When you use certain cleanroom options, resources are automatically created in your AWS and/or Commvault account.
Create new options for cleanroom sites
Resources deployed in your cleanroom recovery AWS account
VPC
- Created in the region that's specified in the runbook
- Name: [runbook]-[region]-VPC
- Default VPC CIDR: 10.0.0.0/16 (unless overridden in the runbook configuration)
Subnets
The following subnets are created in the VPC:
| Subnet type | Purpose | Name | Default CIDR |
|---|---|---|---|
| Workload | Subnet that recovered Amazon EC2 instances are deployed to | [runbook]-[region]-Workload-Subnet | 10.0.0.0/17 |
| Endpoint | Hosts VPC endpoints and network interfaces used to communicate with AWS services | [runbook]-[region]-Endpoint-Subnet | 10.0.192.0/19 |
Security groups
The following security groups are created in the VPC:
- Workload security group: [runbook]-[region]-Workload-SG
- Endpoint security group: [runbook]-[region]-Endpoint-SG
Workload security group
The following inbound and outbound rules are applied to the workload security group. These rules control traffic within the VPC and allow secure communication between the workload subnet and the endpoint subnet.
| Direction | Name | Rule ID (example) | IP version | Type | Protocol | Port range | Source (Inbound) / Destination (Outbound) |
|---|---|---|---|---|---|---|---|
| Inbound | AllowWithinSubnetInbound | sgr-0b931203a21dfee00 | IPv4 | All traffic | All | All | 10.0.0.0/17 |
| Outbound | AllowWithinSubnetOutbound | sgr-0b40ac33e4e3168f2 | IPv4 | All traffic | All | All | 10.0.0.0/17 |
| Outbound | AllowEndpointSubnetOutboundRule | sgr-0778a974d41df5771 | IPv4 | HTTPS | TCP | 443 | 10.0.192.0/19 |
Endpoint security group
The following inbound and outbound rules are applied to the endpoint security group. These rules control traffic within the VPC and allow secure communication between the workload subnet and the endpoint subnet.
| Direction | Name | Rule ID (example) | IP version | Type | Protocol | Port range | Source (Inbound) / Destination (Outbound) |
|---|---|---|---|---|---|---|---|
| Inbound | AllowInboundFromVPC | sgr-0d0df5110159d2589 | IPv4 | HTTPS | TCP | 443 | 10.0.0.0/16 |
| Outbound | AllowAllOutboundFromEndpointSubnet | sgr-01905394087f35bc5 | IPv4 | All traffic | All | All | 0.0.0.0/0 |
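As an added example (not part of the Commvault documentation), the following Python compares the rules of a deployed security group, in the shape returned by `aws ec2 describe-security-group-rules`, with the baseline transcribed from the two tables above, so that drift from the documented rule set can be spotted after a recovery. The sample rule list is constructed and includes one rule that is not in the baseline.

```python
"""Check exported security-group rules against the documented cleanroom baseline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    egress: bool
    protocol: str   # "-1" is how the EC2 API encodes "All traffic"
    from_port: int  # -1 when the rule covers all ports
    to_port: int
    target: str     # IPv4 CIDR or prefix-list id

# Baselines transcribed from the workload and endpoint security group tables.
WORKLOAD_SG_BASELINE = {
    Rule(False, "-1", -1, -1, "10.0.0.0/17"),       # AllowWithinSubnetInbound
    Rule(True, "-1", -1, -1, "10.0.0.0/17"),        # AllowWithinSubnetOutbound
    Rule(True, "tcp", 443, 443, "10.0.192.0/19"),   # AllowEndpointSubnetOutboundRule
}
ENDPOINT_SG_BASELINE = {
    Rule(False, "tcp", 443, 443, "10.0.0.0/16"),    # AllowInboundFromVPC
    Rule(True, "-1", -1, -1, "0.0.0.0/0"),          # AllowAllOutboundFromEndpointSubnet
}


def normalize(api_rule: dict) -> Rule:
    """Convert one SecurityGroupRules entry (describe-security-group-rules) into a Rule."""
    target = api_rule.get("CidrIpv4") or api_rule.get("PrefixListId") or ""
    return Rule(api_rule["IsEgress"], api_rule["IpProtocol"],
                api_rule.get("FromPort", -1), api_rule.get("ToPort", -1), target)


def audit(api_rules: list[dict], baseline: set[Rule]) -> tuple[set[Rule], set[Rule]]:
    """Return (rules present but not in the baseline, baseline rules that are missing)."""
    actual = {normalize(r) for r in api_rules}
    return actual - baseline, baseline - actual

# Constructed sample: the three documented workload rules plus one drifted inbound rule.
SAMPLE_WORKLOAD_RULES = [
    {"IsEgress": False, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "10.0.0.0/17"},
    {"IsEgress": True, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "10.0.0.0/17"},
    {"IsEgress": True, "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv4": "10.0.192.0/19"},
    {"IsEgress": False, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "0.0.0.0/0"},
]

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_WORKLOAD_RULES, WORKLOAD_SG_BASELINE)
    for rule in unexpected:
        print("UNEXPECTED:", rule)
    for rule in missing:
        print("MISSING:", rule)
```

Feed the same function the `SecurityGroupRules` list for the endpoint security group together with `ENDPOINT_SG_BASELINE` to check that group; an empty pair of sets means the deployed rules match the tables exactly.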
Endpoints
VPC endpoints are deployed and associated with the VPC, the endpoint subnet, the workload route table (for the gateway endpoint), and the endpoint security group. These endpoints are used for SSM access to workload instances and for log uploads.
Workload route table
- Name: [runbook]-[region]-Workload-Route-Table
- Destination: pl-63a5400a (AWS-managed prefix list), Target: vpce-010ae917bd7b7c164 (VPC endpoint)
- Destination: 10.0.0.0/16 (VPC CIDR block), Target: local
S3 bucket
- Name: [runbook]-[region]-Bucket
IAM role for the recovered resources (workload role)
- Role name: [runbook]-Workload-Role
- Associated with recovered EC2 instances
- Attached permission policy: AmazonSSMManagedInstanceCore
- Trust policy allows the role to be assumed by the EC2 service (ec2.amazonaws.com)
- Post-recovery access: Connect to recovered EC2 instances using AWS Systems Manager Session Manager in the AWS Console (no direct SSH required)
Created in Commvault control plane
The control plane components and supporting infrastructure are created in your Commvault subscription.
| Resource (control plane) | Purpose | Details |
|---|---|---|
| Control plane server group | Provides recovery control components | Contains MediaAgents, auto-scaled access nodes, and the control plane |
| Auto Proxies server group | Provides temporary access capacity | Runs auto-scaled access nodes deployed during cleanroom recovery |
| Network topology | Provides recovery communication | One-way connection from the Auto Proxies server group to the control plane server group to support secure communication between the control plane and auto-scaled access nodes |
Default auto-scaling
When you use default auto-scaling in Commvault, which is recommended in most cases, the following resources are created.
IAM role and permission policies (only with secret access key authentication)
If you use secret access key authentication for a hypervisor, the following role is created in your cleanroom recovery AWS account:
- IAM role: [runbook]-Infra-Role
The role has the following permission policies:
- AmazonSSMManagedInstanceCore
- AmazonSSMPatchAssociation
- S3Policy
Subnets (environment dependent)
The following subnets are created in the VPC according to the environment type:
| Subnet type | Purpose | Name | Default CIDR |
|---|---|---|---|
| Infra | Hosts auto-scaled infrastructure nodes | [runbook]-[region]-Infra-Subnet | 10.0.128.0/18 |
| Public | Hosts the NAT gateway (recovered control plane or environments with a gateway machine only) | [runbook]-[region]-Public-Subnet | 10.0.224.0/19 |
Route tables (environment dependent)
Route tables are created according to the environment configuration.
Infra route table
- Name: [runbook]-[region]-Infra-Route-Table
- Associated with the Infra subnet (explicit subnet association)
- Routes:
  - Destination: 0.0.0.0/0, Target: NAT gateway
  - Destination: 10.0.0.0/16 (VPC CIDR block), Target: local
Public route table
- Name: [runbook]-[region]-Public-Route-Table
- Routes:
  - Destination: 0.0.0.0/0, Target: Internet gateway
  - Destination: 10.0.0.0/16 (VPC CIDR block), Target: local
Internet gateway and NAT gateway
The following are created in the VPC when required by the environment:
- Internet gateway name: [runbook]-[region]-Infra-IGW
- NAT gateway name: [runbook]-[region]-Infra-NAT
The NAT gateway is created with public connectivity and associated with the Public subnet.
Infra security group (environment dependent)
The following security group is created in the VPC for Infra resources:
- Name: [runbook]-[region]-Infra-SG
Security group rules are created according to the environment type.
Security group rules for dev/test
| Direction | Name | Rule ID (example) | Protocol | Port | Source / Destination |
|---|---|---|---|---|---|
| Inbound | AllowAIVCTrafficInbound-190 | sg-07bdf66dfc103d91c | TCP | 8403 | 0.0.0.0/0 |
| Inbound | AllowWithinSubnetInbound | sg-0c0cd7848b66a6af5 | All | All | 10.0.128.0/18 |
| Outbound | AllowWithinSubnetOutbound | sg-07685e89f1cf1219 | All | All | 10.0.128.0/18 |
| Outbound | AllowS3AccessForLogCollection | sg-03a7c7261c80be757 | TCP | 443 | pl-63a5400a (S3 prefix list) |
| Outbound | AllowEndpointSubnetOutboundRule | sg-014473456689ed88 | TCP | 443 | 10.0.192.0/19 |
| Outbound | AllowAIVCTrafficOutbound-190 | sg-00be5b5710f358bda | TCP | 8403 | 0.0.0.0/0 |
Security group rules for Commvault SaaS / Gateway
| Direction | Name | Rule ID (example) | Type | Protocol | Port | Source / Destination |
|---|---|---|---|---|---|---|
| Inbound | AllowWithinSubnetInbound | sgr-01c6216679759e702 | All traffic | All | All | 10.0.128.0/18 |
| Outbound | AllowWithinSubnetOutbound | sgr-0cbee667fdea804d | All traffic | All | All | 10.0.128.0/18 |
| Outbound | AllowEndpointSubnetOutboundRule | sgr-0136785abd40dc7a3 | HTTPS | TCP | 443 | 10.0.192.0/19 |
| Outbound | NetworkTopologyRule-190 | sgr-0031ee7be186ece18 | HTTPS | TCP | 443 | Gateway IP |
| Outbound | AllowS3AccessForLogCollection | sgr-03940368e3da4de54 | HTTPS | TCP | 443 | pl-63a5400a (S3 prefix list) |
| Outbound | AllowAllOutboundTemporary | sgr-07f1e17a5ac530973 | HTTPS | TCP | 443 | 0.0.0.0/0 |
Security group rules for recovered control plane
| Direction | Name | Rule ID (example) | Type | Protocol | Port | Source / Destination |
|---|---|---|---|---|---|---|
| Inbound | AllowWithinSubnetInbound | sgr-0d968eb375102f795 | All traffic | All | All | 10.0.128.0/18 |
| Outbound | NetworkTopologyRule-190 | sgr-02d5834aa0dfbfe31 | Custom TCP | TCP | 8403 | Rescued CS IP |
| Outbound | AllowWithinSubnetOutbound | sgr-0b4856c01f195f5d | All traffic | All | All | 10.0.128.0/18 |
| Outbound | AllowEndpointSubnetOutboundRule | sgr-05e003253098e82e | HTTPS | TCP | 443 | 10.0.192.0/19 |
| Outbound | AllowS3AccessForLogCollection | sgr-06e0e1992b3c23ded | HTTPS | TCP | 443 | pl-63a5400a (S3 prefix list) |