AWS Cloud Operations & Migrations Blog

Take Microsoft VSS-Enabled Snapshots Using Amazon EC2 Systems Manager

We are happy to announce the support for Microsoft Volume Shadow Copy Service (VSS) on Amazon EC2 instances running Windows AMIs. VSS is a popular volume backup technology in the Microsoft Windows ecosystem (compatible with most Microsoft applications, including SQL Server and Exchange Server). VSS manages disk operations, such as file writes, when a backup is in progress so that the resulting backups are application-consistent. Application-consistent backups are the backups of volumes attached to a machine or an instance, taken at the same time, along with capturing all data in memory and all transactions in progress.

VSS-enabled snapshots of Amazon EBS volumes are available through Amazon EC2 Systems Manager Run Command. The command AWSEC2-CreateVssSnapshot allows you to take application-consistent snapshots of all EBS volumes attached to your running EC2 Windows instances, without losing transactional data consistency between your EC2 instances and attached EBS volumes during the backup process. With this capability, you don’t need to use application-specific backup solutions, such as native SQL Backup, or develop and maintain custom scripts. In addition, you don’t need to run third-party tools for taking image-level backups that are application-consistent.

How to use AWSEC2-CreateVssSnapshot

You can take VSS-enabled EBS snapshots on EC2 instances running Windows by calling the command AWSEC2-CreateVssSnapshot through EC2 Systems Manager Run Command. You can use the AWS Management Console, the AWS CLI, or you can call it through a custom PowerShell script or a Lambda function. In this blog post, we’ll call the command using the EC2 console.

AWSEC2-CreateVssSnapshot Run Command

In the EC2 console, first select the Run command document AWSEC2-CreateVssSnapshot to take a VSS-enabled snapshot of your EBS volumes attached to an instance. Then select the instance, and specify the description and tags that you want to add to your resulting snapshots. You can also choose to exclude the boot volume from the snapshot process.

Calling AWSEC2-CreataeVssSnapshot Run Command

When initiated, the Run Command call makes the VSS components (More details to follow) on your instances coordinate all ongoing I/O operations on VSS-aware applications running on the EC2 Windows instances. This way the I/O buffers are flushed to the EBS volumes, and all I/O operations are frozen while snapshots are taken. This results in application consistency. After the snapshot is initiated, the freeze on I/O is lifted and normal operations are resumed.

The list of snapshots created through the Run Command or the script can be found under EBS snapshots in the left navigation pane in the EC2 console. All VSS-enabled EBS snapshots that are successfully created from this process are tagged as “AppConsistent:True”. To learn more about this capability, go to the documentation for AWSEC2-CreateVssSnapshot.

Setting up your EC2 instances to take VSS-enabled snapshots

  • Snapshot permissions to instances: You need to open the IAM console, and use Policy generator to create new Policy for AWS service “Amazon EC2” and attach the following actions to this policy.

    1. DescribeInstances
    2. CreateTags
    3. CreateSnapshot

Now create an Amazon EC2 role in the IAM console and attach the actions we previously listed and AmazonEC2RoleForSSM policies to it. Attach this role directly to your EC2 Windows instances.

IAM permissions

  • Installing VSS components: If your Windows instances are not updated with the latest packages, you need to perform additional steps to take VSS-enabled EBS snapshots.

    • Update SSM agent: If your instances don’t have SSM agent or later, you need to call the AWS-UpdateSSMAgent Run Command to update latest SSM agent. You can use Managed Instances under the Shared Systems Manager Resources in the left navigation pane to see the SSM agent version installed on your instances. SSM agent number under "Managed Instances"
    • Configure AWS package: You need to install the VSS components (AwsVssComponents) on them by calling the AWS-ConfigureAWSPackage command using Systems Manager Run Command.

AWS-ConfigureAwsPackage to install VSS components

For more information on how you can set up your EC2 instances to take VSS-enabled EBS snapshots, go to the Amazon EC2 documentation.

Installing VSS components on EC2 instances

Using the command AWSEC2-CreateVssSnapshot requires you to provide IAM permissions to create and tag EBS snapshots to your EC2 instances. Alternatively, if you don’t want to provide additional IAM permissions to your instances for policy or compliance reasons, then you can use a customizable sample script. To read more about this script, refer to the documentation for AWSEC2-ManageVssIO.

The process for restoring the VSS-based EBS snapshots is the same process that you use to restore EBS snapshots. In addition, you can use a sample restore script that we provide. This restore script allows you to restore from specified EBS Snapshots to a given Windows instance on Amazon EC2.

About the Author

Purvi Goyal is a Senior Product Manager with the Amazon EC2 team, where she strives to enhance the cloud experience of AWS Enterprise customers. Outside of work, she enjoys outdoor activities like hiking and kayaking.