To perform a cross-tenant recovery, the user needs two Cloud Connections: one pointing to the primary AWS account and another pointing to the recovery AWS account.
Add a New AWS Cloud Connection
- Navigate to "Cloud Connections" and click "Add Cloud Connection"
- Fill in the Name and Description for the connection, and choose AWS as the cloud provider
- Select the primary and recovery regions
- Enable the services required
- Launch the CloudFormation template in your AWS console
- After the execution, copy the ARN from the output section of the CloudFormation screen
- Register the cloud and wait for the connection to progress until the discovered resources are shown
Once the required Cloud Connection is created, the recovery AWS account's Cloud Connection needs to be shared with the primary AWS account's Cloud Connection.
Add a Shared Cloud Connection
- Choose the primary AWS Cloud Connection. Click the “Actions” button and select “Shared Cloud Connection”
- In the Shared Accounts dashboard, click “SHARE TO CLOUD CONNECTION” and select the recovery AWS account's Cloud Connection. Save the chosen Cloud Connection.
A discovery sync is triggered immediately after the shared Cloud Connection is added. Proceed with the Cloud Assembly creation once the sync has completed.
Create a Cloud Assembly for AWS
General Information
- Enter the Cloud Assembly name and description
- Select the primary AWS account Cloud Connection for which the resources have to be protected
- Select the desired recovery regions
- Turn on the “Allow cross-account protection” toggle to enable cross-account protection.
Resources
- For AWS, select the VPC that has to be protected in this Cloud Assembly
- Resources can be chosen as the entire VPC, from selected resources, or by using tags
- Selection using tags can be made by matching all the tags or by matching at least one tag
Note
If "Entire VPC" is selected during this step, the option to edit the resources after the assembly creation will not be available.
Protection Policy
- Select a protection policy to protect the resources
- A protection policy defines the time at which the snapshot is taken and the number of snapshots to be retained, using a retention count
- A policy template can be created to best fit the protection needs
- To create a new protection policy template, click here
- The policy can be activated on its schedule, by triggering it once immediately, or by delaying it to a specific time
Review
- Review the general information, resource information, and the protection policy details provided
- Edit the details if required and proceed to finish and create a Cloud Assembly
AWS Recovery
- Navigate to "Cloud Assemblies" and click the assembly you want to recover
- Select the timeline tab, then select a protected timeline
- From the timeline view, click "RECOVER" in the header section
- Fill in the name and select the recovery type
- Select the recovery type as Cross Account for performing a cross-tenant recovery
- Choose the resources to recover
- Click "Recover" to create a new recovery.
Note
- RDS encrypted DB instances, RDS clusters and EFS are not yet supported.
- EBS volumes encrypted with the default AWS encryption key cannot be recovered. Volumes encrypted with custom keys are supported.
- For cross-account replication, it is mandatory to share the encryption KMS key from the primary AWS account to the recovery AWS account.
- To share the KMS key:
  - Log in to your primary AWS account.
  - Open the KMS dashboard and select the KMS key that is used for encrypting the EBS volume.
  - Share it by entering the recovery AWS account ID.
- Cross-region replication can't be done if the EBS volume is encrypted using the default AWS encryption key.
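A pre-flight check for the KMS sharing requirement in the note above, as an added example that is not part of the original page or the product. It takes the output of `aws kms describe-key` and the key policy as dictionaries and reports whether the key is customer managed and shared with the recovery account. The function name, the `REQUIRED` action list and the account IDs are assumptions made for illustration.

```python
import fnmatch

# Assumption: actions the recovery account needs on the key to copy and
# restore encrypted EBS snapshots (not taken from the original page).
REQUIRED = ("kms:Decrypt", "kms:DescribeKey", "kms:ReEncryptFrom", "kms:CreateGrant")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_key_shared(key_metadata, key_policy, recovery_account_id):
    """Return findings for one KMS key; an empty list means it is shared."""
    # KeyManager comes from `aws kms describe-key`: "AWS" or "CUSTOMER".
    if key_metadata.get("KeyManager") != "CUSTOMER":
        return ["AWS managed (default) key: cannot be shared with another account"]
    findings, granted = [], []
    root_arn = f"arn:aws:iam::{recovery_account_id}:root"
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws and "Condition" not in stmt:
            findings.append(f"statement {stmt.get('Sid', '?')!r} allows any AWS principal")
        if root_arn in aws or recovery_account_id in aws:
            granted += [a.lower() for a in _as_list(stmt.get("Action", []))]
    missing = [a for a in REQUIRED
               if not any(fnmatch.fnmatchcase(a.lower(), g) for g in granted)]
    if missing:
        findings.append("recovery account lacks: " + ", ".join(missing))
    return findings

# Constructed sample data: documentation-style account IDs, not real accounts.
PRIMARY, RECOVERY = "111122223333", "444455556666"
SHARED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{PRIMARY}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{RECOVERY}:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{RECOVERY}:root"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}
UNSHARED_POLICY = {"Version": "2012-10-17", "Statement": SHARED_POLICY["Statement"][:1]}

if __name__ == "__main__":
    print(check_key_shared({"KeyManager": "CUSTOMER"}, UNSHARED_POLICY, RECOVERY))
```

Running the check against every key used by the volumes in a Cloud Assembly before the first protection run surfaces default-key and unshared-key volumes early. The wildcard-principal finding flags a key policy that was opened more widely than the single recovery account.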