Elastio deployment prerequisites
Table of Contents
- Permissions for deploying the Elastio CloudFormation stack
- How to add a new user
- The principle of least-privilege used for operating the Elastio service
- Elastio service AWS resources
- VPC configurations for Cloud Connector deployment
The process of deploying Elastio is performed in two steps: deploying the Elastio CloudFormation stack and deploying the Cloud Connector. Before starting the deploy, make sure that you have all the required permissions enabled in your AWS account, as well as VPC configurations set up.
To deploy the Elastio CloudFormation stack, certain permissions are required to create the resources necessary for the Elastio service. These permissions are not used to operate the service, they are used only for the deployment of the service.
- Why do I need to deploy this CloudFormation template?
- Why do I need to grant CAPABILITY_NAMED_IAM when deploying Elastio’s CloudFormation template?
- What kind of access to my AWS account does Elastio require?
- How can I audit Elastio’s activity in my account?
- What are the specific Elastio IAM Policies that we use?
- What are the Elastio resources created by the Elastio CFN?
To deploy, a user with the following policies attached is needed:
In case the current user lacks any of the permissions, the Elastio CloudFormation deploy might fail, so we recommend extending the permissions or creating a dedicated user to deploy the CFN. The flow of adding a new user and enabling the required permissions is described in the How to add a new user section of this page.
The flow of adding a new user and enabling the required permissions is described below:
- Navigate to the Identity and Access Management (IAM) console of your AWS account and press the “Add users” button.
Figure 1: Add users
- Add a user’s name and select password as AWS credential type.
Figure 2: Add users’ credentials
- Press the “Next: Permissions” button. A newly opened page will allow you to set permissions. Select “Attach existing policies directly” and choose the following permissions from the drop-down list:
Figure 3: Setting permissions
- Review the user details and press the “Create user” button.
Figure 4: Create user
- A “Success” notification will be displayed.
Figure 5: Success notification
Note: The added user is required for the CFN deployment and updates only and can be deleted after the completion of the process.
The permissions required to operate the service follow the principle of least privilege for all resources; these permissions are described here.
Elastio uses AWS resources to implement its service. All resources are described here.
To deploy the Cloud Connector, select the VPC(s) you want to deploy it to. When choosing the VPC(s), note that different configurations may affect the process of deployment. Below you will find possible configurations to be used when deploying the Cloud Connector.
- If the default VPC is used, it should have a public subnet in every Availability Zone. Such a configuration will work. If the default VPC has been modified so that it no longer consists entirely of public subnets with access to the Internet, backup operations with Elastio will fail.
Note: In case any other VPC is used, the modifications and/or deletion of the public VPC won’t affect the Elastio backups.
Public subnets with an IGW require “auto-assign public IPv4 address”.
Private subnets with a NAT gateway don’t require “auto-assign public IPv4 address”. (The instructions on how to configure a private subnet with a NAT gateway are here).
Using a public subnet with an IGW or a private subnet with a NAT depends on the need to access the vault from outside of the VPC, such as from a development workstation, a CI/CD pipeline, an on-prem server, etc.
Deploying the vault entirely in public subnets will make the vault accessible over the Internet, so backups, restores and mounts from outside of AWS (either from other clouds or from on-prem workstations) become possible. This is the most flexible configuration, but it might not be permitted under each organization’s security policies.
If the vault is deployed in private subnets, it will be accessed only from within the private subnets. Performing backups and mounts from systems outside of the subnets will be possible only after setting up a VPN tunnel into the VPC with a network path from the VPN tunnel to the private subnets, where the vault is running.
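The following script is an added example, not part of the Elastio documentation or product, that checks a VPC’s subnets against the rules described in this section before deploying the Cloud Connector: a subnet whose default route points at an Internet gateway must have “auto-assign public IPv4 address” enabled, a private subnet needs a default route to a NAT gateway, and, for the default-VPC case, every Availability Zone should contain a usable public subnet. The input dictionaries mirror the shape of the EC2 DescribeSubnets and DescribeRouteTables responses, but the subnet, route table, IGW and NAT gateway identifiers below are constructed sample data, not values from any real account.

```python
"""Audit a VPC's subnets against the Cloud Connector networking prerequisites.

Classifies each subnet as public (0.0.0.0/0 -> igw-*), private
(0.0.0.0/0 -> nat-*) or isolated (no default route), then reports the
misconfigurations that would make Elastio backups fail.
"""

# Constructed sample in the shape of a DescribeSubnets response (not real data).
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a",
     "MapPublicIpOnLaunch": True},              # public, correctly configured
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b",
     "MapPublicIpOnLaunch": False},             # public route, but no auto-assign IPv4
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a",
     "MapPublicIpOnLaunch": False},             # private subnet behind a NAT gateway
    {"SubnetId": "subnet-iso-c", "AvailabilityZone": "us-east-1c",
     "MapPublicIpOnLaunch": False},             # falls back to the main table: no default route
]

# Constructed sample in the shape of a DescribeRouteTables response (not real data).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456"}]},
]


def route_table_for(subnet_id, route_tables):
    """Return the route table explicitly associated with the subnet, or the
    VPC's main route table when the subnet has no explicit association."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def classify_subnet(subnet, route_tables):
    """'public' if the default route targets an Internet gateway, 'private' if
    it targets a NAT gateway, otherwise 'isolated'."""
    rtb = route_table_for(subnet["SubnetId"], route_tables)
    for route in (rtb or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"


def audit_vpc(subnets, route_tables, require_public_in_every_az=False):
    """Return (classification per subnet id, list of human-readable findings).

    Set require_public_in_every_az=True when auditing the default VPC, which
    the documentation expects to have a public subnet in every AZ."""
    kinds = {s["SubnetId"]: classify_subnet(s, route_tables) for s in subnets}
    findings = []
    azs_with_usable_public = set()
    for s in subnets:
        kind = kinds[s["SubnetId"]]
        if kind == "public":
            if not s.get("MapPublicIpOnLaunch"):
                findings.append(f"{s['SubnetId']}: public subnet (IGW route) without "
                                "auto-assign public IPv4 address")
            else:
                azs_with_usable_public.add(s["AvailabilityZone"])
        elif kind == "isolated":
            findings.append(f"{s['SubnetId']}: no default route to an IGW or NAT gateway; "
                            "the Cloud Connector cannot reach the Internet from here")
    if require_public_in_every_az:
        for az in sorted({s["AvailabilityZone"] for s in subnets}):
            if az not in azs_with_usable_public:
                findings.append(f"{az}: no usable public subnet in this Availability Zone")
    return kinds, findings


if __name__ == "__main__":
    kinds, findings = audit_vpc(SUBNETS, ROUTE_TABLES, require_public_in_every_az=True)
    for subnet_id, kind in kinds.items():
        print(f"{subnet_id}: {kind}")
    for finding in findings:
        print("FINDING:", finding)
```

In a real account the two input lists would come from `describe-subnets` and `describe-route-tables` filtered by the VPC you intend to deploy into; the classification deliberately falls back to the main route table for subnets with no explicit association, since that is the case that most often hides an “isolated” subnet.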