Prerequisites for Elastio Deployment
Elastio is deployed in two steps: deploying the Elastio CloudFormation stack and deploying the Cloud Connector. Before starting the deployment, make sure that all the required permissions are enabled in your AWS account and that the VPC configuration is set up.
To deploy the Elastio CloudFormation stack, a user with the following policies attached is needed:
- AWSLambda_FullAccess
If the current user lacks any of the permissions, the Elastio CloudFormation deployment might fail, so we recommend extending the permissions or creating a dedicated user to deploy the CFN. The flow of adding a new user and enabling the required permissions is described below:
- Navigate to the Identity and Access Management (IAM) console of your AWS account and press the “Add users” button.
Figure 1: Add users
- Enter a user name and select password as the AWS credential type.
Figure 2: Add users’ credentials
- Press the “Next: Permissions” button. A newly opened page will allow you to set permissions. Select “Attach existing policies directly” and choose the following permissions from the drop-down list:
Figure 3: Setting permissions
- Review the user details and press the “Create user” button.
Figure 4: Create user
- A “Success” notification will be displayed.
Figure 5: Success notification
Note: The added user is required for the CFN deployment and updates only and can be deleted after the completion of the process.
To deploy the Cloud Connector, select the VPC(s) you want to deploy it to. When choosing the VPC(s), note that different configurations may affect the process of deployment. Below you will find possible configurations to be used when deploying the Cloud Connector.
- If the default VPC is used, then it should have a public subnet in every Availability Zone. Such a configuration will work fine. If the default VPC is modified so that it no longer consists entirely of public subnets with access to the Internet, backup operations with Elastio will fail.
Note: If any other VPC is used, modification and/or deletion of the public VPC won’t affect the Elastio backups.
Public subnets with an IGW require “auto-assign public IPv4 address”.
Private subnets with a NAT gateway don’t require “auto-assign public IPv4 address”. (The instructions on how to configure a private subnet with a NAT gateway are here).
Whether to use a public subnet with an IGW or a private subnet with a NAT depends on whether the vault needs to be accessed from outside of the VPC, such as from a development workstation, a CI/CD pipeline, an on-prem server, etc.
Deploying the vault entirely in public subnets makes the vault accessible over the Internet, so backups, restores and mounts can be performed from outside of AWS (either from other clouds or from on-prem workstations). This is the most flexible configuration, but it might not be permitted depending upon each organization’s security policies.
If the vault is deployed in private subnets, it can be accessed only from within the private subnets. Performing backups and mounts from systems outside of the subnets will be possible only after setting up a VPN tunnel into the VPC with a network path from the VPN tunnel to the private subnets where the vault is running.
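The subnet rules above can be checked before deploying the Cloud Connector. The following pre-flight check is an added example, not Elastio's own tooling: it classifies each subnet by its default route and reports layouts that break the rules stated on this page. The function names and all sample IDs are assumptions; the sample data is constructed in the shape of `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` JSON output.

```python
# Added example: constructed data shaped like `aws ec2 describe-subnets` and
# `aws ec2 describe-route-tables` output; every ID below is made up.
SUBNETS = [
    {"SubnetId": "subnet-aaa", "VpcId": "vpc-1", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-bbb", "VpcId": "vpc-1", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-ccc", "VpcId": "vpc-1", "AvailabilityZone": "us-east-1c", "MapPublicIpOnLaunch": False},
]
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-111"}]},
    {"RouteTableId": "rtb-nat", "VpcId": "vpc-1", "Associations": [{"Main": False, "SubnetId": "subnet-ccc"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-222"}]},
]

def default_route_target(subnet, route_tables):
    """Return 'igw', 'nat' or None for the subnet's 0.0.0.0/0 route."""
    explicit = main = None
    for rt in (t for t in route_tables if t["VpcId"] == subnet["VpcId"]):
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                explicit = rt
            elif assoc.get("Main"):
                main = rt
    table = explicit or main or {}  # no explicit association: the VPC's main table applies
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if route.get("GatewayId", "").startswith("igw-"):
                return "igw"
            if route.get("NatGatewayId"):
                return "nat"
    return None

def check_vpc(subnets, route_tables, azs, is_default_vpc):
    """Return a list of findings; an empty list means the layout matches the page's rules."""
    findings, public_azs = [], set()
    for s in subnets:
        target = default_route_target(s, route_tables)
        if target == "igw":
            public_azs.add(s["AvailabilityZone"])
            if not s.get("MapPublicIpOnLaunch"):
                findings.append(f"{s['SubnetId']}: public subnet without auto-assign public IPv4")
        elif is_default_vpc:  # the default VPC must consist entirely of public subnets
            findings.append(f"{s['SubnetId']}: default VPC subnet is not public")
        elif target is None:  # matches neither configuration described on this page
            findings.append(f"{s['SubnetId']}: neither IGW nor NAT default route")
    if is_default_vpc:
        findings += [f"{az}: no public subnet in this AZ" for az in sorted(set(azs) - public_azs)]
    return findings
```

To run it against a real account, replace the constructed lists with the `Subnets` and `RouteTables` arrays from the two CLI commands and pass the region's Availability Zone names as `azs`.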