation for a Group.

Resource Control Groups – Use the Cloud buttons to select AWS or Azure resources. You can add and configure a Group: the account, the days, and off/on times, which Resource Targets are subject to the Group control, and other features. You can also delete a group and activate Turn On Now / Turn Off Now controls.

After configuring a group, you can add resources in the Operation Targets tab. See sections and .

15.1 Adding a Resource Control Group

In the Resource Control Groups tab, select New and choose the required Cloud's Resource Control Group.

Complete the Group Details tab fields:

Name – Only alphanumeric characters and the underscore allowed (no spaces).
Account – Owner of the Group. Users are configured for a maximum number of Resource Control entities. See section .

A Group may belong to only one Account.

Subscription (Azure only) - The subscription from which to choose the controlled resources.
Enabled – Whether the Group is enabled to run.

Off/On operations are not allowed for Groups that are Disabled.

Operation Mode – Two options for controlling operation:
- Turn On/Off – Turn Group on and off according to schedule.
- Turn Off Only – Turn off for an undefined long period of time without having to ever have the Group turned on.

If an enabled Group contains mixed types of resources, only some of which are eligible for hibernation, then the Off operation will ‘hibernate’ only the eligible resources, while the remaining resources will ‘stop’.

Select the link to view current AWS/Azure limitations on hibernating instances (AWS)/Virtual Machines (Azure). During resource creation, hibernation would have been enabled and encryption configured. If the resource is eligible and the Group is enabled, resources that are ‘stopped’ move to ‘hibernation’ state.

Description – Optional description of the Resource Control Group function.

After adding a Group, select Next at the bottom of the screen, or select the Operation Targets tab to configure the Operation Targets. See section for AWS and section for Azure. After configuring the targets, schedule resource Off/On times (section ).

15.2 Adding Resource Targets to a Group in AWS

Instances and RDS Databases may be added to the Group.

A Resource Target (Instance or RDS Database) may belong to only one Group.

Eligible resources within a Group enabled for hibernation that have been stopped have a Status of ‘stopped-hibernation’.
The Status column shows whether a target is ‘running’ or ‘stopped’.

Select the Operation Targets tab. In the Add Backup Targets menu, select a resource type to add to the Group.

It is important to not configure a critical server as part of a Group.

If you selected Instances, the Add Instances screen opens.

The following instance types are omitted from Add Instances and not allowed to be part of a Group:

3. If you selected RDS Databases, the Add RDS Databases screen opens:

If an RDS database is stopped, a regularly scheduled backup will fail.

In the relevant screen:

Check the Status column to determine whether a resource is eligible for adding to the Group.
Select one or more resources, and then select Add Selected. Selected resources are removed from the table.
Continue until you are finished and select Close to return to the Operations Targets screen.

15.3 Adding Resource Targets to a Group in Azure

It is important not to configure a critical server as part of a Group.

A virtual machine may belong to only one Group.
Within a Group enabled for hibernation, eligible resources that have been stopped have a Status of ‘Hibernated (deallocated)’.
The Status column shows whether a target is ‘running’ or ‘stopped’.

To add an Azure resource target:

In the Operation Targets tab, select Virtual Machines in the Add Targets menu. The Add Virtual Machines screen opens.
Select a resource target.

15.4 Configuring Off/On Scheduler

Scheduling overlapping off and on time ranges is invalid. For example:

A resource is turned off at 20:00 on Wednesday and turned on at 23:00 the same day.
Then, an attempt to schedule the same resource to be turned off on Wednesday at 9:00 and turned off at 22:00 on Wednesday will result in an invalid input error.

Select Next to advance to the Schedules tab for the group.
Select New to open a default time range row ready for your changes.
In the time range row, select the Turn Off Day and Time and the Turn On Day and

There must be 60 minutes between each operation for them to work.

15.5 Overriding a Resource Control Schedule

After creating the Group, you can initiate a stop or start action outside of the scheduled times by selecting the Turn On Now or Turn OFF Now in the Resource Control Groups tab.

15.6 Using Scan Tags with Resource Control (AWS Only)

Scan tags for Resource Control can be used to:

Create a new Group based on an existing Group’s configuration.
Add a resource to a Group.
Remove a tagged or untagged resource from a Group.

The tag format isKey: cpm_resource_controlwith one of the following values:

Value:<group-name> or <group-name>:<based-on-group>
- If the value in <group-name> equals ‘g1’, the resource will be added to the g1 group.

15.7 Resource Control Reporting

Resource Control provides individual logs of off and on operations and a summary report of all operations.

The individual log contains timestamps for each step within the operation, from firing to completion, and is downloadable as a CSV file. To view individual logs, in the Resource Control Monitor tab, select a group and then select Log.

To download the individual log, select Download Log.

To generate the summary log:

Select the Reports tab in the left panel.
Select the Immediate Report Generation tab, and then select AWS Resource Control Operations or Azure Resource Control Operations in the Report Type list.
Complete the filter and time range boxes.

The Resource Control Operations Report contains information for all saved operations for all accounts.

In AWS, for each operation, the report contains:

Resource Control Operation ID – A sequential number.
User – User generating the report.
Account – The N2W AWS account owner of the Resource Control Group.

In Azure, for each operation, the report contains:

Resource Control Operation ID – A sequential number.
Account – The N2W Azure account owner of the Resource Control Group.
Azure Subscription ID – The subscription ID of the owner of the resources.

18 N2W User Management

In this section, you will learn about the different types of users and the variety of user-related reporting from N2W.

N2W is built for a multi-user environment. At the configuration stage, you define a user that is the root user. The root user can create additional users, depending on the edition of N2W you are subscribed to. Additional users are helpful if you are a managed service provider, in need of managing multiple customers from one N2W server or if you have different users or departments in your organization, each managing their own AWS resources. For instance, you may have a QA department, a Development Department, and an IT department, each with their own AWS accounts. Select Server Settings > Users.

The Accounts column reflects all account types, including:

Licensed accounts (AWS, Azure)
Non-licensed accounts (Wasabi)

The following are the types of users you can define. Delegate users are typed after users are created.

Independent
Managed
Delegate

18.1 Independent Users

Independent users are separate users. The root user can create such a user, reset its password, and delete it with all its data, but it does not manage this user’s policies and resources. Independent users can:

Log-in to N2W
Create their own accounts
Manage their backup

Independent users can have Managed users assigned to them by the root/admin in the Users management screen. An Independent user can log on, manage the backup environment of their assigned Managed users, and receive alerts and notifications on their behalf.

18.2 Managed Users

Managed Users are users who can log on and manage their backup environment, or the root/admin user or independent user can do it for them. The root user can perform all operations for managed users: add, remove, and edit accounts, manage backup policies, view backups, and perform recovery. Furthermore, the root user, or independent user, can receive alerts and notifications on behalf of managed users. The root/admin user can also configure notifications for any managed user and independent users can configure notifications for their managed users (section ) To create a managed user, select New and choose Managed as the User Type. If the root user does not want managed users to log in at all, they should not receive any credentials.

Managed users may be managed by Independent users. See section .

18.3 User Definitions

When editing a user, the root user can modify email, password, type of user, and resource limitations.

The username cannot be modified once a user is created.

Users who are created in N2W via IdP integration (section ) cannot be edited, only deleted.

To define a user:

If you are the root or admin user, in the toolbar, select Server Settings.
In the left panel, select the Users tab. The Users screen opens.
Select New.

If the resource limitation fields are left empty, there is no limitation on resources, except the system level limitations that are derived from the licensed N2W edition used.

18.4 Delegates

Delegates are a special kind of user, which is managed via a separate screen. Delegates are like IAM users in AWS:

They have credentials used to log on and access another user’s environment.
The access is given with specific permissions. By default, if no permissions are allowed, the delegate will only have permissions to view the settings and environment and to monitor backups.
Allowing all permissions will allow the non-root delegate the permissions of the original user except for notification settings.

Using IAM User credentials is not recommended as they are less secure than using IAM roles.

For each user, whether it is the root user, an independent user, or a managed user, the Manage Delegates command in the Users list screen that opens the Delegates screen for that user. Selecting an existing entry in the Delegates column also opens the Delegates screen for that user.

You can add as many delegates as needed for each user and edit any delegate’s settings.

To add a delegate:

Once a user is defined as a delegate, the name cannot be changed.

Select a user.
Select Manage Delegates and then select New.
In the Delegate Name box, type the name of the new delegate.

Perform Recovery – Can perform recovery operations.
Change Accounts and S3 Repositories – Can add and remove AWS accounts, edit accounts, and modify credentials, as well as add, edit, and remove S3 Repositories.
Change Backup - Can change policies: adding, removing, and editing policies and schedules, as well as adding and removing backup targets.

By default, the delegate will only have permissions to view the settings and environment and to monitor backups.

Allowing all permissions will grant the non-root delegate the permissions of the original user except for notification settings.

When in Edit mode, the root user can reset passwords for delegates.

18.5 Usage Reports

The root user can also use the user management screen to download CSV usage reports for each user, which can be used for accounting and billing. The usage report will state how many accounts this user is managing, and for each account, how many instances and non-instance storage is backed up.

Reporting is now available for daily tracking of resources that were configured as a backup target on each policy. The Reports tab contains two levels of detail for Usage Reports. Users can download the following Usage Reports, both of which are filterable by user and time frame. The report can be created as a Scheduled Report or for Immediate Report Generation. In each case, select Detailed for usage per account or Anonymized for aggregated account usage per user. See sections and .

Data saved to the reports is compliant with the EU’s General Data Protection Regulation (GDPR).

18.6 Audit Reports

N2W will record every operation initiated by users and delegates. This is important when the admin needs to track who performed an operation and when. By default, audit logs are kept for 30 days. The root user can:

Modify the audit log retention value in the Cleanup tab of the General Settings screen. See section .
Download audit reports for specific users or delegates. See section .

Included in the audit reports are:

A timestamp
The event type
A description of the exact operation.

18.7 Email Configuration

N2W uses the following email services to effortlessly distribute reports:

Amazon Simple Email Service (SES) is a cloud-based email sending service required for AWS accounts.
Simple Mail Transport Protocol (SMTP) is an Internet standard communication protocol for non-AWS accounts.

As of version 4.3.1, you can use SMTP as the email service without providing a password. Add a new configuration as follows:

1. Connect via SSH to CPM as cpmuser

2. Edit or create the file /cpmdata/conf/cpmserver.cfg

3. Add the parameters secure and authenticate, and set them to False. Secure=False

Currently, the only regions that are available for the AWS SES service are Asia Pacific (Mumbai), Asia Pacific (Sydney), EU (Frankfurt), EU (Ireland), US East (N. Virginia), US West (Oregon).

To allow N2W to configure the email parameters:

In the toolbar, select Server Settings > General Settings.
Select the Email Configuration tab.
Select Enable Email Configuration.

Sender Email Address – The ‘From’ e-mail address.
Verify Email Address – Select to verify address.
SES Region – Select the region for the SES service.

6. If you selected SMTP, complete the following:

SMTP requires a dedicated proxy server that supports SMTP sockets.

Sender Email Address – The ‘From’ e-mail address.
Password - A non-ASCII password results in an exception on update.
SMTP Server Address

7. When finished, select Save to confirm the parameters.

Amazon will respond with an Email Address Verification Request for the region to the defined address. The Amazon verification e-mail contains directions for completing the verification process, including the amount of time the confirmation link is valid.

Currently, the Scheduled Reports are sent using the defined email identity if the reports are run with Schedules or the Run Now option.

18.8 Multi-factor Authentication

Users and administrators can each manage their own Multi-factor Authentication (MFA) by using one of the following methods to provide an MFA token or secret code to supplement their password access.·

Email
Token generation by an Authenticator App

The Email account or Authenticator app should only be accessible to the user

Failure to enter the correct verification code or to not finish the setup correctly will result in MFA NOT BEING SETUP ON YOUR ACCOUNT.

The time in which the code is valid for entry into the logon screen is short.

To select the MFA method for your account:

On your User menu, select Settings, and then choose Multi Factor Authentication on the left panel.
Select Click here to configure MFA for this user. The method preference window opens.
Choose Email or Token Generator for an Authenticator App, and then select

To use an authenticator app:

Before MFA setup, install Google Authenticator or another alternative TOTP token authenticator on the same device where the app registration secret key will be stored, such as your cellphone.
On your device, open the authenticator app and choose to add a new device by scanning the displayed QR code or by entering the displayed TOTP secret code if the camera or scanner is not available.
Enter the code generated by the authenticator in the Token box.

4. In subsequent usage, scan the QR code or enter the TOTP secret, and then enter the generated code in the Token box.

To use email for sending authentication tokens:

With this method, only people with access to the user’s email can complete the MFA token login phase.

