The following section describes the steps to configure Data Domain Cloud Tier capabilities using DD CLI running on an on-premises PowerFlex system with Amazon S3.
Ensure that the following prerequisites are performed in the DD system before configuring the Cloud Tier:
Perform the following steps to add the IAM credentials:
a) Log in to the AWS console and search for the IAM service. From the IAM page, select Users from the left menu and then select Add User.
b) Type the IAM username as per the standards, ensure that the access type is Programmatic access, and click Next.
c) Provide the required permissions by attaching the AmazonS3FullAccess policy to the IAM user created to use the S3 resources. The following figure shows the IAM user attached with S3 full access permission.
d) Review the details and click Create User.
e) Download the .csv file that contains the Access key ID and the Secret access key of the IAM user.
Perform the following steps to configure the storage for the Cloud Tier:
Note: The Cloud Tier storage is required for the DD system to support cloud units.
a) The minimum resource requirements that are supported for the Cloud Tier configuration for DDVE VM are 4 vCPUs and 32 GB memory. Run the following command to check the DDVE VM resource requirements for the Cloud Tier:
sysadmin@ddve# system vresource show requirements
Active Tier     Cloud Tier      Cache Tier      vCPU    Memory
Capacity (TB)   Capacity (TB)   Capacity (GB)   Count   (GiB)
-------------   -------------   -------------   -----   ------
            8             n/a             n/a       2        8
           16             n/a               0       4       16
           32             n/a               0       4       24
           48             n/a               0       4       36
           64             n/a               0       8       48
           96             n/a               0       8       64
           96             n/a               0      12       72
           16              32               0       4       32
           64             128               0       8       60
                          192               0       8       80
-------------   -------------   -------------   -----   ------
sysadmin@ddve#
b) The DD OS file system must be disabled to configure the Cloud Tier. Run the following command to disable the file system:
sysadmin@ddve# filesys disable
This action will disable the file system.
Applications may experience interruptions while the file system is disabled.
        Are you sure? (yes|no) [no]: yes
ok, proceeding.
Please wait.......
The filesystem is now disabled.
sysadmin@ddve#
c) The Cloud Tier holds the metadata for the migrated files, while the actual data resides in the cloud. The DD system requires a 1 TB storage capacity for Cloud Tier metadata storage. We have created a 1 TB PowerFlex volume and mapped it to the ESXi host. A VMFS datastore is created, and a 1 TB virtual disk is attached to a DDVE VM for Cloud Tier metadata storage. The following command shows the 1000 GB virtual disk available for Cloud Tier metadata storage:
sysadmin@ddve# disk show hardware
Disk   Slot        Manufacturer/Model     Firmware   Serial No.                         Capacity     Type   Part Number
       (pci/idx)
----   ---------   --------------------   --------   --------------------------------   ----------   ----   -----------
dev1   160:0       VMware Virtual_disk    n/a        6000c29f40947d7df3534fe93682ab2b   250.0 GiB    SAS    n/a
dev2   160:1       VMware Virtual_disk    n/a        6000c29354b0823a67299cd9801d74e4   10.0 GiB     SAS    n/a
dev4   160:2       VMware Virtual_disk    n/a        6000c2983d0bf3b942c1089515070665   450.0 GiB    SAS    n/a
dev5   160:3       VMware Virtual_disk    n/a        6000c294a6dc52fc88f6d56374a6e64b   1000.0 GiB   SAS    n/a
----   ---------   --------------------   --------   --------------------------------   ----------   ----   -----------
4 drives present.
d) Run the following command to add the device for Cloud Tier metadata storage:
sysadmin@ddve# storage add tier cloud dev5
Checking storage requirements...done
Adding dev5 to the Cloud Tier...done
Updating system information...done
dev5 successfully added to the Cloud Tier.
sysadmin@ddve#
e) After the Cloud Tier metadata storage is added, run the following command to enable the Cloud Tier:
sysadmin@ddve# cloud enable
Cloud feature requires that passphrase be set on the system.
Enter new passphrase:
Re-enter new passphrase:
Passphrases matched.
The passphrase is set.
Encryption is recommended on the Cloud Tier.
        Do you want to enable encryption? (yes|no) [yes]: no
Encryption feature is disabled on the Cloud Tier.
Cloud feature is enabled.
sysadmin@ddve#
f) The Cloud Tier is enabled with designated storage. Now, run the following command to enable the DD OS file system:
sysadmin@ddve# filesys enable
Please wait..........
The filesystem is now enabled.
sysadmin@ddve#
A cloud unit is a connector to an Amazon Web Services S3 provider. Perform the following steps to configure a cloud unit:
a) Firewall port 443 (HTTPS) or port 80 (HTTP) must be open to the cloud provider network for the endpoint IP and the provider authentication I/O, for bi-directional traffic.
b) Import the CA certificate to enable the communication between Data Domain and Amazon S3. For an AWS cloud provider, download the Baltimore CyberTrust Root certificate and the Starfield Class 2 Certification Authority. The root CA certificates can be downloaded from https://www.digicert.com/digicertroot-certificates.htm
c) Configure the cloud profile using the cloud provider credentials. The prompts and variables may vary by cloud provider. The following example shows the configuration of a cloud profile called ‘aws_1’ using the credentials for an AWS instance based in the us-east-1 region that uses the standard storage class:
sysadmin@ddve# cloud profile add aws_1
        Enter provider name (alibabacloud|aws|azure|ecs|google|s3_flexible): aws
        Enter the access key:
        Enter the secret key:
        Enter the storage class (STANDARD|STANDARD_IA|ONEZONE_IA) [STANDARD]:
        Enter the region (us-east-1|us-west-1|us-west-2|eu-west-1|ap-northeast-1|ap-southeast-1|ap-southeast-2|sa-east-1|ap-south-1|ap-northeast-2|eu-central-1|eu-west-2|us-gov-east-1|us-gov-west-1|ca-central-1|eu-south-1|me-south-1): us-east-1
        Do you want to enter proxy details? (yes|no) [no]:
SSL communication with aws requires the Baltimore CyberTrust Root certificate with the following fingerprint:
D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
        Do you want to import it? (yes|no) [yes]:
Cloud profile 'aws_1' added successfully.
sysadmin@ddve#
d) Verify the cloud profile configuration by issuing the following command:
sysadmin@ddve# cloud profile show
Profile name:   aws_1
Provider:       aws
Region :        us-east-1
Storage Class : STANDARD
Proxy host:
Proxy port:     0
Proxy username:
sysadmin@ddve#
e) Configure the cloud unit, using the cloud profile created in step 3 above:
sysadmin@ddve# cloud unit add aws_unit_1 profile aws_1
Please confirm that the cloud user account configured for this cloud profile has only the minimal required access permissions for S3 operations.
For viewing the minimal required access permissions, please refer the Security Configuration Guide.
        Do you want to continue? (yes|no) [yes]:
Cloud unit 'aws_unit_1' created successfully
sysadmin@ddve#
f) Ensure that the cloud provider verify command runs without errors and that the provider verification message is received, confirming that everything has been configured correctly, as shown in the following example:
sysadmin@ddve# cloud provider verify
This operation will perform test data movement after creating a temporary profile and bucket.
        Do you want to continue? (yes|no) [yes]:
        Enter provider name (alibabacloud|aws|azure|ecs|google|s3_flexible): aws
        Enter the access key:
        Enter the secret key:
        Enter the storage class (STANDARD|STANDARD_IA|ONEZONE_IA) [STANDARD]:
        Enter the region (us-east-1|us-west-1|us-west-2|eu-west-1|ap-northeast-1|
        ap-southeast-1|ap-southeast-2|sa-east-1|ap-south-1|ap-northeast-2|eu-central-1|eu-west-2|us-gov-east-1|us-gov-west-1|ca-central-1|eu-south-1|me-south-1): us-east-1
        Do you want to enter proxy details? (yes|no) [no]:
Verifying cloud provider ...
This process may take a few minutes.
Cloud Enablement Check:
  Checking Cloud feature enabled:   PASSED
  Checking Cloud volume:            PASSED
Connectivity Check:
  Validating certificate:           PASSED
  Checking network access:          PASSED
Account Validation:
  Creating temporary profile:       PASSED
  Creating temporary bucket:        PASSED
S3 API Validation:
  Validating Put Bucket:            PASSED
  Validating List Bucket:           PASSED
  Validating Put Object:            PASSED
  Validating Get Object:            PASSED
  Validating List Object:           PASSED
  Validating Delete Object:         PASSED
  Validating Bulk Delete:           PASSED
Cleaning Up:
  Deleting temporary bucket:        PASSED
  Deleting temporary profile:       PASSED
Provider verification passed.
sysadmin@ddve#
g) The cloud unit details are now displayed on the DD system manager as shown in the following figure:
h) The following figure from the Amazon S3 console shows that the DD system created an Amazon S3 bucket for the cloud unit.
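The IAM procedure above attaches AmazonS3FullAccess, while the cloud unit add prompt asks for an account with only the minimal required S3 permissions. The following added example (not part of the Dell white paper) audits an IAM policy document against the S3 operations that cloud provider verify exercises; the action list, the sample policies and the bucket name are assumptions made for illustration, not the list in the Security Configuration Guide.

```python
import json
from fnmatch import fnmatchcase

# Assumption: IAM actions matching the checks that `cloud provider verify`
# prints (Put/List Bucket, Put/Get/List/Delete Object, Bulk Delete, cleanup).
# Bulk delete is authorized by s3:DeleteObject. This is not Dell's own list.
NEEDED = {"s3:createbucket", "s3:listallmybuckets", "s3:putobject",
          "s3:getobject", "s3:listbucket", "s3:deleteobject", "s3:deletebucket"}
ACCOUNT_LEVEL = {"s3:listallmybuckets"}  # only meaningful with Resource "*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (findings, missing_actions) for one IAM policy document."""
    findings, granted = [], set()
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: NotAction allows everything not listed")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for action in actions:
            matched = {n for n in NEEDED if fnmatchcase(n, action)}
            granted |= matched
            if "*" in action or "?" in action:
                findings.append(f"statement {idx}: wildcard action {action}")
            elif not matched:
                findings.append(f"statement {idx}: action {action} not exercised by verify")
        if "*" in _as_list(stmt.get("Resource", [])) and set(actions) - ACCOUNT_LEVEL:
            findings.append(f"statement {idx}: Resource * is not limited to the cloud unit bucket")
    return findings, sorted(NEEDED - granted)


# Constructed samples. FULL_ACCESS has the shape of the AWS managed policy
# AmazonS3FullAccess; the bucket ARN in SCOPED is a placeholder.
FULL_ACCESS = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}]})
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:ListBucket",
                "s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::EXAMPLE-CLOUD-UNIT-BUCKET",
                  "arn:aws:s3:::EXAMPLE-CLOUD-UNIT-BUCKET/*"]}]})

if __name__ == "__main__":
    for name, doc in (("full access", FULL_ACCESS), ("scoped", SCOPED)):
        findings, missing = audit_policy(doc)
        print(name, "| findings:", findings, "| missing:", missing)
```

An empty findings list together with an empty missing list means the policy covers the verified operations without wildcards; rerun cloud provider verify after tightening a policy to confirm that the DD system still passes every check.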