Appranix Cloud Application Resilience Service for Google Cloud
Advanced Cloud Resources Protection and Cross-Region Recovery for the Entire Cloud Application Environments
Appranix Cloud Application Resilience Service offers protection and recovery of entire application environments using cloud-native services and cloud-native data lifecycle management. SREs and cloud operations teams do not have to use any complicated third-party infrastructure-centric data management solutions. They do not have to manually automate infrastructure-as-code tools like Deployment Manager, Terraform, etc. Appranix discovers hundreds and thousands of data points from all the cloud resources within an account, then writes and versions cloud-native infrastructure-as-code (Deployment Manager) to automate the recovery of the entire cloud application environment or of individual resources.
Using Appranix, organizations can protect virtual machines, containers, persistent disks, firewalls, load balancers, VPCs, routes, external IP configurations, and much more with a few clicks and with no human intervention. All the dependencies between cloud resources are automatically calculated using Appranix’s intelligent Site Reliability Automation system. Users simply input a few policies from preexisting templates to create a cloud application environment time machine from which they can go back in time to recover cloud resources or entire environments in the same region or across another region of the cloud.
Appranix is delivered as a cloud service so cloud operations teams do not have to maintain any data protection infrastructure and do not have to worry about keeping that infrastructure highly available. They can add any number of resources across multiple accounts without having to re-architect the data protection systems for massive scalability. Cloud resources can be recovered in the same region in which the resources are protected, or in another region for advanced disaster recovery (DR) and ransomware recovery in business continuity use cases. The same capability can be used to create copies of production environments for test and dev, or to sync multiple production environments across cloud regions on different continents.
Sign up for the Appranix Service on the Google Cloud Platform Marketplace
Use the GCP search bar to search for the Appranix Site Reliability Automation to select a subscription. There are two options to select, Essentials and Pro.
Appranix Essentials version protects and recovers entire cloud application environments, whereas the Pro version adds self-healing functions with the application blueprint deployments with infrastructure-as-code.
You can activate an appropriate subscription based on your needs from the marketplace. Please note that, based on the selection, Google Cloud resource usage will be billed in your next invoicing cycle.
Create a specific user account with your domain email on the Appranix service to isolate it from other users.
Granting Permissions to Discover Cloud Resources
To generate the required GCP credentials to use with the Appranix User Console, you need to create at least one GCP Identity and Access Management (IAM) user and assign proper permission policies to this user. You will have to obtain a GCP Project ID, a Service Account Configuration JSON, and an object storage bucket name for your GCP account; these are the credentials to enter into the Appranix User Console for discovering all the cloud resources in the account.
Appranix protect and recovery permission guidelines:
- Create a service account with the name 'appranix'. [Example : ‘appranix-protect-service’]
- Create a key for the appranix service account
Appranix bucket creation guidelines
- Provide the name for the bucket
- Choose how to control access to objects -> Select 'Set permission uniformly at bucket-level'
- Create the bucket
- Select the permission tab -> Add the 'appranix' service account as a member with the role 'Storage Admin'
NOTE: The bucket is required to store/sync all the cloud asset details. The 'appranix' service account will only have Storage Admin permission on this bucket, not on other buckets in your GCP storage.
Cloud Asset API
Enable the Cloud Asset API, which manages the history and inventory of cloud resources.
Adding CloudSQL permissions. Appranix requires the following prerequisites to protect the CloudSQL resources
- Project Id
- Google JSON Key String
Apply IAM policy bindings for the roles shown below in the GCP supported regions
- Compute Admin
- Cloud Asset Viewer
- Deployment Manager Editor
- Cloud SQL Admin
As an example, to add an IAM policy binding to the service account 'serviceAccount:firstname.lastname@example.org', use the following commands in Cloud Shell:
For the role of 'Compute Admin', run:
$ gcloud projects add-iam-policy-binding PROJECT_ID \
    --member 'serviceAccount:email@example.com' \
    --role 'roles/compute.admin'
For the role of 'Cloud Asset Viewer', run:
$ gcloud projects add-iam-policy-binding PROJECT_ID \
    --member 'serviceAccount:firstname.lastname@example.org' \
    --role 'roles/cloudasset.viewer'
For the role of 'Deployment Manager Editor', run:
$ gcloud projects add-iam-policy-binding PROJECT_ID \
    --member 'serviceAccount:email@example.com' \
    --role 'roles/deploymentmanager.editor'
For the custom role of 'serviceusage.services.use' permission, run:
$ gcloud iam roles create custom_role_service_usage --project PROJECT_ID \
    --title custom-role-service-usage --description "Service usage" \
    --permissions serviceusage.services.use
$ gcloud projects add-iam-policy-binding PROJECT_ID \
    --member 'serviceAccount:firstname.lastname@example.org' \
    --role 'projects/PROJECT_ID/roles/custom_role_service_usage'
This section summarizes permissions for the Cloud SQL support.
For the role of 'roles/cloudsql.admin', run:
$ gcloud projects add-iam-policy-binding PROJECT_ID \
    --member 'serviceAccount:email@example.com' \
    --role 'roles/cloudsql.admin'
For more information, see the Google Cloud documentation.
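An added example, not part of the Appranix documentation: a Python check that reads the JSON produced by "gcloud projects get-iam-policy PROJECT_ID --format=json" and reports which of the project-level roles listed above the service account is missing and which extra ones it holds. The project ID, service account email and sample policy are constructed; a project-level roles/storage.admin binding is reported as unexpected because the NOTE above scopes Storage Admin to the single bucket.

```python
import json

# Constructed service account email and project ID (assumptions, not from the page).
SA = "appranix@example-project.iam.gserviceaccount.com"
PROJECT = "example-project"

# Constructed sample, shaped like `gcloud projects get-iam-policy ... --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.admin",
     "members": ["serviceAccount:appranix@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudasset.viewer",
     "members": ["serviceAccount:appranix@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/deploymentmanager.editor",
     "members": ["serviceAccount:appranix@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:appranix@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ],
  "version": 1
}
""")


def expected_roles(project_id):
    """Project-level roles listed on this page; the custom role is per project."""
    return {
        "roles/compute.admin",
        "roles/cloudasset.viewer",
        "roles/deploymentmanager.editor",
        "roles/cloudsql.admin",
        f"projects/{project_id}/roles/custom_role_service_usage",
    }


def audit_bindings(policy, project_id, sa_email):
    """Return roles the service account lacks and roles it holds beyond the list."""
    member = f"serviceAccount:{sa_email}"
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    expected = expected_roles(project_id)
    return {"missing": sorted(expected - granted),
            "unexpected": sorted(granted - expected)}


if __name__ == "__main__":
    print(json.dumps(audit_bindings(SAMPLE_POLICY, PROJECT, SA), indent=2))
```

Run it against the real policy after applying the bindings; both lists should be empty when the project matches the role list above.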
Creating a Cloud Configuration in Appranix
- Login to your Appranix account using the credentials you created
- Go to the Cloud Configuration page
- Select your cloud provider, in this case, Google Cloud
- Provide the necessary Project ID and Service Account Configuration JSON to configure your GCP Cloud Account
- Provide the necessary Bucket Name to store the discovered resources
- Select Supported Regions for the discovery of resources and recovery
- Add any additional required services for the cloud app resilience (Cloud SQL, etc.)
Configure Cloud Account(s)
Configure your cloud accounts with an appropriate description and authentication.
List of Configured Google Cloud Accounts
This page lists all the cloud accounts that have been configured.
Discover Cloud Resources
Appranix discovers all the resources from the configured GCP account automatically. These resources are refreshed periodically based on the policies configured later in the section.
Create a Cloud Assembly
Users can flexibly group all the discovered resources as Assemblies. For simplicity, Appranix only shows COMPUTE virtual machines. It is best practice to select and group resources by the criticality of the applications you want to protect and recover. For instance, you can select Tier-1 business-critical applications as one Assembly, Tier-2 applications as another Assembly, and so on. You can then select all other resources as a separate Assembly.
Step - 1: Select and name a protection policy based on the Application(s) requirement
Step - 2: Select the cloud configuration to protect the resources
Step - 3: Select all the cloud resources to be protected with the specific policy
Step - 4: Review and Finish the Cloud Assembly creation
List of Assemblies
Appranix lists all the cloud Assemblies created so you can modify them later if desired.
All the configurations for the particular Cloud Assembly are shown here. This page lists all the resources that belong to an application from the list of virtual machines selected when the Assembly was created.
Assembly Resources Page
This page lists all the dependent resources managed in an Assembly both as a list view and graph view. If you add any more VMs to this Assembly, all their dependent resources are automatically identified and grouped to show an entire application environment’s cloud resources.
Managed Resources are shown in the graphical view.
Managed Resources are shown in the List view.
Edit Cloud Assembly Resources:
You can add or remove resources from the Cloud Assembly.
Cloud Assembly Resource Details
All the details about the particular resource are shown in the card view.
Policy details are listed here with policy name, frequency, primary regions, and copy retention counts
Applying Protection Policies
You can apply Protection Policies based on the Application(s) requirement. You can apply multiple protection policies for the same Cloud Assembly. Click the “Create Protection Policy” link to name your protection policy and select the snapshot retention count in the primary region and recovery regions.
You can create Hourly, Daily, Weekly, Monthly and Yearly policies. Appranix will manage all the resources lifecycle based on the policies automatically within the application environment time machine.
Creating a new protection policy
Here we can create a new protection policy with multiple frequency types to protect the resources.
Selecting the protection policy from Policy Template
Here we can select a protection policy from Policy Template to protect the resources.
Protection Policy Summary details
Summary details for Protection Policy listed here with policy frequency type, primary region name, protection status, and protection timeline.
Cloud Assembly Timeline
This page shows your Cloud Application Environment Time Machine based on all your Protection Policies.
Recovering Application Environments
Recover the cloud resources within the same region or your selected secondary region using the “RECOVER” button.
Recovering in the Same Cloud Region
Recover the cloud resources in the same region.
Note: Recovering the resources in the same region might cause resource conflicts with existing production environment resources. Appranix avoids creating overlapping resources by using different IP addresses for the instances.
Recovering in Other Regions
You have the choice to select all the resources or specific resources to recover in other cloud regions
Type text “RECOVER” to confirm the recovery
Once the Recover action is triggered, the recovery status changes to “Recovery In Progress” and recovery logs are shown for the specific timeline.
Recovery logs contain all the details of the execution for creating a copy of the application environment with copies of the application data from the snapshots. The Logs from the GCP Deployment Manager stack execution will be displayed here as well.
Once processed, the status will be updated to RECOVERY COMPLETED.
Login to your GCP account and get access to the recovered resources. All the recovered resources are automatically tagged with a prefix “ax-” so you can identify and manage them appropriately.
Recovered resources are shown in the recovered resources tab
Click a resource in the list to view the resource details.
Assembly Recovery Reset
Since every Assembly recovery consumes GCP resources, it is advisable to Reset the recovery region back to the original state. This process will delete all the GCP resources in the reverse order in which they were created. Press “RESET” and type “DELETE” in capital letters to initiate the Reset.
The delete process shows its progress in the status box.
Once the reset is completed, the status will be updated to "Reset completed".