How to restore EC2 instance with multiple ENIs attached from AWS Backup
Goal of this post
Backup EC2 instances with multiple ENIs attached with AWS Backup
Restore EC2 instances with multiple ENIs attached, when restored from a recovery point
How?
Run the StartRestoreJob API, e.g., from the AWS CLI or SDK
Restore jobs launched from the console cannot customize the network interface
EC2 instance backup with multiple ENIs attached
EC2 instances with multiple ENIs attached can also be backed up with AWS Backup. The backup data is stored as an AMI, but an AMI does not contain network interface information.
However, the metadata of the recovery point does include the network interface information. Recovery point metadata can be checked with the GetRecoveryPointRestoreMetadata API.
The following is an example of execution with the AWS CLI.
$ aws backup get-recovery-point-restore-metadata --backup-vault-name Default --recovery-point-arn arn:aws:ec2:us-west-2::image/ami-xxxxxxxxxxxxxxxxx
{
"BackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:Default",
"RecoveryPointArn": "arn:aws:ec2:us-west-2::image/ami-xxxxxxxxxxxxxxxxx",
"RestoreMetadata": {
"CapacityReservationSpecification": "{\"CapacityReservationPreference\":\"open\"}",
"CpuOptions": "{\"CoreCount\":2,\"ThreadsPerCore\":1}",
"CreditSpecification": "{\"CpuCredits\":\"unlimited\"}",
"DisableApiTermination": "false",
"EbsOptimized": "true",
"HibernationOptions": "{\"Configured\":false}",
"InstanceInitiatedShutdownBehavior": "stop",
"InstanceType": "t4g.micro",
"Monitoring": "{\"State\":\"disabled\"}",
"NetworkInterfaces": "[{\"AssociatePublicIpAddress\":true,\"DeleteOnTermination\":true,\"Description\":\"\",\"DeviceIndex\":0,\"Groups\":[\"sg-xxxxxxxxxxxxxxxxx\"],\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"NetworkInterfaceId\":\"eni-aaaaaaaaaaaaaaaaa\",\"PrivateIpAddress\":\"172.31.62.169\",\"PrivateIpAddresses\":[{\"Primary\":true,\"PrivateIpAddress\":\"172.31.62.169\"}],\"SecondaryPrivateIpAddressCount\":0,\"SubnetId\":\"subnet-xxxxxxxxxxxxxxxxx\",\"InterfaceType\":\"interface\",\"Ipv4Prefixes\":[],\"Ipv6Prefixes\":[]},{\"AssociatePublicIpAddress\":true,\"DeleteOnTermination\":false,\"Description\":\"\",\"DeviceIndex\":1,\"Groups\":[\"sg-xxxxxxxxxxxxxxxxx\"],\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"NetworkInterfaceId\":\"eni-bbbbbbbbbbbbbbbbb\",\"PrivateIpAddress\":\"172.31.54.130\",\"PrivateIpAddresses\":[{\"Primary\":true,\"PrivateIpAddress\":\"172.31.54.130\"}],\"SecondaryPrivateIpAddressCount\":0,\"SubnetId\":\"subnet-xxxxxxxxxxxxxxxxx\",\"InterfaceType\":\"interface\",\"Ipv4Prefixes\":[],\"Ipv6Prefixes\":[]}]",
"Placement": "{\"AvailabilityZone\":\"us-west-2d\",\"GroupName\":\"\",\"Tenancy\":\"default\"}",
"RequireIMDSv2": "false",
"SecurityGroupIds": "[\"sg-xxxxxxxxxxxxxxxxx\"]",
"SubnetId": "subnet-xxxxxxxxxxxxxxxxx",
"VpcId": "vpc-xxxxxxxxxxxxxxxxx",
"aws:backup:request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
}
In the output above, you can see that the information for eni-aaaaaaaaaaaaaaaaa and eni-bbbbbbbbbbbbbbbbb is included.
How to restore from a recovery point
When launching a restore job in the AWS Backup console, it is not possible to restore an EC2 instance with multiple ENIs attached. This is because the console limits the customizable parameters to the following.
https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-ec2.html
The AWS Backup console allows you to restore Amazon EC2 recovery points with the following parameters and settings you can customize:
Instance type
Amazon VPC
Subnet
Security groups
IAM role
Shutdown behavior
Stop–hibernate behavior
Termination protection
T2/T3 unlimited
Placement group name
EBS-optimized instance
Tenancy
RAM disk ID
Kernel ID
User data
Deletion on termination
To restore an EC2 instance with other customized parameters, including the network interface, you must execute the StartRestoreJob API with metadata, e.g., from the AWS CLI or SDK.
Use the AWS Backup API, CLI, or SDK to restore Amazon EC2 recovery points: use StartRestoreJob. This option allows you to restore all 38 parameters, including the 22 parameters that are not customizable on the console.
The following is an example of execution with the AWS CLI.
$ aws backup start-restore-job \
--recovery-point-arn "arn:aws:ec2:us-west-2::image/ami-xxxxxxxxxxxxxxxxx" \
--iam-role-arn "arn:aws:iam::123456789012:role/service-role/AWSBackupDefaultServiceRole" \
--metadata file://metadata.json
{
"RestoreJobId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
You can specify parameters in metadata.json as follows.
Example of specifying a private IP address
Please note that if the backup source instance still exists, the private IP addresses must be changed so that they do not collide with the addresses the source instance is still using.
{
"VpcId": "vpc-xxxxxxxxxxxxxxxxx",
"Monitoring": "{\"State\":\"disabled\"}",
"CapacityReservationSpecification": "{\"CapacityReservationPreference\":\"open\"}",
"InstanceInitiatedShutdownBehavior": "stop",
"DisableApiTermination": "false",
"CreditSpecification": "{\"CpuCredits\":\"unlimited\"}",
"HibernationOptions": "{\"Configured\":false}",
"EbsOptimized": "true",
"Placement": "{\"AvailabilityZone\":\"us-west-2d\",\"GroupName\":\"\",\"Tenancy\":\"default\"}",
"aws:backup:request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"InstanceType": "t4g.micro",
"NetworkInterfaces": "[{\"DeleteOnTermination\":true,\"Description\":\"\",\"DeviceIndex\":0,\"Groups\":[\"sg-xxxxxxxxxxxxxxxxx\"],\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"PrivateIpAddresses\":[{\"Primary\":true,\"PrivateIpAddress\":\"172.31.62.169\"}],\"SubnetId\":\"subnet-xxxxxxxxxxxxxxxxx\",\"InterfaceType\":\"interface\"},{\"DeleteOnTermination\":false,\"Description\":\"\",\"DeviceIndex\":1,\"Groups\":[\"sg-xxxxxxxxxxxxxxxxx\"],\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"PrivateIpAddresses\":[{\"Primary\":true,\"PrivateIpAddress\":\"172.31.54.130\"}],\"SubnetId\":\"subnet-xxxxxxxxxxxxxxxxx\",\"InterfaceType\":\"interface\"}]"
}
Example of specifying ENI-ID
Please note that if the backup source ENI is to be reused, it must be detached from the source instance and in the Available status before the restore job runs.
{
"VpcId": "vpc-xxxxxxxxxxxxxxxxx",
"Monitoring": "{\"State\":\"disabled\"}",
"CapacityReservationSpecification": "{\"CapacityReservationPreference\":\"open\"}",
"InstanceInitiatedShutdownBehavior": "stop",
"DisableApiTermination": "false",
"CreditSpecification": "{\"CpuCredits\":\"unlimited\"}",
"HibernationOptions": "{\"Configured\":false}",
"EbsOptimized": "true",
"Placement": "{\"AvailabilityZone\":\"us-west-2d\",\"GroupName\":\"\",\"Tenancy\":\"default\"}",
"aws:backup:request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"InstanceType": "t4g.micro",
"NetworkInterfaces": "[{\"DeleteOnTermination\":true,\"Description\":\"\",\"DeviceIndex\":0,\"Groups\":[\"sg-xxxxxxxxxxxxxxxxx\"],\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"PrivateIpAddresses\":[{\"Primary\":true,\"PrivateIpAddress\":\"172.31.62.169\"}],\"SubnetId\":\"subnet-xxxxxxxxxxxxxxxxx\",\"InterfaceType\":\"interface\"},{\"DeleteOnTermination\":false,\"Description\":\"\",\"DeviceIndex\":1,\"Ipv6AddressCount\":0,\"Ipv6Addresses\":[],\"NetworkInterfaceId\":\"eni-bbbbbbbbbbbbbbbbb\"}]"
}
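The transformation both metadata.json examples above perform, as an added Python example that is not part of the original post: it takes the RestoreMetadata returned by GetRecoveryPointRestoreMetadata, rebuilds the nested NetworkInterfaces JSON string either with new private IP addresses (first example) or with the detached ENI's ID (second example), and refuses to reuse a private IP address the source instance still holds. The sample metadata, the function names and the placeholder IDs are constructed, not taken from a real account.

```python
import json
# Constructed sample in the shape of RestoreMetadata from GetRecoveryPointRestoreMetadata
# (IDs are placeholders, not real resources).
def _src_eni(idx, eni_id, ip, delete_on_term):
    return {"DeviceIndex": idx, "DeleteOnTermination": delete_on_term, "Description": "",
            "Groups": ["sg-xxxxxxxxxxxxxxxxx"], "Ipv6AddressCount": 0, "Ipv6Addresses": [],
            "NetworkInterfaceId": eni_id, "PrivateIpAddress": ip,
            "PrivateIpAddresses": [{"Primary": True, "PrivateIpAddress": ip}],
            "SubnetId": "subnet-xxxxxxxxxxxxxxxxx", "InterfaceType": "interface"}

SAMPLE_RESTORE_METADATA = {
    "VpcId": "vpc-xxxxxxxxxxxxxxxxx", "InstanceType": "t4g.micro", "EbsOptimized": "true",
    "Placement": "{\"AvailabilityZone\":\"us-west-2d\",\"GroupName\":\"\",\"Tenancy\":\"default\"}",
    "SubnetId": "subnet-xxxxxxxxxxxxxxxxx", "SecurityGroupIds": "[\"sg-xxxxxxxxxxxxxxxxx\"]",
    "aws:backup:request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "NetworkInterfaces": json.dumps([_src_eni(0, "eni-aaaaaaaaaaaaaaaaa", "172.31.62.169", True),
                                     _src_eni(1, "eni-bbbbbbbbbbbbbbbbb", "172.31.54.130", False)]),
}

# Top-level keys the page's metadata.json carries over unchanged; SubnetId and
# SecurityGroupIds are deliberately left out because NetworkInterfaces supplies them.
PASSTHROUGH = ("VpcId", "Monitoring", "CapacityReservationSpecification",
               "InstanceInitiatedShutdownBehavior", "DisableApiTermination",
               "CreditSpecification", "HibernationOptions", "EbsOptimized",
               "Placement", "aws:backup:request-id", "InstanceType")

def build_restore_metadata(meta, new_ips=None, reuse_eni=(), source_exists=True):
    """StartRestoreJob metadata from a recovery point's RestoreMetadata.
    new_ips: {device_index: ip} for recreated ENIs; reuse_eni: device indexes
    whose detached (Available) original ENI is reattached; source_exists: if
    True, a recreated ENI may not keep a private IP the source still holds."""
    out = {k: meta[k] for k in PASSTHROUGH if k in meta}
    enis = []
    for eni in json.loads(meta["NetworkInterfaces"]):   # nested JSON string, not a list
        idx = eni["DeviceIndex"]
        spec = {k: eni[k] for k in ("DeleteOnTermination", "Description", "DeviceIndex",
                                     "Ipv6AddressCount", "Ipv6Addresses")}
        if idx in reuse_eni:
            spec["NetworkInterfaceId"] = eni["NetworkInterfaceId"]   # second example above
        else:
            ip = (new_ips or {}).get(idx, eni["PrivateIpAddress"])
            if source_exists and ip == eni["PrivateIpAddress"]:
                raise ValueError(f"device {idx}: {ip} is still held by the source instance")
            spec.update(Groups=eni["Groups"], SubnetId=eni["SubnetId"],
                        InterfaceType=eni["InterfaceType"],
                        PrivateIpAddresses=[{"Primary": True, "PrivateIpAddress": ip}])
        enis.append(spec)
    out["NetworkInterfaces"] = json.dumps(enis, separators=(",", ":"))
    return out
```

Write the returned dict to metadata.json with json.dump and pass it to the start-restore-job command shown above, or hand it directly to the Metadata argument of boto3's backup client start_restore_job.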
Reference
https://aws.amazon.com/premiumsupport/knowledge-center/aws-backup-ec2-restore-cli/
I hope this will be of help to someone else.