Recovering a VMware Cloud on AWS VM backup to EC2 using AWS Backup
This article demonstrates restoring a vSphere-based virtual machine to EC2
AWS Backup is a well-known service providing backups for dozens of AWS services. Recently, AWS Backup added support for VMC on AWS (and on-prem VMware) workloads - now you can use it to back up your VMware workloads as well, getting a single pane of glass to manage backups of native AWS services and VMware workloads.
There is nothing special about restoring a VMware VM backup back to on-prem, to VMC on AWS, or even to VMC AWS Outpost (and vice versa - just be aware of Virtual Hardware compatibility for different vSphere versions). A lesser-known feature of AWS Backup is restoring a vSphere VM into an EC2 instance. That's right - AWS Backup can convert your VM into a native EC2 instance with no extra steps required from you (however, you can't restore an EC2 backup into VMC on AWS - you need to use vCenter Converter). The most commonly recommended way to convert your workloads into EC2 is by using AWS Application Migration Service. Why might you use AWS Backup instead?
- Near-zero risk for experiments - I already have a valid backup of my VM and the restore process has no impact on the original VM. It happens completely outside of my production environment
- I don't need to make changes to my original VM or guest OS (for example, installing a migration agent)
- I have the technical capability to do such a thing
- I'm a curious engineer!
Let's see how it would work!
A note on my lab environment - I have a tiny VM (CentOS 7) inside VMC on AWS, running Apache web server. My goal is to restore its backup as EC2 and be able to reach the HTTP and SSH ports.
1. Prep step. The restored backup (EC2 instance) will be running inside a VPC – let's check that I have a proper configuration in place – subnets and security groups:
I created a new security group, allowing inbound traffic on ports 22 and 80 from any source inside my VPC network – 10.102.28.0/24. After the restore is complete, I can use my bastion host (an EC2 instance I use to manage my workloads) to log in and test my web service.
The security configuration looks good, now I can proceed with the restore task. You must have the VPC and subnets configured before restoring the VM; the security group can be created and associated later. I found it easier to prepare everything in advance to avoid any surprises.
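As an added example (not part of the original article and not AWS tooling): a small Python check that a security group's inbound rules match what step 1 describes, that is, only TCP 22 and 80 from 10.102.28.0/24. The rule lists are constructed samples in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the function and variable names are hypothetical.

```python
import ipaddress

# From the article: VPC network 10.102.28.0/24, inbound SSH (22) and HTTP (80) only.
VPC_CIDR = ipaddress.ip_network("10.102.28.0/24")
ALLOWED_PORTS = {22, 80}

def audit_ingress(ip_permissions, vpc=VPC_CIDR, allowed=ALLOWED_PORTS):
    """Return (findings, missing_ports) for a security group's IpPermissions list."""
    findings, reachable = [], set()
    for perm in ip_permissions:
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if proto == "tcp" and lo is not None and hi is not None:
            ports, label = set(range(lo, hi + 1)), f"tcp/{lo}-{hi}"
        elif proto == "-1":  # "-1" means every protocol and every port
            ports, label = set(range(65536)), "all traffic"
        else:                # udp/icmp are not needed for SSH or HTTP
            ports, label = set(), f"protocol {proto}"
        extra = proto != "tcp" or bool(ports - allowed)
        # Collect every source the rule trusts, not just IPv4 CIDRs.
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
        for src in sources:
            try:
                net = ipaddress.ip_network(src, strict=False)
                same = net.version == vpc.version
            except ValueError:  # sg-... or pl-... reference, cannot be judged by CIDR
                net, same = None, False
            if not (same and net.subnet_of(vpc)):
                findings.append(f"{label} from {src}: source is not a CIDR inside {vpc}")
            if extra:
                findings.append(f"{label} from {src}: opens more than ports {sorted(allowed)}")
            if same and net.overlaps(vpc):
                reachable |= ports & allowed
    return findings, sorted(allowed - reachable)

# Constructed samples in the shape returned by `aws ec2 describe-security-groups`.
AS_DESCRIBED = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.102.28.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.102.28.0/24"}]},
]
TOO_WIDE = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443, "IpRanges": [{"CidrIp": "10.102.28.0/24"}]},
]

if __name__ == "__main__":
    for name, rules in (("as described", AS_DESCRIBED), ("too wide", TOO_WIDE)):
        print(name, audit_ingress(rules))
```

The second return value lists any of ports 22 and 80 that no rule opens to the VPC, which would leave the bastion host unable to reach the restored instance.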
2. Restoring backup. Go to the AWS Backup console and select your protected resources. Here I have backups of my EC2 and VMC on AWS VMs. AWS Backup is a single pane of glass to manage your backups for multiple services, including databases, storage, and compute resources:
I want to restore VM ‘apylnev-ab3-web01’ – it is a VMware virtual machine, running inside VMC on AWS. I have already backed it up with AWS Backup. First, I need to select a recovery point I want to use for my restore job. In this example I’m going to use my latest copy:
After clicking the ‘Restore’ button, the restore backup wizard window will pop up. Here you choose how to perform the restore. I’m going to proceed with the ‘Full restore’ option. It is also possible to restore only specific VM disks. I select ‘Amazon EC2’ as my location - this will convert my vSphere VM into an EC2 instance:
One thing to notice - AWS Backup gives you a long list of EC2 instance types to choose from. In my experiments I found that restore might not work for every EC2 type, and unfortunately if the restore fails you need to start all over again with a new instance type. I was successful with restore into the T3 type - please write in comments what worked for you!
The restore process takes time – it depends on the size of the backup and the backup storage tier – warm or cold. Older backups can move to cold storage if you configure this in your backup plan. It costs less compared to the warm (default) setup. When the restore is done (Restore job status is ‘Complete’) you can see your EC2 instance ID in yellow. You can’t define tags/name for an EC2 restore in the AWS Backup UI, but the instance ID is enough to find it:
3. Checking restored backup
My EC2 is running exactly where I needed it. Notice the VPC, subnet and security groups are as I configured them in the restore wizard screen.
Note – unlike a native EC2 instance (deployed from an AMI image), you cannot use the ‘Connect’ options to get access to your restored EC2. Because it was restored from a VMware virtual machine image, it is missing the package for ‘Session Manager’. You must install the package before being able to use the Connect options. However, the instance has a private IP address – so I can use it to log in (SSH) from my bastion host and take care of the ‘Session Manager’ component.
My original VM was configured according to VMware’s recommendations – with Paravirtual SCSI adapter and VMXNET3 NIC, it had the open-vmtools package installed:
Notice the name of my NIC inside the vSphere guest OS – it is ens192. You might wonder whether you need to uninstall VMware tools, and whether that will have an impact on NIC drivers or SCSI devices. And how did my restored instance get a new private IP address – the original VM was configured with DHCP – did I get lucky here? How would it work with a static setup?
This is what my restored instance looks like:
There is no VMware tools service – the AWS Backup restore process removed it from my guest OS. Second, it removed my VMXNET3 adapter and gave me a new NIC – ens5 – which is how I got a new private IP address. Even if my original VM had been running with a static IP, the restore process would remove the original NIC (if you have a VM with multiple NICs, the restore process removes them all, giving you an EC2 instance with only one NIC) and replace it with a new one configured for DHCP. It also took care of the virtual hardware – my NIC is now an Amazon Elastic Network Adapter (ENA):
The restored instance is configured, looks, and works exactly as a native EC2 instance would, and can be expected to perform the same as a natively-deployed instance.