Back Up and Restore Amazon RDS for SQL Server Databases

Commvault provides a solution that you can use to perform backup and restore operations on Amazon RDS SQL Server databases. Only full and differential backups are supported for Amazon RDS SQL instances.

The Amazon Relational Database Service (RDS) provides configuration and scaling resources to host relational databases in the Amazon Web Services (AWS) cloud.

Note

You can also protect SQL Server databases using Amazon RDS Custom for SQL Server. For more information, see Amazon RDS Custom for SQL Server.

Configuration Prerequisites

The solution includes the following components:

A Windows SQL client that meets the following requirements:
- Has port 1433 open so that it can communicate with the Amazon RDS instance
- If AWS STS assume role with IAM role policy authentication mode is in use, open port 443 so that it can communicate with the AWS Security Token Service (AWS STS).
- The SQL agent must be installed
An Amazon RDS SQL instance
A dedicated Amazon S3 bucket for staging backups
Master account credentials for the Amazon RDS SQL instance

If you cannot use a master account for the backup and restore operations, create a non-master user account with required permissions. For more information, see Creating a Non-Master User Account for Amazon RDS SQL Database Backups.
To protect Amazon RDS for SQL Server using STS assume role authentication, do one of the following:
- Provide access to the global endpoint for AWS STS to the access node for Amazon RDS for SQL Server.
- If you cannot provide direct access to the global endpoint for AWS STS from the access nodes, then provide access to the global endpoint for AWS STS to a different machine and use that machine as an HTTP proxy for the access nodes for Amazon RDS for SQL Server. For instructions about how to configure an HTTP proxy for an access node, see System Requirements for Amazon RDS for SQL Server.

Configuration

Note

If you upgraded from Service Pack 9 or Service Pack 10, then you can continue to use your existing client for backup and restore operations. You must create pseudo-clients for any additional Amazon RDS instances that you want to protect.

Configure the Amazon database instance to have the native backup and restore option. For more information, see the Amazon article, Microsoft SQL Server Native Backup and Restore Support.

When configuring the backup and restore support, verify that the IAM role associated to the option group has the AWS permission policy to the S3 bucket or object with the following permissions:

List (ListBucket)
Read (GetBucketLocation, GetObject, ListMultipartUploadParts)
Write (AbortMultipartUpload, PutObject)

The following sample script assigns the permissions policy to the IAM role:

"Statement":[
    {
        "Effect":"Allow",
        "Action":[
        "s3:ListBucket",
        "s3:GetBucketLocation"
        ],
        "Resource":[
            "arn:aws:s3:::bucket_name"
        ]       
    },
    {
        "Effect":"Allow",
        "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:PutObject",
            "s3:ListMultipartUploadParts",
            "s3:AbortMultipartUpload"
        ],
        "Resource":[
            "arn:aws:s3:::bucket_name/*"
        ]
    }
]
}

For a non-root user, use the following script to create the policy and assign the permissions to the IAM role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObjectMetaData",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "rds:*",
            "Resource": "*"
        }
    ]
}

For instructions on obtaining Amazon access keys, see Amazon Elastic Compute Cloud Documentation.

Add a pseudo-client for the Amazon account. For more information, see Creating a Pseudo-Client for an Amazon RDS Account.

An account can contain multiple RDS SQL instances.
Add a SQL server to the pseudo-client for each Amazon RDS instance that you want to protect. For more information, see Adding Amazon RDS SQL instances to the Pseudo-client.

Backups

Perform a backup operation. For more information, see Backing Up Amazon RDS SQL Databases.

Restores

Determine your restore source and destination, and then perform one of the following tasks:

Restore the Amazon SQL RDS backup to an Amazon RDS instance. For more information, see Restoring from an Amazon RDS Instance to Another Amazon RDS Instance.
Restore an on-premises instance to an Amazon RDS instance. For more information see Restoring from an On-Premises SQL Instance to an Amazon RDS Instance.
Restore an Amazon SQL RDS instance to an on-premises database. For more information see Restoring from an Amazon RDS Instance to an On-Premises SQL Database.