Verify that a working email address is registered for that user.
Verify that the SES or SMTP Email Method was enabled in the General Settings by the administrator. See section ‎.
No additional registration is required.

1. After choosing Email, a notification specifying the user’s registered email for the tokens opens. If the email address is correct, select Next. N2W will attempt to send email to the address shown.

2. If the email was successful, you will be forwarded to the next screen where you will be required to enter the code from the email in the Token box.

3. In subsequent usage, the login process will display the email address to use. Confirm by selecting Next, and then enter the confirmation email code in the Token box.

Once MFA is configured for email, the token login screen provides a ‘resend’ button that allows you to receive a new token 5 more times before the process is blocked.

To disable MFA:

Users: Select Multi Factor Authentication in User Settings, and select Disable MFA.
Administrators: To disable MFA for other users, go to the Users list in Server Settings, select a user, and then select Disable MFA.

Administrators who are accidentally locked out of the system can go to:

9 Additional Backup Topics

Here we cover some backup topics that haven't been addressed earlier.

9.1 N2W in a VPC Environment

The N2W server runs in a VPC, except in old environments utilizing EC2 Classic. For N2W to work correctly, it will need outbound connectivity to the Internet. To use AWS endpoints, see AWS Regions and Endpoints.

You will need to provide such connectivity using one of the following methods:
- Attaching an Elastic IP.
- Using a dynamic public IP, which is not recommended unless there is a dynamic DNS in place.
- Enabling a NAT configuration, or
You will need to access it using HTTPS to manage it and possibly SSH as well, so some inward access will need to be enabled.
If you will run Linux backup scripts on it, it will also need network access to the backed-up instances.
If N2W backup agents will need to connect, they will need access to it (HTTPS) as well.
If backup scripts are enabled for a Linux backed-up instance, it will need to be able to get an inbound connection from the N2W Server.
If a Thin Backup Agent is used in a Windows backed-up instance, the agent will need outbound connectivity to the N2W Server.

9.2 Backup when an Instance is Stopped

N2W continues to back up instances even if they are stopped. This may have important implications:

If the policy has backup scripts and they try to connect to the instance, they will fail, and the backup will have Backup Partially Successful status.
If the policy has no backup scripts and VSS is not configured, or if the policy’s options indicate that Backup Partially Successful is considered successful (section ), the backup can continue running, and automatic retention will delete older backups. Every new backup will be considered a valid backup generation.

N2W recommends that if you are aware of an instance that will be stopped for a while, you disable the policy by selecting its name and changing status to disabled.

Another way to proceed is to make sure the policy is not entirely successful when the instance is stopped by using backup scripts and to keep the default stricter option that treats script failure as a policy failure. This will make sure that the older generations of the policy, before it was stopped, will not be deleted.

If you disable a policy, you need to be aware that this policy will not perform backup until it is enabled again. If you disable it when an instance is stopped, make sure you enable it again when you need the backup to resume

9.3 The Freezer

Backups belonging to a policy eventually get deleted. Every policy has its number of generations, and the retention management process automatically deletes older backups.

To keep a backup indefinitely and make sure it is not deleted, move it to the Freezer. There can be several reasons to freeze a backup:

An important backup of an instance you already recovered from so you will be able to recover the same instance again if needed.
A backup of interest, such as the first backup after a major change in the system or after an important update.
You want to delete a policy and only keep one or two backups for future needs.

To move a backup to the Freezer:

Once a backup is moved to the freezer, you will not be able to move it back.

In the left panel, select the Backup Monitor tab.
Select the backup and then select Move to Freezer.
Type a unique name and an optional description for identification and as keywords for searching and filtering later.

After a backup is in the Freezer:

Frozen backups are identified by the frozen symbolin the Lifecycle Status column of the Backup Monitor tab.
It will only be deleted if you do so explicitly. Use Delete Frozen Item.
If you delete the whole policy, frozen backups from the policy will remain.

While in the Backup Monitor, you can switch between showing backup records 'in the Freezer' by turning on and off the toggle key and backup records 'not in the Freezer' by turning on and off the toggle key in the Show area on the far right of the filters line.

9.4 Running Automatic Cleanup

Automatic Cleanup allows you to manage the frequency of the cleanup process and the:

Number of days to keep backup records, even if the backup is deleted.
Number of days after which to rotate single AMIs.

Keeping backups for long periods of time can cause the N2W database to grow and therefore affect the size you need to allocate for the CPM data volume. N2W Software estimates that every GiB will accommodate the backup of 10 instances. N2W Software estimates that 10 instances are correct when every record is kept for around 30 days. If you want to keep records for 90 days, triple the estimate, i.e., for 10 instances make the estimate 3 GiB, for 20 make the estimate 6 GiB, etc.

To manage the number of generations saved:

In the toolbar, select Server Settings.
In the General Settings tab, select Cleanup.
In the Cleanup Interval list, select the number of hours between cleanup runs. Select Cleanup Now to start a cleanup immediately.

The number of days is counted since the backup was created and not deleted. If you want to make sure every backup record is saved for 90 days after creation, even if it was already deleted, select 90.

The S3 Cleanup runs independently according to the retention period configured for the policy in the backup copy settings. See section . The last S3 Cleanup log however is available in the Cleanup tab.

9.5 Backing up Independent Volumes

Backing up independent volumes in a policy is performed regardless of the volume's attachment state. A volume can be attached to any instance or not attached at all, and the policy will still back it up. Backup scripts can determine which instance is the active node of a cluster and perform application quiescence through it.

9.6 Excluding Volumes from Backup

If you enable the Exclude volumes option in the Tag Scan tab of the General Settings:

The Exclude volumes option overrides the exclusion of volumes performed through the UI.

Following are the ways to exclude volumes from backup:

Enabling the Exclude volumes option in General Settings:
- In the toolbar, select Server Settings > General Settings.
- In the

9.7 Regions Disabled by Default

To perform certain actions on Asia Pacific (Hong Kong) and Middle East (Bahrain) AWS regions, managing Session Token Services (STS) is required, as Session Tokens from the global endpoint () are only valid in AWS Regions that are enabled by default.

For AWS Regions not enabled by default, users must configure their AWS Account settings.

To configure AWS Account settings to enable Session Tokens for all regions:

Go to your AWS console and sign in at
In the navigation pane, select .
In the ‘Security Token Service (STS)’ section, select Change Global endpoint.

Session tokens that are valid in all AWS regions are larger. If you store session tokens, these larger tokens might affect your system.

For more information on how to manage your STS, see

9.8 Synchronizing S3 Buckets

You can automatically synchronize S3 buckets using the N2W S3 Bucket Sync feature. When the policy backup runs, N2W will copy the source bucket to the destination bucket, without creating a backup. The buckets are selected and configured in Backup Targets of the Policies tab.

Bucket versioning is not supported. The latest version is automatically selected.
If the source S3 bucket object is of the storage class Glacier or Deep Archive, it is not possible to synchronize the bucket. It is necessary to retrieve and restore the object before synchronizing the bucket.

There is a time limitation when syncing between 2 S3 buckets. N2W will continue performing the synchronization as long as the Maximum session duration for the AWS Role is not exceeded. In the AWS IAM Console, go to the Roles Summary of the CPM instance and select Edit to configure the parameter.

To synchronize S3 buckets:

In the Policies tab, select a policy and then select the Backup Targets tab.
In the Add Backup Targets menu, select S3 Bucket Sync. The Add S3 Bucket Sync screen opens.
Choose one or more buckets, and select Add selected. Selected buckets are removed from the table.

If you change the Storage Class of an S3 Bucket in the Policies tab, the Storage Class of an existing destination bucket will not automatically update during the next S3Sync run. In the Policies tab, select the S3 Bucket Sync object, and then select Configure.

After the Policy has run, view the backup log to see the S3Sync details.

9.8.1 Cross-Account S3 Bucket Sync

The destination S3 bucket policy must have two entries allowing the source account access to the bucket and the objects in the bucket.

If either entry under Resource is missing, the S3 Sync will fail.

For details, see:

For cross-account S3 Bucket Sync:

If using a custom KMS, allow the same in the destination bucket policy.
Cross-account S3 Bucket Sync is executed with the account of the policy, not the account of the destination S3 bucket, and requires cross-account access permissions to objects that are stored in the destination S3 bucket. For further information, see:

9.9 Backing up SAP HANA Databases

SAP HANA Database is an in-memory relational database that can run on an AWS EC2 instance.

N2W creates and stores both an EC2 instance and SAP HANA database snapshots as part of a policy backup. SAP HANA snapshots are stored to an AWS Storage Repository. Backups are always full to enable fast restores.

Currently, AWS only supports one backup of an SAP Hana database in parallel. For the time being, N2W allows adding an SAP Hana database to only one Policy.

9.9.1 Prerequisites for Creating an SAP HANA Policy

Complete the following prerequisites before creating SAP HANA policies:

AWS Command Line Interface (AWS CLI) Installation

The latest version of the AWS Command Line Interface (AWS CLI) must be installed and functional on the target instance.

To install or update, see l

SSM Agent Installation

SAP HANA policies require the installation of SSM agent on the EC2 instance before it is added to an N2W policy. AWS Backint agent configuration is performed by N2W at the time of policy configuration if the target instance is running. SAP HANA backup commands are sent to EC2 instances.

To install and run an SSM agent, see
To check the status of the SSM Agent, see

The Backint configuration and the backup will fail if the target EC2 instance is stopped.
N2W to SAP HANA EC2 instance communication is completed via an SSM agent. Therefore, assign an SSM IAM role with proper permissions to both N2W and the EC2 instance running SAP HANA. See section ‎.

9.9.2 Supporting Cross-Account Backups

To support cross-account backups, configure the S3 bucket policy with the following permissions:

9.9.3 Creating an SAP HANA Policy

An SAP Hana database may be added to only one policy. See note in section .

Before creating the policy, retrieve the Instance ID and Instance Number from the SYS.M_SYSTEM_OVERVIEW table in the SAP HANA SYSTEMDB database:

You can also check the following path: /hana/shared/<SID>/HDB<instance>/. In this case, the path is /hana/shared/HXE/HDB90/.

To back up an SAP HANA database:

Ensure that the target EC2 instance is running at the time of backup.

1. In the Policy tab, add the EC2 instance to the selected policy.

2. In the Backup Targets tab, select the instance, and then selectConfigure.

3. Select Enable SAP HANA Backup and complete the configuration:

SAP HANA SYSTEMDB User – SAP HANA System DB username.
Password – SAP HANA System DB password.
SAP HANA SID – SAP HANA System ID as shown in the SYS.M_SYSTEM_OVERVIEW table of the SYSTEMDB database.

4. Select Apply, and then select Save.

9.10 Additional Permissions for RDS Custom Backup and Restore

Additional permissions are required for RDS Custom backup and restore operations:

s3:CreateBucket
s3:PutBucketPolicy
s3:PutBucketObjectLockConfiguration

For full details about setting up your RDS Custom database for an SQL Server environment, see

23 Capturing and Cloning in Network Environments

In this section, you will learn how to use a Amazon Virtual Private Cloud (VPC) to launch AWS resources into a logically separate virtual network.

The capturing and cloning of Network Environments (VPCs, Transit Gateways, and Load Balancers (LBs)) is not available with the Free edition of N2W.

23.1 Overview of VPC and N2W

VPC is an AWS service that allows the definition of virtual networks in the AWS cloud. Users can define VPCs with a network range, define subnets under them, security groups, Internet Getaways, VPN connections, and more. One of the resources of the VPC service is also called ‘VPC’, which is the actual virtual, isolated network.

N2W can capture the VPC and Transit Gateway settings as root resources, including their related resources of user environments and clone those settings back to AWS:

In the same region and account, for example, if the original settings were lost.
To another region and/or account, such as in DR scenarios.
With VPC resource properties modified in template uploaded with CloudFormation, if required.

23.2 Overview of LBs and N2W

LBs are located under the EC2 AWS service. Users can define LBs with Listeners and Target Groups. Following are the types of LBs:

Classic
V2 which includes subtypes Application, Network and Gateway.

N2W can capture LBs of all types, including their related resources and clone those settings back to AWS:

In the same region and account, for example, if the original settings were lost.
To another region and/or account, such as in DR scenarios.
With LB resource properties modified in a template uploaded with CloudFormation, if required.

Once enabled from General Settings, N2W will automatically capture network environment settings at pre-defined intervals, such as for cleanup and tag scanning. The root/admin user can enable the feature in the Capture Network Environments tab of the General Settings screen and set the interval of captures. Capture settings are enabled at the account level, by default, same as tag scanning.

Because Network Environment configuration metadata is small, it does not consume a lot of resources during storage of the capture. Metadata is captured incrementally. If nothing changed since the last capture, the metadata will not be captured again. This is the most common case in an ongoing system, where defined networks do not change frequently.

