Amazon VPC Resources That Commvault Protects

You can recover full Amazon EC2 instances and their related Amazon VPC resources, as well as EC2 network configuration and security settings in AWS CloudFormation format.

You can do the following:

  • Back up EC2 instances with supported VPC resources in all supported AWS Regions and AWS accounts

  • Recover full Amazon EC2 instances, re-creating missing VPC resources

  • Recover known-good Amazon EC2 and Amazon VPC network configuration and security settings (network ACLs, security groups) in AWS CloudFormation format for forensic investigation

Supported for Backup

The Commvault software protects the following VPC resources and all associated attributes (unless noted) when performing Amazon EC2 instance backups.


Resources are listed in the order they appear in the Amazon VPC management console.

Virtual Private Cloud

  • Your VPCs

  • Subnets

  • Route tables

  • Internet gateways

  • Egress-only internet gateways

  • Carrier gateways

  • DHCP options sets

  • Elastic IPs

  • Managed prefix lists

  • Endpoints

  • NAT gateways

  • Peering connections


  • Network ACLs

  • Security groups

Virtual Private Network (VPN)

  • Customer gateways

  • Virtual private gateways

  • Site-to-Site VPN connections

Transit Gateways

  • Transit gateways

  • Transit gateway attachments


  • VPC Flow logs

Supported for Restores with Re-Creation or Re-Use

Restores of Amazon EC2 instances re-create the following resources or re-use them if they exist in the destination AWS account at restore runtime.


Resources are listed in the order they appear in the Amazon VPC management console.

Virtual Private Cloud

  • Your VPCs (default, additional)

  • Subnets (public, private, VPN only, isolated, CIDR reservations)

  • Internet gateways

  • Egress-only internet gateways

  • DHCP option sets

  • Managed prefix lists

  • NAT gateways


Virtual Private Network (VPN)

  • Virtual private gateways

Transit Gateways

  • Transit gateways

  • Transit gateway attachments


  • VPC Flow logs

Supported for Restores without Re-Creation

Some resources associated with protected Amazon EC2 instances are not re-created if they are missing from the destination AWS account at restore runtime. For in-place restores, the Commvault software attempts to re-use these resources. If the resources are not available, you must perform an out-of-place restore, and then manually reconfigure the missing resources in the Amazon VPC management console.

For information about which resources are not re-created, see Restrictions and Known Limitations for Protecting Amazon EC2 with Commvault.

IAM Permissions Policy

To protect Amazon VPC resources, you must grant an IAM permissions policy to the IAM user or role that is used to protect the AWS account containing the VPC resources that you want to protect. For information, see Amazon VPC Resources That Commvault Protects.

Amazon S3 Bucket for VPC Restores

During restores of VPC resources, the Commvault software creates an Amazon S3 bucket in the AWS account and Region that you are restoring the EC2 instance to. The S3 bucket supports the cleanup of Commvault-created VPC resources during failed restores.

The name of the bucket is as follows:



  • accountID: The AWS account that is represented by the Amazon EC2 hypervisor

  • regionID: The AWS Region that the bucket is created in

For example, the bucket might be named gx-restore-us-east-1-45367689749.


The software creates the S3 bucket on the first EC2 instance restore, and does not clean up or remove the bucket.
