How to restore EC2 instance with multiple ENIs attached from AWS Backup

Goal of this post

  • Backup EC2 instances with multiple ENIs attached with AWS Backup

  • Restore EC2 instances with multiple ENIs attached, when restored from a recovery point

How?

  • Run the StartRestoreJob API, e.g., from the AWS CLI or SDK

  • Restore jobs launched from the console cannot customize the network interfaces

EC2 instance backup with multiple ENIs attached

EC2 instances with multiple ENIs attached can be backed up with AWS Backup like any other instance. The backup data is stored as an AMI, and an AMI does not contain network interface information.

However, the metadata of the recovery point does include the network interface information. Recovery point metadata can be retrieved with the GetRecoveryPointRestoreMetadata API.

The following is an example of execution with the AWS CLI.

$ aws backup get-recovery-point-restore-metadata --backup-vault-name Default --recovery-point-arn arn:aws:ec2:us-west-2::image/ami-xxxxxxxxxxxxxxxxx
{
    "BackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:Default",
    "RecoveryPointArn": "arn:aws:ec2:us-west-2::image/ami-xxxxxxxxxxxxxxxxx",
    "RestoreMetadata": {
        "CapacityReservationSpecification": "{\"CapacityReservationPreference\":\"open\"}",
        "CpuOptions": "{\"CoreCount\":2,\"ThreadsPerCore\":1}",
        "CreditSpecification": "{\"CpuCredits\":\"unlimited\"}",
        "DisableApiTermination": "false",
        "EbsOptimized": "true",
        "HibernationOptions": "{\"Configured\":false}",
        "InstanceInitiatedShutdownBehavior": "stop",
        "InstanceType": "t4g.micro",
        "Monitoring": "{\"State\":\"disabled\"}",
        "NetworkInterfaces": "[{\"AssociatePublicIpAddress\":true,\"DeleteOnTermination\":true,\"Description\":\"\",\"DeviceIndex\":0,\"Groups\":[\"sg-xxxxxxxxxxxxxxxxx\"],\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"NetworkInterfaceId\":\"eni-aaaaaaaaaaaaaaaaa\",\"PrivateIpAddress\":\"172.31.62.169\",\"PrivateIpAddresses\":[{\"Primary\":true,\"PrivateIpAddress\":\"172.31.62.169\"}],\"SecondaryPrivateIpAddressCount\":0,\"SubnetId\":\"subnet-xxxxxxxxxxxxxxxxx\",\"InterfaceType\":\"interface\",\"Ipv4Prefixes\":[],\"Ipv6Prefixes\":[]},{\"AssociatePublicIpAddress\":true,\"DeleteOnTermination\":false,\"Description\":\"\",\"DeviceIndex\":1,\"Groups\":[\"sg-xxxxxxxxxxxxxxxxx\"],\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"NetworkInterfaceId\":\"eni-bbbbbbbbbbbbbbbbb\",\"PrivateIpAddress\":\"172.31.54.130\",\"PrivateIpAddresses\":[{\"Primary\":true,\"PrivateIpAddress\":\"172.31.54.130\"}],\"SecondaryPrivateIpAddressCount\":0,\"SubnetId\":\"subnet-xxxxxxxxxxxxxxxxx\",\"InterfaceType\":\"interface\",\"Ipv4Prefixes\":[],\"Ipv6Prefixes\":[]}]",
        "Placement": "{\"AvailabilityZone\":\"us-west-2d\",\"GroupName\":\"\",\"Tenancy\":\"default\"}",
        "RequireIMDSv2": "false",
        "SecurityGroupIds": "[\"sg-xxxxxxxxxxxxxxxxx\"]",
        "SubnetId": "subnet-xxxxxxxxxxxxxxxxx",
        "VpcId": "vpc-xxxxxxxxxxxxxxxxx",
        "aws:backup:request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
}

In the output above, you can see that the details of both eni-aaaaaaaaaaaaaaaaa and eni-bbbbbbbbbbbbbbbbb are included in NetworkInterfaces.

How to restore from a recovery point

When a restore job is launched from the AWS Backup console, it is not possible to restore an EC2 instance with multiple ENIs attached, because the console limits the customizable parameters to the following.

https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-ec2.html

The AWS Backup console allows you to restore Amazon EC2 recovery points with the following parameters and settings you can customize:

  • Instance type

  • Amazon VPC

  • Subnet

  • Security groups

  • IAM role

  • Shutdown behavior

  • Stop–hibernate behavior

  • Termination protection

  • T2/T3 unlimited

  • Placement group name

  • EBS-optimized instance

  • Tenancy

  • RAM disk ID

  • Kernel ID

  • User data

  • Deletion on termination

To restore an EC2 instance with other customized parameters, including the network interface, you must execute the StartRestoreJob API with metadata, e.g., from the AWS CLI or SDK.

Use the AWS Backup API, CLI, or SDK to restore Amazon EC2 recovery points: use StartRestoreJob. This option allows you to restore all 38 parameters, including the 22 parameters that are not customizable on the console.

The following is an example of execution with the AWS CLI.

$ aws backup start-restore-job \
  --recovery-point-arn "arn:aws:ec2:us-west-2::image/ami-xxxxxxxxxxxxxxxxx" \
  --iam-role-arn "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole" \
  --metadata file://metadata.json
{
    "RestoreJobId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

You can specify parameters in metadata.json as follows.

Example of specifying a private IP address

Note that if the backup source instance still exists, the private IP addresses must be changed to avoid duplicate addresses.

{
    "VpcId": "vpc-xxxxxxxxxxxxxxxxx",
    "Monitoring": "{\"State\":\"disabled\"}",
    "CapacityReservationSpecification": "{\"CapacityReservationPreference\":\"open\"}",
    "InstanceInitiatedShutdownBehavior": "stop",
    "DisableApiTermination": "false",
    "CreditSpecification": "{\"CpuCredits\":\"unlimited\"}",
    "HibernationOptions": "{\"Configured\":false}",
    "EbsOptimized": "true",
    "Placement": "{\"AvailabilityZone\":\"us-west-2d\",\"GroupName\":\"\",\"Tenancy\":\"default\"}",
    "aws:backup:request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "InstanceType": "t4g.micro",
    "NetworkInterfaces": "[{\"DeleteOnTermination\":true,\"Description\":\"\",\"DeviceIndex\":0,\"Groups\":[\"sg-xxxxxxxxxxxxxxxxx\"],\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"PrivateIpAddresses\":[{\"Primary\":true,\"PrivateIpAddress\":\"172.31.62.169\"}],\"SubnetId\":\"subnet-xxxxxxxxxxxxxxxxx\",\"InterfaceType\":\"interface\"},{\"DeleteOnTermination\":false,\"Description\":\"\",\"DeviceIndex\":1,\"Groups\":[\"sg-xxxxxxxxxxxxxxxxx\"],\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"PrivateIpAddresses\":[{\"Primary\":true,\"PrivateIpAddress\":\"172.31.54.130\"}],\"SubnetId\":\"subnet-xxxxxxxxxxxxxxxxx\",\"InterfaceType\":\"interface\"}]"
}

Example of specifying an ENI ID

Note that if the backup source ENI is to be reused, it must be detached from the source instance and in the Available status.

{
    "VpcId": "vpc-xxxxxxxxxxxxxxxxx",
    "Monitoring": "{\"State\":\"disabled\"}",
    "CapacityReservationSpecification": "{\"CapacityReservationPreference\":\"open\"}",
    "InstanceInitiatedShutdownBehavior": "stop",
    "DisableApiTermination": "false",
    "CreditSpecification": "{\"CpuCredits\":\"unlimited\"}",
    "HibernationOptions": "{\"Configured\":false}",
    "EbsOptimized": "true",
    "Placement": "{\"AvailabilityZone\":\"us-west-2d\",\"GroupName\":\"\",\"Tenancy\":\"default\"}",
    "aws:backup:request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "InstanceType": "t4g.micro",
    "NetworkInterfaces": "[{\"DeleteOnTermination\":true,\"Description\":\"\",\"DeviceIndex\":0,\"Groups\":[\"sg-xxxxxxxxxxxxxxxxx\"],\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"PrivateIpAddresses\":[{\"Primary\":true,\"PrivateIpAddress\":\"172.31.62.169\"}],\"SubnetId\":\"subnet-xxxxxxxxxxxxxxxxx\",\"InterfaceType\":\"interface\"},{\"DeleteOnTermination\":false,\"Description\":\"\",\"DeviceIndex\":1,\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"NetworkInterfaceId\":\"eni-bbbbbbbbbbbbbbbbb\"}]"
}
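As an added example that is not part of this post, the following Python script (standard library only, no AWS calls) performs the metadata rewrite that the two examples above show by hand: it decodes the NetworkInterfaces string returned by GetRecoveryPointRestoreMetadata, emits each interface either in the subnet-and-private-IP shape (first example) or in the ENI ID shape (second example), drops the instance-level SubnetId and SecurityGroupIds the way the post's examples do, refuses a private IP that the backup source still uses when you state that the source instance still exists, and writes the metadata.json consumed by start-restore-job. The sample metadata, the function names and the keyword arguments are constructed for this example; all ids are placeholders.

```python
"""Rewrite GetRecoveryPointRestoreMetadata output into StartRestoreJob metadata.

Added example, not code from the post. Standard library only; no AWS calls.
"""
import ipaddress
import json

# Top-level keys the post's two restore examples carry over unchanged. The
# instance-level SubnetId and SecurityGroupIds are not copied: in the post's
# examples the per-interface Groups/SubnetId (or the ENI itself) replace them.
PASSTHROUGH_KEYS = (
    "VpcId", "Monitoring", "CapacityReservationSpecification",
    "InstanceInitiatedShutdownBehavior", "DisableApiTermination",
    "CreditSpecification", "HibernationOptions", "EbsOptimized",
    "Placement", "aws:backup:request-id", "InstanceType",
)


def _sample_eni(index, eni_id, ip, delete_on_termination):
    """Constructed interface entry in the shape the post's metadata shows."""
    return {"AssociatePublicIpAddress": True, "DeleteOnTermination": delete_on_termination,
            "Description": "", "DeviceIndex": index, "Groups": ["sg-xxxxxxxxxxxxxxxxx"],
            "Ipv6AddressCount": 0, "Ipv6Addresses": [], "NetworkInterfaceId": eni_id,
            "PrivateIpAddress": ip,
            "PrivateIpAddresses": [{"Primary": True, "PrivateIpAddress": ip}],
            "SecondaryPrivateIpAddressCount": 0, "SubnetId": "subnet-xxxxxxxxxxxxxxxxx",
            "InterfaceType": "interface", "Ipv4Prefixes": [], "Ipv6Prefixes": []}


# Constructed sample of RestoreMetadata (ids are placeholders). As in the real
# output, NetworkInterfaces is a JSON document stored as a string.
SAMPLE_RESTORE_METADATA = {
    "VpcId": "vpc-xxxxxxxxxxxxxxxxx",
    "SubnetId": "subnet-xxxxxxxxxxxxxxxxx",
    "SecurityGroupIds": "[\"sg-xxxxxxxxxxxxxxxxx\"]",
    "InstanceType": "t4g.micro",
    "RequireIMDSv2": "false",
    "Placement": "{\"AvailabilityZone\":\"us-west-2d\",\"GroupName\":\"\",\"Tenancy\":\"default\"}",
    "aws:backup:request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "NetworkInterfaces": json.dumps([
        _sample_eni(0, "eni-aaaaaaaaaaaaaaaaa", "172.31.62.169", True),
        _sample_eni(1, "eni-bbbbbbbbbbbbbbbbb", "172.31.54.130", False),
    ]),
}


def parse_network_interfaces(restore_metadata):
    """Decode the NetworkInterfaces string into a list of dicts."""
    return json.loads(restore_metadata["NetworkInterfaces"])


def source_private_ips(restore_metadata):
    """Every private IPv4 address the backup source had on any ENI."""
    return {a["PrivateIpAddress"]
            for eni in parse_network_interfaces(restore_metadata)
            for a in eni.get("PrivateIpAddresses", [])}


def eni_by_private_ip(eni, new_ip):
    """Post's first shape: a new interface in the same subnet/groups with a chosen
    private IP. NetworkInterfaceId and the public-IP fields are dropped."""
    ipaddress.IPv4Address(new_ip)  # raises ValueError for a malformed address
    return {"DeleteOnTermination": eni["DeleteOnTermination"],
            "Description": eni.get("Description", ""),
            "DeviceIndex": eni["DeviceIndex"],
            "Groups": eni["Groups"],
            "Ipv6AddressCount": eni.get("Ipv6AddressCount", 0),
            "Ipv6Addresses": eni.get("Ipv6Addresses", []),
            "PrivateIpAddresses": [{"Primary": True, "PrivateIpAddress": new_ip}],
            "SubnetId": eni["SubnetId"],
            "InterfaceType": eni.get("InterfaceType", "interface")}


def eni_by_id(eni):
    """Post's second shape: attach the existing ENI by id. Subnet, groups and
    addresses belong to that ENI, so they are not repeated here."""
    return {"DeleteOnTermination": eni["DeleteOnTermination"],
            "Description": eni.get("Description", ""),
            "DeviceIndex": eni["DeviceIndex"],
            "Ipv6AddressCount": eni.get("Ipv6AddressCount", 0),
            "Ipv6Addresses": eni.get("Ipv6Addresses", []),
            "NetworkInterfaceId": eni["NetworkInterfaceId"]}


def build_restore_metadata(restore_metadata, new_ips=None, reuse_eni_ids=(),
                           source_instance_exists=True):
    """new_ips maps DeviceIndex -> private IP for interfaces to recreate;
    reuse_eni_ids lists ENI ids to attach as-is (they must be detached and
    Available). Every interface must be covered by exactly one of the two."""
    new_ips = new_ips or {}
    taken = source_private_ips(restore_metadata) if source_instance_exists else set()
    interfaces = []
    for eni in parse_network_interfaces(restore_metadata):
        idx = eni["DeviceIndex"]
        if eni.get("NetworkInterfaceId") in reuse_eni_ids:
            interfaces.append(eni_by_id(eni))
        elif idx in new_ips:
            if new_ips[idx] in taken:
                raise ValueError(f"{new_ips[idx]} is still in use by the backup source")
            interfaces.append(eni_by_private_ip(eni, new_ips[idx]))
        else:
            raise ValueError(f"no restore instruction for DeviceIndex {idx}")
    metadata = {k: restore_metadata[k] for k in PASSTHROUGH_KEYS if k in restore_metadata}
    metadata["NetworkInterfaces"] = json.dumps(interfaces, separators=(",", ":"))
    return metadata


if __name__ == "__main__":
    # Source instance still running: give both recreated interfaces fresh addresses,
    # then pass the file to: aws backup start-restore-job ... --metadata file://metadata.json
    out = build_restore_metadata(SAMPLE_RESTORE_METADATA,
                                 new_ips={0: "172.31.62.200", 1: "172.31.54.200"})
    with open("metadata.json", "w") as fh:
        json.dump(out, fh, indent=4)
    print(json.dumps(out, indent=4))
```

In practice you would feed the script the RestoreMetadata object from the get-recovery-point-restore-metadata call shown earlier instead of the constructed sample. The script cannot verify the state of an ENI offline; before reusing one by id, confirm with aws ec2 describe-network-interfaces that it is detached and in the available status, as the post requires, otherwise the restore job fails at attach time.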

Reference

https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-ec2-restore-cli/

I hope this will be of help to someone else.