You can configure a hypervisor (virtualization client) for Amazon EC2 to use a separate service account for data protection operations.
This approach provides the following benefits:
- Reduces the impact of backup operations and restore operations on tenant production accounts
- Minimizes the configuration required for tenant accounts
- Eliminates the need for tenants to deploy access nodes and MediaAgents in AWS, reducing tenant costs
- Hides backup infrastructure from tenants
By using this feature, tenants in a managed services environment can access resources that are provided by a managed service provider (MSP) to support data protection operations. Similarly, groups within an organization can access shared resources from an AWS service account that provides infrastructure for data protection.
Requirements
- You must add JSON permissions to both the service account and the tenant account.
- The service account can authenticate with an access key and secret key, with an IAM role, or with an STS assume role and an IAM policy.
- The tenant (user) account can authenticate with an access key and secret key, or with an STS assume role and an IAM policy.
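The STS assume-role option depends on a cross-account trust relationship between the two accounts. The following is an added example, not part of this page or of Commvault's own configuration: a Python model of the trust policy the tenant account attaches to the role that the service account's access nodes assume, plus a check of what that policy admits. Account IDs, role names and the external ID are constructed placeholders, and the JSON permission policies Commvault requires on each account are not reproduced here.

```python
"""Cross-account trust between an MSP service account and a tenant account.

Added example, not Commvault code. Account IDs, role names and the external ID
below are constructed placeholders. The JSON permission policies that Commvault
requires on each account are not reproduced here; this models only the
STS AssumeRole trust relationship that lets a role in the service account act
inside the tenant account.
"""
import json
from typing import Optional

SERVICE_ACCOUNT = "111111111111"   # constructed: MSP account hosting access nodes and MediaAgents
TENANT_ACCOUNT = "222222222222"    # constructed: tenant account whose EC2 instances are protected
SERVICE_ROLE_ARN = f"arn:aws:iam::{SERVICE_ACCOUNT}:role/CvServiceAccessNode"  # hypothetical role name
EXTERNAL_ID = "tenant-222222222222-7f3a"  # constructed: agreed out of band with the tenant


def tenant_trust_policy(service_principal: str, external_id: str) -> dict:
    """Trust policy for the tenant-side role. Only the named service principal may
    assume it, and only when it presents the agreed sts:ExternalId, which stops a
    different customer of the same MSP from aiming the shared access nodes at this
    tenant (the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": service_principal},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principals, caller_arn: str) -> bool:
    """A bare account ID or arn:aws:iam::ID:root trusts every principal in that
    account (subject to that principal's own identity policy, which is not modelled)."""
    caller_account = caller_arn.split(":")[4]
    for p in principals:
        if p in ("*", caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def assume_role_allowed(trust_policy: dict, caller_arn: str, external_id: Optional[str]) -> bool:
    """Simplified model of STS evaluating AssumeRole against a trust policy:
    an explicit Deny wins, otherwise some Allow must name the caller and any
    StringEquals condition on sts:ExternalId must match exactly. A missing
    external ID never satisfies an ExternalId condition."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        actions = _as_list(stmt["Action"])
        if "sts:AssumeRole" not in actions and "*" not in actions:
            continue
        if not _principal_matches(_as_list(stmt["Principal"].get("AWS", [])), caller_arn):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate(policy: dict) -> dict:
    """Run the cases a practitioner should check before handing the policy to a tenant."""
    other_role = f"arn:aws:iam::{SERVICE_ACCOUNT}:role/UnrelatedRole"  # constructed: another role in the MSP account
    return {
        "service_role_correct_id": assume_role_allowed(policy, SERVICE_ROLE_ARN, EXTERNAL_ID),
        "service_role_wrong_id": assume_role_allowed(policy, SERVICE_ROLE_ARN, "guess"),
        "service_role_no_id": assume_role_allowed(policy, SERVICE_ROLE_ARN, None),
        "other_role_in_service_account": assume_role_allowed(policy, other_role, EXTERNAL_ID),
    }


if __name__ == "__main__":
    narrow = tenant_trust_policy(SERVICE_ROLE_ARN, EXTERNAL_ID)
    broad = tenant_trust_policy(SERVICE_ACCOUNT, EXTERNAL_ID)   # trusts the whole MSP account
    print(json.dumps(narrow, indent=2))
    print("narrow:", evaluate(narrow))
    print("broad: ", evaluate(broad))
```

The second evaluation is the caveat worth checking: trusting the MSP account by ID (`"Principal": {"AWS": "111111111111"}`) admits every principal in that account, and in a shared service account that includes roles serving other tenants. Trust the specific access-node role and require an ExternalId, so that the tenant role can only be assumed by the infrastructure meant for that tenant.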
Considerations
- You can configure a hypervisor to use AWS service account resources in the CommCell Console or in the Command Center.
- Hypervisors can use AWS service account resources for the following operations:
  - Streaming backup
  - IntelliSnap backup
  - Backup copy
  - Restore
- After you configure access to an AWS service account, you can initiate operations from the tenant account, but the operations use resources such as access nodes and MediaAgents that are deployed in the AWS service account.
- After you configure a tenant hypervisor to use resources from an AWS service account hypervisor, some hypervisor settings are hidden for the tenant hypervisor.
- Operations can use Windows and Linux access nodes, and can include Windows and Linux instances. If a service hypervisor is created using the Automatic option and no VM group is created for the hypervisor, you must add the access nodes manually at the service hypervisor instance level if you plan to use this service hypervisor as the service account for tenant hypervisors.
- For the HotAdd or Import transport mode, replication (disaster recovery replication from VMware to Amazon or from Amazon to Amazon) cannot use resources that are in another account. For example, to replicate VMs to Account1, you must use resources in Account1; you cannot use resources in Account2.
- To perform a HotAdd cross-vendor conversion to an AWS account, you cannot use an access node that is in another AWS account. For example, to perform a cross-vendor conversion to Account1, the access node must be in Account1; you cannot use an access node in Account2.
- When you perform a restore from a streaming backup or a backup copy using a tenant account, volume tags are not restored.