Starting or Stopping a Network Gateway to Create an Air Gap

The Airgap workflow allows you to start or stop network gateway proxies to create an air gap. This workflow can be scheduled to run at the beginning of the auxiliary copy blackout window to stop the gateway machines and at the end of the blackout window to start the gateway machines.

Supported Vendors

The Airgap workflow is supported for the following vendors:

Amazon
Azure Classic
VMware
Google Cloud

Before You Begin

Before you run the workflow, make sure that you have the following configuration set up.

Create a client computer group or a server group for MediaAgents that need to be air-gapped.
From the CommCell Console, configure a blackout window on the client computer group for air-gapping MediaAgent for auxiliary copy.

To configure a blackout window, see Configuring a Blackout Window for a Client Computer Group.
Create a client computer group or a server group for network gateway proxy machines of air-gapped MediaAgent.

Note

The above network gateway proxy machines must have the File System package installed.
Create a virtualization client or hypervisor to establish an access point between Commvault proxy server and hypervisor hosting the network gateway proxies. Choose a VSA proxy that is different from the network gateway proxies that are used to create the air gap.

For more information, see Virtualization.

Note

While creating a virtual client or hypervisor, provide the credentials with the following permissions to manage the gateways:
- For Azure, configure an Azure application ID that is assigned to the contributor role during the virtual client creation and configure a virtualization client or hypervisor that is within the same subscription as the cloud gateway.
- For Amazon, configure an Amazon user account with the following permissions:
  - ec2:StartInstances
  - ec2:StopInstances
  - ec2:DescribeRegions
  - ec2:DescribeAvailabilityZones
  - ec2:DescribeInstances
  - ec2: GetConsoleOutput
  If the virtual client uses IAM authentication method, the first VSA proxy should be on Amazon and have the corresponding IAM role associated. The VSA proxy must be online always to perform power management operation.
- For VMware vCenter Hypervisor, configure a user account with the Power On and the Power Off permissions during the virtual client creation.
  
  For more information about VMware vCenter user permissions, see Permissions for vSphere Custom User Accounts.
- For Google Cloud, configure a user account with the Compute Instance Admin (v1) permission during the virtual client creation.
  
  For more information, see Requirements for the Cloud Account (Cloud account refers to virtualization client or hypervisor).
Create either a Cascading or a One-Way Forwarding network topology.

To create a Cascading network topology, see Configuring Cascading Network Gateway Connections Using Predefined Network Topologies.

Procedure

From the CommCell Browser, go to Workflows.
Download the Airgap workflow from the Commvault Store.

For more information about downloading the workflow, see Downloading and Updating Workflows from Commvault Store.
Right-click Airgap, and then click All Tasks > Deploy to deploy the workflow.
Right-click Airgap again, and then click All Tasks > Execute to run the workflow.
Enter the following:
- Operation Type: Select the operation type where to perform power on or power off.
  - Power Off: Operation to stop the gateway. This should be selected at the beginning of the blackout window.
  - Power On: Operation to start the gateway. This should be selected at the end of the blackout window.
- Client Group to Airgap: Select the client group with network gateway proxies that you created from the dropdown list.
- Virtualization Client: Select the virtual client or hypervisor, that you created, from the dropdown list.
Click Advanced to schedule the workflow.

For more information on scheduling the workflow, Scheduling a Workflow.