FAQs for AWS

Cloud Assembly

Why do the snapshots of the deleted Cloud Assembly still exist in the cloud account?

Cloud Rewind retains the snapshot of the Assembly if a recovery is triggered for that timeline at any point in time.

To clear those snapshots, reset the recovery before deleting the Assembly, or delete the snapshots manually from the cloud console.

How to configure Cloud Rewind Cloud Assembly for a VPC with only Security Group rules and Subnets?

Cloud Rewind requires one of the compute components (EC2 or RDS) to be part of the application environment for it to be protected as part of Application resilience.

Cloud Rewind allows selection of only EC2 and RDS instances. All other cloud resources, including Application Load Balancers, EBS Volumes, Security Groups, and Internet Gateways, are automatically chosen for protection if they are associated with the EC2 or RDS instance chosen for protection as part of the Cloud Assembly creation.

For the list of resources supported by Cloud Rewind, see AWS Resources.

What are the best practices when protecting AWS resources?

  1. Select a Virtual Private Cloud (VPC) to create an assembly, as Cloud Rewind automatically discovers the associated dependencies. Apply exclude tags to omit resources that do not need protection.
  2. Commvault recommends creating separate assemblies for each application in your AWS environment for shorter recovery times.

Cloud Connection

Is there a limit on creating cloud connections?

Cloud Rewind allows creating up to a maximum of 200 AWS cloud connections per user account.

Previously, Cloud Rewind used an AWS inline policy, but IAM limits inline policies to only 20248 characters per user entity. Therefore, it was not possible to create more than 20 cloud connections. To overcome this limitation, Cloud Rewind migrated from an AWS inline policy to a managed IAM policy. A managed policy allows up to 6144 characters and 10 policies per user. As a result, each user can create up to 1000 ARN roles.

Does Cloud Rewind support AWS Lambda functions?

Yes. Cloud Rewind can discover and protect AWS Lambda functions.

Can Cloud Rewind protect AWS Multi-Attach disks?

Yes. Cloud Rewind captures the complex details of AWS Multi-Attach disk structure and its associated Amazon EC2 machines. This capability allows Cloud Rewind to protect AWS Multi-Attach disks.

How do I fix the AWS cloud connection issue associated with KMS Key permissions?

Any restrictions (custom key policies) applied to the KMS key will prevent the successful completion of a Cloud Connection.

If there are any issues in the Cloud Connection related to KMS key permissions, grant the necessary permissions for the required role and do a manual "SYNC NOW".

To fix the cloud connection permission issue, do the following:

  1. In the AWS console, open Key Management Service and select the respective KMS key to edit its key policy.

  2. You can find the role ARN when you go to the Edit option in a Cloud Connection.

  3. Add the cloud connection role ARN in the specified location and save the changes.

  4. Once you have completed the above step, click Sync now in the cloud connection.
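
Before editing the key policy, it helps to see which actions the cloud connection role is actually missing. The following is an added example, not Commvault or Cloud Rewind code: it inspects a key policy document for direct grants to a role ARN. The mapping of the KMSDescribe, KMSEncryptAndDecrypt and KMSCreateGrant permissions to KMS API actions, the placeholder ARNs and the sample policy are assumptions, and access delegated to IAM policies through the account root principal is not evaluated.

```python
import fnmatch
import json

# Assumed mapping of the table's KMSDescribe, KMSEncryptAndDecrypt and
# KMSCreateGrant rows to KMS API actions (an assumption, not from the page).
REQUIRED_ACTIONS = ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:CreateGrant"]
ROLE = "arn:aws:iam::111122223333:role/ExampleCloudConnectionRole"  # placeholder ARN

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_role(principal, role_arn):
    """True if Principal is '*' or lists the role ARN directly."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(p in ("*", role_arn) for p in _as_list(aws))

def _covers(stmt, action):
    """True if any Action pattern in the statement (wildcards allowed) matches."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action", [])))

def missing_actions(policy_json, role_arn, required=REQUIRED_ACTIONS):
    """Return the required actions the key policy does not grant to role_arn.
    Conditions are ignored; an explicit Deny overrides any Allow."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    missing = []
    for action in required:
        effects = {s.get("Effect") for s in statements
                   if _names_role(s.get("Principal", {}), role_arn) and _covers(s, action)}
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing

# Constructed sample key policy: the connection role lacks kms:CreateGrant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmin", "Effect": "Allow", "Resource": "*", "Action": "kms:*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleKeyAdmin"}},
    {"Sid": "CloudConnection", "Effect": "Allow", "Resource": "*",
     "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt"],
     "Principal": {"AWS": [ROLE]}},
]})

if __name__ == "__main__":
    print("Missing for connection role:", missing_actions(SAMPLE_POLICY, ROLE))
```

An empty result means the key policy grants every listed action to the role directly; any action returned is a candidate to add to the key policy before running Sync now.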

When we add an AWS account to Cloud Rewind, does it take into account the default resources of the AWS account as well?

No, only the dependent resources of the selected resource (EC2 or RDS instance).

While discovering assemblies, does Cloud Rewind show only the VPC and its associated EC2 (compute) resources?

In the resource selection, it only provides the option to select EC2 and RDS instances. While discovering a Cloud Connection, it discovers all supported resources. When protecting an assembly, it discovers the dependencies and protects them too.

For example, EC2/RDS will also cover the security group, subnet, VPC, and Load Balancers.

But you can only choose EC2 or RDS instances; the rest will be covered automatically.

When we create an assembly, the retention policy (count) shows global and region copies. I was able to see snapshot copies in both regions; where do the global copies reside?

The recovery region copies are referred to here as global copies. This requires a text change in the user interface for better understanding.

When we do recovery, does Cloud Rewind recover all the default Resources to the recovery region?

Referring to question 1 and its answer, the dependent resources of the selected resources are recovered. They need not be default resources, because they may be user-created resources too.

If I already have a VPC set up in 2 Availability zones in one region, how does the recovery model work here?

The recovery region supports a maximum of 2 Availability Zones; if the primary has 3 or more zones, the recovery will only use 2.

What permissions does the Cloud Rewind service account need to protect AWS resources?

The Cloud Rewind service account requires the following permissions to successfully discover and protect your cloud infrastructure in AWS and recover it in the DR/Recovery regions.

The Roles and their use are explained in the table below.

Discovery - Permission required to discover the resources and their metadata.

Protection - Permission required to protect the resources and their metadata.

Recovery - Permission required to recover the protected data from the Primary region to the secondary/DR region.

Roles                     Discovery  Protection  Recovery
iam:PassRole              TRUE       TRUE        TRUE
Ec2FullAccess             TRUE       TRUE        TRUE
ELBFullAccess             TRUE       TRUE        TRUE
RDSFullAccess             TRUE       TRUE        TRUE
CloudFormationFullAccess  FALSE      FALSE       TRUE
KMSDescribe               TRUE       FALSE       TRUE
KMSEncryptAndDecrypt      TRUE       TRUE        TRUE
KMSCreateGrant            TRUE       TRUE        TRUE
ACMReadAccess             TRUE       FALSE       TRUE
IAMPassRole               TRUE       TRUE        TRUE

How is the encryption taken care of when the backups are moved to a new region?

Cloud Rewind uses cloud-native data encryption along with replication, so customers have the flexibility to encrypt using their native keys stored in their KMS. They can change the keys as per their usual practices. They can also encrypt using one set of keys in one region and have a different set of keys in a recovery region to have more protection against ransomware.

For information about how to enable KMS key mapping, see AWS KMS Key Mapping.

How does Cloud Rewind maintain an AWS certificate in ACM in the recovery region for a load balancer?

AWS Certificate Manager is a service that makes it easier to enable, manage, and deploy public and private SSL/TLS certificates for use with AWS services. Use ACM or IAM to manage certificates.

For more information, see AWS KMS Key Mapping.

Application Load Balancer

Does Cloud Rewind support all the target types in an AWS Application Load Balancer?

Yes, Cloud Rewind supports Application Load Balancer end to end irrespective of its target type configuration.

AWS Application Load Balancer has three target types in the target group:

  • Instance ID
  • IP Address
  • Lambda

Does Cloud Rewind support additional rules specified in Listener?

Yes.

Does Cloud Rewind support targets that can register with multiple target groups?

Yes.

Does Cloud Rewind support Host-Based, Path-Based Routing, and Routing based on fields in the request?

Content-based routing on the Application Load Balancer now supports both Host-based and Path-based rules.

Does Cloud Rewind support registering instance ID as targets?

Yes.

Does Cloud Rewind support registering instance IP address as targets?

Cloud Rewind is yet to support this feature.

Does Cloud Rewind support registering Lambda functions as targets?

Cloud Rewind is yet to support this feature.

Does Cloud Rewind provide support for the load balancer to authenticate the users to their applications with corporate or social identities before routing requests?

Cloud Rewind is yet to support this feature.

Does Cloud Rewind support attaching a target group to an Auto Scaling group?

Cloud Rewind is yet to support this feature.

Does Cloud Rewind support Access logs that contain additional information that gets stored in a compressed format?

Cloud Rewind is yet to support this feature.

How does Cloud Rewind handle SSL certificate management in the load balancer during recovery?

If the user has added certificates to the load balancer in the primary region, they must add the same certificate in all the recovery regions. Along with the certificates, an AWS resource tag must be added for Cloud Rewind to identify the primary and the recovery regions. During recovery, Cloud Rewind attaches the certificates in the recovery regions automatically using these tags.

Note

This setting must be made before protection so that the metadata information is properly captured for the recovery to be successful.

Network Load Balancer

Does Cloud Rewind support Network Load Balancer with TCP and UDP traffic?

Yes.

Does Cloud Rewind maintain TCP load balancer properties, including the protocol, source IP address, source port, destination IP address, destination port, and TCP sequence number during recovery?

Yes.

Does Cloud Rewind automatically pick up the nodes created in each of the Availability Zones for load balancing purposes and recover them to the recovery region?

  • Same Region with New VPC: Works as expected.
  • Other Region with New VPC: Recovers in the top two Availability Zones.

Does Cloud Rewind work well with a cross-zone load balancer?

  • Same Region with New VPC: Works as expected.
  • Other Region with New VPC: Recovers in the top two Availability Zones.

Does Cloud Rewind take care of Network Interfaces for each Availability Zone associated with the Network Load Balancer?

Yes.

How is the Elastic IP address associated with the Subnet handled during the recovery process?

Cloud Rewind is yet to support the Elastic IP address association.

Does Cloud Rewind support targets that are registered by both instance ID and IP address?

Cloud Rewind supports only targets registered by the instance ID. Targets registered by the IP address are yet to be supported.

Does Cloud Rewind handle health checks during recovery?

Yes.

AWS Network Load Balancer assigns one Elastic IP address per Subnet enabled for the load balancer. Will Cloud Rewind retain that IP address in the recovery region?

Cloud Rewind is yet to support this feature.

Network Load Balancer supports registering targets by IP address, including targets outside the VPC for the load balancer. How does Cloud Rewind handle this scenario of targets outside of the VPC?

Cloud Rewind supports the target outside the VPC registered to the Load Balancer by IP address.

Network Load Balancer provides support for routing requests to multiple applications on a single EC2 instance. You can register each instance or IP address with the same target group using multiple ports. Does Cloud Rewind bring up all the applications?

Cloud Rewind is yet to support this feature.

Attaching a target group to an Auto Scaling group enables you to scale each service dynamically based on demand. Does Cloud Rewind recover the Auto Scaling Group configuration as well?

Cloud Rewind is yet to support this feature.

Does Cloud Rewind recover the Tags of the Load Balancer?

Yes.

How does Cloud Rewind handle SSL certificate management in the load balancer during recovery?

If the user has added certificates to the load balancer in the primary region, they must add the same certificate in all the recovery regions. Along with the certificates, an AWS resource tag must be added for Cloud Rewind to identify the primary and the recovery regions. During recovery, Cloud Rewind attaches the certificates in the recovery regions automatically using these tags.

NOTE

This setting has to be done before protection so that the metadata information is correctly captured for the recovery to be successful.

How do I update DNS using the post-recovery webhook?

You can use the Cloud Rewind extension for updating the DNS post recovery using the link given below. This can be configured in your AWS account as a Lambda function and configured to be triggered by the Cloud Rewind post-recovery webhook.

https://github.com/appranix/WebhookScripts/blob/master/AWS/ROUTE53/lambda/dnsupdate.py

Note

This script updates all the values on the source to the equivalent values of the target, but it does not reset them to the original state after testing. We highly recommend first using it in a development account and modifying it based on your environment needs.

EC2 Instance

Cloud Rewind supports AWS EC2 instance protection as part of the Application Resiliency. If the user selects an EC2 instance for protection in the Cloud Assembly, all the dependent resources get automatically selected for protection. The dependent resources include VPC, Subnet, Security Groups, Load Balancers, Network Interface, EBS Volumes, Route Tables, Internet Gateways, and so on. Cloud Rewind also provides complete recovery of the EC2 instances and their dependencies in the same region or to a different region.

Does Cloud Rewind support protecting the root disk alone?

Yes, Cloud Rewind allows its users to choose to protect only the root disk by selecting the Protect boot disk only option from Protection Options in Create Cloud Assembly.

What other AWS resources does Cloud Rewind handle along with EC2 instances during protection?

  • Network Interface
  • EBS Volume
  • DHCP Options
  • Subnet
  • Security Group
  • Route Table
  • Internet Gateway
  • Load Balancer

What happens when CPU credits and baseline utilization reach a maximum limit during the recovery process?

Cloud Rewind aborts recovery with a quota exceeded error message, and the AWS administrator has to take appropriate action.

Does Cloud Rewind support the Tags associated with the EC2 instances?

Yes.

What happens to the private IPv4 addresses, Elastic IP addresses, or IPv6 addresses during EC2 instance recovery?

IPv4 addresses are supported. IPv6 and Elastic IP addresses are not yet supported.

What happens when you recover an EC2 instance that is present inside a cluster placement group?

Cloud Rewind is yet to provide support for an EC2 instance in the cluster placement group.

If an EC2 instance is enabled with monitoring in the primary region, will Cloud Rewind take care of it in the recovery region?

Cloud Rewind is yet to provide support for protecting the monitoring resources associated with the EC2 instance.

Does Cloud Rewind handle EC2 instances whose size type is available in the primary protection region but not available in the recovery region?

Cloud Rewind is yet to support this. In the future, Cloud Rewind would provide an option to select the nearest matching instance size type in the recovery regions.

RDS Instances

Which of the RDS instances are supported by Cloud Rewind?

Cloud Rewind supports the following RDS database instances:

  • MySQL
  • PostgreSQL
  • SQL Server
  • Oracle

RDS Clusters

Which of the RDS cluster types are supported by Cloud Rewind?

Cloud Rewind supports the following RDS cluster types:

  • Aurora
  • Aurora MySQL
  • Aurora PostgreSQL
