You can configure a virtualization client (hypervisor) for Amazon EC2 to use a separate admin account for data protection operations.
This approach provides the following benefits:
-
Reduces the impact of backup operations and restore operations on tenant production accounts.
-
Minimizes the configuration required for tenant accounts
-
Eliminates the need for tenants to deploy proxies (access nodes) and MediaAgents in AWS, reducing tenant costs
-
Hides backup infrastructure from tenants
Note
This feature was previously called "cross-account operations."
By using this feature, tenants in a managed services environment can access resources that are provided by a managed service provider (MSP) to support data protection operations. Similarly, groups within an organization can access shared resources from an AWS admin account that provides infrastructure for data protection.
You can configure access to an admin account in the CommCell Console or in the Command Center. Production accounts can use an admin account for streaming backup operations, IntelliSnap backup operations, backup copy operations, and restore operations.
After you configure access to an admin account, you can initiate operations from the tenant account, but the operations use resources such as VSA proxies and MediaAgents that are deployed in the admin account.
Operations can use Windows and Linux proxies, and can include Windows and Linux instances.
Requirements
-
For backups, the VSA proxy that is used by the Admin account must be in the same region as the guest instances.
For example, a proxy in Account1 and the us-east-1a region can back up instances in Account2 for any availability zones in the us-east-1 region.
-
For restores, the VSA proxy that is used by the Admin account must be in the same availability zone as the availability zone that you specify for the restore.
For example, a proxy in Account1 and the us-east-1a availability zone can restore instances in Account2 to the us-east-1a availability zone.
-
The admin account can use an access key and secret key for authentication, or an IAM role.
The tenant (user) account must use an access key and secret key for authentication.
Considerations
-
You cannot use replication/disaster recovery replication (from VMware to Amazon EC2 or from Amazon EC2 to Amazon EC2) using resources that are in another account. For example, to replicate VMs to Account1, you must use the resources in Account1. You cannot use the resources in Account2.
-
To perform a HotAdd cross-vendor conversion to an AWS account, you cannot use an access node that is in another AWS account. For example, to perform cross-vendor conversion to Account1, the access node must be in Account1. You cannot use an access node in Account2.
-
When you perform a restore from a streaming backup or backup copy using a tenant account, volume tags are not restored.
Configuration Process
To enable cross-account operations, perform the following configuration:
-
Create a virtualization client for the admin account (for example, for the MSP).
-
Create a virtualization client for the tenant account, and refer to the admin client using the Use admin account backup resources option.