Before you go ahead with preparing your DR backup site, take a look at the following checklist for the CloudFormation template:
- A CIDR block: Ensure that you have an IP address block that can be divided into four subnets. The minimum size is /26, but because AWS reserves five addresses in every subnet that leaves room for only eight EC2 instances in the DR site, so you may want to use at least a /25 block. The block must be unique within the corporate network: the site communicates with the intranet over the VPN, so an overlapping block cannot be routed.
- The IP address of the on-premises router terminating the tunnel on the intranet side: You can enter a placeholder IP address and change it later. Providing an address lets the CloudFormation template create the AWS VPN components for you (customer gateway, virtual private gateway and site-to-site connection) and generate an example configuration for the on-premises router. Note that the IP address of a customer gateway cannot be edited in place; changing it later means updating the stack, which replaces the customer gateway and the VPN connection that references it.
- Does your intranet use private DNS zones or split-horizon DNS? If so, you will need to provide the IP addresses of two corporate DNS servers so that the failover instances can resolve internal names.
- Have you ensured that the DNS entries for the protected servers have a TTL shorter than the RTO? Lower the TTL of the DNS records of the protected servers to less than the required RTO. Resolvers and clients keep a cached answer until its TTL expires, so a record with a long TTL (sometimes days) stretches the DR site RTO to that value: after failover, clients keep resolving the old address until the cached entry ages out. A reduced TTL only takes effect once the previous TTL has expired, so make the change well before a failover or DR test.
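The TTL check in the last item, as an added Python example (not Druva's tooling and not part of the original page). It parses the text printed by `dig +noall +answer`, lists the protected-server records whose TTL exceeds the RTO, and reports how long after lowering the TTLs a failover or DR test must wait before resolvers honour the new values. The `SAMPLE_DIG` answers are constructed sample data.

```python
"""Check protected-server DNS records against the RTO (added example, not
Druva's tooling). Input is the text printed by `dig +noall +answer`; the
sample below is constructed."""

RECORD_TYPES = ("A", "AAAA", "CNAME")


def parse_dig_answers(text):
    """Yield (name, ttl_seconds, rtype, rdata) from `dig +noall +answer` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue                     # blank line or dig comment
        yield parts[0].rstrip("."), int(parts[1]), parts[3], parts[4]


def ttl_violations(text, rto_seconds):
    """Records whose TTL exceeds the RTO. A resolver may serve the old address
    for up to TTL seconds after failover, so the RTO cannot be met for these."""
    return [(name, ttl) for name, ttl, rtype, _ in parse_dig_answers(text)
            if rtype in RECORD_TYPES and ttl > rto_seconds]


def earliest_safe_failover(text):
    """Seconds that must elapse after lowering the TTLs before a failover or DR
    test sees the new values: caches keep the old records for the old TTL."""
    return max((ttl for _, ttl, rtype, _ in parse_dig_answers(text)
                if rtype in RECORD_TYPES), default=0)


# Constructed sample: three protected servers captured with `dig +noall +answer`.
SAMPLE_DIG = """\
app1.corp.example.\t86400\tIN\tA\t10.0.1.5
db1.corp.example.\t300\tIN\tA\t10.0.1.6
files.corp.example.\t3600\tIN\tCNAME\tapp1.corp.example.
"""

if __name__ == "__main__":
    print(ttl_violations(SAMPLE_DIG, rto_seconds=3600))   # [('app1.corp.example', 86400)]
    print(earliest_safe_failover(SAMPLE_DIG))             # 86400
```

Run it against `dig +noall +answer` output for every protected server; the one-day TTL on `app1` in the sample is exactly the case the checklist warns about, and `earliest_safe_failover` says a DR test scheduled less than a day after the TTL change would still hit stale caches.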
Before you begin
Before you create a disaster recovery site, ensure that you deployed the Phoenix AWS proxy in your AWS account. For more information, see Deploy Phoenix AWS proxy.
Create a DR site
You must create the DR backup site in the same region where your virtual machine backups reside (the storage region selected for backups). Without any further ado, let's begin.
- Go to AWS Management Console > Services > CloudFormation > Stacks.
- In the Stacks section, click Create Stack.
- You can use a pre-configured template that you can download here. For more information, see Selecting a Stack Template.
- Click Next and you will be navigated to the Specify stack details page. Give a name to your stack. For the sake of simplicity, let’s call our stack IntranetOnlyDR-Site.
VPC Network Configuration
The IP address block for the VPC (VpcIpBlock). It must not overlap any network used inside the corporate intranet, and its prefix length must be in the /16 to /26 range. In our example, we're using the default block 10.1.0.0/16 for the failover VPC.
IP address range for the production subnet in the first availability zone. This must lie within the VPC IP block and have a longer prefix (a smaller range) than the VpcIpBlock.
IP address range for the production subnet in the second availability zone. This must lie within the VPC IP block and have a longer prefix than the VpcIpBlock.
IP address range for the test subnet in the first availability zone. This must lie within the VPC IP block and have a longer prefix than the VpcIpBlock.
IP address range for the test subnet in the second availability zone. This must lie within the VPC IP block and have a longer prefix than the VpcIpBlock.
Corporate DNS Info
DNS domain added to the resolv.conf file on the failover EC2 instances. This is only the search domain used by the EC2 resolvers; it does not change which servers answer queries.
Corporate DNS servers used to resolve all DNS names other than the AWS ones. You may leave this field empty if your corporate network uses only public DNS domains. Otherwise, provide the IP addresses of two corporate DNS servers separated by a comma.
VPN tunnel info
The IP address of the IPsec tunnel endpoint on the corporate side (the customer gateway: the outside address of your VPN router, or of the NAT device in front of it). If you don't have a router yet, use any private IP address as a placeholder so that the AWS components are created.
For more information about specifying the stack name and parameters, see Specifying Stack Name and Parameters.
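The address-planning rules from the checklist (a block that splits into four subnets and does not overlap the intranet) and from the VPC Network Configuration parameters above (each subnet inside the VPC block and smaller than it), as an added Python example that is not Druva's tooling or part of the original page. `plan_dr_network` validates a candidate VPC block and proposes four equal subnets, `validate_subnet_params` checks subnet values you picked by hand, and the usable-host figure subtracts the five addresses AWS reserves in every subnet. The corporate networks and VPC blocks are constructed sample data.

```python
"""Plan and validate the DR site addressing (added example, not Druva's
tooling). Corporate networks and VPC blocks below are constructed samples."""
import ipaddress

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS resolver, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5
SUBNET_ROLES = ("ProdSubnetAz1", "ProdSubnetAz2", "TestSubnetAz1", "TestSubnetAz2")


def plan_dr_network(vpc_cidr, corporate_cidrs):
    """Check the VPC block and propose four equal subnets for it.

    Raises ValueError if the block is outside /16../26 or overlaps a corporate
    network (such a VPC could never be reached over the VPN).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 26:
        raise ValueError(f"{vpc} is outside the /16 to /26 range the template accepts")
    for corp in corporate_cidrs:
        corp_net = ipaddress.ip_network(corp, strict=True)
        if vpc.overlaps(corp_net):
            raise ValueError(f"{vpc} overlaps corporate network {corp_net}")
    # Four equal subnets: prod AZ1, prod AZ2, test AZ1, test AZ2.
    subnets = list(vpc.subnets(prefixlen_diff=2))
    return {
        "vpc": str(vpc),
        "subnets": dict(zip(SUBNET_ROLES, (str(s) for s in subnets))),
        "usable_hosts_per_subnet": subnets[0].num_addresses - AWS_RESERVED_PER_SUBNET,
    }


def validate_subnet_params(vpc_cidr, subnet_cidrs):
    """Apply the rules on the stack form to hand-picked subnet parameters: each
    inside the VPC block, each a longer prefix than the VPC block, none
    overlapping. Returns a list of problems (empty when acceptable)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside {vpc}")
        elif net.prefixlen <= vpc.prefixlen:
            problems.append(f"{net} is not smaller than the VPC block {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


CORPORATE_NETWORKS = ["10.0.0.0/16", "192.168.0.0/16"]   # constructed intranet plan

if __name__ == "__main__":
    # A /26 is accepted but yields four /28s with only 11 usable addresses each.
    print(plan_dr_network("10.1.0.0/26", CORPORATE_NETWORKS))
    print(validate_subnet_params("10.1.0.0/16",
                                 ["10.1.0.0/24", "10.1.0.0/25", "10.2.0.0/24"]))
```

Run `plan_dr_network` with the real intranet address plan before filling in the stack form; the `/26` case shows why the checklist recommends at least a `/25`, and `validate_subnet_params` catches the two mistakes the form rejects only after you submit it (a subnet outside the VPC block, and two subnets that overlap).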
- Click Next to move on to the Configure stack options page. For information about setting stack options and reviewing the stack details before creating it, see Setting AWS CloudFormation Stack Options and Reviewing Your Stack and Estimating Stack Cost on the AWS CloudFormation Console. Click Create Stack. Creation takes a few minutes, so grab a cup of tea or coffee.
- Let's begin with a review of the CloudFormation stack parameters used to build the site. For information on reviewing your stack parameters, see Reviewing Your Stack and Estimating Stack Cost on the AWS CloudFormation Console.
- Ensure that the parameters are set as you intended. The following screenshot shows an example:
- Next, let's review the DR site infrastructure created by our template, beginning with the VPCs. You should have two VPCs: one for the AWS proxy and one for failover. Ensure that the failover VPC has the IP block you specified, along with the other options set by the template.
- Verify the subnets.
- There should be at least four subnets in the failover VPC: two for production and two for testing, spread over two availability zones as discussed previously. The AZ2 subnets are used only if AZ1 fails.
- The EC2 instances deployed in these subnets only need to reach the corporate intranet, so the subnets are private: the Auto-assign public IPv4 address flag must be disabled, and their route table must not carry a route to an internet gateway.
- Verify the route table. Every subnet is associated with the same route table, which in addition to the VPC's local route has two entries: one for the S3 service (the prefix-list route of an S3 gateway endpoint, so restore traffic to S3 stays inside AWS instead of crossing the tunnel) and a default route pointing at the virtual private gateway, so all other traffic goes over the VPN to the intranet. Click the link next to the default route entry to open the Virtual Private Gateways page.
- Verify that the virtual private gateway has been deployed and attached to the Druva failover VPC. The virtual private gateway is the AWS end of the tunnel. The other end is the customer gateway, the router on the customer side, which must be configured separately.
- Click Customer Gateways in the left pane to open the Customer Gateways page. Verify the state, the IP address (the corporate tunnel endpoint you entered), the type (ipsec.1) and the associated VPC.
- Lastly, verify the Site-to-Site VPN connection between the virtual private gateway and the customer gateway. The connection is attached to the failover VPC and uses static routing. BGP (dynamic) routing is also available for advanced routing needs.
The corporate intranet routers must be configured to route traffic destined for the VPC over the tunnel.
The Tunnel Details tab shows the state of each tunnel. The status is DOWN until you have configured the on-premises router.
A benefit of creating the tunnel in AWS is that you can download an example configuration for the on-premises router: click Download Configuration at the top of the page. The downloaded file contains the pre-shared keys of both tunnels, so handle it as a secret and do not leave it in a ticket or a shared drive.
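To turn the console walk-through above into a repeatable check, here is an added Python example (not Druva's template or tooling, and not part of the original page) that audits a CloudFormation template for the same properties: every subnet has auto-assign public IPv4 disabled, no internet or NAT gateway exists, each subnet's route table sends 0.0.0.0/0 to a virtual private gateway that is attached to the VPC, and an S3 gateway endpoint is present. `SAMPLE_TEMPLATE` is a constructed stand-in that uses the resource types described on this page, not the downloadable template; to audit the real one, load it with `json.load()` (or `yaml.safe_load()` for a YAML template) and pass the result to `audit_dr_template()`. `public_variant()` builds a deliberately wrong copy so the two can be compared.

```python
"""Audit a CloudFormation template for the intranet-only DR design: private
subnets, no internet or NAT gateway, every subnet's default route via an
attached virtual private gateway, and an S3 gateway endpoint. Added example,
not Druva's template; SAMPLE_TEMPLATE is a constructed stand-in. For a real
stack, load the downloaded template (json/yaml) and call audit_dr_template()."""
import copy


def _ref(name):
    return {"Ref": name}


def _ref_name(value):
    """Resolve {"Ref": "X"} to "X"; literal resource IDs pass through unchanged."""
    return value.get("Ref") if isinstance(value, dict) else value


def _subnet(cidr, az):
    # Private subnet: instances reach the intranet only over the VPN and
    # must never be handed public IPv4 addresses.
    return {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": _ref("FailoverVpc"), "CidrBlock": cidr,
        "AvailabilityZone": az, "MapPublicIpOnLaunch": False}}


SAMPLE_TEMPLATE = {"Resources": {
    "FailoverVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.1.0.0/16"}},
    "ProdSubnetAz1": _subnet("10.1.0.0/24", "us-east-1a"),
    "ProdSubnetAz2": _subnet("10.1.1.0/24", "us-east-1b"),
    "TestSubnetAz1": _subnet("10.1.2.0/24", "us-east-1a"),
    "TestSubnetAz2": _subnet("10.1.3.0/24", "us-east-1b"),
    "VpnGateway": {"Type": "AWS::EC2::VPNGateway", "Properties": {"Type": "ipsec.1"}},
    "VpnGatewayAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
        "VpcId": _ref("FailoverVpc"), "VpnGatewayId": _ref("VpnGateway")}},
    "CustomerGateway": {"Type": "AWS::EC2::CustomerGateway", "Properties": {
        "Type": "ipsec.1", "BgpAsn": 65000, "IpAddress": _ref("CustomerGatewayIp")}},
    "VpnConnection": {"Type": "AWS::EC2::VPNConnection", "Properties": {
        "Type": "ipsec.1", "StaticRoutesOnly": True,
        "CustomerGatewayId": _ref("CustomerGateway"), "VpnGatewayId": _ref("VpnGateway")}},
    "PrivateRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": _ref("FailoverVpc")}},
    "DefaultRouteViaVpn": {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": _ref("PrivateRouteTable"), "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": _ref("VpnGateway")}},
    "S3Endpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcId": _ref("FailoverVpc"), "ServiceName": "com.amazonaws.us-east-1.s3",
        "RouteTableIds": [_ref("PrivateRouteTable")]}},
}}
for _name in ("ProdSubnetAz1", "ProdSubnetAz2", "TestSubnetAz1", "TestSubnetAz2"):
    SAMPLE_TEMPLATE["Resources"][_name + "Assoc"] = {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {"SubnetId": _ref(_name), "RouteTableId": _ref("PrivateRouteTable")}}


def audit_dr_template(template):
    """Return a list of findings; an empty list means the template matches the design."""
    res = template["Resources"]

    def of_type(rtype):
        return {n: r for n, r in res.items() if r["Type"] == rtype}

    findings = []
    for name, sub in of_type("AWS::EC2::Subnet").items():
        if sub["Properties"].get("MapPublicIpOnLaunch", False):
            findings.append(f"{name}: auto-assign public IPv4 is enabled on a DR subnet")
    for rtype in ("AWS::EC2::InternetGateway", "AWS::EC2::NatGateway"):
        for name in of_type(rtype):
            findings.append(f"{name}: {rtype} has no place in an intranet-only DR VPC")
    vgws = set(of_type("AWS::EC2::VPNGateway"))
    attached = {_ref_name(a["Properties"].get("VpnGatewayId"))
                for a in of_type("AWS::EC2::VPCGatewayAttachment").values()}
    for name in sorted(vgws - attached):
        findings.append(f"{name}: virtual private gateway is not attached to any VPC")
    # Route tables whose 0.0.0.0/0 entry points at a virtual private gateway.
    vpn_default_tables = {
        _ref_name(r["Properties"]["RouteTableId"])
        for r in of_type("AWS::EC2::Route").values()
        if r["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0"
        and _ref_name(r["Properties"].get("GatewayId")) in vgws}
    subnet_tables = {_ref_name(a["Properties"]["SubnetId"]): _ref_name(a["Properties"]["RouteTableId"])
                     for a in of_type("AWS::EC2::SubnetRouteTableAssociation").values()}
    for name in of_type("AWS::EC2::Subnet"):
        table = subnet_tables.get(name)      # None: falls back to the main route table
        if table not in vpn_default_tables:
            findings.append(f"{name}: route table {table} has no default route via the VPN gateway")
    if not any(str(e["Properties"].get("ServiceName", "")).endswith(".s3")
               for e in of_type("AWS::EC2::VPCEndpoint").values()):
        findings.append("no S3 gateway endpoint: restores from S3 would have to cross the tunnel")
    return findings


def public_variant(template):
    """Constructed misconfiguration: a public subnet and an internet-gateway default route."""
    bad = copy.deepcopy(template)
    res = bad["Resources"]
    res["ProdSubnetAz1"]["Properties"]["MapPublicIpOnLaunch"] = True
    res["Igw"] = {"Type": "AWS::EC2::InternetGateway", "Properties": {}}
    res["DefaultRouteViaVpn"]["Properties"]["GatewayId"] = _ref("Igw")
    return bad


if __name__ == "__main__":
    print(audit_dr_template(SAMPLE_TEMPLATE))
    for finding in audit_dr_template(public_variant(SAMPLE_TEMPLATE)):
        print(finding)
```

The audit reads only the template, so it runs before the stack is created and again after every template update; the manual checks on the console remain useful for state the template cannot show, such as whether the tunnel is UP and whether the on-premises router actually routes the VPC block into it.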