Amazon RDS Backup & Restore Using AWS Backup
Introduction
Implementation
1. Open the AWS Backup console
Log in to the AWS Management Console, and open the AWS Backup console.

Configure an on-demand AWS Backup job of an Amazon RDS database
2. Configure the services used with AWS Backup
On the navigation pane on the left side of the AWS Backup console, under My account, choose Settings.

3. Configure resources
On the Service opt-in page, choose Configure resources.

4. Select services for backup
On the Configure resources page, use the toggle switches to enable or disable the services used with AWS Backup. Choose Confirm when your services are configured.
AWS resources that you're backing up should be in the Region you are using for this how-to guide, and resources must all be in the same AWS Region (however, see step 3.2 for information on cross-Region copy). This how-to guide uses the US East (N. Virginia) Region (us-east-1).

5. Create an on-demand backup job of an Amazon RDS database
Back in the AWS Backup console, under My account on the left navigation pane, select Protected resources.

6. Choose Create an on-demand backup
From the dashboard, select the Create on-demand backup button.

7. Configure on-demand backup settings
On the Create on-demand backup page, choose the following options:
Select the resource type that you want to back up; for example, choose RDS for Amazon RDS.
Choose the database name or ID of the resource that you want to protect; for example, analytics.
Ensure that Create backup now is selected. This initiates your backup job immediately and enables you to see your saved resource sooner on the Protected resources page.
Select the desired retention period. AWS Backup automatically deletes your backups at the end of this period to save storage costs for you.
Choose an existing backup vault. Choosing Create new Backup vault opens a new page to create a vault and then returns you to the Create on-demand backup page when you are finished.
Under IAM role, choose Default role.
Note: If the AWS Backup Default role is not present in your account, then an AWS Backup Default role is created with the correct permissions.
Select the Create on-demand backup button. This takes you to the Jobs page, where you will see a list of jobs.

8. View the backup job details
Choose the Backup job ID for the resource that you chose to back up to see the details of that job.

Configure automatic AWS Backup jobs of an Amazon RDS database
1. Configure the services used with AWS Backup
Back on the left navigation pane in the AWS Backup console, under My account, choose Settings.

2. Configure resources
On the Service opt-in page, choose Configure resources.

3. Select services for backup
On the Configure resources page, use the toggle switches to enable or disable the services used with AWS Backup. Choose Confirm when your services are configured.
AWS resources that you're backing up should be in the Region you are using for this tutorial, and resources must all be in the same AWS Region (however, see step 3.2 for information on cross-Region copy). This tutorial uses the US East (N. Virginia) Region (us-east-1).

4. Configure a backup plan
In the AWS Backup console, select Backup plans on the left navigation pane under My account, and then Create backup plan.

5. Create a new backup plan
AWS Backup provides three ways to get started using the AWS Backup console. For this how-to guide, select Build a new plan:
Start with a template — You can create a new backup plan based on a template provided by AWS Backup. Be aware that backup plans created by AWS Backup are based on backup best practices and common backup policy configurations. When you select an existing backup plan to start from, the configurations from that backup plan are automatically populated for your new backup plan. You can then change any of these configurations according to your backup requirements.
Build a new plan — You can create a new backup plan by specifying each of the backup configuration details, as described in the next section. You can choose from the recommended default configurations.
Define a plan using JSON - You can modify the JSON expression of an existing backup plan or create a new expression.
Backup plan name - You must provide a unique backup plan name. If you try to create a backup plan that is identical to an existing plan, you get an AlreadyExistsException error. For this how-to guide, enter RDS-webapp.

6. Enter a backup rule name
Backup rule name - Backup plans are composed of one or more backup rules. Backup rule names are case sensitive. They must contain from 1 to 63 alphanumeric characters or hyphens. For this how-to guide, enter RDS-Dailies.

7. Create a backup vault
Backup vault - A backup vault is a container to organize your backups in. Backups created by a backup rule are organized in the backup vault that you specify in the backup rule. You can use backup vaults to set the AWS Key Management Service (AWS KMS) encryption key that is used to encrypt backups in the backup vault and to control access to the backups in the backup vault. You can also add tags to backup vaults to help you organize them. If you don't want to use the default vault, you can create your own.

8. Configure the backup vault
Create new backup vault - Instead of using the default backup vault that is automatically created for you in the AWS Backup console, you can create specific backup vaults to save and organize groups of backups in the same vault.
i) To create a backup vault, choose Create new Backup vault.
ii) Enter a name for your backup vault. You can name your vault to reflect what you will store in it, or to make it easier to search for the backups you need. For example, you could name it FinancialBackups.
iii) Select an AWS KMS key. You can use either a key that you already created or select the default AWS Backup master key.
iv) Optionally, add tags that will help you search for and identify your backup vault.
v) Select the Create Backup vault button.

9. Configure backup schedule
Backup frequency - The backup frequency determines how often a backup is created. You can choose a frequency of every 12 hours, daily, weekly, or monthly. When selecting weekly, you can specify which days of the week you want backups to be taken. When selecting monthly, you can choose a specific day of the month.
Enable continuous backups for point-in-time recovery - With continuous backups, you can perform point-in-time restores (PITR) by choosing when to restore, down to the second. The most time that can elapse between the current state of your workload and your most recent point-in-time restore is 5 minutes. You can store continuous backups for up to 35 days. If you do not enable continuous backups, AWS Backup takes snapshot backups for you.
Backup window - Backup windows consist of the time that the backup window begins and the duration of the window in hours. The default backup window is set to start at 5 AM UTC (Coordinated Universal Time) and lasts 8 hours.

10. Configure retention settings
Transition to cold storage - Currently only Amazon EFS file system backups can be transitioned to cold storage. The cold storage expression is ignored for the backups of Amazon Elastic Block Store (Amazon EBS), Amazon Relational Database Service (Amazon RDS), Amazon Aurora, Amazon DynamoDB, and AWS Storage Gateway.
Retention period - AWS Backup automatically deletes your backups at the end of this period to save storage costs for you. AWS Backup can retain snapshots between 1 day and 100 years (or indefinitely, if you do not enter a retention period), and continuous backups between 1 and 35 days.

11. (Optional) Copy a backup to multiple regions
Copy to destination - As part of your backup plan, you can optionally create a backup copy in another AWS Region. Using AWS Backup, you can copy backups to multiple AWS Regions on-demand, or automatically as part of a scheduled backup plan. Cross-Region Replication (CRR) is particularly valuable if you have business continuity or compliance requirements to store backups a minimum distance away from your production data. When you define a backup copy, you configure the following options:
Copy to destination - The destination Region for the backup copy.
Destination backup vault - The destination backup vault for the copy.
(Advanced Settings) Transition to cold storage
(Advanced Settings) Retention period
Note: Cross-Region Copy incurs additional data transfer costs. You can refer to the AWS Backup pricing page for more information.

12. Create the plan
Tags added to recovery points - The tags that you list here are automatically added to backups when they are created.
Advanced backup settings - Enables application-consistent backups for third-party applications that are running on Amazon EC2 instances. Currently, AWS Backup supports Windows VSS backups. This is only applicable for Windows EC2 Instances running SQL Server or Exchange databases.
Choose Create plan.
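
The plan assembled in steps 5 to 12 can also be written as a document for the Define a plan using JSON option. The Python below is an added example, not AWS's own code: it builds that document for RDS-webapp / RDS-Dailies and checks it against the limits this guide states (rule-name format, retention bounds, the 35-day continuous-backup limit, a copy destination outside the source Region). The destination vault ARN is a constructed placeholder, and treating "100 years" as 36,500 days is an assumption.

```python
import re

SOURCE_REGION = "us-east-1"                    # Region used throughout this guide
RULE_NAME = re.compile(r"[A-Za-z0-9-]{1,63}")  # limit stated in step 6
MAX_SNAPSHOT_DAYS = 100 * 365                  # "100 years" taken as 36,500 days (assumption)
MAX_CONTINUOUS_DAYS = 35                       # continuous-backup limit from steps 9 and 10


def build_plan(retention_days, continuous=False, copy_vault_arn=None):
    """Build the RDS-webapp plan with its single RDS-Dailies rule."""
    rule = {
        "RuleName": "RDS-Dailies",
        "TargetBackupVaultName": "FinancialBackups",  # example vault name from step 8
        "ScheduleExpression": "cron(0 5 ? * * *)",    # daily, 5 AM UTC
        "StartWindowMinutes": 480,                    # 8-hour backup window
        "EnableContinuousBackup": continuous,
    }
    if retention_days is not None:
        rule["Lifecycle"] = {"DeleteAfterDays": retention_days}
    if copy_vault_arn:
        rule["CopyActions"] = [{"DestinationBackupVaultArn": copy_vault_arn}]
    return {"BackupPlanName": "RDS-webapp", "Rules": [rule]}


def lint_plan(plan):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    for rule in plan["Rules"]:
        name = rule.get("RuleName", "")
        if not RULE_NAME.fullmatch(name):
            findings.append(f"{name!r}: rule name must be 1-63 alphanumerics or hyphens")
        days = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        if days is not None and days < 1:
            findings.append(f"{name}: retention must be at least 1 day")
        elif rule.get("EnableContinuousBackup") and (days is None or days > MAX_CONTINUOUS_DAYS):
            findings.append(f"{name}: continuous backups need a retention of 1-35 days")
        elif days is None:
            findings.append(f"{name}: no retention period, backups are kept indefinitely")
        elif days > MAX_SNAPSHOT_DAYS:
            findings.append(f"{name}: retention exceeds 100 years")
        for copy in rule.get("CopyActions", []):
            # The Region is the fourth colon-separated field of the vault ARN.
            if copy["DestinationBackupVaultArn"].split(":")[3] == SOURCE_REGION:
                findings.append(f"{name}: copy destination is in the source Region")
    return findings

# Constructed destination ARN (placeholder account ID and vault name).
DR_VAULT = "arn:aws:backup:us-west-2:111122223333:backup-vault:dr-vault"
print(lint_plan(build_plan(35, continuous=True, copy_vault_arn=DR_VAULT)))  # passes
print(lint_plan(build_plan(90, continuous=True)))                           # flagged
```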

13. Assign resources
When you assign a resource to a backup plan, that resource is backed up automatically according to the backup plan. The backups for that resource are managed according to the backup plan. You can assign resources using tags or resource IDs. Using tags to assign resources is a simple and scalable way to back up multiple resources.
Select the created backup plan, and select the Assign resources button.

14. Enter an assignment name
Resource assignment name - Provide a resource assignment name.
IAM role - When creating a tag-based backup plan, if you choose a role other than Default role, make sure that it has the necessary permissions to back up all tagged resources. AWS Backup tries to process all resources with the selected tags. If it encounters a resource that it doesn't have permission to access, the backup plan fails.

15. Choose a resource selection type
Define resource selection - You can choose to include all resource types or specific resource types.

16. Define resource assignments
For resource ID-based assignment, select Resource type and the name of the resource.
To exclude specific resource IDs, select Resource type and the name of the resource.

17. Assign the resources to the backup plan
For tags-based resource assignment, provide the key-value pair of the Amazon RDS database.
Select Assign resources. The resources are now assigned to the backup plan.

18. View the backup job
Navigate to the AWS Backup console. The backup jobs are listed under Jobs.
A backup, or recovery point, represents the content of a resource, such as an Amazon Elastic Block Store (Amazon EBS) volume or Amazon RDS database, at a specified time. Recovery point is a term that refers generally to the different backups in AWS services, such as Amazon EBS snapshots and Amazon RDS backups. In AWS Backup, recovery points are saved in backup vaults, which you can organize according to your business needs. Each recovery point has a unique ID.

Restore of an Amazon RDS database using AWS Backup
1. Select the backup
Navigate to the backup vault that was selected in the backup plan and select the latest completed backup.

2. Restore the RDS instance
To restore the database, click on the recovery point ARN and select Restore.

3. Review restore configuration
Selecting Restore opens the Restore backup screen, which shows the instance specifications and configuration for the Amazon RDS database. Select the DB engine, License Model, and DB instance class.
Multi AZ - Using a Multi-AZ deployment will automatically provision and maintain a synchronous standby replica in a different Availability Zone. Note that you will have to pay for Multi-AZ deployment.
Storage type - Select Provisioned IOPS (SSD).
Provisioned IOPS - The requested number of I/O operations per second that the DB instance can support. Enter 3000.

4. Enter a name for the DB instance
DB Instance Identifier - Type a name for the DB instance that is unique for your account in the Region that you selected. If you're restoring from a DB instance that you deleted after you made the DB snapshot, you can use the name of that DB instance.

5. Configure network and security settings
Select the appropriate network and security settings:
VPC - Select the VPC where the database needs to be restored to.
Subnet group - Select the subnet group in the VPC where the database needs to be restored to.
Public accessibility - Choose whether the DB instance should have a public address. If you choose Yes, an IP address is allocated for your database instance so that you can connect to the database directly from your own device.
Availability zone - Choose No Preference.

6. Select database options
Select the appropriate database options.
Database port - Leave the default value of 3306.
DB parameter group - Leave the default value.
Option Group - Leave the default value. Amazon RDS uses option groups to enable and configure additional features.
IAM DB Authentication Enabled - You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. Select Enable IAM DB authentication.

8. Configure encryption
Encryption - This is the master key that will be used to protect the key that is used to encrypt the database volume. You can choose from master keys in your AWS account or enter the Amazon Resource Name (ARN) of a key from a different account.

9. Select log types
Log exports - Select the log types to publish to Amazon CloudWatch logs.

10. Configure automatic maintenance
Maintenance - Select Yes if the DB instance should receive automatic engine version upgrades.

11. Choose a restore role
Restore role - Select the Default role or Choose an IAM role.

12. Restore the backup
Select Restore backup.

13. Monitor the restore job
Your job will then appear under the Jobs section in the Restore jobs tab in the AWS Backup console.

14. Find the DB endpoint
Once the restore job is completed, you can navigate to the Amazon RDS console and use the endpoint to connect to the database.
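
The restore form sets network, authentication, logging and maintenance options for the new instance, so the planned values can be compared with the source instance before the restore is started. The Python below is an added example, not part of the original guide: the settings are modelled as dictionaries keyed by RestoreDBInstanceFromDBSnapshot parameter names (the mapping from console fields to those names is an assumption), the source instance is assumed to still exist, and all sample values are constructed.

```python
# Fields set in restore steps 5-10, named after RDS API parameters.
SECURITY_FIELDS = ("PubliclyAccessible", "DBSubnetGroupName", "Port",
                   "EnableIAMDatabaseAuthentication", "AutoMinorVersionUpgrade")


def review_restore(restore, source):
    """Compare planned restore settings with the source instance's settings."""
    findings = []
    for field in SECURITY_FIELDS:
        if restore.get(field) != source.get(field):
            findings.append(
                f"{field}: source={source.get(field)!r} restore={restore.get(field)!r}")
    dropped = set(source.get("EnableCloudwatchLogsExports", [])) - set(
        restore.get("EnableCloudwatchLogsExports", []))
    if dropped:
        findings.append(f"log exports dropped: {sorted(dropped)}")
    if restore.get("PubliclyAccessible"):
        findings.append("PubliclyAccessible: instance will be given a public address")
    if restore.get("StorageType") == "io1" and not restore.get("Iops"):
        findings.append("Iops: required with Provisioned IOPS storage")
    if restore.get("DBInstanceIdentifier") == source.get("DBInstanceIdentifier"):
        findings.append("DBInstanceIdentifier: name is still used by the source instance")
    return findings


# Constructed sample settings for the analytics database used in this guide.
SOURCE = {
    "DBInstanceIdentifier": "analytics",
    "PubliclyAccessible": False,
    "DBSubnetGroupName": "private-db",
    "Port": 3306,
    "EnableIAMDatabaseAuthentication": True,
    "AutoMinorVersionUpgrade": True,
    "EnableCloudwatchLogsExports": ["audit", "error"],
}
SAFE_RESTORE = dict(SOURCE, DBInstanceIdentifier="analytics-restored",
                    StorageType="io1", Iops=3000)
RISKY_RESTORE = dict(SAFE_RESTORE, PubliclyAccessible=True,
                     EnableCloudwatchLogsExports=["error"])

print(review_restore(SAFE_RESTORE, SOURCE))    # no findings
for finding in review_restore(RISKY_RESTORE, SOURCE):
    print(finding)
```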

Clean up
In the following steps, you will clean up the resources you created in this how-to guide. It is a best practice to delete instances and resources that you are no longer using so that you are not continually charged for them.

1. Delete the restored database
Open the Amazon RDS console.
In the navigation pane, choose Databases.
Select the restored RDS database, and choose Actions, Delete.

2. Confirm deletion
To confirm deletion, type delete me into the field.
Note: This process can take several seconds to complete.

Additional resources: Working with Amazon RDS and Amazon Aurora
Conclusion
You successfully created an on-demand backup job of an Amazon RDS database! You also used a backup plan to back up Amazon RDS resources. As a great next step, check out recently published AWS Backup blogs to further your AWS Cloud knowledge.