AWS Storage Blog

Attach an Amazon EC2 key pair to an AWS Backup restore of a VMware virtual machine

Customers run thousands of VMware virtual machines on premises, in VMware Cloud on AWS, and in VMware Cloud on AWS Outposts. They use AWS Backup to centrally manage data protection of these VMware environments. Customers who initiate an Amazon EC2 restore from an AWS Backup for VMware recovery point find that no key pair is automatically attached to the restored instance. Moreover, the restored instance cannot be accessed until a key pair is created and attached.

In this post, we walk you through the process of restoring an Amazon EC2 instance using AWS Backup and attaching an Amazon EC2 key pair to the restored EC2 instance.

Solution overview

This deployment involves initiating an Amazon EC2 restore from the VMware recovery point created by AWS Backup. When the Amazon EC2 restore is completed, no key pair is automatically attached to the restored instance. The restored instance cannot be accessed until a key pair is created and attached.

Prerequisites

The following prerequisites are necessary to continue with this post:

Walkthrough

For this walkthrough, you are conducting an EC2 instance restore from the VMware recovery point. Furthermore, you are creating a new key pair and attaching it to the restored EC2 instance.

Perform an EC2 instance restore

In the AWS Backup console, navigate to Protected Resources. Select the Protected Resource ID that you want to restore. On the Resource details page, select the Recovery point ID from which you want to perform the VM restore, and then select the Restore button. Select Full restore and provide the restore parameters such as the restore location, Instance Type, Virtual Private Cloud (VPC), Subnet, and Security Group. Choose the default role for the restore and select Restore backup, as shown in Figure 1.0.

Figure 1.0: AWS Backup restore backup wizard

To see the restore job, navigate to Jobs on the left menu and select the Restore jobs tab. The restore job is triggered, and the restore status changes from Pending to Running. Once the VM has been successfully restored to the ESXi Host, the restore status changes to Completed, as shown in Figure 1.1.

Figure 1.1: Showing the completed restore job

Note: There is no key pair attached to the EC2 instance created by the restore job. The restored EC2 instance is not accessible until a key pair is attached, as shown in Figure 1.2.

Figure 1.2: Showing newly created instance with no key pair

A new key pair must be created and attached to the EC2 instance before you can connect to it. To attach a new key pair to your instance, follow these steps:

Attaching a key pair to the restored EC2 instance

  1. Log in to the AWS Management Console. Search for and select Amazon EC2 from the available services.

Figure 2: Navigating to Amazon EC2 Service

  2. On the Amazon EC2 dashboard, scroll down, and from the left menu select Key Pairs and then select Create Key Pair.

Figure 2.1: Showing how to navigate to Create key pair

  3. On the Create key pair page, follow the instructions to configure your key pair as desired. The private key must be in the .ppk or .pem format. .ppk files are specific to PuTTY and use a proprietary format, while .pem files use the widely used ASCII text format and can store various types of keys. I chose .pem because the same key pair would be associated with both Windows and Linux instances, and I am not accessing the restored instance through PuTTY.

A pop-up should appear. Save the key securely on your local system.

Figure 2.2: Create key pair wizard

Note: RSA keys are supported for both Windows and Linux instances on the Amazon EC2 platform, while ED25519 keys are not supported for Windows instances on Amazon EC2. If you intend to use SSH key pairs to access Windows-based EC2 instances, use RSA key pairs.

  4. Next, use the newly created private key to retrieve its public key. This can be done from a Command Prompt on Windows or the Terminal on Linux systems.

Set the permissions of your private key file so that only you can read it. 

Figure 2.3: Setting permission of the private key file

Use the following syntax: 

Figure 2.4: Syntax to generate public key from key pair

For example:

Figure 2.5: Sample command to generate public key from key pair

Now, copy the public key generated from your newly created key pair and save it in a text editor.

Figure 2.6: Showing generated public key

  5. To connect to your EC2 instance, follow these steps:

a. First, create an instance profile in IAM. Navigate to the IAM console, create an IAM instance profile, and attach AmazonSSMManagedInstanceCore and AmazonEC2RoleforSSM to the IAM instance role. See more information on Configuring instance permissions for Systems Manager.

Figure 2.7: Showing the instance profile IAM permissions

b. Attach the instance profile you created to the restored EC2 instance. On the Amazon EC2 console, select the restored instance, select the Action button, scroll down and select Security, then select Modify IAM role.

Figure 2.8: Showing how to navigate to Modify IAM role

c. Select the IAM instance profile role that was created in Step 5a, and select the Update IAM role button.

Figure 2.9: Associating IAM instance profile to newly created instance

d. Reboot the instance.

Figure 2.10: Rebooting newly created instance

e. Navigate to the Amazon EC2 dashboard, select the Instances option given on the left side panel, and then select the newly created instance to attach the new key pair.

Figure 2.11: Showing how to attach new key pair to newly created instance

f. On the Session Manager tab, select the Connect button.

Figure 2.12: Session Manager wizard

g. Switch from the instance profile back to the root profile.

Figure 2.13: Showing how to switch to root profile

  6. Register your new private key to the instance.

A command line interface (CLI) of your EC2 instance is displayed. To register your private key to the restored EC2 instance, use the following example code to paste your public key into the Instance Authorization key file.

Figure 2.14: Showing how to edit the Authorization key file

7. Copy the public key generated in Step 4 and paste it into the Instance Authorization key file. You can use ESC+I to insert and ESC+V to paste. Save the changes to the Instance Authorization key file by pressing ESC and typing “wq!”.

Figure 2.15: Showing how to save changes to the Instance Authorization key file

8. To log in through Secure Shell (SSH) remotely using the key, stop and start the instance. Finally, you can optionally connect to your instance using PuTTY, Terminal, Command Prompt, or another SSH client, using the instance's public IP address and the new private key registered to the restored EC2 instance.

Figure 2.16: Showing how to stop the newly created instance

Figure 2.17: Connecting to the EC2 instance using the attached key pair
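
The key-handling parts of steps 4, 6, and 7 can be sketched in shell. This is an added example, not the authors' commands: it checks that the private key file is readable only by its owner, derives the public key with `ssh-keygen -y`, and appends it to an authorized keys file without duplicating it. It assumes OpenSSH and its default `~/.ssh/authorized_keys` layout; the function names, file names, and throwaway demo key are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes OpenSSH tools;
# all paths and file names below are placeholders.

# Print the OpenSSH public key for a private key file. Refuses a key file
# that group or others can access, which is what "chmod 400" prevents.
derive_public_key() {
  local key_file="$1" mode
  mode=$(stat -c '%a' "$key_file" 2>/dev/null || stat -f '%Lp' "$key_file")
  case "$mode" in
    400|600) ;;
    *) echo "refusing $key_file: mode $mode is too permissive" >&2; return 1 ;;
  esac
  ssh-keygen -y -f "$key_file"
}

# Append a public key to <ssh_dir>/authorized_keys only if it is not already
# there, keeping the 700/600 permissions that sshd's StrictModes expects.
authorize_key() {
  local pub_key="$1" ssh_dir="$2"
  local auth_file="$ssh_dir/authorized_keys"
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  touch "$auth_file" && chmod 600 "$auth_file"
  grep -qxF -- "$pub_key" "$auth_file" || printf '%s\n' "$pub_key" >> "$auth_file"
}

# Demo on a constructed throwaway key in a temp directory (it stands in for
# the .pem downloaded from the EC2 console). Prints the number of keys in
# the resulting authorized_keys file.
demo() {
  local work pub
  work=$(mktemp -d)
  ssh-keygen -q -t rsa -b 2048 -N '' -f "$work/restored-key.pem"
  chmod 400 "$work/restored-key.pem"
  pub=$(derive_public_key "$work/restored-key.pem") || return 1
  authorize_key "$pub" "$work/.ssh"
  authorize_key "$pub" "$work/.ssh"   # second call is a no-op
  wc -l < "$work/.ssh/authorized_keys" | tr -d ' '
  rm -rf "$work"
}
```

On the restored instance, `authorize_key` would be run in the Session Manager shell with the target user's `.ssh` directory as the second argument, so the private key itself never has to leave your workstation.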

Cleaning up

To clean up your account after deploying the solution outlined in this post, refer to the AWS Backup Developer Guide for Deleting backups, Deleting a backup vault, and Deleting a backup plan. To delete the restored EC2 instance, refer to Terminate an instance.

Conclusion

In this post, we demonstrated the following:

  1. How you can restore an EC2 instance from a VMware recovery point.
  2. How to add a key pair to the restored EC2 instance.

Using the features described in this post, you can now use AWS Backup to restore VMware VMs to Amazon EC2. Thanks for reading this post! If you have comments or questions, don’t hesitate to leave them in the comments section. To learn more about AWS Backup, read our documentation.

Olumuyiwa Koya

Olumuyiwa Koya is a Technical Account Manager at AWS and has over 11 years of experience in enterprise storage, virtualization, and enterprise backup. He enjoys interfacing with AWS customers to help them innovate and build solutions. Outside of work, Olumuyiwa enjoys traveling and playing soccer.

Kenie Ogunsemowo

Kenie Ogunsemowo is a Storage Solutions Architect with AWS and is very passionate about technology. She spends most of her time helping customers design and implement storage and backup solutions in the Cloud. Outside of work, she enjoys spending time with her family and exploring new places.