Schedule a Call

Configuring CPM to backup Amazon EC2 instances


Some of our customers are successfully running Oracle Fusion Middleware on AWS for Production, Development, Test and CI environments.

When it comes to backing up EC2 instances, AWS allows you to create either AMIs or EBS Snapshots. You can use either the AWS console or use the AWS APIs.The AWS Console does not support EBS Snapshot scheduling, and also does not support backup policies/retention of backups.

Typically customers choose one of the following approaches:

  • Use a SaaS offering to schedule backups. This means that a third party service will access your AWS account, and invoke the AWS APIs to perform the backup / delete the old snapshots. Depending on your organisation’s security policy, this may or may not be a viable solution.

  • Write your own scripts to perform the backup, control retention period for Snapshots, and schedule these events, reports, etc.

  • Use a third party Backup solution deployed in your own VPC, which conforms to the organisation’s security and privacy policy.

This blog will focus on the third approach, and we have selected CPM as a backup manager. After reading this blog, you will be able to launch and configure CPM server instance to backup the EC2 instances, as well as define backup policies and schedule to perform backup of the backup targets.

1. About Cloud Protection Manager

Cloud Protection Manager (CPM)– is an enterprise-class backup, recovery & disaster recovery solution for the Amazon EC2 compute cloud.

Backup targets consist of five types :

  • EC2 instance.
  • Independent EBS volumes.
  • RDS databases.
  • RDS Aurora clusters.
  • Redshift Clusters.

Using CPM you can define the following, to schedule the backup of the backup targets:

  • Start and End time for the schedule.

  • Backup frequency.

  • Weekday schedule.

  • Special times to disable it.

      Note : CPM backup policy can have one or more schedules associated with it. A backup schedule can be associated with one or more policies. 


CPM software can be purchased on the AWS Marketplace, you need to select edition as per the business requirement and launch the CPM server instance and billing will be handled by AWS through your AWS account.

Only one EC2 CPM instance will perform backup and recovery operations. If you require additional EC2 CPM instances then they will only perform recovery operations.

For more information related to pricing and different editions, please check N2W software site.

2. CPM Architecture

CPM Server is a Linux based software appliance, which uses AWS APIs to access your AWS account to manage the backup targets. For Windows servers, if you install Thin Backup Agent then CPM accesses your backup target through the agent only.

CPM consists of three parts, which runs on a single EC2 instance :

  • Database that holds the metadata of the backup.
  • Web/Management Server that manages the metadata.
  • Backup Server that actually performs the backup operations.

CPM server is an EC2 instance within the AWS cloud, which connects to AWS infrastructure to manage backup of other Amazon EC2 instances. There are two EBS (Elastic Block Store) volumes :

  • Root volume.
  • Data volume, which stores all persistent data and configuration.

3. Launch CPM instance using AWS console

Before creating an AWS CPM instance, ensure that you verify the following checklist.

  • Select your AWS region as per your business requirement.
  • Define and create required VPC , Subnets , Route Tables , Security Groups , Internet Gateways , Elastic IPs etc., as required.
  • For security reasons, it is always recommended to create a IAM Role for CPM server instance, and assign appropriate permissions to it. So, that it will not be required to enter AWS Access key credentials.

Follow the steps below to launch AWS CPM Server:

  • Now, login to your AWS account and click on Services -> EC2 -> Launch Instance.
  • Choose your Amazon Machine Image (AMI) from AWS Marketplace.Type "CPM" keyword in the Search box and select appropriate CPM edition as per your requirement then click on select button.
  • Click Continue (Here, I choose CPM Free Trial & BYOL Edition).
  • Choose Instance Type and click Next:Configure Instance Details.
  • Select VPC, Subnet and IAM Role which you created before and click Next:Add Storage.
  • Add additional storage if required then click Next:Tag Instance.
  • Enter value " CPM Instance " to tag the instance and click Next:Configure Security Group.
  • Select the security group which you already created and make sure appropriate Inbound rules and Outbound rules were assigned to security group and click Review and Launch.
  • Review all the details and click Launch.

4. Configure CPM Server

Here you use the web interface to configure CPM server. Supported web browsers are Firefox, Safari, Google Chrome, and Microsoft explorer ( version 9 and above ). You must use HTTPS protocol, which means it is encrypted to configure and communicate to CPM server.

When launching CPM server using the web interface, the server will automatically create a new self-signed SSL certificate. Since it is not signed by an external authority, you need to approve an exception for your browser to start using CPM server.

Go to browser and enter the address (as below in the image) and click Advanced -> Proceed.


Provide Instance ID of the CPM Server and click next.

Select the check box and click next.

Configure CPM server with following details and click next.

  • License : For Free Trail & BYOL edition, in the license field choose " I'm starting a free trial ".
  • User name : User ( admin ) is a root user, responsible to control the operations of the CPM server.
  • Email : Enter email-id
  • Password : Enter password
  • Password (Again ) : Re-enter the same password

In the third step of the CPM configuration settings, define the options that are required and click on next.

