Skip to main content



How can we help you?


Druva Documentation

VPC Cloning Process

Heads up!

We've transitioned to a new documentation portal to serve you better. Access the latest content by clicking here.

CloudRanger performs the following steps to clone resources:



1. Discovers source AWS resources

CloudRanger identifies the servers' related network and security resources. For servers specified in the source environment, its network and security resources are captured by describing the instances. For each of the resources, its attributes are captured by further describing each of those resources.

Network and security resources that are captured

  • VPC
  • Subnets
  • Route tables
  • Internet gateways
  • Egress only Internet gateways
  • DHCP options sets
  • NAT gateways
  • Elastic IPs
  • Network ACLs
  • Security Groups

2. Generates CloudFormation Script

CloudRanger creates a CloudFormation script with the resources details for the target environment. A CloudFormation Script is generated to create resources in the target environment.

Details of resources clone settings

Resource Clone settings
VPC CIDR range preserved
Subnets CIDR Ranges Preserved, AZs allocated in round robin
Route tables Routing preserved
Internet gateways Routing preserved
Egress only Internet gateways Routing preserved
DHCP options sets Options preserved
NAT gateways Routing preserved
Elastic IPs New addresses allocated and assigned to VPCs for NAT gateways and pre-allocated for instances with EIPs
Network ACLs Rules and associations preserved
Security groups Ingress and Egress rules preserved

3. Creates resources in the target environment  

CloudRanger executes the CloudFormation Script to create resources in the target environment.

Permissions Required

The following permissions are required as part of an account configuration. CloudRanger creates an IAM role within an account with these permissions.

Discover resources and generate a CloudFormation script

  • ec2.describeVpcs

  • ec2.describeSubnets

  • ec2.describeInternetGateways

  • ec2.describeEgressOnlyInternetGateways

  • ec2.describeNatGateways

  • ec2.describeSecurityGroups

  • ec2.describeNetworkAcls

  • ec2.describeRouteTables

  • ec2.describeDhcpOptions

  • ec2.describeAddresses (Elastic IPs)

Clone resources by executing Cloudformation script

  • ec2:describeKeyPairs

  • ec2:modifyVpcAttribute

  • ec2:modifySubnetAttribute

  • ec2:modifyNetworkInterfaceAttribute

  • ec2:createNetworkInterfacePermission

  • ec2:describeAddresses

  • ec2:describeDhcpOptions

  • ec2:describeInternetGateways

  • ec2:describeEgressOnlyInternetGateways

  • ec2:describeNatGateways

  • ec2:createVPC

  • ec2:deleteVPC

  • ec2:createSubnet

  • ec2:deleteSubnet

  • ec2:createRoute

  • ec2:deleteRoute

  • ec2:createNetworkAcl

  • ec2:createNetworkAclEntry

  • ec2:deleteNetworkAcl

  • ec2:deleteNetworkAclEntry

  • ec2:describeNetworkAcls

  • ec2:ReplaceNetworkAclAssociation

  • ec2:ReplaceNetworkAclEntry

  • ec2:AllocateAddress

  • ec2:RevokeSecurityGroupEgress

  • ec2:RevokeSecurityGroupIngress

  • ec2:AssociateAddress

  • ec2:ReleaseAddress

  • ec2:DisassociateAddress

  • ec2:createRouteTable

  • ec2:deleteRouteTable

  • ec2:AssociateRouteTable

  • ec2:DisassociateRouteTable

  • ec2:createInternetGateway

  • ec2:AttachInternetGateway

  • ec2:DetachInternetGateway

  • ec2:deleteInternetGateway

  • ec2:createNatGateway

  • ec2:deleteNatGateway

  • ec2:createEgressOnlyInternetGateway

  • ec2:deleteEgressOnlyInternetGateway

  • ec2:createDHCPOptions

  • ec2:deleteDHCPOptions

  • ec2:createSecurityGroup

  • ec2:deleteSecurityGroup

  • ec2:AuthorizeSecurityGroupIngress

  • ec2:AuthorizeSecurityGroupEgress

  • ec2:describeRouteTables

  • cloudFormation:createstack

  • cloudformation:describestacks

  • cloudformation:describestackevents

  • cloudformation:describeStackResource

  • cloudformation:describeStackResources

  • cloudformation:deleteStack

  • Was this article helpful?