Regions - N2W will only capture Network Environment settings in regions that include backed-up resources. If the customer is not backing up anything in a specific region, N2W will not try to capture the VPC settings there.
Retention - N2W will retain the Network Environment data if there are backups requiring it. If N2W still holds backups from a year ago, the capture version relevant for that time is still retained. Once there are no relevant backups, N2W will delete the old captured data.
CloudFormation - N2W will use the AWS CloudFormation service to clone a Network Environment’s root entities (VPCs, Transit Gateways, and LBs) to an AWS account and region. N2W will create a CloudFormation template with the definitions for the entities and use the template to launch a new stack and create all the settings of the root entities in one operation.

23.3 Features of Capturing and Cloning Network Environments

Limitations:

On Transit Gateways, attachments of type 'Direct Connect Gateways' are not supported.

The objective of Capture and Clone is to provide the ability to protect the root entities of Network Environment types (VPCs, Transit Gateways, and LBs) from disaster, by saving their configurations and allowing for recovery in any region.

Backed up VPC entities include:
- VPC resource configuration
- Subnets - N2W tries to match AZs with similar names and spread subnets in destinations in the same way as in source regions.

The Capture Log in the Capture Network Environments tab of General Settings reports the capture status of entities: captured, not captured, or only partially captured.

Backed up Transit Gateway entities include:
- Transit Gateway resource configuration
- Related VPCs and related resources to VPC - See above.

23.4 Updating Accounts for Capturing Network Environments

By default, Accounts are enabled to Capture Network Environment environment data. Configuration data is a automatically captured for all enabled Accounts according to the interval configured in the General Settings. To not Capture Network Environments for an Account, disable the feature in the Account.

To disable, or enable, an individual account for capturing Network Environments:

Select the Accounts tab, and then select an Account.
Select Edit.
Select Capture Network Environments to enable, or clear to disable.

23.5 Configuring Capture of Network Environment Entities

The root user can:

Enable or disable automatic capture of Network Environment entities for Accounts with the feature enabled.
Schedule automatic capture interval.
Initiate an ad hoc capture by selecting Capture Now for all Accounts with this feature enabled, even if Network Environments is disabled in General Settings.

Select Server Settings > General Settings.
In the Capture Network Environments tab, select Capture Network Environments to enable the feature.
To change the capture frequency from the default, select a new interval from the Capture Interval list. Valid choices are from every hour to every 24 hours.

23.6 Cloning VPCs, Transit Gateways, and LBs

Cloning Network Environment entities include the following features:

Both cross-region and cross-account cloning are supported for VPCs, Transit Gateways, and LBs.
The target clone can have a new name. The name will automatically include ‘Clone of ’ at the beginning.

23.6.1 Cloning VPCs

The following entities are not supported:

Inbound and Outbound Endpoint rules of Security Groups.
Inbound and Outbound rules of Security Groups that refer to a security group on a different VPC.
Route Table rules with NAT Instance as target.

Prerequisites, Conditions, and Limitations

Before cloning, verify that the destination region has sufficient quotas for all resources captured in the source region.
Cloning a VPN connection with an Authentication type other than 'Pre Shared Keys' is not supported. Attempting to clone this VPN connection requires manually replacing it after cloning.
When cloning a VPC Peering Connection, the accepter VPC must exist in the peer destination region. Download and edit the CloudFormation template.

An account with Capture Network Environments enabled must have at least one policy with a backup target to clone Network Environment entities. If no backup target is configured, the Network Environment entities will not be captured even if Enable Network Capture is enabled.

Cloning VPCs includes the following features:

The target clone can have a new name. The name will automatically include ‘Clone of’ at the beginning.
During instance recovery and DR, clones may be optionally created to replicate a particular VPC environment before the actual instance recovery proceeds. The new instance will have the environment of the cloned VPC and will subsequently appear at the top of the target region and account list. A typical scenario might be to capture the VPC, clone the VPC for the first instance, and then apply the cloned VPC to additional instances in the region/account.
Instances recovered into a cloned VPC destination environment will also have new default entities, such as the VPC’s subnet definition and 1 or more security groups attached to the instance, regardless of the original default entities. Security groups can be changed during recovery.

23.6.2 Cloning Transit Gateways

The following item is not supported:

Capturing and Cloning Transit Gateways on the following regions is not supported: Osaka, Jakarta, the Government regions, and China regions.

Instructions and limitations:

You can reuse the existing VPCs related to the Transit Gateway by selecting the relevant check box on the Clone page.
It is not possible to clone a Transit Gateway where the number of unique AZ references in the resources is greater than the number of AZs in the Clone region. Download and edit the CF template.
Transit Gateway peer attachment is not supported if cloned Transit Gateway is an Accepter and not a Requester.

An account with Capture Network Environments enabled must have at least one policy with a backup target for cloning Network Environment entities.

26.6.3 Cloning LBs

Instructions and limitations:

You can reuse the existing VPCs related to the LB by selecting the related check box on the Clone page. When selected, you can choose whether to attach the existing original instances to the cloned LB.
It is not possible to clone an LB where the number of unique AZ references in the resources is greater than the number of AZs in the Clone region. Download and edit the CF template.
If a related VPC is cloned (i.e., the existing VPCs were not reused) and the original includes VPN Connections, you will need to re-establish the connections using the new configuration for the VPN tunnels.

The 'lambda:InvokeFunction' permission will be added to the existing Lambda function during cloning.

On a Classic LB clone, the Policy may not have information such as Instance Ports or LB Ports that can’t be cloned due to CloudFormation limitations. The missing data is indicated in the clone’s Download Log.
On a V2 LB clone, the Listener’s tags are not cloned due to CloudFormation limitations. The missing data is indicated in the clone’s Download Log.

An account that has Capture Network Environments enabled must have at least one policy with a backup target to clone Network Environments entities.

23.6.4 The CloudFormation Template

When cloning Network Environment entities to an AWS account, N2W generates a JSON template for use with CloudFormation (CF).

If the size of the CF template generated is over 50 kB, N2W requires the use of an existing S3 Bucket in the target destination for storing the template. There should be an S3 bucket for each combination of accounts and regions in the destination clone. The template file in a S3 bucket will not be removed after cloning.
In addition to having a bucket in the target region in the presented settings, you must choose that bucket when defining where to Upload the CF template to S3.

To clone captured VPCs, Transit Gateways, or LBs:

Select the Accounts tab and then select an account.
Select Clone Network Entities.
In the Capture Source section Network Entity Type list, select VPC, Transit Gateway, or LB

When cloning VPCs. Transit Gateways, or LBs with resources not supported by N2W, you can download the CloudFormation template for the cloned entity, add or modify resource information, and upload the modified template to the AWS CloudFormation service manually.

To create a clone manually with CloudFormation:

In the Account Clone Network Entities screen, complete the fields as described above.
Select VPC/Transit Gateway/LB CloudFormation Template to download the CloudFormation JSON template.
Modify the template, as required. See the example in section .

23.6.5 Example of CloudFormation Template

14 Tag-based Backup Management

N2W's tag-based backup management allows you to automatically fine-tune functionality.

Cloud and specifically AWS, is an environment based largely on automation. Since all the functionality is available via an API, scripts can be used to deploy and manage applications, servers, and complete environments. There are very popular tools available to help with configuring and deploying these environments, like Chef and Puppet.

N2W allows configuring backup using automation tools by utilizing AWS tags. By tagging a resource, such as EC2 instance, EBS volume, EFS, DynamoDB, or RDS instance, N2W can be notified of what to do with this resource without using the UI.

To tag Aurora clusters, tag one of the cluster’s DB instances, and N2W will pick it up and back up the entire cluster.

Since tagging is a basic functionality of AWS, it can be easily performed via the API and scripts. For more information on using the API or scripts, see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html

N2W supports both cpm backup and cpm_backup tags (section ) and custom tags (section ).

For Azure, the following options are not currently supported:

Custom tag
Exclude disk
Application awareness

For information on using tags with Resource Control, see section .

14.1 The 'cpm backup' and 'cpm_backup' Tags

To automate backup management for a resource, you can add a tag to that resource named cpm backup (or cpm_backup).The tag is lower case with a space or an underscore. N2W will identify this tag and parse its content. In this tag you will be able to specify whether to:

Ignore the resource and remove it from all backup policies.
Add the resource to a policy or list of policies.
Create a new policy, based on an existing one (template), and then add the resource to it.

The policy name on the cpm backup or cpm_backup tag is case sensitive and should be aligned with the policy name create on CPM.

If an AWS resource has 2 AWS tags with the same tag name, differing only by the case of the letters (upper, lower), then N2W will back up just one tag. The tag name will be in the format of the first tag N2W scans, and the tag value may be from the second tag. Check that tag names are in the same case.

Following is a summary table of all cpm backup and cpm_backup tag values:

14.1.1 Adding to a Policy or Policies

To add a resource (e.g., an EC2 instance) to an existing backup policy, all you need to do is to create the tag for this resource and specify the policy name. For example:

policy1: key:cpm backup, value:policy1 or key:cpm_backup, value:policy1 or

policy1: key:cpm_backup, value:policy1 or key:cpm_backup, value:policy1

To add the resource to multiple policies all you need to do is to add a list of policy names, separated by spaces: policy1 policy2 policy3

You can add an RDS target using the tag scan, but the resource will be added without the connection parameters. After the tag scan, you will need to configure the Connection Details in the policy manually. See

14.1.2 Creating a Policy from a Template

To create a new policy and to add the resource to it, add a new policy name with a name of an existing policy which will serve as a template (separated by semicolon): tag value: new_policy1:existing_policy1

You can also add multiple policy name pairs to create additional policies or create a policy (or policies) and to add the resource to an existing policy or policies.

When a new policy is created out of a template, it will take the following properties from it:

Number of generations
Schedules
DR configuration

It will not inherit any backup targets, so you can use a real working policy as a template or an empty one.

For Script definitions:

If backup scripts are defined for the template policy, the new one will keep that definition but will not initially have any actual scripts. You are responsible to create those scripts. Since the N2W server is accessible via SSH you can automate script creation. In any case, since scripts are required, the backups will have a failure status and will send alerts, so you will not forget about the need to create new scripts.

For Windows instances with a backup agent configured:

If that was the configuration of the original policy, the new instance (assuming it is a Windows instance) will also be assigned as the policy agent. However, since it does not have an authentication key, and since the agent needs to be installed and configured on the instance, the backups will have a failure status. Setting the new authentication key and installing the agent needs to be made manually.

Auto Target Removal for the new policy will always be set to yes and alert, regardless of the setting of the template policy. The basic assumption is that a policy created by a tag will automatically remove resources that do not exist anymore, which is the equivalent as if their tag was deleted.

14.1.3 Setting Backup Options for EC2 Instances

When adding an instance to a policy, or creating a new policy from template, you may make a few decisions about the instance:

To create snapshots only for this instance.
To create snapshots with an initial AMI.
To schedule AMI creation only.

If this option is not set, N2W will assume the default:

Snapshots only for Linux.
Snapshots with initial AMI for Windows instances by adding a backup option after the policy name. The backup option can be one of the following values:
- only-snaps

The only-amis option will create AMIs without rebooting them. The option only-amis-reboot will create AMIs with reboot.

For a Windows instance, you can also define backup with app-aware, i.e., a backup agent. It is used the same as the snapshots and AMI options.

When adding the app-aware option, the agent is set to the default: VSS is enabled and backup scripts are disabled.
- app-aware-vss - Enable application consistent with VSS.
- app-aware-script - Enable application consistent without VSS.

You can also combine the backup options: policy1#initial-ami#app-aware

14.1.4 Setting Backup Options for EFS Instances

EFS can be configured by creating the cpm backup (cpm_backup) tag with the following values. In this case, N2W will override the EFS configuration with the tag values:

Example:

N2W will back up EFS to the default vault, and set its expiration date to 1 day.

The max length for the cpm backup(cpm_backup) value is 256 characters.

14.1.5 Tagging a Resource to be Removed from All Policies

By creating the cpm backup(cpm_backup) tag with the value no-backup (lower case), you can tell N2W to ignore the resource and remove this resource from all policies. Also, see section 14.1.

14.1.6 Excluding Volumes from Backup

N2W can exclude a volume from an instance that is backed up on policy using the cpm backup(cpm_backup) tag with #exclude added to the end of the policy name value.

Add a tag to an instance that you want to back up:

Add a tag to volumes that you would like to exclude from being backed up:

For example, if instance1 has 3 volumes and has a cpm backup(cpm_backup) tag with the value policy1, adding the cpm backup(cpm_backup) tag with value policy1#exclude to a volume will remove it from the policy.

