Prerequisites for application consistency
The following sections provide information about the prerequisites that are required to successfully take application consistent snapshots in the AWS and Azure environments.
AWS
Cloud Snapshot Manager uses AWS Simple Systems Manager (SSM) and AWS Run Command interface to take application consistent snapshots of Windows instances. AWS SSM enables you to run commands inside eligible instances, without having to log in to the instances. The AWS Run Command interface helps Cloud Snapshot Manager to remotely and securely run application consistent snapshots in the SSM managed instances at scale.
For Cloud Snapshot Manager to successfully take an application consistent snapshot of the instance, the instance must:
- Be in running state.
- Be managed by SSM.
- Have outbound Internet access.
- Have an Identity and Access Management (IAM) policy that is attached to the IAM role or IAM user used by Cloud Snapshot Manager when adding an AWS account to Cloud Snapshot Manager.
- Have an IAM role that is attached to the protected instance with the AWS provided AmazonSSMManagedInstanceCore policy.
- Have all data volumes mounted.
In addition to the application consistent snapshot prerequisites, for VSS snapshots, the instance must:
- Run a supported version of Windows Server: Windows Server 2008 R2 or later.
- Have an IAM role that is attached to the protected instance with the permissions ec2:DescribeInstances, ec2:CreateTags, and ec2:CreateSnapshot in the IAM policy. In AWS, the permissions must be included in the JSON body in the following manner:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "ec2:CreateTags",
          "Resource": "arn:aws:ec2:*::snapshot/*"
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeInstances",
            "ec2:CreateSnapshot"
          ],
          "Resource": "*"
        }
      ]
    }
- Have SSM agent version 2.2.58.0 or greater installed.
- Have AWS VSS components installed. Instances that are created using Microsoft Windows Server AMIs dated November 18, 2017 or later have the VSS components preinstalled. If the Windows instances are not updated with the latest packages, you must perform additional steps to take VSS-enabled EBS snapshots.
For more information about the IAM policy and role for VSS-enabled snapshots, see the topic Create an IAM Role for VSS-Enabled Snapshots in AWS VSS Requirements.
In addition to the application consistent snapshot prerequisites, snapshots that use custom scripts require the following:
- SSM document must have only one plugin.
- SSM document must not accept any parameters.
For more information about SSM documents, see AWS SSM Prerequisites.
In the IAM policy that is attached to an IAM role or an IAM user used by Cloud Snapshot Manager, you can use any of the following properties to run documents with the names or naming convention that is specified:
- arn:aws:ssm:*:*:document/CSM-* -- This property invokes documents with the document name prefixed with 'CSM-'.
  NOTE: For existing users, replace arn:aws:ssm:*:*:document/CSM-Mount* with arn:aws:ssm:*:*:document/CSM-*.
- arn:aws:ssm:*:*:document/<Prefix-String>* -- This property invokes documents with the document name prefixed with the string you specify. For example, if arn:aws:ssm:*:*:document/MyOrg-* is used, the document name is prefixed with 'MyOrg-'.
You can also use arn:aws:ssm:*:*:document/<User's-SSM-Document-Name>, where User's-SSM-Document-Name is any name you choose for your SSM document. However, you must then add an entry to the IAM policy for every document. This is not recommended because it requires updating the permission policy every time a new document is added.
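The following pre-flight check is an added example, not code from Cloud Snapshot Manager or AWS. It tests an SSM document against the two custom-script prerequisites above (exactly one plugin, no parameters) and against the document ARN patterns in the IAM policy. The document name CSM-Freeze-SQL, the sample document body, the region and the account ID are constructed placeholders, and the wildcard match is a simplified approximation of how IAM evaluates Resource patterns.

```python
import json
import re

# Constructed sample: schema 2.2 Command document, one plugin, no parameters.
SAMPLE_DOC = json.dumps({
    "schemaVersion": "2.2",
    "description": "Quiesce the application before a snapshot (constructed)",
    "mainSteps": [{
        "action": "aws:runPowerShellScript",
        "name": "freeze",
        "inputs": {"runCommand": ["Write-Output 'flushing buffers'"]},
    }],
})

def plugins(doc):
    """List plugins: schema 2.x keeps them in mainSteps, 1.2 in runtimeConfig."""
    if "mainSteps" in doc:
        return [step.get("action") for step in doc["mainSteps"]]
    return list(doc.get("runtimeConfig", {}))

def iam_glob(pattern):
    """Compile an IAM Resource pattern: '*' is any run of characters, '?' one."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts), re.DOTALL)

def check_document(name, content, policy_resources,
                   region="us-east-1", account="111122223333"):
    """Return a list of prerequisite violations (empty means the document passes).

    region and account are placeholder values used only to build the ARN.
    """
    doc = json.loads(content)
    problems = []
    found = plugins(doc)
    if len(found) != 1:
        problems.append(f"expected exactly one plugin, found {len(found)}")
    if doc.get("parameters"):
        names = ", ".join(sorted(doc["parameters"]))
        problems.append(f"document accepts parameters: {names}")
    arn = f"arn:aws:ssm:{region}:{account}:document/{name}"
    if not any(iam_glob(p).fullmatch(arn) for p in policy_resources):
        problems.append(f"no policy Resource pattern covers {arn}")
    return problems

if __name__ == "__main__":
    for pattern in ("arn:aws:ssm:*:*:document/CSM-*",
                    "arn:aws:ssm:*:*:document/CSM-Mount*"):
        print(pattern, "->", check_document("CSM-Freeze-SQL", SAMPLE_DOC, [pattern]) or "OK")
```

Run against the older CSM-Mount* pattern, the same document is reported as not covered, which is the case the NOTE for existing users addresses.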
Azure
To create application consistent snapshots using custom scripts:
- The Azure Virtual Machine Agent (VM Agent) must be present and in running state. The VM Agent manages interactions between an Azure VM and the Azure Fabric Controller and is responsible for many functional aspects of deploying and managing Azure VMs, including running VM extensions.
The VM Agent is preinstalled on Azure Marketplace images, and can be installed manually on supported operating systems. The VM Agent for Windows is known as the Windows Guest Agent. For more information, see Azure extension documentation.
- The custom scripts to be executed must be uploaded to a Blob store location on your Azure subscription and must be accessible to Cloud Snapshot Manager through cloud account credentials.
- The custom scripts must be executable scripts. For Linux, the scripts can be any executable Shell script. For Windows, the scripts must be PowerShell scripts.