  • Choose Time: Choose the time zone of the CPM server.
  • Choose new or existing : Choose " Create New Data Volume "
  • AWS Credentials : Either provide AWS Secret and Access key or create an IAM role with necessary permissions, to create a new EBS data volume or attach the existing volume to the CPM server instance. For security reasons, it is recommended to choose "Use Instance's IAM Role".
  • Connect via web proxy : By default, the option is disabled.If you want to connect to the internet through HTTP port then enable it and define proxy address, port , user and password.

Below screenshot, if you are using IAM Role.

Below screenshot, if you are using AWS credentials.

In the fourth step of CPM configuration, you need to choose to create a new data volume and define the capacity of the data volume. The data volume contains the database of CPM's data, backup scripts etc.

By default the size of the data volume is 5 GB, which can be enough to manage 50 instances.For bigger environment, make the data volume bigger at about the ratio of 1GB per 10 backed-up instances.

CPM uses by default PORT 443 for HTTPS port. You can change it to different port and make sure this port is open in the CPM instance security group.

Once done, please click on next.

  • Capacity : Please enter required capacity (in GB) as per number instances you need to backup. I choose here as 10 GB.
  • Listen Port for the Web Server : 443 ( default one).
  • SSL Server Certificate File : Leave blank.
  • SSL Server Private Key : Leave blank.
  • Allow Anonymous Usage Reports : Allow.

In the fifth step of CPM configuration, you need to fill the all the details and click on Configure System.

You will see below image and confirm that CPM was configured correctly.Now, click on the "here" link to redirect to login page of the CPM application.

Login to CPM application with user credentials, which you created during configuration in step2.

Associate your AWS account by creating a new account to backup the backup targets. Now, click on Manage AWS Account -> Add New Account.

Enter below details to create new account and click Add.

  • Account Type : Backup ( default option to perform backup ).

  • Name : Give appropriate name ( Specify environment type, like Prod, Dev, Test , CI etc,.).

  • Access Key ID : Enter access key credentials.

  • Secret Access Key: Enter secret access key credentials.

  • Scan Resources : Set to " Enabled " option.

  • Scan Regions : Choose a region to scan resources ( By default CPM will scan all the regions).

      Note: Make sure to add as many as accounts, as per your CPM edition permits.


5. Schedule the backups

Define a schedule to perform backup of the backup targets.
Click on Main -> Schedules -> New Schedule.
Now, enter below details to define a schedule and click Apply.

  • Name : Enter appropriate schedule name (Daily, Weekly , Adhoc , Long).
  • Repeats Every : Define the frequency of the backups (Minutes, Hours, Days, Weeks, Months).
  • Start Time : When the schedule will start ( default value is current day ).
  • End Time : By default it set to never.
  • Enabled : Select the week days the schedule will be enabled on.
  • Description : Enter proper description of the backup schedule.


Create a policy to define what to backup, how to back it up, and by associating schedules, when to perform backup.

Click on Main -> Policies -> New Policy.

Enter below details to create a policy and click Apply.

  • Name : Enter appropriate policy name ( Prod, Dev, Test, CI ).
  • Account : Associate account which got created before to this new policy.
  • Auto Target Removal : Automatically remove the resources if no longer exists. If you terminate the AWS instance or EBS volume deleted then the next backup will detect that and remove it from the policy.Choose the option " Yes and alert " will update the backup log a warning message about the removal.
  • Generations to Save : Here I set to value 5, so backups older than 5 days will be deleted by CPM.
  • Status : Select " Enabled " option.
  • Schedules : Select the schedule, you want this policy to be applied.
  • Description : Enter proper description of the policy.


Once the policy is created, now include the backup targets by clicking the " Backup Targets " button of the policy you created in the " Policies " tab.

Click on Main -> Policies -> Backup Targets of your policy -> Add Instances / Add Volumes / Add RDS Databases / Add Aurora Clusters / Add Redshift Clusters to add backup targets to the policy.

Select the " Add " checkbox of the instance to be part of the policy and then click " Add Selected ". Once done, just click " Close ".

As per the backup schedule window, it will automatically perform the backup of the backup targets. However, by clicking " run ASAP ", you can manually start the backups.

Click Backup Monitor button to see the progress of the backup, by seeing status tab and to view the backup log file, you click on the " Open " button on Log tab.

You can crosscheck the backup of the snapshots in AWS console by clicking EC2 -> Snapshots.

5. Conclusion

In this blog post, we explored below following:

  • About Cloud Protection Manager and Architecture.
  • How to Launch and configure CPM instance.
  • Define backup scheudles and policies.
  • How to kick-off manual backup and monitor backups.

I hope that you'll find it as useful and reliable as I have.