0
votes

Is it possible to copy across different regions RDS snapshot of SQL Server 2012?

This is the error message in AWS console:

Cross region snapshot copy is not supported for TDE encrypted snapshots (Service: AmazonRDS; Status Code: 400; Error Code: InvalidDBSnapshotState; Request ID: )

The database and snapshot are not TDE encrypted.

1

1 Answers

0
votes

If your RDS instance is multi-AZ, you won't be able to copy that snapshot across regions and unfortunately it gives the same error as if it were encrypted. I opened a case with AWS support and got a helpful reply below.

Please note the following from the 'Copying snapshots' RDS documentation [1]:

"You cannot copy a SQL Server DB snapshot across regions if the DB snapshot was created from an instance using Multi-AZ mirroring."

Due to this limitation, you will need to first disable the mirroring option (Multi-AZ) for the source DB instance. You can then take a snapshot and re-enable the mirroring option for the DB instance. You would then be able to copy that snapshot to the desired region. OR The other work around is to restore the snapshot in same region in Single AZ and then take a snapshot of that and try copy to the other region.

Sincere apologies for the confusion!

================================================

Also on a side note, even if this DB instance did have the TDE option enabled, you would still not be able to copy any snapshots taken from it to another region. Please note the following from the same documentation [1]:

"You cannot copy a DB snapshot across regions if it was created from a DB instance that is using Oracle Transparent Data Encryption (TDE) or Microsoft SQL Server TDE."

This is because the TDE encryption [2] is not the same as the 'encryption at rest' feature [3] that RDS provides which can be copied cross regions.

================================================

[1] http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html#USER_CopySnapshot.Limitations [2] http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.SQLServer.Options.TDE.html [3] http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

I did the second workaround of restoring the snapshot to a new instance in the same region, take a manual snapshot of it (can't use the automatic one), copy that snapshot to the new region, then delete the new/temporary instance.