AWS Storage Blog
5 ways to simplify backup plans using AWS Backup resource assignment rules
Prior to the announcement of new resource assignment capabilities in AWS Backup, customers could assign resources to a backup plan in two ways. They could either select a specific resource using its resource ID or define a specific selection tag, which helps the service identify resources to be backed up by the backup plan. While this simplified resource assignment to backup plans, customers needed assignment rules that would provide flexibility and ease of use as they scaled the number of resources and services that they protect using AWS Backup.
With the announcement of new resource assignment capabilities in AWS Backup, customers can now schedule backups that span all their AWS-supported resources or specific AWS resource types using a simple checkbox. Customers can also narrow down their data protection to resources that are assigned to a particular tag, a combination of tags, or can be identified by a partial tag value. Customers can exclude AWS resource type, tag, or specific resource ID from their backup plans.
AWS Backup is a centralized backup service that provides a simple and cost-effective way to back up application data across many AWS services. The service monitors backup activities and automates backup scheduling and retention management, providing a centralized way to configure and audit which resources are backed up.
In this post, I will demonstrate the new resource assignment process capabilities and outline five common assignment scenarios and how these are enabled by the new assignment enhancements.
AWS Backup resource assignment walk through
When you back up resources using AWS Backup, you first opt in to the services you want to protect. Then, you create a plan, define the rules, and assign the resources that you want to apply these rules to.
Create a rule for daily backup upon creation of the plan.
Figure 1: Creating a backup rule
A time-based rule sets a schedule and vault target for the resources selected.
Figure 2: Backup plan
When you select the Assign resources button, a dialog box opens with the default option Include all resource types selected, from which you can refine the selection using tags.
Figure 3: Default assignment
The new assignment capabilities enable you to refine the selection of which resources to back up using conditional statements, rather than a single tag-equals-value option.
With the default Include all resource types, you can refine your selection using conditions on tags such as Begins with, Ends with, Equals, Does not equal, and so on. This fine-grained selection gives you the power and flexibility to ensure that only the resources matching your refinement are included in the backup plan.
Figure 4: Conditional tag selection
When you need to create a fine-grained resource assignment, select Include specific resource types, as seen in the following figure. You will be taken through a more granular selection process that incorporates the following steps:
- Select the resource types that you want to assign.
- Exclude specific resources by ID from each of the types (optional).
- Refine your selection using tags, similar to the all-resources option.
Figure 5: Selective assignment
Following this walkthrough, you can dive deep into practice with some common customer use cases and see how they apply in the assignment engine.
Use case 1: Add all resources of the same type to a backup plan
Organizations and customers may need to create a plan that mandates that all resources of a certain type, such as Amazon Relational Database Service (Amazon RDS) databases or Amazon DynamoDB tables, be backed up. This capability is valuable because resources that are not tagged would otherwise never be added to the backup plan, creating a risk of data loss.
The following rule defines the assignment of all DynamoDB tables in the account to be backed up in a plan without needing to define a tag or a resource ID. This common usage pattern ensures that no DynamoDB table created in the account will be left out of the backup plan.
Select Include specific resource types, and under Select specific resources type, choose DynamoDB.
Figure 6: Select DynamoDB as resource to backup
Once you have selected DynamoDB, All tables (*) should already be selected by default.
Figure 7: All tables, selected by default
The preceding example will apply the backup rules from the backup plan to all DynamoDB tables in the account.
Use case 2: Include all resources of the same type, but exclude a specific resource with ID
Customers may want to back up all resources of the same type, as shown in Use Case 1. However, they may have one or more specific resources that they want to exclude from the backup plan. For example, Example Corp. is looking to back up all Amazon RDS databases, excluding a specific database that contains sensitive Personally Identifiable Information (PII) or a devtest database.
Select Include specific resource types. Under Select specific resource types, select RDS.
Figure 8: Select RDS as the resource type
Once selected, by default, All databases (*) will be chosen, as the following figure shows.
Figure 9: All databases included in default selection
Now you want to exclude a specific resource using its ID. You go to step 3, Exclude specific resource IDs from the selected resource types, which is an optional step.
First choose RDS as the resource type in which you want to exclude a specific resource by ID. Note that you can exclude resources by ID from multiple resource types if you define more resource types in the assignment rule. In the following example, only RDS appears, because that is the only resource type you chose in the previous step.
Figure 10: Select RDS resource type for the exclude using ID
Now that you have selected the resource type, you can choose from the Database names drop-down list the specific resource ID you would like to exclude (in the following example, it is the devtest database).
Figure 11: Excluding a database by ID
The resulting assignment rule will look like the one in the following figure, where the plan assigns every RDS instance in the account but excludes the devtest database.
Figure 12: Assignment rule – Back up all RDS instances excluding the devtest database
By implementing the preceding assignment rule instead of manually selecting all the RDS instances individually with the exception of this one database instance, the customer can add all the RDS databases and exclude the one that needs to be left out. Any new RDS database will automatically be backed up by the plan.
Use case 3: Back up all resources with an exclusion tag
There are common scenarios where customers need to back up all resources of a certain type but want an explicit exclusion based on a tag that marks the resources the plan should not back up.
For example, a customer may wish to back up virtual machines (VMs) from their VMware environment. The virtual machines are tagged with a key named “Application,” and the value is the name of the application the VM is part of. When developers spin up virtual machines for testing, they put the value “Test” in the tag.
The system administrator would like to back up all the virtual machines, excluding those that are test VMs. You can do that using assignment rules.
Select Include specific resource types, then select the VirtualMachine resource type under Select specific resource types.
Figure 13: Select VirtualMachine resource type
After selecting the resources, refine the selection using tags.
Create the instruction to assign a resource only when the key Application does not equal Test. Under Refine selection using tags, in the Key field, enter Application. Under Condition for value, select Does not equal. Under Value, enter Test.
Figure 14: Refine Selection using tag to exclude VMs with Application=Test
Following this assignment rule, AWS Backup will ensure virtual machine resources that don’t have “Test” in their application tag will be backed up according to the policy.
Use case 4: Refine resource selection based on a tag combination
Many customers who adopted AWS Backup already have a tagging policy in place. Other customers are designing new tagging policies that go beyond defining a single tag on a resource as the identifier for a backup plan.
For example, you may have a combination of environment tags (prod, dev, test) along with a role tag (application, frontend, backend, worker). You then want to create an assignment policy for a plan that selects all the resources matching a combination of these pairs, as each resource has different backup needs that may also change over time.
You want to protect all the production resources that are part of your backend architecture under the same backup plan. The following example shows an assignment policy that addresses this requirement.
First, select Include all resource types.
Figure 15: Include all resource types with a refined AND tag combination
In order to ensure the backup of all the production backend resources, go to Refine selection using tags. Under Key, enter Environment. Under Condition for value, select Equals. Under Value, enter Prod. Then, under Key, add Role. Under Condition for value, select Equals. Under Value, add Backend.
As a result of this refinement, AWS Backup will back up only supported, opted-in resources that carry both tags with the specified values.
Use case 5: Refine resource selection based on tag(s) prefix value
You might have a situation where a backup plan needs to pick up all the resources that belong to a logical group of tagged resources whose tag values all start with the same prefix. The new Begins with condition enables you to select those resources.
For example, your organization might have an old tagging schema that changed over time.
- Old production resource tags: “Environment=production” (where Environment is the key, and production is the value)
- New production resource tags: “Environment=prod” (where Environment is the key, and prod is the value)
You now want to ensure that all resources whose Environment tag value starts with “pr” are assigned to the backup plan and have full coverage, regardless of whether old or new tags have been used.
The following assignment rule enables this selection and ensures that resources whose tag value starts with “pr” are backed up by the plan.
As the following figure shows, apply the following assignment:
- Include all resource types that are opted in.
- Refine the selection using tags so that a resource whose Environment tag value begins with “pr” is included in the plan.
AWS Backup will then back up each supported AWS resource that has an Environment tag whose value starts with “pr,” ensuring that you don’t leave any production service out of the plan.
Figure 16: Selection by prefix of a tag
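The five use cases above map directly onto the selection document used by the AWS Backup API. The following added example (not code from this post or from AWS) writes each use case as such a document, using the real CreateBackupSelection field names, and applies a small local matcher to constructed sample resources; the matching semantics (ARN wildcards, Conditions ANDed together) are this example's own reading of the API, and the account ID, Region, and resource names are constructed placeholders.

```python
# Added example, not code from the post or from AWS: the five use cases as
# AWS Backup selection documents (real CreateBackupSelection field names) and
# a local matcher; the matching semantics (ARN wildcards, Conditions ANDed)
# are this example's reading, and all ids/names are constructed sample values.
import fnmatch

def cond(key, value):
    # Condition entries reference a resource tag as aws:ResourceTag/<Key>
    return {"ConditionKey": f"aws:ResourceTag/{key}", "ConditionValue": value}

SELECTIONS = {
    # Use case 1: every DynamoDB table, no tag or resource ID needed
    "all-dynamodb": {"Resources": ["arn:aws:dynamodb:*:*:table/*"]},
    # Use case 2: every RDS database except devtest, excluded by ID
    "rds-minus-devtest": {
        "Resources": ["arn:aws:rds:*:*:db:*"],
        "NotResources": ["arn:aws:rds:us-east-1:111122223333:db:devtest"]},
    # Use case 3: all VMs whose Application tag does not equal Test
    "vms-not-test": {
        "Resources": ["arn:aws:backup-gateway:*:*:vm/*"],
        "Conditions": {"StringNotEquals": [cond("Application", "Test")]}},
    # Use case 4: any resource tagged Environment=Prod AND Role=Backend
    "prod-backend": {
        "Resources": ["*"],
        "Conditions": {"StringEquals": [cond("Environment", "Prod"),
                                        cond("Role", "Backend")]}},
    # Use case 5: any resource whose Environment tag begins with "pr"
    "env-prefix-pr": {
        "Resources": ["*"],
        "Conditions": {"StringLike": [cond("Environment", "pr*")]}},
}
# Per-operator checks: (resource tag value or None, condition value) -> bool
CHECKS = {
    "StringEquals": lambda t, v: t == v,
    "StringNotEquals": lambda t, v: t != v,
    "StringLike": lambda t, v: t is not None and fnmatch.fnmatchcase(t, v),
    "StringNotLike": lambda t, v: t is None or not fnmatch.fnmatchcase(t, v),
}

def selected(selection, arn, tags):
    # True if the resource (arn, tag dict) falls under the selection
    matches = lambda patterns: any(fnmatch.fnmatchcase(arn, p) for p in patterns)
    if not matches(selection.get("Resources", [])):
        return False          # not in an included resource type
    if matches(selection.get("NotResources", [])):
        return False          # excluded by specific resource ID
    # Every condition, across every operator, must hold (AND)
    return all(CHECKS[op](tags.get(c["ConditionKey"].split("/", 1)[1]),
                          c["ConditionValue"])
               for op, entries in selection.get("Conditions", {}).items()
               for c in entries)
```

Note that an untagged VM passes the StringNotEquals check in use case 3, while an untagged resource fails the StringLike check in use case 5; checking your documents against such edge cases before deploying them is the point of the matcher.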
Cleaning up
If, while reading this blog post, you have created assignment rules in your backup plans for the purpose of practice, please ensure you remove them to avoid incurring unwanted charges.
Conclusion
In this post, I demonstrated the new resource assignment process capabilities and outlined five common assignment scenarios and how these are enabled by the new assignment enhancements.
The new assignment capabilities simplify your backup policies. Furthermore, they enable organizations to create fewer backup plans and provide tools to comply with policies and regulations across scaling resources that need to be protected, using simple logical assignment rules.
While this blog post demonstrated console configuration, the same assignment capabilities can be used when making backup selections through API calls to the AWS Backup service. The new assignment capabilities are designed to give you the flexibility to define the right assignment policies and be sure that AWS Backup will pick up only those resources that you intended it to protect. You can get more information on other methods of defining resources via AWS CloudFormation and the CLI/API in the AWS Backup Documentation.
Thank you for reading this blog post. If you have any comments or questions, please leave them in the comment section.