The instance with the excluded volume(s) will be added automatically as a backup target to the policy, after running Scan Tag.

Tagged instances are not included in the Exclude volumes option in the Tag Scan tab of General Settings and are excluded from backup only when tagged with #exclude for the policy.

14.2 Custom Tags

Custom Tags allow N2W users to easily backup resources using any tag of their choice.

You can define any number of Custom Tags on a Policy definition.
Custom tags take precedence over cpm backup(cpm_backup) tags if both exist on a server.

Custom Tags are case-sensitive.
If the cpm backup(

To see which resources were added to back up, open the Tag Scan log (Show Log), and look for a Custom Tags match.

To create Custom Tags:

In the Policies tab, select a policy.
Select the More Options tab.
Turn on the Custom Tags toggle.

14.3 Tag Scanning

Tag scanning can only be controlled by the admin/root user. When the scan is running, it will do so for all the users in the system but will only scan AWS accounts that have Scan Resources enabled. This setting is disabled by default. N2W will automatically scan resources in all AWS regions.

In the General Settings tab, select the Tag Scan tab.
Select Scan Resources.
In the Tag Scan interval list, set the interval in hours for automatic scans.

Even if scanning is disabled, selecting Scan Now will initiate a scan.

If you do want automated scans to run, keep scanning enabled and set the interval in hours between scans using the General Settings screen. You will also need to enable Scan Resources for the relevant N2W Accounts. See section .

14.4 Pitfalls and Troubleshooting

The following topics should help guide you when developing tags.

14.4.1 Pitfalls

There are potential issues you should try to avoid when managing your backup via tags:

The first is not to create contradictions between the tags content and manual configuration. If you tag a resource and it is added to a policy, and later you remove it from the policy manually, it may come back at the next tag scan. N2W tries to warn you from such mistakes.
Policy name changes can also affect tag scanning. If you rename a policy, the policy name in the tag can be wrong. When renaming a policy, correct any relevant tag values.
When you open a policy that was created by a tag scan to edit it, you will see a message at the top of the dialog window: “* This policy was automatically added by tag scan”.

Even if all the backup targets are removed, N2W will not delete any policy on its own, since deletion of a policy will also delete all its data. If you have a daily summary configured (section ), policies without backup targets will be listed.

If the same AWS account is added as multiple accounts in N2W, the same tags can be scanned multiple times, and the behaviour can become unpredictable. N2W Software generally discourages this practice. It is better to define an account once, and then allow delegates (section ) access to it. If you added the same AWS account multiple times (even for different users), make sure only one of the accounts in N2W has Scan Resources enabled in N2W.

14.4.2 Troubleshooting

Sometimes you need to understand what happened during a tag scan, especially if the tag scan did not behave as expected, such as a policy was not created. In the General Settings screen, you can view the log of the last tag scan and see what happened during this scan, as well as any other problems, such as a problem parsing the tag value, that were encountered. Also, if the daily summary is enabled, new scan results from the last day will be listed in the summary.

Ensure tag format is correct. Tips for ensuring correct tag formats are:

When listing multiple policy names, make sure they are separated by spaces.
When creating new policy, verify using a colon ‘:’ and not a semi-colon ‘;’. The syntax is new_policy1:existing_policy1.

24 Orchestrating Recovery Scenarios

Design a procedure to execute multiple recoveries within one recovery session.

Recovery Scenarios are available for:

AWS and Azure policies
Aurora Clusters
All Azure targets (Virtual Machines, Disks, and SQL Servers)
DocumentDB
DynamoDB
EFS
FSx (including Lustre, OpenZFS, AWS-Managed and Self-Managed Windows FSx, ONTAP)
Instance
RDS (including recovery from Repository)
RedShift
Volume

24.1 Overview

The Recovery Scenarios feature allows N2W Software users to design an object that will automatically coordinate a sequence of recoveries for several or all backup targets of a single policy during one recovery session.

A Recovery Scenario object is created with the saved configurations of successful backups for the policy.
Depending on the target type, the user can configure how to handle tags during a recovery scenario. The default is to preserve existing tags.
The user will save the recovery configuration for each selected backup target and add it to the Recovery Scenario object.

Following are the options for executing a Recovery Scenario:

Test the success of the Recovery Scenario configuration using the Dry Run command.
Execute an ad hoc run of the Recovery Scenario using the Run Scenario command.
Execute the Recovery Scenario on a schedule. The last successful backup is automatically selected as input. Assign or create a schedule in the Recovery Scenario Details tab.

Backups in the Freezer are not recoverable as part of a Recovery Scenario.

24.2 Conditions

During the Recovery Process:
- All Recovery Scenario targets share the same destination account and destination region, which are set as part of the Recovery Scenario parameters.
- Recovery Scenarios can have pre- and post-scripts which will run, respectively, before recovery execution and after recovery completion.

24.3 Creating a Recovery Scenario

Be sure to execute a successful Dry Run of the Recovery Scenario before assigning a schedule.

The configuration Auto assigned values may be different at run time than the values that are shown as grayed-out. To be sure about a value, switch its Auto-assigned toggle key to Custom, and enter the desired value.

To add the details for a recovery scenario:

Select the Recovery Scenarios tab.
On the New menu, select AWS Recovery Scenario or Azure Recovery Scenario.
In the Recovery Scenario Details tab, complete the fields as follows, and then select Save:

The AWS credentials are per Recovery Scenario and not per target. All targets within the Recovery Scenario will use the selected credentials.

Schedule - Optionally select a schedule from the list, or select New to create a new schedule, for running the Recovery Scenario. N2W highly recommends executing a Dry Run before assigning a schedule.
Recipients - Enter the email addresses of users to receive notification of Scenario Run Scenario / Dry Run status.

If SES is disabled, emails are not sent to recipients.

Enable Agent Scripts – Select if the Recovery Scenario will be run by a custom script. The default is not to run user scripts. See section .
- Select Agent Script Timeout in seconds from the list. When the timeout is reached, N2W will skip the script and continue with the recovery scenario.

Select Save.

To add the recovery targets:

Select the Recovery Targets tab. The available resources for each type from the policy are shown.
Select one or more Recovery Targets from each type to add to the scenario. Reminder: S3 Bucket Sync is not an option since it is not a backup action.

Every Recovery Scenario target has a number identifying the sequential Recovery Order of execution within the Recovery Scenario. The execution of the Recovery Source within the Recovery Scenario is sequenced using the target’s Recovery Order value. The recovery of the target with the lowest value runs first.

3. To change the Recovery Source or Recovery Order for a target, select a value from its list.

4. For each target, it is important to configure the recovery details. Follow the configuration instructions for the target:

For each target, the Auto assigned values may be different than the values shown as grayed-out in the Configuration screen at run time. To ensure a correct value, switch the Auto assigned toggle key to Custom, and assign the correct value.

For Instance targets, see section .
For Aurora Cluster targets, see section .
For Azure Virtual Machine targets, see section .

6. When all details are complete, select Save in the Create Recovery Scenario screen.

24.3.1 Configuring an Instance Recovery Target

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

The Configuration screen opens with additional tabs:

Basic Options
A tab for the resource type, such as Volumes
Advanced Options

For each data item in a configuration tab, assign the appropriate value. Depending on the tab's data item:

Select a different value from a drop-down list when the Auto assigned toggle key is switched to Custom.
Enable or disable a feature.
Enter a new value.

When finished with each tab, select Close.

When selecting a Custom VPC and leaving the VPC Subnet toggle key on Auto assigned, you must ensure that this VPC has a subnet. If you leave the VPC Subnet toggle key on Auto assigned and the selected VPC does not have at least one subnet, the recovery scenario will fail.
If VPC

In the Basic Options tab, you can configure basic recovery actions, such as whether to launch from a snapshot or image, which key pair to use, and network placement.

Since not all instance types are available in all AWS regions, recovery of an instance type to a region where the type is unsupported may fail. Where the instance type is not supported yet in an AWS region, N2W recommends configuring a supported Instance Type in the Basic Options parameters. See section .

In the Volumes tab, you can configure device information, such as capacity, type, and whether to preserve tags and delete on termination. To expand the configuration section for a volume, select the right arrow.

In the Advanced Options tab for an instance, you can customize recovery target features, such as Tenancy, Shutdown Behaviour, API Termination, Auto-assign Public IP, Kernel, and RAM Disk, tags, and whether to Allow Monitoring, enable ENA, EBS Optimized, and User Data.

The Recover Tags default is to preserve the existing tags. To manage the recovery of tags, see section .

To make changes, switch the Auto assigned toggle key to Custom, enter a new value, and then select Close.

For complete details about performing an instance recovery, see section .

24.3.2 Configuring an Aurora Cluster Recovery Target

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

In the Recovery Targets tab, select a cluster, and change the Recovery Source and Recovery Order as needed.
Expand the details for a cluster by selecting the right arrow () next to it. To make changes, switch the Auto assigned toggle key to Custom, and enter a new value.
Select Save.

24.3.3 Configuring an Azure Virtual Machine Recovery Target

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

After adding the Recovery Targets, select a Virtual Machine target, and then select Configure.

When configuring a Virtual Machine target, the Configuration screen opens with tabs for Basic Options and Disks.

In the Basic Options tab, configure basic recovery actions by selecting a Resource Group, Availability Type, and Networking details.
The Preserve Tags default is to preserve the existing tags. To manage the recovery of tags, see section ‎.
Select Close.

2. In the Disks tab, configure disk information, such as Encryption Set.

3. To expand the configuration section for a disk, select the right arrow ().

1. Change Name to the desired name for the recovered disk.

2. The Preserve Tags default is to preserve the existing tags. To manage the recovery of tags, see section ‎.

4. Select Close.

24.3.4 Configuring an Azure SQL Server Recovery Target

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

After adding the Recovery Targets, select an SQL Server target, and then select Configure.

When configuring an SQL Server target, the Configuration screen opens with tabs for Basic Options, Network, SQL Server's Databases, and Worker Options. See section .

24.3.5 Configuring an Azure Disk Recovery Target

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

In the Recovery Targets tab, select a disk, and change the Recovery Source and Recovery Order as needed.
Expand the details for a disk by selecting the right arrow () next to it. Change Name to the desired name for the recovered disk. Update other fields as needed.
Select Save.

24.3.6 Configuring a DocumentDB Recovery Scenario

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

In the DocumentDB section, select a cluster, and change the Recovery Source and Recovery Order as needed.
Expand the details for a cluster by selecting the right arrow () next to it. You can change Cluster ID, Instance Class, VPC, Security Groups, and Subnet Group.
Select

24.3.7 Configuring a DynamoDB Recovery Scenario

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

In the DynamoDB Tables section, select a table and change the Recovery Source and Recovery Order as needed.
Expand the details for a table by selecting the right arrow () next to it. Change Name to the desired name for the recovered table. Update IAM Role as needed.
Select Save.

24.3.8 Configuring an EFS Recovery Scenario

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

In the Elastic File Systems section, select an EFS, and change the Recovery Source and Recovery Order as needed.
Expand the details for an EFS by selecting the right arrow () next to it. You can change Encryption Key and tags. The Recover Tags default is to preserve the existing tags. To manage the recovery of tags, see section ‎.
Select Save.

24.3.9 Configuring an FSx Recovery Scenario

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

Recovery Scenario is possible for the following types of FSx:

Lustre (section )
NetApp ONTAP (section )
OpenZFS (section )

Each FSx type has different configuration settings.

24.3.9.1 Lustre and OpenZFs FSx Recovery Scenario

In the FSx File Systems section, select an FSx, and change the Recovery Source and Recovery Order as needed.
Expand the details for an FSx by selecting the right arrow ( ) next to it. You can make changes as needed. The Recover Tags default is to preserve the existing tags. To manage the recovery of tags, see section ‎‎.
If there are Windows managed Active Directories, update as described below.

Customizing a target VPC allows for customizing and Subnets, as shown below.

24.3.9.2 Windows FSx Recovery Scenario

N2W supports the following types of Windows FSx file systems:

Windows with Self-Managed Active Directory
Windows with AWS-Managed Active Directory

AWS-Managed Active Directory

When selecting a Windows FSx with AWS-Managed Active Directory, you can select the Active Directory from the target’s AWS account and manage recovery tags.

The Recover Tags default is to preserve the existing values. To manage the recovery of tags, see section .

Self-Managed Active Directory

For Self-Managed Active Directory Windows FSx, user can manage recovery tags and add the self-managed Active Directory settings to the Recovery Scenario:

Domain Name
Admin Group
Service account username and password

24.3.9.3 ONTAP FSx Recovery Scenario

The ONTAP FSx Recovery Scenario has a configuration window. To open the configuration window, select an ONTAP FSx, and select the Configure button:

After selecting Configure, the Configure FSx File System box opens with 3 tabs.

