VPC Cloning Process
CloudRanger performs the following steps to clone resources:
1. Discovers source AWS resources
CloudRanger identifies the network and security resources related to the servers. For the servers specified in the source environment, their network and security resources are captured by describing the instances. The attributes of each of those resources are then captured by describing each resource in turn.
Network and security resources that are captured:
- VPC
- Subnets
- Route tables
- Internet gateways
- Egress only Internet gateways
- DHCP options sets
- NAT gateways
- Elastic IPs
- Network ACLs
- Security Groups
2. Generates CloudFormation Script
CloudRanger generates a CloudFormation script containing the details of the resources to be created in the target environment.
Resource clone settings

| Resource | Clone settings |
|---|---|
| VPC | CIDR range preserved |
| Subnets | CIDR ranges preserved, AZs allocated in round robin |
| Route tables | Routing preserved |
| Internet gateways | Routing preserved |
| Egress only Internet gateways | Routing preserved |
| DHCP options sets | Options preserved |
| NAT gateways | Routing preserved |
| Elastic IPs | New addresses allocated and assigned to VPCs for NAT gateways, and pre-allocated for instances with EIPs |
| Network ACLs | Rules and associations preserved |
| Security groups | Ingress and egress rules preserved |
3. Creates resources in the target environment
CloudRanger executes the CloudFormation Script to create resources in the target environment.
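The three steps above, as an added example that is not CloudRanger's own code: the input is constructed data shaped like the EC2 describe-* responses captured in step 1, and `build_template` emits a CloudFormation template that preserves the VPC and subnet CIDRs, assigns the target-region AZs in round robin, and carries the security group ingress and egress rules across unchanged (the resource names, AZs and CIDRs are assumptions).

```python
"""Generate a CloudFormation template from captured EC2 describe-* output."""
import json
from itertools import cycle

# Constructed sample data shaped like ec2.describe_vpcs / describe_subnets /
# describe_security_groups responses; not captured from a real account.
SOURCE_VPC = {"VpcId": "vpc-0src", "CidrBlock": "10.20.0.0/16"}
SOURCE_SUBNETS = [
    {"SubnetId": "subnet-0a", "CidrBlock": "10.20.1.0/24", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0b", "CidrBlock": "10.20.2.0/24", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-0c", "CidrBlock": "10.20.3.0/24", "AvailabilityZone": "us-east-1c"},
]
SOURCE_SGS = [{"GroupId": "sg-0web", "GroupName": "web", "Description": "web tier",
               "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
               "IpPermissionsEgress": [{"IpProtocol": "-1",
                                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]


def _rules(perms):
    """Flatten describe-style IpPermissions into CloudFormation security group rules."""
    out = []
    for p in perms:
        for r in p.get("IpRanges", []):
            rule = {"IpProtocol": p["IpProtocol"], "CidrIp": r["CidrIp"]}
            if "FromPort" in p:  # protocol "-1" (all traffic) carries no ports
                rule.update(FromPort=p["FromPort"], ToPort=p["ToPort"])
            out.append(rule)
    return out


def build_template(vpc, subnets, sgs, target_azs):
    """Return a CloudFormation template: CIDRs preserved, AZs assigned round robin."""
    az_iter = cycle(target_azs)  # target region may have a different AZ count
    res = {"Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": vpc["CidrBlock"]}}}
    for i, s in enumerate(subnets):
        res[f"Subnet{i}"] = {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "Vpc"}, "CidrBlock": s["CidrBlock"],
            "AvailabilityZone": next(az_iter)}}
    for i, g in enumerate(sgs):
        res[f"SecurityGroup{i}"] = {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "VpcId": {"Ref": "Vpc"}, "GroupDescription": g["Description"],
            "SecurityGroupIngress": _rules(g["IpPermissions"]),
            "SecurityGroupEgress": _rules(g["IpPermissionsEgress"])}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": res}


if __name__ == "__main__":
    # Step 3 would hand this JSON to cloudformation:CreateStack in the target account.
    print(json.dumps(build_template(SOURCE_VPC, SOURCE_SUBNETS, SOURCE_SGS,
                                    ["eu-west-1a", "eu-west-1b"]), indent=2))
```

Because the rules are copied verbatim, a permissive source group (such as the 0.0.0.0/0 ingress in the sample) is reproduced in the target, so review the generated template before creating the stack.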
Permissions Required
The following permissions are required when an account is configured. CloudRanger creates an IAM role in the account with these permissions.
Discover resources and generate a CloudFormation script
- ec2:describeVpcs
- ec2:describeSubnets
- ec2:describeInternetGateways
- ec2:describeEgressOnlyInternetGateways
- ec2:describeNatGateways
- ec2:describeSecurityGroups
- ec2:describeNetworkAcls
- ec2:describeRouteTables
- ec2:describeDhcpOptions
- ec2:describeAddresses (Elastic IPs)
Clone resources by executing the CloudFormation script
- ec2:describeKeyPairs
- ec2:modifyVpcAttribute
- ec2:modifySubnetAttribute
- ec2:modifyNetworkInterfaceAttribute
- ec2:createNetworkInterfacePermission
- ec2:describeAddresses
- ec2:describeDhcpOptions
- ec2:describeInternetGateways
- ec2:describeEgressOnlyInternetGateways
- ec2:describeNatGateways
- ec2:createVPC
- ec2:deleteVPC
- ec2:createSubnet
- ec2:deleteSubnet
- ec2:createRoute
- ec2:deleteRoute
- ec2:createNetworkAcl
- ec2:createNetworkAclEntry
- ec2:deleteNetworkAcl
- ec2:deleteNetworkAclEntry
- ec2:describeNetworkAcls
- ec2:ReplaceNetworkAclAssociation
- ec2:ReplaceNetworkAclEntry
- ec2:AllocateAddress
- ec2:RevokeSecurityGroupEgress
- ec2:RevokeSecurityGroupIngress
- ec2:AssociateAddress
- ec2:ReleaseAddress
- ec2:DisassociateAddress
- ec2:createRouteTable
- ec2:deleteRouteTable
- ec2:AssociateRouteTable
- ec2:DisassociateRouteTable
- ec2:createInternetGateway
- ec2:AttachInternetGateway
- ec2:DetachInternetGateway
- ec2:deleteInternetGateway
- ec2:createNatGateway
- ec2:deleteNatGateway
- ec2:createEgressOnlyInternetGateway
- ec2:deleteEgressOnlyInternetGateway
- ec2:createDHCPOptions
- ec2:deleteDHCPOptions
- ec2:createSecurityGroup
- ec2:deleteSecurityGroup
- ec2:AuthorizeSecurityGroupIngress
- ec2:AuthorizeSecurityGroupEgress
- ec2:describeRouteTables
- cloudformation:createStack
- cloudformation:describeStacks
- cloudformation:describeStackEvents
- cloudformation:describeStackResource
- cloudformation:describeStackResources
- cloudformation:deleteStack