How Amazon Backup works with supported Amazon services - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

How Amazon Backup works with supported Amazon services

Some Amazon Backup-supported Amazon services offer their own, stand-alone backup features. Those features are available to you independent of whether you use Amazon Backup. However, the backups other Amazon services create are not available for central governance through Amazon Backup.

To configure Amazon Backup to centrally manage data protection for all your supported services, you must opt in to managing that service with Amazon Backup, create an on-demand backup or schedule backups using a backup plan, and store your backups in backup vaults.

Opt in to managing services with Amazon Backup

When new Amazon services become available, you must enable Amazon Backup to use those services. If you try to create an on-demand backup or backup plan using resources from a service that is not enabled, you receive an error message and cannot complete the process.

The Amazon Backup console has two ways to include resource types in a backup plan: explicitly assign the resource type in a backup plan or include all resources. See the points below to understand how these selections work with service opt ins.

  • If resource assignments are only based on tags, then service opt-in settings are applied.

  • If a resource type is explicitly assigned to a backup plan, it will be included in the backup even if the opt-in is not enabled for that particular service. This does not apply to Aurora, Neptune, and Amazon DocumentDB. For these services to be included, the opt-in must be enabled.

  • If both resource type and tags are specified in a resource assignment, the specified resource types are filtered first, then tags further filter those resources.

    Service opt-in settings are ignored for most resource types. However Aurora, Neptune, and Amazon DocumentDB require service opt-in.

  • For Amazon FSx for NetApp ONTAP, when using tag-based resource selection, apply tags to individual volumes instead of the whole file system.

Service opt-in settings are specific to a Region. When an account uses Amazon Backup (creates a backup vault or backup plan) in a Region, the account automatically is opted into all resource types supported by Amazon Backup in the Region at that time. Supported services added to that Region at a later date will not be automatically included in a backup plan. You can choose to opt into those resource types once they become supported.

To configure the services used with Amazon Backup
  1. Open the Amazon Backup console at https://console.amazonaws.cn/backup.

  2. In the navigation pane, choose Settings.

  3. On the Service opt-in page, choose Configure resources.

  4. Use the toggle switches to enable or disable the services used with Amazon Backup.

    Important

    RDS, Aurora, Neptune, and DocumentDB share the same Amazon Resource Name (ARN). Opting in to manage one of these resource types with Amazon Backup opts in to all of them when assigning it to a backup plan. Regardless, we recommend you opt in all of them to accurately represent your opt-in status.

  5. Choose Confirm.

Working with Amazon S3 data

Amazon Backup offers fully-managed backup and restore for Amazon S3 backups. To learn more, see Amazon S3 backups.

For detailed information about S3 data, see the Amazon S3 documentation.

Working with VMware virtual machines

Amazon Backup supports centralized and automated data protection for on-premises VMware virtual machines (VMs) along with VMs in the VMware Cloud™ (VMC) on Amazon. You can back up from your on premises and VMC virtual machines to Amazon Backup. Then, you can restore from Amazon Backup to either on premises or VMC.

Backup gateway is downloadable Amazon Backup software that you deploy to your VMware VMs to connect them to Amazon Backup. The gateway connects to your VM management server to discover VMs, discovers your VMs, encrypts data, and efficiently transfers data to Amazon Backup. The following diagram illustrates how Backup gateway connects to your VMs:

A backup gateway is an OVF template the connects your VMware environment to Amazon Backup.

Working with Amazon DynamoDB

Amazon Backup supports backing up and restoring Amazon DynamoDB tables. DynamoDB is a fully-managed NoSQL database service that provides fast and predictable performance with seamless scalability.

Since its launch, Amazon Backup has always supported DynamoDB. Starting November 2021, Amazon Backup also introduced advanced features for DynamoDB backups. Those advanced features include copying your backups across Amazon Web Services Regions and accounts, tiering backups to cold storage, and using tags for permissions and cost management.

New Amazon Backup customers onboarding after November 2021 will have advanced DynamoDB backup features enabled by default.

We recommend all existing Amazon Backup customers enable advanced features for DynamoDB. There is no difference in warm backup storage pricing after you enable advanced features, and you can save money by tiering backups to cold storage and optimize your costs by using cost allocation tags.

For a full list of advanced features and how to enable them, see Advanced DynamoDB backup.

For detailed information about DynamoDB, see What is Amazon DynamoDB? in the Amazon DynamoDB Developer Guide.

Working with Amazon FSx file systems

Amazon Backup supports backing up and restoring Amazon FSx file systems. Amazon FSx provides fully managed third-party file systems with the native compatibility and feature sets for workloads. Amazon Backup uses the built-in backup functionality of Amazon FSx. So backups taken from the Amazon Backup console have the same level of file system consistency and performance, and the same restore options as backups that are taken through the Amazon FSx console.

If you use Amazon Backup to manage these backups, you gain additional functionality, such as unlimited retention options, and the ability to create scheduled backups as frequently as every hour. In addition, Amazon Backup retains your backups even after the source file system is deleted. This protects against accidental or malicious deletion.

Use Amazon Backup to protect Amazon FSx file systems if you want to configure backup policies and monitor backup tasks from a central backup console that also extends support for other Amazon services.

For detailed information about Amazon FSx file systems, see the Amazon FSx documentation.

Working with Amazon EC2

Amazon Backup supports Amazon EC2 instances.

You can schedule or perform on-demand backup jobs that include entire EC2 instances, including its Amazon EBS volumes. Therefore, you can restore an entire Amazon EC2 instance from a single recovery point, including the root volume, data volumes, and some instance configuration settings, such as the instance type and key pair.