The Common FSx Options tab includes Target VPC, Security Groups, Subnet ID, and Recover Tags options. The Recover Tags default is to preserve the existing tags. To manage the recovery of tags, see section .

The ONTAP Specific Options tab includes Original FSx Name and an option for a file system administrative password.

The SVMs and Volumes tab currently allows only Support Vector Machines (SVMs). All volumes will be selected with default settings.

To change the name of the SVM, switch the toggle key to Custom, and enter a new Recovered SVM Name. Select Specify SVM password to enter a password.

24.3.10 Configuring an RDS Recovery Scenario

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

In the Recovery Targets tab, select an RDS cluster, and change the Recovery Source and Recovery Order as needed.
Select the right arrow () to show the details for a resource.
Make changes as necessary, and then select Save.

24.3.11 Configuring an RDS Recovery from a Repository

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

After configuring the RDS Recovery Scenario in the Recovery Scenario Details tab, select the Recovery Targets tab.
In the Recovery Source drop-down list, choose the repository to recover from.
Select Configure.

4. In the Basic Options tab, set additional parameters related to the recovery of RDS from the repository. Use the RDS Admin credentials for Username and Password.

5. In the Worker Configuration tab, set the parameters for the worker that will be launched for the recovery.

24.3.12 Configuring a RedShift Recovery Scenario

See section for instructions on how to create a Recovery Scenario and Add Recovery Targets.

In the Redshift Clusters section, select a cluster, and change the Recovery Source and Recovery Order as needed.
Select the right arrow () to show the details for resource, and make changes as necessary.
Select Save.

The RedShift Recovery Scenario has basic options to configure: Cluster ID, Zone, Port, and Subnet Group.

24.3.13 Configuring a Volumes Recovery Scenario

See section ‎ for instructions on how to create a Recovery Scenario and Add Recovery Targets.

The Volumes Recovery Scenario screen has only the Basic Options tab.

The Recover Tags default is to preserve the existing tags. To manage the recovery of tags, see section .

24.3.14 Managing Tag Recovery

You have the option to change tags and tag values. In the Recover Tags section, switch the Auto assigned toggle key to Custom, and select a tag option:

No Tags – Do not recover tags.
Preserve (and Add/Override) – You can preserve (default), add to, or override the tags on the version of the resource selected for the recovery.
Fixed Tags – Initial display is current list of tags on resource. Set the tags to be used during recovery even if the user has subsequently changed the tags on the resource.

24.4 Testing a Recovery Scenario

The Dry Run option allows you to determine whether the input parameters, such as key pair, security groups, and VPC, are correct for the recovery.

To test a Recovery Scenario:

In the Recovery Scenarios tab, select a Recovery Scenario and then select Dry Run.
In the list of successful backups, select one backup to perform the test with, and then select Dry Run.
Open the Recovery Scenario Monitor.

24.5 Managing Recovery Scenarios and Targets

To manage a Recovery Scenario object:

In the Recovery Scenarios tab, select a scenario.
Select Edit, Delete, Run Scenario, or Dry Run, as needed.

To manage targets in the scenario:

In the Recovery Scenarios tab, select a scenario, and then select Edit.
To delete a target, select the Recovery Targets tab, select a target, and then select Remove from List.

24.6 Running and Monitoring a Recovery Scenario

A Recovery Scenario can also be run on a schedule using the last successful backup. To assign or create a schedule, see section .

In the Recovery Scenarios tab, select a Recovery Scenario and then select Run Scenario. A list of backups, successful and unsuccessful, opens.

2. Select one successful backup to recover from and then select Recover. The started message opens in the top right corner:

3. To open the Recovery Scenario Monitor, select the link, or select the Recovery Scenario Monitor tab.

A Status of ‘Recovery succeeded’ with a test tube symbol next to it indicates that the recovery was a Dry Run.

4. To view details of the recovery in the Run Log, select a Recovery Scenario and then select Log.

5. To delete a run record, select a scenario, and then select Delete Record.

Deleting a run record will trigger the deletion of all its target recovery records.

6. To view a live recovery, in the Recovery Scenario Monitor, select a scenario, and then select Recoveries. The Recovery Monitor opens.

24.7 Recovery Scenario User Scripts

When Enable Agent Scripts is set in the Recovery Scenario Details tab, N2W will run two scripts, one before and one after the recovery run:

before_<recovery-scenario-name>
after_<recovery-scenario-name>

A file extension is optional and, if added, may be for any interpreter.

This is somewhat like the Linux Backup Scripts feature described in the Before Script and After Script topics, sections and .

These scripts must be located on the N2W server in the following folders:

For root user: /cpmdata/scripts/scenario
For non-root user: /cpmdata/scripts/scenario/user_names

24.7.1 Before Script

The before script passes the following parameters, in the following order:

24.7.2 After Script

The after script passes the same parameters as the before with the addition of parameters for the scenario’s recovery targets:

Following is an example of an after_ script for a Recovery Scenario that was defined with 2 targets: an EC2-instance and an EC2-volume. The after_ script passes 6 parameters, 2 of which are for the targets. In the following example, the instance recovery target was not recovered:

4 Defining Backup Policies

In this section, you will learn how to build the foundations for your backup and recovery management program.

The backbone of the N2W solution is the backup policy. A backup policy defines everything about a logical group of backed-up objects. A policy defines:

What will be backed up - Backup Targets.
How many generations of backup data to keep.
When to back up – Schedules.
Whether to use backup scripts.
Whether VSS is activated (Windows Servers 2016, 2019, 2022, and 2025 only).
Whether backup is performed via a backup agent (Windows only).
The retry policy in case of failure.
DR settings for the policy.
Lifecycle events: Number of backup generations, retention duration, lock application, Copy to Storage Repository (AWS S3, Azure Storage Repository, Wasabi Storage Repository), Transition to Cold Storage (Glacier)

The following sections explain the stages for defining an N2W policy and its schedule. Schedule definition is addressed first as it one of the attributes of a policy and Scheduled Reports.

For Azure account and policy definition, backup and recovery, see section .

4.1 Schedules

Schedules are the objects defining when to perform a backup

Schedules are defined separately from policies and Scheduled Reports.
One or more schedules can be assigned to both policies and Scheduled Reports.

Schedules can be managed in the Schedules tab found in the left panel. They can be added also during the creation of a new Policy.

Or, added when creating a new scheduled report in the Scheduled Reports tab of the Reports tab in the left panel.

Both interfaces include all defined schedules and the same definition options.

You can define schedules to:

Run for the first time at a date and time in the future.
Run forever or have a specific date and time to stop.
Repeat every ‘n’ minutes, hours, days, weeks, months.

For the root/admin user, if you have created additional managed users, you can select the user to whom the schedule belongs.

For weekly or monthly backups and report generation, the start time will determine the day of the week of the schedule and not the days of week check boxes.

4.1.1 Defining Schedules

The same schedule can be used in the following:

Policy backup operations.
Recovery Scenarios for policies with schedules.
Generating Scheduled Reports.

You can add a schedule from several places:

In the Schedules tab, select New.
While creating or editing a policy in the Policies tab, in the Policy Details tab, select New above the Schedules list.

All start times are derived from the First Run time. The time set in First Run becomes the regular start time for the defined schedule.

To define a schedule:

Type a name for the schedule and an optional description.
In the First Run box, if the First Run is other than immediately, select Calendar to choose the date and time to first run this schedule.
1. If you want a daily backup to run at 10:00 AM, set Repeats Every

4.1.2 Overriding Schedules

You can override existing schedules and run backups and Scheduled Reports immediately:

Ad hoc backups are initiated by the Run ASAP command in the Policies tab. See section .
Ad hoc generation of Scheduled Reports is initiated by the Run Now command in the Reports tab. See section .

4.1.3 Scheduling and Time Zones

When you configure an N2W server, its time zone is set. See section . In the N2W management application, all time values are in the time zone of the N2W server. Schedule times, however, may be set and executed according to a specific time zone. A policy’s Backup Times will be according to the time zone.

Even when you are backing up instances that are in different time zones, the backup time that is shown on the monitor and Backup Log is always according to the N2W server’s local time.

In the N2W database, times are saved in UTC time zone (Greenwich). So, if, at a later stage, you start a new N2W server instance, configure it to a different time zone, and use the same CPM data volume as before, it will still perform backup at the same times as before.

4.1.4 Disabled Times

While or after defining a schedule, you can set specific times when the schedule should not start a backup or generate a Scheduled Report. For example, you want a backup or report to run every hour, but not on Tuesdays between 01:00 PM and 3:00 PM. You can define that on Tuesdays, between these hours, the schedule is disabled.

You can define a disabled time where the finish time is earlier than the start time. The meaning of disabling the schedule on Monday between 17:00 and 8:00 is that it will be disabled every Monday at 17:00 until the next day at 8:00. The meaning of disabling the schedule for All days between 18:00 and 6:00 will be that every day the schedule will be disabled after 18:00 until 6:00.

Be careful not to create contradictions within a schedule’s definition:

It is possible to define a schedule that will never start backups or generate a report.

4.1.4.1 Defining Disabled Times

For each schedule, you can define as many excluded time ranges as you need.

To define disabled times:

In the New Schedule screen, turn on the Exclude Time Ranges toggle.
In the Day list, select a day of the week to exclude from the schedule.
In the Start Time and End Time lists, select the start and end time of the exclusion.

4.2 AWS Policies

Policies are the main objects defining backups. A policy defines:

What to back up
How to back it up
When to perform the backup by assigning schedules to the policy

Policy definitions are spread among the following tabs:

Policy Details – Basic policy details: name, user, account, enabled, schedules, auto-target removal, and description.
Backup Targets – Choose and configure backup targets. Application consistency is applied at the instance level.
More Options – Backup options, such as activate Linux backup scripts, define successful backup, retry parameters, and number of failures to trigger an alert

A policy named cpmdata must exist for backing up Windows instances and the N2W server, DR, and Copy to S3. For the cpmdata policy, the relevant tabs are Policy Details and DR.

4.2.1 Creating an AWS Policy

The cpmdata policy does not use scripts as the default. Users can enable application-consistent scripts for cpm data by selecting Application Consistent for the cpmdata policy in the Policy Details tab.

To define a new policy:

To avoid a Policy creation error, if the Account does not exist yet, select New to create the account and then return to the Policy creation.

In the left panel, select Policies.
In the New menu, select AWS. The Policy Details tab opens.
In the Name box, type a name for the policy.

4.2.2 Adding AWS Backup Targets

N2W recommends that you NOT place all your backup targets under a single policy, as a failure in one instance can impact the overall success of the policy. Instead, we advise that you divide a large policy into several smaller ones.

Backup targets define what a policy is going to back up. You define backup targets by selecting the Backup Targets tab of the Create Policy screen.

Following are the types of backup targets:

Instances – This is the most common type. You can choose as many instances as you wish for a policy up to your license limit. For each instance, allowed under your license, define:
- Whether to back up all its attached volumes, some, or none.
- Whether to take snapshots (default for Linux), take snapshots with one initial AMI (default for Windows), or just create AMIs.

AWS automatically copies all tags set on resources to the RDS snapshots and does not allow recovering these resources without the tags.

RDS Custom Databases - With Amazon RDS Custom, you can customize the database, OS, and infrastructure.
- When creating an RDS Custom instance, AWS also creates automatically an EC2 instance with the data volume associated with this RDS instance.
- When creating an RDS Custom snapshot, AWS creates automatically an EBS volume snapshot from this data volume.

See section for information on the additional permissions that are required for backup and restore of RDS Custom databases.
AWS automatically copies all tags set on resources to the RDS snapshots and does not allow recovering these resources without the tags.

Aurora Clusters – Even though Aurora is part of the RDS service, Aurora is defined in clusters rather than in instances. Use this type of backup target for your Aurora clusters and Aurora Serverless.
- Aurora cluster storage is calculated in increments of 10 GiB with the respect to the license. For example, if you have over 10 GiB of data but less than 20 GiB, your data is computed as 20 GiB.
- Keep in mind that clusters can grow dynamically and may reach the storage limits of your license. If the total storage is approaching your license limit, N2W will issue a warning.

AWS automatically copies all tags set on resources to the Aurora snapshots and does not allow recovering these resources without the tags.

Redshift Clusters – You can use N2W to back up Redshift clusters. Similar to RDS, there is an automatic backup function available, but using snapshots can give an extra layer of protection.

License capacity metrics for Redshift are only updated if the cluster is in an 'available' state. Use Amazon CloudWatch metrics.

