Using Resources from an Admin Account
You can configure a virtualization client (hypervisor) for Amazon Web Services (AWS) to use a separate Admin account for data protection operations.
This approach provides the following benefits:
- Reduces the impact of backup operations and restore operations on tenant production accounts.
- Minimizes the configuration required for tenant accounts.
- Eliminates the need for tenants to deploy proxies (access nodes) and MediaAgents in Amazon, reducing tenant costs.
- Hides backup infrastructure from tenants.
Note: This feature was previously called "cross-account operations."
By using this feature, tenants in a managed services environment can access resources that are provided by a managed service provider (MSP) to support data protection operations. Similarly, groups within an organization can access shared resources from an AWS Admin account that provides infrastructure for data protection.
You can configure access to an Admin account in the CommCell Console or in the Command Center. Production accounts can use an Admin account for streaming backup operations, IntelliSnap backup operations, backup copy operations, and restore operations.
After you configure access to an Admin account, you can initiate operations from the tenant account, but the operations use resources such as VSA proxies and MediaAgents that are deployed in the Admin account.
Operations can use Windows and Linux proxies, and can include Windows and Linux instances.
- For backups, the VSA proxy that is used by the Admin account must be in the same region as the guest instances.
For example, a proxy in Account1 and the us-east-1a region can back up instances in Account2 for any availability zones in the us-east-1 region.
- For restores, the VSA proxy that is used by the Admin account must be in the same availability zone as the availability zone that you specify for the restore.
For example, a proxy in Account1 and the us-east-1a availability zone can restore instances in Account2 to the us-east-1a availability zone.
- The admin account can use an access key and secret key for authentication, or an IAM role.
The tenant (user) account must use an access key and secret key for authentication.
- You cannot use replication/disaster recovery replication (from VMware to Amazon or from Amazon to Amazon) using resources that are in another account. For example, to replicate VMs to Account1, you must use the resources in Account1. You cannot use the resources in Account2.
- To perform a HotAdd cross-vendor conversion to an AWS account, you cannot use an access node that is in another AWS account. For example, to perform cross-vendor conversion to Account1, the access node must be in Account1. You cannot use an access node in Account2.
- When you perform a restore from a streaming backup or backup copy using a tenant account, volume tags are not restored.
To enable operations using an Admin account, perform the following configuration:
- Create a hypervisor for the Admin account (for example, for the MSP).
- Create a company for the tenant account.
- Create a role that includes the Global > Use Proxy permission.
- Go to the hypervisor for the Admin account and add the tenant admin user and role:
- In the Security section on the Configuration tab, click Edit.
- Add the tenant admin user, and then select the role that was defined in step 3.
- Click Add.
- Click Save.
- Log on as the tenant admin user, create a hypervisor for the tenant account, and select the Admin hypervisor using the Use admin account resources option.
Last modified: 5/21/2021 4:19:40 PM