Restrictions and Known Limitations for Protecting Amazon EC2 with Commvault

There are limitations and known issues for protecting Amazon EC2 instances, Amazon EBS volumes, and Amazon VPC resources with Commvault. Workarounds, if available, are included.

Amazon EC2

• Amazon EC2 Spot Instances can be protected but can be restored only as non-Spot (that is, on-demand) instances.

• Amazon Machine Images (AMIs) used to provision Amazon EC2 instances (public, private) are not protected.

• Private primary IP addresses (IPv4) are collected during Amazon EC2 instance backups, but are re-created only during in-place restores.

• Commvault protects (backs up) Amazon EC2 instances that have custom CPU counts but restores them as the standard Amazon EC2 instance family and size. Custom CPU configurations are not restored.

• Full instance out-of-place restores of Amazon EC2 instances that were deployed from the AWS Marketplace do not restore AMI product codes.

• Static IP addresses on protected EC2 instances are not restored. The Commvault software converts static IP addresses to DHCP as follows:

  • For restores using the Import method, static IPs are converted to DHCP.

  • For restores of Windows instances using the HotAdd method or the EBS Direct method, static IP addresses are converted to DHCP, unless the DHCP service is disabled.

  • For restores of Linux instances using the HotAdd method, static IP addresses are converted to DHCP during the driver injection process.

  • For restores of Linux instances using the EBS Direct method, static IP addresses are not automatically converted to DHCP. You must manually enable DHCP -- either on the source instance before the restore or on the restored instance after the restore.

Amazon EBS

• Amazon EBS gp3 volume throughput settings are not retained during a full instance restores (in-place with overwrite, out of place).

• Amazon EBS io2 block express volumes are not protected or recoverable.

Amazon VPC

Commvault protects and gathers the underlying AWS resources and configuration metadata for the following resources, but, if they are missing, Commvault does not re-create them during an Amazon EC2 full instance restore. Resources are listed as they appear in the Amazon VPC management console.

Virtual Private Cloud

• Subnet CIDR reservations (IPv4, IPv6)

• Route tables (Main, Custom)

• Internet gateways

• Egress-only internet gateways

• Carrier gateways (AWS Wavelength)

• DHCP option sets

• Elastic IPs (IPv4)

  • Public IPv4 addresses

• Managed prefix lists

• Endpoints (Interface, Gateway)

• Endpoint services

• NAT gateways (Public, Private)

• Peering connections

• VPC Flow Logs

• Transit gateways and transit gateway attachments

• Virtual private networks: Customer gateways (site-to-site VPN connections), virtual private gateways (VPN gateways)

Security

• Network access control lists (Network ACLs)

• Out-of-place recovery of Amazon EC2 instance with dependant VPC resources (VPCs, Public subnets, Private subnets, Security Groups, Elastic Network Interfaces) to the same Regions or to alternate Regions or AWS accounts is not supported.

  Workaround: Before restoring Amazon EC2 instances to new Regions or AWS accounts, manually pre-create the destination VPC, Subnets, and related network configuration.

• Network resources created during a failed restore are not removed.

  Workaround: You can use the tags set on the network entities to identify the resources that are created as part of restore and to perform manual cleanup if needed.

  Commvault adds the following set of tags on the resources we create:

  • ‘GX_BACKUP’ tag with a value that contains information about which restore job created it.

  • ‘CV_SourceId’ tag with a value that is the corresponding source entity ID.

  All tags that were set on the source network entity are also restored.

• For out-of-place restores, custom primary private IP addresses are not restored (IPv4, IPv6)

• Default VPCs are restored as non-default VPCs.

• Default VPC security group is restored only when the source VM has the corresponding default security group associated.

• Other network and content delivery AWS resources that visible in the Amazon VPC management console and that are not protected or recovered include the following:

  • DNS firewall

    • Route 53 Resolver DNS firewalls (Rule groups, Domain lists)

  • Network Firewalls

    • Network Firewalls (firewalls, firewall policies, Network Firewall rule groups, TLS inspection configurations, Network Firewall resource groups)

  • Virtual private network

    • Site-to-Site VPN Connections (AWS Site-to-Site VPN, AWS Client VPN, AWS VPN CloudHub, third-party software VPN appliances)

    • AWS Client VPN endpoints

  • VPC Lattice

    • Service networks

    • Services

    • Target groups

  • Transit gateways

    • Transit gateway policy tables

    • Transit gateway route tables

    • Transit gateway multicast

  • Traffic Mirroring

    • Mirror sessions

    • Mirror targets

    • Mirror filters

  • Cloud WAN resources

  • Network Manager

    • IP Address Manager (IPAM) pools

    • Network Access Analyzer

    • Reachability Analyzer

  • AWS Direct Connect

    • Routers