Amazon VPC Resources That Commvault Protects

You can recover full Amazon EC2 instances together with their related Amazon VPC resources, and you can recover the EC2 network configuration and security posture settings in JSON format.

You can do the following:

  • Back up EC2 instances with supported VPC resources in all supported regions and AWS accounts

  • Recover full Amazon EC2 instances, re-creating any missing VPC resources

  • Recover known, good Amazon EC2 and Amazon VPC network configuration and security settings for forensic investigation (JSON format)
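An added example (not Commvault's code) of the forensic comparison that a recovered known-good configuration enables: it diffs a known-good security group snapshot against the current state, keyed by GroupId, and reports groups that are missing, groups that were not in the snapshot, and rules added or removed per direction. The field layout is assumed to follow the EC2 DescribeSecurityGroups response shape, since the page does not specify the export format, and the sample data is constructed.

```python
import json

def _rule_set(group, direction):
    # Flatten one group's rules into hashable (protocol, from, to, source) tuples.
    rules = set()
    for perm in group.get(direction, []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        for rng in perm.get("IpRanges", []):
            rules.add((proto, lo, hi, rng["CidrIp"]))
        for rng in perm.get("Ipv6Ranges", []):
            rules.add((proto, lo, hi, rng["CidrIpv6"]))
        for pair in perm.get("UserIdGroupPairs", []):
            rules.add((proto, lo, hi, pair["GroupId"]))
    return rules

def security_group_drift(known_good_json, current_json):
    """Diff a known-good security-group snapshot against the current state.

    Groups are matched by GroupId. The report lists groups missing from the current
    state, groups the snapshot never had, and per-direction rule additions/removals.
    """
    good = {g["GroupId"]: g for g in json.loads(known_good_json)["SecurityGroups"]}
    cur = {g["GroupId"]: g for g in json.loads(current_json)["SecurityGroups"]}
    report = {"missing": sorted(good.keys() - cur.keys()),
              "unexpected": sorted(cur.keys() - good.keys()), "changed": {}}
    for gid in good.keys() & cur.keys():
        for direction in ("IpPermissions", "IpPermissionsEgress"):
            before, after = _rule_set(good[gid], direction), _rule_set(cur[gid], direction)
            if before != after:  # key=repr because FromPort is None for protocol "-1"
                report["changed"].setdefault(gid, {})[direction] = {
                    "added": sorted(after - before, key=repr),
                    "removed": sorted(before - after, key=repr)}
    return report

# Constructed sample data in the DescribeSecurityGroups response shape (an assumption).
KNOWN_GOOD = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]})
CURRENT_STATE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "unknown", "IpPermissions": [], "IpPermissionsEgress": []}]})
```

Running security_group_drift(KNOWN_GOOD, CURRENT_STATE) flags the new world-reachable port 22 ingress on sg-0aaa and the group sg-0bbb that the snapshot never contained.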

Required Permissions

Before using this capability, verify that the amazon_restricted_role_permissions.json policy is assigned to the IAM user or IAM role that is used to authenticate to the Amazon EC2 hypervisor that contains the VPC resources that you want to protect. For more information, see Requirements and Usage for AWS IAM Policies and Permissions.

Commvault recommends controlling access to AWS resources using tags or TagKeys to further restrict the scope of access for Commvault data protection operations.

The blocks in amazon_restricted_role_permissions.json that are absolutely required for VPC protection are as follows:

{
   "Sid": "VPCBackupPermissions",
   "Effect": "Allow",
   "Action": [
      "ec2:GetManagedPrefixListEntries",
      "ec2:DescribeVpnConnections",
      "ec2:DescribeVpcPeeringConnections",
      "ec2:DescribeFlowLogs",
      "ec2:DescribeDhcpOptions",
      "ec2:DescribeTransitGateways",
      "ec2:DescribeNatGateways",
      "ec2:GetSubnetCidrReservations",
      "ec2:DescribeCustomerGateways",
      "ec2:DescribeVpcAttribute",
      "ec2:DescribeInternetGateways",
      "ec2:DescribeTransitGatewayAttachments",
      "ec2:DescribeManagedPrefixLists",
      "ec2:DescribeNetworkAcls",
      "ec2:DescribeRouteTables",
      "ec2:DescribeVpnGateways",
      "ec2:DescribeCarrierGateways",
      "ec2:DescribeEgressOnlyInternetGateways"
   ],
   "Resource": "*"
},
{
   "Sid": "VPCRestorePermissions",
   "Effect": "Allow",
   "Action": [
      "ec2:CreateVpc",
      "ec2:DeleteVpc",
      "ec2:AssociateVpcCidrBlock",
      "ec2:AssociateDhcpOptions",
      "ec2:CreateSubnet",
      "ec2:ModifySubnetAttribute",
      "ec2:ModifyVpcAttribute",
      "ec2:CreateSecurityGroup",
      "ec2:DescribeSecurityGroupRules",
      "ec2:RevokeSecurityGroupIngress",
      "ec2:RevokeSecurityGroupEgress",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:AuthorizeSecurityGroupEgress",
      "ec2:DeleteSecurityGroup",
      "ec2:AssignPrivateIpAddresses",
      "ec2:CreateDhcpOptions",
      "ec2:DeleteSubnet",
      "ec2:DeleteDhcpOptions",
      "s3:PutObjectTagging"
   ],
   "Resource": "*"
}
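An added check, not part of the Commvault documentation, that confirms a role's policy document actually covers every action listed in the two blocks above: it resolves IAM action wildcards and NotAction, treats any matching Deny as overriding an Allow, and reports the gaps. The sample policy is constructed for the demonstration.

```python
import fnmatch
import json

# The 37 actions in the VPCBackupPermissions and VPCRestorePermissions blocks above.
REQUIRED_ACTIONS = """
ec2:GetManagedPrefixListEntries ec2:DescribeVpnConnections ec2:DescribeVpcPeeringConnections
ec2:DescribeFlowLogs ec2:DescribeDhcpOptions ec2:DescribeTransitGateways ec2:DescribeNatGateways
ec2:GetSubnetCidrReservations ec2:DescribeCustomerGateways ec2:DescribeVpcAttribute
ec2:DescribeInternetGateways ec2:DescribeTransitGatewayAttachments ec2:DescribeManagedPrefixLists
ec2:DescribeNetworkAcls ec2:DescribeRouteTables ec2:DescribeVpnGateways ec2:DescribeCarrierGateways
ec2:DescribeEgressOnlyInternetGateways ec2:CreateVpc ec2:DeleteVpc ec2:AssociateVpcCidrBlock
ec2:AssociateDhcpOptions ec2:CreateSubnet ec2:ModifySubnetAttribute ec2:ModifyVpcAttribute
ec2:CreateSecurityGroup ec2:DescribeSecurityGroupRules ec2:RevokeSecurityGroupIngress
ec2:RevokeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:AuthorizeSecurityGroupEgress
ec2:DeleteSecurityGroup ec2:AssignPrivateIpAddresses ec2:CreateDhcpOptions ec2:DeleteSubnet
ec2:DeleteDhcpOptions s3:PutObjectTagging
""".split()

def _listed(value):
    # IAM accepts a single string/object or a list for Statement, Action and NotAction.
    return [] if value is None else [value] if isinstance(value, (str, dict)) else list(value)

def _matches(action, patterns):
    # IAM action names match case-insensitively and support the * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not grant (absent or explicitly denied).
    Only Effect, Action and NotAction are evaluated; Resource and Condition are ignored,
    so a conditional Deny still counts as a Deny and the check errs toward reporting a gap."""
    allowed, denied = set(), set()
    for stmt in _listed(json.loads(policy_json).get("Statement")):
        actions, not_actions = _listed(stmt.get("Action")), _listed(stmt.get("NotAction"))
        for act in required:
            if _matches(act, actions) or (not_actions and not _matches(act, not_actions)):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(act)
    return sorted(act for act in required if act not in allowed or act in denied)

# Constructed sample role policy: wildcards cover the read-only calls, three restore
# actions were never granted, and an explicit Deny removes a fourth.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:Get*", "s3:PutObjectTagging"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*Vpc*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:*Subnet*", "ec2:*SecurityGroup*", "ec2:CreateDhcpOptions"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:DeleteVpc", "Resource": "*"},
]})
```

Because Resource and Condition are not evaluated, a clean result here does not prove the tag-scoped restrictions mentioned above are satisfied; it only proves no required action is absent from the policy text.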

Amazon S3 Bucket for VPC Restores

During restores of VPC resources, the Commvault software creates an Amazon S3 bucket in the AWS account and region where a full instance restore with VPC resources is performed. The bucket supports cleanup of Commvault-created VPC resources if the restore fails. The default name of the bucket is gx-restore-<regionId>-<accountId>.

Configuring Customer-Managed KMS

By default, AWS enables server-side encryption on Amazon S3 buckets using Amazon S3 managed keys (SSE-S3). You can change the encryption method to either of the following:

  • Amazon S3 managed key encryption: To use this encryption method, on the access nodes that are used for EC2 backups and restores, add the AWSS3ServerSideEncryptionMethod entity setting with a value of "AES256".

  • AWS KMS key encryption: To use this encryption method, on the access nodes that are used for EC2 backups and restores, add the AWSS3ServerSideEncryptionMethod entity setting with a value of "aws:kms" and the AWSS3ServerSideEncryptionKMSKeyId entity setting with a value of the KMS key ID.

VPC Resources That Are Protected

Commvault protects the following VPC resources and all associated attributes (unless noted) when performing Amazon EC2 instance backups:

  • DHCP option sets

  • DNS attributes

  • Egress-only internet gateways

  • Elastic network interfaces (Linux, Windows)

  • Internet gateways

  • Managed prefix lists (customer-managed, AWS-managed)

  • NAT gateways

  • Network ACLs (default, custom)

  • Route tables (main, custom)

  • Security groups (VPC, instance)

  • Subnets (public, private, VPN only, isolated)

  • Subnet IP address ranges (IPv4 only, dual stack, IPv6 only)

  • VPCs (default, additional)

  • VPC Flow Logs

  • VPC peering connections

Commvault protects the following AWS PrivateLink resources:

  • VPC endpoints (interface, gateway, endpoint services)

Commvault protects the following AWS Site-to-Site VPN resources:

  • VPN gateways

  • VPN connections

  • Customer gateways

Commvault protects the following AWS Transit Gateway resources:

  • Transit gateways (gateways, attachments)

Commvault protects the following AWS Wavelength resources:

  • Carrier gateways

VPC Resources That Are Restored by a Full Amazon EC2 Instance Restore

To restore supported VPC resources and attributes, run a full restore of one or more Amazon EC2 instances in place or out of place.

A full restore either re-creates missing VPC resources or uses existing resources in the target AWS account and region as follows:

Resource                                        Re-created    Re-used (if existing)
DHCP option sets                                Yes           Yes
Elastic Fabric Adapters                         --            Yes
Elastic IPs (public IPs)                        --            Yes
Elastic network interfaces (Linux, Windows)     Yes           Yes
Nested security group rules                     --            Yes
Network ACLs                                    --            Yes
Route tables (main, custom)                     --            Yes
Security groups (VPC, instance)                 Yes           Yes
Subnet CIDR reservations                        --            Yes
Subnets (public, private, VPN only, isolated)   Yes           Yes
VPCs (default, additional)                      Yes           Yes

VPC Resources That Are Not Protected/Recovered
