Backup and Recovery Procedures

Procedures for backing up and recovering VPC Provisioner configurations and deployed infrastructure.

What to Backup

Critical Data

  1. Configuration Files (vpc/configs/)

    • Client configuration YAML files

    • These define your entire VPC infrastructure — losing them means recreating from scratch

  2. CloudFormation Templates (vpc/templates/)

    • Generated provisioning templates

    • Can be regenerated from configs, but useful to have as backup

  3. IAM Policies (vpc/policies/)

    • Generated IAM policy files

    • Can be regenerated from configs

  4. Reports and Logs (vpc/reports/)

    • Deployment logs and HTML reports

    • Audit trail for compliance

Priority Order

Priority         Data         Why
1 (Critical)     configs/     Cannot be regenerated; source of truth
2 (Important)    reports/     Audit trail, deployment history
3 (Regenerable)  templates/   Can regenerate from configs
4 (Regenerable)  policies/    Can regenerate from configs

Backup Strategy

Manual Backup

# Create dated backup of all VPC provisioner artifacts
DATE=$(date +%Y%m%d)
tar -czf vpc-provisioner-backup-$DATE.tar.gz \
  vpc/configs/ \
  vpc/templates/ \
  vpc/policies/ \
  vpc/reports/

Upload Backup to S3

# Upload to a separate backup bucket
aws s3 cp vpc-provisioner-backup-$DATE.tar.gz \
  s3://your-backup-bucket/vpc-provisioner/$DATE/ \
  --storage-class STANDARD_IA \
  --sse AES256

Automated Daily Backup

#!/bin/bash
# backup-vpc-provisioner.sh

set -e

DATE=$(date +%Y%m%d)
BACKUP_DIR="backups/vpc-provisioner"
BACKUP_BUCKET="your-backup-bucket"

mkdir -p "$BACKUP_DIR"

# Backup configs (critical)
tar -czf "$BACKUP_DIR/configs-$DATE.tar.gz" vpc/configs/

# Backup templates and policies (regenerable but convenient)
tar -czf "$BACKUP_DIR/templates-$DATE.tar.gz" vpc/templates/
tar -czf "$BACKUP_DIR/policies-$DATE.tar.gz" vpc/policies/

# Backup recent reports (last 7 days). The -name tests are grouped so that
# -mtime applies to both patterns (unparenthesised, "-mtime -7 -name '*.log' -o
# -name '*.html'" would archive every HTML file regardless of age), and names
# are NUL-separated so paths containing spaces survive the pipe into tar.
find vpc/reports/ -mtime -7 \( -name "*.log" -o -name "*.html" \) -print0 | \
  tar -czf "$BACKUP_DIR/reports-$DATE.tar.gz" --null -T -

# Upload to S3
aws s3 sync "$BACKUP_DIR/" "s3://$BACKUP_BUCKET/vpc-provisioner/$DATE/" \
  --storage-class STANDARD_IA --sse AES256

echo "Backup completed: $DATE"

Recovery Procedures

Restore Configuration Files

# Download backup
aws s3 cp s3://your-backup-bucket/vpc-provisioner/20260401/configs-20260401.tar.gz .

# Restore
tar -xzf configs-20260401.tar.gz

# Validate restored configs
docker run --rm \
  -v $(pwd)/vpc/configs:/app/configs:ro \
  -v $(pwd)/vpc/reports:/app/reports \
  vpc-provisioner:latest \
  --config edge-prod-b001-us-west-2-vpc.yaml \
  --action validate-config
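Before extracting a downloaded archive, it is worth checking that it is the archive that was uploaded and that it only writes under vpc/configs/. The following is an added example, not the project's own code; the configs-<date>.tar.gz.sha256 sidecar file, written by record_checksum at backup time, and the script name verified-restore.sh are assumptions (the backup script above does not create a checksum).

```shell
#!/bin/sh
# Added example (not the VPC Provisioner project's code). Assumes the backup step
# recorded "sha256sum configs-<date>.tar.gz > configs-<date>.tar.gz.sha256"
# next to the archive; record_checksum below does that.
set -e

# record_checksum ARCHIVE -> write ARCHIVE.sha256 (run at backup time, before upload)
record_checksum() {
  sha256sum "$1" > "$1.sha256"
}

# archive_checksum_ok ARCHIVE SUMFILE -> 0 only if the recorded digest matches,
# which catches a truncated download or an archive altered in the bucket
archive_checksum_ok() {
  expected=$(cut -d' ' -f1 "$2")
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# archive_paths_ok ARCHIVE PREFIX -> 0 only if every member is a relative path
# under PREFIX; an absolute or ../ member would extract outside the restore dir
archive_paths_ok() {
  tar -tzf "$1" > /dev/null 2>&1 || return 1   # unreadable archive fails closed
  tar -tzf "$1" | while IFS= read -r member; do
    case "$member" in
      /*|..|../*|*/../*|*/..) echo "unsafe member: $member" >&2; exit 1 ;;
      "$2"*) ;;
      *) echo "member outside $2: $member" >&2; exit 1 ;;
    esac
  done
}

# restore_configs ARCHIVE SUMFILE DEST -> run both checks, then extract into DEST
restore_configs() {
  archive_checksum_ok "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
  archive_paths_ok "$1" vpc/configs/ || return 1
  mkdir -p "$3"
  tar -xzf "$1" -C "$3"
}

# Usage: verified-restore.sh configs-20260401.tar.gz configs-20260401.tar.gz.sha256 .
if [ "$#" -eq 3 ]; then restore_configs "$1" "$2" "$3"; fi
```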

Regenerate Templates and Policies

If templates or policies are lost but configs are intact:

# Regenerate IAM policy
docker run --rm \
  -v $(pwd)/vpc/configs:/app/configs:ro \
  -v $(pwd)/vpc/policies:/app/policies \
  -v $(pwd)/vpc/reports:/app/reports \
  vpc-provisioner:latest \
  --config edge-prod-b001-us-west-2-vpc.yaml \
  --action create-policy

# Regenerate CloudFormation template
docker run --rm \
  -v $(pwd)/vpc/configs:/app/configs:ro \
  -v $(pwd)/vpc/templates:/app/templates \
  -v $(pwd)/vpc/reports:/app/reports \
  vpc-provisioner:latest \
  --config edge-prod-b001-us-west-2-vpc.yaml \
  --action create-prov-template

VPC Infrastructure Recovery

Document Existing Infrastructure

Before any destructive operations, capture the current state:

# Export VPC configuration
aws ec2 describe-vpcs \
  --filters "Name=tag:Name,Values=edge-prod-b001-us-west-2-vpc" \
  --region us-west-2 > vpc-backup.json

aws ec2 describe-subnets \
  --filters "Name=tag:Name,Values=edge-prod-b001-us-west-2-*" \
  --region us-west-2 > subnets-backup.json

aws ec2 describe-route-tables \
  --filters "Name=tag:Name,Values=edge-prod-b001-us-west-2-*" \
  --region us-west-2 > route-tables-backup.json

# Export CloudFormation stack
aws cloudformation get-template \
  --stack-name edge-prod-b001-us-west-2-vpc-stack \
  --region us-west-2 > stack-template-backup.json

# Check stack status
aws cloudformation describe-stacks \
  --stack-name edge-prod-b001-us-west-2-vpc-stack \
  --region us-west-2

Recreate VPC Infrastructure from Config

If the VPC and stack were deleted but you have the config file:

# Validate config
docker run --rm \
  -v $(pwd)/vpc/configs:/app/configs:ro \
  -v $(pwd)/vpc/reports:/app/reports \
  vpc-provisioner:latest \
  --config edge-prod-b001-us-west-2-vpc.yaml \
  --action validate-config

# Regenerate template
docker run --rm \
  -v $(pwd)/vpc/configs:/app/configs:ro \
  -v $(pwd)/vpc/templates:/app/templates \
  -v $(pwd)/vpc/reports:/app/reports \
  vpc-provisioner:latest \
  --config edge-prod-b001-us-west-2-vpc.yaml \
  --action create-prov-template

# Redeploy
docker run --rm \
  -v ~/.aws:/home/vpcuser/.aws:ro \
  -v $(pwd)/vpc/configs:/app/configs:ro \
  -v $(pwd)/vpc/templates:/app/templates \
  -v $(pwd)/vpc/reports:/app/reports \
  vpc-provisioner:latest \
  --config edge-prod-b001-us-west-2-vpc.yaml \
  --action create-vpc \
  --force

Note: This recreates the VPC infrastructure but does not restore any resources running inside the VPC (EC2 instances, RDS databases, etc.). Those must be recovered separately.

Verify Recovery

# Check VPC exists
aws ec2 describe-vpcs \
  --filters "Name=tag:Name,Values=edge-prod-b001-us-west-2-vpc" \
  --region us-west-2

# Check subnets
aws ec2 describe-subnets \
  --filters "Name=tag:Name,Values=edge-prod-b001-us-west-2-*" \
  --region us-west-2 \
  --query 'Subnets[].{Name:Tags[?Key==`Name`].Value|[0],CIDR:CidrBlock,AZ:AvailabilityZone}'

# Check CloudFormation stack
aws cloudformation describe-stacks \
  --stack-name edge-prod-b001-us-west-2-vpc-stack \
  --region us-west-2 \
  --query 'Stacks[0].StackStatus'

# Run drift detection
docker run --rm \
  -v ~/.aws:/home/vpcuser/.aws:ro \
  -v $(pwd)/vpc/configs:/app/configs:ro \
  -v $(pwd)/vpc/reports:/app/reports \
  vpc-provisioner:latest \
  --config edge-prod-b001-us-west-2-vpc.yaml \
  --action check-drift

Testing Recovery

Run a recovery test periodically to verify your backups are usable:

# 1. Create backup
tar -czf /tmp/vpc-recovery-test.tar.gz vpc/configs/

# 2. Restore to temp location
mkdir -p /tmp/vpc-recovery-test
tar -xzf /tmp/vpc-recovery-test.tar.gz -C /tmp/vpc-recovery-test

# 3. Validate restored configs
docker run --rm \
  -v /tmp/vpc-recovery-test/vpc/configs:/app/configs:ro \
  -v $(pwd)/vpc/reports:/app/reports \
  vpc-provisioner:latest \
  --config edge-prod-b001-us-west-2-vpc.yaml \
  --action validate-config

# 4. Cleanup
rm -rf /tmp/vpc-recovery-test /tmp/vpc-recovery-test.tar.gz

Retention Policy

Backup Type   Retention    Storage Class
Daily         7 days       S3 Standard-IA
Weekly        4 weeks      S3 Standard-IA
Monthly       12 months    S3 Glacier
Yearly        Indefinite   S3 Glacier Deep Archive
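As an added example (not the project's own script), the following sorts each dated backup into one of the tiers in this table and uploads it with the matching storage class. The per-tier key prefix vpc-provisioner/<tier>/<date>/, the S3 lifecycle rules that expire each prefix after its retention period, and the script name tiered-upload.sh are assumptions; the project's backup script uploads everything under vpc-provisioner/<date>/.

```shell
#!/bin/sh
# Added example (not the VPC Provisioner project's code). Assumed key layout:
# s3://<bucket>/vpc-provisioner/<tier>/<date>/ so one S3 lifecycle rule per
# tier prefix enforces the retention column; the project's script uses <date>/ only.
set -e

# dow_of YEAR MONTH DAY -> 0..6, 0 = Sunday (Sakamoto; no GNU "date -d" needed)
dow_of() {
  y=$1; m=$2; d=$3
  off=$(echo "0 3 2 5 0 3 5 1 4 6 2 4" | cut -d' ' -f"$m")
  if [ "$m" -lt 3 ]; then y=$((y - 1)); fi
  echo $(( (y + y / 4 - y / 100 + y / 400 + off + d) % 7 ))
}

# backup_tier YYYYMMDD -> yearly | monthly | weekly | daily. Jan 1 is yearly,
# the 1st of other months monthly, Sundays weekly, all else daily: one tier per run.
backup_tier() {
  y=$(echo "$1" | cut -c1-4)
  m=$(echo "$1" | cut -c5-6); m=${m#0}
  d=$(echo "$1" | cut -c7-8); d=${d#0}
  if [ "$m" -eq 1 ] && [ "$d" -eq 1 ]; then echo yearly
  elif [ "$d" -eq 1 ]; then echo monthly
  elif [ "$(dow_of "$y" "$m" "$d")" -eq 0 ]; then echo weekly
  else echo daily
  fi
}

# tier_policy TIER -> "<S3 storage class> <retention days>" from the table (0 = keep)
tier_policy() {
  case "$1" in
    daily)   echo "STANDARD_IA 7" ;;
    weekly)  echo "STANDARD_IA 28" ;;
    monthly) echo "GLACIER 365" ;;
    yearly)  echo "DEEP_ARCHIVE 0" ;;
    *) echo "unknown tier: $1" >&2; return 1 ;;
  esac
}

# upload_backup ARCHIVE YYYYMMDD BUCKET -> copy the archive under its tier prefix
upload_backup() {
  tier=$(backup_tier "$2")
  set -- "$1" "$2" "$3" $(tier_policy "$tier")   # $4 = storage class, $5 = days
  aws s3 cp "$1" "s3://$3/vpc-provisioner/$tier/$2/" --storage-class "$4" --sse AES256
  echo "uploaded $1 as $tier (lifecycle expiry after $5 days; 0 = never)"
}

# Usage: tiered-upload.sh configs-20260401.tar.gz 20260401 your-backup-bucket
if [ "$#" -eq 3 ]; then upload_backup "$1" "$2" "$3"; fi
```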


Copyright © 2025 Axon Tech Labs All rights reserved.

See LICENSE.txt for terms and conditions.