Copy Snapshots to APEX Protection Storage in AWS and Azure to reduce storage costs
CSM supports replicating and storing snapshots on an existing APEX Protection Storage running in the user’s AWS account or Azure subscription. This feature enables saving copies of snapshots to an S3 or Azure Storage account for a longer duration. The high-speed, variable-length, industry-leading deduplication capability of the Data Domain series greatly reduces snapshot storage costs. Additional permissions must be added to the CSM minimal permissions of the AWS IAM role/user and the Azure CSM-Contributor custom role.
Note: APEX Protection Storage deployment, licensing, and management are the user’s responsibility and are not handled by CSM.
This solution uses CSM Proxy to enable data transfer to and from the APEX Protection Storage on AWS and Azure. CSM Proxy acts as a data mover that enables:
Using CSM, you can copy snapshots to APEX Protection Storage if you have APEX Protection Storage deployed in your AWS cloud environment. CSM Proxy is a container instance created by CSM using AWS Fargate. CSM Proxy is created on demand by CSM during data transfer and is cleaned up by CSM after use, thereby minimizing costs.
CSM uses an AWS CloudFormation stack to orchestrate the creation of the container instance (CSM Proxy). CSM uses AWS ECS for the container. The container is created from a Docker image that is hosted on docker.io.
CSM also uses AWS Simple Queue Service (SQS) to communicate with the CSM services hosted in the Dell Data Center. AWS SDK interfaces are used to create/delete the queues and send/receive messages. The communication with the AWS SQS service happens over the HTTPS protocol. CSM internally uses 2 queues:
The two queues are created by the CSM copy engine and are associated with the CSM Proxy that has been created. The queues are removed as soon as the data movement is completed and the CSM Proxy is removed. The AWS Fargate container is granted permission to access the queues through the role assigned to it during its creation.
To enable the communication between the Proxy and CSM services, the subnet should either be public or private with Network Address Translation (NAT) for access to the internet.
An IAM role is attached to the container. Through this role, the container is granted the minimum permissions required to access the EBS volumes to list and gather snapshot blocks, and to access SQS to send and receive messages. With the IAM role, the container does not require AWS credentials to perform the necessary operations.
For the permissions required to enable integration between CSM and APEX Protection Storage, refer to AWS Permission Policy and PowerProtect Cloud Snapshot Manager Online Help.
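The following added example, which is not Dell's code or Dell's published policy, shows one way to audit the policy on the proxy's IAM role against the duties described above. The action allow-list, the sample policies, the account ID and the queue name are assumptions constructed for illustration.

```python
# Added example: audit the policy on the proxy's task role against an allow-list.
# EXPECTED_ACTIONS is an assumption mapping the duties described above to AWS
# actions; replace it with the actions from Dell's published permission policy.
EXPECTED_ACTIONS = {
    "ebs:ListSnapshotBlocks", "ebs:GetSnapshotBlock",   # list and read snapshot blocks
    "sqs:SendMessage", "sqs:ReceiveMessage",            # send and receive messages
}

def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (statement index, value, reason) for every over-broad Allow."""
    expected = {a.lower() for a in EXPECTED_ACTIONS}  # IAM actions are case-insensitive
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "allows all but the listed actions"))
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if "*" in action or "?" in action:
                findings.append((i, action, "wildcard action"))
            elif action.lower() not in expected:
                findings.append((i, action, "action outside the described duties"))
        # The queues belong to one proxy, so SQS access should name queue ARNs.
        if any(a.lower().startswith("sqs:") for a in actions):
            for resource in _as_list(stmt.get("Resource", [])):
                if resource == "*":
                    findings.append((i, resource, "SQS access not scoped to a queue"))
    return findings

# Constructed sample policies (account ID and queue name are placeholders).
TIGHT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ebs:ListSnapshotBlocks", "ebs:GetSnapshotBlock"],
     "Resource": "arn:aws:ec2:*::snapshot/*"},
    {"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
     "Resource": "arn:aws:sqs:us-east-1:111122223333:example-proxy-queue"},
]}
LOOSE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ebs:*", "ec2:DeleteSnapshot"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, policy in (("TIGHT", TIGHT), ("LOOSE", LOOSE)):
        print(name, audit_policy(policy) or "no findings")
```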
For replication to APEX Protection Storage, the CSM Proxy is created in the cloud account and region where the snapshot to be copied is present.
Likewise, in a recovery scenario, the proxy is created in the cloud account and region where the data is to be restored.
The CSM Proxy requires the VPC and subnet details for its configuration during creation. Therefore, a VPC and subnet must be configured per region for each AWS cloud account.
Topologies supported:
For topologies with the Proxy and APEX Protection Storage in different VPCs, VPC peering, if required, should be set up by the customer. CSM uses secure VPC peering to transfer data to/from APEX Protection Storage.
Replicating snapshot copies to APEX Protection Storage can be scheduled in CSM. CSM allows the user to specify the frequency at which snapshots are to be copied to DDVE and the retention time for these copies. APEX Protection Storage snapshots can be restored to the same cloud account and region or a different cloud account and region.
Using CSM, you can copy snapshots to APEX Protection Storage if you have APEX Protection Storage deployed in your Azure cloud environment. CSM Proxy is an Azure Container Instance (ACI) that is created on-demand to transfer data to and from APEX Protection Storage and terminated after use. CSM Proxy must be configured in every region of the protected/restored VMs (configured in the CSM portal). Configuring CSM Proxy from the private repository for Azure is supported.
CSM Proxy can perform the following tasks:
Topologies supported:
APEX Protection Storage details required by CSM:
The APEX Protection Storage admin user is used to collect the APEX Protection Storage metadata required for this integration. The Storage Unit credentials are used to read and write data into the STU. These credentials are kept secure by encryption with the AES256 algorithm.