About Phoenix AWS Proxy
The Phoenix AWS proxy is an Amazon Elastic Compute Cloud (EC2) instance that runs the Phoenix disaster recovery service in your AWS account. It orchestrates copying data from the Phoenix Cloud to your AWS account and creates a DR copy at the frequency specified in the DR plan. The proxy is launched in the same AWS region as the virtual machine backups, and the EC2 instances used for disaster recovery are started in that same region. Phoenix deploys the Phoenix AWS Proxy with an AWS CloudFormation template.
Note: Druva recommends that you deploy at least two Phoenix AWS proxies (also referred to as DR proxies) in separate availability zones for high availability. Each DR proxy can run three DR restore jobs concurrently, so three virtual machines can be copied from the Druva Cloud to your AWS account at the same time. DR proxy deployment takes less than 10 minutes.
About the AWS CloudFormation template used to deploy the Phoenix AWS Proxy
You must first select the AWS storage region on the Phoenix Management Console and then create an AWS CloudFormation stack that defines the AWS resources.
Phoenix uses AWS CloudFormation to automate the deployment together with its prerequisites: creating the IAM policy and IAM role, creating the IAM instance profile and the security group, attaching the policy to the proxy, and deploying the proxy by registering and activating it. When the Phoenix AWS Proxy is deployed, the CloudFormation template checks whether an IAM role with the same name already exists. If not, a new IAM role is created automatically and attached to the Phoenix AWS Proxy EC2 instance. Because a pre-existing role of that name is not recreated, confirm before deploying that any such role carries only the policies you expect the proxy to have.
AWS CloudFormation provides a JSON-based template to define all the AWS resources that you need to deploy your infrastructure for disaster recovery, and a stack to create and manage those resources. For more information, see AWS CloudFormation Concepts.
Components deployed as part of CloudFormation template deployment
The following AWS services are deployed in your AWS account during the Phoenix AWS proxy deployment:
- An Amazon EC2 instance (c5.2xlarge recommended) for the Phoenix AWS proxy.
- The following AWS VPC endpoints, configured as part of the proxy deployment:
- Druva Backup Service Endpoint
- Druva Node Service Endpoint
- S3 Endpoint
- SQS Endpoint
- EC2 Endpoint
- CloudFormation Endpoint
About secure communication using AWS PrivateLink
When you deploy the Phoenix AWS Proxy using the CloudFormation stack, Druva deploys VPC endpoints for the required services and a Route 53 private hosted zone for the VPC. This allows secure communication within the AWS network through VPC endpoint services (AWS PrivateLink) without needing an internet gateway.
AWS PrivateLink provides private connectivity between VPCs and services hosted on AWS or on-premises, securely on the Amazon network. By providing a private endpoint to access the services, AWS PrivateLink ensures the traffic is not exposed to the public internet. It also makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.
For more information, see VPC endpoint services (AWS PrivateLink) in the AWS documentation.
The following diagram illustrates the communication flow:
Required knowledge or experience
To deploy the Phoenix AWS proxy, you should have basic knowledge of, or working experience with, networking, AWS Identity and Access Management (IAM), AWS CloudFormation, Amazon EC2 (Elastic Compute Cloud), AWS PrivateLink, and Amazon S3 (Simple Storage Service).
Deploying the Phoenix AWS Proxy
Phoenix AWS Proxy deployment consists of the following steps:
- Step 1: Select an AWS region on the Phoenix Management Console
- Step 2: Create a CloudFormation Stack on the AWS Management Console
- Step 3: View deployed proxy
Before you deploy, note the following:
- You must register the Phoenix AWS proxy in the same region as the server storage region.
- When you delete a stack, AWS does not delete the resources attached to the stack. Ensure that you manually delete the resources left behind in your AWS account. For more information, see AWS KB article.
- All the endpoints require a security group attached to them. Phoenix creates the following security groups:
  - For the DR proxy, Phoenix creates a security group called DruvaSGGroup. This security group has a rule allowing outbound connections on port 443.
  - For all the endpoints created as part of the Phoenix AWS proxy deployment, Phoenix creates a security group called DruvaSGGroupEndpoint. This security group has rules allowing inbound and outbound connections on port 443.
Step 1: Select an AWS region on the Phoenix Management Console
Deploy the Phoenix AWS proxy in the same region where the virtual machines that you intend to configure for disaster recovery are backed up in Phoenix. For example, if the virtual machines are backed up to a storage in Phoenix that is located in the US-East region, deploy the Phoenix AWS proxy in the US-East region.
The backup data from the Druva Cloud S3 bucket can be copied only to an S3 bucket in your account that is in the same region, and the optimum transfer rate is ensured only within the same region.
- Log in to the Phoenix Management Console.
- On the menu bar, click All Organizations, and select the required organization from the drop-down list.
- On the menu bar, click Disaster Recovery.
- In the left pane, click the Phoenix AWS Proxies tab.
- On the Phoenix AWS Proxies page, click Register Phoenix AWS Proxy.
- On the Register Phoenix AWS Proxy page, from the AWS Region drop-down list, select the AWS region where you want to deploy the proxy. For example, us-west-2.
The Activation Token section displays an activation token that is used while creating the CloudFormation Stack.
Note: Phoenix lists the activation token under Manage > Activation Tokens.
- In the AWS CloudFormation Stack section, click Create CloudFormation Stack to register the Phoenix AWS proxy.
If you are already logged in to the AWS Management Console, you are taken to the Quick create stack page. Otherwise, you are taken to the AWS Management Console login page; log in with your credentials to reach the Quick create stack page.
Step 2: Create a CloudFormation Stack on the AWS Management Console
The Quick create stack page on the AWS Management Console uses a proxy deployment template that depends on whether this is your first proxy deployment or a subsequent one. On the Quick create stack page, configure the parameters for the AWS resources defined in the template.
- Verify the stack details and click Next.
  - Template URL: Displays the URL of the Druva deployment template used for your proxy deployment.
  - Stack description: The description of the Druva deployment template used.
  - Stack name: Displays the name generated by Phoenix for your stack.
- Enter the parameters and click Next.
  Phoenix Configuration parameters
  - PhoenixActivationToken: Displays the Phoenix activation token generated for the AWS storage region selected on the Phoenix Management Console. Treat the token as a credential.
  - InstanceCount: Specify the number of proxy instances that you want to launch. You can specify up to 5 instances. The default value is 1.
  Network Configuration parameters
  - VPC: Select a Virtual Private Cloud (VPC) network in the AWS account in which to launch the Phoenix AWS proxies. For more information, see Supported AWS regions.
    Note: Ensure that the DNS hostnames option is enabled for the VPC. For more information, see AWS documentation.
  - Subnet: Select the subnet in your VPC in which to launch the Phoenix AWS proxies.
  Amazon EC2 Configuration parameters
  - InstanceType: Select the instance type for the Phoenix AWS proxy. For more information, see Supported AWS instance types.
    Note: It is recommended to select an instance type with the following configuration: 8 CPUs, 16 GB memory, 3500 Mbps bandwidth, 10,000 IOPS.
  - KeyPair: Select an EC2 key pair to enable SSH access to the proxy instance.
- Optionally, update the stack options and click Next.
- Review the configuration and, in the Capabilities section, select the check boxes acknowledging that AWS CloudFormation might create IAM resources with custom names (CAPABILITY_NAMED_IAM) and might require the CAPABILITY_AUTO_EXPAND capability.
- Click Create stack.
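The same stack can be created without the console, for example from a DR runbook. The following Python is an added example, not Druva's template or tooling: it builds the boto3 create_stack request from the parameter names and the two capability acknowledgements shown on the Quick create stack page, rejects values the page constrains (InstanceCount outside 1 to 5, malformed VPC or subnet IDs), keeps the activation token out of anything you log, and maps the resulting stack status to the next action. The template URL, stack name and activation token come from the Phoenix Management Console and are passed in; the values in the __main__ block are placeholders, and the region passed to create_proxy_stack must be the storage region selected in Step 1.

```python
"""Create the Phoenix AWS proxy CloudFormation stack from code.

Added example, not Druva's template or tooling. Parameter keys and the two
capability acknowledgements are the ones the Quick create stack page shows;
template URL, stack name and activation token are supplied by the caller.
The sample values under __main__ are placeholders.
"""
import copy
import re

CAPABILITIES = ["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]
MAX_INSTANCES = 5                         # the page allows up to 5 proxies per stack
SECRET_PARAMS = {"PhoenixActivationToken"}


def build_create_stack_request(stack_name, template_url, token, vpc_id, subnet_id,
                               key_pair, instance_type="c5.2xlarge", instance_count=1):
    """Return keyword arguments for boto3 cloudformation.create_stack()."""
    if not token:
        raise ValueError("PhoenixActivationToken is required")
    if not 1 <= int(instance_count) <= MAX_INSTANCES:
        raise ValueError(f"InstanceCount must be between 1 and {MAX_INSTANCES}")
    if not re.fullmatch(r"vpc-[0-9a-f]{8,17}", vpc_id):
        raise ValueError("VPC must be an AWS VPC ID (vpc-...)")
    if not re.fullmatch(r"subnet-[0-9a-f]{8,17}", subnet_id):
        raise ValueError("Subnet must be an AWS subnet ID (subnet-...)")
    params = {
        "PhoenixActivationToken": token,
        "InstanceCount": str(instance_count),
        "VPC": vpc_id,
        "Subnet": subnet_id,
        "InstanceType": instance_type,
        "KeyPair": key_pair,
    }
    return {
        "StackName": stack_name,
        "TemplateURL": template_url,
        "Parameters": [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()],
        "Capabilities": list(CAPABILITIES),
    }


def redacted(request):
    """Copy of the request that is safe to log: secret parameters are masked."""
    safe = copy.deepcopy(request)
    for p in safe["Parameters"]:
        if p["ParameterKey"] in SECRET_PARAMS:
            p["ParameterValue"] = "***"
    return safe


def next_action(stack_status):
    """Map a CloudFormation StackStatus to what to do next."""
    if stack_status == "CREATE_COMPLETE":
        return "done"      # the proxy appears on the Phoenix AWS Proxies page
    if stack_status.endswith("_IN_PROGRESS"):
        return "wait"
    return "failed"        # CREATE_FAILED / ROLLBACK_*: read the stack Events, fix, redeploy


def create_proxy_stack(request, region):
    """Submit the stack and block until it settles. Needs boto3 and AWS credentials."""
    import boto3                                   # imported here so validation works offline
    from botocore.exceptions import WaiterError
    cfn = boto3.client("cloudformation", region_name=region)
    cfn.create_stack(**request)
    try:
        cfn.get_waiter("stack_create_complete").wait(StackName=request["StackName"])
    except WaiterError:
        pass                                       # report the terminal status instead
    status = cfn.describe_stacks(StackName=request["StackName"])["Stacks"][0]["StackStatus"]
    return status, next_action(status)


if __name__ == "__main__":
    req = build_create_stack_request(
        stack_name="phoenix-aws-proxy",
        template_url="https://example.invalid/druva-proxy.json",   # placeholder
        token="<activation token from the Phoenix console>",        # placeholder
        vpc_id="vpc-0123456789abcdef0", subnet_id="subnet-0123456789abcdef0",
        key_pair="dr-proxy-key", instance_count=2)
    print(redacted(req))   # never print req itself: it carries the activation token
```

Only build_create_stack_request, redacted and next_action run offline; create_proxy_stack makes the real API calls and requires credentials that are allowed cloudformation:CreateStack plus whatever the template itself creates (IAM roles and instance profiles, security groups, VPC endpoints, EC2 instances).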
Verify the status of stack creation on the Stacks page of the AWS Management Console:
- CREATE_COMPLETE: Phoenix lists the registered Phoenix AWS proxy on the Phoenix AWS Proxies tab of the Phoenix Management Console.
- CREATE_FAILED or ROLLBACK_COMPLETE: the stack did not deploy. Check the Events tab of the stack for the resource that failed and its status reason, delete the failed stack, and create it again.
You can view the deployed AWS resources, such as EC2 instance IDs and security groups, on the Resources tab on the Stacks page.
The following VPC endpoints are deployed. These VPC endpoint services (AWS PrivateLink) are used for secure communication.
- S3 Endpoint: Used for log upload, job resume functionality, and similar operations.
- SQS Endpoint: Used by failover instances to communicate with the Phoenix AWS proxy.
- EC2 Endpoint: Used for operations on EBS volumes and snapshots.
- CloudFormation Endpoint: Used for activation of the Phoenix AWS proxy.
Custom Druva endpoints:
- Druva Backup Service Endpoint: Used for metadata transfer.
- Druva Node Service Endpoint: Used for data transfer.
Note: All the endpoints require an attached security group with inbound port 443 enabled.
A new Route 53 hosted zone is added for the VPC.
Note: The AWS resources deployed as part of the Phoenix AWS proxy deployment are only accessible within your AWS account. None of these resources are accessible publicly.
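The security group rules listed under the deployment notes, the six endpoints above, the DNS hostnames requirement and the statement that nothing is publicly reachable can all be checked from the EC2 API after the stack reaches CREATE_COMPLETE. The following Python is an added example, not Druva's code: it audits dicts in the shape the boto3 EC2 client returns (describe_security_groups, describe_vpc_endpoints, describe_instances and describe_vpc_attribute) against what this page says the stack deploys. The AWS service names it expects are the real ones (com.amazonaws.<region>.s3 and so on); the two Druva endpoints are matched only by the com.amazonaws.vpce.<region>. prefix that customer-run PrivateLink services carry, because the page does not give their service names. The sample data at the bottom is constructed and deliberately includes an SSH rule open to the world, an all-traffic egress rule, a missing SQS endpoint and a proxy that picked up a public IP.

```python
"""Audit the resources a Phoenix AWS proxy stack created.

Added example, not Druva's code. Input dicts are in the shape boto3's EC2
client returns; the expectations come from this page (DruvaSGGroup: egress 443
only; DruvaSGGroupEndpoint: ingress and egress 443 only; VPC endpoints for
S3, SQS, EC2, CloudFormation plus two Druva PrivateLink services; DNS
hostnames enabled; proxies not publicly reachable). Sample data is constructed.
"""

EXPECTED_SG = {   # GroupName -> ports each direction must be limited to
    "DruvaSGGroup": {"ingress": set(), "egress": {443}},
    "DruvaSGGroupEndpoint": {"ingress": {443}, "egress": {443}},
}
AWS_ENDPOINT_SERVICES = ("s3", "sqs", "ec2", "cloudformation")


def _ports(perm):
    """Port set covered by one IpPermission; None means all traffic."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def audit_security_group(sg):
    """Findings for one DescribeSecurityGroups entry."""
    name, findings = sg.get("GroupName"), []
    expected = EXPECTED_SG.get(name)
    if expected is None:
        return [f"{name}: not a Phoenix proxy security group, skipped"]
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        covered = set()
        for perm in sg.get(key, []):
            ports = _ports(perm)
            if ports is None:   # all-traffic rule: too broad, but it does cover 443
                findings.append(f"{name}: {direction} rule allows all ports and protocols")
                covered |= expected[direction]
                continue
            extra = ports - expected[direction]
            if extra:
                findings.append(f"{name}: unexpected {direction} port(s) {sorted(extra)[:5]}")
            if direction == "ingress" and any(
                    r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                findings.append(f"{name}: ingress open to 0.0.0.0/0 on port(s) {sorted(ports)[:5]}")
            covered |= ports & expected[direction]
        missing = expected[direction] - covered
        if missing:
            findings.append(f"{name}: required {direction} port(s) {sorted(missing)} missing")
    return findings


def audit_vpc_endpoints(endpoints, region):
    """Check DescribeVpcEndpoints output for the six endpoints the page lists."""
    available = {e.get("ServiceName", "") for e in endpoints if e.get("State") == "available"}
    findings = [f"missing or unavailable VPC endpoint for {s}"
                for s in AWS_ENDPOINT_SERVICES if f"com.amazonaws.{region}.{s}" not in available]
    # Customer-run PrivateLink services (the Druva Backup and Node services) are named
    # com.amazonaws.vpce.<region>.vpce-svc-...; the page lists two of them.
    druva = [n for n in available if n.startswith(f"com.amazonaws.vpce.{region}.")]
    if len(druva) < 2:
        findings.append(f"expected 2 Druva PrivateLink endpoints, found {len(druva)}")
    return findings


def audit_instances(reservations):
    """Proxies must have no public IP and must carry the instance profile the stack attaches."""
    findings = []
    for inst in (i for r in reservations for i in r.get("Instances", [])):
        if inst.get("PublicIpAddress"):
            findings.append(f"{inst['InstanceId']}: has public IP {inst['PublicIpAddress']}")
        if not inst.get("IamInstanceProfile"):
            findings.append(f"{inst['InstanceId']}: no IAM instance profile attached")
    return findings


def audit_vpc_dns(attr):
    """DescribeVpcAttribute(Attribute='enableDnsHostnames') must report True."""
    if attr.get("EnableDnsHostnames", {}).get("Value"):
        return []
    return ["VPC: DNS hostnames disabled, endpoint names will not resolve"]


def audit_proxy_deployment(security_groups, endpoints, reservations, vpc_attr, region):
    findings = [f for sg in security_groups for f in audit_security_group(sg)]
    return (findings + audit_vpc_endpoints(endpoints, region)
            + audit_instances(reservations) + audit_vpc_dns(vpc_attr))


# Constructed sample: a compliant endpoint group, a proxy group with SSH open to
# the world and an all-traffic egress, no SQS endpoint, one proxy with a public IP.
SAMPLE_SGS = [
    {"GroupName": "DruvaSGGroupEndpoint",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "DruvaSGGroup",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_ENDPOINTS = [{"ServiceName": f"com.amazonaws.us-west-2.{s}", "State": "available"}
                    for s in ("s3", "ec2", "cloudformation")] + [
    {"ServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef0", "State": "available"},
    {"ServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-0fedcba9876543210", "State": "available"}]
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.7",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/sample"}},
    {"InstanceId": "i-0bbb",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/sample"}}]}]
SAMPLE_VPC_ATTR = {"EnableDnsHostnames": {"Value": True}}

if __name__ == "__main__":
    for f in audit_proxy_deployment(SAMPLE_SGS, SAMPLE_ENDPOINTS, SAMPLE_RESERVATIONS,
                                    SAMPLE_VPC_ATTR, "us-west-2"):
        print("FINDING:", f)
```

Against a real deployment, feed the functions the output of the corresponding boto3 calls, for example ec2.describe_security_groups(Filters=[{"Name": "group-name", "Values": ["DruvaSGGroup", "DruvaSGGroupEndpoint"]}])["SecurityGroups"] and ec2.describe_vpc_endpoints(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["VpcEndpoints"]; the instance and VPC IDs to filter on are on the stack's Resources tab. An all-traffic egress rule on DruvaSGGroup is worth fixing even though it still covers 443: the page says the proxy needs only outbound 443 to the endpoints.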
Step 3: View deployed proxy
After the registration completes successfully, the Phoenix AWS proxy appears on the Phoenix AWS Proxies page. From this page, you can also deploy additional Phoenix AWS proxies.
Note: To login to the AWS proxy use "centos" as the username and use the key pair you provided while deploying the AWS proxy.
Deploying a Phoenix AWS Proxy in another availability zone
To deploy another Phoenix AWS proxy in a different availability zone, perform the steps outlined under Deploying the Phoenix AWS proxy. A VPC spans all availability zones in its region, but each subnet belongs to exactly one, so select a subnet in the availability zone in which you want the proxy to run.
Re-deploying a Phoenix AWS proxy
The Phoenix AWS proxy (DR Proxy) is stateless. Stateless means that if you lose the DR proxy instance for any reason, you can always redeploy another DR proxy instance and it can continue functioning like the previous instance. Any available DR proxy can handle DR jobs for VMs. The DR jobs aren't tied to specific DR proxies.
To re-deploy a Phoenix AWS proxy, perform the steps outlined under Deploying the Phoenix AWS proxy. The Phoenix AWS CloudFormation template takes less than 10 minutes to deploy.
Verify the health of the Phoenix AWS proxy
To check the health of the Phoenix AWS proxy, perform the following tasks:
- Log in to the Phoenix Management Console.
- Click the dropdown next to All Organizations, and select the organization that has your Phoenix AWS proxies.
- In the menu bar, click Disaster Recovery.
- In the navigation pane on the left, click Phoenix AWS Proxies.
- On the Phoenix AWS Proxies page, check the Connection Status column:
  - A green tick means your Phoenix AWS proxy is connected to the Druva Cloud.
  - A red cross means your Phoenix AWS proxy is not connected to the Druva Cloud. To re-establish the connection:
    - Ensure that the Phoenix AWS proxy EC2 instance is up and running.
    - Confirm that the VPC endpoints created by the stack are still present and that the DruvaSGGroup security group still allows outbound connections on port 443; the proxy reaches the Druva Cloud only through these endpoints.
    - If you cannot get the Phoenix AWS proxy EC2 instance to start, deploy another Phoenix AWS proxy. The deployment should complete in less than ten minutes. For further assistance, contact Support.