AWS Backup: Automate Database Backup and Cross Region Copy

Harshvijaythakkar
Oct 16, 2023


AWS Backup is a fully-managed service that makes it easy to centralize and automate data protection across AWS services.

Some Key Features of AWS Backup:

  1. Centralized backup management: Using AWS Backup, you can centrally manage backups of all supported resources.
  2. Policy-based backup: You create a backup policy, known as a backup plan, to define your backup requirements.
  3. Tag-based backup policies: You can filter your resources based on the tags applied to them.
  4. Lifecycle management policies: You can configure lifecycle policies that automatically transition backups from warm storage to cold storage according to a schedule that you define.
  5. Cross-Region backup: Using AWS Backup, you can copy backups to multiple different AWS Regions on demand or automatically as part of a scheduled backup plan.
  6. Incremental backups: AWS Backup efficiently stores your periodic backups incrementally. The first backup of an AWS resource backs up a full copy of your data. For each successive incremental backup, only the changes to your AWS resources are backed up.
  7. Secure your data in backup vaults: The content of each AWS Backup backup is immutable, meaning that no one can alter that content. AWS Backup further secures your backups in backup vaults, which separate them safely from their source instances.

In this blog post I will explain how the AWS Backup service can help you automate the backup of your database clusters / instances.

Architecture Diagram:

AWS Backup: Automate RDS Snapshot

  1. The AWS Backup plan runs on its schedule and takes an RDS snapshot of the databases specified in Resource assignments
  2. After the job is complete, it stores the recovery point in the source Region’s backup vault
  3. Once the recovery point is stored in the source Region’s backup vault, it initiates a copy job that copies the recovery point to the target Region’s backup vault

Steps:

  1. Go to the AWS Backup console and click on “Backup plans”
  2. Click Create Backup plan
  3. Start options
    • Select Build a new plan
    • Give it a name (e.g. my-db-backup-plan)
  4. Backup rule configuration
    • Give it a name (e.g. my-db-backup-rule)
    • Backup vault -> default
    • Backup frequency -> daily (You can change this based on your requirements. You can also use a custom cron expression)
    • Backup window
      a. Select customize backup window
      b. Enter your preferred Backup window start time
      c. Start within -> Select 1 hr
      d. Complete within -> leave the default value
    • Transition to cold storage -> Never (You can select based on your need)
    • Retention period -> 3 days (You can select based on your need)
    • Copy to destination -> Select your destination Region (Optional; if you don’t select any Region, your recovery point will not be copied)
      If you have selected a destination Region, expand Advanced settings and select Transition to cold storage and Retention period based on your requirements. You can add more Regions if required
    • Click on create plan
  5. Assign resources
    • Give a name to the resource group
    • IAM role -> Select the default role; it has all the required permissions
    • Resource selection
      a. Select Include specific resource types (since we want to back up only Aurora / RDS databases)
      b. In Select specific resource types -> Select Aurora (if you have an AWS Aurora cluster) or select RDS (if you have an RDS instance). You can also select both options
      c. Once the resource types are selected, you can choose to include all Aurora / RDS databases OR select specific Aurora / RDS databases
      d. If you want to select resources based on “tags”, add your Key / Value in the Refine selection using tags section
    • Click on assign resources

Once the first job is completed, you can view the snapshot in the AWS RDS console under Snapshots -> Backup service tab.
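The plan and resource assignment from the steps above, written as the request documents the AWS Backup API takes, together with a small audit that flags a rule with no cross-Region copy. This is an added example, not code from the original post; the account ID, Regions, role ARN, selection name, the `env` tag and the audit's retention rule are assumptions.

```python
# Added example: the console steps expressed as AWS Backup API documents.
# Account ID, Regions, role ARN and tag values are constructed placeholders.
SOURCE_REGION = "us-east-1"
DEST_VAULT_ARN = "arn:aws:backup:us-west-2:111122223333:backup-vault:Default"
ROLE_ARN = "arn:aws:iam::111122223333:role/service-role/AWSBackupDefaultServiceRole"

def build_plan(dest_vault_arn=None, retention_days=3):
    """BackupPlan document for backup:CreateBackupPlan (step 4)."""
    rule = {
        "RuleName": "my-db-backup-rule",
        "TargetBackupVaultName": "Default",            # the default vault
        "ScheduleExpression": "cron(30 15 * * ? *)",   # daily at 15:30 UTC
        "StartWindowMinutes": 60,                      # "Start within" 1 hr
        "Lifecycle": {"DeleteAfterDays": retention_days},  # never to cold storage
    }
    if dest_vault_arn:  # "Copy to destination" is optional
        rule["CopyActions"] = [{
            "DestinationBackupVaultArn": dest_vault_arn,
            "Lifecycle": {"DeleteAfterDays": retention_days},
        }]
    return {"BackupPlanName": "my-db-backup-plan", "Rules": [rule]}

def build_selection(role_arn, tag=None):
    """BackupSelection document for backup:CreateBackupSelection (step 5)."""
    selection = {
        "SelectionName": "my-db-resources",
        "IamRoleArn": role_arn,
        # Resource types RDS and Aurora, all databases
        "Resources": ["arn:aws:rds:*:*:db:*", "arn:aws:rds:*:*:cluster:*"],
    }
    if tag:  # "Refine selection using tags"
        key, value = tag
        selection["Conditions"] = {"StringEquals": [
            {"ConditionKey": f"aws:ResourceTag/{key}", "ConditionValue": value}]}
    return selection

def audit_plan(plan, source_region):
    """Return (rule, finding) pairs for rules with weak copy settings."""
    findings = []
    for rule in plan["Rules"]:
        copies = rule.get("CopyActions", [])
        # Vault ARN: arn:<partition>:backup:<region>:<account>:backup-vault:<name>
        regions = {c["DestinationBackupVaultArn"].split(":")[3] for c in copies}
        if not regions - {source_region}:
            findings.append((rule["RuleName"], "no cross-Region copy"))
        keep = rule.get("Lifecycle", {}).get("DeleteAfterDays", float("inf"))
        for c in copies:
            if c.get("Lifecycle", {}).get("DeleteAfterDays", float("inf")) < keep:
                findings.append((rule["RuleName"], "copy expires before source"))
    return findings
```

The two documents can be passed to boto3's `create_backup_plan(BackupPlan=...)` and `create_backup_selection(BackupPlanId=..., BackupSelection=...)`; `audit_plan` also works on the `BackupPlan` element returned by `get_backup_plan`.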

Congratulations!!! 🥳 You have successfully configured AWS Backup to take backup of your Aurora / RDS databases.

Important Points to Consider

  1. If your database is encrypted using the default KMS key (aws/rds), then in the destination Region (if configured) the snapshot will be encrypted with the destination Region’s default (aws/rds) KMS key
  2. If your database is encrypted using a custom KMS key, then in the destination Region (if configured) the snapshot will be encrypted with the destination Region’s default (aws/rds) KMS key
  3. AWS Backup doesn’t guarantee that the backup job will start at the exact scheduled time; it starts the job within the “Start within” time you set during rule configuration.
    Example: If your backup frequency is 03:30 PM UTC every day and Start within is 1 hour, then the backup job will start anytime between 03:30 PM UTC and 04:30 PM UTC
  4. Once the recovery point (snapshot) is stored in the source Region’s vault, there is no fixed start time for the copy job that stores the recovery point (snapshot) in the destination Region’s vault
  5. If a recovery point is deleted by mistake from the backup vault in one Region, it will be available in another Region

Thank You!!
