EBS Snapshot
1. A snapshot is a way to take a point-in-time backup of an EBS volume. Because it is point in time, any data written to the volume after the snapshot process starts is not part of that snapshot image.
2. One important point: snapshots are stored in S3, but you cannot access them directly; you have to use the EC2 API to access them.
3. Snapshots are stored in an S3 (Simple Storage Service) bucket.
4. Per AWS account you can create a maximum of 10000 snapshots.
5. Snapshots are incremental. What does incremental mean here? Suppose you have 1 GB of data on an EBS volume and you take snapshot-1 at 10:00 AM; it creates an image of all the data existing in the volume. You then copy approximately 500 MB more data onto the volume and take snapshot-2 at 10:05 AM; AWS stores only the 500 MB of new data instead of 1.5 GB. So it increases the speed of snapshots.
6. If you delete snapshot-1, AWS copies the snapshot-1 data to the next snapshot, i.e. snapshot-2. So you do not lose data and can still create the whole volume from an incremental snapshot.
7. EBS volumes are availability-zone specific, but snapshots are region specific. So if you want to migrate a volume to a different availability zone, snapshots are one solution: create a snapshot of the volume and then create a volume from that snapshot in the other availability zone.
8. You can create a volume from a snapshot, and the volume size can be the same as or greater than the size of the original volume from which the snapshot was created.
9. The snapshot is created immediately but goes into the pending state, and moves to the completed state once the full snapshot has been written. The time this takes depends on the size of the volume.
10. You can take a snapshot of a non-root EBS volume while the EC2 instance is running. You can still access the EBS volume while the snapshot is pending, but I/O may be slower during that time because of the snapshot activity.
11. If you want to take a snapshot of an EBS-backed root volume, you have to stop the EC2 instance before taking the snapshot.
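Points 5 and 6 above are easier to see with a small model. The following is an added example, not AWS code: a volume is a dict of fixed-size blocks, each snapshot stores only the blocks that changed since the previous snapshot plus a link to it, restoring replays the chain, and deleting a snapshot migrates the blocks its successor still needs into that successor. The block size, block contents and the scaled-down "1 GB then 500 MB" scenario in demo() are constructed for the demo.

```python
"""Toy model of incremental EBS snapshots (added example, not AWS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BLOCK_SIZE = 4096  # bytes per block in this toy; constructed, not the real EBS block size


@dataclass
class Snapshot:
    snapshot_id: str
    parent: Optional[str]                       # previous snapshot in the chain, None for the first
    blocks: Dict[int, bytes] = field(default_factory=dict)  # only the blocks that changed

    def stored_bytes(self) -> int:
        """Bytes this snapshot actually stores (what the incremental design saves)."""
        return sum(len(b) for b in self.blocks.values())


class SnapshotStore:
    """Snapshot chain for one volume; stands in for the S3-backed snapshot store."""

    def __init__(self) -> None:
        self.snapshots: Dict[str, Snapshot] = {}
        self._order: List[str] = []             # creation order, oldest first

    def create_snapshot(self, snapshot_id: str, volume: Dict[int, bytes]) -> Snapshot:
        """Store only the blocks that differ from the previous snapshot's restored image."""
        parent = self._order[-1] if self._order else None
        baseline = self.restore(parent) if parent else {}
        changed = {i: data for i, data in volume.items() if baseline.get(i) != data}
        snap = Snapshot(snapshot_id, parent, changed)
        self.snapshots[snapshot_id] = snap
        self._order.append(snapshot_id)
        return snap

    def restore(self, snapshot_id: str) -> Dict[int, bytes]:
        """Rebuild the full volume image by replaying the chain, oldest snapshot first."""
        chain: List[Snapshot] = []
        cur: Optional[str] = snapshot_id
        while cur is not None:
            snap = self.snapshots[cur]
            chain.append(snap)
            cur = snap.parent
        volume: Dict[int, bytes] = {}
        for snap in reversed(chain):
            volume.update(snap.blocks)          # newer snapshots override older blocks
        return volume

    def delete_snapshot(self, snapshot_id: str) -> None:
        """Delete a snapshot; blocks the next snapshot still depends on move into it."""
        snap = self.snapshots[snapshot_id]
        idx = self._order.index(snapshot_id)
        if idx + 1 < len(self._order):
            child = self.snapshots[self._order[idx + 1]]
            for i, data in snap.blocks.items():
                child.blocks.setdefault(i, data)  # the child's own newer version wins
            child.parent = snap.parent
        del self.snapshots[snapshot_id]
        self._order.pop(idx)


def _block(i: int, version: int = 0) -> bytes:
    """Constructed block contents: block index and version repeated up to BLOCK_SIZE."""
    return (i.to_bytes(4, "big") + version.to_bytes(4, "big")) * (BLOCK_SIZE // 8)


def demo() -> Dict[str, int]:
    """Scaled-down version of the post's scenario: a full first snapshot, an incremental
    second one after writing more data, then deletion of the first snapshot."""
    store = SnapshotStore()
    volume = {i: _block(i) for i in range(256)}             # "1 GB" scaled to 256 blocks
    snap1 = store.create_snapshot("snapshot-1", volume)
    volume.update({i: _block(i) for i in range(256, 384)})  # "500 MB" more: 128 new blocks
    volume[0] = _block(0, version=1)                        # plus one rewritten block
    snap2 = store.create_snapshot("snapshot-2", volume)
    result = {
        "snap1_bytes": snap1.stored_bytes(),                # 256 blocks
        "snap2_bytes_before_delete": snap2.stored_bytes(),  # 129 changed blocks only
    }
    store.delete_snapshot("snapshot-1")
    restored = store.restore("snapshot-2")
    result["snap2_bytes_after_delete"] = snap2.stored_bytes()  # 384 blocks, migrated from snapshot-1
    result["restored_blocks"] = len(restored)
    result["restore_matches_volume"] = int(restored == volume)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows snapshot-2 holding only the 129 changed blocks until snapshot-1 is deleted, after which the 255 blocks it still relied on move into snapshot-2 and a restore from snapshot-2 still reproduces the whole volume.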
EBS Encryption
1. An EBS volume is connected to an EC2 instance over the network. When you use an encrypted EBS volume, data is encrypted on the EC2 instance and then transferred to the volume, so the data in transit between EC2 and the EBS volume is encrypted as well. In AWS, data at rest and data in transit are both encrypted when the encryption feature is used.
2. EBS encryption is supported on all EBS volume types and EC2 instance types.
3. Accessing an encrypted volume is exactly the same as accessing an unencrypted one, as the encryption is handled transparently by AWS.
4. There are several ways to encrypt an EBS volume at rest:
· Use third-party EBS encryption tools for SSD
· Use EBS volumes encrypted by AWS KMS
· Encrypt data at the application level
· Use an encrypted file system on top of the EBS volume
5. You can attach encrypted and unencrypted EBS volumes to the same EC2 instance.
6. A snapshot of an encrypted volume is also encrypted, and a volume created from an encrypted snapshot is also encrypted.
7. When you encrypt an EBS volume, you need to provide an encryption key. These keys are called CMKs (customer managed keys) and are managed by AWS KMS (Key Management Service). KMS provides AES-256 encryption keys.
8. You cannot change the encryption key of an encrypted volume. If you want to change it, create a snapshot of the volume, create a copy of this snapshot and provide the new encryption key in the snapshot copy process. Once the copy is complete, you can create a volume from the newly copied snapshot.
9. If you want to change the encryption state of a volume (encrypted to unencrypted), you have to use one of the ways below:
· Attach the encrypted volume and an unencrypted volume to an EC2 instance and copy the data from the encrypted volume to the unencrypted one.
· Via a snapshot: create a snapshot of the volume and then copy this snapshot to create an unencrypted snapshot. Once the copy process is complete, you can create a volume from the newly copied snapshot.
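The re-keying procedure in point 8 (snapshot, copy with a new key, create a volume from the copy), as an added example that is not AWS's own code. It also covers point 7 of the snapshot section, since the new volume can be placed in a different availability zone, and the size check of point 8 there. The functions take a boto3 EC2 client (boto3.client("ec2") in real use) and call create_snapshot, copy_snapshot, describe_snapshots, create_volume and the snapshot_completed / volume_available waiters; RecordingEC2 is a stand-in that records those calls so the flow runs offline. All IDs, the region, the availability zone and the key ARN are constructed placeholders. The example only adds or changes a key: CopySnapshot keeps an encrypted source encrypted, so it does not attempt the encrypted-to-unencrypted direction.

```python
"""Re-key an EBS volume through a snapshot copy (added example, not AWS code)."""
from typing import Any, Dict, List, Optional, Tuple


def snapshot_volume(ec2: Any, volume_id: str, description: str) -> str:
    """Create a snapshot and wait until it leaves the 'pending' state."""
    snapshot_id = ec2.create_snapshot(VolumeId=volume_id, Description=description)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snapshot_id])
    return snapshot_id


def copy_snapshot_with_key(ec2: Any, snapshot_id: str, region: str, kms_key_id: str) -> str:
    """Copy a snapshot so that the copy is encrypted under kms_key_id (a new CMK, or a
    first key for a previously unencrypted snapshot)."""
    copy_id = ec2.copy_snapshot(
        SourceSnapshotId=snapshot_id,
        SourceRegion=region,
        Encrypted=True,
        KmsKeyId=kms_key_id,
        Description=f"re-keyed copy of {snapshot_id}",
    )["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[copy_id])
    return copy_id


def volume_from_snapshot(ec2: Any, snapshot_id: str, availability_zone: str,
                         size_gib: Optional[int] = None) -> str:
    """Create a volume from a snapshot; the size may equal the original volume's size or exceed it."""
    original = ec2.describe_snapshots(SnapshotIds=[snapshot_id])["Snapshots"][0]["VolumeSize"]
    if size_gib is not None and size_gib < original:
        raise ValueError(f"requested {size_gib} GiB is smaller than the snapshot's {original} GiB")
    params: Dict[str, Any] = {"SnapshotId": snapshot_id, "AvailabilityZone": availability_zone}
    if size_gib is not None:
        params["Size"] = size_gib
    volume_id = ec2.create_volume(**params)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    return volume_id


def rekey_volume(ec2: Any, volume_id: str, region: str, new_kms_key_id: str,
                 availability_zone: str, size_gib: Optional[int] = None) -> Dict[str, str]:
    """Full procedure; availability_zone may differ from the source volume's AZ."""
    snapshot_id = snapshot_volume(ec2, volume_id, f"pre-rekey snapshot of {volume_id}")
    copy_id = copy_snapshot_with_key(ec2, snapshot_id, region, new_kms_key_id)
    new_volume_id = volume_from_snapshot(ec2, copy_id, availability_zone, size_gib)
    return {"snapshot_id": snapshot_id, "copy_id": copy_id, "volume_id": new_volume_id}


class RecordingEC2:
    """Offline stand-in for boto3's EC2 client: records each call, returns constructed IDs."""

    def __init__(self, snapshot_size_gib: int = 8) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []
        self._size = snapshot_size_gib
        self._n = 0

    def _id(self, prefix: str) -> str:
        self._n += 1
        return f"{prefix}-{self._n:017x}"       # constructed, EC2-style placeholder ID

    def create_snapshot(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": self._id("snap")}

    def copy_snapshot(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("copy_snapshot", kw))
        return {"SnapshotId": self._id("snap")}

    def describe_snapshots(self, **kw: Any) -> Dict[str, Any]:
        return {"Snapshots": [{"SnapshotId": kw["SnapshotIds"][0], "VolumeSize": self._size}]}

    def create_volume(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(("create_volume", kw))
        return {"VolumeId": self._id("vol")}

    def get_waiter(self, name: str) -> "RecordingEC2":
        return self                              # wait() below is a no-op offline

    def wait(self, **kw: Any) -> None:
        pass


if __name__ == "__main__":
    client = RecordingEC2()
    # Constructed placeholders: volume ID, region, key ARN and target AZ.
    out = rekey_volume(client, "vol-0123456789abcdef0", "us-east-1",
                       "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
                       "us-east-1b", size_gib=16)
    print(out)
    for name, args in client.calls:
        print(name, args)
```

With a real client the two waiters are what make the ordering safe: the copy must not start until the source snapshot has left the pending state, and the volume must not be created until the copy is complete.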
Snapshot Sharing
1. You can create a volume from a snapshot. By default, the account owner can create a volume from the snapshot.
2. You can share only unencrypted snapshots with the AWS community by making them public.
3. You can share encrypted and unencrypted snapshots with specific AWS accounts by keeping them private and granting access to those accounts. For an encrypted snapshot you also have to share the encryption key with the account you want to grant access to; otherwise the other account can neither copy the snapshot nor create a volume from it.
4. You cannot share an encrypted snapshot that is encrypted with the default CMK, because the account's default KMS key cannot be shared with other accounts.
5. The other account's owner first creates their own copy of the snapshot and then creates a volume from the copied snapshot. They can also change the encryption key while copying.
6. Your defined tags are not copied from the original snapshot to the copied snapshot.
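The sharing rules in points 2 to 4, as an added example that is not AWS's own code. check_shareable encodes the decisions (public only for unencrypted snapshots; private sharing of an encrypted snapshot only when the key is customer managed, which KMS reports as KeyManager "CUSTOMER" rather than "AWS"), add_share_statement appends a key-policy statement that lets the recipient account use the key, and share_snapshot drives the real calls: describe_snapshots, describe_key, get_key_policy / put_key_policy and modify_snapshot_attribute with createVolumePermission. ec2 and kms are boto3 clients (boto3.client("ec2"), boto3.client("kms")); the account and snapshot IDs are constructed placeholders, and the KMS actions in KEY_ACTIONS are the set this example assumes the recipient needs in order to copy the snapshot and build volumes from it.

```python
"""Share an EBS snapshot with another AWS account (added example, not AWS code)."""
import copy
import json
from typing import Any, Dict

# KMS actions granted to the recipient in this example (assumed set, see lead-in).
KEY_ACTIONS = ["kms:DescribeKey", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:CreateGrant"]


def check_shareable(snapshot: Dict[str, Any], key_metadata: Dict[str, Any], public: bool) -> str:
    """Return 'public' or 'private', or raise ValueError saying why the share is not allowed.
    snapshot is one entry of DescribeSnapshots; key_metadata is the KeyMetadata of
    DescribeKey for its KMS key, or {} when the snapshot is unencrypted."""
    encrypted = bool(snapshot.get("Encrypted"))
    if public and encrypted:
        raise ValueError("encrypted snapshots cannot be made public")
    if encrypted and key_metadata.get("KeyManager") != "CUSTOMER":
        raise ValueError("snapshot uses an AWS-managed key; copy it with a customer managed key first")
    return "public" if public else "private"


def add_share_statement(policy: Dict[str, Any], account_id: str) -> Dict[str, Any]:
    """Return a copy of a KMS key policy with a statement letting account_id use the key."""
    new_policy = copy.deepcopy(policy)
    sid = f"AllowSnapshotUseByAccount{account_id}"
    if any(s.get("Sid") == sid for s in new_policy.get("Statement", [])):
        return new_policy                          # idempotent: already granted
    new_policy.setdefault("Statement", []).append({
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": KEY_ACTIONS,
        "Resource": "*",
    })
    return new_policy


def share_snapshot(ec2: Any, kms: Any, snapshot_id: str,
                   account_id: str = "", public: bool = False) -> str:
    """Grant createVolumePermission, first extending the key policy for an encrypted snapshot."""
    snapshot = ec2.describe_snapshots(SnapshotIds=[snapshot_id])["Snapshots"][0]
    key_metadata: Dict[str, Any] = {}
    if snapshot.get("Encrypted"):
        key_metadata = kms.describe_key(KeyId=snapshot["KmsKeyId"])["KeyMetadata"]
    mode = check_shareable(snapshot, key_metadata, public)
    if mode == "public":
        ec2.modify_snapshot_attribute(SnapshotId=snapshot_id, Attribute="createVolumePermission",
                                      OperationType="add", GroupNames=["all"])
        return mode
    if not account_id:
        raise ValueError("a private share needs the recipient account ID")
    if key_metadata:
        # Without this the recipient can neither copy the snapshot nor build a volume from it.
        key_id = key_metadata["KeyId"]
        policy = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
        kms.put_key_policy(KeyId=key_id, PolicyName="default",
                           Policy=json.dumps(add_share_statement(policy, account_id)))
    ec2.modify_snapshot_attribute(SnapshotId=snapshot_id, Attribute="createVolumePermission",
                                  OperationType="add", UserIds=[account_id])
    return mode


if __name__ == "__main__":
    # Constructed inputs: a CMK-encrypted snapshot record and a minimal key policy.
    snap = {"SnapshotId": "snap-0123456789abcdef0", "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}
    print(check_shareable(snap, {"KeyManager": "CUSTOMER"}, public=False))
    base = {"Version": "2012-10-17", "Statement": []}
    print(json.dumps(add_share_statement(base, "444455556666"), indent=2))
```

Because tags are not copied with a snapshot (point 6), the recipient's own copy will carry none of the original tags; any tagging the recipient relies on has to be applied to the copy.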