Create an AWS cleanroom site

Create your AWS cleanroom site.

Start the cleanroom site wizard

  1. In the Command Center navigation pane, go to Security services > Cleanroom.

  2. On the Cleanroom sites tab, in the upper-right area of the page, click Add cleanroom.

  3. Select Amazon Web Services.

  4. Click Next.

General page

  1. Enter a descriptive name for the cleanroom site.

  2. For Destination, click the add button to create a hypervisor for the cleanroom site.

  3. Enter a descriptive name for the hypervisor.

  4. Click the Launch CloudFormation Stack link to open the AWS account in the AWS Management Console.

    Note

    If you don't have permission to create a role in the AWS account, copy the Launch CloudFormation Stack link and share it with your AWS IAM administrator.

  5. Log on to the AWS Management Console.

    The Quick create stack page appears.

  6. Under Capabilities, read the information about the template, and then select the acknowledgment check box.

  7. Click Create stack.

    Wait for the CloudFormation Stack to finish creating the CommvaultTenantRole IAM role.

    CloudFormation Stack policies for CommvaultTenantRole

    The CloudFormation Stack creates the following policies, and then attaches the policies to CommvaultTenantRole:

    • CommvaultDynamoDBPolicy
    • CommvaultDocDBPolicy
    • CommvaultEC2Policy
    • CommvaultFSPolicy
    • CommvaultRDSPolicy
    • CommvaultRedshiftPolicy
    • CommvaultS3Policy
    • CommvaultVPCPolicy

  8. After the stack is created, on the Outputs tab of the AWS Management Console, copy the ExternalID and IAMRole key values.

  9. Return to Commvault Cloud.

  10. For Credentials, select existing credentials or create new credentials.

    Requirements

    The credentials must have an external ID and an IAM role ARN—the values you copied from the Outputs tab of the AWS Management Console in a preceding step.

    If you select existing credentials, verify that the credentials have an external ID and an IAM role ARN by clicking the edit button.

    If you create a new IAM role (instead of using the CommvaultTenantRole IAM role) and you attach the new role to the Commvault Cloud backup gateway that handles your Amazon EC2 backups, you must update the credentials with the new external ID.

  11. Click Next.

  1. Enter a descriptive name for the cleanroom site.

  2. For Destination, click the add button to create a hypervisor for the cleanroom site.

  3. In Name, enter a descriptive name for the hypervisor.

  4. For Regional endpoints, do one of the following:

    • To connect with all available public regional endpoints, leave All public regions selected.

    • To limit connections to only some regions, select the regions.

  5. Select one of the following authentication methods:

    • IAM role: Select an access node that has an IAM role associated with it in the AWS Management Console.

    • Access and secret key: Enter the access key ID and the secret access key for your AWS account.

    • STS assume role with IAM policy: In the Role ARN box, enter the Amazon Resource Name (ARN) of the IAM role that STS will assume.

  6. For Use service account resources, if you already configured a hypervisor for a service account, you can select this option, and then select the hypervisor.

  7. For Credentials, select existing credentials or create new credentials.

    Important

    The credentials must have an external ID and an IAM role ARN. If you select existing credentials, verify that the credentials have an external ID and an IAM role ARN by clicking the edit button.

  8. Click Save.

  9. For Access node, select the access nodes to use for the cleanroom site.

  10. For Security, you can enter users and/or user groups to give them access to the cleanroom site.
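The credentials entered at step 10 of the first General page procedure and step 7 of the second must carry both an IAM role ARN and an external ID. As an added check that is not part of the Commvault product or this documentation, the following Python validates those two values and confirms that the role's trust policy (fetched separately, for example with aws iam get-role) actually enforces the external ID through an sts:ExternalId condition; the account number, role name and external ID in the sample are placeholders.

```python
import json
import re

# IAM role ARN format, as copied from the CloudFormation stack's Outputs tab.
ROLE_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def trust_policy_requires_external_id(trust_policy, external_id):
    """True only if every Allow sts:AssumeRole statement in the role's trust
    policy is conditioned on the given sts:ExternalId; a grant without that
    condition would let the listed principal assume the role without it."""
    policy = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    found_assume = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(stmt.get("Action", []))):
            continue
        found_assume = True
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if external_id not in _as_list(cond.get("sts:ExternalId", [])):
            return False
    return found_assume


def validate_cleanroom_credentials(role_arn, external_id, trust_policy):
    """Check the Credentials inputs: ARN shape, a non-empty external ID, and a
    trust policy that enforces that ID. Returns a list of problems (empty = OK)."""
    problems = []
    if not ROLE_ARN_RE.match(role_arn or ""):
        problems.append("IAM role ARN is not of the form arn:aws:iam::<account>:role/<name>")
    if not external_id or not external_id.strip():
        problems.append("external ID is empty")
    elif not trust_policy_requires_external_id(trust_policy, external_id):
        problems.append("trust policy does not require sts:ExternalId = " + external_id)
    return problems


# Constructed sample trust policy (placeholder account number and external ID).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}],
}
```

Run validate_cleanroom_credentials with the ARN and external ID from the Outputs tab plus the role's trust policy document; a non-empty result means the credentials will not authenticate as intended or do not enforce the external ID.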

Recovery Options page

  1. For Availability zone, select the AZ for the recovered EC2 instances.

  2. For Instance type, select the instance type for the recovered EC2 instances.

    The Automatic option attempts to recover the EC2 instances as the same instance type as the source.

  3. Recommended: From the Key pair list, select the Amazon EC2 key pair to access the recovered EC2 instances.

  4. From the IAM role for Amazon EC2 list, select the role that you selected for authentication when you created the hypervisor for the cleanroom site.

  5. For Network, click the browse button, and then select a network interface for the subnets that you created in Create the AWS resources required for cleanroom.

    Important

    • You must be in the same availability zone as the network interface that you want to select.
    • The network interface can be isolated based on the virtual private cloud (VPC), subnet, and security group configuration.

  6. For Security groups, select one of the following:

    • Auto-assign: Assign the same security group that the source EC2 instances have.

    • Custom: Select a security group from the AWS account that you're recovering the EC2 instances to.

  7. For Volume type, the options are limited to only those that are supported for the volume size.

    Volume types that are not supported for the volume size are visible, but not available to select.

    To view the minimum and maximum volume sizes for a volume type that is not available, hover over that volume type.

  8. For KMS key, select Auto.

    If the identity that performs the recovery has the ec2:GetEbsDefaultKmsKeyId action, which is included in amazon_restricted_role_permissions.json, then the default KMS key for EBS encryption will have the "Default EBS Key" tag.

  9. Click Submit.
