Appranix Cloud Application Resilience Service for AWS Cloud

Advanced Cloud Resource Protection and Cross-Region Recovery for Entire Cloud Application Environments

Overview

Appranix Cloud Application Resilience Service protects and recovers entire application environments using cloud-native services and cloud-native data lifecycle management. SREs and cloud operations teams do not have to use complicated third-party, infrastructure-centric data management solutions, and they do not have to manually write infrastructure-as-code automation such as CloudFormation or Terraform. Appranix discovers hundreds and thousands of data points from all the cloud resources within an account, then writes and versions cloud-native infrastructure-as-code (CloudFormation) to automate the recovery of an entire cloud application environment or of individual resources. Using Appranix, organizations can protect virtual machines (EC2), containers, EBS, security groups, load balancers, VPCs, routes, internet gateways, customer gateways, DHCP options and much more with a few clicks and no human intervention. All the dependencies between cloud resources are automatically calculated using Appranix’s intelligent Site Reliability Automation system. Users simply input a few policies from preexisting templates to create a cloud application environment time machine from which they can go back in time to recover cloud resources or entire environments.

Appranix is delivered as a cloud service, so cloud operations teams do not have to maintain any data protection infrastructure or worry about keeping that infrastructure highly available. They can add any number of resources across multiple accounts without having to re-architect the data protection systems for massive scalability. Cloud resources can be recovered in the same region in which they are protected or in another region for advanced disaster recovery, test and development, ransomware recovery and business continuity.

Prerequisites

Protect the AWS Cloud Resources

To generate the AWS credentials required by the Appranix User Console, create at least one AWS Identity and Access Management (IAM) user and assign the proper permission policy to this user. You will have to obtain an AWS Access Key ID and a Secret Access Key for the AWS account; these are the credentials you enter into the Appranix User Console so that it can discover all of the account's cloud resources.

Apply the IAM policies shown below in the AWS primary and recovery regions:

  • IAM policy JSON details for discovering and managing Primary Region Resources
  • IAM policy JSON details for recovering resources in the Primary Region and Secondary Recovery Regions
  • IAM policy JSON details for managing encrypted EBS volumes using AWS Key Management System (KMS)

Note: Appranix doesn’t copy any customer keys. All the keys are managed via AWS’s built-in Key Management System (KMS). You can configure one set of keys for your primary region and a separate set of keys for the recovery region.

IAM policy JSON details for the Primary Region
{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "AppranixPrimaryRegionEc2AndElbReadAndSnapshotWriteAccess",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:CopySnapshot",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "elasticloadbalancing:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your primary region"
                }
            }
        },
        {
            "Sid": "KmsCreateGrantAccess",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

IAM policy JSON details for the Primary and Recovery Regions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PrimaryRegionRecovery",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:TerminateInstances",
                "ec2:RegisterImage",
                "ec2:DeregisterImage",
                "cloudformation:*"
              ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your primary or recovery region"
                }
            }
        }
    ]
}

IAM policy JSON details for handling encrypted EBS volumes using KMS
{
    "Id": "kms-describe-and-create-grant-policy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateGrant",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "AllowUseofTheKey",
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases",
                "kms:DescribeKey*",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        }
    ]
}

IAM policy JSON details for the Route-53 DNS
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid" : "AllowHostedZoneListPermissions",
         "Effect": "Allow",
         "Action": [
            "route53:GetHostedZone",
            "route53:ListHostedZones",
            "route53:GetHostedZoneCount",
            "route53:ListHostedZonesByName"
         ],
         "Resource": "*"
      },
      {
         "Sid" : "AllowHostedZoneRecoredSetUpdatePermissions",
         "Effect": "Allow",
         "Action": [
            "route53:ChangeResourceRecordSets",
            "route53:ListResourceRecordSets"
         ],
         "Resource": [
            "arn:aws:route53:::hostedzone/Replace your hosted zone id"
         ]
      }
   ]
}

IAM policy JSON details for RDS Primary Region Protection
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RdsPrimaryRegionReadAndSnapshotWriteAccess",
            "Effect": "Allow",
            "Action": [
                "rds:Describe*",
                "rds:ListTagsForResource",
                "rds:CreateDBSnapshot",
                "rds:ModifyDBSnapshot",
                "rds:AddTagsToResource",
                "rds:RemoveTagsFromResource",
                "rds:DeleteDBSnapshot",
                "rds:CopyDBSnapshot",
                "ec2:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your primary region"
                }
            }
        }
    ]
}

IAM policy JSON details for RDS Primary Region Recovery
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RdsPrimaryRegionRecovery",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "rds:CreateDBInstance",
                "rds:AddTagsToResource",
                "rds:AddRoleToDBInstance",
                "rds:CreateDBInstanceReadReplica",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:CreateDBSecurityGroup",
                "rds:CreateOptionGroup",
                "rds:RestoreDBInstanceFromDBSnapshot",
                "rds:StartDBInstance",
                "rds:StopDBInstance",
                "rds:RebootDBInstance",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "rds:ModifyDBSubnetGroup",
                "rds:ModifyOptionGroup",
                "rds:DeleteDBInstance",
                "rds:RemoveRoleFromDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSecurityGroup",
                "rds:DeleteDBSubnetGroup",
                "rds:ResetDBParameterGroup"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your primary region"
                }
            }
        }
    ]
}

IAM policy JSON details for RDS Other Region Recovery
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RdsWriteAndVpcWrite",
            "Effect": "Allow",
            "Action": [
                "rds:*",
                "cloudformation:*",
                "ec2:Describe*",
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:CreateDhcpOptions",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:CreateNetworkAcl",
                "ec2:CreateNetworkAclEntry",
                "ec2:CreateInternetGateway",
                "ec2:CreateRouteTable",
                "ec2:CreateRoute",
                "ec2:CreateTags",
                "ec2:ReplaceRoute",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:ReplaceNetworkAclEntry",
                "ec2:DeleteVpc",
                "ec2:DeleteSubnet",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteTags",
                "ec2:DeleteNetworkAcl",
                "ec2:DeleteNetworkAclEntry",
                "ec2:AttachInternetGateway",
                "ec2:AssociateVpcCidrBlock",
                "ec2:AssociateRouteTable",
                "ec2:DisassociateVpcCidrBlock",
                "ec2:AssociateDhcpOptions",
                "ec2:DetachNetworkInterface",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateRouteTable",
                "ec2:DisassociateSubnetCidrBlock",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AttachNetworkInterface"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your recovery region"
                }
            }
        },
        {
            "Sid": "VpcAttributeDelete",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteRoute",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteRouteTable"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:route-table/*",
                "arn:aws:ec2:*:*:dhcp-options/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:internet-gateway/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "Replace your recovery region"
                }
            }
        }
    ]
}
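The templates above ship with "Replace your ..." placeholders, several service-wide actions (for example "rds:*" and "cloudformation:*"), and KMS statements on Resource "*" that carry no aws:RequestedRegion condition. The following pre-apply check is an added example, not Appranix code; the region names and the trimmed sample policy are assumptions constructed for illustration.

```python
import json

# Constructed sample: a trimmed copy of the page's templates with one
# placeholder left unfilled. The region names used below are assumptions.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RdsWriteAndVpcWrite", "Effect": "Allow",
     "Action": ["rds:*", "cloudformation:*", "ec2:Describe*"],
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "Replace your recovery region"}}},
    {"Sid": "AllowUseofTheKey", "Effect": "Allow",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
     "Resource": "*"}
  ]
}
"""

def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def region_values(stmt):
    """Collect aws:RequestedRegion values from any condition operator."""
    values = []
    for operands in stmt.get("Condition", {}).values():
        for key, val in operands.items():
            if key.lower() == "aws:requestedregion":
                values.extend(as_list(val))
    return values

def audit_policy(text, expected_regions):
    """Return (sid, finding) tuples for an identity-based policy document."""
    policy = json.loads(text)  # ValueError on malformed JSON such as a trailing comma
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        regions = region_values(stmt)
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"service-wide action {action}"))
        for region in regions:
            if region not in expected_regions:
                findings.append((sid, f"unexpected or unfilled region value: {region!r}"))
        if "*" in as_list(stmt.get("Resource", [])) and not regions:
            findings.append((sid, "Resource * with no aws:RequestedRegion condition"))
    return findings

if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY, {"us-east-1", "us-west-2"}):
        print(f"{sid}: {finding}")
```

Run it over each policy file before attaching it to the IAM user, and review every finding against what your recovery plan actually needs.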

Creating a Cloud Configuration

  1. Log in to your Appranix account using the credentials you created
  2. Go to the cloud configuration page
  3. Select your cloud provider, in this case AWS
  4. Provide the Access Key and Secret Key needed to configure the AWS cloud account
  5. Select the Primary Region and Secondary Regions for resource discovery and recovery
  6. Add the needed services from the cloud provider (e.g. EC2, Classic LB and Network LB)

Configure Cloud Account(s)


List of Configured Cloud Accounts


Discover Cloud Resources

Appranix automatically discovers all the resources in the configured AWS account. These resources are refreshed periodically based on the policies configured later in this section.


Creating an Assembly

Users can flexibly group all the discovered resources as Assemblies. For simplicity, Appranix only shows EC2 virtual machines. It is best practice to select and group resources by the criticality of the applications you want to protect and recover. For instance, you can select Tier-1 business-critical applications as one Assembly, Tier-2 applications as another Assembly, and so on. You can then select all other resources as one Assembly.


List of Assemblies

Appranix lists all the cloud Assemblies created so you can modify them later if desired.


Assembly Summary

All the discovered cloud resources for a particular Assembly are shown here. This page lists all the resources that belong to an application, derived from the list of virtual machines selected when the Assembly was created.


Assembly Resources Page

This page lists all the dependent resources managed in an Assembly as a graph. If you add any more VMs to this Assembly, all their dependent resources are automatically identified and grouped to show an entire application environment’s cloud resources.


Applying Protection Policies

You can apply Protection Policies based on the requirements of your application(s). You can apply multiple protection policies to the same Assembly. Click the “New Protection Policy” link to name your protection policy and select the snapshot retention count in the primary region and recovery regions.

You can create Hourly, Daily, Weekly, Monthly and Yearly policies. Appranix automatically manages the lifecycle of all resources based on these policies within the application environment time machine.


Assembly Summary Timeline

This page shows the Timeline of the selected Assembly’s resources based on the Protection Policies for the entire application environment.


Recovering Assemblies

Recover the entire Assembly within the same region or in your selected secondary region using the “RECOVER” button.


Recovering in the Primary Region

Recovers the entire assembly in the primary region.

Note: Recovering the resources in the primary region might cause resource conflicts with existing production environment resources. Appranix avoids creating overlapping resources by using different IP addresses for the instances.


When the application environment recovery is initiated, the status is displayed with the message “IN PROGRESS”.


Once the recovery is completed, the status is updated to “RECOVERY COMPLETED”. Log in to your AWS account to access the recovered resources. All the recovered resources are automatically tagged with the prefix “ax-” so you can identify and manage them appropriately.


Deleting Recovered Resources

You can delete all the recovered resources by resetting the entire environment. “Reset” will delete all the recovered resources in the selected region in the reverse order of dependency.


Recovering Assemblies to a Secondary Region

You can recover all the cloud resources in an environment by selecting “RECOVER” and then “To Recovery Region”. As with Primary Region recovery, all the cloud resources are automatically recovered using the dependency map that is automatically calculated from the Assembly. There won’t be any resource conflicts when you recover the resources in a second region, because all the VPC and associated infrastructure are newly created.


Recovery Logs

All the recovery statuses are displayed in the Recovery Logs section. Recovery logs contain all the details of the execution that creates a copy of the application environment, with copies of the application data from the snapshots. Logs from the AWS CloudFormation stack execution are displayed here as well.


Updating DNS

Users can also automate a DNS failover upon recovery. You need to provide the appropriate DNS zone names in the Assembly Configuration page. After the recovery, use the “Update DNS” button to update the DNS entries for the application environment. You can also reset DNS to the original configuration using “Reset DNS”.

NOTE: Use caution before updating the DNS as your production applications might stop working.


Assembly Recovery Reset

Since every Assembly recovery consumes AWS resources, it is advisable to Reset the recovery region back to the original state. This process will delete all the AWS resources in the reverse order in which they were created.


Protection Reports

Users can download Protection Reports with the details of the protected Assembly by clicking the “DOWNLOAD REPORT” button. A Protection Report contains all the instances and the metadata of those protected instances.


The Process to Delete Environments and Assemblies

  1. Select the required cloud name from the Cloud Account page to list all the Environments configured for that cloud account.
  2. Click the associated Assembly to view the Environment’s resource list.
  3. On the Assembly page, select the Environment from the environments list.
  4. In the Environment Configuration tab, click the “DELETE” button to delete the environment.
  5. Select the required option for deleting the snapshots in the primary and recovery regions. Type “DELETE” to confirm.
  6. Once the delete action is triggered, all the selected resources will be deleted in the order in which they were created. It may take a few minutes to complete. Appranix will redirect the user back to the Cloud Configuration page.
