Access Node Requirements for AWS


Verify that the access nodes that you use for backups of content in AWS meet the requirements. Access nodes run backups and other operations.

Deploying a Cloud Access Node from AWS Marketplace

Commvault provides the following AWS Marketplace products to simplify the deployment of cloud access nodes within AWS:

Supported Restores

When you use a 64-bit ARM-based Amazon EC2 instance (AWS Graviton), you can restore only full instances, not individual files and folders.

If you need to restore individual files and folders, deploy a 64-bit x86 instance.

AWS Identity and Access Management Requirements

The access node backs up and restores the following AWS services:

  • Amazon Elastic Compute Cloud (Amazon EC2)

  • Amazon Elastic Block Store (Amazon EBS)

For information about the IAM roles and policies that are required for the access node to perform its role, see Amazon Web Services User Permissions for Backups and Restores.

The access node also performs cross-hypervisor restores (also called) VM conversion. For more information about AWS user permissions, see Amazon Web Services User Permissions for VM Conversion.

Cross-Account Protection

For streaming backups and backup copies, the access node can reside in the account being protected, or a shared service account, For more information, see Use Service Account Resources.

Access Node Placement

For optimal performance, deploy the access node in the same region as the workload and within AWS. The access node must reside in the same region as the workload being protected for optimal data transfer. Commvault recommends deploying access nodes within AWS for optimal backup and restore transfer throughput.

Access nodes can reside in other areas that include the following:

  • Amazon EBS direct API protection allows for the access node to reside anywhere (in region, cross region, on-premises) as long as access to the EBS direct service endpoint is accessible. Optimal performance and cost is achieved when locating the access node within the same region and using a VPC endpoint.

  • Commvault HotAdd backup and recovery mode requires that the access node to reside in the same region as the workload being protected.

  • Access nodes can reside on-premises for both snapshot (IntelliSnap) and streaming backups. Access nodes can be shared to protect multiple accounts, see Using Resources from and Admin Account.

Network Requirements

  • Commvault supports any Layer 3 network technology both within and between cloud and on-premises. The technology includes Amazon Direct Connect, AWS Site-to-Site VPN, AWS Client VPN.

  • Commvault supports AWS VPC, AWS Transit Gateway, and AWS Privatelink to control and direct traffic between AWS and on-premises networks.

  • The access node requires Layer 3 network connectivity to the following AWS service endpoints. For information about service endpoints that are required to support backup and restore operations, see Requirements for Connectivity to AWS Service Endpoints.

    Note: The connectivity requirements include global endpoints that do not support Amazon VPC endpoints. Commvault can tunnel command and control communication to endpoints using a HTTP Proxy.

  • Commvault recommends the use of VPC endpoints whenever data transfer will occur to or from the endpoint. Endpoints include Amazon EBS direct APIs backup and restores, and Amazon S3 backup, recovery and Cloud Libraries.

  • The Virtual Server Agent requires Layer 3 network connectivity to the Commvault MediaAgent on port 8403. You can restrict communication to one-way communication using Commvault Network Topologies.

  • If the MediaAgent and the access node are in AWS different accounts or in different Virtual Private Clouds (VPCs), you can configure Amazon VPC peering, as described in the AWS article VPC peering basics.

Firewall Requirements

In an environment with firewalls, the flow of communication must be permitted by configuring the Amazon EC2 security group on the CommServe, MediaAgent, and access node.

  • The CommServe, MediaAgent, and access node must be able to communicate with each other on TCP: 8400, 8403. Communication may be limited to occur one-way or two-way.

  • The Commvault CommServe must be able to contact the access node on TCP: 8400, 8403 to perform initial installation and client registration and ongoing backup and recovery.

  • The Commvault access node must be able to contact the Commvault MediaAgent on TCP: 8400, 8403 or vice versa.

  • The Commvault MediaAgent must be able to contact the CommServe and access node on TCP: 8400, 8403 or vice versa.