AWS Storage Blog

Backup and restore Amazon FSx for OpenZFS with AWS Backup

On May 17, 2022, AWS Backup announced support for Amazon FSx for OpenZFS, adding to the supported AWS services across compute, storage, and databases. Amazon FSx for OpenZFS customers can now leverage centralized, policy-based management of their data protection and compliance across multiple AWS services to simplify and scale their operations.

FSx for OpenZFS snapshots make it easy and quick to create a development environment. Some customers need to back up their environments and then copy those backups for storage or development to a different AWS account. To access backed up data in the destination account, you need to restore it first.

In this post, we demonstrate how to use AWS Backup to back up an Amazon FSx for OpenZFS file system, make a copy of the backup to a different account, and restore the file system locally in that account. AWS Backup makes it easy to back up data, copy backups across accounts, and restore backups in the destination account, giving you flexibility to use your data while also helping you ensure compliance with data protection requirements and regulations.

Solution overview

Amazon FSx for OpenZFS is a high-performance, cost-effective shared file storage with hundreds of microseconds latency and 1 million input/output operations per second (IOPS) accessed via a Network File System (NFS) (v3, v4–4.2) protocol. It provides the familiar features, performance, and capabilities of OpenZFS file systems with the agility, scalability, and simplicity of a fully managed AWS service.

AWS Backup is a fully managed backup service that enables you to centralize and automate data protection of AWS services across compute, storage, and databases based on organizational best practices and regulatory standards. Moreover, using the AWS Backup Audit Manager feature helps you maintain and demonstrate compliance with your data protection policies.

This solution uses two AWS accounts, which are described in the following solution architecture diagram.

Account A (source account) is configured with the Amazon FSx for OpenZFS file system, which consists of volumes, snapshot volumes, and clone volumes. This Amazon FSx for OpenZFS file system is backed up periodically by AWS Backup.

The backup data is also copied to Account B (destination account). We then restore the latest backup from the copied snapshot and mount the restored volume to a Linux Amazon EC2 instance in Account B and confirm that the data can be accessed normally.

Figure 1: Backup and restore Amazon FSx for OpenZFS with AWS Backup

Prerequisites

  • AWS Accounts: Prepare a source account A and a destination account B.
  • AWS Organizations: The abovementioned AWS accounts should belong to the same organization in AWS Organizations. This is a mandatory requirement for cross-account copy.
  • VPCs: These two VPCs must be able to communicate with each other.
  • Customer managed keys (CMK) of AWS Key Management Service (KMS): In Account A, create a CMK to encrypt the FSx for OpenZFS file system. In Account B, create a CMK to encrypt the destination Backup Vault.
  • FSx for OpenZFS file system: The file system must be encrypted with an AWS KMS customer managed key. In this walkthrough, the file system also has a snapshot volume and a clone volume. At the time this blog was published, the encryption key of an FSx for OpenZFS file system cannot be changed. If you used the default AWS managed key for FSx, restore from the latest backup data and specify the customer managed key as the encryption key when restoring.

Walkthrough

The following is a high-level overview of the procedure:

1. Create and configure backup resources

a. Create backup vault in destination account
b. Enabling cross-account backup
c. Opt-in FSx for OpenZFS for backup
d. Grant CMK access permission to destination account
e. Create backup vault
f. Create backup plan
g. Create resource assignments

2. Confirm backup and copy job status

a. Confirm Backup jobs status
b. Confirm Copy jobs status

3. Restore

a. Create security group for Amazon FSx for OpenZFS
b. Restore from the snapshot
c. Check on the restore status

4. Mount the FSx for OpenZFS file system on Linux

a. Mount the volume

1. Create and configure backup resources

We will start with Account B in the AWS Management Console. Search for AWS Backup, then go to the AWS Backup management console. In the management console, we will create a backup vault to store the FSx for OpenZFS backups.

a. Creating backup vault in Account B

Create a Backup vault to store backup data copies of the Amazon FSx for OpenZFS file system.

  1. Select Backup vaults in the AWS Backup console. Select Create Backup vault.

Figure 2: Backup vaults selection

  2. In Backup vault name, enter the name of the Backup Vault that will contain the backup data copies of the Amazon FSx for OpenZFS file system. For Encryption Key, select the AWS KMS customer-managed key. Select Create Backup vault.

Figure 3: Backup vault creation

  3. Open the created Backup vault and copy the Backup vault ARN. We will use it later in this post.

Figure 4: Backup vault ARN confirmation

  4. Select Edit in the Access policy section.

Figure 5: Edit access policy

  5. Write a policy in JSON. Replace <Source account ID> with the AWS account ID of your source account (account A). Select Save policy once you’ve added it.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow account to copy into backup vault",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Source account ID>:root"
            },
            "Action": "backup:CopyIntoBackupVault",
            "Resource": "*"
        }
    ]
}

This access policy allows AWS Backup to copy the recovery points from Account A to the backup vault in Account B.
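The following check is an added example, not part of the original post: it audits a vault access policy document and reports any Allow grant that goes beyond backup:CopyIntoBackupVault for the expected source account. The function names, the placeholder account ID 111122223333, and both sample policies are constructed for illustration.

```python
import json

COPY_ACTION = "backup:copyintobackupvault"

def _as_list(value):
    """IAM policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID from a bare ID or an IAM ARN; '*' stays a wildcard."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def audit_vault_policy(policy, allowed_accounts):
    """List Allow grants beyond CopyIntoBackupVault for the expected accounts."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for acct in map(_account_of, principals):
            if acct == "*":
                # A wildcard is bounded only if a condition pins the organization.
                if "aws:principalorgid" not in json.dumps(stmt.get("Condition", {})).lower():
                    findings.append(f"{sid}: wildcard principal without aws:PrincipalOrgID")
            elif acct not in allowed_accounts:
                findings.append(f"{sid}: unexpected account {acct}")
        for action in _as_list(stmt.get("Action")):
            if action.lower() != COPY_ACTION:
                findings.append(f"{sid}: action {action} exceeds CopyIntoBackupVault")
    return findings

# Constructed samples: the page's policy with a placeholder source account ID,
# and a deliberately loose policy to show what the audit reports.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow account to copy into backup vault",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "backup:CopyIntoBackupVault",
        "Resource": "*",
    }],
}
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
     "Action": ["backup:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_vault_policy(LOOSE_POLICY, {"111122223333"}))
```

The policy shown in this post produces no findings when 111122223333 is the expected source account; the loose sample is reported for both its wildcard principal and its wildcard action.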

b. Enabling cross-account backup

Log in to Account A and select Settings in the left pane of the AWS Backup console. Select Enable for Cross-account backup, as shown in Figure 6.

This procedure must be performed in an AWS Organizations management account. In this environment, Account A is the management account.

Figure 6: Cross-account backup activation

c. Opt-in FSx for OpenZFS for backup

Check whether the FSx service has been opted in for backup.

Figure 7: Opt-in FSx service

d. Grant CMK access permission to Account B

Next, grant CMK access permission to the destination account. In the AWS KMS console, select Customer managed keys, then choose the CMK for FSx encryption. In the Other AWS accounts section, select Add other AWS accounts and enter Account B’s ID. Select Save changes.

Figure 8: Grant CMK access permission to destination account

e. Create backup vault

Create a Backup vault to store backup data for the FSx for OpenZFS file system. Select Backup vaults in the AWS Backup console. Select Create Backup vault.

Figure 9: Backup vaults selection

In Backup vault name, enter a name for the Backup Vault that will store the backup recovery points for the Amazon FSx for OpenZFS file system. Alternatively, you can use an existing Backup Vault instead of creating a new one. For Encryption Key, select either the AWS KMS default AWS managed key (aws/backup) or a customer-managed key. In this post, we select a customer-managed key, and then choose Create Backup vault to create the vault.

Figure 10: Backup vault creation

f. Create backup plan

Create a backup plan for the Amazon FSx for OpenZFS file system. Select Backup plans in the AWS Backup console. Select Create backup plan.

Figure 11: Backup plan selection

Select Build a new plan, then enter a name for the backup plan in the Backup plan name field.

Figure 12: Backup plan creation 1

Enter a name for the backup rule in the Backup rule name field, then select the backup vault created in the preceding step. We configure the backup to run every 12 hours. The backup window starts at 5 AM UTC, and the backup job should start within 1 hour after the backup window opens.

In this demo, we want to make sure the backup job will not continue after 4 hours of running, so that each job either reaches the Completed state or is forcibly set to the Expired state.

Once a backup completes, we want to keep it for 1 month, so the Retention period is set to 1 month.

Figure 13: Backup Plan Creation 2

By default, a backup job can run for 7 days before it must complete. For large file systems, particularly when a backup job runs its initial full backup, configure the Complete within window to up to 30 days to allow the backup to complete.

For Copy to destination, specify the same region as the source account A. Enable Copy to another account’s vault and enter the ARN of the Backup vault created for account B during step 1 in the External vault ARN field. Other settings are optional. After setting all items, select Create plan to create a backup plan.

Figure 14: Backup Plan Creation 3

g. Assign resources selection

From the newly created backup plan, select Assign resources in the Resource assignments section to add backup selections.

Figure 15: Assign resources selection

Enter a name in the Resource assignment name field; the rest of the settings are optional. In this example, we select the Default role as the IAM role to run the backup. In the Assign Resources section, select Include specific resource types, then specify FSx as the Resource type. From the File system and volume IDs drop-down menu, choose the FSx ID. Select Assign resources to complete the backup resource configuration.

Figure 16: Assign resources setting

This completes the creation of the backup plan. Backups will now be performed in the time window we configured. Once the backup jobs are completed successfully, a copy of the recovery points will be replicated to the backup vault we specified in the destination account.

2. Confirm backup and copy job status

Confirm that the FSx for OpenZFS backup and copy jobs have completed successfully.

a. Confirm Backup jobs status

In Account A, select Jobs from the left pane of the AWS Backup console. Select the Backup jobs tab. Confirm that the backup job status shows Completed.

Figure 17: Backup jobs status check

b. Confirm Copy jobs status

Select Copy jobs. A list of copy jobs is displayed. Confirm that the Resource type is FSx and the Destination Backup Vault is the target backup vault in Account B. Confirm that the Status is Completed.

The source configuration overrides its copy’s expiration setting. If you want to retain the copies with a different expiry from the source, you can change the copy to expire based on your needs after the copy is created.

Figure 18: Copy jobs status check

3. Restore

Restore the FSx for OpenZFS file system using the backup data copied to Account B.

a. Create security group for Amazon FSx for OpenZFS

In Account B, create a security group for the Elastic Network Interface of the Amazon FSx for OpenZFS file system. (This post does not describe the detailed procedure for creating security groups. Please refer to Creating a VPC security group for more information.) Make sure the security group is created in the same VPC where the Amazon FSx for OpenZFS file system resides.

To mount the Amazon FSx for OpenZFS file system, inbound rules that allow the NFS server-related TCP and UDP ports 111, 2049, and 20001 to 20003 are required. It is recommended to restrict the source IP addresses in the security group rules to further strengthen access control.

Figure 19: Security Group for FSx for OpenZFS
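As an added example (not part of the original post), the following check takes a security group's inbound rules in the IpPermissions shape returned by the EC2 DescribeSecurityGroups API and reports which of the required NFS protocol and port pairs are not admitted, and which NFS rules accept traffic from any address. The function names and the sample rules, including the 10.0.1.0/24 client subnet, are constructed for illustration.

```python
REQUIRED_PORTS = (111, 2049, 20001, 20002, 20003)  # NFS ports listed in this post
PROTOCOLS = ("tcp", "udp")
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def _covers(rule, proto, port):
    """True if the ingress rule admits proto/port ('-1' means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return (rule["IpProtocol"] == proto
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def _cidrs(rule):
    """All IPv4 and IPv6 source ranges named by the rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def audit_nfs_ingress(ip_permissions):
    """Return (missing, world_open): required proto/port pairs that no rule
    admits, and rules touching an NFS port whose source is any address."""
    missing = [(proto, port) for proto in PROTOCOLS for port in REQUIRED_PORTS
               if not any(_covers(r, proto, port) for r in ip_permissions)]
    world_open = []
    for rule in ip_permissions:
        touches_nfs = any(_covers(rule, p, port)
                          for p in PROTOCOLS for port in REQUIRED_PORTS)
        for cidr in _cidrs(rule):
            if touches_nfs and cidr in ANY_SOURCE:
                world_open.append(f"{rule['IpProtocol']} {rule.get('FromPort')}-"
                                  f"{rule.get('ToPort')} from {cidr}")
    return missing, world_open

def _rule(proto, lo, hi, cidr):
    """Build one constructed ingress rule in the IpPermissions shape."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed samples; 10.0.1.0/24 stands in for the NFS client subnet.
RESTRICTED = [_rule(p, lo, hi, "10.0.1.0/24") for p in PROTOCOLS
              for lo, hi in ((111, 111), (2049, 2049), (20001, 20003))]
TOO_OPEN = [_rule("tcp", 2049, 2049, "0.0.0.0/0")]

if __name__ == "__main__":
    print(audit_nfs_ingress(RESTRICTED))
    print(audit_nfs_ingress(TOO_OPEN))
```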

b. Restore from the snapshot

Select Protected resources from the left pane of the AWS Backup console. Choose the FSx type resource.

Figure 20: Protected resources

From the available recovery points, select the recovery point to restore and choose Restore.

Figure 21: Restore Target Selection

In the restore options, select Standard restore. With Standard restore, we have the flexibility to choose the VPC and subnet to which the OpenZFS file system is restored. We associate the VPC security group created in the previous step, specify a customer-managed key as the encryption key for the new file system, and select Default role as the role that AWS Backup assumes for the restore. After completing the restore settings, select Restore backup to launch the restore job.

Figure 22: Restore backup

c. Check on the restore status

Select Jobs from the AWS Backup console. Select the Restore jobs tab to list the restoration jobs that have completed. From the Restore jobs section, verify that the Amazon FSx for OpenZFS restore job has completed successfully.

Figure 23: Confirmation of restore results

Go to the Amazon FSx console and select File systems. Confirm that File systems type is OpenZFS. Confirm the Status is Available for the FSx for OpenZFS file system ID specified in File system ID.

Figure 24: FSx for OpenZFS file system confirmation

Select Volumes from the left pane. Confirm that all the volumes (including clone volumes) are displayed and that their statuses are shown as Available.

Figure 25: FSx for OpenZFS volume confirmation

Select Snapshots. Confirm that the snapshot volume is displayed and the Status is Available.

Figure 26: FSx for OpenZFS snapshot volume confirmation

We have confirmed that all the Amazon FSx for OpenZFS volumes, clone volumes, and snapshot volumes have been restored successfully.

4. Mount the FSx for OpenZFS file system on Linux

Mount the restored FSx for OpenZFS file system volume on a Linux EC2 instance running in Account B.

a. Mount the volume

Log in to the Linux EC2 instance, perform an NFS mount, confirm that the mount is successful, and verify the restored data on the volumes. Detailed instructions on how to mount Amazon FSx for OpenZFS are here.

Figure 27: NFS mount verification

Cleaning up

After the walkthrough is complete, confirm if the configured backup or restored FSx for OpenZFS file system is no longer needed. If so, you can delete the resources to prevent further charges.

Account B

  1. Delete the Amazon FSx for OpenZFS file system restored to Account B.

Select File systems in the Amazon FSx console, select the file system to be deleted, and then select Delete file system from the Action menu.

Select the box to delete the file system, enter the File system ID, and click Delete file system.

Figure 28: Deleting FSx for OpenZFS file system

  2. Delete AWS Backup recovery points

Go to the AWS Backup console and select Backup vaults. Open the Backup vault where a copy of the backup data is stored.

Figure 29: Backup vault selection

Select all backups from Backups and select Delete from Actions. Enter delete in the "To confirm deletion, type delete in the field" box and select Delete recovery points. Then choose Delete and select Delete Backup vault to delete the backup vault.

Figure 30: Backup vault selection

Account A

  1. Go to the AWS Backup console and select Backup vaults. Select the Backup vault where the backup data is stored. Delete the backup data and the backup vault by performing the same operations as previous steps.
  2. Select Backup plans and open the backup plan created in this walkthrough.

Figure 31: Backup plan selection

  3. Select Delete. Fill in the backup plan name and select Delete plan.

Figure 32: Backup plan deleted

This completes the cleanup process.

Conclusion

In this post, we showed how to back up and restore, enable cross-account copy, and confirm backup job status on Amazon FSx for OpenZFS by using AWS Backup. We also verified the restored file system by mounting the file system to a Linux Amazon EC2 instance in the destination account.

AWS Backup’s cross-account backup feature allows you to easily restore an FSx for OpenZFS file system to a different account. This allows you to restore backup data from the production environment to the development environment quickly and without complications, making it easy to put data to use while maintaining compliance with all data protection requirements and regulations.

For additional guidance, the following resources to help you get started with Amazon FSx for OpenZFS and AWS Backup:

Thank you for reading this post. Please leave your feedback in the comments section.

Michael Zhang

Michael Zhang is a Solutions Architect at AWS based in Sydney, Australia. He works with customers from various industries to build solutions for their business needs. Before AWS, Michael had over 15 years’ experience in solution design and implementation and was a lead consultant in high availability, disaster recovery and data protection domains. Outside of work, Michael is a 4th degree blackbelt head instructor in sword martial arts.

Shinji Hayama

Shinji Hayama is a Cloud Infrastructure Architect consultant at AWS Professional Service. He has more than a decade of experience in designing and building infrastructure architectures, with particular knowledge and experience in storage and backup. Recently, he likes FSx series.