The virtualization client manages data protection operations for an AWS account. If you have multiple AWS accounts, you must create a different virtualization client for each one. You must create Amazon clients on client computers installed with the Virtual Server Agent.
An Amazon virtualization client is also required to support conversion of virtual machines to Amazon and to create VM Lifecycle Policies.
Before You Begin
General prerequisites:
- Commvault does not support multi-factor authentication (MFA) for AWS accounts. If you create a virtualization client for an AWS account that uses multi-factor authentication, backups and restores for that account will fail. A backup job fails with the following error message:
  You are not authorized to perform this operation.
- Install the Virtual Server Agent (VSA) on at least one instance (proxy) in each region. You can install the VSA on other instances to create additional VSA proxies for each region.
- Obtain an Amazon EC2 account. Amazon EC2 credentials are required to create an Amazon client.
- For accounts that use data protection resources from another account, you can specify an Admin account that provides the data protection resources. For more information, see Cross-Account Operations.
  First, create a virtualization client for the admin account (for example, for the MSP). After you create the admin client, create a virtualization client for the tenant account, and refer to the admin account using the Use admin account backup resources option.
  Note: For deployments that use an Admin account, for authentication, the tenant account can use an access key and secret key, or an STS assume role with IAM policy. The admin account can use an access key and secret key, an IAM role, or an STS assume role with IAM policy for authentication.
- Choose one of the following methods for authentication:
  - IAM Role: In the AWS Console, create an IAM role and attach the IAM role to the instance that acts as a VSA proxy. Then assign the proxy instance to the client you create in this procedure.
    Note: If IAM Role authentication is selected for the Amazon client, but a proxy that is not associated with the IAM role is used for a backup or restore, the operation fails.
    The IAM role must have appropriate permissions, which can be any of the following:
    - Amazon EC2 Full Access
    - Amazon S3 Full Access
    - Administrator Access
    - Custom permissions to access AWS resources, which can be one of the following:
  - Access and Secret Key: Obtain the key pair (Access Key and Secret Key) from the Amazon EC2 Web site under Security Credentials.
    For instructions on obtaining Amazon access keys, see Amazon Elastic Compute Cloud Documentation.
Procedure
- In the CommCell Browser, right-click Client Computers, and then click New Client > Virtualization > Amazon.
- In the Create Amazon Client dialog box, enter the client name, access key, and secret key, and then identify VSA proxies to be used with the Amazon client:
  - Client Name: Type a name for the client that will appear in the CommCell Browser.
  - Regions: To restrict communication to specific regions, enter the regions as comma-separated values.
    By default, the VSA proxy tries to communicate with all regions.
  - Authentication: Choose one of the following methods for authentication:
    - IAM Role: To use an IAM role, select this option and then add one or more proxies that have the IAM role attached.
    - Access and Secret Key: Select this option to use a key pair obtained from the Amazon EC2 Web site, then enter the following information:
      Access Key: Type the Access Key ID that is associated with your Amazon EC2 account.
      Secret Key: Type the Secret Access Key that is associated with your Amazon EC2 account.
  - Use admin account backup resources: If you already configured a virtualization client for an Admin account, you can select this option and then select the Admin account from the Account list.
    This option applies only in environments where data protection resources are provided by a separate Admin account.
    If another Amazon virtualization client is not already configured, this field does not appear.
- From the Storage Policy list, select a storage policy to associate with the virtualization client.
  The storage policy you select is also associated with the default subclient that is created automatically for the virtualization client.
- Next to Proxies, click Add, and in the Select Clients/Client Groups dialog box, select proxies to be used for backups and restores, and then click OK.
  Note: If you selected IAM Role as the authentication type, all of the proxies you add must have the appropriate IAM role attached. If a proxy that is not associated with the IAM role is used for a backup or restore, the operation fails.
- Click OK to create the Amazon client.
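With IAM Role authentication, both the prerequisite note and the Proxies note state that an operation fails if a proxy without the role is used. The following pre-flight check is an added example, not Commvault code: it reads parsed AWS CLI output and reports which proxies lack the role or a listed policy. The instance IDs, account number, and the role name `vsa-backup-role` are constructed; the policy names are the AWS managed policies corresponding to the permissions listed under Before You Begin.

```python
# AWS managed policies matching the permissions the page lists for the role.
ACCEPTED = {"AmazonEC2FullAccess", "AmazonS3FullAccess", "AdministratorAccess"}

def check_proxies(proxy_ids, role, instances, profiles, role_policies):
    """Return {instance_id: [findings]}; an empty list means the proxy passes.

    instances     -- parsed `aws ec2 describe-instances` output
    profiles      -- parsed `aws iam list-instance-profiles` output
    role_policies -- {role_name: parsed `aws iam list-attached-role-policies`}
    """
    # Instance ID -> ARN of its attached instance profile (None if absent).
    attached = {i["InstanceId"]: i.get("IamInstanceProfile", {}).get("Arn")
                for r in instances["Reservations"] for i in r["Instances"]}
    # Instance profile ARN -> names of the roles it contains.
    roles = {p["Arn"]: [x["RoleName"] for x in p["Roles"]]
             for p in profiles["InstanceProfiles"]}
    attached_names = {p["PolicyName"] for p in
                      role_policies.get(role, {}).get("AttachedPolicies", [])}
    report = {}
    for iid in proxy_ids:
        findings = report.setdefault(iid, [])
        if iid not in attached:
            findings.append("instance not found")
        elif attached[iid] is None:
            findings.append("no IAM instance profile attached")
        elif role not in roles.get(attached[iid], []):
            findings.append(f"attached profile does not contain role {role}")
        elif not attached_names & ACCEPTED:
            findings.append("no listed managed policy; review custom permissions")
    return report

# Constructed sample data in the shape the AWS CLI returns (not real resources).
ACCT = "arn:aws:iam::111122223333:instance-profile/"
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "IamInstanceProfile": {"Arn": ACCT + "vsa-proxy"}},
    {"InstanceId": "i-0bbb"},
    {"InstanceId": "i-0ccc", "IamInstanceProfile": {"Arn": ACCT + "web"}}]}]}
PROFILES = {"InstanceProfiles": [
    {"Arn": ACCT + "vsa-proxy", "Roles": [{"RoleName": "vsa-backup-role"}]},
    {"Arn": ACCT + "web", "Roles": [{"RoleName": "web-role"}]}]}
POLICIES = {"vsa-backup-role": {"AttachedPolicies": [
    {"PolicyName": "AmazonEC2FullAccess"}]}}

if __name__ == "__main__":
    result = check_proxies(["i-0aaa", "i-0bbb", "i-0ccc"], "vsa-backup-role",
                           INSTANCES, PROFILES, POLICIES)
    for iid, findings in result.items():
        print(iid, "OK" if not findings else "; ".join(findings))
```

A role that relies on custom permissions is reported for manual review, because the check matches managed policy names only.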
Result
For virtualization clients created in SP4 or later, creating the virtualization client automatically enables IntelliSnap and configures Amazon as a storage array for IntelliSnap. You must enable IntelliSnap on a subclient to perform IntelliSnap backups for that subclient.
For an Amazon client created prior to Service Pack 4, enabling IntelliSnap for the client triggers Amazon array configuration.