Adding an Amazon Hypervisor

Add an Amazon hypervisor to support data protection operations for all virtual machines that are hosted or managed by the hypervisor.

Before You Begin

• The hypervisor represents an Amazon Web Services (AWS) account.

  Use one of the following authentication methods:

  • Configure a proxy to use an IAM role for authentication.

  • To use an access key and secret key, obtain a key pair (access key and secret key) from the Amazon EC2 website section about Security Credentials.

  • To use an STS (Security Token Service) assume role with IAM policy, obtain the STS ARN (Amazon Resource Name) from the Amazon EC2 website section about IAM roles.

• For accounts that use data protection resources from another account, you can specify an Admin account that provides the data protection resources. For more information, see Using Resources from an Admin Account.

  First, create a hypervisor for the admin account (for example, for the MSP). Then, create a hypervisor for the tenant account, and refer to the admin account using the Use service account resources option.

  Note

  • For deployments that use an Admin account, for authentication, the tenant account can use an access key and secret key, or an STS assume role with IAM policy. The admin account can use an access key and secret key, an IAM role, or an STS assume role with IAM policy for authentication.

  • When the hypervisor is configured to use an Admin account, some hypervisor configuration options are hidden.

Procedure

1. From the navigation pane, go to Protect > Virtualization.

   The Virtual machines page appears.

2. On the Hypervisors tab, click Add hypervisor.

3. For Select vendor, select AWS.

4. For Hypervisor name or Client name, enter a descriptive name for the hypervisor.

5. Enter the host or account authentication information:

   • IAM role: If you select this option, select an access node that has an IAM role associated with it in the AWS Console.

     Note

     • If you select IAM role for the Amazon EC2 hypervisor, but a proxy that is not associated with the IAM role is used for a backup or restore, the operation fails.

     • To use a different MediaAgent or File Recovery Enabler for Linux (FREL) for browsing data, associate the IAM role to the MediaAgent or FREL.

   The IAM role must have appropriate permissions, which can be any of the following:

   • Amazon EC2 Full Access

   • Amazon S3 Full Access

   • Administrator Access

   • Custom permissions to access AWS resources, which can be one of the following:

     • Amazon Web Services User Permissions for Backups and Restores

     • Amazon Web Services User Permissions for VM Conversion

     • Creating a Role with Restricted Access

   • Access and secret key: If you select this option, enter the access key and the secret access key for your Amazon account.

   To apply an IAM policy for the hypervisor when you use this authentication method, you can attach an IAM policy to the user who is associated with the access key and secret key.

   • If you already configured a hypervisor for an Admin account, you can select the Use service account resources option, and then select the Admin account from the Account list.

     This option applies only in environments where data protection resources are provided by a separate Admin account. If another Amazon hypervisor is not already configured, this box does not appear.

   • STS assume role with IAM policy: If you select this option, enter the role ARN.

     To apply an IAM policy for the hypervisor when you use this authentication method, you can attach an IAM policy with sts:AssumeRole to the access node in the AWS Console. For information about STS role authentication, see Configuring STS Role Authentication.

6. From the Access nodes list, select a proxy or a server to use for backups and restores.

7. Click Save.