Amazon EBS Direct API restores run full instance restores and attach volume restores faster across regions, availability zones (AZ), and accounts. You can write data to the Amazon EBS snapshots directly without the need to create and attach volumes to the access node.
Amazon EBS Direct API restores leverage the Amazon EBS direct APIs to create an Amazon EBS snapshot with data stored in the Commvault ContentStore. After the snapshot is created, you can restore an Amazon EC2 instance or an Amazon EBS volume. EBS direct APIs simplify the recovery process, allow restores to be performed from on-premises or from remote regions, and reduce the cost of restore operations.
Key Benefits
- Write Amazon EBS snapshot blocks (PutSnapshotBlock) without creating or attaching a volume.
- Quick disaster recovery.
Supported Configurations
- Streaming restores and restores from IntelliSnap backup copies
Required Amazon IAM Permissions
Amazon EBS direct API restores use the Amazon EBS service and require the following AWS permissions:
- ec2:GetEbsEncryptionByDefault
- ec2:CreateTags
- ec2:GetEbsDefaultKmsKeyId
- ebs:StartSnapshot
- ebs:PutSnapshotBlock
- ebs:CompleteSnapshot
- kms:GenerateDataKey
AWS Reference Topics
- AWS launches Amazon EBS direct APIs that provide write access to the Amazon EBS snapshot data, enabling restore providers to achieve faster restores of Amazon EBS volumes at lower costs. See AWS What's New.
- Amazon Elastic Block Store (EBS) direct APIs. See Amazon Elastic Block API reference.
- Amazon Elastic Block Store (EBS) pricing. See Amazon EBS direct APIs for Snapshots.
User Considerations
- Access nodes can reside outside of AWS. However, for the best throughput for backups and restores, use access nodes that are in the same AWS region where the guest instances are getting backed up.
- The security group applied to the VPC endpoint must allow incoming HTTPS (port 443) connections from any and all Commvault Access Nodes to communicate with the endpoint network interface. See AWS service using an interface VPC endpoint - Amazon Virtual Private Cloud.
- The Amazon EBS service endpoint must be accessible from the VSA access node directly, without an HTTP proxy. The HTTP proxy setting is not honored for Amazon EBS direct API requests.
  For more information about Amazon EBS endpoints for different regions, see Amazon Elastic Block Store endpoints and quotas on the AWS documentation site.
- The VSA access nodes can reside outside of Amazon, but it is recommended to use the VSA access nodes on Amazon, for better throughput.
- For maximum throughput, use an 'interface VPC endpoint' for the Amazon EBS service.
  For example, in the AWS console, create an interface endpoint in your VPC for the service 'com.amazonaws.us-east-1.ebs'. Ensure that the 'ebs.us-east-1.amazonaws.com' service is resolving to the private IP address of the interface endpoint. If not, add a host file entry to enforce IP address resolution.
- Since the Amazon EBS direct API backup operation is CPU intensive, the instance type of the access node is a limiting factor for throughput.
- The service quota for GetSnapshotBlock requests per account per Region is 1,000 per second by default. To increase the service quota limit, you must open a ticket with AWS.
- If the Amazon EBS VPC endpoint is configured in the access node's VPC settings, but the Amazon EBS endpoint does not resolve to the VPC endpoint’s IP, the software adds a host file entry for the Amazon EBS endpoint name to the internal IP of the Amazon EBS VPC endpoint to avoid egress charges or slow backups and restores.
How It Works
- Create empty snapshots in the destination zone, region, or account using the StartSnapshot API.
- Write data using the PutSnapshotBlock API.
- Complete the snapshots using the CompleteSnapshot API.
- Create volumes from snapshots.
- Create an instance and attach the new volumes.
- Delete the snapshots created.
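
The first three steps above, sketched as an added example (not Commvault's code) that shows the per-block SHA-256 checksum sent with each PutSnapshotBlock call and the block count passed to CompleteSnapshot. The names `plan_blocks`, `restore_to_snapshot` and `RecordingEbs` are hypothetical, the `ebs` parameter is assumed to be a boto3 EBS client, and the recorder class is a constructed stand-in so the call sequence can be run offline.

```python
import base64
import hashlib

BLOCK_SIZE = 512 * 1024  # EBS direct APIs move snapshot data in 512 KiB blocks


def plan_blocks(image: bytes):
    """Yield (block_index, data, base64 SHA-256) for each non-zero block."""
    for offset in range(0, len(image), BLOCK_SIZE):
        # Zero-pad a short final block so DataLength is always BLOCK_SIZE.
        data = image[offset:offset + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
        if not any(data):
            continue  # blocks never written to a new snapshot read back as zeros
        checksum = base64.b64encode(hashlib.sha256(data).digest()).decode()
        yield offset // BLOCK_SIZE, data, checksum


def restore_to_snapshot(ebs, image: bytes, volume_size_gib: int) -> str:
    """StartSnapshot, one PutSnapshotBlock per block, then CompleteSnapshot."""
    if len(image) > volume_size_gib * 1024 ** 3:
        raise ValueError("image does not fit in the requested volume size")
    snapshot_id = ebs.start_snapshot(VolumeSize=volume_size_gib)["SnapshotId"]
    written = 0
    for index, data, checksum in plan_blocks(image):
        ebs.put_snapshot_block(
            SnapshotId=snapshot_id, BlockIndex=index, BlockData=data,
            DataLength=BLOCK_SIZE, Checksum=checksum, ChecksumAlgorithm="SHA256",
        )
        written += 1
    # ChangedBlocksCount must equal the number of blocks actually written.
    ebs.complete_snapshot(SnapshotId=snapshot_id, ChangedBlocksCount=written)
    return snapshot_id


class RecordingEbs:
    """Constructed stand-in for boto3.client("ebs"): records calls, sends nothing."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {"SnapshotId": "snap-EXAMPLE"}  # placeholder id
        return call
```

With real credentials, pass `boto3.client("ebs")` for the destination region instead of the recorder. The remaining steps (creating volumes, launching the instance, deleting the snapshots) go through the EC2 API and are not shown.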