You can also back up and restore your VSS-enabled Microsoft Windows applications. You can schedule application-consistent backups, define lifecycle policies, and perform consistent restores as part of an on-demand backup or a scheduled backup plan. For more information, see Creating Windows VSS backups.

Amazon Backup does not reboot your EC2 instances at any time.

Images and snapshots

When backing up an Amazon EC2 instance, Amazon Backup takes a snapshot of the root Amazon EBS storage volume, the launch configurations, and all associated EBS volumes. Amazon Backup stores certain configuration parameters of the EC2 instance, including instance type, security groups, Amazon VPC, monitoring configuration, and tags. The backup data is stored as an Amazon EBS volume-backed Amazon Machine Image (AMI).

If you delete an Amazon Machine Image (AMI) or Amazon EBS snapshot that is managed by Amazon Backup using Amazon Backup and you have the Amazon EC2 recycle bin configured, the image or snapshot might incur charges per the Amazon EC2 recycle bin policy. Snapshots and images in the Amazon EC2 recycle bin are no longer managed by Amazon Backup and will not be managed by Amazon Backup policies if you restore them from the recycle bin.

Amazon Backup managed Amazon EBS snapshots and snapshots associated with a Amazon Backup managed Amazon EC2 AMI which have Amazon EBS Snapshot Lock applied may not be deleted as part of the recovery point lifecycle if the snapshot lock duration exceeds the backup lifecycle. Instead, these recovery points will have the status of EXPIRED. These recovery points can be deleted manually if you choose to first remove the Amazon EBS snapshot lock.

Amazon Backup can encrypt EBS snapshots associated with an Amazon EC2 backup. This is similar to how it encrypts EBS snapshots. Amazon Backup uses the same encryption applied on the underlying EBS volumes when creating a snapshot of the Amazon EC2 AMI, and the configuration parameters of the original instance are persisted in the restore metadata.

A snapshot derives its encryption from the volume, and the same encryption is applied to the corresponding snapshots. EBS snapshots of a copied AMI are always encrypted. If you specify a KMS key during the copy, the specified key is applied. If you don't specify a KMS key, a default KMS key is applied.

For more information, see Amazon EC2 instances in the Amazon EC2 User Guide and Amazon EBS encryption in the Amazon EBS User Guide.

Working with Amazon EFS

Amazon Backup supports Amazon Elastic File System (Amazon EFS).

For detailed information about Amazon EFS file systems, see What is Amazon Elastic File System? in the Amazon Elastic File System User Guide.

Working with Amazon EBS

Amazon Backup supports Amazon Elastic Block Store (Amazon EBS) volumes.

Amazon Backup managed Amazon EBS snapshots and snapshots associated with a Amazon Backup managed Amazon EC2 AMI which have Amazon EBS Snapshot Lock applied may not be deleted as part of the recovery point lifecycle if the snapshot lock duration exceeds the backup lifecycle. Instead, these recovery points will have the status of EXPIRED. These recovery points can be deleted manually if you choose to first remove the Amazon EBS snapshot lock.

You can also learn more using the following tutorial: Amazon EBS Backup and Restore Using Amazon Backup.

For more information, see Amazon EBS volumes in the Amazon EBS User Guide.

Working with Amazon RDS and Aurora

Amazon Backup supports Amazon RDS database engines and Aurora clusters.

You can also learn by trying the following how-to guide: Amazon RDS Backup and Restore Using Amazon Backup.

For more information about Amazon RDS, see What is Amazon Relational Database Service? in the Amazon RDS User Guide.

For detailed information about Aurora, see What is Amazon Aurora? in the Amazon Aurora User Guide.

If you initiate a backup job from the Amazon RDS console, this can conflict with an Aurora clusters backup job, causing the error Backup job expired before completion. If this occurs, configure a longer backup window in Amazon Backup.

RDS Custom for SQL Server and RDS Custom for Oracle are not currently supported by Amazon Backup.

Amazon Backup does not support backup and restore of RDS on Outposts.

Amazon does not charge for Aurora snapshots stored inside a backup vault as long as Aurora has automated backups enabled and the retention period for Aurora automated backups is more than the retention period of Aurora snapshots. Any snapshots within the backup vault will be charged if the snapshots’ database is deleted (deletions may occur accidentally or during blue/green deployment).

Large snapshots and frequent backups from a deleted database could result in significant storage charges. Visit the Amazon Backup calculator to estimate potential Amazon Backup charges.

Working with Amazon Storage Gateway

Amazon Backup supports Storage Gateway Volume Gateway. You can also restore Amazon EBS snapshots as Storage Gateway volumes.

Working with Amazon DocumentDB

Amazon Backup supports Amazon DocumentDB clusters.

Working with Amazon Neptune

Amazon Backup supports Amazon Neptune clusters.

Working with Amazon Timestream

Amazon Backup supports Amazon Timestream tables.

Working with Amazon Organizations

Amazon Backup works with Amazon Organizations to simplify cross-account monitoring and management

Working with Amazon CloudFormation

Amazon Backup support Amazon CloudFormation templates and application stacks

Working with Amazon BackInt, Amazon Systems Manager for SAP, and SAP HANA

Amazon Backup works with Amazon BackInt and with SSM for SAP to support SAP HANA backup and restore functions.

How Amazon services back up their own resources

You might refer to the technical documentation for a specific Amazon service's backup and restore process, particularly when, during a restore, you need to configure a new instance of that Amazon service. The following is a list of documenation: