Traditional backup software works for on-premises workloads, but protecting the data for workloads running in the cloud is a new game. Backup windows may be non-existent, data may be scattered across geographies and platforms, and there may simply be too much to effectively traverse with traditional methods. Protecting cloud workload data requires some adjustments to your thinking. Join our storage experts to learn more about best practices for preventing loss, rolling back to recovery points, and fitting into backup windows. We will cover protection features and design considerations for protecting data with S3, Glacier, EBS and EFS. Learning Objectives: • Learn how to design for recovery points and recovery times using the native AWS storage tools for file, block and object storage

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
19 November 2016
Best Practices for Protecting
Cloud Workloads
Lee Kear– AWS Storage Specialist Solutions Architect

2. Agenda
 Traditional vs Cloud protection
 Amazon S3 - Object storage
 EC2 AMIs
 EBS
 RDS
 Third Party Tools
 Q&A

3. Traditional Datacenter
Servers
Hypervisor
OS
App
OS
App
OS
App
OS
App
Servers
Tier-1 SAN / NAS
AWS Cloud
App + OS
Management
& Infrastructure
Primary Storage
Region
Availability Zone 1 Availability Zone 2
AMI
(Amazon
Machine
Image)
Configuration Scripts
Cloud Formation
Templates
App
Data
Cloud
formation
Auto-
scaling
Amazon
S3
EC2
root
EC2
root
EC2
root
EC2
root
EC2
root
EC2
root
EC2
root
EC2
root
RDS
Requires Protection
*
Traditional protection vs Cloud protection

4. Amazon EFS
File
Amazon EBS
Amazon EC2
Instance Store
Block
Amazon S3 Amazon Glacier
Object
Storage is a platform: AWS Storage Maturity

5. Amazon S3 Amazon Glacier
Object
Object Storage is the Destination for Backups
RDS DynamoDB RedShift
Database
EMR Data Pipeline Kinesis
Analytics
LambdaEC2
Compute
CloudFront
Elastic
Transcoder
Content Delivery

6. What is Amazon S3
Highly durable object storage at cost effective prices
Internet-scale storage
Grow without limits
Low price per GB
per month
No commitment
No up-front cost
Built-in redundancy
Designed for
99.999999999%
durability
Benefit from AWS’s
massive security
investments

7. Key Features of Amazon S3
Data Management
 Cost monitoring and controls
 Lifecycle management
Ease of use
 Programmatic access using AWS SDKs
 REST APIs
 Management Console, AWS CLI
Event Notifications
 Delivered using SQS, SNS, or Lambda
 Enable you to trigger workflows, alerts or
other processing
Data protection
 Versioning
 Cross-region replication
Security
 Multi-factor authentication delete
 Flexible access control mechanisms
 Time-limited access to object
 Access logs
 Multiple client and server-side Encryption options

8. Active data Archive dataInfrequently accessed data
S3 - Standard S3 – Standard
Infrequent Access
Glacier
Choice of storage class on Amazon S3

9.  Preserve, retrieve, and restore every version of
every object stored in your bucket
 S3 automatically adds new versions and
preserves deleted objects with delete markers
 Easily control the number of versions kept by
using lifecycle expiration policies
 Easy to turn on in the AWS Management Console
Key = photo.gif
ID = 121212
Key = photo.gif
ID = 111111
Versioning
Enabled
PUT
Key = photo.gif
Amazon S3 Versioning

10. Versioning + lifecycle policies

11. Best Practice
Tip: Restricting deletes
 Bucket policies can restrict deletes
 For additional security, enable MFA (multi-factor
authentication) delete, which requires additional
authentication to:
 Change the versioning state of your bucket
 Permanently delete an object version
 MFA delete requires both your security credentials
and a code from an approved authentication device

12. Automated, fast, and reliable asynchronous replication of data across AWS regions
 Only replicates new PUTs. Once S3 is
configured, all new uploads into a source
bucket will be replicated
 Entire bucket or prefix based
 1:1 replication between any 2 regions
 Versioning required
Source
(Virginia)
Destination
(Oregon)
Use cases:
 Compliance—store data hundreds of miles apart
 Lower latency—distribute data to regional customers)
 Security—create remote replicas managed by separate AWS accounts
Amazon S3 Cross-region Replication

13. Client-side encryption use AWS SDKs
 You manage the encryption keys and never send them to AWS
Server-side encryption (SSE) with Amazon S3 managed keys
 “Check-the-box” to encrypt your data at rest. Keys managed by S3
SSE with customer provided keys
 You manage your encryption keys and provide them for PUTs and GETS
SSE with AWS Key Management Service managed keys
 Keys managed centrally in AWS KMS with permissions and auditing of usage
For more details – watch Encryption and Key Management in AWS:
https://www.youtube.com/watch?v=uhXalpNzPU4
Amazon S3 Data Encryption Options

14. Amazon Glacier
is optimized for
infrequent retrieval
Stop managing
physical media
Even lower cost than
Amazon S3;
Same high durability
3-5 hour retrieval latency
%5 free tier on retrievals
$0.007 per GB/month
$86 per TB/year
Replace tape libraries, VTLs
What is Amazon Glacier
Archival storage for infrequently accessed data

15. Key Features of Amazon Glacier
Vault Inventory
 Inventory all archives
 Available as JSON or CSV
Ease of use
 Programmatic access using AWS SDKs
 REST APIs
 Management Console, AWS CLI
Data Retrieval Policies
 Define data retrieval limits and cost ceiling
 Example: ”Free Tier Only”, “Max Retrieval Rate”
Access Controls
 Integrated with AWS IAM
 Supports MFA device access
Integrated Lifecycle Management
 Integrated with Amazon S3 Lifecycle policies
 Establish auto-archive rules for Amazon S3 objects
Tagging Support
 Tag vaults for cost management
 Filter cost reports based on tags

