Deployment Stacks
The Elastio service deployment process involves two stages: deploying an account-level Elastio CloudFormation stack and a regional Elastio Cloud Connector Stack.
Account level CloudFormation Stack
The account-level CloudFormation stack provides access from the Elastio Tenant to your AWS account, and creates the ElastioInstaller and ElastioTenant roles, which are necessary for installation, updates, and communication between the Elastio Cloud Connector and the Elastio Tenant.
During the deployment, Elastio creates various account-level resources within your AWS account to set up the ScaleZ vault service. Elastio also creates the following IAM policies for the convenience of its customers:
- ElastioAgentlessBackupAndRestore
- ElastioBackupAdmin
- ElastioFullAdmin
- ElastioJobsAdmin
- ElastioLocalBackup
- ElastioMountAndRestore
These policies can be attached to customer-created IAM roles, users, or groups to grant the minimal permissions required to perform certain Elastio operations.
See example CloudFormation stack here.
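Because these policies can be attached to any role, user, or group, it is worth reviewing periodically who holds them. The following is an added example, not Elastio's code: it lists the principals attached to each policy through the boto3 IAM client and flags two things for review. It assumes the policies are customer managed under exactly the names listed above, and it treats ElastioFullAdmin as the broadest grant based on its name only; the principal names in the sample are constructed.

```python
# Added example: audit which IAM principals hold the Elastio policies.
ELASTIO_POLICIES = {  # policy names exactly as listed on this page
    "ElastioAgentlessBackupAndRestore", "ElastioBackupAdmin", "ElastioFullAdmin",
    "ElastioJobsAdmin", "ElastioLocalBackup", "ElastioMountAndRestore",
}
BROAD = "ElastioFullAdmin"  # assumption from the name only: the widest grant

def entities(iam, arn):
    """All principals a managed policy is attached to, as (kind, name) pairs."""
    found = []
    for page in iam.get_paginator("list_entities_for_policy").paginate(PolicyArn=arn):
        found += [("group", g["GroupName"]) for g in page["PolicyGroups"]]
        found += [("user", u["UserName"]) for u in page["PolicyUsers"]]
        found += [("role", r["RoleName"]) for r in page["PolicyRoles"]]
    return found

def collect(iam):
    """Live collection with a boto3 IAM client, e.g. collect(boto3.client("iam")).
    Assumes the policies are customer managed (Scope="Local") under these names."""
    out = {}
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for pol in page["Policies"]:
            if pol["PolicyName"] in ELASTIO_POLICIES:
                out[pol["PolicyName"]] = entities(iam, pol["Arn"])
    return out

def review(attachments):
    """Turn {policy: [(kind, name), ...]} into sorted (kind, name, finding) rows."""
    held = {}
    for policy, principals in attachments.items():
        for principal in principals:
            held.setdefault(principal, set()).add(policy)
    rows = []
    for (kind, name), policies in sorted(held.items()):
        if BROAD in policies:
            rows.append((kind, name, "full-admin"))   # justify or narrow the grant
        if kind == "user":
            rows.append((kind, name, "direct-user"))  # prefer a role or group
    return rows

# Constructed sample in the shape collect() returns; principal names are made up.
SAMPLE = {
    "ElastioFullAdmin": [("role", "backup-ops"), ("user", "alice")],
    "ElastioJobsAdmin": [("role", "backup-ops"), ("group", "sre")],
    "ElastioMountAndRestore": [("role", "restore-runner")],
}

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(*row, sep="\t")
```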
Regional CloudConnector Stack
The Cloud Connector is a component of Elastio’s platform that provides the infrastructure for performing Elastio operations. It communicates with your Elastio tenant, manages backup and restore operations, scans recovery points for security threats, monitors job progress, and secures backups. The service is deployed in your AWS account and the data never leaves your control.
It uses a lightweight command-and-control channel between the SaaS tenant and customer AWS accounts, built on AWS SQS queues and Lambda functions. The service requires access to specific AWS APIs but this can be accomplished via PrivateLink if the VPC is isolated from the internet.
The Cloud Connector is deployed in the specified region and a vault is also deployed in your AWS account within a selected VPC and subnet. Currently, Elastio supports the regions listed below. Additional regions will be added based on customer requests.
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- eu-west-1
- eu-west-2
- eu-west-3
- eu-central-1
- ap-south-1
- ap-southeast-1
- ap-southeast-2
- ca-central-1
AWS resources such as an S3 bucket, AWS Batch, DynamoDB tables, ECS clusters, and KMS keys are required for vault creation.
The Cloud Connector allows for the deployment of one or multiple vaults, providing logical isolation of backed up data with an isolated deduplicated namespace for each vault. Note that currently, the maximum number of vaults allowed per region is 4. The infrastructure of the Cloud Connector includes the following services:
- Catalog, which manages recovery point storage and DynamoDB tables.
- Provisioner, which initiates creation of the ScaleZ server and ECS tasks.
- Job status, which monitors the progress of jobs.
- Background jobs, which initiates background jobs for backup, restore, and integrity scan operations using AWS Batch.
- Integrity Checks, which generates reports related to technical issues in your AWS account.
- Inventory, which sends messages about changes in the state of AWS EC2, AWS EBS, and AWS snapshot assets using AWS EventBridge.
The Cloud Connector uses AWS Lambda functions to implement the application logic and DynamoDB tables to store data related to vaults, recovery points, and information about protected assets. A KMS key is used for encryption and access to the S3 bucket where protected data is stored. See the Security and compliance section for more details.
Elastio Service Costs
The Elastio service has a low cost of operation, with a minimum cost of $3 per month for zero activity. The cost of using Elastio is generally 50-80% lower than using EBS snapshots or AWS backups, and it varies depending on factors such as retention period, change rates, and deduplication rates.
For example, longer retention periods provide more savings over native snapshots when using Elastio. Highly compressed image data will produce lower global deduplication rates than unstructured data. High change rates will also result in higher savings rates over native snapshots.