About AWS proxy deployment



Overview of the AWS Proxy
The Druva AWS proxy is an Elastic Compute Cloud (EC2) instance that runs the Disaster Recovery service. It orchestrates copying data from the Druva Cloud to your AWS account and creates a DR copy at the frequency specified in the DR plan. The Druva AWS proxy runs in your AWS account and is launched in the same AWS region where the virtual machine backups are located. The EC2 instances are started in the same region for disaster recovery. Druva uses an AWS CloudFormation template to deploy the Druva AWS proxy.
Note: Druva recommends that you deploy at least two Druva AWS proxies (also referred to as DR proxies) in separate availability zones for high availability. Each Druva AWS proxy can run three DR restore jobs concurrently. This means that three virtual machines can be copied from the Druva cloud to the customer AWS account simultaneously. The Druva AWS proxy deployment takes less than 10 minutes.
About the AWS CloudFormation template used to deploy the Druva AWS proxy
You must first select the AWS storage region on the Management Console and create an AWS CloudFormation stack to define the AWS resources.
Druva uses AWS CloudFormation to automate the deployment together with its prerequisites: creating the IAM policy and IAM role, creating the IAM instance profile and security group, attaching the policy to the proxy, and deploying the proxy by registering and activating it. When the Druva AWS proxy is deployed, the CloudFormation template checks whether an IAM role with the same name exists. If not, a new IAM role is automatically created and attached to the Druva AWS proxy EC2 instance.
AWS CloudFormation provides a simple JSON-based template to define all the AWS resources that you need to deploy your infrastructure for disaster recovery and a stack to create and manage the resources. For more information, see AWS CloudFormation Concepts.
Components deployed as part of CloudFormation template deployment
The following AWS services are deployed in your AWS account during the Druva AWS proxy deployment:
- The Amazon EC2 instance type (c5.2xlarge - recommended) used for the Druva AWS proxy.
- The following AWS VPC endpoints that are configured as part of proxy deployment:
  - Druva Backup Service Endpoint
  - Druva Node Service Endpoint
  - S3 Endpoint
  - SQS Endpoint
  - EC2 Endpoint
  - CloudFormation Endpoint
  - EBS Endpoint
  - Lambda Endpoint
  - Logs Endpoint
Note: Since the IAM endpoint is not supported by AWS, the AWS proxy cannot access the IAM services using AWS PrivateLink. Due to this limitation, the IAM roles will not be listed on the Management Console while updating the Failover settings and creating a DR plan.
If you need to increase the limits for any of the services above, the cost of the increase must be paid to AWS. For more information, see Amazon EC2 service quotas and Amazon VPC quotas.
About secure communication using AWS PrivateLink
When you deploy the Druva AWS proxy using the CloudFormation stack, Druva deploys VPC endpoints for the required services and a Route 53 hosted zone for the VPC. This allows secure communication within the AWS network through the VPC endpoint services (AWS PrivateLink) without needing the internet gateway.
AWS PrivateLink provides private connectivity between VPCs and services hosted on AWS or on-premises, securely on the Amazon network. By providing a private endpoint to access the services, AWS PrivateLink ensures the traffic is not exposed to the public internet. It also makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.
For more information, see VPC endpoint services (AWS PrivateLink) in the AWS documentation.
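A post-deployment check for the endpoint list and the PrivateLink behaviour described above, as an added example that is not part of Druva's documentation or tooling. It audits the JSON printed by `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables`; the VPC ID, region and sample data are constructed, and it assumes the two Druva endpoints appear as PrivateLink endpoint services with `vpce-svc-` in their service name.

```python
import json

# AWS service endpoints the page lists, as suffixes of com.amazonaws.<region>.<service>
REQUIRED_AWS = {"s3", "sqs", "ec2", "cloudformation", "ebs", "lambda", "logs"}
# Assumption: the Druva Backup and Node endpoints are PrivateLink services (...vpce-svc-<id>)
REQUIRED_PARTNER = 2

def audit_proxy_vpc(endpoints_json, route_tables_json, vpc_id, region):
    """Audit JSON from `aws ec2 describe-vpc-endpoints` and `describe-route-tables`."""
    prefix = f"com.amazonaws.{region}."
    aws_ok, partner_ok, unhealthy = set(), 0, []
    for ep in json.loads(endpoints_json).get("VpcEndpoints", []):
        if ep.get("VpcId") != vpc_id:
            continue
        name = ep.get("ServiceName", "")
        if ep.get("State", "").lower() != "available":
            unhealthy.append(ep.get("VpcEndpointId"))  # exists but not usable yet
        elif ".vpce-svc-" in name:
            partner_ok += 1
        elif name.startswith(prefix):
            aws_ok.add(name[len(prefix):])
    # Informational: route tables whose default route targets an internet gateway
    igw_routes = [
        rt["RouteTableId"]
        for rt in json.loads(route_tables_json).get("RouteTables", [])
        if rt.get("VpcId") == vpc_id
        for r in rt.get("Routes", [])
        if r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and str(r.get("GatewayId", "")).startswith("igw-")
    ]
    return {"missing_aws": sorted(REQUIRED_AWS - aws_ok),
            "missing_partner": max(0, REQUIRED_PARTNER - partner_ok),
            "unhealthy": unhealthy, "igw_default_routes": igw_routes}

# Constructed sample input (not real output): no Lambda endpoint, Logs still pending
def _ep(n, service, state="available"):
    return {"VpcEndpointId": f"vpce-{n:04d}", "VpcId": "vpc-example",
            "ServiceName": service, "State": state}
SAMPLE_ENDPOINTS = json.dumps({"VpcEndpoints": [
    *[_ep(n, f"com.amazonaws.us-east-1.{s}")
      for n, s in enumerate(["s3", "sqs", "ec2", "cloudformation", "ebs"])],
    _ep(10, "com.amazonaws.us-east-1.logs", "pending"),
    _ep(11, "com.amazonaws.vpce.us-east-1.vpce-svc-EXAMPLE1"),
    _ep(12, "com.amazonaws.vpce.us-east-1.vpce-svc-EXAMPLE2")]})
SAMPLE_ROUTES = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-private", "VpcId": "vpc-example",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-example",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]}]})
```

A pending or missing endpoint means the proxy cannot reach that service privately; an entry under `igw_default_routes` only shows that the listed route table also has a path to the internet.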
The following diagram illustrates the communication flow:
Required knowledge or experience
To deploy the Druva AWS proxy, you need basic knowledge of, or working experience with, networking, AWS Identity and Access Management (IAM), AWS CloudFormation, Amazon EC2 (Elastic Compute Cloud), AWS PrivateLink, and Amazon S3 (Simple Storage Service).
AWS component costs
The AWS component pricing can vary depending upon the options you select. AWS can also change the component pricing at any time. We advise you to check the AWS website for the most current component costs.