Skip to main content


 

 

druva_logo.pngDruva
|
Documentation

How can we help you?

Trending articles:

 

Druva Documentation

Failing over in a VPC with no internet connectivity

  1. Last updated
  2. Save as PDF
Heads up!

We've transitioned to a new documentation portal to serve you better. Access the latest content by clicking here.

Enterprise Workloads Editions
❌ Business| ✅ Enterprise (Purchase Separately) | ✅ Elite

 

Overview

Consider a scenario where your AWS account has two VPCs. The first VPC has the Druva AWS proxy. This VPC has access to the Amazon services via the AWS PrivateLink. The second VPC does not have access to the internet. You want to failover the VMs to this second VPC which is our destination VPC. The following article describes how to failover VMs in the second VPC with no internet connectivity and a private subnet.

Connectivity between two VPCs.png

For failovers, Disaster Recovery needs the destination VPC to have access to three Amazon services - Amazon EC2, Amazon SQS, and Amazon S3. The destination VPC can access these services if the subnet in the destination VPC has an Internet Gateway (IGW). If the subnet in the destination VPC does not have an Internet Gateway (IGW) and is a private VPC, Druva needs to create VPC endpoints to access these services.

Determine if the subnet has an Internet Gateway (IGW)

  1. Login to AWS Management Console.
  2. Search for and go to the VPC service.
  3. In the left pane, under Virtual Private Cloud, click Subnets.
  4. From the list of subnets, select the subnet that you want to use for the failover.
  5. With the subnet selected, click the Route table tab in the pane below Subnets.

    subnet has IGW.png

    If the Route table has 0.0.0.0/0 under Destination and igw-<ID> in the Target column, then the selected subnet has an attached Internet Gateway (IGW). Since it has an IGW, it can connect to the three Amazon services (EC2, SQS, and S3). If the Route table does not have this entry, then it is a private subnet with no IGW.

Create VPC endpoints in a private subnet without an IGW

If the destination VPC does not have internet access, then we need to create VPC endpoints so that the failover instance can access the three AWS services.

Delete these endpoints once the failover is successful since the VPC endpoints are chargeable.

 Prerequisite

Before creating VPC endpoints in the destination VPC, ensure that support for DNS hostnames and DNS resolution is Enabled.

DNS hostname and resolution enabled.png

Creating endpoints involves four steps:

  1. Creating a security group that would be attached to three endpoints
  2. Creating an SQS endpoint
  3. Creating an EC2 endpoint
  4. Creating an S3 endpoint
Step 1: Create a security group
  1. Login to AWS Management Console.
  2. Search for and go to the EC2 service.
  3. In the EC2 Dashboard, click Security Groups under Network & Security.
  4. In the Security Groups page, click Create security group on the right. Enter the following details:
    1. Basic details
      1. Security group name: Enter a name for the security group. 
      2. Description: Enter a description that will help identify the security group.
      3. VPC: Select the failover VPC in which you want to create this security group.
    2. Inbound rules
      1. Click Add Rule, and then enter:
        • Type: HTTPS
        • Protocol: TCP
        • Port range: 443
        • Source: Custom  0.0.0.0/0
      2. Add a Tag if required.

  5. Click Create security group.

  1. Login to AWS Management Console.
  2. Search for and go to the VPC service.
  3. In the left pane, under Virtual Private Cloud, click Endpoints.
  4. In the right pane, click Create Endpoint.
  5. In the Create Endpoint dialog box, perform the following tasks:
    1. In the Service category field ensure that AWS services are selected.
    2. In the Service Name field, in the search bar, type sqs and press enter. From the search results, select com.amazonaws.us-east-1.sqs
    3. In the VPC dropdown, select the VPC where you will be failing over. 
    4. Select the subnets.
    5. Ensure that Enable DNS name is enabled for the endpoint.
    6. Select the Security group that you created in Step 1 above. 
    7. In the Policy field, retain the default setting of Full Access.

  6. Click Create endpoint.

  1. Login to AWS Management Console.
  2. Search for and go to the VPC service.
  3. In the left pane, under Virtual Private Cloud, click Endpoints.
  4. In the right pane, click Create Endpoint.
  5. In the Create Endpoint dialog box, perform the following tasks:
    1. In the Service category field ensure that AWS services are selected.
    2. In the Service Name field, in the search bar, type ec2 and press enter. From the search results, select com.amazonaws.us-east-1.ec2.
    3. In the VPC dropdown, select the VPC where you will be failing over. 
    4. Select the subnets.
    5. Ensure that Enable DNS name is enabled for the endpoint.
    6. Select the Security group that you created in Step 1 above. 
    7. In the Policy field, retain the default setting of Full Access.
  6. Click Create endpoint.
Step 4: Create an S3 endpoint
  1. Login to AWS Management Console.
  2. Search for and go to the VPC service.
  3. In the left pane, under Virtual Private Cloud, click Endpoints.
  4. In the right pane, click Create Endpoint.
  5. In the Create Endpoint dialog box, perform the following tasks:
    1. In the Service category field ensure that AWS services are selected.
    2. In the Service Name field, in the search bar, type s3 and press enter. From the search results, select com.amazonaws.us-east-1.s3 where the Type is Gateway.
    3. In the VPC dropdown, select the VPC where you will be failing over.
    4. In the Configure route tables section, select the same route table that was associated with the subnet.
    5. In the Policy field, retain the default setting of Full Access.
  6. Click Create endpoint.

Once the S3 endpoint is created, select the endpoint, and in the Route Tables tab in the pane below, click Manage Route Tables. Add a route with destination pl-63a5400a and target Gateway LoadBalancer endpoint. 

Note: The destination pl-63a5400a is region specific and applies to the us-east-1 region. 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    This page has no tags.