About AWS proxy deployment
Overview of the AWS Proxy
The Druva AWS proxy is an Elastic Compute Cloud (EC2) instance that runs the Disaster Recovery service. It orchestrates copying data from the Druva Cloud to your AWS account and creates a DR copy at a frequency specified in the DR plan. The Druva AWS proxy runs in your AWS account and is launched in the same AWS region where the virtual machine backups are located. The EC2 instances are started in the same region for disaster recovery. Druva uses the AWS CloudFormation template to deploy the Druva AWS proxy.
Note: Druva recommends that you deploy at least two Druva AWS proxies (also referred to as DR proxies) in separate availability zones for high availability. Each Druva AWS proxy can run three DR restore jobs concurrently. This means that three virtual machines can be copied from the Druva Cloud to the customer AWS account simultaneously. The Druva AWS proxy deployment takes less than 10 minutes.
About the AWS CloudFormation template used to deploy the Druva AWS proxy
You must first select the AWS storage region on the Hybrid Workloads Management Console and create an AWS CloudFormation stack to define the AWS resources.
Druva uses AWS CloudFormation to automate the deployment along with the prerequisites of proxy deployment: creating the IAM policy and IAM role, creating the IAM instance profile and security group, attaching the policy to the proxy, and deploying the proxy by registering and activating it. When the Druva AWS proxy is deployed, the CloudFormation template identifies if an IAM role with the same name exists. If not, a new IAM role is automatically created and attached to the Druva AWS proxy EC2 instance.
AWS CloudFormation provides a simple JSON-based template to define all the AWS resources that you need to deploy your infrastructure for disaster recovery and a stack to create and manage the resources. For more information, see AWS CloudFormation Concepts.
Components deployed as part of CloudFormation template deployment
The following AWS services are deployed in your AWS account during the Druva AWS proxy deployment:
- The Amazon EC2 instance type (c5.2xlarge - recommended) used for the Druva AWS proxy.
- The following AWS VPC endpoints that are configured as part of proxy deployment:
  - Druva Backup Service Endpoint
  - Druva Node Service Endpoint
  - S3 Endpoint
  - SQS Endpoint
  - EC2 Endpoint
  - CloudFormation Endpoint
Note: Since the IAM endpoint is not supported by AWS, the AWS proxy cannot access the IAM services using AWS PrivateLink. Due to this limitation, the IAM roles will not be listed on the Hybrid Workloads Management Console while updating the Failover settings and creating a DR plan.
Should you need to increase the limits for any of the services above, the service increase costs need to be paid to AWS. For more information, see Amazon EC2 service quotas and Amazon VPC quotas.
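The endpoint list above can be checked after deployment. The following Python sketch is an added example, not Druva's own tooling: it audits output shaped like `aws ec2 describe-vpc-endpoints` for the four AWS service endpoints and counts the two Druva endpoints. It assumes the Druva services appear as PrivateLink endpoint services (names beginning `com.amazonaws.vpce.<region>.vpce-svc-`); the VPC IDs and service IDs in the sample are constructed.

```python
import json

AWS_SERVICES = ("s3", "sqs", "ec2", "cloudformation")  # AWS services listed on the page
PARTNER_ENDPOINTS_EXPECTED = 2  # Druva Backup Service + Druva Node Service


def audit_endpoints(describe_output, vpc_id, region):
    """Return findings for one VPC; an empty list means every check passed."""
    available = [
        e.get("ServiceName", "")
        for e in describe_output.get("VpcEndpoints", [])
        if e.get("VpcId") == vpc_id and e.get("State", "").lower() == "available"
    ]
    findings = []
    for svc in AWS_SERVICES:
        name = f"com.amazonaws.{region}.{svc}"
        if name not in available:
            findings.append(f"no available endpoint for {name}")
    # Assumption: the Druva services are PrivateLink endpoint services, so
    # their names start with com.amazonaws.vpce.<region>.vpce-svc-
    prefix = f"com.amazonaws.vpce.{region}.vpce-svc-"
    partner = [n for n in available if n.startswith(prefix)]
    if len(partner) < PARTNER_ENDPOINTS_EXPECTED:
        findings.append(
            f"expected {PARTNER_ENDPOINTS_EXPECTED} endpoint-service endpoints, "
            f"found {len(partner)}"
        )
    return findings


# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints` output.
SAMPLE = json.loads("""
{"VpcEndpoints": [
 {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
 {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.us-east-1.sqs", "State": "available"},
 {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.us-east-1.ec2", "State": "available"},
 {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.us-east-1.cloudformation", "State": "pending"},
 {"VpcId": "vpc-0example", "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-EXAMPLE1", "State": "available"},
 {"VpcId": "vpc-0other", "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-EXAMPLE2", "State": "available"}
]}
""")

if __name__ == "__main__":
    for finding in audit_endpoints(SAMPLE, "vpc-0example", "us-east-1"):
        print("FINDING:", finding)
```

An endpoint that is missing or not yet available means the proxy has no private path to that service from this VPC.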
About secure communication using AWS PrivateLink
When you deploy the Druva AWS proxy using the CloudFormation stack, Druva deploys VPC endpoints for the required services and a Route 53 hosted zone for the VPC. This allows secure communication within the AWS network through the VPC endpoint services (AWS PrivateLink) without needing an internet gateway.
AWS PrivateLink provides private connectivity between VPCs and services hosted on AWS or on-premises, securely on the Amazon network. By providing a private endpoint to access the services, AWS PrivateLink ensures the traffic is not exposed to the public internet. It also makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.
For more information, see VPC endpoint services (AWS PrivateLink) in the AWS documentation.
The following diagram illustrates the communication flow:
Required knowledge or experience
To deploy the Druva AWS proxy, you need basic knowledge of or working experience with networking, AWS Identity and Access Management (IAM), AWS CloudFormation, Amazon EC2 (Elastic Compute Cloud), AWS PrivateLink, and Amazon S3 (Simple Storage Service).
AWS component costs
The cost will depend on your usage of Druva Cloud DR and the AWS components used. It is recommended that you review the AWS pricing documentation and consult with Druva or AWS representatives for a more detailed cost analysis based on your component requirements.
Druva Cloud DR for VMware incurs the following types of AWS costs:
Fixed Costs: Fixed costs are for the AWS resources deployed as part of CloudFormation Deployment.
Variable Costs: Variable costs are for the AWS resources created and used as a part of DR operations like Update DR Copy, DR Failover, and DR Failback.
The Druva AWS proxy for Cloud DR deploys the following components as part of CloudFormation stack deployment:
- Amazon EC2 instance: The Druva AWS proxy, also referred to as DR proxy, is an EC2 instance that runs in the customer’s AWS account. The Druva AWS proxy runs the Druva Disaster Recovery service and is responsible for orchestrating the DR Restore, DR failback, and DR failover.
- VPC endpoints: A VPC endpoint enables private connections between the customer VPC and supported AWS services and VPC endpoint services using AWS PrivateLink.
- Route 53 hosted zone: Druva uses Amazon Route 53 to perform DNS resolution between the Druva AWS proxy and the various AWS components in the customer VPC via the AWS PrivateLink service. To route traffic to the various AWS components, you create records, also known as resource record sets, in your hosted zone.
The AWS component pricing can vary depending upon the options you select. AWS can also change the component pricing at any time. We advise you to check the AWS website for the most current component costs.