Direct from S3 Restore allows backup agents to download snapshot data directly from your S3 snapshot store instead of streaming data through Ops Manager application servers. This feature provides the following benefits:
Reduces load on Ops Manager during large restore operations
Improves restore times for deployments backed up to S3
Uses pre-signed URLs so backup agents do not need S3 credentials
Important
This feature requires Ops Manager 8.0.19 or later.
Supported Use Cases
Direct from S3 Restore supports the following configurations:
Backup type: Continuous or scheduled backups that use an S3 snapshot store (managed or imported)
Restore type: Snapshot restores where the delivery method is Automation Agent (restores into a managed deployment)
Limitations
Direct from S3 Restore does not apply to the following scenarios:
Manual download restores (HTTP download of snapshot data), which continue to stream data through Ops Manager
Backups that use filesystem or MongoDB blockstore snapshot stores
Ad-hoc mongorestore workflows that run outside Ops Manager
If any of these scenarios are critical for your environment, continue using the standard restore path for those workflows.
How Direct from S3 Restore Works
After you enable Direct from S3 Restore:
Ops Manager plans the restore as usual.
Ops Manager generates pre-signed S3 URLs for each snapshot block using its configured S3 credentials.
Ops Manager instructs the backup agent to fetch snapshot data directly from S3 using those pre-signed URLs.
The backup agent downloads, decompresses, and writes snapshot data to disk.
Backup agents do not need S3 credentials. Ops Manager manages all S3 authentication through pre-signed URLs.
Note
Direct from S3 Restore applies only to snapshot data. Oplog handling follows the existing flow.
Prerequisites
Before you enable Direct from S3 Restore, verify the following requirements.
Network and Security
Each backup agent host that performs restores must be able to:
Resolve the DNS name of the S3 or S3-compatible endpoint
Establish outbound HTTPS connections to that endpoint
Download data using S3 pre-signed URLs that Ops Manager generates
Backup agents do not require S3 access keys or IAM roles. Ops Manager generates pre-signed URLs using the S3 credentials configured for the snapshot store.
S3 Snapshot Store Compatibility
Direct from S3 Restore works with:
Managed S3 snapshot stores configured in Ops Manager
Imported S3 snapshot stores on Ops Manager 8.0.19 or later
Configure Direct from S3 Restore
To configure Direct from S3 Restore, complete the following tasks:
Enable the system-level feature flag.
Enable Direct from S3 Restore on an S3 snapshot store.
Enable the System-Level Feature Flag
Enable Direct from S3 Restore on an S3 Snapshot Store
Important
Enabling this option does not change existing restore jobs. New restore jobs can use Direct from S3 Restore only if the snapshot store has the option enabled when you create the job.
Use Direct from S3 Restore
After you enable the feature, use the standard restore workflow. The data path changes automatically.
Start a Restore Job
Operational Considerations
Performance and Sizing
Consider the following performance characteristics:
Ops Manager load: Restores generate less network and CPU load on Ops Manager application servers.
Agent hosts: Restore throughput depends on CPU, disk I/O, and network capacity on the hosts that run backup agents.
Network path: Restore throughput depends on the network path from the backup agent to S3, not from Ops Manager to S3. For large clusters, confirm that your S3 endpoint, VPC endpoint, or proxy can handle the expected concurrency.
Security and IAM
Direct from S3 Restore uses the following permissions model:
Ops Manager permissions: Ops Manager backup application servers require S3 read access (and list access where required) to the buckets and prefixes configured on your S3 snapshot stores. Configure this access through the IAM role or access keys you specify for those stores in Ops Manager.
Backup agent permissions: Backup agents do not have S3 credentials. Ops Manager generates pre-signed S3 URLs for each snapshot block, and agents download blocks directly from S3 using those URLs.
Least privilege: Restrict the IAM role or access keys that Ops Manager uses to only the buckets and prefixes required for backup and restore.
Immutability: If you use S3 Object Lock, Direct from S3 Restore reads from immutable objects using pre-signed URLs. The feature does not bypass retention or delete protections.
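The credential-free download described under How Direct from S3 Restore Works and in the permissions model above can be illustrated with AWS Signature Version 4 query-string signing, the scheme behind S3 pre-signed URLs. This is an added example, not Ops Manager code, and the page does not state which signing scheme Ops Manager uses. The host, object path, key ID and secret are constructed, and store_accepts is a simplified model of the store's check.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote, urlsplit, parse_qsl

def _h(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signature(secret, host, path, params):
    """SigV4 signature binding method, host, object path and query parameters."""
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", quote(path, safe="/"), query,
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    date, region, service = params["X-Amz-Credential"].split("/")[1:4]
    to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"],
                         f"{date}/{region}/{service}/aws4_request",
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = _h(_h(_h(_h(("AWS4" + secret).encode(), date), region), service),
             "aws4_request")
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(host, path, access_key, secret, region, expires_s, now):
    """Credential holder side: build a time-limited GET URL for one object."""
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{now:%Y%m%d}/{region}/s3/aws4_request",
        "X-Amz-Date": f"{now:%Y%m%dT%H%M%SZ}",
        "X-Amz-Expires": str(expires_s),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(secret, host, path, params)
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return f"https://{host}{quote(path, safe='/')}?{query}"

def store_accepts(url, secret, now):
    """Store side (simplified): recompute the signature, then enforce expiry."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    claimed = params.pop("X-Amz-Signature", "")
    # X-Amz-Date is always UTC; append an offset so the parsed value is tz-aware
    issued = datetime.strptime(params["X-Amz-Date"] + "+0000", "%Y%m%dT%H%M%SZ%z")
    fresh = issued <= now <= issued + timedelta(seconds=int(params["X-Amz-Expires"]))
    expected = _signature(secret, parts.netloc, unquote(parts.path), params)
    return fresh and hmac.compare_digest(claimed, expected)

if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed values
    url = presign_get("bucket.s3.example.com", "/snapshots/block-0001",
                      "AKIDEXAMPLE", "constructed-secret", "us-east-1", 900, t0)
    print(url, store_accepts(url, "constructed-secret", t0 + timedelta(minutes=5)))
```

The URL carries the access key ID and a signature but never the secret, and it authorizes one object for a limited time. Until it expires, anyone holding the full URL can fetch that object, so treat proxy and agent logs that record complete URLs as sensitive.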
Imported S3 Snapshot Stores
If you restore from imported S3 snapshot stores, such as immutable backup buckets, verify the following:
You run Ops Manager 8.0.19 or later, which includes Direct from S3 Restore support for imported snapshots.
You configured the imported snapshot store correctly under Admin, Backup, Snapshot Stores.
The S3 credentials configured for that store in Ops Manager have read access to the imported bucket and prefix.
Backup agents on target hosts have network connectivity to the S3 endpoint. Agents use pre-signed URLs that Ops Manager generates and do not require additional IAM roles or keys.