Appranix Cloud Application Resilience Service for AWS Cloud

Advanced Cloud Resources Protection and Cross-Region Recovery for Entire Cloud Application Environments

Prerequisites

Appranix can onboard customer AWS accounts using two different methods.

Using Cross-account IAM Role Method

Appranix follows AWS’s well-architected framework to onboard your AWS accounts securely and quickly. Cross-account IAM roles allow you to securely grant access to your AWS account resources to Appranix while retaining the ability to control and audit who is accessing your AWS account.

For more information on IAM role-based access, refer to the official AWS documentation:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html

https://aws.amazon.com/blogs/apn/securely-accessing-customer-aws-accounts-with-cross-account-iam-roles/

Appranix further simplifies cross-account IAM role access with an auto-generated CloudFormation template, specific to your AWS account. Using this mechanism, it is straightforward to generate an AWS Role ARN that grants Appranix access to discover your cloud resources.

Connect AWS Account With Appranix

Using AWS Access Key Method

You can also onboard your AWS accounts using IAM Access Keys. To generate the AWS credentials required by Appranix, you need to create at least one AWS Identity and Access Management (IAM) user and assign the proper permission policy to this user. You will then obtain an AWS Access Key ID and a Secret Access Key for the AWS account; these are the credentials to enter into the Appranix User Console for discovering all the account's cloud resources.

Apply the IAM policies shown below in the AWS primary and recovery regions:

  • IAM policy JSON details for discovering and managing Primary Region Resources
  • IAM policy JSON details for recovering resources in the Primary Region and Secondary Recovery Regions
  • IAM policy JSON details for managing encrypted EBS volumes using AWS Key Management System (KMS)
  • IAM policy JSON details for managing RDS Primary Region Protection, Primary Region Recovery and RDS Other Region Recovery

Note: Appranix doesn’t copy any customer Keys. All the keys are managed via AWS’s built-in Key Management System (KMS). You can configure a set of keys for your primary region and a separate set of keys for the recovery region as well.

IAM policy JSON details for the Primary Region Protection
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppranixPrimaryRegionEc2AndElbReadAndSnapshotWriteAccess",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:CopySnapshot",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "rds:CreateDBSnapshot",
                "rds:ModifyDBSnapshot",
                "rds:AddTagsToResource",
                "rds:RemoveTagsFromResource",
                "rds:DeleteDBSnapshot",
                "rds:CopyDBSnapshot",
                "elasticloadbalancing:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your primary region"
                }
            }
        },
        {
            "Sid": "KmsCreateGrantAccess",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
IAM policy JSON details for the Second Region Recovery
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OtherRegionRecovery",
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "cloudformation:*",
                "elasticloadbalancing:*",
                "rds:*"
              ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your recovery region"
                }
            }
        }
    ]
}
IAM policy JSON details for handling encrypted EBS volumes using KMS
{
    "Id": "kms-describe-and-create-grant-policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateGrant",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "AllowUseofTheKey",
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases",
                "kms:DescribeKey*",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        }
    ]
}
IAM policy JSON details for the Same Region Recovery
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrimaryRegionRecovery",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:TerminateInstances",
                "ec2:RegisterImage",
                "ec2:DeregisterImage",
                "rds:CreateDBInstance",
                "rds:AddTagsToResource",
                "rds:AddRoleToDBInstance",
                "rds:CreateDBInstanceReadReplica",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:CreateDBSecurityGroup",
                "rds:CreateOptionGroup",
                "rds:RestoreDBInstanceFromDBSnapshot",
                "rds:StartDBInstance",
                "rds:StopDBInstance",
                "rds:RebootDBInstance",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup",
                "rds:ModifyOptionGroup",
                "rds:DeleteDBInstance",
                "rds:RemoveRoleFromDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSecurityGroup",
                "rds:DeleteDBSubnetGroup",
                "rds:ResetDBParameterGroup",
                "cloudformation:*"
              ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your primary region"
                }
            }
        }
    ]
}
IAM policy JSON details for the Route-53 DNS
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid" : "AllowHostedZoneListPermissions",
         "Effect": "Allow",
         "Action": [
            "route53:GetHostedZone",
            "route53:ListHostedZones",
            "route53:GetHostedZoneCount",
            "route53:ListHostedZonesByName"
         ],
         "Resource": "*"
      },
      {
         "Sid" : "AllowHostedZoneRecoredSetUpdatePermissions",
         "Effect": "Allow",
         "Action": [
            "route53:ChangeResourceRecordSets",
            "route53:ListResourceRecordSets"
         ],
         "Resource": [
            "arn:aws:route53:::hostedzone/Replace your hosted zone id"
         ]
      }
   ]
}
IAM policy JSON details for RDS Primary Region Protection
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RdsPrimaryRegionReadAndSnapshotWriteAccess",
            "Effect": "Allow",
            "Action": [
                "rds:Describe*",
                "rds:ListTagsForResource",
                "rds:CreateDBSnapshot",
                "rds:ModifyDBSnapshot",
                "rds:AddTagsToResource",
                "rds:RemoveTagsFromResource",
                "rds:DeleteDBSnapshot",
                "rds:CopyDBSnapshot",
                "ec2:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your primary region"
                }
            }
        }
    ]
}
IAM policy JSON details for RDS Primary Region Recovery
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RdsPrimaryRegionRecovery",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "rds:CreateDBInstance",
                "rds:AddTagsToResource",
                "rds:AddRoleToDBInstance",
                "rds:CreateDBInstanceReadReplica",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:CreateDBSecurityGroup",
                "rds:CreateOptionGroup",
                "rds:RestoreDBInstanceFromDBSnapshot",
                "rds:StartDBInstance",
                "rds:StopDBInstance",
                "rds:RebootDBInstance",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup",
                "rds:ModifyOptionGroup",
                "rds:DeleteDBInstance",
                "rds:RemoveRoleFromDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSecurityGroup",
                "rds:DeleteDBSubnetGroup",
                "rds:ResetDBParameterGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your primary region"
                }
            }
        }
    ]
}
IAM policy JSON details for RDS Other Region Recovery
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RdsWriteAndVpcWrite",
            "Effect": "Allow",
            "Action": [
                "rds:*",
                "cloudformation:*",
                "ec2:Describe*",
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:CreateDhcpOptions",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:CreateNetworkAcl",
                "ec2:CreateNetworkAclEntry",
                "ec2:CreateInternetGateway",
                "ec2:CreateRouteTable",
                "ec2:CreateRoute",
                "ec2:CreateTags",
                "ec2:ReplaceRoute",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:ReplaceNetworkAclEntry",
                "ec2:DeleteVpc",
                "ec2:DeleteSubnet",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteTags",
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:AttachInternetGateway",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AssociateRouteTable",
                "ec2:DisassociateVpcCidrBlock",
                "ec2:AssociateDhcpOptions",
                "ec2:DetachNetworkInterface",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateRouteTable",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AttachNetworkInterface"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your recovery region"
                }
            }
        },
        {
            "Sid": "VpcAttributeDelete",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteRoute",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteRouteTable"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:route-table/*",
                "arn:aws:ec2:*:*:dhcp-options/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:internet-gateway/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your recovery region"
                }
            }
        }
    ]
}
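
Before attaching any of the policies above to the IAM user, it is worth checking them mechanically: that the JSON parses, that every "Replace your ..." placeholder has been substituted, that each Allow statement is pinned to the intended region through aws:RequestedRegion, and which statements grant service-wide wildcards such as "ec2:*". The following Python check is an added example, not Appranix's own tooling; the embedded sample is a constructed copy of the Second Region Recovery policy with its placeholder deliberately left in place. Statements that are global by design (the KMS and Route 53 policies on this page carry no region condition) will show up as findings and simply need a reviewer's confirmation.

```python
import json
import re

# Constructed sample: the page's "Second Region Recovery" policy with the
# region placeholder still unreplaced, so the check should flag it.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OtherRegionRecovery",
        "Effect": "Allow",
        "Action": ["ec2:*", "cloudformation:*",
                   "elasticloadbalancing:*", "rds:*"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:RequestedRegion": "Replace your recovery region"}},
    }],
})

# Shape of a real AWS region name, e.g. us-west-2 or ap-southeast-1.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_text, allowed_regions):
    """Return a list of human-readable findings for one IAM policy document.

    allowed_regions: the set of regions you configured in Appranix
    (primary plus recovery). Findings are review items, not hard errors.
    """
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:          # e.g. a missing comma
        return [f"invalid JSON: {exc}"]
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        region = stmt.get("Condition", {}).get("StringEquals", {}) \
                     .get("aws:RequestedRegion")
        if region is None:
            findings.append(f"{sid}: no aws:RequestedRegion condition; "
                            "statement applies in every region")
        elif not REGION_RE.match(str(region)):
            findings.append(f"{sid}: region placeholder not replaced: {region!r}")
        elif region not in allowed_regions:
            findings.append(f"{sid}: region {region} is not a configured region")
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if "Replace your" in str(res):
                findings.append(f"{sid}: resource placeholder not replaced: {res!r}")
    return findings
```

Run it over each policy file after substituting your regions and hosted zone id; a clean file returns only the wildcard findings you already expect.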

AWS Certificate Manager

For more information on importing a certificate using the AWS Console, see https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html

Step 1 - Import a certificate

You can use AWS Certificate Manager certificates with other AWS services (Elastic Load Balancing, Amazon CloudFront, AWS Elastic Beanstalk, Amazon API Gateway, AWS CloudFormation).

Import a Certificate

During recovery, certificates in the recovery region are matched by name to the certificates available in the primary region. The HTTPS rules of the Application Load Balancer are otherwise ignored during recovery.

Note: Please import the required certificates in the recovery region and tag them appropriately to resolve the issue.

Step 2 - Add Tags

You can add one or more user-defined tags to a certificate as key-value pairs, and you can apply the same user-defined tags to one or more certificates.

Add Tags to Certificate

Add the same tags to the load balancer in both the primary and the recovery region.

Add Tags to Load Balancer

Load Balancer to Import Certificate

There are two options for the certificate source used by the load balancer:

  • ACM (Recommended)
  • IAM

Using ACM in Load Balancer

These are the certificates managed by AWS Certificate Manager.

Use this option to import additional certificates for your load balancer.

Using ACM in Load Balancer

Using IAM in Load Balancer

These are the certificates managed by IAM.

Using IAM in Load Balancer

Creating a Cloud Connection in Appranix

  1. Log in to your Appranix account using the credentials you created
  2. Go to the Cloud Connections page
  3. Select your cloud provider, in this case AWS
  4. Select an AWS access type
    • Using AWS Access Key Method
    • Using Cross-account IAM Role Method
  5. Select the primary region and secondary regions for discovery of resources and recovery
  6. Add the needed services from the cloud provider (e.g. EC2, RDS, Application LB, Classic LB and Network LB)

Connect Cloud Account(s)

Connect your cloud accounts with an appropriate description and authentication.

Using AWS Access Key Method

Connect Cloud

Using Cross-account IAM Role Method

Connect Cloud

List of Cloud Connection Accounts

This page lists all the cloud accounts that have been connected.

Cloud Account List

Discover Cloud Resources

Appranix discovers all the resources from the connected AWS account automatically. These resources are refreshed periodically based on the policies configured later in this section.

Discover Cloud Resources

Create a Cloud Assembly

Users can flexibly group all the discovered resources into Assemblies. For simplicity, Appranix only shows EC2 virtual machines. It is best practice to select and group by the criticality of the applications you want to protect and recover. For instance, you can select Tier-1 business-critical applications as one Assembly, Tier-2 applications as another Assembly, and so on. You can then select all other resources as one Assembly.

Step - 1: Select and name a protection policy based on the Application(s) requirement

Assembly Create

Step - 2: Select the cloud connection to protect the resources

Select Cloud Connection

Step - 3: Select the cloud resources to be protected with the specific policy

Select Cloud Resource

Step - 4: Review and Finish the Cloud Assembly creation

Assembly Finish

List of Assemblies

Appranix lists all the cloud assemblies created so that you can modify them later if desired.

Assembly List

Assembly Summary

All the configurations for the particular Cloud Assembly are shown here. This page lists all the resources that belong to an application from the list of virtual machines selected when the Assembly was created.

Assembly Summary

Assembly Resources Page

This page lists all the dependent resources managed in an Assembly, both as a list view and as a graph view. If you add more VMs to this Assembly, all their dependent resources are automatically identified and grouped to show the entire application environment's cloud resources.

Graphical View:

Managed Resources are shown in the graphical view.

Assembly Resources Page

List View:

Managed Resources are shown in the List view.

Assembly Resources List

Edit Cloud Assembly Resources:

You can add or remove resources from the Cloud Assembly.

Update Assembly Resources

Cloud Assembly Resource Details

All the details about the particular resource are shown in the card view.

Assembly Resources Info

Policies List

Policy details are listed here with policy name, frequency, primary regions, and copy retention counts.

Policies List

Applying Protection Policies

You can apply Protection Policies based on the application's requirements, and you can apply multiple protection policies to the same Cloud Assembly. Click the “Create Protection Policy” link to name your protection policy and select the snapshot retention count in the primary region and recovery regions.

You can create Fifteen Minutes, Thirty Minutes, Hourly, Daily, Weekly, Monthly and Yearly policies. Appranix automatically manages the lifecycle of all resources in the application environment time machine based on these policies.

Creating a new protection policy

Here you can create a new protection policy with multiple frequency types to protect the resources.

Creating a new protection policy

Selecting the protection policy from Policy Template

Here you can select a protection policy from a Policy Template to protect the resources.

Creating the protection policy from Policy Template

Protection Policy Summary details

Summary details for the Protection Policy are listed here with policy frequency type, primary region name, protection status, and protection timeline.

Protection Policy Summary details

Cloud Assembly Timeline

This page shows your Cloud Application Environment Time Machine based on all your Protection Policies.

Cloud Assembly Timeline

Recovering Application Environments

Recover the cloud resources within the same region or your selected secondary region using the “RECOVER” button.

Recovering Application Environments

Recovering in the Same Cloud Region

Recover the cloud resources in the same region.

Note: Recovering the resources in the same region might cause resource conflicts with the existing production environment. Appranix avoids creating overlapping resources by assigning different IP addresses to the recovered instances.

Recovering in the Same Cloud Region

Recovering in Other Regions

You have the choice to select all the resources to recover in other cloud regions,

Recovering in Other Regions

or only specific resources to recover in other cloud regions.

Recovering in Other Regions

Type the text “RECOVER” to confirm the recovery.

Recover action

Once the Recover action is triggered, the recovery status changes to “Recovery In Progress” and recovery logs are generated for the specific timeline.

Recovery Logs

Recovery logs contain all the details of the execution that creates a copy of the application environment, including copies of the application data from the snapshots. The logs from the AWS CloudFormation stack execution are displayed here as well.

Recovery Logs

Once processed, the status will be updated to RECOVERY COMPLETED.

Recovery Completed

Recovered resources are shown in the Recovered Resources tab.

Recovered Resources

Click a resource in the list to view its details.

Recovered Resources Info

Assembly Recovery Reset

Since every Assembly recovery consumes AWS resources, it is advisable to reset the recovery region back to its original state. This process deletes all the recovered AWS resources in the reverse order in which they were created. Press “RESET” and type “DELETE” in capital letters to initiate the reset.

Assembly Recovery Reset

The delete process shows its progress in the status box.

Assembly Recovery Reset Inprogress

Once the reset is completed, the status is updated to "Reset completed".

Assembly Recovery Reset Completed