Overview of the Phoenix AWS Proxy
Phoenix AWS proxy is an Elastic Compute Cloud (EC2) instance that runs the Phoenix disaster recovery service. It orchestrates copying data from the Phoenix Cloud to your AWS account and creates a DR copy at a frequency specified in the DR plan. The Phoenix AWS proxy runs in your AWS account. The Phoenix AWS proxy is launched in the same AWS region where the virtual machine backups are located. The EC2 instances are started in the same region for disaster recovery. Phoenix uses the AWS Cloud Formation template to deploy the Phoenix AWS Proxy.
Note: Druva recommends that you deploy at least two Phoenix AWS proxies (also referred to as DR proxies) in separate availability zones for high availability. Each DR proxy can run three DR restore jobs concurrently. This means that three virtual machines can be copied from the Druva cloud to the customer AWS account simultaneously. The DR proxy deployment takes less than 10 minutes.
About AWS Cloud Formation template used to deploy the Phoenix AWS Proxy
You must first select the AWS storage region on the Phoenix Management Console and create an AWS Cloud Formation stack to define the AWS resources.
Phoenix uses AWS Cloud Formation to automate the proxy deployment along with its prerequisites: creating the IAM policy and IAM role, creating the IAM instance profile and security group, attaching the policy to the proxy, and deploying the proxy by registering and activating it. When the Phoenix AWS Proxy is deployed, the cloud formation template checks whether an IAM role with the same name exists. If not, a new IAM role is automatically created and attached to the Phoenix AWS Proxy EC2 instance.
AWS Cloud Formation provides a simple JSON-based template to define all the AWS resources that you need to deploy your infrastructure for disaster recovery and a stack to create and manage the resources. For more information, see AWS CloudFormation Concepts.
Components deployed as part of CloudFormation template deployment
The following AWS services are deployed in your AWS account during the Phoenix AWS proxy deployment:
- The Amazon EC2 instance type (c5.2xlarge - recommended) used for the Phoenix AWS proxy.
- The following AWS VPC endpoints that are configured as part of proxy deployment:
  - Druva Backup Service Endpoint
  - Druva Node Service Endpoint
  - S3 Endpoint
  - SQS Endpoint
  - EC2 Endpoint
  - CloudFormation Endpoint
Note: Since the IAM endpoint is not supported by AWS, the AWS proxy cannot access the IAM services using AWS PrivateLink. Due to this limitation, the IAM roles will not be listed on the Phoenix Management Console while updating the Failover settings and creating a DR plan.
About secure communication using AWS PrivateLink
When you deploy the Phoenix AWS Proxy using the cloud formation stack, Druva deploys VPC endpoints for required services and deploys a Route 53 hosted zone for the VPC. This allows secure communication within the AWS network through the VPC endpoint services (AWS PrivateLink) without needing the internet gateway.
AWS PrivateLink provides private connectivity between VPCs and services hosted on AWS or on-premises, securely on the Amazon network. By providing a private endpoint to access the services, AWS PrivateLink ensures the traffic is not exposed to the public internet. It also makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.
For more information, see VPC endpoint services (AWS PrivateLink) in the AWS documentation.
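One way to confirm that the proxy's VPC actually has the endpoints listed above, so that none of these services falls back to an internet path. This is an added example, not Druva's code: it audits the parsed JSON output of `aws ec2 describe-vpc-endpoints`, and the sample data, the VPC IDs and the two Druva endpoint service names are constructed placeholders.

```python
# AWS-managed services the page lists as VPC endpoints for the proxy.
AWS_SERVICES = ("s3", "sqs", "ec2", "cloudformation")


def audit_endpoints(describe_output, region, vpc_id, partner_services=()):
    """Map each expected service name to its problem; empty dict means all good."""
    expected = [f"com.amazonaws.{region}.{s}" for s in AWS_SERVICES]
    expected += list(partner_services)  # e.g. the Druva endpoint service names
    states_by_service = {}
    for ep in describe_output.get("VpcEndpoints", []):
        if ep.get("VpcId") != vpc_id:
            continue  # an endpoint in another VPC does not serve this proxy
        states_by_service.setdefault(ep.get("ServiceName"), []).append(
            ep.get("State", "unknown"))
    findings = {}
    for service in expected:
        states = states_by_service.get(service)
        if not states:
            findings[service] = "missing"
        elif "available" not in states:
            findings[service] = "not available: " + ",".join(sorted(states))
    return findings


# Placeholders: the real Druva endpoint service names are not given on the page.
DRUVA_BACKUP = "com.amazonaws.vpce.us-east-2.vpce-svc-PLACEHOLDER-BACKUP"
DRUVA_NODE = "com.amazonaws.vpce.us-east-2.vpce-svc-PLACEHOLDER-NODE"

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints` output.
SAMPLE = {"VpcEndpoints": [
    {"VpcId": "vpc-0aaa", "ServiceName": "com.amazonaws.us-east-2.s3",
     "State": "available"},
    {"VpcId": "vpc-0aaa", "ServiceName": "com.amazonaws.us-east-2.sqs",
     "State": "available"},
    {"VpcId": "vpc-0aaa", "ServiceName": "com.amazonaws.us-east-2.ec2",
     "State": "pending"},
    {"VpcId": "vpc-0bbb", "ServiceName": "com.amazonaws.us-east-2.cloudformation",
     "State": "available"},
    {"VpcId": "vpc-0aaa", "ServiceName": DRUVA_BACKUP, "State": "available"},
]}

if __name__ == "__main__":
    result = audit_endpoints(SAMPLE, "us-east-2", "vpc-0aaa",
                             (DRUVA_BACKUP, DRUVA_NODE))
    for service, problem in result.items():
        print(f"{service}: {problem}")
```

An empty result means every expected endpoint exists in the proxy's VPC and is in the `available` state.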
The following diagram illustrates the communication flow:
Required knowledge or experience
To deploy the Phoenix AWS proxy, you need basic knowledge of, or working experience with, networking, AWS Identity Access Management (IAM), AWS CloudFormation, Amazon EC2 (Elastic Compute Cloud), Amazon PrivateLink, and Amazon S3 (Simple Storage Service).
AWS component costs
The Phoenix AWS proxy deploys the following components as part of CloudFormation stack deployment:
- Amazon EC2 instance: The Phoenix AWS proxy, also referred to as DR proxy, is an EC2 instance that runs in the customer’s AWS account. The Phoenix AWS proxy runs the Phoenix Disaster Recovery service and is responsible for orchestrating the DR Restore, DR failback, and DR failover.
- VPC endpoints: A VPC endpoint enables private connections between the customer VPC and supported AWS services and VPC endpoint services using AWS PrivateLink.
- Hosted zone: Phoenix uses Amazon Route 53 to perform DNS resolution between the Phoenix AWS proxy and the various AWS components in the customer VPC via the Amazon PrivateLink service. To route traffic to the various AWS components, you create records, also known as resource record sets, in your hosted zone.
The AWS component pricing can vary depending upon the options you select. AWS can also change the component pricing at any time. We advise you to check the AWS website for the most current component costs.
Amazon EC2 instance pricing
The Amazon EC2 instance pricing depends upon how many Phoenix AWS proxies you choose to deploy and the instance type of each deployment. Refer to Amazon EC2 pricing for the costs depending upon the instance type you select.
For example, let's choose one Amazon EC2 instance of type c5.2xlarge. If we select an EC2 Instance Savings Plan, pick a 3-year reservation with no upfront payments, and select 30 GB of EBS volume storage (General Purpose SSD (gp2)), the total monthly cost comes to $112.65. Use the Amazon EC2 pricing calculator to calculate the EC2 instance costs as per your requirements.
VPC endpoint pricing
The VPC endpoint price varies from AWS region to region. Phoenix deploys 6 VPC endpoints in all regions except us-east-1 where Phoenix deploys 10 VPC endpoints. Phoenix deploys the following VPC endpoints:
- AWS S3 VPC Endpoint
- AWS SQS VPC Endpoint
- AWS EC2 VPC Endpoint
- AWS CloudFormation VPC Endpoint
- Druva Service Endpoint
The example in the following screenshot uses the US East (Ohio) region (us-east-2) to compute VPC endpoint costs. It assumes that we deploy 6 VPC endpoints, 1 availability zone, and that the endpoints will process around 100 GB of data between the Phoenix AWS proxy and Phoenix services per month.
Total Cost: $49.8 / Month for all the endpoints.
Use the AWS PrivateLink pricing calculator to compute costs as per your requirements.
Hosted zone pricing
|What is chargeable|Cost|
|---|---|
|Cost per hosted zone / month|$0.50|
|Cost per million queries – first 1 Billion queries / month|$0.60|

Total Cost: $1.1 per month for hosted zone resources.
The total cost of deployment sums up to be:
Amazon EC2 instance cost + VPC endpoint cost + Hosted zone cost = $112.65 + $49.8 + $1.1 = $163.55 per month