Configure backup for multi-account access in AWS
Contributors
Cloud Backup enables you to create backup files in an AWS account that is different than where your source Cloud Volumes ONTAP volumes reside. And both of those accounts can be different than the account where the Cloud Manager Connector resides.
These steps are required only when you are backing up Cloud Volumes ONTAP data to Amazon S3.
Follow the steps below to set up your configuration in this manner.
Set up VPC peering between accounts
-
Log in to second account and Create Peering Connection:
-
Select a local VPC: Select the VPC of the second account.
-
Select another VPC: Enter the account ID of the first account.
-
Select the Region where the Cloud Manager Connector is running. In this test setup both accounts are running in same region.
-
VPC ID: Log into first account and enter the acceptor VPC ID. This is the VPC ID of the Cloud Manager Connector.
A Success dialog displays.
The status of the peering connection shows as Pending Acceptance.
-
-
Log into the first account and accept the peering request:
-
Click Yes.
The connection now shows as Active. We have also added a Name tag to identify the peering connection called
cbs-multi-account
. -
Refresh the peering connection in the second account and notice that the status changes to Active.
-
Add a route to the route tables in both accounts
-
Go to VPC > Subnet > Route table.
-
Click on the Routes tab.
-
Click Edit routes.
-
Click Add route, and from the Target drop-down list select Peering Connection, and then select the peering connection that you created.
-
In the Destination, enter the other account’s subnet CIDR.
-
Click Save routes and a Success dialog displays.
-
Add the second AWS account credentials in Cloud Manager
-
Add the second AWS account, for example, Saran-XCP-Dev.
-
In the Discover Cloud Volumes ONTAP page, select the newly added credentials.
-
Select the Cloud Volumes ONTAP system you want to discover from second account. You can also deploy a new Cloud Volumes ONTAP system in the second account.
The Cloud Volumes ONTAP system from the second account is now added to Cloud Manager which is running in a different account.
Enable backup in the other AWS account
-
In Cloud Manager, enable backup for the Cloud Volumes ONTAP system running in the first account, but select the second account as the location for creating the backup files.
-
Then select a backup policy and the volumes you want to back up, and Cloud Backup attempts to create a new bucket in the selected account.
However, adding the bucket to the Cloud Volumes ONTAP system will fail because Cloud Backup uses the instance profile to add the bucket and the Cloud Manager instance profile doesn’t have access to the resources in the second account.
-
Get the working environment ID for the Cloud Volumes ONTAP system.
Cloud Backup creates every bucket with the prefix
Netapp-backup-
and will include the working environment ID; for example:87ULeA10
-
In the EC2 portal, go to S3 and search for the bucket with name ending with
87uLeA10
and you’ll see the bucket name displayed asNetapp-backup-vsa87uLeA10
. -
Click on the bucket, then click the Permissions tab, and then click Edit in the Bucket policy section.
-
Add a bucket policy for the newly created bucket to provide access to the Cloud Manager’s AWS account, and then Save the changes.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "PublicRead", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::464262061435:root" }, "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::netapp-backup-vsa87uleai0", "arn:aws:s3:::netapp-backup-vsa87uleai0/*" ] } ] }
Note that "AWS": "arn:aws:iam::464262061435:root" gives complete access this bucket for all resources in account 464262061435. If you want to reduce it to specific role, level, you can update the policy with specific role(s). If you are adding individual roles, ensure that occm role also added, otherwise backups will not get updated in the Cloud Backup UI.
For example: "AWS": "arn:aws:iam::464262061435:role/cvo-instance-profile-version10-d8e-IamInstanceRole-IKJPJ1HC2E7R"
-
Retry enabling Cloud Backup on the Cloud Volumes ONTAP system and this time it should be successful.