DDVE running in the AWS cloud allows the customer to back up and restore operational data to and from an S3 bucket that serves as the object store.
The high-level steps involved are as follows:
- Configure the network environment. For secure access to DDVE, use the VPC architecture that AWS provides and configure the following components:
- VPC
- Subnet
- Route tables
- Security groups
- Network access control list
- VPC Gateway endpoint for connectivity to S3
- Create an S3 bucket.
- Configure role-based access to the AWS object store.
- For secure login to the DDVE instance, create an EC2 key pair (the SSH key pair used to log in to the instance).
Creating an S3 bucket
Create a bucket in S3 and make a note of the bucket name, as it is used in later steps. The steps to create a bucket are as follows:
- Log in to the AWS console and select Services > S3.
- Click Create bucket, and then enter the bucket name and region.
- To access an S3 bucket, AWS recommends virtual-hosted-style URLs (where the bucket name is part of the host name, for example bucket-name.s3.amazonaws.com) rather than path-style URLs. Do not use dots (".") in the bucket name: a name containing dots produces a host name that does not match the wildcard TLS certificate for *.s3.amazonaws.com, so virtual-hosted-style HTTPS access fails certificate validation.
- Create the bucket in the same region as the DDVE instance.
- Provide a bucket name that is no longer than 48 characters.
- Do not enable bucket versioning on the bucket associated with DDVE. With versioning enabled, older versions of objects are retained even after the DDVE garbage collection process deletes them, which increases storage costs and can also degrade performance.
- Click Create Bucket.
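The naming constraints above are easy to get wrong when the bucket is created by a script rather than in the console. The following pre-flight check is an added example (not code from the DDVE documentation or from Dell) that combines the page's DDVE-specific rules (no dots, at most 48 characters) with the general AWS rules for a DNS-compliant bucket name, and builds the virtual-hosted-style endpoint the bucket will be reached at. The function names and sample bucket names are assumptions for illustration.

```python
import re

# DDVE-specific limit stated on this page; AWS itself allows up to 63 characters.
DDVE_MAX_BUCKET_NAME_LEN = 48

# AWS rule for a DNS-compliant bucket name: lowercase letters, digits and hyphens,
# starting and ending with a letter or digit, 3 to 63 characters in total.
# Dots are not accepted here on purpose; see the naming note above.
_BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def check_bucket_name(name: str) -> list[str]:
    """Return the problems found with a proposed DDVE bucket name (empty list means OK).

    Specific, actionable problems are reported first; the generic DNS-compliance
    check only runs when none of the specific rules already explains the failure.
    """
    problems: list[str] = []
    if len(name) < 3:
        problems.append("name is shorter than 3 characters")
    if len(name) > DDVE_MAX_BUCKET_NAME_LEN:
        problems.append(f"name is longer than {DDVE_MAX_BUCKET_NAME_LEN} characters")
    if "." in name:
        problems.append("name contains a dot, which breaks virtual-hosted-style HTTPS access")
    if name != name.lower():
        problems.append("name contains uppercase characters")
    if not problems and not _BUCKET_NAME_RE.match(name):
        problems.append(
            "name is not DNS-compliant (only a-z, 0-9 and '-', "
            "and it must start and end with a letter or digit)"
        )
    return problems


def virtual_hosted_url(name: str, region: str) -> str:
    """Virtual-hosted-style HTTPS endpoint for a bucket in the given region."""
    return f"https://{name}.s3.{region}.amazonaws.com"


if __name__ == "__main__":
    # Constructed sample names: one acceptable, several that violate a rule.
    for candidate in ["ddve-backup-01", "ddve.backup", "Ddve-Backup", "my_bucket", "a" * 49]:
        issues = check_bucket_name(candidate)
        status = "OK " if not issues else "BAD"
        print(f"{status} {candidate!r}: {'; '.join(issues) or virtual_hosted_url(candidate, 'us-east-1')}")
```

Run the check on the intended name before clicking Create bucket (or before calling the S3 API from automation); a name that passes here can still be taken by another account, since bucket names are global.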
Figure 2. Creating a bucket on AWS
Setting up role-based access to the AWS object store
DDVE accesses the S3 object store through an IAM role rather than static access keys. To grant access to the S3 bucket, create an Identity and Access Management (IAM) role with the required S3 permissions and attach it to the DDVE instance.
Prerequisites: To create the IAM role and the policy associated with it, the AWS user performing these steps must have the necessary IAM privileges. The following IAM privileges and actions are required to create and attach the IAM role:
Figure 3. IAM privileges and actions
When the role is attached to the DDVE instance, DDVE obtains the S3 credentials automatically from the EC2 instance metadata service, so no long-lived access keys need to be configured on DDVE. These credentials are temporary: AWS rotates them periodically, and DDVE fetches the new credentials before the old ones expire.
Use the following procedure to set up role-based access to the object store:
- Create the policy to attach with the IAM role:
- Sign into the AWS Management Console, and open the IAM Service Console.
- In the navigation pane of the IAM console, select Policies > Create policy.
- Create the policy for either AWS Standard Cloud or AWS GovCloud:
- On the Create policy page, select the JSON tab and replace the text under the JSON tab with the following content.
Figure 4. Policy editor with JSON
- Verify the policy document and click Review policy.
- Provide a name and description for the policy and click Create policy.
- Create the role for S3 bucket access:
- In the navigation pane of the IAM console, select Roles > Create role.
- On the Create role page:
- Select AWS service to choose the type of trusted entity.
- Select EC2 as the service that will use this role, and then click Next: Permissions.
- On the Attach permissions policies page, select the policy created in the previous step. Click Next: Tags to optionally add tags to the role.
- Click Next: Review. In the Review section, provide a name for the role and click Create role.
Figure 5. Create role in AWS console
The role must be attached to the DDVE instance (as its IAM instance profile) before DDVE can be configured. This can be done during or after deployment of the instance.
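The two documents behind the console steps above are the permissions policy (what the role may do in S3) and the trust policy (who may assume the role, here the EC2 service). The script below is an added example, not the policy shipped in the DDVE documentation: it generates both documents for a single bucket, switches the ARN partition between AWS Standard Cloud (arn:aws) and AWS GovCloud (arn:aws-us-gov), and lints a policy for grants that reach beyond the DDVE bucket. The S3 actions listed are an assumption, the usual minimum an appliance needs to list, read, write and delete objects in one bucket; the exact actions DDVE requires are those in the vendor's policy (Figure 4), which should be used when they differ. Function names and the sample bucket name are likewise assumptions.

```python
import json

# Assumed minimal S3 permissions for one bucket; substitute the vendor's list where it differs.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]

# ARN partition differs between the standard and GovCloud partitions.
PARTITIONS = {"standard": "aws", "govcloud": "aws-us-gov"}


def bucket_arn(bucket: str, cloud: str = "standard") -> str:
    return f"arn:{PARTITIONS[cloud]}:s3:::{bucket}"


def build_s3_access_policy(bucket: str, cloud: str = "standard") -> dict:
    """Permissions policy scoped to exactly one bucket: bucket-level and object-level statements."""
    arn = bucket_arn(bucket, cloud)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BucketLevel", "Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": arn},
            {"Sid": "ObjectLevel", "Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": f"{arn}/*"},
        ],
    }


def build_ec2_trust_policy() -> dict:
    """Trust policy the console produces when 'AWS service > EC2' is chosen as the trusted entity."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}
        ],
    }


def lint_policy(policy: dict, allowed_bucket_arn: str) -> list[str]:
    """Flag Allow statements broader than the single DDVE bucket: wildcard or non-S3 actions,
    and resources other than the bucket ARN and its objects."""
    findings: list[str] = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif not action.startswith("s3:"):
                findings.append(f"{sid}: non-S3 action {action}")
        for resource in resources:
            if resource not in (allowed_bucket_arn, allowed_bucket_arn + "/*"):
                findings.append(f"{sid}: resource {resource} is outside the DDVE bucket")
    return findings


if __name__ == "__main__":
    bucket = "ddve-backup-01"  # constructed sample bucket name
    policy = build_s3_access_policy(bucket, "standard")
    print(json.dumps(policy, indent=2))
    print(json.dumps(build_ec2_trust_policy(), indent=2))
    print("lint findings:", lint_policy(policy, bucket_arn(bucket)))
```

Write the two JSON documents to files and the console steps map onto the CLI as aws iam create-policy (with --policy-document file://...), aws iam create-role (with --assume-role-policy-document file://...), aws iam attach-role-policy, then aws iam create-instance-profile and aws iam add-role-to-instance-profile, and finally aws ec2 associate-iam-instance-profile to attach the role to the DDVE instance. Run lint_policy on any policy document before creating it; a finding such as a "Resource": "*" grant means the role could reach buckets other than the one DDVE uses.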