DynamoDB Tables – You can use N2W to back up DynamoDB tables. The recommended best practice is a backup limit of 10 DynamoDB tables per policy.
- When defining your backup targets, keep in mind that DynamoDB table storage is calculated in increments of 10 GiB with the respect to the license. For example, if you have over 10 GiB of data but less than 20 GiB, your data is computed as 20 GiB.
- Tables can grow dynamically and may reach the storage limits of your license. If the total storage is approaching your license limit, N2W will issue a warning.

In the Add Backup Targets drop-down menu, select the relevant resource type. A window containing a list of the available resources for the selected type and region opens. To view additional columns and rows, move the scroll bars as needed.

When adding backup targets of the resource type to the policy:

You will see all the backup targets of the requested type that reside in the current region, except the ones already in the policy.
You can select targets in another region by choosing from the region drop-down list.
If there are many targets, you can:

To add a backup target to the policy:

Select a region in the drop-down list. The resources in the selected region are shown.
To filter the resources in the region, enter all or part of a resource name in the Search resources box and select Search.
Select the check box of the desired target resources.

4.2.3 Instance Configuration

With N2W you can now create multi-volume snapshots, which are point-in-time snapshots for all EBS volumes attached to a single EC2 instance. After it's created, a multi-volume snapshot behaves like any other snapshot. You can perform all operations, such as restore, delete, and copy across Regions and Accounts. After creating your snapshots, they appear in your EC2 console created at the exact point-in-time.

In the case of EC2 instances, you can set options for any instance.

By default, Copy to S3 is performed incrementally. To ensure the correctness of your data, you can force a copy of the full data for a single iteration to your AWS Storage Repository. While defining the Backup Targets for a policy with Copy to S3, select Force a single full copy to S3.

To configure an instance:

Select a policy, select the Backup Targets tab, and then select an instance.
Select Configure. The Policy Instance and Volume Configuration screen opens.
In the Which Volumes list, choose whether to back up All Volumes attached to this instance, or include or exclude some of them. By default, N2W will back up all the attached storage of the instance, including volumes that are added over time.

4.2.3.1. AMI Creation

If you choose to just create AMIs:

N2W will create AMIs for that instance instead of taking direct snapshots. App-aware backup per agent does not apply for AMI creation.
You can choose whether to reboot the instance during AMI creation or not to reboot, which leaves a risk of data corruption. As opposed to AMI creation in the EC2 console, the default in N2W is no reboot.

Try not to schedule AMI creations of an instance in one policy, while another policy running at the same time backs up the same instance using snapshots. This will cause the AMI creation to fail. N2W will overcome this issue by scheduling a retry, which will usually succeed. However, N2W recommends that you avoid such scheduling conflicts.

4.2.3.2. Initial/Single AMI

Single or Initial AMIs are meant to be used mainly for Windows instance recovery.

N2W will keep a single AMI for each instance with this setting. A single AMI will contain only the root device (boot disk).
N2W will rotate single AMIs from time to time. It will create a new AMI and delete the old one. N2W aims to optimize costs by not leaving very old snapshots in your AWS account.
By default, N2W will rotate single AMIs every 90 days. That value can be configured in the Server Settings > General Settings >

4.2.3.3. Limitations with AMI creation

AMIs will be copied across regions and accounts for DR.

If you use cross-account backup, be aware that if you need to recover the instance at the remote account, you need to make sure you have an AMI ready in that account.

4.2.4 More Options

To see more policy options, select the More Options tab for a policy in the Policies tab. The options consist of:

Activating Linux backup scripts and defining script timeout and output. Backup scripts refer to those running on the N2W server. See section .
Defining backup success, retries, and failures for alerting.

Activate Linux Backup Scripts – This option is turned off by default. If you select Activate Linux Backup Scripts, the following options appear:
- Scripts Timeout – Timeout (in seconds) to let each script run. When a backup script runs, after the timeout period, it will be killed, and a failure will be assumed. The default is 30 seconds.

The output of a script is typically a few lines. However, if it gets big (MBs), it can affect the performance of N2W. If it gets even larger, it can cause crashes in N2W processes. To avoid the risk of too much data going to stderr, redirect the output elsewhere.

Backup Successful when - This indicates whether a backup needs its scripts/VSS to complete, to be considered a valid backup. This has a double effect:
- For retries, a successful backup will not result in a retry;
- For the automatic retention management process, a backup that is considered successful is counted as a valid generation of data.

Retry information - The next options deal with what to do when a backup fails:

Backup Retry Policy – Select one of the retry policy options:
- Full –
  - Perform retry on all policy targets even if only some of them have failed (as in previous version).

N2W versions 4.4.0 doesn’t support partial retry for S3 Sync targets.

Number of Retries – The maximal number of retries that can be run for each failed backup. The default is three. After the retries, the backup will run again at the next scheduled time.
Wait Between Retries (minutes) – Determines how much time N2W will wait after a failure before retrying. Backup scripts and VSS may sometimes fail or timeout because the system is busy. In this case, it makes sense to substantially extend the waiting time until the next retry when the system may be more responsive.
Alert Trigger Failures – The minimum number of failures to trigger an alert.

4.2.5 Enabling Disaster Recovery

If the DR To Account does not exist yet, select New to create the account and then return to the policy creation.

To enable Disaster Recovery for the policy:

Select the DR tab for a policy in the Policies tab screen.
Select Enable DR.
Select the DR Frequency for backups, DR Backup Timeout, and Target Regions.

4.2.6 Managing Lifecycles

EBS Immutable Backup

While EBS supports different types of immutability, N2W is focusing on compliance locking which is impervious to ransomware.
Besides setting the mandatory generations retention, it is required that you set a time retention period before you can select Apply compliance lock for the specified duration.

The Lifecycle Management tab for a policy allows you to do the following:

For native snapshots:

Set multiple retention periods for snapshots: Backup (Original snapshots) Retention.
For DR snapshots, you can set a different number of generations and multiple retention periods.
Optionally, for both original and backup snapshots, you can set the retention time in terms of duration in addition to the required number of generations

After applying a compliance lock on a snapshot, it can’t be deleted until the lock expires.

The number of successful backups after cleanup will be at least the number of generations.

For Storage Repository:

Use Storage Repository – Enable, set copy and retention policies, choose storage options, and optionally delete backup snapshots after a backup to S3. See section .
Transition to Cold Storage - Enable, set copy and retention policies, and choose the Glacier Archive Storage Class. See section .

Transition to Cold Storage requires that the Use Storage Repository option is enabled first.

Storage settings - Enable the Use Storage Repository, define the Target repository, and Transition to Cold Storage, if relevant. See section .

4.2.7 FSx for NetApp ONTAP

FSx for NetApp ONTAP can be configured to back up only part of volumes, for example an EC2 instance, regardless of the owner Storage Virtual Machine (SVM).

The root volume of the SVM is not backed up.

To configure a file system:

Select a policy and then select the Backup Targets tab.
In the Add Backup Targets menu, select FSx File Systems.
Select an ONTAP policy.

4. SelectConfigure. The ONTAP FSx and Volume Configuration screen opens.

5. In the Which Volumes list, choose whether to back up All Volumes attached to this instance, or include or exclude individual volumes.

6. Select Apply and then Save.

A remote agent is not required.

4.2.8 AWS Backup Limitations to FSx

FSx is not currently supported in AWS GovCloud (US) regions.

Following are limitations on backups of FSx for Lustre:

Backups are not supported on scratch file systems because these file systems are designed for temporary storage and shorter-term processing of data.
Backups are not supported on file systems linked to an Amazon S3 bucket because the S3 bucket serves as the primary data repository, and the Lustre file system does not necessarily contain the full data set at any given time. For further information, see

4.2.9 Using Multiple Retentions for Specific Backups

Multiple-Retention allows you to automatically retain specific backups for longer periods based on when the backup occurs. This backup rotation allows you to easily comply with retention requirements.

A key feature is that three backup types have completely independent retention settings:

Native Cloud Snapshots - The original backups in AWS/Azure
DR (Disaster Recovery) Copies - Cross-region snapshot copies
Repository Copies - Backups stored in S3/Azure Blob storage

This means you can configure:

Snapshots: 7 days daily, 4 weeks weekly, 12 months monthly
DR Copies: 14 days daily, 8 weeks weekly, 24 months monthly
Repository: 30 days daily, 12 weeks weekly, 36 months monthly

Selection Logic

Weekly Selection: The first successful backup on or after your selected day of the week becomes the weekly backup for that week
Monthly Selection: The weekly backup from your selected week of the month becomes the monthly backup
One backup per period: Only ONE backup per week is marked weekly, and only ONE per month is marked monthly

Backup type

Description

Typical Use

In the Lifecycle Management tab, enable Multi-Retentions.
For all backup types, in the Select your Weekly/Monthly backups section, choose from the Day of the Week and Week of Month lists to trigger backup selection.

Day of Week - Which day triggers weekly selection (e.g., Sunday)
Week of Month - Which week triggers monthly selection (e.g., First week, or Last week)

3. For each of the backup types, there is a different additional section that addresses each backup type. Configure Retention Periods for each backup type and choose relevant options.

Weekly Schedule Enabled - Turn on weekly retention
Keep Weekly Backups For - Duration (e.g., 12 weeks)
Monthly Schedule Enabled - Turn on monthly retention

Configure native retention:

Set compliance lock:

Select Apply compliance lock.

Configure Multi-Retention for DR:

Select Choose different retention for DR snapshots.

Configure Storage Repository:

Enable Use Storage Repository.

4.3 Managing Policies

The following actions are available for both AWS and Azure policies.

4.3.1 Viewing Policy Backup Times

In the Policies tab, select a policy, and then select Backup Times to open the Planned Backups window, which is ordered by Time Zone. You can change the Time Period from the default ‘Next Day’ to several days, weeks, or the next month.

Backup Times are relevant to the schedules of the selected policy.

4.3.2 Running an Ad Hoc Backup

An ad hoc backup will execute the selected Policy and create backups of all its targets.

An ad hoc backup counts as another generation if it completes successfully.

To run a backup immediately:

In the left panel, select the Policies tab and then select a policy in the list.
To start the backup, select Run ASAP.
To follow the progress of the backup, select the Open Backup Monitor link in the ‘Backup started’ message at the top right corner, or select the Backup Monitor tab.

To delete a particular snapshot in AWS or to delete all AWS snapshots after a successful run:

Select View Snapshots.
Select one or more backups, and then select Delete.

4.3.3 Deleting a Policy

When deleting a policy, all related snapshots and data are deleted.

To delete a policy, select it in the Policies table, and then select Delete. In the Delete Policy confirmation dialog box, type ‘delete all’ and then select Delete.

10 Performing Recovery

Now that you have created some backups, it is time to perform a recovery.

N2W offers several options for data recovery. Since all N2W backup is based on AWS’s snapshot technology, N2W can offer rapid recovery of instances, volumes, and databases. Since a backup is not created for S3 Bucket Sync targets, recovery is neither needed nor possible.

For the cross-region and account recovery of regular resources, such as Instances and RDS, N2W uses the FSx service so there is no need for specific IAM rolls, as with EFS.

N2W Software strongly recommends that you perform recovery drills occasionally to make sure your recovery scenarios work. It is not recommended that you try it for the first time when your servers are down. Each policy on the policy screen shows the last time recovery was performed on it. Use the last recovery time data to track recovery drills.

10.1 Searching for Backups to Recover From

N2W provides an enhanced search box to quickly find backup snapshots to recover from.

In the Backup Monitor, you can search for snapshots based on the Backup Target type or policy, including frozen images.

To search for all backup snapshots:

Select Backup Monitor.
Select the relevant Cloud button (AWS, Azure, Wasabi)
In the Search backups box, enter a string to search by. The string can be part of the resource ID or part of the resource tag value.

When you select Recover for a certain backup, you are directed to the Backup Monitor Recover screen. You can Search by Resource using the resource ID or name.

For backups with multiple resource types as targets, the Recover screen will have a separate tab for each type. Select a backup. The Recover screen opens.

To restore from an AWS Storage Repository, select the repository in the Restore From list. For other considerations when recovering from an S3 Repository, see section .

Depending on the specifics of the backup, the Recover screen includes:

A search box for locating a resource by ID or name.
Tabs for recovering the backed-up instances, independent volumes, databases, etc.
Outputs of any backup scripts and VSS if it exists. These reference outputs may be important during a recovery operation.

All the choices about regions and accounts you make in the recover screen apply to all the recovery operations that you initiate from this screen.

Choose the backups to recover and then select the Recover resource type button.

10.2 Recovery AWS Credentials

All recovery screens have a drop-down list at the bottom labelled AWS Credentials. By default, the account AWS credentials used for backup are also used for recovery operations. Depending on the backup, you can select Provide Alternate AWS Credentials and fill in different credentials for recovery. This can be useful if you want to use IAM-created backup credentials that do not have permissions for recovery. See section . When using custom credentials, N2W verifies that these credentials belong to the recovery account.

