Take Microsoft VSS-Enabled Snapshots Using Amazon EC2 Systems Manager
We are happy to announce the support for Microsoft Volume Shadow Copy Service (VSS) on Amazon EC2 instances running Windows AMIs. VSS is a popular volume backup technology in the Microsoft Windows ecosystem (compatible with most Microsoft applications, including SQL Server and Exchange Server). VSS manages disk operations, such as file writes, when a backup is in progress so that the resulting backups are application-consistent. Application-consistent backups are the backups of volumes attached to a machine or an instance, taken at the same time, along with capturing all data in memory and all transactions in progress.
VSS-enabled snapshots of Amazon EBS volumes are available through Amazon EC2 Systems Manager Run Command. The command AWSEC2-CreateVssSnapshot allows you to take application-consistent snapshots of all EBS volumes attached to your running EC2 Windows instances, without losing transactional data consistency between your EC2 instances and attached EBS volumes during the backup process. With this capability, you don’t need to use application-specific backup solutions, such as native SQL Backup, or develop and maintain custom scripts. In addition, you don’t need to run third-party tools for taking image-level backups that are application-consistent.
How to use AWSEC2-CreateVssSnapshot
You can take VSS-enabled EBS snapshots on EC2 instances running Windows by calling the command AWSEC2-CreateVssSnapshot through EC2 Systems Manager Run Command. You can use the AWS Management Console, the AWS CLI, or you can call it through a custom PowerShell script or a Lambda function. In this blog post, we’ll call the command using the EC2 console.
In the EC2 console, first select the Run command document AWSEC2-CreateVssSnapshot to take a VSS-enabled snapshot of your EBS volumes attached to an instance. Then select the instance, and specify the description and tags that you want to add to your resulting snapshots. You can also choose to exclude the boot volume from the snapshot process.
When initiated, the Run Command call makes the VSS components (More details to follow) on your instances coordinate all ongoing I/O operations on VSS-aware applications running on the EC2 Windows instances. This way the I/O buffers are flushed to the EBS volumes, and all I/O operations are frozen while snapshots are taken. This results in application consistency. After the snapshot is initiated, the freeze on I/O is lifted and normal operations are resumed.
The list of snapshots created through the Run Command or the script can be found under EBS snapshots in the left navigation pane in the EC2 console. All VSS-enabled EBS snapshots that are successfully created from this process are tagged as “AppConsistent:True”. To learn more about this capability, go to the documentation for AWSEC2-CreateVssSnapshot.
Setting up your EC2 instances to take VSS-enabled snapshots
- Snapshot permissions to instances: You need to open the IAM console, and use Policy generator to create new Policy for AWS service “Amazon EC2” and attach the following actions to this policy.
Now create an Amazon EC2 role in the IAM console and attach the actions we previously listed and AmazonEC2RoleForSSM policies to it. Attach this role directly to your EC2 Windows instances.
- Installing VSS components: All instances created using Microsoft Windows Server AMIs dated 2017.11.18 or later have the VSS components pre-installed. If your Windows instances are not updated with the latest packages, you need to perform additional steps to take VSS-enabled EBS snapshots.
- Update SSM agent: If your instances don’t have SSM agent 188.8.131.52 or later, you need to call the AWS-UpdateSSMAgent Run Command to update latest SSM agent. You can use Managed Instances under the Shared Systems Manager Resources in the left navigation pane to see the SSM agent version installed on your instances.
- Configure AWS package: You need to install the VSS components (AwsVssComponents) on them by calling the AWS-ConfigureAWSPackage command using Systems Manager Run Command.
For more information on how you can set up your EC2 instances to take VSS-enabled EBS snapshots, go to the Amazon EC2 documentation.
Using the command AWSEC2-CreateVssSnapshot requires you to provide IAM permissions to create and tag EBS snapshots to your EC2 instances. Alternatively, if you don’t want to provide additional IAM permissions to your instances for policy or compliance reasons, then you can use a customizable sample script. To read more about this script, refer to the documentation for AWSEC2-ManageVssIO.
The process for restoring the VSS-based EBS snapshots is the same process that you use to restore EBS snapshots. In addition, you can use a sample restore script that we provide. This restore script allows you to restore from specified EBS Snapshots to a given Windows instance on Amazon EC2.
About the Author
Purvi Goyal is a Senior Product Manager with the Amazon EC2 team, where she strives to enhance the cloud experience of AWS Enterprise customers. Outside of work, she enjoys outdoor activities like hiking and kayaking.