16. Working with AMI (Amazon Machine Images)
AZ1
AZ2 AZ3
Region
S3
Linux
Windows
EC2
root
Custom
EC2
root
EC2
root
Region
S3
Linux
Windows
Custom
Sydney
Oregon

17. Protecting data in EBS (Elastic Block Store)
AZ1
AZ2 AZ3
Region
S3
EC2
Instance
Store Elastic Block Store (EBS)
/data
Snap 1
Snap 2
Snap 3
EC2
Instance
Store
Elastic Block Store (EBS)
/data

18. Amazon RDS engines
Commercial Open source Amazon Aurora

19. RDS Backups
MySQL, PostgreSQL, MariaDB, Oracle, SQL Server
 Scheduled daily backup of entire instance in user defined 30 minute backup window
 Archive database change logs
 35 day max retention for backups
 Stored in S3
 Latest restorable time is typically within 5 minutes of current time
Aurora
 Automatic, continuous, incremental backups
 Point-in-time restore
 No impact on database performance
 35 day retention

20. RDS Snapshots
 Full copies of your Amazon RDS database that
are separate from your scheduled backups
 User initiated
 Backed by Amazon S3
 Used to create a new RDS instance
 Remain encrypted if using encryption
 Can be shared with other accounts
 Can be copied to other regions

21. Use cases:
 Resolve production issues
 Nonproduction environments
 Point-in-time restore
 Final copy before terminating a database
 Disaster recovery
 Cross-region copy
 Copy between accounts
RDS Snapshots

22.  Restoring creates an entire new database instance
 You define all the instance configuration just like a new instance
Restoring

23. Redshift
 Automatic, continuous, incremental backups
 Point-in-time restore
 By default - 1 day retention
 Can be extended to 35 days
 Can create final snapshot before deleting
a Redshift cluster

24.  Automated Backup and instant recovery of EC2 environments
 Brings Enterprise-class backup to Amazon EC2
 Enables EC2 Disaster Recovery across AWS Accounts and Regions
Cloud Protection Manager
 Easy and simple backup of VMs
 Flexible, automated scheduling
 Policy-based asset management
 Application-consistent backup
 Secure, reliable, scalable
 Instant recovery of full VMs
 Extensive Alerts and reporting
 Point in time block-level incremental
snapshots
 Snapshot data stored in S3
 Instant recovery of volumes
 Available across availability zones
 Multi-region copy
Enterprise-class Backup Software AWS Native Snapshots
CPM Brings Backup to Amazon EC2

25. Commvault Ties Together On Premise and
Cloud Data Strategies
AWS and Commvault together combine to minimize
networking, storage and infrastructure costs, while
providing the business a sound data protection and
disaster recovery strategy.
Commvault Orchestrates the Enterprise
 Back up in the Cloud: Keep backups of cloud
workloads internal to the cloud.
 Back up to the Cloud: Allow on premise workloads
the ability to leverage AWS. For large data sets, seed
the cloud with snowball.
 Disaster Recovery in the Cloud: Provide DRaaS,
recover workloads for on premise solutions and in
cloud workloads.
 Workload Portability: Portability to and from the cloud.
For large data sets, seed the cloud with snowball.
 Archiving to the Cloud: Moving legacy data to tier 2
storage in the cloud for long term archive.

26. IntelliSnap
Snapshot integration to
collapse backup windows
Discover and categorize Instances
By Region, Zone, OS, Name, etc
Recover entire VM, parts of a VM
or individual items from any copy
target
Discover
Restore
EC2
Policy driven retention of snap, object
storage, onsite disk and tape copies
Snapshot
Leverage
Copy
1
Live Browse Replicate Migrate
2 3 3
Automatically discover newly created
EC2 instances which fall outside
defined categories
Leverage AWS Snap engine for
• Agent-less Instance Protection
• Oracle Agent
• Linux FS Agent
EC2
EC2
Oracle
EC2
FS
EC2
S3
EC2
Glacier
S3-IA

27. Strategies for Cloud Data Protection – S3
 Take advantage of S3
 (maximize durability, scalability and costs efficiency)
 Use Versioning to Create Recycle Bin
 Use MFA Delete to prevent deletion
 Use Cross Region Replication to Another Account for the most critical data

28. Strategies for Cloud Data Protection – EC2
 Keep EC2 Instances stateless (less to protect)
 Use AMIs + Scripts + Automation
 (Cloud Formation, Auto-scaling or 3rd party tools)
 Leverage AMIs to keep durable copies of pre-configured operating
systems and apps

29. Strategies for Cloud Data Protection - EBS
 When using EBS, snapshots can create durable
copies of whole volumes
 Third Party solutions can make managing your
EBS snapshots easier

30. Strategies for Cloud Data Protection - RDS
 Leverage managed services for database workloads
 Backups are done for you!
 Easy to restore!
 RDS Snaphots give you flexibility to point in time copy of your
database that can be copied to another region or another account.

31. What’s next?
Getting started with S3 and Glacier:
http://aws.amazon.com/s3/getting-started/
http://aws.amazon.com/glacier/getting-started/
Getting started with EC2 and EBS:
https://aws.amazon.com/ec2/getting-started/
https://aws.amazon.com/ebs/getting-started/
Getting started with RDS:
https://aws.amazon.com/rds/getting-started/
AWS Youtube channel:
https://www.youtube.com/user/AmazonWebServices/playlists

32. Q&A
Learn more at:
http://aws.amazon.com/s3/
http://aws.amazon.com/ebs/
http://aws.amazon.com/rds/
leke@amazon.com