Adding an Amazon Web Services Hypervisor

Add an AWS hypervisor to support data protection operations for all virtual machines that are hosted or managed by the hypervisor.

Before You Begin

  • The hypervisor represents an AWS account.

    Use one of the following authentication methods:

    • Configure an access node to use an IAM role for authentication.

    • To use an access key and secret key, obtain a key pair (access key and secret key) from the Amazon EC2 website section about Security Credentials.

    • To use an STS (Security Token Service) assume role with IAM policy, obtain the STS ARN (Amazon Resource Name) from the Amazon EC2 website section about IAM roles.

  • For accounts that use data protection resources from another account, you can specify an Admin account that provides the data protection resources. For more information, see Using Resources from an Admin Account.

    First, create a hypervisor for the admin account (for example, for the MSP). Then, create a hypervisor for the tenant account, and refer to the admin account using the Use service account resources option.

    Note

    • For deployments that use an Admin account, the tenant account can authenticate with an access key and secret key, or with an STS assume role with IAM policy. The admin account can authenticate with an access key and secret key, an IAM role, or an STS assume role with IAM policy.

    • When the hypervisor is configured to use an Admin account, some hypervisor configuration options are hidden.

Procedure

  1. From the navigation pane, go to Protect > Virtualization.

    The Virtual machines page appears.

  2. On the Hypervisors tab, click Add hypervisor.

  3. For Select vendor, select AWS.

  4. For Hypervisor name or Client name, enter a descriptive name for the hypervisor.

  5. Enter the host or account authentication information:

    • IAM role: If you select this option, select an access node that has an IAM role associated with it in the AWS Console.

      Note

      • If you select IAM role for the Amazon client, but an access node that is not associated with the IAM role is used for a backup or restore, the operation fails.

      • To use a different MediaAgent or File Recovery Enabler for Linux (FREL) for browsing data, associate the IAM role to the MediaAgent or FREL.

        The IAM role must have appropriate permissions, which can be any of the following:

          • Amazon EC2 Full Access

          • Amazon S3 Full Access

          • Administrator Access

          • Custom permissions to access AWS resources, which can be one of the following:

    • Access and secret key: If you select this option, select the existing credential that contains the access key and the secret access key associated with your Amazon account from the drop-down list. If no credential exists, select Create New to create one.

    • STS assume role with IAM policy: If you select this option, select the saved credential that contains the role ARN from the drop-down list, or select Create New to create one.

      • If you already configured a hypervisor for an Admin account, you can select the Use service account resources option and then select the Admin account from the Account list.

        This option applies only in environments where data protection resources are provided by a separate Admin account.

        If another Amazon hypervisor is not already configured, this field does not appear.

  6. From the Access nodes list, select the server to use for backup and restore operations.

  7. Click Save to close the Add cloud account dialog box.

To create or manage the credentials using the Credential Manager, see Creating a Credential Entity.
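
Added example (not part of the vendor documentation or the product): a pre-flight check for the STS assume role with IAM policy option in step 5. It validates the role ARN before it is saved as a credential and reviews the role's trust policy for principals other than the expected account. The account IDs, role name, and sample policy are constructed, and trusted_account (the account expected to assume the role) is an assumption, because the page does not say which account calls AssumeRole.

```python
import json
import re

# Role ARN as stored in the saved credential: partition, 12-digit account ID, role path/name.
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[\w+=,.@/-]+$")
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}

def role_account(role_arn):
    """Return the account ID embedded in a role ARN, or None if the ARN is malformed."""
    m = ROLE_ARN_RE.match(role_arn.strip())
    return m.group(2) if m else None

def _as_list(value):
    # IAM policy JSON allows a single value or a list in most positions.
    return value if isinstance(value, list) else [value]

def _principal_account(principal):
    """Account ID of an AWS principal given as a bare ID or an IAM ARN, else None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = re.match(r"arn:[\w-]+:iam::(\d{12}):", principal)
    return m.group(1) if m else None

def audit_trust_policy(policy_json, trusted_account):
    """Return findings for a role trust policy; an empty list means nothing was flagged."""
    findings, trusted_seen = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not ASSUME_ACTIONS & set(_as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p == "*":
                findings.append("any AWS principal can assume the role")
            elif _principal_account(p) == trusted_account:
                trusted_seen = True
            else:
                findings.append(f"unexpected principal: {p}")
    if not trusted_seen:
        findings.append(f"no statement names account {trusted_account} explicitly")
    return findings

# Constructed sample: one statement for the expected account, one overly broad statement.
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
]})
```

The trust policy document can be exported from the IAM console or with `aws iam get-role` and passed to audit_trust_policy as a JSON string.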