Creating an Amazon EC2 Client

The virtualization client manages data protection operations for an Amazon Web Services (AWS) account. If you have multiple AWS accounts, you must create a different virtualization client for each one. You must create Amazon clients on client computers installed with the Virtual Server Agent.

To perform backup operations, each virtualization client can identify multiple proxies where the Virtual Server Agent is installed. The virtualization client uses proxy teaming, enabling proxy failovers for fault tolerant backups. Using multiple proxies for each virtualization client makes it possible to perform backups for a large number of instances in a limited backup window.

When you create a virtualization client, the Commvault software automatically creates an instance, a backup set, and a default subclient that can be used to protect all instances. You can create additional subclients to perform separate protection operations for different groups of instances. For example, you can create a different subclient for each region or zone, or for different guest operating systems, and use the default subclient to protect any remaining instances that are not covered by user-defined subclients.

An Amazon virtualization client is also required to support conversion of virtual machines to Amazon and to create VM Lifecycle Policies.

Before You Begin

• Commvault does not support multi-factor authentication (MFA) for AWS accounts. If you create a virtualization client for an AWS account that uses multi-factor authentication, backups and restores for that account will fail. A backup job fails with the following error message:

  You are not authorized to perform this operation.

• Install the Virtual Server Agent (VSA) on at least one instance (access node) in each region. You can install the VSA on other instances to create additional VSA proxies for each region.

• Obtain an Amazon EC2 account. Amazon EC2 credentials are required to create an Amazon client.

• For accounts that use data protection resources from another account, you can specify an Admin account that provides the data protection resources. For more information, see Use Service Account Resources.

  First, create a virtualization client for the admin account (for example, for the MSP). After you create the admin client, create a virtualization client for the tenant account, and refer to the admin account using the Use admin account backup resources option.

  Note

  For deployments that use an Admin account, for authentication, the tenant account can use an access key and secret key, or an STS assume role with IAM policy. The admin account can use an access key and secret key, an IAM role, or an STS assume role with IAM policy for authentication.

• Choose one of the following methods for authentication:

  • IAM Role: In the AWS Console, create an IAM role and attach the IAM role to the instance that acts as a VSA access node. Then assign the access node instance to the client that you create in this procedure.

    Note

    • If IAM Role authentication is selected for the Amazon client, but an access node that is not associated with the IAM role is used for the backup or restore, the operation fails.

    • To use a different MediaAgent or File Recovery Enabler for Linux (FREL) for browsing data, attach the IAM role to the MediaAgent or FREL.

    The IAM role must have appropriate permissions, which can be any of the following:

    • Amazon EC2 Full Access

    • Amazon S3 Full Access

    • Administrator Access

    • Custom permissions to access AWS resources, which can be one of the following:

      Amazon Web Services User Permissions for Backups and Restores

      Amazon Web Services User Permissions for VM Conversion

      Creating a Role with Restricted Access

  • Access and Secret Key: Obtain the key pair (Access Key and Secret Key) from the Amazon EC2 Web site under Security Credentials.

    To apply an IAM policy for the virtualization client when you use this authentication method, you can attach an IAM policy to the user who is associated with the access and secret key.

    For instructions on obtaining Amazon access keys, see Amazon Elastic Compute Cloud Documentation.

  • STS Assume Role with IAM Policy: To use an (Security Token Service) STS assume role with IAM policy, obtain the STS (Amazon Resource Name) ARN from the Amazon EC2 website section on IAM roles.

Procedure

1. In the CommCell Browser, right click Client Computers, and then click New Client > Virtualization > Amazon.

2. In the Create Amazon Client dialog box, enter the client name, access key, and secret key, and then identify VSA access nodes to be used with the Amazon client:

   • Client Name: Type a name for the client that will appear in the CommCell Browser.

   • Regions: To restrict communication to specific regions, enter the regions as comma-separated values.

     In this list, you can include private region identifiers such as government region values. For examples, see the following pages:

     • AWS GovCloud (US) Endpoints

     • China (Beijing) Region Endpoints

     By default, the VSA access node tries to communicate with all regions.

   • Amazon Authentication: Choose one of the following methods for authentication:

     • IAM Role: To use an IAM role, select this option and then add one or more access nodes that have the IAM role attached.

     • Access and Secret Key: If you select this option, select the existing credential that contains the access key and the secret access key associated with your Amazon account from the drop down list. If one does not exist, you can select Add New to create a new one.

     • STS Assume Role with IAM Policy: If you select this option, select the saved credential that contains the role ARN from the drop down list, or you can select Add New to create a new one.

       To apply an IAM policy for the hypervisor when you use this authentication method, you can attach an IAM policy with sts:AssumeRole to the access node in the AWS Console. For more information about STS role authentication, see Configuring STS Role Authentication.

   • Use admin account backup resources: If you already configured a virtualization client for an Admin account, you can select this option and then select the Admin account from the Account list.

     This option applies only in environments where data protection resources are provided by a separate Admin account.

     If another Amazon virtualization client is not already configured, this field does not appear.

3. From the Storage Policy list, select a storage policy to associate with the virtualization client.

   The storage policy you select is also associated with the default subclient that is created automatically for the virtualization client.

4. Next to Access Nodes, click Add, and in the Select Clients/Client Groups dialog box, select the access nodes to be used for backups and restores, and then click OK.

   Note

   If you selected IAM Role as the authentication type, all of the access nodes you add must have the appropriate IAM role attached. If an access node that is not associated with the IAM role is used for a backup or restore, the operation fails.

5. Click OK to create the Amazon client.

Related Topics

To create or manage the credentials using the Credential Manager, see Creating a Credential Entity.