To use custom credentials:

Select Provide Alternate AWS Credentials in the list. The custom credential boxes appear.
In the AWS Access Key box, enter your access key.
In the AWS Secret Key box, enter your secret key.

10.3 Recovery Tags

The default Preserve/Recover Tags action during recovery is Preserve Original tags associated with the recovery target. You can manage the recovery tags by selecting one of the options in the list or section:

Preserve Original (default) - Preserve the existing tags associated with the recovery target.
Clear / No Tags- Do not recover any tags.
Custom - You can add tags or override tags on the version of the resource selected for the recovery.

To make changes in the Recover Tags sections, switch the Auto assigned toggle key to Custom.

10.4 Instance Recovery

With Instance recovery, you can recover a complete instance with its data for purposes, such as:

An instance crashed or is corrupted and you need to create a new one
Creating an instance in a different AZ
Creating an instance in a different region. See section .

When you recover an instance, by default, you recover it with its configuration, tags, and data, as they were at the time of the backup. However, you can change these elements:

Instance type
Placement
Number of CPU cores and threads

You can also choose how to recover the system itself:

For Linux EBS-based instances: if you have a snapshot of the boot device, you will, by default, use this snapshot to create the boot device of the new instance. You can, however, choose to create the new instance from its original image or a different one.
For instance-store-based: you will only have the image option. This means you cannot use the snapshot of the instance’s root device to launch a new instance.
Your data EBS volumes will be recovered by default to create a similar instance as the source. However, you can choose:

N2W knows how to overcome this limitation. You can recover an instance from a snapshot, but you also need an AMI for the recovery process. By default, N2W will create an initial AMI for any Windows instance it backs up and use that AMI for the recovery process. Usually, you do not need to change anything to recover a Windows instance.

The instance recovery screen has tabs for Basic Options, Volumes, and Advanced Options.

At the bottom of each screen, there is an option to change AWS Credentials.

10.4.1 Basic Options

The Basic Options tab is divided into the general section and the Networking section:

AMI Assistant – Select to view the details of the AMI used to launch your instance and find similar AMIs.
Launch from – Whether to launch the boot device (Image) from an existing image, a snapshot, or whether to launch the device using the original root volume configuration (Image (Replace root volume)) which will contain the billing code, if available.

Launching from a snapshot is not available on Windows.

AMI Handling – This option is relevant only if Launch from is set to Snapshot. If this instance is launched from a snapshot, a new AMI image will be registered and defined as follows:
- De-Register after Recovery – This is the default. The image will only be used for this recovery operation and will be automatically de-registered at the end. This option will not leave any images behind after the recovery is complete.

Since not all instance types are available in all AWS regions, recovery of an unsupported instance type in a certain region might fail. Where the instance type is not yet supported by AWS, N2W recommends that you configure a supported instance type.

Instance Profile ARN – The ARN of the instance role (IAM Role) for the instance. To find the ARN, select the Role name in the IAM Management Console and then select the Summary tab. The default will be the instance role of the backed-up instance if it had one.
Instances to Launch – Specifies how many instances to launch from the image. The default is one, which is the sensible choice for production servers. However, in a clustered environment you may want to launch more than one. It is not guaranteed that all the requested instances will launch. Check the message at the end of the recovery operation to see how many instances were launched, and their IDs.

Keys cannot be used to decrypt the Windows password of a restored instance.

10.4.1.1 Networking Section

The main purpose of the Networking section is to define what will be the placement of the instance. By default, it will be the same placement as the backed-up instance. An instance can be placed using three methods which are not all necessarily available.

By VPC – Default placement if you have VPC subnets defined in your account.
By Availability Zone – This is the most basic type and the only one which is always available. You can choose in which AZ to launch the instance. Additional options are:
- You can choose a different AZ from the backed-up instance.

For Placement by VPC and Availability Zone, you are asked to select a security group. Learn about AWS Security Groups and settings at

If you chose By VPC in Placement, the following fields are available:

VPC –You can choose the VPC the instance is to be recovered to. By default, it will contain the VPC of the original instance.
Clone VPC - Option to recover to a clone of the selected VPC environment. Control switches to the Account’s Clone VPC screen. Choose the date of the source VPC capture for the clone and an optional new destination name. See section . After the cloning process is completed, the name of the newly cloned VPC will appear in the VPC box.
VPC Subnet

Security groups for VPC instances are different than groups of non-VPC instances. This list has a filter to help you find the security group that you need.

VPC Assign IP – If the backed-up instance was in a VPC subnet, the default value will be the IP assigned to the original instance.
- If the assigned IP is still taken, it can fail the recovery operation. You can type a different IP here. When you begin recovery, N2W will verify the IP belongs to the chosen subnet.
- If this box is empty, an IP address from the subnet will be automatically allocated for the new instance.

If you chose By Availability Zone in Placement:

Availability Zone - By default, if the backed-up instance was not in a VPC, it will have the same zone as the backed-up instance. However, you can choose a different one from the list.
Security Group - Choose security groups to be applied to the new instance. This is a multiple-choice field. By default, the security groups of the backed-up instance will be chosen.

If you chose By Placement Group:

Placement Group - Choose the placement group from the list.

For all Placement options, the following boxes are also available:

Additional NICs - If you want to add additional NICs.
AWS Credentials - You can choose to use different AWS credentials for the recovery operation.

10.4.2 Volumes

If the policy contains an instance target that has a volume, the volume is also defined as a volume target:

The volume will not be available under the Independent Volumes tab.

Select the Volumes tab to choose which volumes to recover and how.

All data volumes in the policy except the boot device are listed here. Their default configuration is the same as it was in the backed-up instance at the time of the backup.

Select a volume to include it in the recovery. You can adjust the volume recovery parameters, as follows:

The default Recover Tags action during recovery is Preserve Original for the volumes associated with the instance. To manage tags, see section .
Enlarge capacity of the volume.
Change the device and device type.

10.4.3 Advanced Options

It is possible to recover to a different account and region by recovering to a clone of an original VPC environment. See the Clone VPC options in section .

Advanced options include the following:

Architecture – The default will be the architecture of the backed-up instance. Options are:
- i386 – which is X86 – 32-bit
- x86_64 – which is X86 – 64-bit

Changing the architecture may result in an error if the image is incompatible with the requested architecture. For example, if your image is a native 64-bit image and you choose i386, the recovery operation will fail.

Tenancy – Choose the tenancy option for this instance.
Shutdown Behaviour – The value of the original instance is the default. If the recovered instance is instance-store-based, this option is not used. The choices are:
- stop – If the instance is shut down, it will not be terminated and will just move to

Advanced Options include different additional choices depending on whether Placement is By VPC, By Availability Zone or By Placement Group.

To complete the recovery operation, select Recover Instance and then confirm. If there are errors that N2W detects in your choices, you will return to the Recover instance screen with error messages. Otherwise, you will be redirected back to the recovery panel screen, and a message will be displayed regarding the success or failure of the operation.

10.4.4 AMI Assistant

The AMI Assistant is a feature that lets you view the details of the AMI used to launch your instance, as well as find similar AMIs. N2W will record the details of the AMI when you start backing up the instance. If the AMI is deleted sometime after the instance started backing up, N2W will remember the details of the original AMI.

After selecting AMI Assistant in the instance recovery screen, you will see these details:

AMI ID
Region
Image Name

To find AMIs with properties that are exactly like the original, select the Exact Matches tab. If the Exact Matches search does not find matches, select the Partial Matches tab which will search for AMIs similar to the original.

AMI Assistant searches can be useful in the following scenarios:

You want to recover an instance by launching it from an image, but the original AMI is no longer available.
You want to recover an instance by launching it from an image, but you want to find a newer version of the image. The fuzzy search will help you.
You are using DR (section ) and you need to recover the instance in a different region. You may want to find the matching AMI in the target region to use it to launch the instance, or you may need its kernel ID or ramdisk ID to launch the instance from a snapshot.

10.4.5 Recovering to a Cloned VPC

When you select Clone VPC in the Basic Options tab, the Clone VPC screen opens.

N2W will have pre-set the following fields according to the selections made in the Advanced Options section:

Capture Source:
- Region and VPC
- Captured at date and time – You can select a different date and time to clone in the drop-down list of captures.

As part of the cloning process, N2W uses CloudFormation. If the CloudFormation template is over 50 kB, select Cloud Formation Template. It requires an existing S3 bucket for uploading. See section .

When finished, select Clone VPC. If you changed the suggested VPC Name, it will appear in the VPC box.

To view the cloning progress and status, select Background Tasks in the toolbar. Background Tasks only appears after the first Clone VPC or Check Secured DR Account operation.

To view the results of the Clone VPC operation in case manual changes are required, select Download Log.

10.5 Volume Recovery

Volume recovery means creating EBS volumes out of snapshots. In N2W, you can recover volumes that were part of an instance’s backup or recover EBS volumes that were added to a policy as an independent volume. The recovery process is basically the same.

To recover volumes belonging to an instance:

In the left panel, select the Backup Monitor.
In the Backup Monitor tab, select a backup, and then select Recover.
Select an instance, and then select Recover Volumes Only.

Attach Behaviour – This applies to all the volumes you are recovering if you choose to attach them to an instance:
- Attach Only if Device is Free – If the requested device is already taken in the target instance, the attach operation will fail. You will get a message saying the new volume was created but was not attached.
- Switch Attached Volumes

If you choose Switch Attached Volumes and Delete Old Ones, make sure you do not need the old volumes. N2W will delete them after detaching them from the target instance.

Recover – Enabled by default. Clear Recover if you do not want that volume recovered.
Zone – AZ. The default is the original zone of the backed-up volume.
Original Volume ID – ID of the original volume.

After selecting Recover Volumes and confirming, if there was an error in a field that N2W detected, you will be returned to the screen with an error notification.

To follow the progress of the recovery, select the Open Recovery Monitor link in the ‘Recovery started’ message at the top right corner, or select the Recovery Monitor tab.

To recover independent volumes:

Select a backup, and then select Recover. The recover volumes screen opens.
In the Independent Volumes tab, select a volume or Search by Resource
Complete the From/To options as available.

10.6 RDS Database Recovery

For RDS Custom database recovery, see section for the required additional permissions.
When backing up Aurora, AWS automatically copies all tags set on resources to the snapshots and does not allow recovering these resources without recovering their tags as well.

When a backup includes snapshots of RDS databases, selecting Recover to bring you to the RDS Databases tab. You will see a list of all RDS databases in the current backup. You can change the following options:

Recover – Clear Recover to not recover the current database.
Zone – The AZ of the database. By default, it will be the zone of the backed-up database, but this can be changed. Currently, recovering a database into a VPC subnet is not supported by N2W. You can recover from the snapshot using AWS Management Console.
DB Instance ID – The default is the ID of the original database. If the original database still exists, the recovery operation will fail. To recover a new database, type a new ID.

10.6.1 RDS Database Recovery from S3

As of version 4.4.0, N2W creates the users in a recovered RDS database by calling an SQL command (CREATE USER) instead of rewriting data into the User table of the recovered RDS database server. As a result, some metadata that relates to a MySQL database user may not be recovered.

N2W recovers user and all granted permissions. The properties that are not recovered are typically private properties maintained by RDS that likely will not affect the recovered database usage.
N2W recovery of PostgreSQL RDS database from S3 does not recover the passwords of recovered database users due to the limitation imposed by AWS. The database is recovered with the RDS Admin username and password. The Admin can then set the other users' passwords manually. See

10.7 Aurora Cluster Recovery

When backing up Aurora, AWS automatically copies all tags set on resources to the snapshots and does not allow recovering these resources without recovering their tags as well.

Aurora recovery is similar to RDS recovery, with a few important differences.

Aurora introduces the concept of clusters to RDS. You no longer launch and manage a DB instance, but rather a DB cluster that contains DB instances.
An Aurora cluster may be created in a single AZ deployment, and the cluster will contain one instance.
Or, as in production deployments, the cluster will be created in a multi-AZ deployment, and the cluster will have reader and writer DB instances.

After selecting a backup with Aurora Clusters, select Recover. The Aurora Clusters Recover screen opens. In this screen, all Aurora clusters that were backed up are listed. You can change the following options:

Recover – Clear to not recover the current Aurora cluster.
RDS Cluster ID – The default will be the ID of the original cluster. If the original cluster still exists, the recovery operation will fail, unless you change the ID.
RDS Instance ID – The default will the ID of the original instance.

Select Recover Aurora Clusters when finished.

10.8 Aurora Serverless Recovery

When backing up Aurora, AWS automatically copies all tags set on resources to the snapshots and does not allow recovering these resources without recovering their tags as well.

