Restrictions and Known Limitations for Protecting Amazon EC2 with Commvault

There are limitations and known issues for protecting Amazon EC2 instances, Amazon EBS volumes, Amazon VPC resources, and Amazon EBS io2 block express volumes with Commvault. Workarounds, if available, are included.

Amazon EC2

  • Amazon EC2 Spot Instances can be protected, but they can be restored only as non-Spot (that is, on-demand) instances.

  • Amazon Machine Images (AMIs) that are used to provision Amazon EC2 instances (public, private) are not protected.

  • Static IP addresses on protected EC2 instances are not restored. The Commvault software converts static IP addresses to DHCP as follows:

    • For restores using the Import method, static IPs are converted to DHCP.

    • For restores of Windows instances using the HotAdd method or the EBS Direct method, static IP addresses are converted to DHCP, unless the DHCP service is disabled.

    • For restores of Linux instances using the HotAdd method, static IP addresses are converted to DHCP during the driver injection process.

    • For restores of Linux instances using the EBS Direct method, static IP addresses are not automatically converted to DHCP. You must manually enable DHCP, either on the source instance before the restore or on the restored instance after the restore.

  • Private primary IP addresses (IPv4) are collected during Amazon EC2 instance backups, but are re-created during full instance restores.

  • Custom primary private IP addresses (IPv6) are not restored.

  • Custom CPU configurations on protected EC2 instances are not restored.

  • Full instance out-of-place restores of Amazon EC2 instances that were deployed from the AWS Marketplace do not restore AMI product codes.

  • User data is not protected or restored as part of EC2 instance protection.

  • For EC2 instances that have multiple network interface controllers (NICs), all the NICs are backed up. However, when the instance is restored, only one NIC is restored.

  • Because of an AWS limitation, when you perform a restore that reuses an existing Elastic Network Interface (ENI), the Commvault software cannot assign a new, custom IP address. Instead, the software reuses the selected ENI.

Amazon EBS

  • Customization of EBS volume settings is supported for full EC2 instance restores, but not for the following:

    • Volume attach restores

    • Autonomous recovery (for example, periodic replication)

    • Restore operations performed by VM End User roles

  • Amazon EBS instance store volumes are not protected or restored as part of EC2 instance protection.

    Note

    To perform file system level backup and recovery of EC2 instance store data, you can install Commvault file system agents inside the EC2 instance.

Commvault Limitations Using io2 Volumes

  • If the source EBS volume is greater than 16 TB and the access node is a non-Nitro instance type, the HotAdd transport mode is not feasible for backup and restore, because volumes greater than 16 TB cannot be attached to non-Nitro instances.

  • If the source EBS volume is greater than 16 TB, the EBS volumes are unencrypted, and encryption by default is enabled on the account or region, Live Browse from snap copy using the HotAdd transport mode is not feasible. This is because Commvault Cloud cannot create an encrypted snap copy for Live Browse at this time. Try using EBS Direct mode instead.

  • If the source EBS volume is greater than 16 TB, the EBS volumes are unencrypted, and encryption by default is enabled on the account or region, backup copy using the HotAdd transport mode is not feasible. This is because Commvault Cloud cannot create the encrypted snapshot copy required by the HotAdd backup copy process at this time. Try using EBS Direct mode instead.
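The three conditions above combine volume size, encryption state, the account-level encryption-by-default setting, and the access node type. The following pre-flight check is an added example, not Commvault code: it evaluates those conditions over volume records that use the DescribeVolumes field names Size and Encrypted. The function names, the operation labels, the constructed sample volumes, and the reading of "16 TB" as 16 TiB (16384 GiB) are assumptions.

```python
# Added example, not Commvault code. Sample volumes below are constructed.
LIMIT_GIB = 16 * 1024  # assumption: the page's "16 TB" read as 16 TiB; EC2 reports Size in GiB


def hotadd_blockers(volume, access_node_is_nitro, encryption_by_default):
    """Return {operation: reason} for the HotAdd operations the limitations rule out.

    volume uses the DescribeVolumes field names Size (GiB) and Encrypted.
    encryption_by_default is the account/Region EBS setting
    (EbsEncryptionByDefault in the GetEbsEncryptionByDefault response).
    """
    blockers = {}
    if volume["Size"] <= LIMIT_GIB:
        return blockers  # none of the three limitations applies
    if not access_node_is_nitro:
        reason = "volume larger than 16 TB cannot be attached to a non-Nitro access node"
        blockers["backup"] = reason
        blockers["restore"] = reason
    if not volume["Encrypted"] and encryption_by_default:
        reason = "encrypted snap copy cannot be created; try EBS Direct instead"
        blockers["live_browse_from_snap"] = reason
        blockers["backup_copy"] = reason
    return blockers


def preflight(volumes, access_node_is_nitro, encryption_by_default):
    """Map each VolumeId to its blocked HotAdd operations (empty dict = none)."""
    return {
        v["VolumeId"]: hotadd_blockers(v, access_node_is_nitro, encryption_by_default)
        for v in volumes
    }


SAMPLE_VOLUMES = [  # constructed records, not real volume IDs
    {"VolumeId": "vol-example-small", "Size": 500, "Encrypted": False},
    {"VolumeId": "vol-example-big-plain", "Size": 20480, "Encrypted": False},
    {"VolumeId": "vol-example-big-enc", "Size": 20480, "Encrypted": True},
]

if __name__ == "__main__":
    report = preflight(SAMPLE_VOLUMES, access_node_is_nitro=False,
                       encryption_by_default=True)
    for vol_id, blocked in report.items():
        print(vol_id, blocked or "HotAdd not blocked by these limitations")
```
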

Amazon VPC

Commvault protects and gathers the underlying AWS resources and configuration metadata for the following resources, but, if they are missing, Commvault does not re-create them during an Amazon EC2 full instance restore. Resources are listed as they appear in the Amazon VPC management console.

Resources That Are Recoverable, with Limitations

To recover flow logs with an out-of-place, cross-account restore, you must disable the Restore source network configuration setting.

Note

Resources are listed in the order they appear in the Amazon VPC management console.

Unrecoverable Resources

  • Subnet CIDR reservations (IPv4, IPv6)

  • Route tables (Main, Custom)

  • Internet gateways

  • Egress-only internet gateways

  • Carrier gateways (AWS Wavelength)

  • Elastic IPs (IPv4)

  • Managed prefix lists

  • Endpoints (Interface, Gateway)

  • Endpoint services

  • NAT gateways (Public, Private)

  • Peering connections

  • VPC Flow Logs

  • Transit gateways

    • Transit gateway policy tables

    • Transit gateway route tables

    • Transit gateway multicast

  • Virtual private networks: Customer gateways (site-to-site VPN connections), virtual private gateways (VPN gateways)

  • Network access control lists (Network ACLs)

    • AWS Verified Access

      • Verified Access instances

      • Verified Access trust providers

      • Verified Access groups

      • Verified Access endpoints

    • DNS firewall

      • Route 53 Resolver DNS firewalls (Rule groups, Domain lists)

    • Network firewalls

      • Network firewalls (firewalls, firewall policies, Network Firewall rule groups, TLS inspection configurations, Network Firewall resource groups)

    • Virtual private network

      • Site-to-Site VPN Connections (AWS Site-to-Site VPN, AWS Client VPN, AWS VPN CloudHub, third-party software VPN appliances)

      • AWS Client VPN endpoints

    • VPC Lattice

      • Service networks

      • Services

      • Target groups

    • Transit gateways

      • Transit gateway policy tables

      • Transit gateway route tables

      • Transit gateway multicast

    • Traffic Mirroring

      • Mirror sessions

      • Mirror targets

      • Mirror filters

    • Cloud WAN resources

    • Network Manager

      • IP Address Manager (IPAM) pools

      • Network Access Analyzer

      • Reachability Analyzer

    • AWS Direct Connect

      • Routers

Security

Unprotected Resources

  • Transit gateways

    • Transit gateway policy tables

    • Transit gateway route tables

    • Transit gateway multicast

    Enable encryption by default