Recovery of Aurora Serverless is somewhat different than for an Aurora Cluster. As part of the recovery, you can define actions for setting capacity:

Force scaling the capacity to the specified values in Minimum/Maximum Aurora capacity unit when the Timeout for force scaling is reached. When you change the capacity, Aurora Serverless tries to find a scaling point for the change.
- Enable to force capacity scaling as soon as possible.

After selecting a backup with Aurora Serverless in the Backup Monitor, selectRecover. The Recover screen opens.

2. In the Aurora Clusters tab, select the recovery target. Aurora Serverless can be identified by the value 'Serverless' in the Role column. 3. SelectRecover. The Recovery Aurora Cluster screen opens.

4. Change the default field values as needed. See section for Instance ID and Subnet Group. 5. If you select Force scaling the capacity to the specified values when the timeout is reached or Pause compute capacity after consecutive minutes of inactivity, the Timeout for force scaling list appears. Change the timeout seconds as needed. 6. Select Recover Aurora Cluster when finished.

10.9 Redshift Cluster Recovery

When a backup to recover includes snapshots of Redshift clusters, the Redshift Clusters tab opens. All Redshift clusters in the current backup are listed. You can change the following options:

Recover – Clear Recover to not recover the current cluster.
Zone – The AZ of the cluster. By default, it will be the zone of the backed-up cluster, but this can be changed.

Currently, recovering a cluster into a VPC subnet is not supported by N2W. You can always recover from the snapshot using AWS Management Console.

Cluster ID – The default will the ID of the original cluster. If the original cluster still exists, the recovery operation will fail. To recover a new cluster, type a new ID.
Cluster Snapshot ID– Displays the snapshot ID.
Node Type and Nodes – For information only. Changing these fields is not supported by AWS.

10.10 DynamoDB Table Recovery

When a backup to recover includes DynamoDB Table backups, the DynamoDB Tables tab opens.

If you reach the limit of the number of tables that can be recovered at one time, you will need to wait until they have completed before starting the recovery of additional tables.

All DynamoDB tables in the current backup are listed. You can change the following options:

Recover – Clear Recover to not recover a table.
Region – The Region where the table will be recovered, which is the same region as the backup.
Table Name – The default will be the Name of the original table. However, if the original table still exists, the recovery operation will fail. To recover to a new table, type a new Table Name.

During backup, N2W retains the DynamoDB tags at the table level and the Time To Live (TTL) metadata and enables these attributes on recovery.

During the recovery process, a confirmation message appears with a reminder to recreate the following settings on the restored DynamoDB tables MANUALLY: Auto Scaling policies, IAM policies, CloudWatch metrics, and alarms.

10.11 EFS Recovery

When a backup includes EFS backups, the Recover EFS tab is available.

For DR and cross accounts, only recoveries to a new EFS are supported.

The AWS role “AWSBackupDefaultServiceRole” is required for recovery.

In the Backup Monitor screen, select an EFS backup. To search backups, you can enter either the EFS name or AWS ID in the search box, select By Elastic File System in the list, and then select the Search icon.

2. Select Recover.

3. In the Target EFS list, select the target to restore to:

New - Recover to a separate EFS
Original - Recover to the same EFS

Regular recoveries to original and new EFSs are supported. For DR, Target EFS must be 'New'.
When recovering an EFS to the original target, a new folder is created with the the format aws-backup-restore_[date-time].

4. In cases where EFS DR was performed, select the Restore to Region.

5. For a cross-account recovery:

Target EFS must be 'New'.
In the Cross Account Copy IAM Role list of roles from the source account, select the IAM role needed for copying the recovery point to the target account.

To not miss matching an EFS vault name in the target region during a snapshot backup or a copy, in the AWS console, go to AWS Backup > Backup vaults and select the region you would like to back up or copy EFS snapshots to. This action is to be performed only once before running an EFS backup or DR.

6. Select Recover Volumes.

For file-level recovery, see section .

To view the progress of the recovery:

In N2W, select the Recovery Monitor tab.
To view details of the recovery process, select the recovery record, and select Log. Select Refresh as needed.

10.12 FSx Recovery

For Lustre and OpenZFs recovery, see section .
For ONTAP recovery, see section .

To view the contents of a backup for recovery, in the Backup Monitor, select a backup and then selectView Snapshots.

In the Backup Monitor, select an FSx backup for the recovery. Select Recover. The FSx File Systems tab will show the Original FSx Name and ID, Region, and File System Type.

Select an FSx File System, and then select Recover. Parameters are shown depending on whether they are relevant for the type of FSx.

All following parameters are optional except for the password of Win-SMAD, where the original password is the default.

10.12.1 AWS-managed Active Directory

When selecting a Windows FSx with AWS-Managed Active Directory, you can select the Active Directory from the target’s AWS account:

10.12.2 Self-managed Active Recovery Options

For Self-managed Active Directory, the connection to Active Directory is on the SVM level, not the file system level as in FSx Windows.

Select the SVM tab.
Select an Original SVM ID, and enter an SVM Name.
Select a Volume ID, and enter a Name.

10.13 FSx for Lustre and OpenZFs Recovery

In the Backup Monitor, under the FSx File Systems section, select a backup with the File System Type of ‘LUSTRE’ or ‘OPENZFS’.
Select Recover.
In the Recovery screen, make changes as necessary.

10.14 FSx for NetApp ONTAP Recovery

Following are the types of ONTAP recoveries:

To recover all or some volumes to a new ONTAP FSx, select Recover.
To recover selected volumes and attach them to an existing SVM, select Recover Volumes Only.
To view the contents of a snapshot for recovery, useView Snapshots in the Backup Monitor.

To recover an ONTAP backup:

In the Backup Monitor, under the FSx File Systems section, select a backup with the File System Type of 'ONTAP'.
Select Recover. The FSx File System Recovery screen opens.
In the Basic Options tab, modify the options as required for the recovery.

4. In the Subnet ID field, select a single Availability Zone for recovery.

5. The default Recover Tags action during recovery is Preserve Original tags. To manage tags on SVMs and their volumes during recovery, see section ‎‎.

6. In the Volumes tab, select the volumes to recover and update the volume Name as necessary.

7. In the ONTAP FSx Options tab:

a. Update the Recovered File Name as necessary.

b. If required, enable, and specify a password.

8. Select Recover FSx File System.

To recover ONTAP volumes only and attach to an existing SVM:

In the Backup Monitor, select an FSx backup for the recovery. Select Recover. The FSx File Systems tab will show the Original FSx Name and ID, Region, and File System Type.
Select the ONTAP file system to recover and then select Recover Volumes Only.

3. In the Volume Recovery from FSx File System screen, select the volumes to recover. For each volume, type the Name of the volume and select the SVM to attach the volume to.

4. Select the Recover Volumes Only button.

For managed active directory recovery options, also see sections and .

10.15 SAP HANA Database Recovery

If a backup holds an instance with an SAP HANA configuration and snapshots, the SAP HANA recovery is available. You can recover SAP HANA snapshots to the original EC2 instance or to a new instance created from the EC2 snapshot.

Following are the recovery options:

Recover – EC2 instance recovery with SAP HANA native recovery performed on a newly recovered instance. Cross–region recovery is supported when selecting another region in the Restore to Region list.
Recover SAP HANA Internal DBs only - Recovering an SAP HANA backup to the original EC2 instance.

Some SAP HANA installations require changing the/etc/hosts file in order to communicate with the database. As part of backup and recovery, the user data attached to the instance changes from the original IP address to 127.0.0.1 to enable communication to the database on localhost.

Cross-account recovery is not currently supported on N2W. It’s possible to run cross-account backup and then perform a cross-account recovery for the EC2 instance only.

In the Backup Monitor, select the SAP HANA backup with the instance for recovery. Select Recover.
In the SAP HANA Instances tab, select an instance and then select a recovery option:

3. Except for SAP HANA Internal DBs, set all tab options as you would for regular EC2 instance recovery. See section .

4. If the Recover option is selected, also select the SAP HANA Internal DBs tab, select all or individual DBs, and then select Recover Instance.

5. If Recover SAP HANA Internal DBs Only is selected, select the internal DBs for recovery, and then select Recover Instance.

6. If Recover Volumes Only is selected, configure as for a regular EC2 volumes only recovery. See section ‎.

10.16 Virtual Machine Recovery

With Virtual Machine recovery, you can recover a complete virtual machine with its data for variety of purposes, such as:

A virtual machine crashed or is corrupted and you need to create a new one.
Creating a virtual machine in a different zone.
Creating a virtual machine in a different location.

When you recover a virtual machine, you can change the following elements:

Name
Resource group
Size
Availability

Your data disks will be recovered by default to create a similar virtual machine as the source. However, you can choose:

To recover some or none of the disks.
To enlarge disk size.
To manage tags related to the disks.

The instance recovery screen has tabs for Basic Options and Disks.

10.16.1 Basic Options

The Basic Options tab is divided into the general section, the Availability section and the Networking section:

Name and Resource Group – Enter a name for the recovered virtual machine.

The virtual machine’s name must be unique within the selected resource group.

Preserve Tags - The default action during recovery is Preserve Original for the volumes associated with the virtual machine. To manage tags, see section ‎‎.

10.16.1.1 Availability Section

Size - Choose the virtual machine’s size. If the Availability Zone option is selected in the Availability Type list, The virtual machine size determines which Availability Zones are available since some virtual machine sizes are available only in certain zones.·
Availability Type – Choose between No Infrastructure Redundancy Required, Availability Zone, and Availability Set options.

10.16.1.2 Network Interface Section

Network Interface Name – Set a name for the Network Interface Name will be created and assigned to the recovered virtual machine.
- If the toggle key is set to Auto assigned, a unique name will be generated by N2W for the network interface.
- To manually choose a name, switch the toggle key to Custom, and enter a name in the text box.

10.16.2 Disks

This section allows configuring the recovered virtual machine disks.

Encryption Set – Choose to keep the same encryption as the backed-up virtual machine or select a different encryption set.
In the Name list, select the disks to be recovered. The OS disk will always be recovered but data disk selections can be cleared.
For each disk, the name and size can be configured, as well as whether to preserve the original virtual machine tags or make changes.

The disk Name must be unique among all resources under the same resource group.

Preserve Tags - The default action during recovery is Preserve Original for the target. To manage tags, see section ‎.

10.17 SQL Server Recovery

You can recover an SQL Server or only its databases.

To view the recovery progress, select Recovery Monitor. Use the Cloud buttons to display the Azure () recoveries.

To recover an SQL Server:

In the Backup Monitor, select the backup to recover from, and then select Recover.
In the Recover screen, select the SQL Server snapshot that you want to recover from, and then select Recover.
In the SQL Server tab of the Recover screen, select 1 SQL Server, and then select Recover. The Basic Options

To recover only SQL databases:

Select Recover SQL Databases Only.
In the SQL Databases tab, enter a new Name for each database. Similar names will cause the recovery to fail. Change other settings as needed.
Select Recover SQL Database.

10.18 DocumentDB Cluster Recovery

To recover a DocumentDB Cluster:

In the Backup Monitor, select the Cluster ID that you want to recover from, and then select Recover.
In the Recover screen, makes changes as necessary.
Select Recover DocumentDB Cluster.

10.19 S3 Bucket Recovery

When a backup includes S3 Bucket backups, the Recover S3 Bucket tab is available.

For DR and cross accounts only, recoveries to a new S3 Bucket are supported.

The AWS role “AWSBackupDefaultServiceRole” is required for recovery.

In the Backup Monitor screen, select an S3 Bucket backup. To search backups, you can enter either the S3 Bucket name or AWS ID in the search box, select By S3 Bucket in the list, and then select the Search icon.
Select Recover.
In the Target S3 Bucket list, select the target to restore to:

New - Recover to a separate S3 Bucket
Original - Recover to the same S3 Bucket

Regular recoveries to original and new S3 Buckets are supported. For DR, Target S3 Bucket must be ‘New’.

When recovering an S3 Bucket to the original target, a new folder is created with the format aws-backup-restore_[date-time].

4. In cases where S3 Bucket DR was performed, select the Restore to Region.

To not miss matching an S3 Bucket vault name in the target region during a snapshot backup or a copy, in the AWS console, go to AWS Backup > Backup vaults and select the region you would like to back up or copy S3 Bucket snapshots to. This action is to be performed only once before running an S3 Bucket backup or DR.

For cross-account recovery:

Target S3 Bucket must be ‘New’.
In the Cross Account Copy IAM Role list of roles from the source account, select the IAM role needed for copying the recovery point to the target account.
Select Recover Bucket

For item-level recovery:

To recover files and folders, see section ‎.

To view the progress of the recovery:

In N2W, select the Recovery Monitor tab.
To view details of the recovery process, select the recovery record, and select Log. Select Refresh as needed.